]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Remove use of SSL object for fragment length checking in record layer
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
fecb3aae 2 * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6 3 *
909f1a2e 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
2cb4b5f6
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
a76ce286
P		 10/*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14#ifndef OPENSSL_NO_DEPRECATED_3_0
15# define OPENSSL_SUPPRESS_DEPRECATED
16#endif
17
7c3a7561 18#include <stdio.h>
ba881d3b
MC		 19#include <string.h>
20
2cb4b5f6
MC		 21#include <openssl/opensslconf.h>
22#include <openssl/bio.h>
23#include <openssl/crypto.h>
24#include <openssl/ssl.h>
ba881d3b 25#include <openssl/ocsp.h>
76fd7a1d
MC		 26#include <openssl/srp.h>
27#include <openssl/txt_db.h>
d0191fe0 28#include <openssl/aes.h>
7c3a7561 29#include <openssl/rand.h>
a76ce286 30#include <openssl/core_names.h>
23c48d94 31#include <openssl/core_dispatch.h>
5e30f2fd 32#include <openssl/provider.h>
33c39a06 33#include <openssl/param_build.h>
dfccfde0 34#include <openssl/x509v3.h>
92d7120c 35#include <openssl/dh.h>
2cb4b5f6 36
20f8bc72 37#include "helpers/ssltestlib.h"
c887104f 38#include "testutil.h"
f297e4ec 39#include "testutil/output.h"
176db6dc 40#include "internal/nelem.h"
fe5d9450 41#include "internal/ktls.h"
706457b7 42#include "../ssl/ssl_local.h"
b0001d0c 43#include "filterprov.h"
2cb4b5f6 44
a763ca11
MC		 45#undef OSSL_NO_USABLE_TLS1_3
46#if defined(OPENSSL_NO_TLS1_3) \
47 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
48/*
49 * If we don't have ec or dh then there are no built-in groups that are usable
50 * with TLSv1.3
51 */
52# define OSSL_NO_USABLE_TLS1_3
53#endif
54
0c13cdf8
MC		 55/* Defined in tls-provider.c */
56int tls_provider_init(const OSSL_CORE_HANDLE *handle,
57 const OSSL_DISPATCH *in,
58 const OSSL_DISPATCH **out,
59 void **provctx);
852c2ed2 60
b4250010 61static OSSL_LIB_CTX *libctx = NULL;
5e30f2fd
MC		 62static OSSL_PROVIDER *defctxnull = NULL;
63
a763ca11 64#ifndef OSSL_NO_USABLE_TLS1_3
8614a4eb
MC		 65
66static SSL_SESSION *clientpsk = NULL;
67static SSL_SESSION *serverpsk = NULL;
68static const char *pskid = "Identity";
69static const char *srvid;
70
71static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
72 size_t *idlen, SSL_SESSION **sess);
73static int find_session_cb(SSL *ssl, const unsigned char *identity,
74 size_t identity_len, SSL_SESSION **sess);
75
76static int use_session_cb_cnt = 0;
77static int find_session_cb_cnt = 0;
78
79static SSL_SESSION *create_a_psk(SSL *ssl);
80#endif
81
1a2a3a42 82static char *certsdir = NULL;
2cb4b5f6
MC		 83static char *cert = NULL;
84static char *privkey = NULL;
b3842539
MC		 85static char *cert2 = NULL;
86static char *privkey2 = NULL;
3105d846
MC		 87static char *cert1024 = NULL;
88static char *privkey1024 = NULL;
89static char *cert3072 = NULL;
90static char *privkey3072 = NULL;
91static char *cert4096 = NULL;
92static char *privkey4096 = NULL;
93static char *cert8192 = NULL;
94static char *privkey8192 = NULL;
76fd7a1d
MC		 95static char *srpvfile = NULL;
96static char *tmpfilename = NULL;
b2b8d188 97static char *dhfile = NULL;
2cb4b5f6 98
4f6c7044
MC		 99static int is_fips = 0;
100
cffe973c 101#define LOG_BUFFER_SIZE 2048
6acdd3e5 102static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 103static size_t server_log_buffer_index = 0;
6acdd3e5 104static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 105static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 106static int error_writing_log = 0;
107
8f8c11d8 108#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 109static const unsigned char orespder[] = "Dummy OCSP Response";
110static int ocsp_server_called = 0;
111static int ocsp_client_called = 0;
112
113static int cdummyarg = 1;
114static X509 *ocspcert = NULL;
8f8c11d8 115#endif
ba881d3b 116
84d5549e 117#define NUM_EXTRA_CERTS 40
cf72c757 118#define CLIENT_VERSION_LEN 2
84d5549e 119
f1a5939f
CB		 120/*
121 * This structure is used to validate that the correct number of log messages
122 * of various types are emitted when emitting secret logs.
123 */
124struct sslapitest_log_counts {
125 unsigned int rsa_key_exchange_count;
126 unsigned int master_secret_count;
cffe973c 127 unsigned int client_early_secret_count;
f1a5939f
CB		 128 unsigned int client_handshake_secret_count;
129 unsigned int server_handshake_secret_count;
130 unsigned int client_application_secret_count;
131 unsigned int server_application_secret_count;
01a2a654 132 unsigned int early_exporter_secret_count;
6329ce8f 133 unsigned int exporter_secret_count;
f1a5939f
CB		 134};
135
16afd71c
MC		 136
137static unsigned char serverinfov1[] = {
138 0xff, 0xff, /* Dummy extension type */
139 0x00, 0x01, /* Extension length is 1 byte */
140 0xff /* Dummy extension data */
141};
142
143static unsigned char serverinfov2[] = {
144 0x00, 0x00, 0x00,
145 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
146 0xff, 0xff, /* Dummy extension type */
147 0x00, 0x01, /* Extension length is 1 byte */
148 0xff /* Dummy extension data */
149};
150
104a733d
MC		 151static int hostname_cb(SSL *s, int *al, void *arg)
152{
153 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
154
155 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
156 || strcmp(hostname, "altgoodhost") == 0))
157 return SSL_TLSEXT_ERR_OK;
158
159 return SSL_TLSEXT_ERR_NOACK;
160}
161
710756a9
RS		 162static void client_keylog_callback(const SSL *ssl, const char *line)
163{
6acdd3e5
CB		 164 int line_length = strlen(line);
165
166 /* If the log doesn't fit, error out. */
710756a9
RS		 167 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
168 TEST_info("Client log too full");
6acdd3e5
CB		 169 error_writing_log = 1;
170 return;
171 }
172
173 strcat(client_log_buffer, line);
174 client_log_buffer_index += line_length;
710756a9 175 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 176}
177
710756a9
RS		 178static void server_keylog_callback(const SSL *ssl, const char *line)
179{
6acdd3e5
CB		 180 int line_length = strlen(line);
181
182 /* If the log doesn't fit, error out. */
710756a9 183 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 184 TEST_info("Server log too full");
6acdd3e5
CB		 185 error_writing_log = 1;
186 return;
187 }
188
189 strcat(server_log_buffer, line);
190 server_log_buffer_index += line_length;
710756a9 191 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 192}
193
194static int compare_hex_encoded_buffer(const char *hex_encoded,
195 size_t hex_length,
196 const uint8_t *raw,
710756a9
RS		 197 size_t raw_length)
198{
199 size_t i, j;
200 char hexed[3];
6acdd3e5 201
710756a9 202 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 203 return 1;
6acdd3e5 204
710756a9 205 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 206 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 207 if (!TEST_int_eq(hexed[0], hex_encoded[j])
208 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 209 return 1;
6acdd3e5
CB		 210 }
211
212 return 0;
213}
214
215static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 216 const SSL_SESSION *session,
710756a9
RS		 217 struct sslapitest_log_counts *expected)
218{
6acdd3e5
CB		 219 char *token = NULL;
220 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
221 size_t client_random_size = SSL3_RANDOM_SIZE;
222 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
223 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 224 unsigned int rsa_key_exchange_count = 0;
225 unsigned int master_secret_count = 0;
cffe973c 226 unsigned int client_early_secret_count = 0;
f1a5939f
CB		 227 unsigned int client_handshake_secret_count = 0;
228 unsigned int server_handshake_secret_count = 0;
229 unsigned int client_application_secret_count = 0;
230 unsigned int server_application_secret_count = 0;
01a2a654 231 unsigned int early_exporter_secret_count = 0;
6329ce8f 232 unsigned int exporter_secret_count = 0;
6acdd3e5 233
710756a9
RS		 234 for (token = strtok(buffer, " \n"); token != NULL;
235 token = strtok(NULL, " \n")) {
6acdd3e5 236 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 237 /*
238 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 239 * hex-encoded encrypted secret, then the hex-encoded pre-master
240 * secret.
241 */
710756a9 242 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 243 return 0;
710756a9 244 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 245 return 0;
710756a9 246 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 247 return 0;
f1a5939f
CB		 248 /*
249 * We can't sensibly check the log because the premaster secret is
250 * transient, and OpenSSL doesn't keep hold of it once the master
251 * secret is generated.
252 */
253 rsa_key_exchange_count++;
6acdd3e5 254 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 255 /*
256 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 257 * client random, then the hex-encoded master secret.
258 */
259 client_random_size = SSL_get_client_random(ssl,
260 actual_client_random,
261 SSL3_RANDOM_SIZE);
710756a9 262 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 263 return 0;
6acdd3e5 264
710756a9 265 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 266 return 0;
710756a9 267 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 268 return 0;
710756a9
RS		 269 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
270 actual_client_random,
271 client_random_size)))
f1a5939f 272 return 0;
6acdd3e5 273
710756a9 274 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 275 return 0;
6acdd3e5
CB		 276 master_key_size = SSL_SESSION_get_master_key(session,
277 actual_master_key,
278 master_key_size);
710756a9 279 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 280 return 0;
710756a9
RS		 281 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
282 actual_master_key,
283 master_key_size)))
f1a5939f 284 return 0;
f1a5939f 285 master_secret_count++;
cffe973c
PW		 286 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
287 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
710756a9
RS		 288 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
289 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
6329ce8f 290 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
01a2a654 291 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
6329ce8f 292 || strcmp(token, "EXPORTER_SECRET") == 0) {
f1a5939f
CB		 293 /*
294 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
295 * client random, and then the hex-encoded secret. In this case,
296 * we treat all of these secrets identically and then just
297 * distinguish between them when counting what we saw.
298 */
cffe973c
PW		 299 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
300 client_early_secret_count++;
301 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
f1a5939f
CB		 302 client_handshake_secret_count++;
303 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
304 server_handshake_secret_count++;
305 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
306 client_application_secret_count++;
307 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
308 server_application_secret_count++;
01a2a654
PW		 309 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
310 early_exporter_secret_count++;
6329ce8f
PW		 311 else if (strcmp(token, "EXPORTER_SECRET") == 0)
312 exporter_secret_count++;
f1a5939f
CB		 313
314 client_random_size = SSL_get_client_random(ssl,
315 actual_client_random,
316 SSL3_RANDOM_SIZE);
710756a9 317 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 318 return 0;
f1a5939f 319
710756a9 320 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 321 return 0;
710756a9 322 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 323 return 0;
710756a9
RS		 324 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
325 actual_client_random,
326 client_random_size)))
f1a5939f 327 return 0;
6acdd3e5 328
710756a9 329 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 330 return 0;
6acdd3e5 331 } else {
710756a9 332 TEST_info("Unexpected token %s\n", token);
f1a5939f 333 return 0;
6acdd3e5 334 }
6acdd3e5
CB		 335 }
336
710756a9
RS		 337 /* Got what we expected? */
338 if (!TEST_size_t_eq(rsa_key_exchange_count,
339 expected->rsa_key_exchange_count)
340 || !TEST_size_t_eq(master_secret_count,
341 expected->master_secret_count)
cffe973c
PW		 342 || !TEST_size_t_eq(client_early_secret_count,
343 expected->client_early_secret_count)
710756a9
RS		 344 || !TEST_size_t_eq(client_handshake_secret_count,
345 expected->client_handshake_secret_count)
346 || !TEST_size_t_eq(server_handshake_secret_count,
347 expected->server_handshake_secret_count)
348 || !TEST_size_t_eq(client_application_secret_count,
349 expected->client_application_secret_count)
350 || !TEST_size_t_eq(server_application_secret_count,
6329ce8f 351 expected->server_application_secret_count)
01a2a654
PW		 352 || !TEST_size_t_eq(early_exporter_secret_count,
353 expected->early_exporter_secret_count)
6329ce8f
PW		 354 || !TEST_size_t_eq(exporter_secret_count,
355 expected->exporter_secret_count))
710756a9
RS		 356 return 0;
357 return 1;
6acdd3e5
CB		 358}
359
a763ca11 360#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
710756a9
RS		 361static int test_keylog(void)
362{
6acdd3e5
CB		 363 SSL_CTX *cctx = NULL, *sctx = NULL;
364 SSL *clientssl = NULL, *serverssl = NULL;
365 int testresult = 0;
6fc1e624 366 struct sslapitest_log_counts expected;
6acdd3e5
CB		 367
368 /* Clean up logging space */
6fc1e624 369 memset(&expected, 0, sizeof(expected));
710756a9
RS		 370 memset(client_log_buffer, 0, sizeof(client_log_buffer));
371 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 372 client_log_buffer_index = 0;
373 server_log_buffer_index = 0;
374 error_writing_log = 0;
375
5e30f2fd 376 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
710756a9 377 TLS_client_method(),
5c587fb6 378 TLS1_VERSION, 0,
710756a9 379 &sctx, &cctx, cert, privkey)))
6acdd3e5 380 return 0;
6acdd3e5
CB		 381
382 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
383 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
384 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
385
f0deb4d3 386 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 387 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 388 goto end;
f0deb4d3 389
cf10df81
RS		 390 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
391 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 392 goto end;
6acdd3e5 393 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 394 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
395 == client_keylog_callback))
6acdd3e5 396 goto end;
710756a9 397 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 398 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
399 == server_keylog_callback))
6acdd3e5 400 goto end;
6acdd3e5 401
710756a9
RS		 402 /* Now do a handshake and check that the logs have been written to. */
403 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
404 &clientssl, NULL, NULL))
405 || !TEST_true(create_ssl_connection(serverssl, clientssl,
406 SSL_ERROR_NONE))
407 || !TEST_false(error_writing_log)
408 || !TEST_int_gt(client_log_buffer_index, 0)
409 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 410 goto end;
6acdd3e5 411
f1a5939f
CB		 412 /*
413 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 414 * do that by using strtok and confirming that we have more or less the
f1a5939f
CB		 415 * data we expect. For both client and server, we expect to see one master
416 * secret. The client should also see a RSA key exchange.
6acdd3e5 417 */
f1a5939f
CB		 418 expected.rsa_key_exchange_count = 1;
419 expected.master_secret_count = 1;
710756a9
RS		 420 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
421 SSL_get_session(clientssl), &expected)))
6acdd3e5 422 goto end;
f1a5939f
CB		 423
424 expected.rsa_key_exchange_count = 0;
710756a9
RS		 425 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
426 SSL_get_session(serverssl), &expected)))
6acdd3e5 427 goto end;
6acdd3e5
CB		 428
429 testresult = 1;
430
431end:
432 SSL_free(serverssl);
433 SSL_free(clientssl);
434 SSL_CTX_free(sctx);
435 SSL_CTX_free(cctx);
436
437 return testresult;
438}
c423ecaa 439#endif
6acdd3e5 440
a763ca11 441#ifndef OSSL_NO_USABLE_TLS1_3
710756a9
RS		 442static int test_keylog_no_master_key(void)
443{
6acdd3e5
CB		 444 SSL_CTX *cctx = NULL, *sctx = NULL;
445 SSL *clientssl = NULL, *serverssl = NULL;
cffe973c 446 SSL_SESSION *sess = NULL;
6acdd3e5 447 int testresult = 0;
6fc1e624 448 struct sslapitest_log_counts expected;
cffe973c
PW		 449 unsigned char buf[1];
450 size_t readbytes, written;
6acdd3e5
CB		 451
452 /* Clean up logging space */
6fc1e624 453 memset(&expected, 0, sizeof(expected));
710756a9
RS		 454 memset(client_log_buffer, 0, sizeof(client_log_buffer));
455 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 456 client_log_buffer_index = 0;
457 server_log_buffer_index = 0;
458 error_writing_log = 0;
459
5e30f2fd
MC		 460 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
461 TLS_client_method(), TLS1_VERSION, 0,
cffe973c
PW		 462 &sctx, &cctx, cert, privkey))
463 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
cffe973c 464 SSL3_RT_MAX_PLAIN_LENGTH)))
6acdd3e5 465 return 0;
6acdd3e5 466
cf10df81
RS		 467 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
468 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 469 goto end;
6acdd3e5
CB		 470
471 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 472 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
473 == client_keylog_callback))
6acdd3e5 474 goto end;
6acdd3e5 475
710756a9 476 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 477 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
478 == server_keylog_callback))
6acdd3e5 479 goto end;
6acdd3e5 480
710756a9
RS		 481 /* Now do a handshake and check that the logs have been written to. */
482 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
483 &clientssl, NULL, NULL))
484 || !TEST_true(create_ssl_connection(serverssl, clientssl,
485 SSL_ERROR_NONE))
486 || !TEST_false(error_writing_log))
6acdd3e5 487 goto end;
6acdd3e5 488
f1a5939f
CB		 489 /*
490 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 491 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 492 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 493 */
f1a5939f
CB		 494 expected.client_handshake_secret_count = 1;
495 expected.server_handshake_secret_count = 1;
496 expected.client_application_secret_count = 1;
497 expected.server_application_secret_count = 1;
6329ce8f 498 expected.exporter_secret_count = 1;
710756a9
RS		 499 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
500 SSL_get_session(clientssl), &expected))
501 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
502 SSL_get_session(serverssl),
503 &expected)))
6acdd3e5 504 goto end;
6acdd3e5 505
cffe973c
PW		 506 /* Terminate old session and resume with early data. */
507 sess = SSL_get1_session(clientssl);
508 SSL_shutdown(clientssl);
509 SSL_shutdown(serverssl);
510 SSL_free(serverssl);
511 SSL_free(clientssl);
512 serverssl = clientssl = NULL;
513
514 /* Reset key log */
515 memset(client_log_buffer, 0, sizeof(client_log_buffer));
516 memset(server_log_buffer, 0, sizeof(server_log_buffer));
517 client_log_buffer_index = 0;
518 server_log_buffer_index = 0;
519
520 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
521 &clientssl, NULL, NULL))
522 || !TEST_true(SSL_set_session(clientssl, sess))
523 /* Here writing 0 length early data is enough. */
524 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
525 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
526 &readbytes),
527 SSL_READ_EARLY_DATA_ERROR)
528 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
529 SSL_EARLY_DATA_ACCEPTED)
530 || !TEST_true(create_ssl_connection(serverssl, clientssl,
531 SSL_ERROR_NONE))
532 || !TEST_true(SSL_session_reused(clientssl)))
533 goto end;
534
535 /* In addition to the previous entries, expect early secrets. */
536 expected.client_early_secret_count = 1;
01a2a654 537 expected.early_exporter_secret_count = 1;
cffe973c
PW		 538 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
539 SSL_get_session(clientssl), &expected))
540 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
541 SSL_get_session(serverssl),
542 &expected)))
543 goto end;
544
6acdd3e5
CB		 545 testresult = 1;
546
547end:
cffe973c 548 SSL_SESSION_free(sess);
6acdd3e5
CB		 549 SSL_free(serverssl);
550 SSL_free(clientssl);
551 SSL_CTX_free(sctx);
552 SSL_CTX_free(cctx);
553
554 return testresult;
555}
556#endif
557
0c3eb279
DDO		 558static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
559{
560 int res = X509_verify_cert(ctx);
dfb39f73
TM		 561 int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
562 SSL *ssl;
563
564 /* this should not happen but check anyway */
565 if (idx < 0
566 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
567 return 0;
0c3eb279
DDO		 568
569 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
570 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
dfb39f73
TM		 571 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
572 return SSL_set_retry_verify(ssl);
573
0c3eb279
DDO		 574 return res;
575}
576
577static int test_client_cert_verify_cb(void)
578{
579 /* server key, cert, chain, and root */
580 char *skey = test_mk_file_path(certsdir, "leaf.key");
581 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
582 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
583 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
584 char *root = test_mk_file_path(certsdir, "rootCA.pem");
585 X509 *crt1 = NULL, *crt2 = NULL;
586 STACK_OF(X509) *server_chain;
587 SSL_CTX *cctx = NULL, *sctx = NULL;
588 SSL *clientssl = NULL, *serverssl = NULL;
589 int testresult = 0;
590
591 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
592 TLS_client_method(), TLS1_VERSION, 0,
593 &sctx, &cctx, NULL, NULL)))
594 goto end;
595 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
596 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
597 SSL_FILETYPE_PEM), 1)
598 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
599 goto end;
600 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
601 goto end;
602 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
603 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
604 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
605 &clientssl, NULL, NULL)))
606 goto end;
607
608 /* attempt SSL_connect() with incomplete server chain */
609 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
610 SSL_ERROR_WANT_RETRY_VERIFY)))
611 goto end;
612
613 /* application provides intermediate certs needed to verify server cert */
614 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
615 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
616 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
617 goto end;
618 /* add certs in reverse order to demonstrate real chain building */
619 if (!TEST_true(sk_X509_push(server_chain, crt1)))
620 goto end;
621 crt1 = NULL;
622 if (!TEST_true(sk_X509_push(server_chain, crt2)))
623 goto end;
624 crt2 = NULL;
625
626 /* continue SSL_connect(), must now succeed with completed server chain */
627 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
628 SSL_ERROR_NONE)))
629 goto end;
630
631 testresult = 1;
632
633end:
634 X509_free(crt1);
635 X509_free(crt2);
c38048e7
P		 636 if (clientssl != NULL) {
637 SSL_shutdown(clientssl);
638 SSL_free(clientssl);
639 }
640 if (serverssl != NULL) {
641 SSL_shutdown(serverssl);
642 SSL_free(serverssl);
643 }
0c3eb279
DDO		 644 SSL_CTX_free(sctx);
645 SSL_CTX_free(cctx);
646
647 OPENSSL_free(skey);
648 OPENSSL_free(leaf);
649 OPENSSL_free(int2);
650 OPENSSL_free(int1);
651 OPENSSL_free(root);
652
653 return testresult;
654}
655
4e4ae840
SL		 656static int test_ssl_build_cert_chain(void)
657{
658 int ret = 0;
659 SSL_CTX *ssl_ctx = NULL;
660 SSL *ssl = NULL;
661 char *skey = test_mk_file_path(certsdir, "leaf.key");
662 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
663
664 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
665 goto end;
666 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
667 goto end;
668 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
669 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
670 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
671 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
672 goto end;
673 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
674 | SSL_BUILD_CHAIN_FLAG_CHECK)))
675 goto end;
676 ret = 1;
677end:
678 SSL_free(ssl);
679 SSL_CTX_free(ssl_ctx);
680 OPENSSL_free(leaf_chain);
681 OPENSSL_free(skey);
682 return ret;
683}
684
c7debe81
TM		 685static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
686{
687 static const char pass[] = "testpass";
688
689 if (!TEST_int_eq(size, PEM_BUFSIZE))
690 return -1;
691
692 memcpy(buf, pass, sizeof(pass) - 1);
693 return sizeof(pass) - 1;
694}
695
4e4ae840
SL		 696static int test_ssl_ctx_build_cert_chain(void)
697{
698 int ret = 0;
699 SSL_CTX *ctx = NULL;
c7debe81 700 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
4e4ae840
SL		 701 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
702
703 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
704 goto end;
c7debe81 705 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
4e4ae840
SL		 706 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
707 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
708 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
709 SSL_FILETYPE_PEM), 1)
710 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
711 goto end;
712 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
713 | SSL_BUILD_CHAIN_FLAG_CHECK)))
714 goto end;
715 ret = 1;
716end:
717 SSL_CTX_free(ctx);
718 OPENSSL_free(leaf_chain);
719 OPENSSL_free(skey);
720 return ret;
721}
722
e9ee6536 723#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 724static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 725{
726 int *ctr = arg;
727 const unsigned char *p;
8ea404fb 728 int *exts;
2afaee51
BK		 729 /* We only configure two ciphers, but the SCSV is added automatically. */
730#ifdef OPENSSL_NO_EC
731 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
732#else
733 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
734 0x2c, 0x00, 0xff};
735#endif
8ea404fb
BK		 736 const int expected_extensions[] = {
737#ifndef OPENSSL_NO_EC
738 11, 10,
739#endif
10ed1b72 740 35, 22, 23, 13};
2afaee51
BK		 741 size_t len;
742
743 /* Make sure we can defer processing and get called back. */
744 if ((*ctr)++ == 0)
f1b97da1 745 return SSL_CLIENT_HELLO_RETRY;
2afaee51 746
a9c0d8be 747 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 748 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 749 || !TEST_size_t_eq(
750 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 751 || !TEST_int_eq(*p, 0))
f1b97da1 752 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 753 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 754 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 755 if (len != OSSL_NELEM(expected_extensions) ||
756 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 757 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 758 OPENSSL_free(exts);
f1b97da1 759 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 760 }
761 OPENSSL_free(exts);
f1b97da1 762 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 763}
764
a9c0d8be 765static int test_client_hello_cb(void)
710756a9 766{
2afaee51
BK		 767 SSL_CTX *cctx = NULL, *sctx = NULL;
768 SSL *clientssl = NULL, *serverssl = NULL;
769 int testctr = 0, testresult = 0;
770
5e30f2fd
MC		 771 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
772 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 773 &sctx, &cctx, cert, privkey)))
2afaee51 774 goto end;
a9c0d8be 775 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 776
2afaee51
BK		 777 /* The gimpy cipher list we configure can't do TLS 1.3. */
778 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 779
710756a9
RS		 780 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
781 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
782 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
783 &clientssl, NULL, NULL))
784 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 785 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 786 /*
787 * Passing a -1 literal is a hack since
788 * the real value was lost.
789 * */
a9c0d8be
DB		 790 || !TEST_int_eq(SSL_get_error(serverssl, -1),
791 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 792 || !TEST_true(create_ssl_connection(serverssl, clientssl,
793 SSL_ERROR_NONE)))
2afaee51 794 goto end;
2afaee51
BK		 795
796 testresult = 1;
797
088dfa13
TS		 798end:
799 SSL_free(serverssl);
800 SSL_free(clientssl);
801 SSL_CTX_free(sctx);
802 SSL_CTX_free(cctx);
803
804 return testresult;
805}
806
807static int test_no_ems(void)
808{
809 SSL_CTX *cctx = NULL, *sctx = NULL;
810 SSL *clientssl = NULL, *serverssl = NULL;
811 int testresult = 0;
812
5e30f2fd 813 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
088dfa13
TS		 814 TLS1_VERSION, TLS1_2_VERSION,
815 &sctx, &cctx, cert, privkey)) {
816 printf("Unable to create SSL_CTX pair\n");
817 goto end;
818 }
819
820 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
821
822 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
823 printf("Unable to create SSL objects\n");
824 goto end;
825 }
826
827 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
828 printf("Creating SSL connection failed\n");
829 goto end;
830 }
831
832 if (SSL_get_extms_support(serverssl)) {
833 printf("Server reports Extended Master Secret support\n");
834 goto end;
835 }
836
837 if (SSL_get_extms_support(clientssl)) {
838 printf("Client reports Extended Master Secret support\n");
839 goto end;
840 }
841 testresult = 1;
842
2afaee51
BK		 843end:
844 SSL_free(serverssl);
845 SSL_free(clientssl);
846 SSL_CTX_free(sctx);
847 SSL_CTX_free(cctx);
848
849 return testresult;
850}
851
3cd14e5e
BK		 852/*
853 * Very focused test to exercise a single case in the server-side state
854 * machine, when the ChangeCipherState message needs to actually change
855 * from one cipher to a different cipher (i.e., not changing from null
b3e6d666 856 * encryption to real encryption).
3cd14e5e
BK		 857 */
858static int test_ccs_change_cipher(void)
859{
860 SSL_CTX *cctx = NULL, *sctx = NULL;
861 SSL *clientssl = NULL, *serverssl = NULL;
862 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
863 int testresult = 0;
864 int i;
865 unsigned char buf;
866 size_t readbytes;
867
868 /*
e304aa87 869 * Create a connection so we can resume and potentially (but not) use
3cd14e5e
BK		 870 * a different cipher in the second connection.
871 */
5e30f2fd 872 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3cd14e5e
BK		 873 TLS_client_method(),
874 TLS1_VERSION, TLS1_2_VERSION,
875 &sctx, &cctx, cert, privkey))
876 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
877 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
878 NULL, NULL))
879 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
880 || !TEST_true(create_ssl_connection(serverssl, clientssl,
881 SSL_ERROR_NONE))
882 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
883 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
884 goto end;
885
886 shutdown_ssl_connection(serverssl, clientssl);
887 serverssl = clientssl = NULL;
888
889 /* Resume, preferring a different cipher. Our server will force the
890 * same cipher to be used as the initial handshake. */
891 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
892 NULL, NULL))
893 || !TEST_true(SSL_set_session(clientssl, sess))
894 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
895 || !TEST_true(create_ssl_connection(serverssl, clientssl,
896 SSL_ERROR_NONE))
897 || !TEST_true(SSL_session_reused(clientssl))
898 || !TEST_true(SSL_session_reused(serverssl))
899 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
900 || !TEST_ptr_eq(sesspre, sesspost)
901 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
902 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
903 goto end;
904 shutdown_ssl_connection(serverssl, clientssl);
905 serverssl = clientssl = NULL;
906
907 /*
908 * Now create a fresh connection and try to renegotiate a different
909 * cipher on it.
910 */
b3e6d666
BK		 911 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
912 NULL, NULL))
3cd14e5e
BK		 913 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
914 || !TEST_true(create_ssl_connection(serverssl, clientssl,
915 SSL_ERROR_NONE))
916 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
917 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
918 || !TEST_true(SSL_renegotiate(clientssl))
919 || !TEST_true(SSL_renegotiate_pending(clientssl)))
920 goto end;
921 /* Actually drive the renegotiation. */
922 for (i = 0; i < 3; i++) {
923 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
924 if (!TEST_ulong_eq(readbytes, 0))
925 goto end;
926 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
927 SSL_ERROR_WANT_READ)) {
928 goto end;
929 }
930 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
931 if (!TEST_ulong_eq(readbytes, 0))
932 goto end;
933 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
934 SSL_ERROR_WANT_READ)) {
935 goto end;
936 }
937 }
938 /* sesspre and sesspost should be different since the cipher changed. */
939 if (!TEST_false(SSL_renegotiate_pending(clientssl))
940 || !TEST_false(SSL_session_reused(clientssl))
941 || !TEST_false(SSL_session_reused(serverssl))
942 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
943 || !TEST_ptr_ne(sesspre, sesspost)
944 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
945 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
946 goto end;
947
948 shutdown_ssl_connection(serverssl, clientssl);
949 serverssl = clientssl = NULL;
950
951 testresult = 1;
952
953end:
954 SSL_free(serverssl);
955 SSL_free(clientssl);
956 SSL_CTX_free(sctx);
957 SSL_CTX_free(cctx);
958 SSL_SESSION_free(sess);
959
960 return testresult;
961}
fb121631 962#endif
3cd14e5e 963
84d5549e 964static int execute_test_large_message(const SSL_METHOD *smeth,
7d7f6834
RL		 965 const SSL_METHOD *cmeth,
966 int min_version, int max_version,
967 int read_ahead)
84d5549e
MC		 968{
969 SSL_CTX *cctx = NULL, *sctx = NULL;
970 SSL *clientssl = NULL, *serverssl = NULL;
971 int testresult = 0;
972 int i;
710756a9 973 BIO *certbio = NULL;
84d5549e
MC		 974 X509 *chaincert = NULL;
975 int certlen;
976
710756a9 977 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
84d5549e 978 goto end;
6725682d 979
d8652be0 980 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
6725682d
SL		 981 goto end;
982
983 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
984 goto end;
fa454945
MC		 985 BIO_free(certbio);
986 certbio = NULL;
84d5549e 987
5e30f2fd
MC		 988 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
989 max_version, &sctx, &cctx, cert,
990 privkey)))
84d5549e 991 goto end;
84d5549e 992
8ce390e1
MC		 993#ifdef OPENSSL_NO_DTLS1_2
994 if (smeth == DTLS_server_method()) {
995 /*
996 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
997 * level 0
998 */
999 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1000 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1001 "DEFAULT:@SECLEVEL=0")))
1002 goto end;
1003 }
1004#endif
1005
710756a9 1006 if (read_ahead) {
7856332e
MC		 1007 /*
1008 * Test that read_ahead works correctly when dealing with large
1009 * records
1010 */
1011 SSL_CTX_set_read_ahead(cctx, 1);
1012 }
1013
84d5549e
MC		 1014 /*
1015 * We assume the supplied certificate is big enough so that if we add
1016 * NUM_EXTRA_CERTS it will make the overall message large enough. The
1017 * default buffer size is requested to be 16k, but due to the way BUF_MEM
710756a9
RS		 1018 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
1019 * test we need to have a message larger than that.
84d5549e
MC		 1020 */
1021 certlen = i2d_X509(chaincert, NULL);
710756a9
RS		 1022 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
1023 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
84d5549e 1024 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
710756a9 1025 if (!X509_up_ref(chaincert))
84d5549e 1026 goto end;
84d5549e 1027 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
84d5549e
MC		 1028 X509_free(chaincert);
1029 goto end;
1030 }
1031 }
1032
710756a9
RS		 1033 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1034 NULL, NULL))
1035 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1036 SSL_ERROR_NONE)))
84d5549e 1037 goto end;
84d5549e 1038
4bf08600
MC		 1039 /*
1040 * Calling SSL_clear() first is not required but this tests that SSL_clear()
742ccab3 1041 * doesn't leak.
4bf08600 1042 */
710756a9 1043 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 1044 goto end;
84d5549e 1045
4bf08600 1046 testresult = 1;
84d5549e 1047 end:
6725682d 1048 BIO_free(certbio);
84d5549e
MC		 1049 X509_free(chaincert);
1050 SSL_free(serverssl);
1051 SSL_free(clientssl);
1052 SSL_CTX_free(sctx);
1053 SSL_CTX_free(cctx);
1054
1055 return testresult;
1056}
1057
da4db160 1058#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
a763ca11 1059 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
fe5d9450
BP		 1060/* sock must be connected */
1061static int ktls_chk_platform(int sock)
1062{
1063 if (!ktls_enable(sock))
1064 return 0;
1065 return 1;
1066}
1067
e1fdd526 1068static int ping_pong_query(SSL *clientssl, SSL *serverssl)
fe5d9450
BP		 1069{
1070 static char count = 1;
1071 unsigned char cbuf[16000] = {0};
1072 unsigned char sbuf[16000];
1073 size_t err = 0;
e1fdd526
JB		 1074 char crec_wseq_before[SEQ_NUM_SIZE];
1075 char crec_wseq_after[SEQ_NUM_SIZE];
1076 char crec_rseq_before[SEQ_NUM_SIZE];
1077 char crec_rseq_after[SEQ_NUM_SIZE];
1078 char srec_wseq_before[SEQ_NUM_SIZE];
1079 char srec_wseq_after[SEQ_NUM_SIZE];
1080 char srec_rseq_before[SEQ_NUM_SIZE];
1081 char srec_rseq_after[SEQ_NUM_SIZE];
38b051a1
TM		 1082 SSL_CONNECTION *clientsc, *serversc;
1083
1084 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1085 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1086 goto end;
fe5d9450
BP		 1087
1088 cbuf[0] = count++;
38b051a1
TM		 1089 memcpy(crec_wseq_before, &clientsc->rlayer.write_sequence, SEQ_NUM_SIZE);
1090 memcpy(crec_rseq_before, &clientsc->rlayer.read_sequence, SEQ_NUM_SIZE);
1091 memcpy(srec_wseq_before, &serversc->rlayer.write_sequence, SEQ_NUM_SIZE);
1092 memcpy(srec_rseq_before, &serversc->rlayer.read_sequence, SEQ_NUM_SIZE);
fe5d9450
BP		 1093
1094 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1095 goto end;
1096
1097 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1098 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1099 goto end;
1100 }
1101 }
1102
1103 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1104 goto end;
1105
1106 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1107 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1108 goto end;
1109 }
1110 }
1111
38b051a1
TM		 1112 memcpy(crec_wseq_after, &clientsc->rlayer.write_sequence, SEQ_NUM_SIZE);
1113 memcpy(crec_rseq_after, &clientsc->rlayer.read_sequence, SEQ_NUM_SIZE);
1114 memcpy(srec_wseq_after, &serversc->rlayer.write_sequence, SEQ_NUM_SIZE);
1115 memcpy(srec_rseq_after, &serversc->rlayer.read_sequence, SEQ_NUM_SIZE);
fe5d9450
BP		 1116
1117 /* verify the payload */
1118 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1119 goto end;
1120
e1fdd526
JB		 1121 /*
1122 * If ktls is used then kernel sequences are used instead of
1123 * OpenSSL sequences
1124 */
38b051a1 1125 if (!BIO_get_ktls_send(clientsc->wbio)) {
e1fdd526
JB		 1126 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1127 crec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1128 goto end;
1129 } else {
e1fdd526
JB		 1130 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1131 crec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1132 goto end;
1133 }
1134
38b051a1 1135 if (!BIO_get_ktls_send(serversc->wbio)) {
e1fdd526
JB		 1136 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1137 srec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1138 goto end;
1139 } else {
e1fdd526
JB		 1140 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1141 srec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1142 goto end;
1143 }
1144
38b051a1 1145 if (!BIO_get_ktls_recv(clientsc->wbio)) {
e1fdd526
JB		 1146 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1147 crec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1148 goto end;
1149 } else {
e1fdd526
JB		 1150 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1151 crec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1152 goto end;
1153 }
1154
38b051a1 1155 if (!BIO_get_ktls_recv(serversc->wbio)) {
e1fdd526
JB		 1156 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1157 srec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1158 goto end;
1159 } else {
e1fdd526
JB		 1160 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1161 srec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1162 goto end;
1163 }
fe5d9450
BP		 1164
1165 return 1;
1166end:
1167 return 0;
1168}
1169
a3a54179 1170static int execute_test_ktls(int cis_ktls, int sis_ktls,
e1fdd526 1171 int tls_version, const char *cipher)
fe5d9450
BP		 1172{
1173 SSL_CTX *cctx = NULL, *sctx = NULL;
1174 SSL *clientssl = NULL, *serverssl = NULL;
e1fdd526
JB		 1175 int ktls_used = 0, testresult = 0;
1176 int cfd = -1, sfd = -1;
1177 int rx_supported;
38b051a1 1178 SSL_CONNECTION *clientsc, *serversc;
fe5d9450
BP		 1179
1180 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
1181 goto end;
1182
1183 /* Skip this test if the platform does not support ktls */
e1fdd526
JB		 1184 if (!ktls_chk_platform(cfd)) {
1185 testresult = TEST_skip("Kernel does not support KTLS");
1186 goto end;
1187 }
fe5d9450 1188
a5d8a2f8
DB		 1189 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1190 testresult = TEST_skip("CHACHA is not supported in FIPS");
1191 goto end;
1192 }
1193
fe5d9450 1194 /* Create a session based on SHA-256 */
5e30f2fd 1195 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fe5d9450 1196 TLS_client_method(),
da4db160 1197 tls_version, tls_version,
e1fdd526
JB		 1198 &sctx, &cctx, cert, privkey)))
1199 goto end;
1200
1201 if (tls_version == TLS1_3_VERSION) {
1202 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1203 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1204 goto end;
1205 } else {
1206 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1207 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1208 goto end;
1209 }
1210
1211 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1212 &clientssl, sfd, cfd)))
fe5d9450
BP		 1213 goto end;
1214
38b051a1
TM		 1215 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1216 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1217 goto end;
1218
a3a54179
MC		 1219 if (cis_ktls) {
1220 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
fe5d9450
BP		 1221 goto end;
1222 }
1223
a3a54179 1224 if (sis_ktls) {
e1fdd526 1225 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
2fab79af
BP		 1226 goto end;
1227 }
1228
e1fdd526 1229 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
fe5d9450
BP		 1230 goto end;
1231
e1fdd526
JB		 1232 /*
1233 * The running kernel may not support a given cipher suite
1234 * or direction, so just check that KTLS isn't used when it
1235 * isn't enabled.
1236 */
a3a54179 1237 if (!cis_ktls) {
38b051a1 1238 if (!TEST_false(BIO_get_ktls_send(clientsc->wbio)))
fe5d9450
BP		 1239 goto end;
1240 } else {
38b051a1 1241 if (BIO_get_ktls_send(clientsc->wbio))
e1fdd526 1242 ktls_used = 1;
fe5d9450
BP		 1243 }
1244
a3a54179 1245 if (!sis_ktls) {
38b051a1 1246 if (!TEST_false(BIO_get_ktls_send(serversc->wbio)))
fe5d9450
BP		 1247 goto end;
1248 } else {
38b051a1 1249 if (BIO_get_ktls_send(serversc->wbio))
e1fdd526 1250 ktls_used = 1;
fe5d9450
BP		 1251 }
1252
a3a54179 1253#if defined(OPENSSL_NO_KTLS_RX)
e1fdd526
JB		 1254 rx_supported = 0;
1255#else
7c78932b 1256 rx_supported = 1;
a3a54179 1257#endif
e1fdd526 1258 if (!cis_ktls || !rx_supported) {
38b051a1 1259 if (!TEST_false(BIO_get_ktls_recv(clientsc->rbio)))
2fab79af
BP		 1260 goto end;
1261 } else {
38b051a1 1262 if (BIO_get_ktls_send(clientsc->rbio))
e1fdd526 1263 ktls_used = 1;
2fab79af
BP		 1264 }
1265
e1fdd526 1266 if (!sis_ktls || !rx_supported) {
38b051a1 1267 if (!TEST_false(BIO_get_ktls_recv(serversc->rbio)))
2fab79af
BP		 1268 goto end;
1269 } else {
38b051a1 1270 if (BIO_get_ktls_send(serversc->rbio))
e1fdd526
JB		 1271 ktls_used = 1;
1272 }
1273
1274 if ((cis_ktls || sis_ktls) && !ktls_used) {
1275 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1276 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1277 "TLS 1.2", cipher);
1278 goto end;
2fab79af
BP		 1279 }
1280
e1fdd526 1281 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
fe5d9450
BP		 1282 goto end;
1283
1284 testresult = 1;
1285end:
1286 if (clientssl) {
1287 SSL_shutdown(clientssl);
1288 SSL_free(clientssl);
1289 }
1290 if (serverssl) {
1291 SSL_shutdown(serverssl);
1292 SSL_free(serverssl);
1293 }
1294 SSL_CTX_free(sctx);
1295 SSL_CTX_free(cctx);
1296 serverssl = clientssl = NULL;
e1fdd526
JB		 1297 if (cfd != -1)
1298 close(cfd);
1299 if (sfd != -1)
1300 close(sfd);
fe5d9450
BP		 1301 return testresult;
1302}
1303
7c3a7561
BP		 1304#define SENDFILE_SZ (16 * 4096)
1305#define SENDFILE_CHUNK (4 * 4096)
1306#define min(a,b) ((a) > (b) ? (b) : (a))
1307
e1fdd526 1308static int execute_test_ktls_sendfile(int tls_version, const char *cipher)
7c3a7561
BP		 1309{
1310 SSL_CTX *cctx = NULL, *sctx = NULL;
1311 SSL *clientssl = NULL, *serverssl = NULL;
1312 unsigned char *buf, *buf_dst;
1313 BIO *out = NULL, *in = NULL;
e1fdd526 1314 int cfd = -1, sfd = -1, ffd, err;
7c3a7561
BP		 1315 ssize_t chunk_size = 0;
1316 off_t chunk_off = 0;
1317 int testresult = 0;
1318 FILE *ffdp;
38b051a1 1319 SSL_CONNECTION *serversc;
7c3a7561
BP		 1320
1321 buf = OPENSSL_zalloc(SENDFILE_SZ);
1322 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1323 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1324 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1325 goto end;
1326
1327 /* Skip this test if the platform does not support ktls */
1328 if (!ktls_chk_platform(sfd)) {
e1fdd526 1329 testresult = TEST_skip("Kernel does not support KTLS");
7c3a7561
BP		 1330 goto end;
1331 }
1332
a5d8a2f8
DB		 1333 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1334 testresult = TEST_skip("CHACHA is not supported in FIPS");
1335 goto end;
1336 }
1337
7c3a7561 1338 /* Create a session based on SHA-256 */
5e30f2fd 1339 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7c3a7561 1340 TLS_client_method(),
da4db160 1341 tls_version, tls_version,
e1fdd526
JB		 1342 &sctx, &cctx, cert, privkey)))
1343 goto end;
1344
1345 if (tls_version == TLS1_3_VERSION) {
1346 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1347 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1348 goto end;
1349 } else {
1350 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1351 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1352 goto end;
1353 }
1354
1355 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1356 &clientssl, sfd, cfd)))
1357 goto end;
1358
38b051a1
TM		 1359 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1360 goto end;
1361
e1fdd526 1362 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
7c3a7561
BP		 1363 goto end;
1364
1365 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
e1fdd526 1366 SSL_ERROR_NONE)))
7c3a7561
BP		 1367 goto end;
1368
38b051a1 1369 if (!BIO_get_ktls_send(serversc->wbio)) {
e1fdd526
JB		 1370 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1371 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1372 "TLS 1.2", cipher);
1373 goto end;
1374 }
1375
c9007bda 1376 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
72c1e374
JB		 1377 goto end;
1378
7c3a7561
BP		 1379 out = BIO_new_file(tmpfilename, "wb");
1380 if (!TEST_ptr(out))
1381 goto end;
1382
1383 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1384 goto end;
1385
1386 BIO_free(out);
1387 out = NULL;
1388 in = BIO_new_file(tmpfilename, "rb");
1389 BIO_get_fp(in, &ffdp);
1390 ffd = fileno(ffdp);
1391
1392 while (chunk_off < SENDFILE_SZ) {
1393 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1394 while ((err = SSL_sendfile(serverssl,
1395 ffd,
1396 chunk_off,
1397 chunk_size,
1398 0)) != chunk_size) {
1399 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1400 goto end;
1401 }
1402 while ((err = SSL_read(clientssl,
1403 buf_dst + chunk_off,
1404 chunk_size)) != chunk_size) {
1405 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1406 goto end;
1407 }
1408
1409 /* verify the payload */
1410 if (!TEST_mem_eq(buf_dst + chunk_off,
1411 chunk_size,
1412 buf + chunk_off,
1413 chunk_size))
1414 goto end;
1415
1416 chunk_off += chunk_size;
1417 }
1418
1419 testresult = 1;
1420end:
1421 if (clientssl) {
1422 SSL_shutdown(clientssl);
1423 SSL_free(clientssl);
1424 }
1425 if (serverssl) {
1426 SSL_shutdown(serverssl);
1427 SSL_free(serverssl);
1428 }
1429 SSL_CTX_free(sctx);
1430 SSL_CTX_free(cctx);
1431 serverssl = clientssl = NULL;
1432 BIO_free(out);
1433 BIO_free(in);
e1fdd526
JB		 1434 if (cfd != -1)
1435 close(cfd);
1436 if (sfd != -1)
1437 close(sfd);
7c3a7561
BP		 1438 OPENSSL_free(buf);
1439 OPENSSL_free(buf_dst);
1440 return testresult;
1441}
1442
e1fdd526
JB		 1443static struct ktls_test_cipher {
1444 int tls_version;
1445 const char *cipher;
1446} ktls_test_ciphers[] = {
1447# if !defined(OPENSSL_NO_TLS1_2)
1448# ifdef OPENSSL_KTLS_AES_GCM_128
1449 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1450# endif
1451# ifdef OPENSSL_KTLS_AES_CCM_128
1452 { TLS1_2_VERSION, "AES128-CCM"},
1453# endif
1454# ifdef OPENSSL_KTLS_AES_GCM_256
1455 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1456# endif
11bac1b4
JB		 1457# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1458 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1459# endif
e1fdd526
JB		 1460# endif
1461# if !defined(OSSL_NO_USABLE_TLS1_3)
1462# ifdef OPENSSL_KTLS_AES_GCM_128
1463 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1464# endif
1465# ifdef OPENSSL_KTLS_AES_CCM_128
1466 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1467# endif
1468# ifdef OPENSSL_KTLS_AES_GCM_256
1469 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1470# endif
11bac1b4
JB		 1471# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1472 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1473# endif
e1fdd526
JB		 1474# endif
1475};
1476
1477#define NUM_KTLS_TEST_CIPHERS \
1478 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1479
da4db160
VF		 1480static int test_ktls(int test)
1481{
e1fdd526 1482 struct ktls_test_cipher *cipher;
a3a54179 1483 int cis_ktls, sis_ktls;
da4db160 1484
2cff17fd 1485 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
e1fdd526 1486 cipher = &ktls_test_ciphers[test / 4];
da4db160 1487
a3a54179
MC		 1488 cis_ktls = (test & 1) != 0;
1489 sis_ktls = (test & 2) != 0;
cd03b5dc 1490
e1fdd526
JB		 1491 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1492 cipher->cipher);
2fab79af
BP		 1493}
1494
e1fdd526 1495static int test_ktls_sendfile(int tst)
fe5d9450 1496{
e1fdd526 1497 struct ktls_test_cipher *cipher;
da4db160 1498
2cff17fd 1499 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
e1fdd526 1500 cipher = &ktls_test_ciphers[tst];
da4db160 1501
e1fdd526 1502 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher);
fe5d9450 1503}
fe5d9450
BP		 1504#endif
1505
84d5549e
MC		 1506static int test_large_message_tls(void)
1507{
7856332e 1508 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1509 TLS1_VERSION, 0, 0);
7856332e
MC		 1510}
1511
1512static int test_large_message_tls_read_ahead(void)
1513{
1514 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1515 TLS1_VERSION, 0, 1);
84d5549e
MC		 1516}
1517
55386bef 1518#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 1519static int test_large_message_dtls(void)
1520{
8ce390e1
MC		 1521# ifdef OPENSSL_NO_DTLS1_2
1522 /* Not supported in the FIPS provider */
1523 if (is_fips)
1524 return 1;
1525# endif
7856332e
MC		 1526 /*
1527 * read_ahead is not relevant to DTLS because DTLS always acts as if
1528 * read_ahead is set.
1529 */
84d5549e 1530 return execute_test_large_message(DTLS_server_method(),
7d7f6834 1531 DTLS_client_method(),
5c587fb6 1532 DTLS1_VERSION, 0, 0);
84d5549e 1533}
55386bef 1534#endif
84d5549e 1535
163b8016
ME		 1536static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1537 const SSL_METHOD *cmeth,
1538 int min_version, int max_version)
1539{
1540 size_t i;
1541 SSL_CTX *cctx = NULL, *sctx = NULL;
1542 SSL *clientssl = NULL, *serverssl = NULL;
1543 int testresult = 0;
163b8016 1544 void *zbuf;
38b051a1 1545 SSL_CONNECTION *serversc;
163b8016
ME		 1546
1547 static unsigned char cbuf[16000];
1548 static unsigned char sbuf[16000];
1549
1550 if (!TEST_true(create_ssl_ctx_pair(libctx,
1551 smeth, cmeth,
1552 min_version, max_version,
1553 &sctx, &cctx, cert,
1554 privkey)))
1555 goto end;
1556
8ce390e1
MC		 1557#ifdef OPENSSL_NO_DTLS1_2
1558 if (smeth == DTLS_server_method()) {
1559# ifdef OPENSSL_NO_DTLS1_2
1560 /* Not supported in the FIPS provider */
1561 if (is_fips) {
1562 testresult = 1;
1563 goto end;
1564 };
1565# endif
1566 /*
1567 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1568 * level 0
1569 */
1570 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1571 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1572 "DEFAULT:@SECLEVEL=0")))
1573 goto end;
1574 }
1575#endif
1576
163b8016
ME		 1577 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1578 NULL, NULL)))
1579 goto end;
1580
1581 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1582 goto end;
1583
1584 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1585 SSL_ERROR_NONE)))
1586 goto end;
1587
1588 for (i = 0; i < sizeof(cbuf); i++) {
1589 cbuf[i] = i & 0xff;
1590 }
1591
1592 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1593 goto end;
1594
1595 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1596 goto end;
1597
1598 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1599 goto end;
1600
1601 /*
1602 * Since we called SSL_peek(), we know the data in the record
1603 * layer is a plaintext record. We can gather the pointer to check
1604 * for zeroization after SSL_read().
1605 */
38b051a1
TM		 1606 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1607 goto end;
4030869d
MC		 1608
1609 /*
1610 * TODO(RECLAYER): This is temporary until DTLS is converted to use the new
1611 * record layer code.
1612 */
1613 if (!SSL_is_dtls(serverssl)) {
1614 TLS_RECORD *rr = serversc->rlayer.tlsrecs;
1615
1616 zbuf = &rr->data[rr->off];
1617 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1618 goto end;
1619 } else {
1620 SSL3_RECORD *rr = serversc->rlayer.rrec;
1621
1622 zbuf = &rr->data[rr->off];
1623 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1624 goto end;
1625 }
163b8016
ME		 1626
1627 /*
1628 * After SSL_peek() the plaintext must still be stored in the
1629 * record.
1630 */
1631 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1632 goto end;
1633
1634 memset(sbuf, 0, sizeof(sbuf));
1635 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1636 goto end;
1637
1638 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1639 goto end;
1640
1641 /* Check if rbuf is cleansed */
1642 memset(cbuf, 0, sizeof(cbuf));
1643 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1644 goto end;
1645
1646 testresult = 1;
1647 end:
1648 SSL_free(serverssl);
1649 SSL_free(clientssl);
1650 SSL_CTX_free(sctx);
1651 SSL_CTX_free(cctx);
1652
1653 return testresult;
1654}
1655
1656static int test_cleanse_plaintext(void)
1657{
1658#if !defined(OPENSSL_NO_TLS1_2)
1659 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1660 TLS_client_method(),
1661 TLS1_2_VERSION,
1662 TLS1_2_VERSION)))
1663 return 0;
1664
1665#endif
1666
a763ca11 1667#if !defined(OSSL_NO_USABLE_TLS1_3)
163b8016
ME		 1668 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1669 TLS_client_method(),
1670 TLS1_3_VERSION,
1671 TLS1_3_VERSION)))
1672 return 0;
1673#endif
1674
1675#if !defined(OPENSSL_NO_DTLS)
8ce390e1 1676
163b8016
ME		 1677 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1678 DTLS_client_method(),
1679 DTLS1_VERSION,
1680 0)))
1681 return 0;
1682#endif
1683 return 1;
1684}
1685
8f8c11d8 1686#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 1687static int ocsp_server_cb(SSL *s, void *arg)
1688{
1689 int *argi = (int *)arg;
710756a9 1690 unsigned char *copy = NULL;
ba881d3b
MC		 1691 STACK_OF(OCSP_RESPID) *ids = NULL;
1692 OCSP_RESPID *id = NULL;
1693
1694 if (*argi == 2) {
1695 /* In this test we are expecting exactly 1 OCSP_RESPID */
1696 SSL_get_tlsext_status_ids(s, &ids);
1697 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1698 return SSL_TLSEXT_ERR_ALERT_FATAL;
1699
1700 id = sk_OCSP_RESPID_value(ids, 0);
5e30f2fd 1701 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
ba881d3b
MC		 1702 return SSL_TLSEXT_ERR_ALERT_FATAL;
1703 } else if (*argi != 1) {
1704 return SSL_TLSEXT_ERR_ALERT_FATAL;
1705 }
1706
710756a9 1707 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 1708 return SSL_TLSEXT_ERR_ALERT_FATAL;
1709
711d5a2f
P		 1710 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1711 sizeof(orespder)))) {
1712 OPENSSL_free(copy);
1713 return SSL_TLSEXT_ERR_ALERT_FATAL;
1714 }
ba881d3b 1715 ocsp_server_called = 1;
ba881d3b
MC		 1716 return SSL_TLSEXT_ERR_OK;
1717}
1718
1719static int ocsp_client_cb(SSL *s, void *arg)
1720{
1721 int *argi = (int *)arg;
1722 const unsigned char *respderin;
1723 size_t len;
1724
1725 if (*argi != 1 && *argi != 2)
1726 return 0;
1727
1728 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 1729 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 1730 return 0;
1731
1732 ocsp_client_called = 1;
ba881d3b
MC		 1733 return 1;
1734}
1735
2cb4b5f6
MC		 1736static int test_tlsext_status_type(void)
1737{
ba881d3b
MC		 1738 SSL_CTX *cctx = NULL, *sctx = NULL;
1739 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 1740 int testresult = 0;
ba881d3b
MC		 1741 STACK_OF(OCSP_RESPID) *ids = NULL;
1742 OCSP_RESPID *id = NULL;
1743 BIO *certbio = NULL;
2cb4b5f6 1744
5e30f2fd 1745 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
5c587fb6 1746 TLS1_VERSION, 0,
7d7f6834 1747 &sctx, &cctx, cert, privkey))
ba881d3b 1748 return 0;
2cb4b5f6 1749
710756a9 1750 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 1751 goto end;
2cb4b5f6 1752
ba881d3b 1753 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 1754
ba881d3b 1755 clientssl = SSL_new(cctx);
710756a9
RS		 1756 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1757 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1758 TLSEXT_STATUSTYPE_ocsp))
1759 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1760 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 1761 goto end;
2cb4b5f6 1762
ba881d3b
MC		 1763 SSL_free(clientssl);
1764 clientssl = NULL;
2cb4b5f6 1765
710756a9
RS		 1766 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1767 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1768 goto end;
2cb4b5f6 1769
ba881d3b 1770 clientssl = SSL_new(cctx);
710756a9 1771 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1772 goto end;
ba881d3b
MC		 1773 SSL_free(clientssl);
1774 clientssl = NULL;
1775
1776 /*
1777 * Now actually do a handshake and check OCSP information is exchanged and
1778 * the callbacks get called
1779 */
ba881d3b
MC		 1780 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1781 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1782 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1783 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 1784 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1785 &clientssl, NULL, NULL))
1786 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1787 SSL_ERROR_NONE))
1788 || !TEST_true(ocsp_client_called)
1789 || !TEST_true(ocsp_server_called))
ba881d3b 1790 goto end;
ba881d3b
MC		 1791 SSL_free(serverssl);
1792 SSL_free(clientssl);
1793 serverssl = NULL;
1794 clientssl = NULL;
1795
1796 /* Try again but this time force the server side callback to fail */
1797 ocsp_client_called = 0;
1798 ocsp_server_called = 0;
1799 cdummyarg = 0;
710756a9
RS		 1800 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1801 &clientssl, NULL, NULL))
1802 /* This should fail because the callback will fail */
1803 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1804 SSL_ERROR_NONE))
1805 || !TEST_false(ocsp_client_called)
1806 || !TEST_false(ocsp_server_called))
ba881d3b 1807 goto end;
ba881d3b
MC		 1808 SSL_free(serverssl);
1809 SSL_free(clientssl);
1810 serverssl = NULL;
1811 clientssl = NULL;
1812
1813 /*
1814 * This time we'll get the client to send an OCSP_RESPID that it will
1815 * accept.
1816 */
1817 ocsp_client_called = 0;
1818 ocsp_server_called = 0;
1819 cdummyarg = 2;
710756a9
RS		 1820 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1821 &clientssl, NULL, NULL)))
ba881d3b 1822 goto end;
ba881d3b
MC		 1823
1824 /*
1825 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 1826 * specific one. We'll use the server cert.
ba881d3b 1827 */
710756a9
RS		 1828 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1829 || !TEST_ptr(id = OCSP_RESPID_new())
1830 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
d8652be0 1831 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
6725682d 1832 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
5e30f2fd 1833 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
710756a9 1834 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 1835 goto end;
ba881d3b
MC		 1836 id = NULL;
1837 SSL_set_tlsext_status_ids(clientssl, ids);
1838 /* Control has been transferred */
1839 ids = NULL;
1840
1841 BIO_free(certbio);
1842 certbio = NULL;
1843
710756a9
RS		 1844 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1845 SSL_ERROR_NONE))
1846 || !TEST_true(ocsp_client_called)
1847 || !TEST_true(ocsp_server_called))
ba881d3b 1848 goto end;
ba881d3b 1849
2cb4b5f6
MC		 1850 testresult = 1;
1851
1852 end:
ba881d3b
MC		 1853 SSL_free(serverssl);
1854 SSL_free(clientssl);
1855 SSL_CTX_free(sctx);
1856 SSL_CTX_free(cctx);
1857 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1858 OCSP_RESPID_free(id);
1859 BIO_free(certbio);
1860 X509_free(ocspcert);
1861 ocspcert = NULL;
2cb4b5f6
MC		 1862
1863 return testresult;
1864}
8f8c11d8 1865#endif
2cb4b5f6 1866
a763ca11 1867#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 1868static int new_called, remove_called, get_called;
eaa776da 1869
eaa776da
MC		 1870static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1871{
1872 new_called++;
c0537ebd
MC		 1873 /*
1874 * sess has been up-refed for us, but we don't actually need it so free it
1875 * immediately.
1876 */
1877 SSL_SESSION_free(sess);
eaa776da
MC		 1878 return 1;
1879}
1880
1881static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1882{
1883 remove_called++;
1884}
1885
7a301f08
MC		 1886static SSL_SESSION *get_sess_val = NULL;
1887
1888static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1889 int *copy)
1890{
0afca811 1891 get_called++;
7a301f08
MC		 1892 *copy = 1;
1893 return get_sess_val;
1894}
1895
7a301f08 1896static int execute_test_session(int maxprot, int use_int_cache,
90fc2c26 1897 int use_ext_cache, long s_options)
2cb4b5f6
MC		 1898{
1899 SSL_CTX *sctx = NULL, *cctx = NULL;
1900 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1901 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 1902# ifndef OPENSSL_NO_TLS1_1
eaa776da 1903 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 1904# endif
2cb4b5f6 1905 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
36ff232c 1906 int testresult = 0, numnewsesstick = 1;
2cb4b5f6 1907
7e885b7b
P		 1908 new_called = remove_called = 0;
1909
36ff232c
MC		 1910 /* TLSv1.3 sends 2 NewSessionTickets */
1911 if (maxprot == TLS1_3_VERSION)
1912 numnewsesstick = 2;
1913
5e30f2fd
MC		 1914 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1915 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 1916 &sctx, &cctx, cert, privkey)))
2cb4b5f6 1917 return 0;
2cb4b5f6 1918
7a301f08
MC		 1919 /*
1920 * Only allow the max protocol version so we can force a connection failure
1921 * later
1922 */
1923 SSL_CTX_set_min_proto_version(cctx, maxprot);
1924 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 1925
1926 /* Set up session cache */
7e885b7b 1927 if (use_ext_cache) {
eaa776da
MC		 1928 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1929 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1930 }
7e885b7b 1931 if (use_int_cache) {
eaa776da
MC		 1932 /* Also covers instance where both are set */
1933 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1934 } else {
1935 SSL_CTX_set_session_cache_mode(cctx,
1936 SSL_SESS_CACHE_CLIENT
1937 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1938 }
2cb4b5f6 1939
90fc2c26
NM		 1940 if (s_options) {
1941 SSL_CTX_set_options(sctx, s_options);
1942 }
1943
710756a9
RS		 1944 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1945 NULL, NULL))
1946 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1947 SSL_ERROR_NONE))
1948 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 1949 goto end;
2cb4b5f6 1950
710756a9 1951 /* Should fail because it should already be in the cache */
7e885b7b 1952 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 1953 goto end;
7a301f08 1954 if (use_ext_cache
36ff232c
MC		 1955 && (!TEST_int_eq(new_called, numnewsesstick)
1956
1957 || !TEST_int_eq(remove_called, 0)))
b4982125 1958 goto end;
b4982125 1959
c0537ebd
MC		 1960 new_called = remove_called = 0;
1961 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1962 &clientssl2, NULL, NULL))
1963 || !TEST_true(SSL_set_session(clientssl2, sess1))
1964 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1965 SSL_ERROR_NONE))
1966 || !TEST_true(SSL_session_reused(clientssl2)))
1967 goto end;
1968
7a301f08
MC		 1969 if (maxprot == TLS1_3_VERSION) {
1970 /*
1971 * In TLSv1.3 we should have created a new session even though we have
4cb00457
MC		 1972 * resumed. Since we attempted a resume we should also have removed the
1973 * old ticket from the cache so that we try to only use tickets once.
7a301f08
MC		 1974 */
1975 if (use_ext_cache
1976 && (!TEST_int_eq(new_called, 1)
4cb00457 1977 || !TEST_int_eq(remove_called, 1)))
7a301f08
MC		 1978 goto end;
1979 } else {
1980 /*
1981 * In TLSv1.2 we expect to have resumed so no sessions added or
1982 * removed.
1983 */
1984 if (use_ext_cache
1985 && (!TEST_int_eq(new_called, 0)
1986 || !TEST_int_eq(remove_called, 0)))
1987 goto end;
1988 }
c0537ebd
MC		 1989
1990 SSL_SESSION_free(sess1);
1991 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1992 goto end;
1993 shutdown_ssl_connection(serverssl2, clientssl2);
1994 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 1995
1996 new_called = remove_called = 0;
710756a9
RS		 1997 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1998 &clientssl2, NULL, NULL))
1999 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2000 SSL_ERROR_NONE)))
2cb4b5f6 2001 goto end;
2cb4b5f6 2002
710756a9 2003 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 2004 goto end;
2cb4b5f6 2005
7a301f08 2006 if (use_ext_cache
36ff232c
MC		 2007 && (!TEST_int_eq(new_called, numnewsesstick)
2008 || !TEST_int_eq(remove_called, 0)))
eaa776da 2009 goto end;
eaa776da 2010
c0537ebd 2011 new_called = remove_called = 0;
2cb4b5f6 2012 /*
710756a9
RS		 2013 * This should clear sess2 from the cache because it is a "bad" session.
2014 * See SSL_set_session() documentation.
2cb4b5f6 2015 */
710756a9 2016 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 2017 goto end;
7a301f08
MC		 2018 if (use_ext_cache
2019 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 2020 goto end;
710756a9 2021 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 2022 goto end;
2cb4b5f6 2023
7e885b7b 2024 if (use_int_cache) {
710756a9
RS		 2025 /* Should succeeded because it should not already be in the cache */
2026 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
2027 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 2028 goto end;
eaa776da
MC		 2029 }
2030
c0537ebd 2031 new_called = remove_called = 0;
eaa776da 2032 /* This shouldn't be in the cache so should fail */
710756a9 2033 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 2034 goto end;
2cb4b5f6 2035
7a301f08
MC		 2036 if (use_ext_cache
2037 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 2038 goto end;
2cb4b5f6 2039
bf208d95 2040# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 2041 new_called = remove_called = 0;
eaa776da
MC		 2042 /* Force a connection failure */
2043 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 2044 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2045 &clientssl3, NULL, NULL))
2046 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 2047 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 2048 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2049 SSL_ERROR_NONE)))
eaa776da 2050 goto end;
b4982125 2051
eaa776da 2052 /* We should have automatically removed the session from the cache */
7a301f08
MC		 2053 if (use_ext_cache
2054 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 2055 goto end;
2cb4b5f6 2056
710756a9 2057 /* Should succeed because it should not already be in the cache */
7e885b7b 2058 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 2059 goto end;
bf208d95 2060# endif
eaa776da 2061
7a301f08
MC		 2062 /* Now do some tests for server side caching */
2063 if (use_ext_cache) {
2064 SSL_CTX_sess_set_new_cb(cctx, NULL);
2065 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2066 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2067 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2068 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2069 get_sess_val = NULL;
2070 }
2071
2072 SSL_CTX_set_session_cache_mode(cctx, 0);
2073 /* Internal caching is the default on the server side */
2074 if (!use_int_cache)
2075 SSL_CTX_set_session_cache_mode(sctx,
2076 SSL_SESS_CACHE_SERVER
2077 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2078
2079 SSL_free(serverssl1);
2080 SSL_free(clientssl1);
2081 serverssl1 = clientssl1 = NULL;
2082 SSL_free(serverssl2);
2083 SSL_free(clientssl2);
2084 serverssl2 = clientssl2 = NULL;
2085 SSL_SESSION_free(sess1);
2086 sess1 = NULL;
2087 SSL_SESSION_free(sess2);
2088 sess2 = NULL;
2089
2090 SSL_CTX_set_max_proto_version(sctx, maxprot);
6cc0b3c2
MC		 2091 if (maxprot == TLS1_2_VERSION)
2092 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 2093 new_called = remove_called = get_called = 0;
7a301f08
MC		 2094 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2095 NULL, NULL))
2096 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2097 SSL_ERROR_NONE))
2098 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2099 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2100 goto end;
2101
ee94ec2e
MC		 2102 if (use_int_cache) {
2103 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2104 /*
2105 * In TLSv1.3 it should not have been added to the internal cache,
2106 * except in the case where we also have an external cache (in that
2107 * case it gets added to the cache in order to generate remove
2108 * events after timeout).
2109 */
2110 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2111 goto end;
2112 } else {
2113 /* Should fail because it should already be in the cache */
2114 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2115 goto end;
2116 }
2117 }
7a301f08
MC		 2118
2119 if (use_ext_cache) {
2120 SSL_SESSION *tmp = sess2;
2121
36ff232c 2122 if (!TEST_int_eq(new_called, numnewsesstick)
0afca811
KY		 2123 || !TEST_int_eq(remove_called, 0)
2124 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 2125 goto end;
2126 /*
2127 * Delete the session from the internal cache to force a lookup from
2128 * the external cache. We take a copy first because
2129 * SSL_CTX_remove_session() also marks the session as non-resumable.
2130 */
ee94ec2e 2131 if (use_int_cache && maxprot != TLS1_3_VERSION) {
3cb6a4d6
BK		 2132 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2133 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2134 goto end;
2135 SSL_SESSION_free(sess2);
2136 }
7a301f08
MC		 2137 sess2 = tmp;
2138 }
2139
0afca811 2140 new_called = remove_called = get_called = 0;
7a301f08
MC		 2141 get_sess_val = sess2;
2142 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2143 &clientssl2, NULL, NULL))
2144 || !TEST_true(SSL_set_session(clientssl2, sess1))
2145 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2146 SSL_ERROR_NONE))
2147 || !TEST_true(SSL_session_reused(clientssl2)))
2148 goto end;
2149
0afca811 2150 if (use_ext_cache) {
32305f88 2151 if (!TEST_int_eq(remove_called, 0))
0afca811
KY		 2152 goto end;
2153
2154 if (maxprot == TLS1_3_VERSION) {
32305f88
MC		 2155 if (!TEST_int_eq(new_called, 1)
2156 || !TEST_int_eq(get_called, 0))
0afca811
KY		 2157 goto end;
2158 } else {
32305f88
MC		 2159 if (!TEST_int_eq(new_called, 0)
2160 || !TEST_int_eq(get_called, 1))
0afca811
KY		 2161 goto end;
2162 }
2163 }
4842a27b
TS		 2164 /*
2165 * Make a small cache, force out all other sessions but
2166 * sess2, try to add sess1, which should succeed. Then
2167 * make sure it's there by checking the owners. Despite
2168 * the timeouts, sess1 should have kicked out sess2
2169 */
2170
2171 /* Make sess1 expire before sess2 */
2172 if (!TEST_long_gt(SSL_SESSION_set_time(sess1, 1000), 0)
2173 || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0)
2174 || !TEST_long_gt(SSL_SESSION_set_time(sess2, 2000), 0)
2175 || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0))
2176 goto end;
2177
2178 if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0))
2179 goto end;
2180
2181 /* Don't care about results - cache should only be sess2 at end */
2182 SSL_CTX_add_session(sctx, sess1);
2183 SSL_CTX_add_session(sctx, sess2);
2184
2185 /* Now add sess1, and make sure it remains, despite timeout */
2186 if (!TEST_true(SSL_CTX_add_session(sctx, sess1))
2187 || !TEST_ptr(sess1->owner)
2188 || !TEST_ptr_null(sess2->owner))
2189 goto end;
7a301f08 2190
2cb4b5f6 2191 testresult = 1;
eaa776da 2192
2cb4b5f6
MC		 2193 end:
2194 SSL_free(serverssl1);
2195 SSL_free(clientssl1);
2196 SSL_free(serverssl2);
2197 SSL_free(clientssl2);
bf208d95 2198# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 2199 SSL_free(serverssl3);
2200 SSL_free(clientssl3);
bf208d95 2201# endif
2cb4b5f6
MC		 2202 SSL_SESSION_free(sess1);
2203 SSL_SESSION_free(sess2);
2204 SSL_CTX_free(sctx);
2205 SSL_CTX_free(cctx);
2206
2207 return testresult;
2208}
a763ca11 2209#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 2210
7fb4c820
MC		 2211static int test_session_with_only_int_cache(void)
2212{
a763ca11 2213#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2214 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
7a301f08
MC		 2215 return 0;
2216#endif
2217
2218#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2219 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
7a301f08
MC		 2220#else
2221 return 1;
2222#endif
eaa776da
MC		 2223}
2224
7fb4c820
MC		 2225static int test_session_with_only_ext_cache(void)
2226{
a763ca11 2227#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2228 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
7a301f08
MC		 2229 return 0;
2230#endif
2231
2232#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2233 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
7a301f08
MC		 2234#else
2235 return 1;
2236#endif
eaa776da
MC		 2237}
2238
7fb4c820
MC		 2239static int test_session_with_both_cache(void)
2240{
a763ca11 2241#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26
NM		 2242 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2243 return 0;
2244#endif
2245
2246#ifndef OPENSSL_NO_TLS1_2
2247 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2248#else
2249 return 1;
2250#endif
2251}
2252
2253static int test_session_wo_ca_names(void)
2254{
a763ca11 2255#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2256 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
7a301f08
MC		 2257 return 0;
2258#endif
2259
2260#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2261 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
7a301f08
MC		 2262#else
2263 return 1;
2264#endif
eaa776da
MC		 2265}
2266
90fc2c26 2267
a763ca11 2268#ifndef OSSL_NO_USABLE_TLS1_3
c22365b3
MC		 2269static SSL_SESSION *sesscache[6];
2270static int do_cache;
36ff232c
MC		 2271
2272static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2273{
c22365b3
MC		 2274 if (do_cache) {
2275 sesscache[new_called] = sess;
2276 } else {
2277 /* We don't need the reference to the session, so free it */
2278 SSL_SESSION_free(sess);
2279 }
2280 new_called++;
2281
2282 return 1;
2283}
2284
2285static int post_handshake_verify(SSL *sssl, SSL *cssl)
2286{
2287 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2288 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2289 return 0;
2290
2291 /* Start handshake on the server and client */
2292 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2293 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2294 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2295 || !TEST_true(create_ssl_connection(sssl, cssl,
2296 SSL_ERROR_NONE)))
2297 return 0;
36ff232c
MC		 2298
2299 return 1;
2300}
2301
fbe9dafd 2302static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
03cdf559
MC		 2303 SSL_CTX **cctx)
2304{
2305 int sess_id_ctx = 1;
2306
5e30f2fd
MC		 2307 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2308 TLS_client_method(), TLS1_VERSION, 0,
2309 sctx, cctx, cert, privkey))
03cdf559
MC		 2310 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2311 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2312 (void *)&sess_id_ctx,
2313 sizeof(sess_id_ctx))))
2314 return 0;
2315
2316 if (stateful)
2317 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2318
2319 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2320 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2321 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2322
2323 return 1;
2324}
2325
2326static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2327{
2328 SSL *serverssl = NULL, *clientssl = NULL;
2329 int i;
2330
2331 /* Test that we can resume with all the tickets we got given */
2332 for (i = 0; i < idx * 2; i++) {
2333 new_called = 0;
2334 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2335 &clientssl, NULL, NULL))
2336 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2337 goto end;
2338
32097b33 2339 SSL_set_post_handshake_auth(clientssl, 1);
03cdf559
MC		 2340
2341 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2342 SSL_ERROR_NONE)))
2343 goto end;
2344
2345 /*
2346 * Following a successful resumption we only get 1 ticket. After a
2347 * failed one we should get idx tickets.
2348 */
2349 if (succ) {
2350 if (!TEST_true(SSL_session_reused(clientssl))
2351 || !TEST_int_eq(new_called, 1))
2352 goto end;
2353 } else {
2354 if (!TEST_false(SSL_session_reused(clientssl))
2355 || !TEST_int_eq(new_called, idx))
2356 goto end;
2357 }
2358
2359 new_called = 0;
2360 /* After a post-handshake authentication we should get 1 new ticket */
2361 if (succ
2362 && (!post_handshake_verify(serverssl, clientssl)
2363 || !TEST_int_eq(new_called, 1)))
2364 goto end;
2365
2366 SSL_shutdown(clientssl);
2367 SSL_shutdown(serverssl);
2368 SSL_free(serverssl);
2369 SSL_free(clientssl);
2370 serverssl = clientssl = NULL;
2371 SSL_SESSION_free(sesscache[i]);
2372 sesscache[i] = NULL;
2373 }
2374
2375 return 1;
2376
2377 end:
2378 SSL_free(clientssl);
2379 SSL_free(serverssl);
2380 return 0;
2381}
2382
04d7814a 2383static int test_tickets(int stateful, int idx)
36ff232c
MC		 2384{
2385 SSL_CTX *sctx = NULL, *cctx = NULL;
2386 SSL *serverssl = NULL, *clientssl = NULL;
03cdf559 2387 int testresult = 0;
36ff232c
MC		 2388 size_t j;
2389
2390 /* idx is the test number, but also the number of tickets we want */
2391
2392 new_called = 0;
c22365b3 2393 do_cache = 1;
36ff232c 2394
fbe9dafd 2395 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
36ff232c
MC		 2396 goto end;
2397
03cdf559
MC		 2398 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2399 &clientssl, NULL, NULL)))
2400 goto end;
2401
2402 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2403 SSL_ERROR_NONE))
2404 /* Check we got the number of tickets we were expecting */
2405 || !TEST_int_eq(idx, new_called))
2406 goto end;
04d7814a 2407
03cdf559
MC		 2408 SSL_shutdown(clientssl);
2409 SSL_shutdown(serverssl);
2410 SSL_free(serverssl);
2411 SSL_free(clientssl);
2412 SSL_CTX_free(sctx);
2413 SSL_CTX_free(cctx);
2414 clientssl = serverssl = NULL;
2415 sctx = cctx = NULL;
2416
2417 /*
2418 * Now we try to resume with the tickets we previously created. The
2419 * resumption attempt is expected to fail (because we're now using a new
2420 * SSL_CTX). We should see idx number of tickets issued again.
2421 */
2422
2423 /* Stop caching sessions - just count them */
2424 do_cache = 0;
2425
fbe9dafd 2426 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559
MC		 2427 goto end;
2428
2429 if (!check_resumption(idx, sctx, cctx, 0))
2430 goto end;
2431
2432 /* Start again with caching sessions */
2433 new_called = 0;
2434 do_cache = 1;
fbe9dafd
MC		 2435 SSL_CTX_free(sctx);
2436 SSL_CTX_free(cctx);
2437 sctx = cctx = NULL;
03cdf559 2438
fbe9dafd 2439 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559 2440 goto end;
36ff232c
MC		 2441
2442 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2443 &clientssl, NULL, NULL)))
2444 goto end;
2445
32097b33 2446 SSL_set_post_handshake_auth(clientssl, 1);
36ff232c
MC		 2447
2448 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2449 SSL_ERROR_NONE))
2450 /* Check we got the number of tickets we were expecting */
2451 || !TEST_int_eq(idx, new_called))
2452 goto end;
2453
2454 /* After a post-handshake authentication we should get new tickets issued */
c22365b3 2455 if (!post_handshake_verify(serverssl, clientssl)
36ff232c
MC		 2456 || !TEST_int_eq(idx * 2, new_called))
2457 goto end;
2458
36ff232c
MC		 2459 SSL_shutdown(clientssl);
2460 SSL_shutdown(serverssl);
2461 SSL_free(serverssl);
2462 SSL_free(clientssl);
2463 serverssl = clientssl = NULL;
2464
c22365b3
MC		 2465 /* Stop caching sessions - just count them */
2466 do_cache = 0;
2467
03cdf559
MC		 2468 /*
2469 * Check we can resume with all the tickets we created. This time around the
2470 * resumptions should all be successful.
2471 */
2472 if (!check_resumption(idx, sctx, cctx, 1))
2473 goto end;
36ff232c
MC		 2474
2475 testresult = 1;
2476
2477 end:
2478 SSL_free(serverssl);
2479 SSL_free(clientssl);
c22365b3 2480 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
36ff232c 2481 SSL_SESSION_free(sesscache[j]);
c22365b3
MC		 2482 sesscache[j] = NULL;
2483 }
36ff232c
MC		 2484 SSL_CTX_free(sctx);
2485 SSL_CTX_free(cctx);
2486
2487 return testresult;
2488}
04d7814a
MC		 2489
2490static int test_stateless_tickets(int idx)
2491{
2492 return test_tickets(0, idx);
2493}
2494
2495static int test_stateful_tickets(int idx)
2496{
2497 return test_tickets(1, idx);
2498}
8614a4eb
MC		 2499
2500static int test_psk_tickets(void)
2501{
2502 SSL_CTX *sctx = NULL, *cctx = NULL;
2503 SSL *serverssl = NULL, *clientssl = NULL;
2504 int testresult = 0;
2505 int sess_id_ctx = 1;
2506
5e30f2fd
MC		 2507 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2508 TLS_client_method(), TLS1_VERSION, 0,
2509 &sctx, &cctx, NULL, NULL))
8614a4eb
MC		 2510 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2511 (void *)&sess_id_ctx,
2512 sizeof(sess_id_ctx))))
2513 goto end;
2514
2515 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2516 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2517 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2518 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2519 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2520 use_session_cb_cnt = 0;
2521 find_session_cb_cnt = 0;
2522 srvid = pskid;
2523 new_called = 0;
2524
2525 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2526 NULL, NULL)))
2527 goto end;
2528 clientpsk = serverpsk = create_a_psk(clientssl);
2529 if (!TEST_ptr(clientpsk))
2530 goto end;
2531 SSL_SESSION_up_ref(clientpsk);
2532
2533 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2534 SSL_ERROR_NONE))
2535 || !TEST_int_eq(1, find_session_cb_cnt)
2536 || !TEST_int_eq(1, use_session_cb_cnt)
2537 /* We should always get 1 ticket when using external PSK */
2538 || !TEST_int_eq(1, new_called))
2539 goto end;
2540
2541 testresult = 1;
2542
2543 end:
2544 SSL_free(serverssl);
2545 SSL_free(clientssl);
2546 SSL_CTX_free(sctx);
2547 SSL_CTX_free(cctx);
2548 SSL_SESSION_free(clientpsk);
2549 SSL_SESSION_free(serverpsk);
2550 clientpsk = serverpsk = NULL;
2551
2552 return testresult;
2553}
f0049b86
BK		 2554
2555static int test_extra_tickets(int idx)
2556{
2557 SSL_CTX *sctx = NULL, *cctx = NULL;
2558 SSL *serverssl = NULL, *clientssl = NULL;
2559 BIO *bretry = BIO_new(bio_s_always_retry());
2560 BIO *tmp = NULL;
2561 int testresult = 0;
2562 int stateful = 0;
2563 size_t nbytes;
2564 unsigned char c, buf[1];
2565
2566 new_called = 0;
2567 do_cache = 1;
2568
2569 if (idx >= 3) {
2570 idx -= 3;
2571 stateful = 1;
2572 }
2573
2574 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2575 goto end;
2576 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2577 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2578 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2579
2580 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2581 &clientssl, NULL, NULL)))
2582 goto end;
2583
2584 /*
2585 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2586 * incremented by both client and server.
2587 */
2588 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2589 SSL_ERROR_NONE))
2590 /* Check we got the number of tickets we were expecting */
2591 || !TEST_int_eq(idx * 2, new_called)
2592 || !TEST_true(SSL_new_session_ticket(serverssl))
2593 || !TEST_true(SSL_new_session_ticket(serverssl))
2594 || !TEST_int_eq(idx * 2, new_called))
2595 goto end;
2596
2597 /* Now try a (real) write to actually send the tickets */
2598 c = '1';
2599 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2600 || !TEST_size_t_eq(1, nbytes)
2601 || !TEST_int_eq(idx * 2 + 2, new_called)
2602 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2603 || !TEST_int_eq(idx * 2 + 4, new_called)
2604 || !TEST_int_eq(sizeof(buf), nbytes)
2605 || !TEST_int_eq(c, buf[0])
2606 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2607 goto end;
2608
2609 /* Try with only requesting one new ticket, too */
2610 c = '2';
2611 new_called = 0;
2612 if (!TEST_true(SSL_new_session_ticket(serverssl))
2613 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2614 || !TEST_size_t_eq(sizeof(c), nbytes)
2615 || !TEST_int_eq(1, new_called)
2616 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2617 || !TEST_int_eq(2, new_called)
2618 || !TEST_size_t_eq(sizeof(buf), nbytes)
2619 || !TEST_int_eq(c, buf[0]))
2620 goto end;
2621
2622 /* Do it again but use dummy writes to drive the ticket generation */
2623 c = '3';
2624 new_called = 0;
2625 if (!TEST_true(SSL_new_session_ticket(serverssl))
2626 || !TEST_true(SSL_new_session_ticket(serverssl))
2627 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2628 || !TEST_size_t_eq(0, nbytes)
2629 || !TEST_int_eq(2, new_called)
2630 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2631 || !TEST_int_eq(4, new_called))
2632 goto end;
2633
a0bbcb42
BK		 2634 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2635 c = '4';
2636 new_called = 0;
2637 if (!TEST_true(SSL_new_session_ticket(serverssl))
2638 || !TEST_true(SSL_new_session_ticket(serverssl))
2639 || !TEST_true(SSL_do_handshake(serverssl))
2640 || !TEST_int_eq(2, new_called)
2641 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2642 || !TEST_int_eq(4, new_called))
2643 goto end;
2644
f0049b86
BK		 2645 /*
2646 * Use the always-retry BIO to exercise the logic that forces ticket
2647 * generation to wait until a record boundary.
2648 */
a0bbcb42 2649 c = '5';
f0049b86
BK		 2650 new_called = 0;
2651 tmp = SSL_get_wbio(serverssl);
2652 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2653 tmp = NULL;
2654 goto end;
2655 }
2656 SSL_set0_wbio(serverssl, bretry);
2657 bretry = NULL;
2658 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2659 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2660 || !TEST_size_t_eq(nbytes, 0))
2661 goto end;
2662 /* Restore a BIO that will let the write succeed */
2663 SSL_set0_wbio(serverssl, tmp);
2664 tmp = NULL;
a0bbcb42
BK		 2665 /*
2666 * These calls should just queue the request and not send anything
2667 * even if we explicitly try to hit the state machine.
2668 */
f0049b86
BK		 2669 if (!TEST_true(SSL_new_session_ticket(serverssl))
2670 || !TEST_true(SSL_new_session_ticket(serverssl))
a0bbcb42
BK		 2671 || !TEST_int_eq(0, new_called)
2672 || !TEST_true(SSL_do_handshake(serverssl))
f0049b86
BK		 2673 || !TEST_int_eq(0, new_called))
2674 goto end;
2675 /* Re-do the write; still no tickets sent */
2676 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2677 || !TEST_size_t_eq(1, nbytes)
2678 || !TEST_int_eq(0, new_called)
2679 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2680 || !TEST_int_eq(0, new_called)
2681 || !TEST_int_eq(sizeof(buf), nbytes)
2682 || !TEST_int_eq(c, buf[0])
2683 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2684 goto end;
a0bbcb42
BK		 2685 /* Even trying to hit the state machine now will still not send tickets */
2686 if (!TEST_true(SSL_do_handshake(serverssl))
2687 || !TEST_int_eq(0, new_called))
2688 goto end;
f0049b86 2689 /* Now the *next* write should send the tickets */
a0bbcb42 2690 c = '6';
f0049b86
BK		 2691 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2692 || !TEST_size_t_eq(1, nbytes)
2693 || !TEST_int_eq(2, new_called)
2694 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2695 || !TEST_int_eq(4, new_called)
2696 || !TEST_int_eq(sizeof(buf), nbytes)
2697 || !TEST_int_eq(c, buf[0])
2698 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2699 goto end;
2700
2701 SSL_shutdown(clientssl);
2702 SSL_shutdown(serverssl);
2703 testresult = 1;
2704
2705 end:
2706 BIO_free(bretry);
2707 BIO_free(tmp);
2708 SSL_free(serverssl);
2709 SSL_free(clientssl);
2710 SSL_CTX_free(sctx);
2711 SSL_CTX_free(cctx);
2712 clientssl = serverssl = NULL;
2713 sctx = cctx = NULL;
2714 return testresult;
2715}
04225915 2716#endif
36ff232c 2717
7d4488bb
MC		 2718#define USE_NULL 0
2719#define USE_BIO_1 1
2720#define USE_BIO_2 2
2721#define USE_DEFAULT 3
2722
2723#define CONNTYPE_CONNECTION_SUCCESS 0
2724#define CONNTYPE_CONNECTION_FAIL 1
2725#define CONNTYPE_NO_CONNECTION 2
2726
2727#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2728#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
a763ca11 2729#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
7d4488bb
MC		 2730# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2731#else
2732# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2733#endif
2734
7d4488bb
MC		 2735#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2736 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2737 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
7fb4c820
MC		 2738
2739static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2740{
2741 switch (type) {
2742 case USE_NULL:
2743 *res = NULL;
2744 break;
2745 case USE_BIO_1:
2746 *res = bio1;
2747 break;
2748 case USE_BIO_2:
2749 *res = bio2;
2750 break;
2751 }
2752}
2753
7d4488bb
MC		 2754
2755/*
2756 * Tests calls to SSL_set_bio() under various conditions.
2757 *
2758 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2759 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2760 * then do more tests where we create a successful connection first using our
2761 * standard connection setup functions, and then call SSL_set_bio() with
2762 * various combinations of valid BIOs or NULL. We then repeat these tests
2763 * following a failed connection. In this last case we are looking to check that
2764 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2765 */
7fb4c820
MC		 2766static int test_ssl_set_bio(int idx)
2767{
7d4488bb 2768 SSL_CTX *sctx = NULL, *cctx = NULL;
7fb4c820
MC		 2769 BIO *bio1 = NULL;
2770 BIO *bio2 = NULL;
0fae8150 2771 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7d4488bb
MC		 2772 SSL *serverssl = NULL, *clientssl = NULL;
2773 int initrbio, initwbio, newrbio, newwbio, conntype;
7fb4c820
MC		 2774 int testresult = 0;
2775
7d4488bb
MC		 2776 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2777 initrbio = idx % 3;
2778 idx /= 3;
2779 initwbio = idx % 3;
2780 idx /= 3;
2781 newrbio = idx % 3;
2782 idx /= 3;
2783 newwbio = idx % 3;
2784 conntype = CONNTYPE_NO_CONNECTION;
2785 } else {
2786 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2787 initrbio = initwbio = USE_DEFAULT;
2788 newrbio = idx % 2;
2789 idx /= 2;
2790 newwbio = idx % 2;
2791 idx /= 2;
2792 conntype = idx % 2;
2793 }
710756a9 2794
5e30f2fd
MC		 2795 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2796 TLS_client_method(), TLS1_VERSION, 0,
7d4488bb
MC		 2797 &sctx, &cctx, cert, privkey)))
2798 goto end;
2799
2800 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2801 /*
2802 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2803 * because we reduced the number of tests in the definition of
2804 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2805 * mismatched protocol versions we will force a connection failure.
2806 */
2807 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2808 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2809 }
2810
2811 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2812 NULL, NULL)))
710756a9 2813 goto end;
7fb4c820 2814
710756a9
RS		 2815 if (initrbio == USE_BIO_1
2816 || initwbio == USE_BIO_1
2817 || newrbio == USE_BIO_1
7fb4c820 2818 || newwbio == USE_BIO_1) {
710756a9 2819 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 2820 goto end;
7fb4c820
MC		 2821 }
2822
710756a9
RS		 2823 if (initrbio == USE_BIO_2
2824 || initwbio == USE_BIO_2
2825 || newrbio == USE_BIO_2
7fb4c820 2826 || newwbio == USE_BIO_2) {
710756a9 2827 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 2828 goto end;
7fb4c820
MC		 2829 }
2830
7d4488bb
MC		 2831 if (initrbio != USE_DEFAULT) {
2832 setupbio(&irbio, bio1, bio2, initrbio);
2833 setupbio(&iwbio, bio1, bio2, initwbio);
2834 SSL_set_bio(clientssl, irbio, iwbio);
7fb4c820 2835
7d4488bb
MC		 2836 /*
2837 * We want to maintain our own refs to these BIO, so do an up ref for
2838 * each BIO that will have ownership transferred in the SSL_set_bio()
2839 * call
2840 */
2841 if (irbio != NULL)
2842 BIO_up_ref(irbio);
2843 if (iwbio != NULL && iwbio != irbio)
2844 BIO_up_ref(iwbio);
2845 }
7fb4c820 2846
7d4488bb
MC		 2847 if (conntype != CONNTYPE_NO_CONNECTION
2848 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2849 SSL_ERROR_NONE)
2850 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2851 goto end;
7fb4c820
MC		 2852
2853 setupbio(&nrbio, bio1, bio2, newrbio);
2854 setupbio(&nwbio, bio1, bio2, newwbio);
2855
2856 /*
2857 * We will (maybe) transfer ownership again so do more up refs.
2858 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2859 * already been set!
2860 */
710756a9
RS		 2861 if (nrbio != NULL
2862 && nrbio != irbio
2863 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 2864 BIO_up_ref(nrbio);
710756a9
RS		 2865 if (nwbio != NULL
2866 && nwbio != nrbio
2867 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 2868 BIO_up_ref(nwbio);
2869
7d4488bb 2870 SSL_set_bio(clientssl, nrbio, nwbio);
7fb4c820
MC		 2871
2872 testresult = 1;
2873
2874 end:
7fb4c820
MC		 2875 BIO_free(bio1);
2876 BIO_free(bio2);
710756a9 2877
7fb4c820
MC		 2878 /*
2879 * This test is checking that the ref counting for SSL_set_bio is correct.
2880 * If we get here and we did too many frees then we will fail in the above
742ccab3 2881 * functions.
7fb4c820 2882 */
7d4488bb
MC		 2883 SSL_free(serverssl);
2884 SSL_free(clientssl);
2885 SSL_CTX_free(sctx);
2886 SSL_CTX_free(cctx);
7fb4c820
MC		 2887 return testresult;
2888}
2889
7e885b7b 2890typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 2891
7e885b7b 2892static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 2893{
2894 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 2895 SSL_CTX *ctx;
9a716987
MC		 2896 SSL *ssl = NULL;
2897 int testresult = 0;
2898
d8652be0 2899 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
710756a9
RS		 2900 || !TEST_ptr(ssl = SSL_new(ctx))
2901 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2902 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 2903 goto end;
9a716987
MC		 2904
2905 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2906
2907 /*
742ccab3 2908 * If anything goes wrong here then we could leak memory.
9a716987
MC		 2909 */
2910 BIO_push(sslbio, membio1);
2911
69687aa8 2912 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 2913 if (change_bio != NO_BIO_CHANGE) {
493e7898
NX		 2914 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
2915 ssl = NULL;
9a716987 2916 goto end;
493e7898 2917 }
7e885b7b 2918 if (change_bio == CHANGE_RBIO)
65e2d672 2919 SSL_set0_rbio(ssl, membio2);
9a716987 2920 else
65e2d672 2921 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 2922 }
2923 ssl = NULL;
2924
7e885b7b 2925 if (pop_ssl)
9a716987
MC		 2926 BIO_pop(sslbio);
2927 else
2928 BIO_pop(membio1);
2929
2930 testresult = 1;
2931 end:
2932 BIO_free(membio1);
2933 BIO_free(sslbio);
2934 SSL_free(ssl);
2935 SSL_CTX_free(ctx);
2936
2937 return testresult;
2938}
2939
2940static int test_ssl_bio_pop_next_bio(void)
2941{
7e885b7b 2942 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 2943}
2944
2945static int test_ssl_bio_pop_ssl_bio(void)
2946{
7e885b7b 2947 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 2948}
2949
2950static int test_ssl_bio_change_rbio(void)
2951{
7e885b7b 2952 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 2953}
2954
2955static int test_ssl_bio_change_wbio(void)
2956{
7e885b7b 2957 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 2958}
2959
a763ca11 2960#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
f1b25aae
MC		 2961typedef struct {
2962 /* The list of sig algs */
2963 const int *list;
2964 /* The length of the list */
2965 size_t listlen;
2966 /* A sigalgs list in string format */
2967 const char *liststr;
2968 /* Whether setting the list should succeed */
2969 int valid;
2970 /* Whether creating a connection with the list should succeed */
2971 int connsuccess;
2972} sigalgs_list;
2973
2974static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 2975# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2976static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2977static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 2978# endif
f1b25aae
MC		 2979static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2980static const int invalidlist2[] = {NID_sha256, NID_undef};
2981static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2982static const int invalidlist4[] = {NID_sha256};
2983static const sigalgs_list testsigalgs[] = {
2984 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 2985# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2986 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2987 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 2988# endif
f1b25aae 2989 {NULL, 0, "RSA+SHA256", 1, 1},
c423ecaa 2990# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2991 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2992 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 2993# endif
f1b25aae
MC		 2994 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2995 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2996 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2997 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2998 {NULL, 0, "RSA", 0, 0},
2999 {NULL, 0, "SHA256", 0, 0},
3000 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 3001 {NULL, 0, "Invalid", 0, 0}
3002};
f1b25aae
MC		 3003
3004static int test_set_sigalgs(int idx)
3005{
3006 SSL_CTX *cctx = NULL, *sctx = NULL;
3007 SSL *clientssl = NULL, *serverssl = NULL;
3008 int testresult = 0;
3009 const sigalgs_list *curr;
3010 int testctx;
3011
3012 /* Should never happen */
710756a9 3013 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 3014 return 0;
3015
3016 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
3017 curr = testctx ? &testsigalgs[idx]
3018 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
3019
5e30f2fd
MC		 3020 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3021 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 3022 &sctx, &cctx, cert, privkey)))
f1b25aae 3023 return 0;
f1b25aae 3024
d2e491f2
MC		 3025 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
3026
f1b25aae
MC		 3027 if (testctx) {
3028 int ret;
710756a9 3029
f1b25aae
MC		 3030 if (curr->list != NULL)
3031 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
3032 else
3033 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
3034
3035 if (!ret) {
3036 if (curr->valid)
710756a9 3037 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 3038 else
3039 testresult = 1;
3040 goto end;
3041 }
3042 if (!curr->valid) {
710756a9 3043 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 3044 goto end;
3045 }
3046 }
3047
710756a9
RS		 3048 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3049 &clientssl, NULL, NULL)))
f1b25aae 3050 goto end;
f1b25aae
MC		 3051
3052 if (!testctx) {
3053 int ret;
3054
3055 if (curr->list != NULL)
3056 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3057 else
3058 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3059 if (!ret) {
3060 if (curr->valid)
710756a9 3061 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 3062 else
3063 testresult = 1;
3064 goto end;
3065 }
710756a9 3066 if (!curr->valid)
f1b25aae 3067 goto end;
f1b25aae
MC		 3068 }
3069
710756a9
RS		 3070 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3071 SSL_ERROR_NONE),
3072 curr->connsuccess))
f1b25aae 3073 goto end;
f1b25aae
MC		 3074
3075 testresult = 1;
3076
3077 end:
3078 SSL_free(serverssl);
3079 SSL_free(clientssl);
3080 SSL_CTX_free(sctx);
3081 SSL_CTX_free(cctx);
3082
3083 return testresult;
3084}
c423ecaa 3085#endif
f1b25aae 3086
a763ca11 3087#ifndef OSSL_NO_USABLE_TLS1_3
532f9578
MC		 3088static int psk_client_cb_cnt = 0;
3089static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 3090
3091static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3092 size_t *idlen, SSL_SESSION **sess)
3093{
3094 switch (++use_session_cb_cnt) {
3095 case 1:
3096 /* The first call should always have a NULL md */
3097 if (md != NULL)
3098 return 0;
3099 break;
3100
3101 case 2:
3102 /* The second call should always have an md */
3103 if (md == NULL)
3104 return 0;
3105 break;
3106
3107 default:
3108 /* We should only be called a maximum of twice */
3109 return 0;
3110 }
3111
57dee9bb
MC		 3112 if (clientpsk != NULL)
3113 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 3114
57dee9bb 3115 *sess = clientpsk;
02a3ed5a
MC		 3116 *id = (const unsigned char *)pskid;
3117 *idlen = strlen(pskid);
3118
3119 return 1;
3120}
3121
c2b290c3 3122#ifndef OPENSSL_NO_PSK
532f9578
MC		 3123static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3124 unsigned int max_id_len,
3125 unsigned char *psk,
3126 unsigned int max_psk_len)
3127{
3128 unsigned int psklen = 0;
3129
3130 psk_client_cb_cnt++;
3131
3132 if (strlen(pskid) + 1 > max_id_len)
3133 return 0;
3134
3135 /* We should only ever be called a maximum of twice per connection */
3136 if (psk_client_cb_cnt > 2)
3137 return 0;
3138
3139 if (clientpsk == NULL)
3140 return 0;
3141
3142 /* We'll reuse the PSK we set up for TLSv1.3 */
3143 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3144 return 0;
3145 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3146 strncpy(id, pskid, max_id_len);
3147
3148 return psklen;
3149}
c2b290c3 3150#endif /* OPENSSL_NO_PSK */
532f9578 3151
02a3ed5a
MC		 3152static int find_session_cb(SSL *ssl, const unsigned char *identity,
3153 size_t identity_len, SSL_SESSION **sess)
3154{
3155 find_session_cb_cnt++;
3156
3157 /* We should only ever be called a maximum of twice per connection */
3158 if (find_session_cb_cnt > 2)
3159 return 0;
3160
57dee9bb 3161 if (serverpsk == NULL)
02a3ed5a
MC		 3162 return 0;
3163
3164 /* Identity should match that set by the client */
3165 if (strlen(srvid) != identity_len
3166 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3167 /* No PSK found, continue but without a PSK */
3168 *sess = NULL;
3169 return 1;
3170 }
3171
57dee9bb
MC		 3172 SSL_SESSION_up_ref(serverpsk);
3173 *sess = serverpsk;
02a3ed5a
MC		 3174
3175 return 1;
3176}
3177
c2b290c3 3178#ifndef OPENSSL_NO_PSK
532f9578
MC		 3179static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3180 unsigned char *psk, unsigned int max_psk_len)
3181{
3182 unsigned int psklen = 0;
3183
3184 psk_server_cb_cnt++;
3185
3186 /* We should only ever be called a maximum of twice per connection */
3187 if (find_session_cb_cnt > 2)
3188 return 0;
3189
3190 if (serverpsk == NULL)
3191 return 0;
3192
3193 /* Identity should match that set by the client */
3194 if (strcmp(srvid, identity) != 0) {
3195 return 0;
3196 }
3197
3198 /* We'll reuse the PSK we set up for TLSv1.3 */
3199 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3200 return 0;
3201 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3202
3203 return psklen;
3204}
c2b290c3 3205#endif /* OPENSSL_NO_PSK */
532f9578 3206
5f982038
MC		 3207#define MSG1 "Hello"
3208#define MSG2 "World."
3209#define MSG3 "This"
3210#define MSG4 "is"
3211#define MSG5 "a"
90049cea
MC		 3212#define MSG6 "test"
3213#define MSG7 "message."
5f982038 3214
532f9578 3215#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
0b2b0be9 3216#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3217#define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3218#define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3219#define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
02a3ed5a 3220
8614a4eb
MC		 3221
3222static SSL_SESSION *create_a_psk(SSL *ssl)
3223{
3224 const SSL_CIPHER *cipher = NULL;
3225 const unsigned char key[] = {
3226 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3227 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3228 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3229 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3230 0x2c, 0x2d, 0x2e, 0x2f
3231 };
3232 SSL_SESSION *sess = NULL;
3233
3234 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3235 sess = SSL_SESSION_new();
3236 if (!TEST_ptr(sess)
3237 || !TEST_ptr(cipher)
3238 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
3239 sizeof(key)))
3240 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3241 || !TEST_true(
3242 SSL_SESSION_set_protocol_version(sess,
3243 TLS1_3_VERSION))) {
3244 SSL_SESSION_free(sess);
3245 return NULL;
3246 }
3247 return sess;
3248}
3249
5f982038
MC		 3250/*
3251 * Helper method to setup objects for early data test. Caller frees objects on
3252 * error.
3253 */
3254static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3cb47b4e 3255 SSL **serverssl, SSL_SESSION **sess, int idx)
5f982038 3256{
5a421415 3257 if (*sctx == NULL
5e30f2fd 3258 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5a421415 3259 TLS_client_method(),
5c587fb6 3260 TLS1_VERSION, 0,
5a421415
MC		 3261 sctx, cctx, cert, privkey)))
3262 return 0;
3263
3264 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 3265 return 0;
5f982038 3266
02a3ed5a
MC		 3267 if (idx == 1) {
3268 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 3269 SSL_CTX_set_read_ahead(*cctx, 1);
3270 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 3271 } else if (idx == 2) {
3272 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3273 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3274 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3275 use_session_cb_cnt = 0;
3276 find_session_cb_cnt = 0;
3277 srvid = pskid;
3cb47b4e
MC		 3278 }
3279
710756a9 3280 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 3281 NULL, NULL)))
3282 return 0;
3283
141e4709
MC		 3284 /*
3285 * For one of the run throughs (doesn't matter which one), we'll try sending
3286 * some SNI data in the initial ClientHello. This will be ignored (because
3287 * there is no SNI cb set up by the server), so it should not impact
3288 * early_data.
3289 */
3290 if (idx == 1
3291 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3292 return 0;
3293
02a3ed5a 3294 if (idx == 2) {
8614a4eb 3295 clientpsk = create_a_psk(*clientssl);
57dee9bb 3296 if (!TEST_ptr(clientpsk)
02a3ed5a
MC		 3297 /*
3298 * We just choose an arbitrary value for max_early_data which
3299 * should be big enough for testing purposes.
3300 */
57dee9bb
MC		 3301 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3302 0x100))
3303 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3304 SSL_SESSION_free(clientpsk);
3305 clientpsk = NULL;
02a3ed5a
MC		 3306 return 0;
3307 }
57dee9bb 3308 serverpsk = clientpsk;
02a3ed5a 3309
c20e3b28
MC		 3310 if (sess != NULL) {
3311 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3312 SSL_SESSION_free(clientpsk);
3313 SSL_SESSION_free(serverpsk);
3314 clientpsk = serverpsk = NULL;
3315 return 0;
3316 }
57dee9bb 3317 *sess = clientpsk;
c20e3b28 3318 }
02a3ed5a
MC		 3319 return 1;
3320 }
3321
3322 if (sess == NULL)
3323 return 1;
3324
3325 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3326 SSL_ERROR_NONE)))
5f982038 3327 return 0;
5f982038
MC		 3328
3329 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 3330 SSL_shutdown(*clientssl);
3331 SSL_shutdown(*serverssl);
5f982038
MC		 3332 SSL_free(*serverssl);
3333 SSL_free(*clientssl);
3334 *serverssl = *clientssl = NULL;
3335
710756a9
RS		 3336 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3337 clientssl, NULL, NULL))
3338 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 3339 return 0;
5f982038
MC		 3340
3341 return 1;
3342}
3343
3cb47b4e 3344static int test_early_data_read_write(int idx)
5f982038
MC		 3345{
3346 SSL_CTX *cctx = NULL, *sctx = NULL;
3347 SSL *clientssl = NULL, *serverssl = NULL;
3348 int testresult = 0;
3349 SSL_SESSION *sess = NULL;
9b5c865d
MC		 3350 unsigned char buf[20], data[1024];
3351 size_t readbytes, written, eoedlen, rawread, rawwritten;
3352 BIO *rbio;
5f982038 3353
710756a9
RS		 3354 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3355 &serverssl, &sess, idx)))
5f982038
MC		 3356 goto end;
3357
3358 /* Write and read some early data */
710756a9
RS		 3359 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3360 &written))
3361 || !TEST_size_t_eq(written, strlen(MSG1))
3362 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3363 sizeof(buf), &readbytes),
3364 SSL_READ_EARLY_DATA_SUCCESS)
3365 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3366 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3367 SSL_EARLY_DATA_ACCEPTED))
5f982038 3368 goto end;
5f982038
MC		 3369
3370 /*
09f28874 3371 * Server should be able to write data, and client should be able to
5f982038
MC		 3372 * read it.
3373 */
710756a9
RS		 3374 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3375 &written))
3376 || !TEST_size_t_eq(written, strlen(MSG2))
3377 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3378 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3379 goto end;
5f982038
MC		 3380
3381 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 3382 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3383 &written))
3384 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 3385 goto end;
5f982038 3386
09f28874 3387 /* Server should still be able read early data after writing data */
710756a9
RS		 3388 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3389 &readbytes),
3390 SSL_READ_EARLY_DATA_SUCCESS)
3391 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 3392 goto end;
5f982038 3393
09f28874 3394 /* Write more data from server and read it from client */
710756a9
RS		 3395 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3396 &written))
3397 || !TEST_size_t_eq(written, strlen(MSG4))
3398 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3399 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 3400 goto end;
5f982038
MC		 3401
3402 /*
3403 * If client writes normal data it should mean writing early data is no
3404 * longer possible.
3405 */
710756a9
RS		 3406 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3407 || !TEST_size_t_eq(written, strlen(MSG5))
3408 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3409 SSL_EARLY_DATA_ACCEPTED))
5f982038 3410 goto end;
5f982038 3411
9b5c865d
MC		 3412 /*
3413 * At this point the client has written EndOfEarlyData, ClientFinished and
3414 * normal (fully protected) data. We are going to cause a delay between the
3415 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3416 * in the read BIO, and then just put back the EndOfEarlyData message.
3417 */
3418 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 3419 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3420 || !TEST_size_t_lt(rawread, sizeof(data))
3421 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 3422 goto end;
710756a9 3423
9b5c865d
MC		 3424 /* Record length is in the 4th and 5th bytes of the record header */
3425 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 3426 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3427 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 3428 goto end;
9b5c865d 3429
5f982038 3430 /* Server should be told that there is no more early data */
710756a9
RS		 3431 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3432 &readbytes),
3433 SSL_READ_EARLY_DATA_FINISH)
3434 || !TEST_size_t_eq(readbytes, 0))
5f982038 3435 goto end;
5f982038 3436
9b5c865d
MC		 3437 /*
3438 * Server has not finished init yet, so should still be able to write early
3439 * data.
3440 */
710756a9
RS		 3441 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3442 &written))
3443 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 3444 goto end;
9b5c865d 3445
f8a303fa 3446 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 3447 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3448 &rawwritten))
3449 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 3450 goto end;
f8a303fa 3451
5f982038 3452 /* Server should be able to read normal data */
710756a9
RS		 3453 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3454 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3455 goto end;
5f982038 3456
09f28874 3457 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3458 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3459 &written)))
5f982038 3460 goto end;
5f982038 3461 ERR_clear_error();
710756a9
RS		 3462 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3463 &readbytes),
3464 SSL_READ_EARLY_DATA_ERROR))
5f982038 3465 goto end;
5f982038
MC		 3466 ERR_clear_error();
3467
9b5c865d 3468 /* Client should be able to read the data sent by the server */
710756a9
RS		 3469 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3470 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 3471 goto end;
710756a9 3472
f8a303fa 3473 /*
36ff232c
MC		 3474 * Make sure we process the two NewSessionTickets. These arrive
3475 * post-handshake. We attempt reads which we do not expect to return any
3476 * data.
f8a303fa 3477 */
36ff232c
MC		 3478 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3479 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3480 &readbytes)))
f8a303fa 3481 goto end;
5f982038 3482
90049cea 3483 /* Server should be able to write normal data */
710756a9
RS		 3484 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3485 || !TEST_size_t_eq(written, strlen(MSG7))
3486 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3487 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 3488 goto end;
90049cea 3489
c20e3b28 3490 SSL_SESSION_free(sess);
5f982038 3491 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 3492 use_session_cb_cnt = 0;
3493 find_session_cb_cnt = 0;
5f982038
MC		 3494
3495 SSL_shutdown(clientssl);
3496 SSL_shutdown(serverssl);
5f982038
MC		 3497 SSL_free(serverssl);
3498 SSL_free(clientssl);
3499 serverssl = clientssl = NULL;
710756a9
RS		 3500 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3501 &clientssl, NULL, NULL))
3502 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 3503 goto end;
5f982038
MC		 3504
3505 /* Write and read some early data */
710756a9
RS		 3506 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3507 &written))
3508 || !TEST_size_t_eq(written, strlen(MSG1))
3509 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3510 &readbytes),
3511 SSL_READ_EARLY_DATA_SUCCESS)
3512 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 3513 goto end;
5f982038 3514
710756a9
RS		 3515 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3516 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 3517 goto end;
5f982038 3518
09f28874 3519 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3520 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3521 &written)))
5f982038 3522 goto end;
5f982038 3523 ERR_clear_error();
710756a9
RS		 3524 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3525 &readbytes),
3526 SSL_READ_EARLY_DATA_ERROR))
5f982038 3527 goto end;
5f982038
MC		 3528 ERR_clear_error();
3529
3530 /* Client and server should be able to write/read normal data */
710756a9
RS		 3531 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3532 || !TEST_size_t_eq(written, strlen(MSG5))
3533 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3534 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3535 goto end;
5f982038
MC		 3536
3537 testresult = 1;
3538
3539 end:
c20e3b28 3540 SSL_SESSION_free(sess);
57dee9bb
MC		 3541 SSL_SESSION_free(clientpsk);
3542 SSL_SESSION_free(serverpsk);
3543 clientpsk = serverpsk = NULL;
5f982038
MC		 3544 SSL_free(serverssl);
3545 SSL_free(clientssl);
3546 SSL_CTX_free(sctx);
3547 SSL_CTX_free(cctx);
5f982038
MC		 3548 return testresult;
3549}
3550
5a421415
MC		 3551static int allow_ed_cb_called = 0;
3552
3553static int allow_early_data_cb(SSL *s, void *arg)
3554{
3555 int *usecb = (int *)arg;
3556
3557 allow_ed_cb_called++;
3558
3559 if (*usecb == 1)
3560 return 0;
3561
3562 return 1;
3563}
3564
3565/*
3566 * idx == 0: Standard early_data setup
3567 * idx == 1: early_data setup using read_ahead
3568 * usecb == 0: Don't use a custom early data callback
3569 * usecb == 1: Use a custom early data callback and reject the early data
3570 * usecb == 2: Use a custom early data callback and accept the early data
3bb5e5b0
MC		 3571 * confopt == 0: Configure anti-replay directly
3572 * confopt == 1: Configure anti-replay using SSL_CONF
5a421415 3573 */
3bb5e5b0 3574static int test_early_data_replay_int(int idx, int usecb, int confopt)
78fb5374
MC		 3575{
3576 SSL_CTX *cctx = NULL, *sctx = NULL;
3577 SSL *clientssl = NULL, *serverssl = NULL;
3578 int testresult = 0;
3579 SSL_SESSION *sess = NULL;
5a421415
MC		 3580 size_t readbytes, written;
3581 unsigned char buf[20];
3582
3583 allow_ed_cb_called = 0;
3584
5e30f2fd
MC		 3585 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3586 TLS_client_method(), TLS1_VERSION, 0,
3587 &sctx, &cctx, cert, privkey)))
5a421415
MC		 3588 return 0;
3589
3590 if (usecb > 0) {
3bb5e5b0
MC		 3591 if (confopt == 0) {
3592 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3593 } else {
3594 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3595
3596 if (!TEST_ptr(confctx))
3597 goto end;
3598 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3599 | SSL_CONF_FLAG_SERVER);
3600 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3601 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3602 2)) {
3603 SSL_CONF_CTX_free(confctx);
3604 goto end;
3605 }
3606 SSL_CONF_CTX_free(confctx);
3607 }
5a421415
MC		 3608 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3609 }
78fb5374
MC		 3610
3611 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3612 &serverssl, &sess, idx)))
3613 goto end;
3614
3615 /*
3616 * The server is configured to accept early data. Create a connection to
3617 * "use up" the ticket
3618 */
3619 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3620 || !TEST_true(SSL_session_reused(clientssl)))
3621 goto end;
3622
3623 SSL_shutdown(clientssl);
3624 SSL_shutdown(serverssl);
3625 SSL_free(serverssl);
3626 SSL_free(clientssl);
3627 serverssl = clientssl = NULL;
3628
3629 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3630 &clientssl, NULL, NULL))
5a421415
MC		 3631 || !TEST_true(SSL_set_session(clientssl, sess)))
3632 goto end;
3633
3634 /* Write and read some early data */
3635 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3636 &written))
3637 || !TEST_size_t_eq(written, strlen(MSG1)))
3638 goto end;
3639
3640 if (usecb <= 1) {
3641 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3642 &readbytes),
3643 SSL_READ_EARLY_DATA_FINISH)
3644 /*
3645 * The ticket was reused, so the we should have rejected the
3646 * early data
3647 */
3648 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3649 SSL_EARLY_DATA_REJECTED))
3650 goto end;
3651 } else {
3652 /* In this case the callback decides to accept the early data */
3653 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3654 &readbytes),
3655 SSL_READ_EARLY_DATA_SUCCESS)
3656 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3657 /*
3658 * Server will have sent its flight so client can now send
3659 * end of early data and complete its half of the handshake
3660 */
3661 || !TEST_int_gt(SSL_connect(clientssl), 0)
3662 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3663 &readbytes),
3664 SSL_READ_EARLY_DATA_FINISH)
3665 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3666 SSL_EARLY_DATA_ACCEPTED))
3667 goto end;
3668 }
3669
3670 /* Complete the connection */
3671 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3672 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3673 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
78fb5374
MC		 3674 goto end;
3675
3676 testresult = 1;
3677
3678 end:
c20e3b28 3679 SSL_SESSION_free(sess);
78fb5374
MC		 3680 SSL_SESSION_free(clientpsk);
3681 SSL_SESSION_free(serverpsk);
3682 clientpsk = serverpsk = NULL;
3683 SSL_free(serverssl);
3684 SSL_free(clientssl);
3685 SSL_CTX_free(sctx);
3686 SSL_CTX_free(cctx);
3687 return testresult;
3688}
3689
5a421415
MC		 3690static int test_early_data_replay(int idx)
3691{
3bb5e5b0 3692 int ret = 1, usecb, confopt;
5a421415 3693
3bb5e5b0
MC		 3694 for (usecb = 0; usecb < 3; usecb++) {
3695 for (confopt = 0; confopt < 2; confopt++)
3696 ret &= test_early_data_replay_int(idx, usecb, confopt);
3697 }
5a421415
MC		 3698
3699 return ret;
3700}
3701
710756a9 3702/*
6b84e6bf
MC		 3703 * Helper function to test that a server attempting to read early data can
3704 * handle a connection from a client where the early data should be skipped.
0d1b7789
MC		 3705 * testtype: 0 == No HRR
3706 * testtype: 1 == HRR
0efa0ba4
MC		 3707 * testtype: 2 == HRR, invalid early_data sent after HRR
3708 * testtype: 3 == recv_max_early_data set to 0
710756a9 3709 */
0d1b7789 3710static int early_data_skip_helper(int testtype, int idx)
5f982038
MC		 3711{
3712 SSL_CTX *cctx = NULL, *sctx = NULL;
3713 SSL *clientssl = NULL, *serverssl = NULL;
3714 int testresult = 0;
018fcbec 3715 SSL_SESSION *sess = NULL;
5f982038
MC		 3716 unsigned char buf[20];
3717 size_t readbytes, written;
3718
710756a9
RS		 3719 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3720 &serverssl, &sess, idx)))
5f982038
MC		 3721 goto end;
3722
0efa0ba4 3723 if (testtype == 1 || testtype == 2) {
6b84e6bf 3724 /* Force an HRR to occur */
dbc6268f
MC		 3725#if defined(OPENSSL_NO_EC)
3726 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3727 goto end;
3728#else
6b84e6bf
MC		 3729 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3730 goto end;
dbc6268f 3731#endif
02a3ed5a
MC		 3732 } else if (idx == 2) {
3733 /*
3734 * We force early_data rejection by ensuring the PSK identity is
3735 * unrecognised
3736 */
3737 srvid = "Dummy Identity";
6b84e6bf
MC		 3738 } else {
3739 /*
3740 * Deliberately corrupt the creation time. We take 20 seconds off the
3741 * time. It could be any value as long as it is not within tolerance.
3742 * This should mean the ticket is rejected.
3743 */
5d99881e 3744 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 3745 goto end;
3746 }
5f982038 3747
0efa0ba4 3748 if (testtype == 3
0d1b7789
MC		 3749 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3750 goto end;
3751
5f982038 3752 /* Write some early data */
710756a9
RS		 3753 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3754 &written))
3755 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 3756 goto end;
5f982038 3757
0d1b7789 3758 /* Server should reject the early data */
710756a9
RS		 3759 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3760 &readbytes),
3761 SSL_READ_EARLY_DATA_FINISH)
3762 || !TEST_size_t_eq(readbytes, 0)
3763 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3764 SSL_EARLY_DATA_REJECTED))
5f982038 3765 goto end;
5f982038 3766
0efa0ba4
MC		 3767 switch (testtype) {
3768 case 0:
3769 /* Nothing to do */
3770 break;
3771
3772 case 1:
6b84e6bf
MC		 3773 /*
3774 * Finish off the handshake. We perform the same writes and reads as
3775 * further down but we expect them to fail due to the incomplete
3776 * handshake.
3777 */
3778 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3779 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3780 &readbytes)))
3781 goto end;
0efa0ba4
MC		 3782 break;
3783
3784 case 2:
3785 {
3786 BIO *wbio = SSL_get_wbio(clientssl);
3787 /* A record that will appear as bad early_data */
3788 const unsigned char bad_early_data[] = {
3789 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3790 };
3791
3792 /*
3793 * We force the client to attempt a write. This will fail because
3794 * we're still in the handshake. It will cause the second
3795 * ClientHello to be sent.
3796 */
3797 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3798 &written)))
3799 goto end;
3800
3801 /*
3802 * Inject some early_data after the second ClientHello. This should
3803 * cause the server to fail
3804 */
3805 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3806 sizeof(bad_early_data), &written)))
3807 goto end;
3808 }
3809 /* fallthrough */
3810
3811 case 3:
0d1b7789 3812 /*
0efa0ba4
MC		 3813 * This client has sent more early_data than we are willing to skip
3814 * (case 3) or sent invalid early_data (case 2) so the connection should
3815 * abort.
0d1b7789
MC		 3816 */
3817 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3818 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3819 goto end;
3820
3821 /* Connection has failed - nothing more to do */
3822 testresult = 1;
3823 goto end;
0efa0ba4
MC		 3824
3825 default:
3826 TEST_error("Invalid test type");
3827 goto end;
6b84e6bf
MC		 3828 }
3829
0d1b7789
MC		 3830 /*
3831 * Should be able to send normal data despite rejection of early data. The
3832 * early_data should be skipped.
3833 */
710756a9
RS		 3834 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3835 || !TEST_size_t_eq(written, strlen(MSG2))
3836 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3837 SSL_EARLY_DATA_REJECTED)
3838 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3839 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3840 goto end;
5f982038
MC		 3841
3842 testresult = 1;
3843
3844 end:
c20e3b28 3845 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3846 SSL_SESSION_free(serverpsk);
3847 clientpsk = serverpsk = NULL;
5f982038
MC		 3848 SSL_SESSION_free(sess);
3849 SSL_free(serverssl);
3850 SSL_free(clientssl);
3851 SSL_CTX_free(sctx);
3852 SSL_CTX_free(cctx);
5f982038
MC		 3853 return testresult;
3854}
3855
6b84e6bf
MC		 3856/*
3857 * Test that a server attempting to read early data can handle a connection
3858 * from a client where the early data is not acceptable.
3859 */
3860static int test_early_data_skip(int idx)
3861{
3862 return early_data_skip_helper(0, idx);
3863}
3864
3865/*
3866 * Test that a server attempting to read early data can handle a connection
3867 * from a client where an HRR occurs.
3868 */
3869static int test_early_data_skip_hrr(int idx)
3870{
3871 return early_data_skip_helper(1, idx);
3872}
3873
0efa0ba4
MC		 3874/*
3875 * Test that a server attempting to read early data can handle a connection
3876 * from a client where an HRR occurs and correctly fails if early_data is sent
3877 * after the HRR
3878 */
3879static int test_early_data_skip_hrr_fail(int idx)
3880{
3881 return early_data_skip_helper(2, idx);
3882}
3883
0d1b7789
MC		 3884/*
3885 * Test that a server attempting to read early data will abort if it tries to
3886 * skip over too much.
3887 */
3888static int test_early_data_skip_abort(int idx)
3889{
0efa0ba4 3890 return early_data_skip_helper(3, idx);
0d1b7789
MC		 3891}
3892
710756a9
RS		 3893/*
3894 * Test that a server attempting to read early data can handle a connection
3895 * from a client that doesn't send any.
3896 */
3cb47b4e 3897static int test_early_data_not_sent(int idx)
5f982038
MC		 3898{
3899 SSL_CTX *cctx = NULL, *sctx = NULL;
3900 SSL *clientssl = NULL, *serverssl = NULL;
3901 int testresult = 0;
018fcbec 3902 SSL_SESSION *sess = NULL;
5f982038
MC		 3903 unsigned char buf[20];
3904 size_t readbytes, written;
3905
710756a9
RS		 3906 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3907 &serverssl, &sess, idx)))
5f982038
MC		 3908 goto end;
3909
3910 /* Write some data - should block due to handshake with server */
3911 SSL_set_connect_state(clientssl);
710756a9 3912 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 3913 goto end;
5f982038
MC		 3914
3915 /* Server should detect that early data has not been sent */
710756a9
RS		 3916 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3917 &readbytes),
3918 SSL_READ_EARLY_DATA_FINISH)
3919 || !TEST_size_t_eq(readbytes, 0)
3920 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3921 SSL_EARLY_DATA_NOT_SENT)
3922 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3923 SSL_EARLY_DATA_NOT_SENT))
5f982038 3924 goto end;
5f982038
MC		 3925
3926 /* Continue writing the message we started earlier */
710756a9
RS		 3927 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3928 || !TEST_size_t_eq(written, strlen(MSG1))
3929 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3930 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3931 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3932 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 3933 goto end;
5f982038 3934
710756a9
RS		 3935 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3936 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3937 goto end;
5f982038
MC		 3938
3939 testresult = 1;
3940
3941 end:
5f982038 3942 SSL_SESSION_free(sess);
c20e3b28 3943 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3944 SSL_SESSION_free(serverpsk);
3945 clientpsk = serverpsk = NULL;
5f982038
MC		 3946 SSL_free(serverssl);
3947 SSL_free(clientssl);
3948 SSL_CTX_free(sctx);
3949 SSL_CTX_free(cctx);
5f982038
MC		 3950 return testresult;
3951}
3952
976e5323
MC		 3953static const char *servalpn;
3954
c7558d5b
PY		 3955static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3956 unsigned char *outlen, const unsigned char *in,
3957 unsigned int inlen, void *arg)
976e5323 3958{
c7558d5b 3959 unsigned int protlen = 0;
976e5323
MC		 3960 const unsigned char *prot;
3961
c7558d5b
PY		 3962 for (prot = in; prot < in + inlen; prot += protlen) {
3963 protlen = *prot++;
5d99881e 3964 if (in + inlen < prot + protlen)
976e5323
MC		 3965 return SSL_TLSEXT_ERR_NOACK;
3966
3967 if (protlen == strlen(servalpn)
0bd42fde 3968 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 3969 *out = prot;
3970 *outlen = protlen;
3971 return SSL_TLSEXT_ERR_OK;
3972 }
3973 }
3974
3975 return SSL_TLSEXT_ERR_NOACK;
3976}
3977
57dee9bb 3978/* Test that a PSK can be used to send early_data */
976e5323
MC		 3979static int test_early_data_psk(int idx)
3980{
3981 SSL_CTX *cctx = NULL, *sctx = NULL;
3982 SSL *clientssl = NULL, *serverssl = NULL;
3983 int testresult = 0;
3984 SSL_SESSION *sess = NULL;
57dee9bb
MC		 3985 unsigned char alpnlist[] = {
3986 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3987 'l', 'p', 'n'
3988 };
3989#define GOODALPNLEN 9
3990#define BADALPNLEN 8
3991#define GOODALPN (alpnlist)
3992#define BADALPN (alpnlist + GOODALPNLEN)
3993 int err = 0;
976e5323
MC		 3994 unsigned char buf[20];
3995 size_t readbytes, written;
57dee9bb 3996 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 3997 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3998
3999 /* We always set this up with a final parameter of "2" for PSK */
4000 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4001 &serverssl, &sess, 2)))
4002 goto end;
4003
976e5323
MC		 4004 servalpn = "goodalpn";
4005
57dee9bb
MC		 4006 /*
4007 * Note: There is no test for inconsistent SNI with late client detection.
4008 * This is because servers do not acknowledge SNI even if they are using
4009 * it in a resumption handshake - so it is not actually possible for a
4010 * client to detect a problem.
4011 */
976e5323
MC		 4012 switch (idx) {
4013 case 0:
57dee9bb 4014 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 4015 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
4016 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4017 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
4018 goto end;
4019 break;
4020
4021 case 1:
57dee9bb 4022 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 4023 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
4024 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 4025 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
4026 GOODALPNLEN))
4027 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
4028 BADALPNLEN)))
976e5323
MC		 4029 goto end;
4030 break;
4031
4032 case 2:
4033 /*
4034 * Set invalid protocol version. Technically this affects PSKs without
4035 * early_data too, but we test it here because it is similar to the
4036 * SNI/ALPN consistency tests.
4037 */
4038 err = SSL_R_BAD_PSK;
4039 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
4040 goto end;
4041 break;
4042
4043 case 3:
4044 /*
49ef3d07
MC		 4045 * Set inconsistent SNI (server side). In this case the connection
4046 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
4047 * is associated with each handshake - not the session. Therefore it
4048 * should not matter that we used a different server name last time.
976e5323 4049 */
281bf233
MC		 4050 SSL_SESSION_free(serverpsk);
4051 serverpsk = SSL_SESSION_dup(clientpsk);
4052 if (!TEST_ptr(serverpsk)
4053 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
4054 goto end;
976e5323
MC		 4055 /* Fall through */
4056 case 4:
4057 /* Set consistent SNI */
976e5323
MC		 4058 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4059 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4060 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4061 hostname_cb)))
4062 goto end;
4063 break;
4064
4065 case 5:
4066 /*
4067 * Set inconsistent ALPN (server detected). In this case the connection
4068 * will succeed but reject early_data.
4069 */
4070 servalpn = "badalpn";
4071 edstatus = SSL_EARLY_DATA_REJECTED;
4072 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4073 /* Fall through */
4074 case 6:
976e5323 4075 /*
57dee9bb 4076 * Set consistent ALPN.
976e5323
MC		 4077 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4078 * accepts a list of protos (each one length prefixed).
4079 * SSL_set1_alpn_selected accepts a single protocol (not length
4080 * prefixed)
4081 */
57dee9bb
MC		 4082 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4083 GOODALPNLEN - 1))
4084 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4085 GOODALPNLEN)))
976e5323
MC		 4086 goto end;
4087
4088 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4089 break;
4090
57dee9bb
MC		 4091 case 7:
4092 /* Set inconsistent ALPN (late client detection) */
4093 SSL_SESSION_free(serverpsk);
4094 serverpsk = SSL_SESSION_dup(clientpsk);
4095 if (!TEST_ptr(serverpsk)
4096 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4097 BADALPN + 1,
4098 BADALPNLEN - 1))
4099 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4100 GOODALPN + 1,
4101 GOODALPNLEN - 1))
4102 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4103 sizeof(alpnlist))))
4104 goto end;
4105 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4106 edstatus = SSL_EARLY_DATA_ACCEPTED;
4107 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4108 /* SSL_connect() call should fail */
4109 connectres = -1;
4110 break;
4111
976e5323
MC		 4112 default:
4113 TEST_error("Bad test index");
4114 goto end;
4115 }
4116
4117 SSL_set_connect_state(clientssl);
4118 if (err != 0) {
4119 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4120 &written))
4121 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4122 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4123 goto end;
4124 } else {
4125 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 4126 &written)))
4127 goto end;
4128
4129 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4130 &readbytes), readearlyres)
976e5323
MC		 4131 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4132 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 4133 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4134 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 4135 goto end;
4136 }
4137
4138 testresult = 1;
4139
4140 end:
c20e3b28 4141 SSL_SESSION_free(sess);
57dee9bb
MC		 4142 SSL_SESSION_free(clientpsk);
4143 SSL_SESSION_free(serverpsk);
4144 clientpsk = serverpsk = NULL;
976e5323
MC		 4145 SSL_free(serverssl);
4146 SSL_free(clientssl);
4147 SSL_CTX_free(sctx);
4148 SSL_CTX_free(cctx);
4149 return testresult;
4150}
4151
0b2b0be9 4152/*
4153 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4154 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4155 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4156 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4157 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4158 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4159 */
4160static int test_early_data_psk_with_all_ciphers(int idx)
4161{
4162 SSL_CTX *cctx = NULL, *sctx = NULL;
4163 SSL *clientssl = NULL, *serverssl = NULL;
4164 int testresult = 0;
4165 SSL_SESSION *sess = NULL;
4166 unsigned char buf[20];
4167 size_t readbytes, written;
4168 const SSL_CIPHER *cipher;
4169 const char *cipher_str[] = {
4170 TLS1_3_RFC_AES_128_GCM_SHA256,
4171 TLS1_3_RFC_AES_256_GCM_SHA384,
4172# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4173 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4174# else
4175 NULL,
4176# endif
4177 TLS1_3_RFC_AES_128_CCM_SHA256,
4178 TLS1_3_RFC_AES_128_CCM_8_SHA256
4179 };
4180 const unsigned char *cipher_bytes[] = {
4181 TLS13_AES_128_GCM_SHA256_BYTES,
4182 TLS13_AES_256_GCM_SHA384_BYTES,
4183# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4184 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4185# else
4186 NULL,
4187# endif
4188 TLS13_AES_128_CCM_SHA256_BYTES,
4189 TLS13_AES_128_CCM_8_SHA256_BYTES
4190 };
4191
4192 if (cipher_str[idx] == NULL)
4193 return 1;
4194 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4195 if (idx == 2 && is_fips == 1)
4196 return 1;
4197
4198 /* We always set this up with a final parameter of "2" for PSK */
4199 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4200 &serverssl, &sess, 2)))
4201 goto end;
4202
e0710222
P		 4203 if (idx == 4) {
4204 /* CCM8 ciphers are considered low security due to their short tag */
4205 SSL_set_security_level(clientssl, 0);
4206 SSL_set_security_level(serverssl, 0);
4207 }
4208
0b2b0be9 4209 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4210 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4211 goto end;
4212
4213 /*
4214 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4215 * and assigns to both client and server with incremented reference
4216 * and the same instance is updated in 'sess'.
4217 * So updating ciphersuite in 'sess' which will get reflected in
4218 * PSK handshake using psk use sess and find sess cb.
4219 */
4220 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4221 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4222 goto end;
4223
4224 SSL_set_connect_state(clientssl);
4225 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4226 &written)))
4227 goto end;
4228
4229 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4230 &readbytes),
4231 SSL_READ_EARLY_DATA_SUCCESS)
4232 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4233 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4234 SSL_EARLY_DATA_ACCEPTED)
4235 || !TEST_int_eq(SSL_connect(clientssl), 1)
4236 || !TEST_int_eq(SSL_accept(serverssl), 1))
4237 goto end;
4238
4239 /* Send some normal data from client to server */
4240 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4241 || !TEST_size_t_eq(written, strlen(MSG2)))
4242 goto end;
4243
4244 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4245 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4246 goto end;
4247
4248 testresult = 1;
4249 end:
4250 SSL_SESSION_free(sess);
4251 SSL_SESSION_free(clientpsk);
4252 SSL_SESSION_free(serverpsk);
4253 clientpsk = serverpsk = NULL;
4254 if (clientssl != NULL)
4255 SSL_shutdown(clientssl);
4256 if (serverssl != NULL)
4257 SSL_shutdown(serverssl);
4258 SSL_free(serverssl);
4259 SSL_free(clientssl);
4260 SSL_CTX_free(sctx);
4261 SSL_CTX_free(cctx);
4262 return testresult;
4263}
4264
710756a9
RS		 4265/*
4266 * Test that a server that doesn't try to read early data can handle a
4267 * client sending some.
4268 */
3cb47b4e 4269static int test_early_data_not_expected(int idx)
5f982038
MC		 4270{
4271 SSL_CTX *cctx = NULL, *sctx = NULL;
4272 SSL *clientssl = NULL, *serverssl = NULL;
4273 int testresult = 0;
018fcbec 4274 SSL_SESSION *sess = NULL;
5f982038
MC		 4275 unsigned char buf[20];
4276 size_t readbytes, written;
4277
710756a9
RS		 4278 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4279 &serverssl, &sess, idx)))
5f982038
MC		 4280 goto end;
4281
4282 /* Write some early data */
710756a9
RS		 4283 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4284 &written)))
5f982038 4285 goto end;
5f982038
MC		 4286
4287 /*
4288 * Server should skip over early data and then block waiting for client to
4289 * continue handshake
4290 */
710756a9
RS		 4291 if (!TEST_int_le(SSL_accept(serverssl), 0)
4292 || !TEST_int_gt(SSL_connect(clientssl), 0)
4293 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4294 SSL_EARLY_DATA_REJECTED)
4295 || !TEST_int_gt(SSL_accept(serverssl), 0)
4296 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4297 SSL_EARLY_DATA_REJECTED))
5f982038 4298 goto end;
5f982038
MC		 4299
4300 /* Send some normal data from client to server */
710756a9
RS		 4301 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4302 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 4303 goto end;
5f982038 4304
710756a9
RS		 4305 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4306 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4307 goto end;
5f982038
MC		 4308
4309 testresult = 1;
4310
4311 end:
5f982038 4312 SSL_SESSION_free(sess);
c20e3b28 4313 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 4314 SSL_SESSION_free(serverpsk);
4315 clientpsk = serverpsk = NULL;
5f982038
MC		 4316 SSL_free(serverssl);
4317 SSL_free(clientssl);
4318 SSL_CTX_free(sctx);
4319 SSL_CTX_free(cctx);
5f982038
MC		 4320 return testresult;
4321}
4322
4323
4324# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 4325/*
4326 * Test that a server attempting to read early data can handle a connection
4327 * from a TLSv1.2 client.
4328 */
3cb47b4e 4329static int test_early_data_tls1_2(int idx)
5f982038
MC		 4330{
4331 SSL_CTX *cctx = NULL, *sctx = NULL;
4332 SSL *clientssl = NULL, *serverssl = NULL;
4333 int testresult = 0;
4334 unsigned char buf[20];
4335 size_t readbytes, written;
4336
02a3ed5a
MC		 4337 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4338 &serverssl, NULL, idx)))
5f982038 4339 goto end;
5f982038
MC		 4340
4341 /* Write some data - should block due to handshake with server */
4342 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4343 SSL_set_connect_state(clientssl);
710756a9 4344 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 4345 goto end;
5f982038
MC		 4346
4347 /*
4348 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 4349 * messages from client after ServerDone. Then SSL_read_early_data should
4350 * finish and detect that early data has not been sent
5f982038 4351 */
710756a9
RS		 4352 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4353 &readbytes),
4354 SSL_READ_EARLY_DATA_ERROR))
5f982038 4355 goto end;
5f982038
MC		 4356
4357 /*
4358 * Continue writing the message we started earlier. Will still block waiting
4359 * for the CCS/Finished from server
4360 */
710756a9
RS		 4361 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4362 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4363 &readbytes),
4364 SSL_READ_EARLY_DATA_FINISH)
4365 || !TEST_size_t_eq(readbytes, 0)
4366 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4367 SSL_EARLY_DATA_NOT_SENT))
5f982038 4368 goto end;
5f982038
MC		 4369
4370 /* Continue writing the message we started earlier */
710756a9
RS		 4371 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4372 || !TEST_size_t_eq(written, strlen(MSG1))
4373 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4374 SSL_EARLY_DATA_NOT_SENT)
4375 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4376 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4377 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4378 || !TEST_size_t_eq(written, strlen(MSG2))
4379 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4380 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4381 goto end;
5f982038
MC		 4382
4383 testresult = 1;
4384
4385 end:
57dee9bb
MC		 4386 SSL_SESSION_free(clientpsk);
4387 SSL_SESSION_free(serverpsk);
4388 clientpsk = serverpsk = NULL;
5f982038
MC		 4389 SSL_free(serverssl);
4390 SSL_free(clientssl);
4391 SSL_CTX_free(sctx);
4392 SSL_CTX_free(cctx);
4393
4394 return testresult;
4395}
ca0413ae
MC		 4396# endif /* OPENSSL_NO_TLS1_2 */
4397
034cb87b
MC		 4398/*
4399 * Test configuring the TLSv1.3 ciphersuites
4400 *
4401 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4402 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4403 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4404 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4405 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4406 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4407 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4408 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4409 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4410 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4411 */
4412static int test_set_ciphersuite(int idx)
4413{
4414 SSL_CTX *cctx = NULL, *sctx = NULL;
4415 SSL *clientssl = NULL, *serverssl = NULL;
4416 int testresult = 0;
4417
5e30f2fd
MC		 4418 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4419 TLS_client_method(), TLS1_VERSION, 0,
034cb87b
MC		 4420 &sctx, &cctx, cert, privkey))
4421 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4422 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4423 goto end;
4424
4425 if (idx >=4 && idx <= 7) {
4426 /* SSL_CTX explicit cipher list */
4427 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4428 goto end;
4429 }
4430
4431 if (idx == 0 || idx == 4) {
4432 /* Default ciphersuite */
4433 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4434 "TLS_AES_128_GCM_SHA256")))
4435 goto end;
4436 } else if (idx == 1 || idx == 5) {
4437 /* Non default ciphersuite */
4438 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4439 "TLS_AES_128_CCM_SHA256")))
4440 goto end;
4441 }
4442
4443 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4444 &clientssl, NULL, NULL)))
4445 goto end;
4446
4447 if (idx == 8 || idx == 9) {
4448 /* SSL explicit cipher list */
4449 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4450 goto end;
4451 }
4452
4453 if (idx == 2 || idx == 6 || idx == 8) {
4454 /* Default ciphersuite */
4455 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4456 "TLS_AES_128_GCM_SHA256")))
4457 goto end;
4458 } else if (idx == 3 || idx == 7 || idx == 9) {
4459 /* Non default ciphersuite */
4460 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4461 "TLS_AES_128_CCM_SHA256")))
4462 goto end;
4463 }
4464
4465 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4466 goto end;
4467
4468 testresult = 1;
4469
4470 end:
4471 SSL_free(serverssl);
4472 SSL_free(clientssl);
4473 SSL_CTX_free(sctx);
4474 SSL_CTX_free(cctx);
4475
4476 return testresult;
4477}
4478
ca0413ae
MC		 4479static int test_ciphersuite_change(void)
4480{
4481 SSL_CTX *cctx = NULL, *sctx = NULL;
4482 SSL *clientssl = NULL, *serverssl = NULL;
4483 SSL_SESSION *clntsess = NULL;
4484 int testresult = 0;
4485 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4486
4487 /* Create a session based on SHA-256 */
5e30f2fd
MC		 4488 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4489 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 4490 &sctx, &cctx, cert, privkey))
4f6c7044
MC		 4491 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4492 "TLS_AES_128_GCM_SHA256:"
4493 "TLS_AES_256_GCM_SHA384:"
4494 "TLS_AES_128_CCM_SHA256"))
f865b081 4495 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
e0710222
P		 4496 "TLS_AES_128_GCM_SHA256")))
4497 goto end;
4498
4499 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4500 NULL, NULL))
ca0413ae
MC		 4501 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4502 SSL_ERROR_NONE)))
4503 goto end;
4504
4505 clntsess = SSL_get1_session(clientssl);
4506 /* Save for later */
4507 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4508 SSL_shutdown(clientssl);
4509 SSL_shutdown(serverssl);
4510 SSL_free(serverssl);
4511 SSL_free(clientssl);
4512 serverssl = clientssl = NULL;
4513
4514 /* Check we can resume a session with a different SHA-256 ciphersuite */
f865b081 4515 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4f6c7044
MC		 4516 "TLS_AES_128_CCM_SHA256"))
4517 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4518 &clientssl, NULL, NULL))
ca0413ae
MC		 4519 || !TEST_true(SSL_set_session(clientssl, clntsess))
4520 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4521 SSL_ERROR_NONE))
4522 || !TEST_true(SSL_session_reused(clientssl)))
4523 goto end;
4524
4525 SSL_SESSION_free(clntsess);
4526 clntsess = SSL_get1_session(clientssl);
4527 SSL_shutdown(clientssl);
4528 SSL_shutdown(serverssl);
4529 SSL_free(serverssl);
4530 SSL_free(clientssl);
4531 serverssl = clientssl = NULL;
4532
4533 /*
4534 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 4535 * succeeds but does not resume.
ca0413ae 4536 */
f865b081 4537 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4538 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4539 NULL, NULL))
4540 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 4541 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 4542 SSL_ERROR_SSL))
0de6d66d 4543 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 4544 goto end;
4545
4546 SSL_SESSION_free(clntsess);
4547 clntsess = NULL;
4548 SSL_shutdown(clientssl);
4549 SSL_shutdown(serverssl);
4550 SSL_free(serverssl);
4551 SSL_free(clientssl);
4552 serverssl = clientssl = NULL;
4553
4554 /* Create a session based on SHA384 */
f865b081 4555 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4556 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4557 &clientssl, NULL, NULL))
4558 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4559 SSL_ERROR_NONE)))
4560 goto end;
4561
4562 clntsess = SSL_get1_session(clientssl);
4563 SSL_shutdown(clientssl);
4564 SSL_shutdown(serverssl);
4565 SSL_free(serverssl);
4566 SSL_free(clientssl);
4567 serverssl = clientssl = NULL;
4568
f865b081
MC		 4569 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4570 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4571 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4572 "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4573 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4574 NULL, NULL))
4575 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 4576 /*
4577 * We use SSL_ERROR_WANT_READ below so that we can pause the
4578 * connection after the initial ClientHello has been sent to
4579 * enable us to make some session changes.
4580 */
ca0413ae
MC		 4581 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4582 SSL_ERROR_WANT_READ)))
4583 goto end;
4584
4585 /* Trick the client into thinking this session is for a different digest */
4586 clntsess->cipher = aes_128_gcm_sha256;
4587 clntsess->cipher_id = clntsess->cipher->id;
4588
4589 /*
3b0e88d3
MC		 4590 * Continue the previously started connection. Server has selected a SHA-384
4591 * ciphersuite, but client thinks the session is for SHA-256, so it should
4592 * bail out.
ca0413ae
MC		 4593 */
4594 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4595 SSL_ERROR_SSL))
4596 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4597 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4598 goto end;
4599
4600 testresult = 1;
4601
4602 end:
4603 SSL_SESSION_free(clntsess);
4604 SSL_free(serverssl);
4605 SSL_free(clientssl);
4606 SSL_CTX_free(sctx);
4607 SSL_CTX_free(cctx);
4608
4609 return testresult;
4610}
4611
8e63900a 4612/*
5bf2eade 4613 * Test TLSv1.3 Key exchange
4614 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4615 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4616 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4617 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4618 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4619 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4620 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4621 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4622 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4623 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4624 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4625 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4626 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4627 * Test 13 = Test all FFDHE with TLSv1.2 client and server
8e63900a 4628 */
f89d3d69
BK		 4629# ifndef OPENSSL_NO_EC
4630static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4631 NID_secp521r1, NID_X25519, NID_X448};
4632# endif
4633# ifndef OPENSSL_NO_DH
4634static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4635 NID_ffdhe6144, NID_ffdhe8192};
4636# endif
db26ec80 4637static int test_key_exchange(int idx)
8e63900a 4638{
4639 SSL_CTX *sctx = NULL, *cctx = NULL;
4640 SSL *serverssl = NULL, *clientssl = NULL;
4641 int testresult = 0;
fb8c6db4 4642 int kexch_alg;
4643 int *kexch_groups = &kexch_alg;
4644 int kexch_groups_size = 1;
8e63900a 4645 int max_version = TLS1_3_VERSION;
becbacd7 4646 char *kexch_name0 = NULL;
8e63900a 4647
4648 switch (idx) {
5bf2eade 4649# ifndef OPENSSL_NO_EC
db26ec80 4650# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4651 case 12:
fb8c6db4 4652 max_version = TLS1_2_VERSION;
db26ec80 4653# endif
fb8c6db4 4654 /* Fall through */
4655 case 0:
4656 kexch_groups = ecdhe_kexch_groups;
4657 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
becbacd7 4658 kexch_name0 = "secp256r1";
fb8c6db4 4659 break;
5bf2eade 4660 case 1:
fb8c6db4 4661 kexch_alg = NID_X9_62_prime256v1;
becbacd7 4662 kexch_name0 = "secp256r1";
fb8c6db4 4663 break;
5bf2eade 4664 case 2:
fb8c6db4 4665 kexch_alg = NID_secp384r1;
becbacd7 4666 kexch_name0 = "secp384r1";
fb8c6db4 4667 break;
5bf2eade 4668 case 3:
fb8c6db4 4669 kexch_alg = NID_secp521r1;
becbacd7 4670 kexch_name0 = "secp521r1";
fb8c6db4 4671 break;
5bf2eade 4672 case 4:
fb8c6db4 4673 kexch_alg = NID_X25519;
becbacd7 4674 kexch_name0 = "x25519";
fb8c6db4 4675 break;
5bf2eade 4676 case 5:
fb8c6db4 4677 kexch_alg = NID_X448;
becbacd7 4678 kexch_name0 = "x448";
fb8c6db4 4679 break;
5bf2eade 4680# endif
4681# ifndef OPENSSL_NO_DH
db26ec80 4682# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4683 case 13:
dbc6268f 4684 max_version = TLS1_2_VERSION;
becbacd7 4685 kexch_name0 = "ffdhe2048";
db26ec80 4686# endif
dbc6268f 4687 /* Fall through */
5bf2eade 4688 case 6:
8e63900a 4689 kexch_groups = ffdhe_kexch_groups;
4690 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
becbacd7 4691 kexch_name0 = "ffdhe2048";
8e63900a 4692 break;
5bf2eade 4693 case 7:
fb8c6db4 4694 kexch_alg = NID_ffdhe2048;
becbacd7 4695 kexch_name0 = "ffdhe2048";
fb8c6db4 4696 break;
5bf2eade 4697 case 8:
fb8c6db4 4698 kexch_alg = NID_ffdhe3072;
becbacd7 4699 kexch_name0 = "ffdhe3072";
fb8c6db4 4700 break;
5bf2eade 4701 case 9:
fb8c6db4 4702 kexch_alg = NID_ffdhe4096;
becbacd7 4703 kexch_name0 = "ffdhe4096";
fb8c6db4 4704 break;
5bf2eade 4705 case 10:
fb8c6db4 4706 kexch_alg = NID_ffdhe6144;
becbacd7 4707 kexch_name0 = "ffdhe6144";
fb8c6db4 4708 break;
5bf2eade 4709 case 11:
fb8c6db4 4710 kexch_alg = NID_ffdhe8192;
becbacd7 4711 kexch_name0 = "ffdhe8192";
8e63900a 4712 break;
5bf2eade 4713# endif
6597d62b
MC		 4714 default:
4715 /* We're skipping this test */
4716 return 1;
8e63900a 4717 }
4718
5e30f2fd
MC		 4719 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4720 TLS_client_method(), TLS1_VERSION,
4721 max_version, &sctx, &cctx, cert,
4722 privkey)))
8e63900a 4723 goto end;
4724
5bf2eade 4725 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4726 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4727 goto end;
4728
5bf2eade 4729 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4730 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4731 goto end;
4732
5bf2eade 4733 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
75d48520
BK		 4734 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4735 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4736 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
8e63900a 4737 goto end;
4738
dbc6268f
MC		 4739 /*
4740 * Must include an EC ciphersuite so that we send supported groups in
4741 * TLSv1.2
4742 */
5bf2eade 4743# ifndef OPENSSL_NO_TLS1_2
dbc6268f 4744 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
75d48520
BK		 4745 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4746 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
8e63900a 4747 goto end;
5bf2eade 4748# endif
8e63900a 4749
4750 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4751 NULL, NULL)))
4752 goto end;
4753
4754 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4755 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4756 goto end;
4757
5bf2eade 4758 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8e63900a 4759 goto end;
8e63900a 4760
dbc6268f 4761 /*
5bf2eade 4762 * If Handshake succeeds the negotiated kexch alg should be the first one in
4763 * configured, except in the case of FFDHE groups (idx 13), which are
4764 * TLSv1.3 only so we expect no shared group to exist.
dbc6268f
MC		 4765 */
4766 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
5bf2eade 4767 idx == 13 ? 0 : kexch_groups[0]))
8e63900a 4768 goto end;
becbacd7
MB		 4769
4770 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
4771 kexch_name0))
4772 goto end;
4773
75d48520
BK		 4774 /* We don't implement RFC 7919 named groups for TLS 1.2. */
4775 if (idx != 13) {
fb8c6db4 4776 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4777 goto end;
4778 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4779 goto end;
4780 }
8e63900a 4781
4782 testresult = 1;
4783 end:
4784 SSL_free(serverssl);
4785 SSL_free(clientssl);
4786 SSL_CTX_free(sctx);
4787 SSL_CTX_free(cctx);
4788 return testresult;
4789}
4790
c9cddf05
P		 4791# if !defined(OPENSSL_NO_TLS1_2) \
4792 && !defined(OPENSSL_NO_EC) \
4793 && !defined(OPENSSL_NO_DH)
6dc56df2
BK		 4794static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
4795 int isecdhe, int idx)
4796{
4797 int kexch_alg;
4798 int *kexch_groups = &kexch_alg;
4799 int numec, numff;
4800
4801 numec = OSSL_NELEM(ecdhe_kexch_groups);
4802 numff = OSSL_NELEM(ffdhe_kexch_groups);
4803 if (isecdhe)
4804 kexch_alg = ecdhe_kexch_groups[idx];
4805 else
4806 kexch_alg = ffdhe_kexch_groups[idx];
4807
4808 if (clientmulti) {
4809 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
4810 return 0;
4811 if (isecdhe) {
4812 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
4813 numec)))
4814 return 0;
4815 } else {
4816 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
4817 numff)))
4818 return 0;
4819 }
4820 } else {
4821 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
4822 return 0;
4823 if (isecdhe) {
4824 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
4825 numec)))
4826 return 0;
4827 } else {
4828 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
4829 numff)))
4830 return 0;
4831 }
4832 }
4833 return 1;
4834}
4835
4836/*-
4837 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
4838 * Run through both the ECDHE and FFDHE group lists used in the previous
4839 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
4840 * confirming the expected result; then perform a resumption handshake
4841 * while offering the same group list, and another resumption handshake
4842 * offering a different group list. The returned value should be the
4843 * negotiated group for the initial handshake; for TLS 1.3 resumption
4844 * handshakes the returned value will be negotiated on the resumption
4845 * handshake itself, but for TLS 1.2 resumption handshakes the value will
4846 * be cached in the session from the original handshake, regardless of what
4847 * was offered in the resumption ClientHello.
4848 *
4849 * Using E for the number of EC groups and F for the number of FF groups:
6dc56df2
BK		 4850 * E tests of ECDHE with TLS 1.3, server only has one group
4851 * F tests of FFDHE with TLS 1.3, server only has one group
4852 * E tests of ECDHE with TLS 1.2, server only has one group
4853 * F tests of FFDHE with TLS 1.2, server only has one group
3bd5319b
BK		 4854 * E tests of ECDHE with TLS 1.3, client sends only one group
4855 * F tests of FFDHE with TLS 1.3, client sends only one group
4856 * E tests of ECDHE with TLS 1.2, client sends only one group
4857 * F tests of FFDHE with TLS 1.2, client sends only one group
6dc56df2
BK		 4858 */
4859static int test_negotiated_group(int idx)
4860{
4861 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
4862 int expectednid;
4863 SSL_CTX *sctx = NULL, *cctx = NULL;
4864 SSL *serverssl = NULL, *clientssl = NULL;
4865 SSL_SESSION *origsess = NULL;
4866 int testresult = 0;
4867 int kexch_alg;
4868 int max_version = TLS1_3_VERSION;
4869
4870 numec = OSSL_NELEM(ecdhe_kexch_groups);
4871 numff = OSSL_NELEM(ffdhe_kexch_groups);
4872 numgroups = numec + numff;
4873 clientmulti = (idx < 2 * numgroups);
4874 idx = idx % (2 * numgroups);
4875 istls13 = (idx < numgroups);
4876 idx = idx % numgroups;
4877 isecdhe = (idx < numec);
4878 if (!isecdhe)
4879 idx -= numec;
4880 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
4881 if (isecdhe)
4882 kexch_alg = ecdhe_kexch_groups[idx];
4883 else
4884 kexch_alg = ffdhe_kexch_groups[idx];
4885 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
4886 if (!istls13 && !isecdhe)
4887 expectednid = NID_undef;
4888 else
4889 expectednid = kexch_alg;
4890
4891 if (!istls13)
4892 max_version = TLS1_2_VERSION;
4893
4894 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4895 TLS_client_method(), TLS1_VERSION,
4896 max_version, &sctx, &cctx, cert,
4897 privkey)))
4898 goto end;
4899
4900 /*
4901 * Force (EC)DHE ciphers for TLS 1.2.
4902 * Be sure to enable auto tmp DH so that FFDHE can succeed.
4903 */
4904 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4905 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4906 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4907 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4908 goto end;
4909 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4910 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4911 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4912 goto end;
4913
4914 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4915 NULL, NULL)))
4916 goto end;
4917
4918 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
4919 idx)))
4920 goto end;
4921
4922 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4923 goto end;
4924
4925 /* Initial handshake; always the configured one */
4926 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4927 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4928 goto end;
4929
4930 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
4931 goto end;
4932
4933 SSL_shutdown(clientssl);
4934 SSL_shutdown(serverssl);
4935 SSL_free(serverssl);
4936 SSL_free(clientssl);
4937 serverssl = clientssl = NULL;
4938
4939 /* First resumption attempt; use the same config as initial handshake */
4940 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4941 NULL, NULL))
4942 || !TEST_true(SSL_set_session(clientssl, origsess))
4943 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4944 isecdhe, idx)))
4945 goto end;
4946
4947 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4948 || !TEST_true(SSL_session_reused(clientssl)))
4949 goto end;
4950
4951 /* Still had better agree, since nothing changed... */
4952 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4953 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4954 goto end;
4955
4956 SSL_shutdown(clientssl);
4957 SSL_shutdown(serverssl);
4958 SSL_free(serverssl);
4959 SSL_free(clientssl);
4960 serverssl = clientssl = NULL;
4961
4962 /*-
4963 * Second resumption attempt
4964 * The party that picks one group changes it, which we effectuate by
4965 * changing 'idx' and updating what we expect.
4966 */
4967 if (idx == 0)
4968 idx = 1;
4969 else
4970 idx--;
4971 if (istls13) {
4972 if (isecdhe)
4973 expectednid = ecdhe_kexch_groups[idx];
4974 else
4975 expectednid = ffdhe_kexch_groups[idx];
4976 /* Verify that we are changing what we expect. */
4977 if (!TEST_int_ne(expectednid, kexch_alg))
4978 goto end;
4979 } else {
4980 /* TLS 1.2 only supports named groups for ECDHE. */
4981 if (isecdhe)
4982 expectednid = kexch_alg;
4983 else
4984 expectednid = 0;
4985 }
4986 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4987 NULL, NULL))
4988 || !TEST_true(SSL_set_session(clientssl, origsess))
4989 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4990 isecdhe, idx)))
4991 goto end;
4992
4993 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4994 || !TEST_true(SSL_session_reused(clientssl)))
4995 goto end;
4996
4997 /* Check that we get what we expected */
4998 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4999 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5000 goto end;
5001
5002 testresult = 1;
5003 end:
5004 SSL_free(serverssl);
5005 SSL_free(clientssl);
5006 SSL_CTX_free(sctx);
5007 SSL_CTX_free(cctx);
5008 SSL_SESSION_free(origsess);
5009 return testresult;
5010}
5011# endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
5012
5bf2eade 5013/*
5014 * Test TLSv1.3 Cipher Suite
5015 * Test 0 = Set TLS1.3 cipher on context
5016 * Test 1 = Set TLS1.3 cipher on SSL
5017 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
5018 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
5019 */
5020static int test_tls13_ciphersuite(int idx)
5021{
5022 SSL_CTX *sctx = NULL, *cctx = NULL;
5023 SSL *serverssl = NULL, *clientssl = NULL;
4f6c7044
MC		 5024 static const struct {
5025 const char *ciphername;
5026 int fipscapable;
e0710222 5027 int low_security;
4f6c7044 5028 } t13_ciphers[] = {
e0710222
P		 5029 { TLS1_3_RFC_AES_128_GCM_SHA256, 1, 0 },
5030 { TLS1_3_RFC_AES_256_GCM_SHA384, 1, 0 },
5031 { TLS1_3_RFC_AES_128_CCM_SHA256, 1, 0 },
5bf2eade 5032# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e0710222 5033 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
4f6c7044 5034 { TLS1_3_RFC_AES_256_GCM_SHA384
e0710222 5035 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5bf2eade 5036# endif
e0710222
P		 5037 /* CCM8 ciphers are considered low security due to their short tag */
5038 { TLS1_3_RFC_AES_128_CCM_8_SHA256
5039 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1, 1 }
5bf2eade 5040 };
5041 const char *t13_cipher = NULL;
5042 const char *t12_cipher = NULL;
5043 const char *negotiated_scipher;
5044 const char *negotiated_ccipher;
5045 int set_at_ctx = 0;
5046 int set_at_ssl = 0;
5047 int testresult = 0;
5048 int max_ver;
5049 size_t i;
5050
5051 switch (idx) {
5052 case 0:
5053 set_at_ctx = 1;
5054 break;
5055 case 1:
5056 set_at_ssl = 1;
5057 break;
5058 case 2:
5059 set_at_ctx = 1;
2d900758 5060 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 5061 break;
5062 case 3:
5063 set_at_ssl = 1;
2d900758 5064 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 5065 break;
5066 }
5067
5068 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5069# ifdef OPENSSL_NO_TLS1_2
5070 if (max_ver == TLS1_2_VERSION)
5071 continue;
5072# endif
5073 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4f6c7044
MC		 5074 if (is_fips && !t13_ciphers[i].fipscapable)
5075 continue;
5076 t13_cipher = t13_ciphers[i].ciphername;
5e30f2fd 5077 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5bf2eade 5078 TLS_client_method(),
5079 TLS1_VERSION, max_ver,
5080 &sctx, &cctx, cert, privkey)))
5081 goto end;
5082
e0710222
P		 5083 if (t13_ciphers[i].low_security) {
5084 SSL_CTX_set_security_level(sctx, 0);
5085 SSL_CTX_set_security_level(cctx, 0);
5086 }
5087
5bf2eade 5088 if (set_at_ctx) {
5089 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5090 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5091 goto end;
5092 if (t12_cipher != NULL) {
5093 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5094 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5095 t12_cipher)))
5096 goto end;
5097 }
5098 }
5099
5100 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5101 &clientssl, NULL, NULL)))
5102 goto end;
5103
5104 if (set_at_ssl) {
5105 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5106 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5107 goto end;
5108 if (t12_cipher != NULL) {
5109 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5110 || !TEST_true(SSL_set_cipher_list(clientssl,
5111 t12_cipher)))
5112 goto end;
5113 }
5114 }
5115
5116 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5117 SSL_ERROR_NONE)))
5118 goto end;
5119
5120 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5121 serverssl));
5122 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5123 clientssl));
5124 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5125 goto end;
5126
5127 /*
5128 * TEST_strn_eq is used below because t13_cipher can contain
5129 * multiple ciphersuites
5130 */
5131 if (max_ver == TLS1_3_VERSION
5132 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5133 strlen(negotiated_scipher)))
5134 goto end;
5135
5136# ifndef OPENSSL_NO_TLS1_2
5137 /* Below validation is not done when t12_cipher is NULL */
5138 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5139 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5140 goto end;
5141# endif
5142
5143 SSL_free(serverssl);
5144 serverssl = NULL;
5145 SSL_free(clientssl);
5146 clientssl = NULL;
5147 SSL_CTX_free(sctx);
5148 sctx = NULL;
5149 SSL_CTX_free(cctx);
5150 cctx = NULL;
5151 }
5152 }
5153
5154 testresult = 1;
5155 end:
5156 SSL_free(serverssl);
5157 SSL_free(clientssl);
5158 SSL_CTX_free(sctx);
5159 SSL_CTX_free(cctx);
5160 return testresult;
5161}
5162
0d8da779
MC		 5163/*
5164 * Test TLSv1.3 PSKs
5165 * Test 0 = Test new style callbacks
5166 * Test 1 = Test both new and old style callbacks
5167 * Test 2 = Test old style callbacks
5168 * Test 3 = Test old style callbacks with no certificate
5169 */
532f9578 5170static int test_tls13_psk(int idx)
ca8c71ba
MC		 5171{
5172 SSL_CTX *sctx = NULL, *cctx = NULL;
5173 SSL *serverssl = NULL, *clientssl = NULL;
5174 const SSL_CIPHER *cipher = NULL;
5175 const unsigned char key[] = {
5176 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5177 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 5178 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5179 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 5180 };
5181 int testresult = 0;
5182
5e30f2fd
MC		 5183 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5184 TLS_client_method(), TLS1_VERSION, 0,
0d8da779
MC		 5185 &sctx, &cctx, idx == 3 ? NULL : cert,
5186 idx == 3 ? NULL : privkey)))
ca8c71ba
MC		 5187 goto end;
5188
0d8da779
MC		 5189 if (idx != 3) {
5190 /*
5191 * We use a ciphersuite with SHA256 to ease testing old style PSK
5192 * callbacks which will always default to SHA256. This should not be
5193 * necessary if we have no cert/priv key. In that case the server should
5194 * prefer SHA256 automatically.
5195 */
5196 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5197 "TLS_AES_128_GCM_SHA256")))
5198 goto end;
4f6c7044
MC		 5199 } else {
5200 /*
5201 * As noted above the server should prefer SHA256 automatically. However
5202 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5203 * code works even if we are testing with only the FIPS provider loaded.
5204 */
5205 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5206 "TLS_AES_256_GCM_SHA384:"
5207 "TLS_AES_128_GCM_SHA256")))
5208 goto end;
0d8da779 5209 }
532f9578
MC		 5210
5211 /*
5212 * Test 0: New style callbacks only
5213 * Test 1: New and old style callbacks (only the new ones should be used)
5214 * Test 2: Old style callbacks only
5215 */
5216 if (idx == 0 || idx == 1) {
5217 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5218 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5219 }
c2b290c3 5220#ifndef OPENSSL_NO_PSK
0d8da779 5221 if (idx >= 1) {
532f9578
MC		 5222 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5223 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5224 }
c2b290c3 5225#endif
ca8c71ba 5226 srvid = pskid;
02a3ed5a
MC		 5227 use_session_cb_cnt = 0;
5228 find_session_cb_cnt = 0;
532f9578
MC		 5229 psk_client_cb_cnt = 0;
5230 psk_server_cb_cnt = 0;
ca8c71ba 5231
0d8da779
MC		 5232 if (idx != 3) {
5233 /*
5234 * Check we can create a connection if callback decides not to send a
5235 * PSK
5236 */
5237 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5238 NULL, NULL))
5239 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5240 SSL_ERROR_NONE))
5241 || !TEST_false(SSL_session_reused(clientssl))
5242 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 5243 goto end;
532f9578 5244
0d8da779
MC		 5245 if (idx == 0 || idx == 1) {
5246 if (!TEST_true(use_session_cb_cnt == 1)
5247 || !TEST_true(find_session_cb_cnt == 0)
5248 /*
5249 * If no old style callback then below should be 0
5250 * otherwise 1
5251 */
5252 || !TEST_true(psk_client_cb_cnt == idx)
5253 || !TEST_true(psk_server_cb_cnt == 0))
5254 goto end;
5255 } else {
5256 if (!TEST_true(use_session_cb_cnt == 0)
5257 || !TEST_true(find_session_cb_cnt == 0)
5258 || !TEST_true(psk_client_cb_cnt == 1)
5259 || !TEST_true(psk_server_cb_cnt == 0))
5260 goto end;
5261 }
5262
5263 shutdown_ssl_connection(serverssl, clientssl);
5264 serverssl = clientssl = NULL;
5265 use_session_cb_cnt = psk_client_cb_cnt = 0;
5266 }
ca8c71ba
MC		 5267
5268 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5269 NULL, NULL)))
5270 goto end;
5271
5272 /* Create the PSK */
532f9578 5273 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 5274 clientpsk = SSL_SESSION_new();
5275 if (!TEST_ptr(clientpsk)
ca8c71ba 5276 || !TEST_ptr(cipher)
57dee9bb
MC		 5277 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5278 sizeof(key)))
5279 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5280 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5281 TLS1_3_VERSION))
5282 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 5283 goto end;
57dee9bb 5284 serverpsk = clientpsk;
ca8c71ba
MC		 5285
5286 /* Check we can create a connection and the PSK is used */
5287 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5288 || !TEST_true(SSL_session_reused(clientssl))
532f9578 5289 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 5290 goto end;
5291
532f9578
MC		 5292 if (idx == 0 || idx == 1) {
5293 if (!TEST_true(use_session_cb_cnt == 1)
5294 || !TEST_true(find_session_cb_cnt == 1)
5295 || !TEST_true(psk_client_cb_cnt == 0)
5296 || !TEST_true(psk_server_cb_cnt == 0))
5297 goto end;
5298 } else {
5299 if (!TEST_true(use_session_cb_cnt == 0)
5300 || !TEST_true(find_session_cb_cnt == 0)
5301 || !TEST_true(psk_client_cb_cnt == 1)
5302 || !TEST_true(psk_server_cb_cnt == 1))
5303 goto end;
5304 }
5305
ca8c71ba
MC		 5306 shutdown_ssl_connection(serverssl, clientssl);
5307 serverssl = clientssl = NULL;
5308 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 5309 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 5310
5311 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5312 NULL, NULL)))
5313 goto end;
5314
5315 /* Force an HRR */
dbc6268f
MC		 5316#if defined(OPENSSL_NO_EC)
5317 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5318 goto end;
5319#else
ca8c71ba
MC		 5320 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
5321 goto end;
dbc6268f 5322#endif
ca8c71ba
MC		 5323
5324 /*
5325 * Check we can create a connection, the PSK is used and the callbacks are
5326 * called twice.
5327 */
5328 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5329 || !TEST_true(SSL_session_reused(clientssl))
532f9578 5330 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 5331 goto end;
5332
532f9578
MC		 5333 if (idx == 0 || idx == 1) {
5334 if (!TEST_true(use_session_cb_cnt == 2)
5335 || !TEST_true(find_session_cb_cnt == 2)
5336 || !TEST_true(psk_client_cb_cnt == 0)
5337 || !TEST_true(psk_server_cb_cnt == 0))
5338 goto end;
5339 } else {
5340 if (!TEST_true(use_session_cb_cnt == 0)
5341 || !TEST_true(find_session_cb_cnt == 0)
5342 || !TEST_true(psk_client_cb_cnt == 2)
5343 || !TEST_true(psk_server_cb_cnt == 2))
5344 goto end;
5345 }
5346
ca8c71ba
MC		 5347 shutdown_ssl_connection(serverssl, clientssl);
5348 serverssl = clientssl = NULL;
5349 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 5350 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba 5351
0d8da779
MC		 5352 if (idx != 3) {
5353 /*
5354 * Check that if the server rejects the PSK we can still connect, but with
5355 * a full handshake
5356 */
5357 srvid = "Dummy Identity";
5358 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5359 NULL, NULL))
5360 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5361 SSL_ERROR_NONE))
5362 || !TEST_false(SSL_session_reused(clientssl))
5363 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 5364 goto end;
532f9578 5365
0d8da779
MC		 5366 if (idx == 0 || idx == 1) {
5367 if (!TEST_true(use_session_cb_cnt == 1)
5368 || !TEST_true(find_session_cb_cnt == 1)
5369 || !TEST_true(psk_client_cb_cnt == 0)
5370 /*
5371 * If no old style callback then below should be 0
5372 * otherwise 1
5373 */
5374 || !TEST_true(psk_server_cb_cnt == idx))
5375 goto end;
5376 } else {
5377 if (!TEST_true(use_session_cb_cnt == 0)
5378 || !TEST_true(find_session_cb_cnt == 0)
5379 || !TEST_true(psk_client_cb_cnt == 1)
5380 || !TEST_true(psk_server_cb_cnt == 1))
5381 goto end;
5382 }
5383
5384 shutdown_ssl_connection(serverssl, clientssl);
5385 serverssl = clientssl = NULL;
5386 }
ca8c71ba
MC		 5387 testresult = 1;
5388
5389 end:
57dee9bb
MC		 5390 SSL_SESSION_free(clientpsk);
5391 SSL_SESSION_free(serverpsk);
5392 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 5393 SSL_free(serverssl);
5394 SSL_free(clientssl);
5395 SSL_CTX_free(sctx);
5396 SSL_CTX_free(cctx);
5397 return testresult;
5398}
5399
c7b8ff25
MC		 5400static unsigned char cookie_magic_value[] = "cookie magic";
5401
5402static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5403 unsigned int *cookie_len)
5404{
5405 /*
5406 * Not suitable as a real cookie generation function but good enough for
5407 * testing!
5408 */
97ea1e7f
MC		 5409 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5410 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 5411
5412 return 1;
5413}
5414
5415static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5416 unsigned int cookie_len)
5417{
97ea1e7f 5418 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 5419 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5420 return 1;
5421
5422 return 0;
5423}
5424
3fa2812f
BS		 5425static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5426 size_t *cookie_len)
5427{
5428 unsigned int temp;
5429 int res = generate_cookie_callback(ssl, cookie, &temp);
5430 *cookie_len = temp;
5431 return res;
5432}
5433
5434static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5435 size_t cookie_len)
5436{
5437 return verify_cookie_callback(ssl, cookie, cookie_len);
5438}
5439
c7b8ff25
MC		 5440static int test_stateless(void)
5441{
5442 SSL_CTX *sctx = NULL, *cctx = NULL;
5443 SSL *serverssl = NULL, *clientssl = NULL;
5444 int testresult = 0;
5445
5e30f2fd
MC		 5446 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5447 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5448 &sctx, &cctx, cert, privkey)))
c7b8ff25
MC		 5449 goto end;
5450
e440f513
MC		 5451 /* The arrival of CCS messages can confuse the test */
5452 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5453
5454 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5455 NULL, NULL))
5456 /* Send the first ClientHello */
5457 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5458 SSL_ERROR_WANT_READ))
5459 /*
5460 * This should fail with a -1 return because we have no callbacks
5461 * set up
5462 */
5463 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5464 goto end;
5465
5466 /* Fatal error so abandon the connection from this client */
5467 SSL_free(clientssl);
5468 clientssl = NULL;
5469
c7b8ff25 5470 /* Set up the cookie generation and verification callbacks */
3fa2812f
BS		 5471 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5472 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
c7b8ff25 5473
e440f513
MC		 5474 /*
5475 * Create a new connection from the client (we can reuse the server SSL
5476 * object).
5477 */
c7b8ff25
MC		 5478 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5479 NULL, NULL))
5480 /* Send the first ClientHello */
5481 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5482 SSL_ERROR_WANT_READ))
5483 /* This should fail because there is no cookie */
e440f513 5484 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 5485 goto end;
5486
5487 /* Abandon the connection from this client */
5488 SSL_free(clientssl);
5489 clientssl = NULL;
5490
5491 /*
5492 * Now create a connection from a new client but with the same server SSL
5493 * object
5494 */
5495 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5496 NULL, NULL))
5497 /* Send the first ClientHello */
5498 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5499 SSL_ERROR_WANT_READ))
5500 /* This should fail because there is no cookie */
e440f513 5501 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 5502 /* Send the second ClientHello */
5503 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5504 SSL_ERROR_WANT_READ))
5505 /* This should succeed because a cookie is now present */
e440f513 5506 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 5507 /* Complete the connection */
5508 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5509 SSL_ERROR_NONE)))
5510 goto end;
5511
5512 shutdown_ssl_connection(serverssl, clientssl);
5513 serverssl = clientssl = NULL;
5514 testresult = 1;
5515
5516 end:
5517 SSL_free(serverssl);
5518 SSL_free(clientssl);
5519 SSL_CTX_free(sctx);
5520 SSL_CTX_free(cctx);
5521 return testresult;
5522
5523}
a763ca11 5524#endif /* OSSL_NO_USABLE_TLS1_3 */
5f982038 5525
a37008d9
MC		 5526static int clntaddoldcb = 0;
5527static int clntparseoldcb = 0;
5528static int srvaddoldcb = 0;
5529static int srvparseoldcb = 0;
5530static int clntaddnewcb = 0;
5531static int clntparsenewcb = 0;
5532static int srvaddnewcb = 0;
5533static int srvparsenewcb = 0;
bb01ef3f 5534static int snicb = 0;
a37008d9
MC		 5535
5536#define TEST_EXT_TYPE1 0xff00
5537
5538static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5539 size_t *outlen, int *al, void *add_arg)
5540{
5541 int *server = (int *)add_arg;
5542 unsigned char *data;
5543
5544 if (SSL_is_server(s))
5545 srvaddoldcb++;
5546 else
5547 clntaddoldcb++;
5548
710756a9
RS		 5549 if (*server != SSL_is_server(s)
5550 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5551 return -1;
5552
5553 *data = 1;
5554 *out = data;
5555 *outlen = sizeof(char);
a37008d9
MC		 5556 return 1;
5557}
5558
5559static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5560 void *add_arg)
5561{
5562 OPENSSL_free((unsigned char *)out);
5563}
5564
5565static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5566 size_t inlen, int *al, void *parse_arg)
5567{
5568 int *server = (int *)parse_arg;
5569
5570 if (SSL_is_server(s))
5571 srvparseoldcb++;
5572 else
5573 clntparseoldcb++;
5574
710756a9
RS		 5575 if (*server != SSL_is_server(s)
5576 || inlen != sizeof(char)
5577 || *in != 1)
a37008d9
MC		 5578 return -1;
5579
5580 return 1;
5581}
5582
5583static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5584 const unsigned char **out, size_t *outlen, X509 *x,
5585 size_t chainidx, int *al, void *add_arg)
5586{
5587 int *server = (int *)add_arg;
5588 unsigned char *data;
5589
5590 if (SSL_is_server(s))
5591 srvaddnewcb++;
5592 else
5593 clntaddnewcb++;
5594
710756a9
RS		 5595 if (*server != SSL_is_server(s)
5596 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5597 return -1;
5598
5599 *data = 1;
5600 *out = data;
710756a9 5601 *outlen = sizeof(*data);
a37008d9
MC		 5602 return 1;
5603}
5604
5605static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5606 const unsigned char *out, void *add_arg)
5607{
5608 OPENSSL_free((unsigned char *)out);
5609}
5610
5611static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5612 const unsigned char *in, size_t inlen, X509 *x,
5613 size_t chainidx, int *al, void *parse_arg)
5614{
5615 int *server = (int *)parse_arg;
5616
5617 if (SSL_is_server(s))
5618 srvparsenewcb++;
5619 else
5620 clntparsenewcb++;
5621
710756a9
RS		 5622 if (*server != SSL_is_server(s)
5623 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 5624 return -1;
5625
5626 return 1;
5627}
bb01ef3f
MC		 5628
5629static int sni_cb(SSL *s, int *al, void *arg)
5630{
5631 SSL_CTX *ctx = (SSL_CTX *)arg;
5632
5633 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5634 *al = SSL_AD_INTERNAL_ERROR;
5635 return SSL_TLSEXT_ERR_ALERT_FATAL;
5636 }
5637 snicb++;
5638 return SSL_TLSEXT_ERR_OK;
5639}
5640
0db3a990
MC		 5641static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5642{
5643 return 1;
5644}
5645
a37008d9
MC		 5646/*
5647 * Custom call back tests.
5648 * Test 0: Old style callbacks in TLSv1.2
5649 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 5650 * Test 2: New style callbacks in TLSv1.2 with SNI
5651 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5652 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
0db3a990 5653 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
a37008d9 5654 */
710756a9
RS		 5655static int test_custom_exts(int tst)
5656{
bb01ef3f 5657 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 5658 SSL *clientssl = NULL, *serverssl = NULL;
5659 int testresult = 0;
5660 static int server = 1;
5661 static int client = 0;
5662 SSL_SESSION *sess = NULL;
5663 unsigned int context;
5664
a763ca11 5665#if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
c423ecaa
MC		 5666 /* Skip tests for TLSv1.2 and below in this case */
5667 if (tst < 3)
5668 return 1;
5669#endif
5670
a37008d9
MC		 5671 /* Reset callback counters */
5672 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5673 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 5674 snicb = 0;
a37008d9 5675
5e30f2fd
MC		 5676 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5677 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5678 &sctx, &cctx, cert, privkey)))
710756a9 5679 goto end;
a37008d9 5680
bb01ef3f 5681 if (tst == 2
5e30f2fd 5682 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5c587fb6 5683 TLS1_VERSION, 0,
7d7f6834 5684 &sctx2, NULL, cert, privkey)))
bb01ef3f
MC		 5685 goto end;
5686
5687
5688 if (tst < 3) {
a37008d9
MC		 5689 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5690 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 5691 if (sctx2 != NULL)
5692 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 5693 }
5694
0db3a990
MC		 5695 if (tst == 5) {
5696 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
5697 | SSL_EXT_TLS1_3_CERTIFICATE;
5698 SSL_CTX_set_verify(sctx,
5699 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
5700 verify_cb);
5701 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
5702 SSL_FILETYPE_PEM), 1)
5703 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
5704 SSL_FILETYPE_PEM), 1)
5705 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
5706 goto end;
5707 } else if (tst == 4) {
710756a9
RS		 5708 context = SSL_EXT_CLIENT_HELLO
5709 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 5710 | SSL_EXT_TLS1_3_SERVER_HELLO
5711 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5712 | SSL_EXT_TLS1_3_CERTIFICATE
5713 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5714 } else {
710756a9
RS		 5715 context = SSL_EXT_CLIENT_HELLO
5716 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 5717 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5718 }
5719
5720 /* Create a client side custom extension */
5721 if (tst == 0) {
710756a9
RS		 5722 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5723 old_add_cb, old_free_cb,
5724 &client, old_parse_cb,
5725 &client)))
5726 goto end;
a37008d9 5727 } else {
710756a9
RS		 5728 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5729 new_add_cb, new_free_cb,
5730 &client, new_parse_cb, &client)))
5731 goto end;
a37008d9
MC		 5732 }
5733
5734 /* Should not be able to add duplicates */
710756a9
RS		 5735 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5736 old_add_cb, old_free_cb,
5737 &client, old_parse_cb,
5738 &client))
5739 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5740 context, new_add_cb,
5741 new_free_cb, &client,
5742 new_parse_cb, &client)))
5743 goto end;
a37008d9
MC		 5744
5745 /* Create a server side custom extension */
5746 if (tst == 0) {
710756a9
RS		 5747 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5748 old_add_cb, old_free_cb,
5749 &server, old_parse_cb,
5750 &server)))
5751 goto end;
a37008d9 5752 } else {
710756a9
RS		 5753 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5754 new_add_cb, new_free_cb,
5755 &server, new_parse_cb, &server)))
5756 goto end;
bb01ef3f
MC		 5757 if (sctx2 != NULL
5758 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5759 context, new_add_cb,
5760 new_free_cb, &server,
5761 new_parse_cb, &server)))
5762 goto end;
a37008d9
MC		 5763 }
5764
5765 /* Should not be able to add duplicates */
710756a9
RS		 5766 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5767 old_add_cb, old_free_cb,
5768 &server, old_parse_cb,
5769 &server))
5770 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5771 context, new_add_cb,
5772 new_free_cb, &server,
5773 new_parse_cb, &server)))
a37008d9 5774 goto end;
a37008d9 5775
bb01ef3f
MC		 5776 if (tst == 2) {
5777 /* Set up SNI */
5778 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5779 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5780 goto end;
5781 }
5782
710756a9
RS		 5783 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5784 &clientssl, NULL, NULL))
5785 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5786 SSL_ERROR_NONE)))
a37008d9 5787 goto end;
a37008d9
MC		 5788
5789 if (tst == 0) {
710756a9
RS		 5790 if (clntaddoldcb != 1
5791 || clntparseoldcb != 1
5792 || srvaddoldcb != 1
5793 || srvparseoldcb != 1)
a37008d9 5794 goto end;
bb01ef3f 5795 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 5796 if (clntaddnewcb != 1
5797 || clntparsenewcb != 1
5798 || srvaddnewcb != 1
bb01ef3f
MC		 5799 || srvparsenewcb != 1
5800 || (tst != 2 && snicb != 0)
5801 || (tst == 2 && snicb != 1))
a37008d9 5802 goto end;
0db3a990
MC		 5803 } else if (tst == 5) {
5804 if (clntaddnewcb != 1
5805 || clntparsenewcb != 1
5806 || srvaddnewcb != 1
5807 || srvparsenewcb != 1)
5808 goto end;
a37008d9 5809 } else {
36ff232c 5810 /* In this case there 2 NewSessionTicket messages created */
710756a9 5811 if (clntaddnewcb != 1
36ff232c
MC		 5812 || clntparsenewcb != 5
5813 || srvaddnewcb != 5
710756a9 5814 || srvparsenewcb != 1)
a37008d9 5815 goto end;
a37008d9
MC		 5816 }
5817
5818 sess = SSL_get1_session(clientssl);
a37008d9
MC		 5819 SSL_shutdown(clientssl);
5820 SSL_shutdown(serverssl);
a37008d9
MC		 5821 SSL_free(serverssl);
5822 SSL_free(clientssl);
5823 serverssl = clientssl = NULL;
5824
0db3a990
MC		 5825 if (tst == 3 || tst == 5) {
5826 /* We don't bother with the resumption aspects for these tests */
bb01ef3f
MC		 5827 testresult = 1;
5828 goto end;
5829 }
5830
710756a9
RS		 5831 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5832 NULL, NULL))
5833 || !TEST_true(SSL_set_session(clientssl, sess))
5834 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5835 SSL_ERROR_NONE)))
a37008d9 5836 goto end;
a37008d9
MC		 5837
5838 /*
5839 * For a resumed session we expect to add the ClientHello extension. For the
5840 * old style callbacks we ignore it on the server side because they set
5841 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5842 * them.
5843 */
5844 if (tst == 0) {
710756a9
RS		 5845 if (clntaddoldcb != 2
5846 || clntparseoldcb != 1
5847 || srvaddoldcb != 1
5848 || srvparseoldcb != 1)
a37008d9 5849 goto end;
bb01ef3f 5850 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 5851 if (clntaddnewcb != 2
5852 || clntparsenewcb != 2
5853 || srvaddnewcb != 2
5854 || srvparsenewcb != 2)
a37008d9 5855 goto end;
a37008d9 5856 } else {
36ff232c
MC		 5857 /*
5858 * No Certificate message extensions in the resumption handshake,
5859 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5860 */
710756a9 5861 if (clntaddnewcb != 2
36ff232c
MC		 5862 || clntparsenewcb != 8
5863 || srvaddnewcb != 8
710756a9 5864 || srvparsenewcb != 2)
a37008d9 5865 goto end;
a37008d9
MC		 5866 }
5867
5868 testresult = 1;
5869
5870end:
5871 SSL_SESSION_free(sess);
5872 SSL_free(serverssl);
5873 SSL_free(clientssl);
bb01ef3f 5874 SSL_CTX_free(sctx2);
a37008d9
MC		 5875 SSL_CTX_free(sctx);
5876 SSL_CTX_free(cctx);
a37008d9
MC		 5877 return testresult;
5878}
5879
16afd71c
MC		 5880/*
5881 * Test loading of serverinfo data in various formats. test_sslmessages actually
5882 * tests to make sure the extensions appear in the handshake
5883 */
5884static int test_serverinfo(int tst)
5885{
5886 unsigned int version;
5887 unsigned char *sibuf;
5888 size_t sibuflen;
5889 int ret, expected, testresult = 0;
5890 SSL_CTX *ctx;
5891
d8652be0 5892 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method());
16afd71c
MC		 5893 if (!TEST_ptr(ctx))
5894 goto end;
5895
5896 if ((tst & 0x01) == 0x01)
5897 version = SSL_SERVERINFOV2;
5898 else
5899 version = SSL_SERVERINFOV1;
5900
5901 if ((tst & 0x02) == 0x02) {
5902 sibuf = serverinfov2;
5903 sibuflen = sizeof(serverinfov2);
5904 expected = (version == SSL_SERVERINFOV2);
5905 } else {
5906 sibuf = serverinfov1;
5907 sibuflen = sizeof(serverinfov1);
5908 expected = (version == SSL_SERVERINFOV1);
5909 }
5910
5911 if ((tst & 0x04) == 0x04) {
5912 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5913 } else {
5914 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5915
5916 /*
5917 * The version variable is irrelevant in this case - it's what is in the
5918 * buffer that matters
5919 */
5920 if ((tst & 0x02) == 0x02)
5921 expected = 0;
5922 else
5923 expected = 1;
5924 }
5925
5926 if (!TEST_true(ret == expected))
5927 goto end;
5928
5929 testresult = 1;
5930
5931 end:
5932 SSL_CTX_free(ctx);
5933
5934 return testresult;
5935}
5936
2197d1df
MC		 5937/*
5938 * Test that SSL_export_keying_material() produces expected results. There are
5939 * no test vectors so all we do is test that both sides of the communication
5940 * produce the same results for different protocol versions.
5941 */
0fb2815b
MC		 5942#define SMALL_LABEL_LEN 10
5943#define LONG_LABEL_LEN 249
2197d1df
MC		 5944static int test_export_key_mat(int tst)
5945{
a599574b 5946 int testresult = 0;
2197d1df
MC		 5947 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5948 SSL *clientssl = NULL, *serverssl = NULL;
0fb2815b 5949 const char label[LONG_LABEL_LEN + 1] = "test label";
2197d1df
MC		 5950 const unsigned char context[] = "context";
5951 const unsigned char *emptycontext = NULL;
5952 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5953 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
0fb2815b 5954 size_t labellen;
a599574b
MC		 5955 const int protocols[] = {
5956 TLS1_VERSION,
5957 TLS1_1_VERSION,
5958 TLS1_2_VERSION,
0fb2815b
MC		 5959 TLS1_3_VERSION,
5960 TLS1_3_VERSION,
a599574b
MC		 5961 TLS1_3_VERSION
5962 };
2197d1df
MC		 5963
5964#ifdef OPENSSL_NO_TLS1
5965 if (tst == 0)
5966 return 1;
5967#endif
5968#ifdef OPENSSL_NO_TLS1_1
5969 if (tst == 1)
5970 return 1;
5971#endif
4f6c7044
MC		 5972 if (is_fips && (tst == 0 || tst == 1))
5973 return 1;
2197d1df
MC		 5974#ifdef OPENSSL_NO_TLS1_2
5975 if (tst == 2)
5976 return 1;
5977#endif
a763ca11 5978#ifdef OSSL_NO_USABLE_TLS1_3
0fb2815b 5979 if (tst >= 3)
2197d1df
MC		 5980 return 1;
5981#endif
5e30f2fd
MC		 5982 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5983 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5984 &sctx, &cctx, cert, privkey)))
2197d1df
MC		 5985 goto end;
5986
a599574b
MC		 5987 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5988 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5989 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
aba03ae5
KR		 5990 if ((protocols[tst] < TLS1_2_VERSION) &&
5991 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
5992 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
5993 goto end;
2197d1df
MC		 5994
5995 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
ea9f6890
TM		 5996 NULL)))
5997 goto end;
5998
5999 /*
6000 * Premature call of SSL_export_keying_material should just fail.
6001 */
6002 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6003 sizeof(ckeymat1), label,
6004 SMALL_LABEL_LEN + 1, context,
6005 sizeof(context) - 1, 1), 0))
6006 goto end;
6007
6008 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6009 SSL_ERROR_NONE)))
2197d1df
MC		 6010 goto end;
6011
0fb2815b
MC		 6012 if (tst == 5) {
6013 /*
6014 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
6015 * go over that.
6016 */
6017 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6018 sizeof(ckeymat1), label,
6019 LONG_LABEL_LEN + 1, context,
6020 sizeof(context) - 1, 1), 0))
6021 goto end;
6022
6023 testresult = 1;
6024 goto end;
6025 } else if (tst == 4) {
6026 labellen = LONG_LABEL_LEN;
6027 } else {
6028 labellen = SMALL_LABEL_LEN;
6029 }
6030
2197d1df
MC		 6031 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
6032 sizeof(ckeymat1), label,
0fb2815b 6033 labellen, context,
2197d1df
MC		 6034 sizeof(context) - 1, 1), 1)
6035 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
6036 sizeof(ckeymat2), label,
0fb2815b 6037 labellen,
2197d1df
MC		 6038 emptycontext,
6039 0, 1), 1)
6040 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
6041 sizeof(ckeymat3), label,
0fb2815b 6042 labellen,
2197d1df
MC		 6043 NULL, 0, 0), 1)
6044 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
6045 sizeof(skeymat1), label,
0fb2815b 6046 labellen,
2197d1df
MC		 6047 context,
6048 sizeof(context) -1, 1),
6049 1)
6050 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
6051 sizeof(skeymat2), label,
0fb2815b 6052 labellen,
2197d1df
MC		 6053 emptycontext,
6054 0, 1), 1)
6055 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
6056 sizeof(skeymat3), label,
0fb2815b 6057 labellen,
2197d1df
MC		 6058 NULL, 0, 0), 1)
6059 /*
6060 * Check that both sides created the same key material with the
6061 * same context.
6062 */
6063 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6064 sizeof(skeymat1))
6065 /*
6066 * Check that both sides created the same key material with an
6067 * empty context.
6068 */
6069 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6070 sizeof(skeymat2))
6071 /*
6072 * Check that both sides created the same key material without a
6073 * context.
6074 */
6075 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6076 sizeof(skeymat3))
6077 /* Different contexts should produce different results */
6078 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6079 sizeof(ckeymat2)))
6080 goto end;
6081
6082 /*
6083 * Check that an empty context and no context produce different results in
6084 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6085 */
0fb2815b 6086 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
2197d1df 6087 sizeof(ckeymat3)))
0fb2815b
MC		 6088 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6089 sizeof(ckeymat3))))
2197d1df
MC		 6090 goto end;
6091
6092 testresult = 1;
6093
6094 end:
6095 SSL_free(serverssl);
6096 SSL_free(clientssl);
6097 SSL_CTX_free(sctx2);
6098 SSL_CTX_free(sctx);
6099 SSL_CTX_free(cctx);
6100
6101 return testresult;
6102}
6103
a763ca11 6104#ifndef OSSL_NO_USABLE_TLS1_3
b38ede80
TT		 6105/*
6106 * Test that SSL_export_keying_material_early() produces expected
6107 * results. There are no test vectors so all we do is test that both
6108 * sides of the communication produce the same results for different
6109 * protocol versions.
6110 */
6111static int test_export_key_mat_early(int idx)
6112{
6113 static const char label[] = "test label";
6114 static const unsigned char context[] = "context";
6115 int testresult = 0;
6116 SSL_CTX *cctx = NULL, *sctx = NULL;
6117 SSL *clientssl = NULL, *serverssl = NULL;
6118 SSL_SESSION *sess = NULL;
6119 const unsigned char *emptycontext = NULL;
6120 unsigned char ckeymat1[80], ckeymat2[80];
6121 unsigned char skeymat1[80], skeymat2[80];
6122 unsigned char buf[1];
6123 size_t readbytes, written;
6124
6125 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6126 &sess, idx)))
6127 goto end;
6128
6129 /* Here writing 0 length early data is enough. */
6130 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6131 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6132 &readbytes),
6133 SSL_READ_EARLY_DATA_ERROR)
6134 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6135 SSL_EARLY_DATA_ACCEPTED))
6136 goto end;
6137
6138 if (!TEST_int_eq(SSL_export_keying_material_early(
6139 clientssl, ckeymat1, sizeof(ckeymat1), label,
6140 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6141 || !TEST_int_eq(SSL_export_keying_material_early(
6142 clientssl, ckeymat2, sizeof(ckeymat2), label,
6143 sizeof(label) - 1, emptycontext, 0), 1)
6144 || !TEST_int_eq(SSL_export_keying_material_early(
6145 serverssl, skeymat1, sizeof(skeymat1), label,
6146 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6147 || !TEST_int_eq(SSL_export_keying_material_early(
6148 serverssl, skeymat2, sizeof(skeymat2), label,
6149 sizeof(label) - 1, emptycontext, 0), 1)
6150 /*
6151 * Check that both sides created the same key material with the
6152 * same context.
6153 */
6154 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6155 sizeof(skeymat1))
6156 /*
6157 * Check that both sides created the same key material with an
6158 * empty context.
6159 */
6160 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6161 sizeof(skeymat2))
6162 /* Different contexts should produce different results */
6163 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6164 sizeof(ckeymat2)))
6165 goto end;
6166
6167 testresult = 1;
6168
6169 end:
c20e3b28 6170 SSL_SESSION_free(sess);
b38ede80
TT		 6171 SSL_SESSION_free(clientpsk);
6172 SSL_SESSION_free(serverpsk);
34ff74eb 6173 clientpsk = serverpsk = NULL;
b38ede80
TT		 6174 SSL_free(serverssl);
6175 SSL_free(clientssl);
6176 SSL_CTX_free(sctx);
6177 SSL_CTX_free(cctx);
6178
6179 return testresult;
6180}
3409a5ff
MC		 6181
6182#define NUM_KEY_UPDATE_MESSAGES 40
6183/*
6184 * Test KeyUpdate.
6185 */
6186static int test_key_update(void)
6187{
6188 SSL_CTX *cctx = NULL, *sctx = NULL;
6189 SSL *clientssl = NULL, *serverssl = NULL;
6190 int testresult = 0, i, j;
6191 char buf[20];
6192 static char *mess = "A test message";
6193
5e30f2fd 6194 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3409a5ff
MC		 6195 TLS_client_method(),
6196 TLS1_3_VERSION,
6197 0,
6198 &sctx, &cctx, cert, privkey))
6199 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6200 NULL, NULL))
6201 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6202 SSL_ERROR_NONE)))
6203 goto end;
6204
6205 for (j = 0; j < 2; j++) {
6206 /* Send lots of KeyUpdate messages */
6207 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6208 if (!TEST_true(SSL_key_update(clientssl,
6209 (j == 0)
6210 ? SSL_KEY_UPDATE_NOT_REQUESTED
6211 : SSL_KEY_UPDATE_REQUESTED))
6212 || !TEST_true(SSL_do_handshake(clientssl)))
6213 goto end;
6214 }
6215
6216 /* Check that sending and receiving app data is ok */
6217 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6218 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6219 strlen(mess)))
6220 goto end;
a77b4dba
MC		 6221
6222 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6223 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6224 strlen(mess)))
6225 goto end;
3409a5ff
MC		 6226 }
6227
6228 testresult = 1;
6229
6230 end:
6231 SSL_free(serverssl);
6232 SSL_free(clientssl);
6233 SSL_CTX_free(sctx);
6234 SSL_CTX_free(cctx);
6235
6236 return testresult;
6237}
a77b4dba
MC		 6238
6239/*
0c48fda8 6240 * Test we can handle a KeyUpdate (update requested) message while
6241 * write data is pending in peer.
a77b4dba
MC		 6242 * Test 0: Client sends KeyUpdate while Server is writing
6243 * Test 1: Server sends KeyUpdate while Client is writing
6244 */
0c48fda8 6245static int test_key_update_peer_in_write(int tst)
a77b4dba
MC		 6246{
6247 SSL_CTX *cctx = NULL, *sctx = NULL;
6248 SSL *clientssl = NULL, *serverssl = NULL;
6249 int testresult = 0;
6250 char buf[20];
6251 static char *mess = "A test message";
6252 BIO *bretry = BIO_new(bio_s_always_retry());
6253 BIO *tmp = NULL;
6254 SSL *peerupdate = NULL, *peerwrite = NULL;
6255
6256 if (!TEST_ptr(bretry)
5e30f2fd 6257 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
a77b4dba
MC		 6258 TLS_client_method(),
6259 TLS1_3_VERSION,
6260 0,
6261 &sctx, &cctx, cert, privkey))
6262 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6263 NULL, NULL))
6264 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6265 SSL_ERROR_NONE)))
6266 goto end;
6267
6268 peerupdate = tst == 0 ? clientssl : serverssl;
6269 peerwrite = tst == 0 ? serverssl : clientssl;
6270
6271 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
0c48fda8 6272 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
a77b4dba
MC		 6273 goto end;
6274
6275 /* Swap the writing endpoint's write BIO to force a retry */
6276 tmp = SSL_get_wbio(peerwrite);
6277 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6278 tmp = NULL;
6279 goto end;
6280 }
6281 SSL_set0_wbio(peerwrite, bretry);
6282 bretry = NULL;
6283
6284 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6285 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6286 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
6287 goto end;
6288
6289 /* Reinstate the original writing endpoint's write BIO */
6290 SSL_set0_wbio(peerwrite, tmp);
6291 tmp = NULL;
6292
6293 /* Now read some data - we will read the key update */
6294 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6295 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
6296 goto end;
6297
6298 /*
6299 * Complete the write we started previously and read it from the other
6300 * endpoint
6301 */
6302 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6303 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6304 goto end;
6305
6306 /* Write more data to ensure we send the KeyUpdate message back */
6307 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6308 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6309 goto end;
6310
6311 testresult = 1;
6312
6313 end:
6314 SSL_free(serverssl);
6315 SSL_free(clientssl);
6316 SSL_CTX_free(sctx);
6317 SSL_CTX_free(cctx);
6318 BIO_free(bretry);
6319 BIO_free(tmp);
6320
6321 return testresult;
6322}
0c48fda8 6323
6324/*
6325 * Test we can handle a KeyUpdate (update requested) message while
6326 * peer read data is pending after peer accepted keyupdate(the msg header
6327 * had been read 5 bytes).
6328 * Test 0: Client sends KeyUpdate while Server is reading
6329 * Test 1: Server sends KeyUpdate while Client is reading
6330 */
6331static int test_key_update_peer_in_read(int tst)
6332{
6333 SSL_CTX *cctx = NULL, *sctx = NULL;
6334 SSL *clientssl = NULL, *serverssl = NULL;
6335 int testresult = 0;
6336 char prbuf[515], lwbuf[515] = {0};
6337 static char *mess = "A test message";
6338 BIO *lbio = NULL, *pbio = NULL;
6339 SSL *local = NULL, *peer = NULL;
6340
6341 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6342 TLS_client_method(),
6343 TLS1_3_VERSION,
6344 0,
6345 &sctx, &cctx, cert, privkey))
6346 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6347 NULL, NULL))
6348 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6349 SSL_ERROR_NONE)))
6350 goto end;
6351
6352 local = tst == 0 ? clientssl : serverssl;
6353 peer = tst == 0 ? serverssl : clientssl;
6354
6355 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6356 goto end;
6357
6358 SSL_set_bio(local, lbio, lbio);
6359 SSL_set_bio(peer, pbio, pbio);
6360
6361 /*
6362 * we first write keyupdate msg then appdata in local
6363 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6364 * lwbuf app data msg size + key updata msg size > 512(the size of
6365 * the bio pair buffer)
6366 */
6367 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6368 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6369 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6370 goto end;
6371
6372 /*
6373 * first read keyupdate msg in peer in peer
6374 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6375 */
6376 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6377 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6378 goto end;
6379
6380 /* Now write some data in peer - we will write the key update */
6381 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6382 goto end;
6383
6384 /*
6385 * write data in local previously that we will complete
6386 * read data in peer previously that we will complete
6387 */
6388 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6389 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6390 goto end;
6391
6392 /* check that sending and receiving appdata ok */
6393 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6394 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6395 goto end;
6396
6397 testresult = 1;
6398
6399 end:
6400 SSL_free(serverssl);
6401 SSL_free(clientssl);
6402 SSL_CTX_free(sctx);
6403 SSL_CTX_free(cctx);
6404
6405 return testresult;
6406}
6407
6408/*
6409 * Test we can't send a KeyUpdate (update requested) message while
6410 * local write data is pending.
6411 * Test 0: Client sends KeyUpdate while Client is writing
6412 * Test 1: Server sends KeyUpdate while Server is writing
6413 */
6414static int test_key_update_local_in_write(int tst)
6415{
6416 SSL_CTX *cctx = NULL, *sctx = NULL;
6417 SSL *clientssl = NULL, *serverssl = NULL;
6418 int testresult = 0;
6419 char buf[20];
6420 static char *mess = "A test message";
6421 BIO *bretry = BIO_new(bio_s_always_retry());
6422 BIO *tmp = NULL;
6423 SSL *local = NULL, *peer = NULL;
6424
6425 if (!TEST_ptr(bretry)
6426 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6427 TLS_client_method(),
6428 TLS1_3_VERSION,
6429 0,
6430 &sctx, &cctx, cert, privkey))
6431 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6432 NULL, NULL))
6433 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6434 SSL_ERROR_NONE)))
6435 goto end;
6436
6437 local = tst == 0 ? clientssl : serverssl;
6438 peer = tst == 0 ? serverssl : clientssl;
6439
6440 /* Swap the writing endpoint's write BIO to force a retry */
6441 tmp = SSL_get_wbio(local);
6442 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6443 tmp = NULL;
6444 goto end;
6445 }
6446 SSL_set0_wbio(local, bretry);
6447 bretry = NULL;
6448
6449 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6450 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6451 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6452 goto end;
6453
6454 /* Reinstate the original writing endpoint's write BIO */
6455 SSL_set0_wbio(local, tmp);
6456 tmp = NULL;
6457
6458 /* SSL_key_update will fail, because writing in local*/
6459 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6460 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
6461 goto end;
6462
6463 ERR_clear_error();
6464 /* write data in local previously that we will complete */
6465 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
6466 goto end;
6467
6468 /* SSL_key_update will succeed because there is no pending write data */
6469 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6470 || !TEST_int_eq(SSL_do_handshake(local), 1))
6471 goto end;
6472
6473 /*
6474 * we write some appdata in local
6475 * read data in peer - we will read the keyupdate msg
6476 */
6477 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6478 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
6479 goto end;
6480
6481 /* Write more peer more data to ensure we send the keyupdate message back */
6482 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6483 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
6484 goto end;
6485
6486 testresult = 1;
6487
6488 end:
6489 SSL_free(serverssl);
6490 SSL_free(clientssl);
6491 SSL_CTX_free(sctx);
6492 SSL_CTX_free(cctx);
6493 BIO_free(bretry);
6494 BIO_free(tmp);
6495
6496 return testresult;
6497}
6498
6499/*
6500 * Test we can handle a KeyUpdate (update requested) message while
6501 * local read data is pending(the msg header had been read 5 bytes).
6502 * Test 0: Client sends KeyUpdate while Client is reading
6503 * Test 1: Server sends KeyUpdate while Server is reading
6504 */
6505static int test_key_update_local_in_read(int tst)
6506{
6507 SSL_CTX *cctx = NULL, *sctx = NULL;
6508 SSL *clientssl = NULL, *serverssl = NULL;
6509 int testresult = 0;
6510 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
6511 static char *mess = "A test message";
6512 BIO *lbio = NULL, *pbio = NULL;
6513 SSL *local = NULL, *peer = NULL;
6514
6515 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6516 TLS_client_method(),
6517 TLS1_3_VERSION,
6518 0,
6519 &sctx, &cctx, cert, privkey))
6520 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6521 NULL, NULL))
6522 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6523 SSL_ERROR_NONE)))
6524 goto end;
6525
6526 local = tst == 0 ? clientssl : serverssl;
6527 peer = tst == 0 ? serverssl : clientssl;
6528
6529 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6530 goto end;
6531
6532 SSL_set_bio(local, lbio, lbio);
6533 SSL_set_bio(peer, pbio, pbio);
6534
6535 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6536 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
6537 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
6538 goto end;
6539
6540 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6541 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
6542 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
6543 goto end;
6544
6545 /* SSL_do_handshake will send keyupdate msg */
6546 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6547 || !TEST_int_eq(SSL_do_handshake(local), 1))
6548 goto end;
6549
6550 /*
6551 * write data in peer previously that we will complete
6552 * read data in local previously that we will complete
6553 */
6554 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
6555 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
6556 goto end;
6557
6558 /*
6559 * write data in local
6560 * read data in peer - we will read the key update
6561 */
6562 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6563 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6564 goto end;
6565
6566 /* Write more peer data to ensure we send the keyupdate message back */
6567 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6568 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
6569 goto end;
6570
6571 testresult = 1;
6572
6573 end:
6574 SSL_free(serverssl);
6575 SSL_free(clientssl);
6576 SSL_CTX_free(sctx);
6577 SSL_CTX_free(cctx);
6578
6579 return testresult;
6580}
a763ca11 6581#endif /* OSSL_NO_USABLE_TLS1_3 */
b38ede80 6582
e11b6aa4
MC		 6583static int test_ssl_clear(int idx)
6584{
6585 SSL_CTX *cctx = NULL, *sctx = NULL;
6586 SSL *clientssl = NULL, *serverssl = NULL;
6587 int testresult = 0;
6588
6589#ifdef OPENSSL_NO_TLS1_2
6590 if (idx == 1)
6591 return 1;
6592#endif
6593
6594 /* Create an initial connection */
5e30f2fd
MC		 6595 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6596 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 6597 &sctx, &cctx, cert, privkey))
e11b6aa4
MC		 6598 || (idx == 1
6599 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
6600 TLS1_2_VERSION)))
6601 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6602 &clientssl, NULL, NULL))
6603 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6604 SSL_ERROR_NONE)))
6605 goto end;
6606
6607 SSL_shutdown(clientssl);
6608 SSL_shutdown(serverssl);
6609 SSL_free(serverssl);
6610 serverssl = NULL;
6611
6612 /* Clear clientssl - we're going to reuse the object */
6613 if (!TEST_true(SSL_clear(clientssl)))
6614 goto end;
6615
6616 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6617 NULL, NULL))
6618 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6619 SSL_ERROR_NONE))
6620 || !TEST_true(SSL_session_reused(clientssl)))
6621 goto end;
6622
6623 SSL_shutdown(clientssl);
6624 SSL_shutdown(serverssl);
6625
6626 testresult = 1;
6627
6628 end:
6629 SSL_free(serverssl);
6630 SSL_free(clientssl);
6631 SSL_CTX_free(sctx);
6632 SSL_CTX_free(cctx);
6633
6634 return testresult;
6635}
6636
cf72c757
F		 6637/* Parse CH and retrieve any MFL extension value if present */
6638static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
6639{
6640 long len;
6641 unsigned char *data;
72962d02 6642 PACKET pkt, pkt2, pkt3;
cf72c757
F		 6643 unsigned int MFL_code = 0, type = 0;
6644
1287dabd 6645 if (!TEST_uint_gt(len = BIO_get_mem_data(bio, (char **) &data), 0))
cf72c757
F		 6646 goto end;
6647
72962d02
P		 6648 memset(&pkt, 0, sizeof(pkt));
6649 memset(&pkt2, 0, sizeof(pkt2));
6650 memset(&pkt3, 0, sizeof(pkt3));
6651
9ba18520 6652 if (!TEST_long_gt(len, 0)
1287dabd 6653 || !TEST_true(PACKET_buf_init(&pkt, data, len))
cf72c757
F		 6654 /* Skip the record header */
6655 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
6656 /* Skip the handshake message header */
6657 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
6658 /* Skip client version and random */
6659 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
6660 + SSL3_RANDOM_SIZE))
6661 /* Skip session id */
6662 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6663 /* Skip ciphers */
6664 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
6665 /* Skip compression */
6666 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6667 /* Extensions len */
6668 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
6669 goto end;
6670
6671 /* Loop through all extensions */
6672 while (PACKET_remaining(&pkt2)) {
6673 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
6674 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
6675 goto end;
6676
6677 if (type == TLSEXT_TYPE_max_fragment_length) {
6678 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
6679 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
6680 goto end;
6681
6682 *mfl_codemfl_code = MFL_code;
6683 return 1;
6684 }
6685 }
6686
6687 end:
6688 return 0;
6689}
6690
6691/* Maximum-Fragment-Length TLS extension mode to test */
6692static const unsigned char max_fragment_len_test[] = {
6693 TLSEXT_max_fragment_length_512,
6694 TLSEXT_max_fragment_length_1024,
6695 TLSEXT_max_fragment_length_2048,
6696 TLSEXT_max_fragment_length_4096
6697};
6698
6699static int test_max_fragment_len_ext(int idx_tst)
6700{
a763ca11 6701 SSL_CTX *ctx = NULL;
cf72c757
F		 6702 SSL *con = NULL;
6703 int testresult = 0, MFL_mode = 0;
6704 BIO *rbio, *wbio;
6705
a763ca11
MC		 6706 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
6707 TLS1_VERSION, 0, NULL, &ctx, NULL,
6708 NULL)))
6709 return 0;
cf72c757
F		 6710
6711 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6712 ctx, max_fragment_len_test[idx_tst])))
6713 goto end;
6714
6715 con = SSL_new(ctx);
6716 if (!TEST_ptr(con))
6717 goto end;
6718
6719 rbio = BIO_new(BIO_s_mem());
6720 wbio = BIO_new(BIO_s_mem());
6721 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
6722 BIO_free(rbio);
6723 BIO_free(wbio);
6724 goto end;
6725 }
6726
6727 SSL_set_bio(con, rbio, wbio);
cf72c757
F		 6728
6729 if (!TEST_int_le(SSL_connect(con), 0)) {
6730 /* This shouldn't succeed because we don't have a server! */
6731 goto end;
6732 }
6733
6734 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
6735 /* no MFL in client hello */
6736 goto end;
6737 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
6738 goto end;
6739
6740 testresult = 1;
6741
6742end:
6743 SSL_free(con);
6744 SSL_CTX_free(ctx);
6745
6746 return testresult;
6747}
6748
a763ca11 6749#ifndef OSSL_NO_USABLE_TLS1_3
9d75dce3
TS		 6750static int test_pha_key_update(void)
6751{
6752 SSL_CTX *cctx = NULL, *sctx = NULL;
6753 SSL *clientssl = NULL, *serverssl = NULL;
6754 int testresult = 0;
6755
5e30f2fd
MC		 6756 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6757 TLS_client_method(), TLS1_VERSION, 0,
9d75dce3
TS		 6758 &sctx, &cctx, cert, privkey)))
6759 return 0;
6760
6761 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
6762 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
6763 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
6764 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
6765 goto end;
6766
e97be718 6767 SSL_CTX_set_post_handshake_auth(cctx, 1);
9d75dce3
TS		 6768
6769 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6770 NULL, NULL)))
6771 goto end;
6772
9d75dce3
TS		 6773 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6774 SSL_ERROR_NONE)))
6775 goto end;
6776
6777 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6778 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6779 goto end;
6780
6781 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
6782 goto end;
6783
6784 /* Start handshake on the server */
6785 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
6786 goto end;
6787
6788 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
6789 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6790 SSL_ERROR_NONE)))
6791 goto end;
6792
6793 SSL_shutdown(clientssl);
6794 SSL_shutdown(serverssl);
6795
6796 testresult = 1;
6797
6798 end:
6799 SSL_free(serverssl);
6800 SSL_free(clientssl);
6801 SSL_CTX_free(sctx);
6802 SSL_CTX_free(cctx);
6803 return testresult;
6804}
6805#endif
6806
76fd7a1d
MC		 6807#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6808
6809static SRP_VBASE *vbase = NULL;
6810
6811static int ssl_srp_cb(SSL *s, int *ad, void *arg)
6812{
6813 int ret = SSL3_AL_FATAL;
6814 char *username;
6815 SRP_user_pwd *user = NULL;
6816
6817 username = SSL_get_srp_username(s);
6818 if (username == NULL) {
6819 *ad = SSL_AD_INTERNAL_ERROR;
6820 goto err;
6821 }
6822
6823 user = SRP_VBASE_get1_by_user(vbase, username);
6824 if (user == NULL) {
6825 *ad = SSL_AD_INTERNAL_ERROR;
6826 goto err;
6827 }
6828
6829 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
6830 user->info) <= 0) {
6831 *ad = SSL_AD_INTERNAL_ERROR;
6832 goto err;
6833 }
6834
6835 ret = 0;
6836
6837 err:
6838 SRP_user_pwd_free(user);
6839 return ret;
6840}
6841
6842static int create_new_vfile(char *userid, char *password, const char *filename)
6843{
6844 char *gNid = NULL;
6845 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
6846 TXT_DB *db = NULL;
6847 int ret = 0;
6848 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
6849 size_t i;
6850
6851 if (!TEST_ptr(dummy) || !TEST_ptr(row))
6852 goto end;
6853
20c00d0a 6854 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
5e30f2fd 6855 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
76fd7a1d
MC		 6856 if (!TEST_ptr(gNid))
6857 goto end;
6858
6859 /*
6860 * The only way to create an empty TXT_DB is to provide a BIO with no data
6861 * in it!
6862 */
6863 db = TXT_DB_read(dummy, DB_NUMBER);
6864 if (!TEST_ptr(db))
6865 goto end;
6866
6867 out = BIO_new_file(filename, "w");
6868 if (!TEST_ptr(out))
6869 goto end;
6870
6871 row[DB_srpid] = OPENSSL_strdup(userid);
6872 row[DB_srptype] = OPENSSL_strdup("V");
6873 row[DB_srpgN] = OPENSSL_strdup(gNid);
6874
6875 if (!TEST_ptr(row[DB_srpid])
6876 || !TEST_ptr(row[DB_srptype])
6877 || !TEST_ptr(row[DB_srpgN])
6878 || !TEST_true(TXT_DB_insert(db, row)))
6879 goto end;
6880
6881 row = NULL;
6882
aba9943f 6883 if (TXT_DB_write(out, db) <= 0)
76fd7a1d
MC		 6884 goto end;
6885
6886 ret = 1;
6887 end:
6888 if (row != NULL) {
6889 for (i = 0; i < DB_NUMBER; i++)
6890 OPENSSL_free(row[i]);
6891 }
6892 OPENSSL_free(row);
6893 BIO_free(dummy);
6894 BIO_free(out);
6895 TXT_DB_free(db);
6896
6897 return ret;
6898}
6899
6900static int create_new_vbase(char *userid, char *password)
6901{
6902 BIGNUM *verifier = NULL, *salt = NULL;
6903 const SRP_gN *lgN = NULL;
6904 SRP_user_pwd *user_pwd = NULL;
6905 int ret = 0;
6906
6907 lgN = SRP_get_default_gN(NULL);
6908 if (!TEST_ptr(lgN))
6909 goto end;
6910
20c00d0a 6911 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
5e30f2fd 6912 lgN->N, lgN->g, libctx, NULL)))
76fd7a1d
MC		 6913 goto end;
6914
6915 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
6916 if (!TEST_ptr(user_pwd))
6917 goto end;
6918
6919 user_pwd->N = lgN->N;
6920 user_pwd->g = lgN->g;
6921 user_pwd->id = OPENSSL_strdup(userid);
6922 if (!TEST_ptr(user_pwd->id))
6923 goto end;
6924
6925 user_pwd->v = verifier;
6926 user_pwd->s = salt;
6927 verifier = salt = NULL;
6928
6929 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
6930 goto end;
6931 user_pwd = NULL;
6932
6933 ret = 1;
6934end:
6935 SRP_user_pwd_free(user_pwd);
6936 BN_free(salt);
6937 BN_free(verifier);
6938
6939 return ret;
6940}
6941
6942/*
6943 * SRP tests
6944 *
6945 * Test 0: Simple successful SRP connection, new vbase
6946 * Test 1: Connection failure due to bad password, new vbase
6947 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6948 * Test 3: Connection failure due to bad password, vbase loaded from existing
6949 * file
6950 * Test 4: Simple successful SRP connection, vbase loaded from new file
6951 * Test 5: Connection failure due to bad password, vbase loaded from new file
6952 */
6953static int test_srp(int tst)
6954{
6955 char *userid = "test", *password = "password", *tstsrpfile;
6956 SSL_CTX *cctx = NULL, *sctx = NULL;
6957 SSL *clientssl = NULL, *serverssl = NULL;
6958 int ret, testresult = 0;
6959
6960 vbase = SRP_VBASE_new(NULL);
6961 if (!TEST_ptr(vbase))
6962 goto end;
6963
6964 if (tst == 0 || tst == 1) {
6965 if (!TEST_true(create_new_vbase(userid, password)))
6966 goto end;
6967 } else {
6968 if (tst == 4 || tst == 5) {
6969 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
6970 goto end;
6971 tstsrpfile = tmpfilename;
6972 } else {
6973 tstsrpfile = srpvfile;
6974 }
6975 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
6976 goto end;
6977 }
6978
5e30f2fd
MC		 6979 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6980 TLS_client_method(), TLS1_VERSION, 0,
76fd7a1d
MC		 6981 &sctx, &cctx, cert, privkey)))
6982 goto end;
6983
6984 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
6985 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
6986 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
6987 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
6988 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
6989 goto end;
6990
6991 if (tst % 2 == 1) {
6992 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
6993 goto end;
6994 } else {
6995 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
6996 goto end;
6997 }
6998
6999 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7000 NULL, NULL)))
7001 goto end;
7002
7003 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7004 if (ret) {
7005 if (!TEST_true(tst % 2 == 0))
7006 goto end;
7007 } else {
7008 if (!TEST_true(tst % 2 == 1))
7009 goto end;
7010 }
7011
7012 testresult = 1;
7013
7014 end:
7015 SRP_VBASE_free(vbase);
7016 vbase = NULL;
7017 SSL_free(serverssl);
7018 SSL_free(clientssl);
7019 SSL_CTX_free(sctx);
7020 SSL_CTX_free(cctx);
7021
7022 return testresult;
7023}
7024#endif
7025
5718fe45
MC		 7026static int info_cb_failed = 0;
7027static int info_cb_offset = 0;
7028static int info_cb_this_state = -1;
7029
7030static struct info_cb_states_st {
7031 int where;
7032 const char *statestr;
7033} info_cb_states[][60] = {
7034 {
7035 /* TLSv1.2 server followed by resumption */
e0f69c35
TS		 7036 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7037 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5718fe45
MC		 7038 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
7039 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
7040 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
7041 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7042 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7043 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
e0f69c35 7044 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
5718fe45
MC		 7045 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7046 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
7047 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7048 {SSL_CB_EXIT, NULL}, {0, NULL},
7049 }, {
7050 /* TLSv1.2 client followed by resumption */
e0f69c35 7051 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7052 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7053 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
7054 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
7055 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
7056 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7057 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
e0f69c35 7058 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7059 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7060 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7061 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7062 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
7063 }, {
7064 /* TLSv1.3 server followed by resumption */
e0f69c35
TS		 7065 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7066 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5718fe45 7067 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
e0f69c35 7068 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5718fe45 7069 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b
MC		 7070 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7071 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
e0f69c35
TS		 7072 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7073 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4af5836b
MC		 7074 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7075 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7076 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7077 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 7078 }, {
7079 /* TLSv1.3 client followed by resumption */
e0f69c35 7080 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7081 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7082 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7083 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7084 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
e0f69c35
TS		 7085 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7086 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7087 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5718fe45 7088 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
e0f69c35 7089 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5718fe45
MC		 7090 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7091 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7092 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
e0f69c35 7093 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
4af5836b 7094 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 7095 }, {
7096 /* TLSv1.3 server, early_data */
e0f69c35
TS		 7097 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7098 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5718fe45
MC		 7099 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7100 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7101 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7102 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b 7103 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5718fe45
MC		 7104 {SSL_CB_EXIT, NULL}, {0, NULL},
7105 }, {
7106 /* TLSv1.3 client, early_data */
e0f69c35 7107 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7108 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7109 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7110 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7111 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7112 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7113 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
e0f69c35 7114 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
4af5836b 7115 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 7116 }, {
7117 {0, NULL},
7118 }
7119};
7120
7121static void sslapi_info_callback(const SSL *s, int where, int ret)
7122{
7123 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7124
7125 /* We do not ever expect a connection to fail in this test */
7126 if (!TEST_false(ret == 0)) {
7127 info_cb_failed = 1;
7128 return;
7129 }
7130
7131 /*
7132 * Do some sanity checks. We never expect these things to happen in this
7133 * test
7134 */
7135 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7136 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7137 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7138 info_cb_failed = 1;
7139 return;
7140 }
7141
7142 /* Now check we're in the right state */
7143 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7144 info_cb_failed = 1;
7145 return;
7146 }
7147 if ((where & SSL_CB_LOOP) != 0
7148 && !TEST_int_eq(strcmp(SSL_state_string(s),
7149 state[info_cb_this_state].statestr), 0)) {
7150 info_cb_failed = 1;
7151 return;
7152 }
033c181b 7153
4af5836b
MC		 7154 /*
7155 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7156 */
7157 if ((where & SSL_CB_HANDSHAKE_DONE)
7158 && SSL_in_init((SSL *)s) != 0) {
033c181b
MC		 7159 info_cb_failed = 1;
7160 return;
7161 }
5718fe45
MC		 7162}
7163
7164/*
7165 * Test the info callback gets called when we expect it to.
7166 *
7167 * Test 0: TLSv1.2, server
7168 * Test 1: TLSv1.2, client
7169 * Test 2: TLSv1.3, server
7170 * Test 3: TLSv1.3, client
7171 * Test 4: TLSv1.3, server, early_data
7172 * Test 5: TLSv1.3, client, early_data
7173 */
7174static int test_info_callback(int tst)
7175{
7176 SSL_CTX *cctx = NULL, *sctx = NULL;
7177 SSL *clientssl = NULL, *serverssl = NULL;
7178 SSL_SESSION *clntsess = NULL;
7179 int testresult = 0;
7180 int tlsvers;
7181
7182 if (tst < 2) {
1aac20f5
MC		 7183/* We need either ECDHE or DHE for the TLSv1.2 test to work */
7184#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7185 || !defined(OPENSSL_NO_DH))
5718fe45
MC		 7186 tlsvers = TLS1_2_VERSION;
7187#else
7188 return 1;
7189#endif
7190 } else {
a763ca11 7191#ifndef OSSL_NO_USABLE_TLS1_3
5718fe45
MC		 7192 tlsvers = TLS1_3_VERSION;
7193#else
7194 return 1;
7195#endif
7196 }
7197
7198 /* Reset globals */
7199 info_cb_failed = 0;
7200 info_cb_this_state = -1;
7201 info_cb_offset = tst;
7202
a763ca11 7203#ifndef OSSL_NO_USABLE_TLS1_3
5718fe45
MC		 7204 if (tst >= 4) {
7205 SSL_SESSION *sess = NULL;
7206 size_t written, readbytes;
7207 unsigned char buf[80];
7208
7209 /* early_data tests */
7210 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
7211 &serverssl, &sess, 0)))
7212 goto end;
7213
7214 /* We don't actually need this reference */
7215 SSL_SESSION_free(sess);
7216
7217 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7218 sslapi_info_callback);
7219
7220 /* Write and read some early data and then complete the connection */
7221 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7222 &written))
7223 || !TEST_size_t_eq(written, strlen(MSG1))
7224 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
7225 sizeof(buf), &readbytes),
7226 SSL_READ_EARLY_DATA_SUCCESS)
7227 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7228 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7229 SSL_EARLY_DATA_ACCEPTED)
7230 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7231 SSL_ERROR_NONE))
7232 || !TEST_false(info_cb_failed))
7233 goto end;
7234
7235 testresult = 1;
7236 goto end;
7237 }
6e07834c 7238#endif
5718fe45 7239
5e30f2fd 7240 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5718fe45
MC		 7241 TLS_client_method(),
7242 tlsvers, tlsvers, &sctx, &cctx, cert,
7243 privkey)))
7244 goto end;
7245
33c39a06
MC		 7246 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7247 goto end;
7248
5718fe45
MC		 7249 /*
7250 * For even numbered tests we check the server callbacks. For odd numbers we
7251 * check the client.
7252 */
7253 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7254 sslapi_info_callback);
7255
7256 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7257 &clientssl, NULL, NULL))
7258 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7259 SSL_ERROR_NONE))
7260 || !TEST_false(info_cb_failed))
7261 goto end;
7262
7263
7264
7265 clntsess = SSL_get1_session(clientssl);
7266 SSL_shutdown(clientssl);
7267 SSL_shutdown(serverssl);
7268 SSL_free(serverssl);
7269 SSL_free(clientssl);
7270 serverssl = clientssl = NULL;
7271
7272 /* Now do a resumption */
7273 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7274 NULL))
7275 || !TEST_true(SSL_set_session(clientssl, clntsess))
7276 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7277 SSL_ERROR_NONE))
7278 || !TEST_true(SSL_session_reused(clientssl))
7279 || !TEST_false(info_cb_failed))
7280 goto end;
7281
7282 testresult = 1;
7283
7284 end:
7285 SSL_free(serverssl);
7286 SSL_free(clientssl);
7287 SSL_SESSION_free(clntsess);
7288 SSL_CTX_free(sctx);
7289 SSL_CTX_free(cctx);
7290 return testresult;
7291}
7292
4a432af8
MC		 7293static int test_ssl_pending(int tst)
7294{
7295 SSL_CTX *cctx = NULL, *sctx = NULL;
7296 SSL *clientssl = NULL, *serverssl = NULL;
7297 int testresult = 0;
7298 char msg[] = "A test message";
7299 char buf[5];
7300 size_t written, readbytes;
7301
7302 if (tst == 0) {
5e30f2fd 7303 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4a432af8 7304 TLS_client_method(),
5c587fb6 7305 TLS1_VERSION, 0,
4a432af8
MC		 7306 &sctx, &cctx, cert, privkey)))
7307 goto end;
7308 } else {
7309#ifndef OPENSSL_NO_DTLS
5e30f2fd 7310 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
4a432af8 7311 DTLS_client_method(),
5c587fb6 7312 DTLS1_VERSION, 0,
4a432af8
MC		 7313 &sctx, &cctx, cert, privkey)))
7314 goto end;
8ce390e1
MC		 7315
7316# ifdef OPENSSL_NO_DTLS1_2
7317 /* Not supported in the FIPS provider */
7318 if (is_fips) {
7319 testresult = 1;
7320 goto end;
7321 };
7322 /*
7323 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7324 * level 0
7325 */
7326 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7327 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7328 "DEFAULT:@SECLEVEL=0")))
7329 goto end;
7330# endif
4a432af8
MC		 7331#else
7332 return 1;
7333#endif
7334 }
7335
7336 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7337 NULL, NULL))
7338 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7339 SSL_ERROR_NONE)))
7340 goto end;
7341
e8251092
MC		 7342 if (!TEST_int_eq(SSL_pending(clientssl), 0)
7343 || !TEST_false(SSL_has_pending(clientssl))
7344 || !TEST_int_eq(SSL_pending(serverssl), 0)
7345 || !TEST_false(SSL_has_pending(serverssl))
7346 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4a432af8
MC		 7347 || !TEST_size_t_eq(written, sizeof(msg))
7348 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
7349 || !TEST_size_t_eq(readbytes, sizeof(buf))
e8251092
MC		 7350 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
7351 || !TEST_true(SSL_has_pending(clientssl)))
4a432af8
MC		 7352 goto end;
7353
7354 testresult = 1;
7355
7356 end:
7357 SSL_free(serverssl);
7358 SSL_free(clientssl);
7359 SSL_CTX_free(sctx);
7360 SSL_CTX_free(cctx);
7361
7362 return testresult;
7363}
7364
e401389a
MC		 7365static struct {
7366 unsigned int maxprot;
7367 const char *clntciphers;
7368 const char *clnttls13ciphers;
7369 const char *srvrciphers;
7370 const char *srvrtls13ciphers;
7371 const char *shared;
a96e6c34 7372 const char *fipsshared;
e401389a 7373} shared_ciphers_data[] = {
60155b9a
MC		 7374/*
7375 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7376 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7377 */
a763ca11 7378#if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
e401389a
MC		 7379 {
7380 TLS1_2_VERSION,
7381 "AES128-SHA:AES256-SHA",
7382 NULL,
7383 "AES256-SHA:DHE-RSA-AES128-SHA",
7384 NULL,
a96e6c34 7385 "AES256-SHA",
e401389a
MC		 7386 "AES256-SHA"
7387 },
a96e6c34
MC		 7388# if !defined(OPENSSL_NO_CHACHA) \
7389 && !defined(OPENSSL_NO_POLY1305) \
7390 && !defined(OPENSSL_NO_EC)
7391 {
7392 TLS1_2_VERSION,
7393 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7394 NULL,
7395 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7396 NULL,
7397 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7398 "AES128-SHA"
7399 },
7400# endif
e401389a
MC		 7401 {
7402 TLS1_2_VERSION,
7403 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7404 NULL,
7405 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7406 NULL,
a96e6c34 7407 "AES128-SHA:AES256-SHA",
e401389a
MC		 7408 "AES128-SHA:AES256-SHA"
7409 },
7410 {
7411 TLS1_2_VERSION,
7412 "AES128-SHA:AES256-SHA",
7413 NULL,
7414 "AES128-SHA:DHE-RSA-AES128-SHA",
7415 NULL,
a96e6c34 7416 "AES128-SHA",
e401389a
MC		 7417 "AES128-SHA"
7418 },
60155b9a
MC		 7419#endif
7420/*
7421 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7422 * enabled.
7423 */
a763ca11 7424#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
60155b9a 7425 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e401389a
MC		 7426 {
7427 TLS1_3_VERSION,
7428 "AES128-SHA:AES256-SHA",
7429 NULL,
7430 "AES256-SHA:AES128-SHA256",
7431 NULL,
7432 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
a96e6c34
MC		 7433 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7434 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
e401389a 7435 },
60155b9a 7436#endif
a763ca11 7437#ifndef OSSL_NO_USABLE_TLS1_3
e401389a
MC		 7438 {
7439 TLS1_3_VERSION,
7440 "AES128-SHA",
7441 "TLS_AES_256_GCM_SHA384",
7442 "AES256-SHA",
7443 "TLS_AES_256_GCM_SHA384",
a96e6c34 7444 "TLS_AES_256_GCM_SHA384",
e401389a
MC		 7445 "TLS_AES_256_GCM_SHA384"
7446 },
7447#endif
7448};
7449
a96e6c34 7450static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
e401389a
MC		 7451{
7452 SSL_CTX *cctx = NULL, *sctx = NULL;
7453 SSL *clientssl = NULL, *serverssl = NULL;
7454 int testresult = 0;
7455 char buf[1024];
b4250010 7456 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
a96e6c34
MC		 7457
7458 if (!TEST_ptr(tmplibctx))
7459 goto end;
7460
7461 /*
7462 * Regardless of whether we're testing with the FIPS provider loaded into
7463 * libctx, we want one peer to always use the full set of ciphersuites
7464 * available. Therefore we use a separate libctx with the default provider
7465 * loaded into it. We run the same tests twice - once with the client side
7466 * having the full set of ciphersuites and once with the server side.
7467 */
7468 if (clnt) {
d8652be0 7469 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
a96e6c34
MC		 7470 if (!TEST_ptr(cctx))
7471 goto end;
7472 } else {
d8652be0 7473 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
a96e6c34
MC		 7474 if (!TEST_ptr(sctx))
7475 goto end;
7476 }
e401389a 7477
5e30f2fd 7478 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
e401389a
MC		 7479 TLS_client_method(),
7480 TLS1_VERSION,
7481 shared_ciphers_data[tst].maxprot,
7482 &sctx, &cctx, cert, privkey)))
7483 goto end;
7484
7485 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7486 shared_ciphers_data[tst].clntciphers))
7487 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
7488 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
7489 shared_ciphers_data[tst].clnttls13ciphers)))
7490 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
7491 shared_ciphers_data[tst].srvrciphers))
7492 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
7493 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
7494 shared_ciphers_data[tst].srvrtls13ciphers))))
7495 goto end;
7496
7497
7498 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7499 NULL, NULL))
7500 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7501 SSL_ERROR_NONE)))
7502 goto end;
7503
7504 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
a96e6c34
MC		 7505 || !TEST_int_eq(strcmp(buf,
7506 is_fips
7507 ? shared_ciphers_data[tst].fipsshared
7508 : shared_ciphers_data[tst].shared),
7509 0)) {
e401389a
MC		 7510 TEST_info("Shared ciphers are: %s\n", buf);
7511 goto end;
7512 }
7513
7514 testresult = 1;
7515
7516 end:
7517 SSL_free(serverssl);
7518 SSL_free(clientssl);
7519 SSL_CTX_free(sctx);
7520 SSL_CTX_free(cctx);
b4250010 7521 OSSL_LIB_CTX_free(tmplibctx);
e401389a
MC		 7522
7523 return testresult;
7524}
7525
a96e6c34
MC		 7526static int test_ssl_get_shared_ciphers(int tst)
7527{
7528 return int_test_ssl_get_shared_ciphers(tst, 0)
7529 && int_test_ssl_get_shared_ciphers(tst, 1);
7530}
7531
7532
d0191fe0 7533static const char *appdata = "Hello World";
61fb5923
MC		 7534static int gen_tick_called, dec_tick_called, tick_key_cb_called;
7535static int tick_key_renew = 0;
7536static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
d0191fe0
MC		 7537
7538static int gen_tick_cb(SSL *s, void *arg)
7539{
7540 gen_tick_called = 1;
7541
7542 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
7543 strlen(appdata));
7544}
7545
7546static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
7547 const unsigned char *keyname,
7548 size_t keyname_length,
61fb5923
MC		 7549 SSL_TICKET_STATUS status,
7550 void *arg)
d0191fe0
MC		 7551{
7552 void *tickdata;
7553 size_t tickdlen;
7554
7555 dec_tick_called = 1;
7556
61fb5923
MC		 7557 if (status == SSL_TICKET_EMPTY)
7558 return SSL_TICKET_RETURN_IGNORE_RENEW;
d0191fe0 7559
61fb5923
MC		 7560 if (!TEST_true(status == SSL_TICKET_SUCCESS
7561 || status == SSL_TICKET_SUCCESS_RENEW))
7562 return SSL_TICKET_RETURN_ABORT;
7563
7564 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
7565 &tickdlen))
d0191fe0
MC		 7566 || !TEST_size_t_eq(tickdlen, strlen(appdata))
7567 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
61fb5923 7568 return SSL_TICKET_RETURN_ABORT;
d0191fe0 7569
61fb5923
MC		 7570 if (tick_key_cb_called) {
7571 /* Don't change what the ticket key callback wanted to do */
7572 switch (status) {
7573 case SSL_TICKET_NO_DECRYPT:
7574 return SSL_TICKET_RETURN_IGNORE_RENEW;
7575
7576 case SSL_TICKET_SUCCESS:
7577 return SSL_TICKET_RETURN_USE;
d0191fe0 7578
61fb5923
MC		 7579 case SSL_TICKET_SUCCESS_RENEW:
7580 return SSL_TICKET_RETURN_USE_RENEW;
7581
7582 default:
7583 return SSL_TICKET_RETURN_ABORT;
7584 }
7585 }
7586 return tick_dec_ret;
7587
7588}
d0191fe0 7589
a76ce286 7590#ifndef OPENSSL_NO_DEPRECATED_3_0
d0191fe0
MC		 7591static int tick_key_cb(SSL *s, unsigned char key_name[16],
7592 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
7593 HMAC_CTX *hctx, int enc)
7594{
7595 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7596 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
5e30f2fd
MC		 7597 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7598 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
7599 int ret;
d0191fe0 7600
61fb5923 7601 tick_key_cb_called = 1;
d0191fe0
MC		 7602 memset(iv, 0, AES_BLOCK_SIZE);
7603 memset(key_name, 0, 16);
5e30f2fd
MC		 7604 if (aes128cbc == NULL
7605 || sha256 == NULL
7606 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7607 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
7608 NULL))
7609 ret = -1;
7610 else
7611 ret = tick_key_renew ? 2 : 1;
d0191fe0 7612
5e30f2fd
MC		 7613 EVP_CIPHER_free(aes128cbc);
7614 EVP_MD_free(sha256);
7615
7616 return ret;
d0191fe0 7617}
a76ce286
P		 7618#endif
7619
7620static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
7621 unsigned char iv[EVP_MAX_IV_LENGTH],
7622 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
7623{
7624 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7625 unsigned char tick_hmac_key[16] = "0123456789abcdef";
77e4ae58 7626 OSSL_PARAM params[2];
5e30f2fd
MC		 7627 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7628 int ret;
a76ce286
P		 7629
7630 tick_key_cb_called = 1;
7631 memset(iv, 0, AES_BLOCK_SIZE);
7632 memset(key_name, 0, 16);
7633 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
7634 "SHA256", 0);
77e4ae58 7635 params[1] = OSSL_PARAM_construct_end();
5e30f2fd
MC		 7636 if (aes128cbc == NULL
7637 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
77e4ae58
P		 7638 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
7639 params))
5e30f2fd
MC		 7640 ret = -1;
7641 else
7642 ret = tick_key_renew ? 2 : 1;
7643
7644 EVP_CIPHER_free(aes128cbc);
a76ce286 7645
5e30f2fd 7646 return ret;
a76ce286 7647}
d0191fe0
MC		 7648
7649/*
7650 * Test the various ticket callbacks
61fb5923
MC		 7651 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
7652 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
7653 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
7654 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
7655 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
7656 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
7657 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
7658 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
a76ce286
P		 7659 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
7660 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
7661 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
7662 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
7663 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
7664 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
7665 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
7666 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
d0191fe0
MC		 7667 */
7668static int test_ticket_callbacks(int tst)
7669{
7670 SSL_CTX *cctx = NULL, *sctx = NULL;
7671 SSL *clientssl = NULL, *serverssl = NULL;
7672 SSL_SESSION *clntsess = NULL;
7673 int testresult = 0;
7674
7675#ifdef OPENSSL_NO_TLS1_2
ba8b48e9 7676 if (tst % 2 == 0)
d0191fe0
MC		 7677 return 1;
7678#endif
a763ca11 7679#ifdef OSSL_NO_USABLE_TLS1_3
ba8b48e9 7680 if (tst % 2 == 1)
d0191fe0
MC		 7681 return 1;
7682#endif
a76ce286
P		 7683#ifdef OPENSSL_NO_DEPRECATED_3_0
7684 if (tst >= 8 && tst <= 11)
7685 return 1;
7686#endif
d0191fe0 7687
61fb5923 7688 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
d0191fe0
MC		 7689
7690 /* Which tests the ticket key callback should request renewal for */
a76ce286 7691 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
61fb5923 7692 tick_key_renew = 1;
d0191fe0 7693 else
61fb5923
MC		 7694 tick_key_renew = 0;
7695
7696 /* Which tests the decrypt ticket callback should request renewal for */
7697 switch (tst) {
7698 case 0:
7699 case 1:
7700 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
7701 break;
7702
7703 case 2:
7704 case 3:
7705 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
7706 break;
7707
7708 case 4:
7709 case 5:
7710 tick_dec_ret = SSL_TICKET_RETURN_USE;
7711 break;
7712
7713 case 6:
7714 case 7:
7715 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
7716 break;
7717
7718 default:
7719 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7720 }
d0191fe0 7721
5e30f2fd 7722 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
d0191fe0
MC		 7723 TLS_client_method(),
7724 TLS1_VERSION,
61fb5923
MC		 7725 ((tst % 2) == 0) ? TLS1_2_VERSION
7726 : TLS1_3_VERSION,
d0191fe0
MC		 7727 &sctx, &cctx, cert, privkey)))
7728 goto end;
7729
61fb5923
MC		 7730 /*
7731 * We only want sessions to resume from tickets - not the session cache. So
7732 * switch the cache off.
7733 */
7734 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
7735 goto end;
7736
d0191fe0
MC		 7737 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
7738 NULL)))
7739 goto end;
7740
a76ce286
P		 7741 if (tst >= 12) {
7742 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
7743 goto end;
7744#ifndef OPENSSL_NO_DEPRECATED_3_0
7745 } else if (tst >= 8) {
7746 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
7747 goto end;
7748#endif
7749 }
d0191fe0
MC		 7750
7751 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7752 NULL, NULL))
7753 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7754 SSL_ERROR_NONE)))
7755 goto end;
7756
61fb5923
MC		 7757 /*
7758 * The decrypt ticket key callback in TLSv1.2 should be called even though
7759 * we have no ticket yet, because it gets called with a status of
7760 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
7761 * actually send any ticket data). This does not happen in TLSv1.3 because
7762 * it is not valid to send empty ticket data in TLSv1.3.
7763 */
d0191fe0 7764 if (!TEST_int_eq(gen_tick_called, 1)
61fb5923 7765 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
d0191fe0
MC		 7766 goto end;
7767
7768 gen_tick_called = dec_tick_called = 0;
7769
7770 clntsess = SSL_get1_session(clientssl);
7771 SSL_shutdown(clientssl);
7772 SSL_shutdown(serverssl);
7773 SSL_free(serverssl);
7774 SSL_free(clientssl);
7775 serverssl = clientssl = NULL;
7776
7777 /* Now do a resumption */
7778 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7779 NULL))
7780 || !TEST_true(SSL_set_session(clientssl, clntsess))
7781 || !TEST_true(create_ssl_connection(serverssl, clientssl,
61fb5923 7782 SSL_ERROR_NONE)))
d0191fe0
MC		 7783 goto end;
7784
61fb5923
MC		 7785 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
7786 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
7787 if (!TEST_false(SSL_session_reused(clientssl)))
7788 goto end;
7789 } else {
7790 if (!TEST_true(SSL_session_reused(clientssl)))
7791 goto end;
7792 }
7793
d0191fe0 7794 if (!TEST_int_eq(gen_tick_called,
61fb5923
MC		 7795 (tick_key_renew
7796 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
7797 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
7798 ? 1 : 0)
d0191fe0
MC		 7799 || !TEST_int_eq(dec_tick_called, 1))
7800 goto end;
7801
7802 testresult = 1;
7803
7804 end:
7805 SSL_SESSION_free(clntsess);
7806 SSL_free(serverssl);
7807 SSL_free(clientssl);
7808 SSL_CTX_free(sctx);
7809 SSL_CTX_free(cctx);
7810
7811 return testresult;
7812}
7813
e638112e
DB		 7814/*
7815 * Test incorrect shutdown.
7816 * Test 0: client does not shutdown properly,
7817 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
7818 * server should get SSL_ERROR_SSL
7819 * Test 1: client does not shutdown properly,
7820 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
7821 * server should get SSL_ERROR_ZERO_RETURN
7822 */
7823static int test_incorrect_shutdown(int tst)
7824{
7825 SSL_CTX *cctx = NULL, *sctx = NULL;
7826 SSL *clientssl = NULL, *serverssl = NULL;
7827 int testresult = 0;
7828 char buf[80];
7829 BIO *c2s;
7830
7831 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7832 TLS_client_method(), 0, 0,
7833 &sctx, &cctx, cert, privkey)))
7834 goto end;
7835
7836 if (tst == 1)
7837 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
7838
7839 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7840 NULL, NULL)))
7841 goto end;
7842
7843 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7844 SSL_ERROR_NONE)))
7845 goto end;
7846
7847 c2s = SSL_get_rbio(serverssl);
7848 BIO_set_mem_eof_return(c2s, 0);
7849
7850 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
7851 goto end;
7852
7853 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
7854 goto end;
7855 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
7856 goto end;
7857
7858 testresult = 1;
7859
7860 end:
7861 SSL_free(serverssl);
7862 SSL_free(clientssl);
7863 SSL_CTX_free(sctx);
7864 SSL_CTX_free(cctx);
7865
7866 return testresult;
7867}
7868
c748834f
MC		 7869/*
7870 * Test bi-directional shutdown.
7871 * Test 0: TLSv1.2
7872 * Test 1: TLSv1.2, server continues to read/write after client shutdown
7873 * Test 2: TLSv1.3, no pending NewSessionTicket messages
7874 * Test 3: TLSv1.3, pending NewSessionTicket messages
80eff008
KR		 7875 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
7876 * sends key update, client reads it
57d7b988
MC		 7877 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
7878 * sends CertificateRequest, client reads and ignores it
7879 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
c748834f
MC		 7880 * doesn't read it
7881 */
7882static int test_shutdown(int tst)
7883{
7884 SSL_CTX *cctx = NULL, *sctx = NULL;
7885 SSL *clientssl = NULL, *serverssl = NULL;
7886 int testresult = 0;
7887 char msg[] = "A test message";
7888 char buf[80];
7889 size_t written, readbytes;
80eff008 7890 SSL_SESSION *sess;
c748834f
MC		 7891
7892#ifdef OPENSSL_NO_TLS1_2
a97d19f7 7893 if (tst <= 1)
c748834f
MC		 7894 return 1;
7895#endif
a763ca11 7896#ifdef OSSL_NO_USABLE_TLS1_3
a97d19f7 7897 if (tst >= 2)
c748834f
MC		 7898 return 1;
7899#endif
7900
5e30f2fd 7901 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
c748834f
MC		 7902 TLS_client_method(),
7903 TLS1_VERSION,
7904 (tst <= 1) ? TLS1_2_VERSION
7905 : TLS1_3_VERSION,
57d7b988
MC		 7906 &sctx, &cctx, cert, privkey)))
7907 goto end;
7908
7909 if (tst == 5)
7910 SSL_CTX_set_post_handshake_auth(cctx, 1);
7911
7912 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
c748834f
MC		 7913 NULL, NULL)))
7914 goto end;
7915
7916 if (tst == 3) {
7917 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
26dad42e 7918 SSL_ERROR_NONE, 1, 0))
80eff008
KR		 7919 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7920 || !TEST_false(SSL_SESSION_is_resumable(sess)))
c748834f
MC		 7921 goto end;
7922 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
80eff008
KR		 7923 SSL_ERROR_NONE))
7924 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7925 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
c748834f
MC		 7926 goto end;
7927 }
7928
7929 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
7930 goto end;
7931
7932 if (tst >= 4) {
7933 /*
7934 * Reading on the server after the client has sent close_notify should
7935 * fail and provide SSL_ERROR_ZERO_RETURN
7936 */
7937 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
7938 || !TEST_int_eq(SSL_get_error(serverssl, 0),
7939 SSL_ERROR_ZERO_RETURN)
7940 || !TEST_int_eq(SSL_get_shutdown(serverssl),
7941 SSL_RECEIVED_SHUTDOWN)
7942 /*
7943 * Even though we're shutdown on receive we should still be
7944 * able to write.
7945 */
80eff008
KR		 7946 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7947 goto end;
57d7b988
MC		 7948 if (tst == 4
7949 && !TEST_true(SSL_key_update(serverssl,
7950 SSL_KEY_UPDATE_REQUESTED)))
7951 goto end;
7952 if (tst == 5) {
7953 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7954 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7955 goto end;
7956 }
7957 if ((tst == 4 || tst == 5)
7958 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
80eff008
KR		 7959 goto end;
7960 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
c748834f 7961 goto end;
57d7b988 7962 if (tst == 4 || tst == 5) {
80eff008 7963 /* Should still be able to read data from server */
c748834f 7964 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
80eff008
KR		 7965 &readbytes))
7966 || !TEST_size_t_eq(readbytes, sizeof(msg))
7967 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
7968 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7969 &readbytes))
c748834f
MC		 7970 || !TEST_size_t_eq(readbytes, sizeof(msg))
7971 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
7972 goto end;
7973 }
7974 }
7975
7976 /* Writing on the client after sending close_notify shouldn't be possible */
ba709049 7977 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
c748834f
MC		 7978 goto end;
7979
7980 if (tst < 4) {
7981 /*
7982 * For these tests the client has sent close_notify but it has not yet
7983 * been received by the server. The server has not sent close_notify
7984 * yet.
7985 */
7986 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
ba709049
MC		 7987 /*
7988 * Writing on the server after sending close_notify shouldn't
7989 * be possible.
7990 */
7991 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
c748834f 7992 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
80eff008
KR		 7993 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7994 || !TEST_true(SSL_SESSION_is_resumable(sess))
c748834f
MC		 7995 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
7996 goto end;
57d7b988 7997 } else if (tst == 4 || tst == 5) {
c748834f
MC		 7998 /*
7999 * In this test the client has sent close_notify and it has been
8000 * received by the server which has responded with a close_notify. The
358ffa05 8001 * client needs to read the close_notify sent by the server.
c748834f 8002 */
80eff008
KR		 8003 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
8004 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8005 || !TEST_true(SSL_SESSION_is_resumable(sess)))
c748834f 8006 goto end;
358ffa05
MC		 8007 } else {
8008 /*
57d7b988 8009 * tst == 6
358ffa05
MC		 8010 *
8011 * The client has sent close_notify and is expecting a close_notify
8012 * back, but instead there is application data first. The shutdown
8013 * should fail with a fatal error.
8014 */
8015 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
8016 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
8017 goto end;
c748834f
MC		 8018 }
8019
8020 testresult = 1;
8021
8022 end:
8023 SSL_free(serverssl);
8024 SSL_free(clientssl);
8025 SSL_CTX_free(sctx);
8026 SSL_CTX_free(cctx);
8027
8028 return testresult;
8029}
8030
a763ca11 8031#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
cd6fe29f
MC		 8032static int cert_cb_cnt;
8033
8034static int cert_cb(SSL *s, void *arg)
8035{
8036 SSL_CTX *ctx = (SSL_CTX *)arg;
7cb8fb07
BK		 8037 BIO *in = NULL;
8038 EVP_PKEY *pkey = NULL;
1a2a3a42
MC		 8039 X509 *x509 = NULL, *rootx = NULL;
8040 STACK_OF(X509) *chain = NULL;
8041 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
8042 int ret = 0;
cd6fe29f
MC		 8043
8044 if (cert_cb_cnt == 0) {
8045 /* Suspend the handshake */
8046 cert_cb_cnt++;
8047 return -1;
8048 } else if (cert_cb_cnt == 1) {
8049 /*
8050 * Update the SSL_CTX, set the certificate and private key and then
8051 * continue the handshake normally.
8052 */
8053 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
8054 return 0;
8055
8056 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
8057 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
8058 SSL_FILETYPE_PEM))
8059 || !TEST_true(SSL_check_private_key(s)))
8060 return 0;
8061 cert_cb_cnt++;
8062 return 1;
7cb8fb07
BK		 8063 } else if (cert_cb_cnt == 3) {
8064 int rv;
1a2a3a42
MC		 8065
8066 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
8067 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8068 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8069 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
8070 goto out;
8071 chain = sk_X509_new_null();
8072 if (!TEST_ptr(chain))
8073 goto out;
7cb8fb07 8074 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
e3f03624 8075 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
d8652be0 8076 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
6725682d 8077 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
1a2a3a42
MC		 8078 || !TEST_true(sk_X509_push(chain, rootx)))
8079 goto out;
8080 rootx = NULL;
8081 BIO_free(in);
8082 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
e3f03624 8083 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
d8652be0 8084 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
6725682d 8085 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
7cb8fb07
BK		 8086 goto out;
8087 BIO_free(in);
8088 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
e3f03624 8089 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
5f2b7db0
RL		 8090 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8091 NULL, NULL,
8092 libctx, NULL)))
7cb8fb07 8093 goto out;
1a2a3a42 8094 rv = SSL_check_chain(s, x509, pkey, chain);
7cb8fb07
BK		 8095 /*
8096 * If the cert doesn't show as valid here (e.g., because we don't
8097 * have any shared sigalgs), then we will not set it, and there will
8098 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8099 * will cause tls_choose_sigalgs() to fail the connection.
8100 */
1a2a3a42
MC		 8101 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8102 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7cb8fb07
BK		 8103 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8104 goto out;
8105 }
1a2a3a42
MC		 8106
8107 ret = 1;
cd6fe29f
MC		 8108 }
8109
8110 /* Abort the handshake */
7cb8fb07 8111 out:
1a2a3a42
MC		 8112 OPENSSL_free(ecdsacert);
8113 OPENSSL_free(ecdsakey);
8114 OPENSSL_free(rootfile);
7cb8fb07
BK		 8115 BIO_free(in);
8116 EVP_PKEY_free(pkey);
8117 X509_free(x509);
1a2a3a42 8118 X509_free(rootx);
79b2a2f2 8119 OSSL_STACK_OF_X509_free(chain);
1a2a3a42 8120 return ret;
cd6fe29f
MC		 8121}
8122
8123/*
8124 * Test the certificate callback.
8125 * Test 0: Callback fails
8126 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8127 * Test 2: Success - SSL_set_SSL_CTX() in the callback
1a2a3a42
MC		 8128 * Test 3: Success - Call SSL_check_chain from the callback
8129 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8130 * chain
8131 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
cd6fe29f
MC		 8132 */
8133static int test_cert_cb_int(int prot, int tst)
8134{
8135 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8136 SSL *clientssl = NULL, *serverssl = NULL;
8137 int testresult = 0, ret;
8138
1a2a3a42
MC		 8139#ifdef OPENSSL_NO_EC
8140 /* We use an EC cert in these tests, so we skip in a no-ec build */
8141 if (tst >= 3)
8142 return 1;
8143#endif
8144
5e30f2fd 8145 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
cd6fe29f
MC		 8146 TLS_client_method(),
8147 TLS1_VERSION,
8148 prot,
8149 &sctx, &cctx, NULL, NULL)))
8150 goto end;
8151
8152 if (tst == 0)
8153 cert_cb_cnt = -1;
1a2a3a42 8154 else if (tst >= 3)
7cb8fb07 8155 cert_cb_cnt = 3;
cd6fe29f
MC		 8156 else
8157 cert_cb_cnt = 0;
1a2a3a42 8158
b0317df2 8159 if (tst == 2) {
7e1eda48 8160 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
b0317df2
JJ		 8161 if (!TEST_ptr(snictx))
8162 goto end;
8163 }
8164
cd6fe29f
MC		 8165 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8166
8167 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8168 NULL, NULL)))
8169 goto end;
8170
1a2a3a42
MC		 8171 if (tst == 4) {
8172 /*
8173 * We cause SSL_check_chain() to fail by specifying sig_algs that
8174 * the chain doesn't meet (the root uses an RSA cert)
8175 */
8176 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8177 "ecdsa_secp256r1_sha256")))
8178 goto end;
8179 } else if (tst == 5) {
8180 /*
8181 * We cause SSL_check_chain() to fail by specifying sig_algs that
8182 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8183 */
8184 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8185 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8186 goto end;
8187 }
8188
cd6fe29f 8189 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
1a2a3a42 8190 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7cb8fb07
BK		 8191 || (tst > 0
8192 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
cd6fe29f
MC		 8193 goto end;
8194 }
8195
8196 testresult = 1;
8197
8198 end:
8199 SSL_free(serverssl);
8200 SSL_free(clientssl);
8201 SSL_CTX_free(sctx);
8202 SSL_CTX_free(cctx);
8203 SSL_CTX_free(snictx);
8204
8205 return testresult;
8206}
7f1d923a 8207#endif
cd6fe29f
MC		 8208
8209static int test_cert_cb(int tst)
8210{
8211 int testresult = 1;
8212
8213#ifndef OPENSSL_NO_TLS1_2
8214 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8215#endif
a763ca11 8216#ifndef OSSL_NO_USABLE_TLS1_3
cd6fe29f
MC		 8217 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8218#endif
8219
8220 return testresult;
8221}
8222
6e46c065
MC		 8223static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8224{
8c2bfd25 8225 X509 *xcert;
6e46c065
MC		 8226 EVP_PKEY *privpkey;
8227 BIO *in = NULL;
6725682d 8228 BIO *priv_in = NULL;
6e46c065 8229
8c2bfd25
TS		 8230 /* Check that SSL_get0_peer_certificate() returns something sensible */
8231 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
6e46c065 8232 return 0;
6e46c065
MC		 8233
8234 in = BIO_new_file(cert, "r");
8235 if (!TEST_ptr(in))
8236 return 0;
8237
d8652be0 8238 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
6725682d
SL		 8239 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
8240 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
5f2b7db0
RL		 8241 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
8242 NULL, NULL,
8243 libctx, NULL)))
6725682d 8244 goto err;
6e46c065
MC		 8245
8246 *x509 = xcert;
8247 *pkey = privpkey;
8248
6725682d
SL		 8249 BIO_free(in);
8250 BIO_free(priv_in);
6e46c065 8251 return 1;
6725682d
SL		 8252err:
8253 X509_free(xcert);
8254 BIO_free(in);
8255 BIO_free(priv_in);
8256 return 0;
6e46c065
MC		 8257}
8258
6e46c065
MC		 8259static int test_client_cert_cb(int tst)
8260{
8261 SSL_CTX *cctx = NULL, *sctx = NULL;
8262 SSL *clientssl = NULL, *serverssl = NULL;
8263 int testresult = 0;
8264
8265#ifdef OPENSSL_NO_TLS1_2
8266 if (tst == 0)
8267 return 1;
8268#endif
a763ca11 8269#ifdef OSSL_NO_USABLE_TLS1_3
6e46c065
MC		 8270 if (tst == 1)
8271 return 1;
8272#endif
8273
5e30f2fd 8274 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6e46c065
MC		 8275 TLS_client_method(),
8276 TLS1_VERSION,
8277 tst == 0 ? TLS1_2_VERSION
8278 : TLS1_3_VERSION,
8279 &sctx, &cctx, cert, privkey)))
8280 goto end;
8281
8282 /*
8283 * Test that setting a client_cert_cb results in a client certificate being
8284 * sent.
8285 */
8286 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
8287 SSL_CTX_set_verify(sctx,
8288 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8289 verify_cb);
fb8c8359
MC		 8290
8291 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8292 NULL, NULL))
8293 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8294 SSL_ERROR_NONE)))
8295 goto end;
8296
8297 testresult = 1;
8298
8299 end:
8300 SSL_free(serverssl);
8301 SSL_free(clientssl);
8302 SSL_CTX_free(sctx);
8303 SSL_CTX_free(cctx);
8304
8305 return testresult;
8306}
8307
a763ca11 8308#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
fb8c8359
MC		 8309/*
8310 * Test setting certificate authorities on both client and server.
8311 *
8312 * Test 0: SSL_CTX_set0_CA_list() only
8313 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8314 * Test 2: Only SSL_CTX_set_client_CA_list()
8315 */
8316static int test_ca_names_int(int prot, int tst)
8317{
8318 SSL_CTX *cctx = NULL, *sctx = NULL;
8319 SSL *clientssl = NULL, *serverssl = NULL;
8320 int testresult = 0;
8321 size_t i;
8322 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
8323 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
8324 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
8325 const STACK_OF(X509_NAME) *sktmp = NULL;
8326
8327 for (i = 0; i < OSSL_NELEM(name); i++) {
8328 name[i] = X509_NAME_new();
8329 if (!TEST_ptr(name[i])
8330 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
8331 MBSTRING_ASC,
8332 (unsigned char *)
8333 strnames[i],
8334 -1, -1, 0)))
8335 goto end;
8336 }
8337
5e30f2fd 8338 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fb8c8359
MC		 8339 TLS_client_method(),
8340 TLS1_VERSION,
8341 prot,
8342 &sctx, &cctx, cert, privkey)))
8343 goto end;
8344
8345 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
8346
8347 if (tst == 0 || tst == 1) {
8348 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8349 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
8350 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
8351 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8352 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
8353 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
8354 goto end;
8355
8356 SSL_CTX_set0_CA_list(sctx, sk1);
8357 SSL_CTX_set0_CA_list(cctx, sk2);
8358 sk1 = sk2 = NULL;
8359 }
8360 if (tst == 1 || tst == 2) {
8361 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8362 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
8363 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
8364 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8365 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
8366 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
8367 goto end;
8368
8369 SSL_CTX_set_client_CA_list(sctx, sk1);
8370 SSL_CTX_set_client_CA_list(cctx, sk2);
8371 sk1 = sk2 = NULL;
8372 }
8373
6e46c065
MC		 8374 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8375 NULL, NULL))
8376 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8377 SSL_ERROR_NONE)))
8378 goto end;
8379
fb8c8359
MC		 8380 /*
8381 * We only expect certificate authorities to have been sent to the server
8382 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
8383 */
8384 sktmp = SSL_get0_peer_CA_list(serverssl);
8385 if (prot == TLS1_3_VERSION
8386 && (tst == 0 || tst == 1)) {
8387 if (!TEST_ptr(sktmp)
8388 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8389 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8390 name[0]), 0)
8391 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8392 name[1]), 0))
8393 goto end;
8394 } else if (!TEST_ptr_null(sktmp)) {
8395 goto end;
8396 }
8397
8398 /*
8399 * In all tests we expect certificate authorities to have been sent to the
8400 * client. However, SSL_set_client_CA_list() should override
8401 * SSL_set0_CA_list()
8402 */
8403 sktmp = SSL_get0_peer_CA_list(clientssl);
8404 if (!TEST_ptr(sktmp)
8405 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8406 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8407 name[tst == 0 ? 0 : 2]), 0)
8408 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8409 name[tst == 0 ? 1 : 3]), 0))
8410 goto end;
8411
6e46c065
MC		 8412 testresult = 1;
8413
8414 end:
8415 SSL_free(serverssl);
8416 SSL_free(clientssl);
8417 SSL_CTX_free(sctx);
8418 SSL_CTX_free(cctx);
fb8c8359
MC		 8419 for (i = 0; i < OSSL_NELEM(name); i++)
8420 X509_NAME_free(name[i]);
8421 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
8422 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
8423
8424 return testresult;
8425}
8426#endif
8427
8428static int test_ca_names(int tst)
8429{
8430 int testresult = 1;
8431
8432#ifndef OPENSSL_NO_TLS1_2
8433 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
8434#endif
a763ca11 8435#ifndef OSSL_NO_USABLE_TLS1_3
fb8c8359
MC		 8436 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
8437#endif
6e46c065
MC		 8438
8439 return testresult;
8440}
8441
0d2bfe52
SL		 8442#ifndef OPENSSL_NO_TLS1_2
8443static const char *multiblock_cipherlist_data[]=
8444{
8445 "AES128-SHA",
8446 "AES128-SHA256",
8447 "AES256-SHA",
8448 "AES256-SHA256",
8449};
8450
8451/* Reduce the fragment size - so the multiblock test buffer can be small */
8452# define MULTIBLOCK_FRAGSIZE 512
8453
8454static int test_multiblock_write(int test_index)
8455{
8456 static const char *fetchable_ciphers[]=
8457 {
8458 "AES-128-CBC-HMAC-SHA1",
8459 "AES-128-CBC-HMAC-SHA256",
8460 "AES-256-CBC-HMAC-SHA1",
8461 "AES-256-CBC-HMAC-SHA256"
8462 };
8463 const char *cipherlist = multiblock_cipherlist_data[test_index];
8464 const SSL_METHOD *smeth = TLS_server_method();
8465 const SSL_METHOD *cmeth = TLS_client_method();
8466 int min_version = TLS1_VERSION;
8467 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
8468 SSL_CTX *cctx = NULL, *sctx = NULL;
8469 SSL *clientssl = NULL, *serverssl = NULL;
8470 int testresult = 0;
8471
8472 /*
8473 * Choose a buffer large enough to perform a multi-block operation
8474 * i.e: write_len >= 4 * frag_size
8475 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8476 */
8477 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
8478 unsigned char buf[sizeof(msg)], *p = buf;
8479 size_t readbytes, written, len;
8480 EVP_CIPHER *ciph = NULL;
8481
8482 /*
8483 * Check if the cipher exists before attempting to use it since it only has
8484 * a hardware specific implementation.
8485 */
7c82a7a8 8486 ciph = EVP_CIPHER_fetch(libctx, fetchable_ciphers[test_index], "");
0d2bfe52
SL		 8487 if (ciph == NULL) {
8488 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
8489 return 1;
8490 }
8491 EVP_CIPHER_free(ciph);
8492
8493 /* Set up a buffer with some data that will be sent to the client */
8494 RAND_bytes(msg, sizeof(msg));
8495
5e30f2fd
MC		 8496 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
8497 max_version, &sctx, &cctx, cert,
8498 privkey)))
0d2bfe52
SL		 8499 goto end;
8500
8501 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
8502 goto end;
8503
8504 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8505 NULL, NULL)))
8506 goto end;
8507
8508 /* settings to force it to use AES-CBC-HMAC_SHA */
8509 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
8510 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
8511 goto end;
8512
8513 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8514 goto end;
8515
8516 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8517 || !TEST_size_t_eq(written, sizeof(msg)))
8518 goto end;
8519
8520 len = written;
8521 while (len > 0) {
8522 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
8523 goto end;
8524 p += readbytes;
8525 len -= readbytes;
8526 }
8527 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
8528 goto end;
8529
8530 testresult = 1;
8531end:
8532 SSL_free(serverssl);
8533 SSL_free(clientssl);
8534 SSL_CTX_free(sctx);
8535 SSL_CTX_free(cctx);
8536
8537 return testresult;
8538}
8539#endif /* OPENSSL_NO_TLS1_2 */
a43ce58f 8540
25959e04
TS		 8541static int test_session_timeout(int test)
8542{
8543 /*
8544 * Test session ordering and timeout
8545 * Can't explicitly test performance of the new code,
8546 * but can test to see if the ordering of the sessions
8547 * are correct, and they they are removed as expected
8548 */
8549 SSL_SESSION *early = NULL;
8550 SSL_SESSION *middle = NULL;
8551 SSL_SESSION *late = NULL;
8552 SSL_CTX *ctx;
8553 int testresult = 0;
8554 long now = (long)time(NULL);
8555#define TIMEOUT 10
8556
8557 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
8558 || !TEST_ptr(early = SSL_SESSION_new())
8559 || !TEST_ptr(middle = SSL_SESSION_new())
8560 || !TEST_ptr(late = SSL_SESSION_new()))
8561 goto end;
8562
8563 /* assign unique session ids */
8564 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8565 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
8566 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8567 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
8568 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8569 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
8570
8571 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8572 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8573 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8574 goto end;
8575
8576 /* Make sure they are all added */
8577 if (!TEST_ptr(early->prev)
8578 || !TEST_ptr(middle->prev)
8579 || !TEST_ptr(late->prev))
8580 goto end;
8581
8582 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
8583 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
8584 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
8585 goto end;
8586
8587 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
8588 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
8589 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
8590 goto end;
8591
8592 /* Make sure they are all still there */
8593 if (!TEST_ptr(early->prev)
8594 || !TEST_ptr(middle->prev)
8595 || !TEST_ptr(late->prev))
8596 goto end;
8597
8598 /* Make sure they are in the expected order */
8599 if (!TEST_ptr_eq(late->next, middle)
8600 || !TEST_ptr_eq(middle->next, early)
8601 || !TEST_ptr_eq(early->prev, middle)
8602 || !TEST_ptr_eq(middle->prev, late))
8603 goto end;
8604
8605 /* This should remove "early" */
8606 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
8607 if (!TEST_ptr_null(early->prev)
8608 || !TEST_ptr(middle->prev)
8609 || !TEST_ptr(late->prev))
8610 goto end;
8611
8612 /* This should remove "middle" */
8613 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
8614 if (!TEST_ptr_null(early->prev)
8615 || !TEST_ptr_null(middle->prev)
8616 || !TEST_ptr(late->prev))
8617 goto end;
8618
8619 /* This should remove "late" */
8620 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
8621 if (!TEST_ptr_null(early->prev)
8622 || !TEST_ptr_null(middle->prev)
8623 || !TEST_ptr_null(late->prev))
8624 goto end;
8625
8626 /* Add them back in again */
8627 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8628 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8629 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8630 goto end;
8631
8632 /* Make sure they are all added */
8633 if (!TEST_ptr(early->prev)
8634 || !TEST_ptr(middle->prev)
8635 || !TEST_ptr(late->prev))
8636 goto end;
8637
8638 /* This should remove all of them */
8639 SSL_CTX_flush_sessions(ctx, 0);
8640 if (!TEST_ptr_null(early->prev)
8641 || !TEST_ptr_null(middle->prev)
8642 || !TEST_ptr_null(late->prev))
8643 goto end;
8644
8645 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
8646 | SSL_CTX_get_session_cache_mode(ctx));
8647
8648 /* make sure |now| is NOT equal to the current time */
8649 now -= 10;
8650 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
8651 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8652 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
8653 goto end;
8654
8655 testresult = 1;
8656 end:
8657 SSL_CTX_free(ctx);
8658 SSL_SESSION_free(early);
8659 SSL_SESSION_free(middle);
8660 SSL_SESSION_free(late);
8661 return testresult;
8662}
8663
49ef3d07
MC		 8664/*
8665 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
8666 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
8667 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
8668 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
8669 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
8670 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
8671 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
8672 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
8673 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
8674 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
8675 */
8676static int test_servername(int tst)
8677{
8678 SSL_CTX *cctx = NULL, *sctx = NULL;
8679 SSL *clientssl = NULL, *serverssl = NULL;
8680 int testresult = 0;
8681 SSL_SESSION *sess = NULL;
8682 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
8683
8684#ifdef OPENSSL_NO_TLS1_2
8685 if (tst <= 4)
8686 return 1;
8687#endif
a763ca11 8688#ifdef OSSL_NO_USABLE_TLS1_3
49ef3d07
MC		 8689 if (tst >= 5)
8690 return 1;
8691#endif
8692
5e30f2fd 8693 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
49ef3d07
MC		 8694 TLS_client_method(),
8695 TLS1_VERSION,
8696 (tst <= 4) ? TLS1_2_VERSION
8697 : TLS1_3_VERSION,
8698 &sctx, &cctx, cert, privkey))
8699 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8700 NULL, NULL)))
8701 goto end;
8702
8703 if (tst != 1 && tst != 6) {
8704 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
8705 hostname_cb)))
8706 goto end;
8707 }
8708
8709 if (tst != 3 && tst != 8) {
8710 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8711 goto end;
8712 sexpectedhost = cexpectedhost = "goodhost";
8713 }
8714
8715 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8716 goto end;
8717
8718 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
8719 cexpectedhost)
8720 || !TEST_str_eq(SSL_get_servername(serverssl,
8721 TLSEXT_NAMETYPE_host_name),
8722 sexpectedhost))
8723 goto end;
8724
8725 /* Now repeat with a resumption handshake */
8726
8727 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
8728 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
8729 || !TEST_true(SSL_SESSION_is_resumable(sess))
8730 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
8731 goto end;
8732
8733 SSL_free(clientssl);
8734 SSL_free(serverssl);
8735 clientssl = serverssl = NULL;
8736
8737 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8738 NULL)))
8739 goto end;
8740
8741 if (!TEST_true(SSL_set_session(clientssl, sess)))
8742 goto end;
8743
8744 sexpectedhost = cexpectedhost = "goodhost";
8745 if (tst == 2 || tst == 7) {
8746 /* Set an inconsistent hostname */
8747 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
8748 goto end;
8749 /*
8750 * In TLSv1.2 we expect the hostname from the original handshake, in
8751 * TLSv1.3 we expect the hostname from this handshake
8752 */
8753 if (tst == 7)
8754 sexpectedhost = cexpectedhost = "altgoodhost";
8755
8756 if (!TEST_str_eq(SSL_get_servername(clientssl,
8757 TLSEXT_NAMETYPE_host_name),
8758 "altgoodhost"))
8759 goto end;
8760 } else if (tst == 4 || tst == 9) {
8761 /*
8762 * A TLSv1.3 session does not associate a session with a servername,
8763 * but a TLSv1.2 session does.
8764 */
8765 if (tst == 9)
8766 sexpectedhost = cexpectedhost = NULL;
8767
8768 if (!TEST_str_eq(SSL_get_servername(clientssl,
8769 TLSEXT_NAMETYPE_host_name),
8770 cexpectedhost))
8771 goto end;
8772 } else {
8773 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8774 goto end;
8775 /*
8776 * In a TLSv1.2 resumption where the hostname was not acknowledged
8777 * we expect the hostname on the server to be empty. On the client we
8778 * return what was requested in this case.
8779 *
8780 * Similarly if the client didn't set a hostname on an original TLSv1.2
8781 * session but is now, the server hostname will be empty, but the client
8782 * is as we set it.
8783 */
8784 if (tst == 1 || tst == 3)
8785 sexpectedhost = NULL;
8786
8787 if (!TEST_str_eq(SSL_get_servername(clientssl,
8788 TLSEXT_NAMETYPE_host_name),
8789 "goodhost"))
8790 goto end;
8791 }
8792
8793 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8794 goto end;
8795
8796 if (!TEST_true(SSL_session_reused(clientssl))
8797 || !TEST_true(SSL_session_reused(serverssl))
8798 || !TEST_str_eq(SSL_get_servername(clientssl,
8799 TLSEXT_NAMETYPE_host_name),
8800 cexpectedhost)
8801 || !TEST_str_eq(SSL_get_servername(serverssl,
8802 TLSEXT_NAMETYPE_host_name),
8803 sexpectedhost))
8804 goto end;
8805
8806 testresult = 1;
8807
8808 end:
8809 SSL_SESSION_free(sess);
8810 SSL_free(serverssl);
8811 SSL_free(clientssl);
8812 SSL_CTX_free(sctx);
8813 SSL_CTX_free(cctx);
8814
8815 return testresult;
8816}
8817
b1fdbc68 8818#if !defined(OPENSSL_NO_EC) \
a763ca11 8819 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b3842539
MC		 8820/*
8821 * Test that if signature algorithms are not available, then we do not offer or
8822 * accept them.
8823 * Test 0: Two RSA sig algs available: both RSA sig algs shared
8824 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
8825 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
8826 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
8827 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
8828 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
8829 */
8830static int test_sigalgs_available(int idx)
8831{
8832 SSL_CTX *cctx = NULL, *sctx = NULL;
8833 SSL *clientssl = NULL, *serverssl = NULL;
8834 int testresult = 0;
b4250010
DMSP		 8835 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
8836 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
b3842539
MC		 8837 OSSL_PROVIDER *filterprov = NULL;
8838 int sig, hash;
8839
8840 if (!TEST_ptr(tmpctx))
8841 goto end;
8842
8843 if (idx != 0 && idx != 3) {
8844 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
8845 filter_provider_init)))
8846 goto end;
8847
8848 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
8849 if (!TEST_ptr(filterprov))
8850 goto end;
8851
8852 if (idx < 3) {
8853 /*
8854 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
8855 * or accepted for the peer that uses this libctx. Note that libssl
8856 * *requires* SHA2-256 to be available so we cannot disable that. We
8857 * also need SHA1 for our certificate.
8858 */
8859 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
8860 "SHA2-256:SHA1")))
8861 goto end;
8862 } else {
8863 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
8864 "ECDSA"))
8865 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
8866 "EC:X25519:X448")))
8867 goto end;
8868 }
8869
8870 if (idx == 1 || idx == 4)
8871 clientctx = tmpctx;
8872 else
8873 serverctx = tmpctx;
8874 }
8875
d8652be0
MC		 8876 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
8877 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9d2d857f
MC		 8878 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
8879 goto end;
b3842539 8880
b4c4a2c6
TM		 8881 if (idx != 5) {
8882 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8883 TLS_client_method(),
8884 TLS1_VERSION,
8885 0,
8886 &sctx, &cctx, cert, privkey)))
8887 goto end;
8888 } else {
8889 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8890 TLS_client_method(),
8891 TLS1_VERSION,
8892 0,
8893 &sctx, &cctx, cert2, privkey2)))
8894 goto end;
8895 }
b3842539 8896
b1fdbc68
MC		 8897 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
8898 if (idx < 4) {
8899 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8900 "ECDHE-RSA-AES128-GCM-SHA256")))
8901 goto end;
8902 } else {
8903 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8904 "ECDHE-ECDSA-AES128-GCM-SHA256")))
8905 goto end;
8906 }
8907
b3842539
MC		 8908 if (idx < 3) {
8909 if (!SSL_CTX_set1_sigalgs_list(cctx,
8910 "rsa_pss_rsae_sha384"
8911 ":rsa_pss_rsae_sha256")
8912 || !SSL_CTX_set1_sigalgs_list(sctx,
8913 "rsa_pss_rsae_sha384"
8914 ":rsa_pss_rsae_sha256"))
8915 goto end;
8916 } else {
8917 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
8918 || !SSL_CTX_set1_sigalgs_list(sctx,
8919 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
8920 goto end;
8921 }
8922
b4c4a2c6
TM		 8923 if (idx != 5
8924 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
8925 SSL_FILETYPE_PEM), 1)
b3842539
MC		 8926 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
8927 privkey2,
8928 SSL_FILETYPE_PEM), 1)
b4c4a2c6 8929 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
b3842539
MC		 8930 goto end;
8931
8932 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
b4c4a2c6 8933 NULL, NULL)))
b3842539
MC		 8934 goto end;
8935
8936 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8937 goto end;
8938
8939 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
8940 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
8941 NULL, NULL),
8942 (idx == 0 || idx == 3) ? 2 : 1))
8943 goto end;
8944
8945 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
8946 goto end;
8947
8948 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
8949 : NID_rsassaPss))
8950 goto end;
8951
b0001d0c 8952 testresult = filter_provider_check_clean_finish();
b3842539
MC		 8953
8954 end:
8955 SSL_free(serverssl);
8956 SSL_free(clientssl);
8957 SSL_CTX_free(sctx);
8958 SSL_CTX_free(cctx);
8959 OSSL_PROVIDER_unload(filterprov);
b4250010 8960 OSSL_LIB_CTX_free(tmpctx);
b3842539
MC		 8961
8962 return testresult;
8963}
b1fdbc68
MC		 8964#endif /*
8965 * !defined(OPENSSL_NO_EC) \
a763ca11 8966 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b1fdbc68 8967 */
b3842539 8968
0c13cdf8 8969#ifndef OPENSSL_NO_TLS1_3
a763ca11 8970/* This test can run in TLSv1.3 even if ec and dh are disabled */
c8e3a4c6 8971static int test_pluggable_group(int idx)
0c13cdf8
MC		 8972{
8973 SSL_CTX *cctx = NULL, *sctx = NULL;
8974 SSL *clientssl = NULL, *serverssl = NULL;
8975 int testresult = 0;
8976 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
146aebc6
MC		 8977 /* Check that we are not impacted by a provider without any groups */
8978 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
c8e3a4c6 8979 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
0c13cdf8 8980
5ae54dba 8981 if (!TEST_ptr(tlsprov))
0c13cdf8
MC		 8982 goto end;
8983
5ae54dba
MC		 8984 if (legacyprov == NULL) {
8985 /*
8986 * In this case we assume we've been built with "no-legacy" and skip
8987 * this test (there is no OPENSSL_NO_LEGACY)
8988 */
8989 testresult = 1;
8990 goto end;
8991 }
8992
0c13cdf8
MC		 8993 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8994 TLS_client_method(),
8995 TLS1_3_VERSION,
8996 TLS1_3_VERSION,
8997 &sctx, &cctx, cert, privkey))
8998 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8999 NULL, NULL)))
9000 goto end;
9001
c8e3a4c6
NT		 9002 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
9003 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
0c13cdf8
MC		 9004 goto end;
9005
9006 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9007 goto end;
9008
becbacd7
MB		 9009 if (!TEST_str_eq(group_name,
9010 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
9011 goto end;
9012
0c13cdf8
MC		 9013 testresult = 1;
9014
9015 end:
9016 SSL_free(serverssl);
9017 SSL_free(clientssl);
9018 SSL_CTX_free(sctx);
9019 SSL_CTX_free(cctx);
9020 OSSL_PROVIDER_unload(tlsprov);
146aebc6 9021 OSSL_PROVIDER_unload(legacyprov);
0c13cdf8
MC		 9022
9023 return testresult;
9024}
9025#endif
b3842539 9026
49a36a52
MC		 9027#ifndef OPENSSL_NO_TLS1_2
9028static int test_ssl_dup(void)
9029{
9030 SSL_CTX *cctx = NULL, *sctx = NULL;
9031 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
9032 int testresult = 0;
9033 BIO *rbio = NULL, *wbio = NULL;
9034
9035 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9036 TLS_client_method(),
9037 0,
9038 0,
9039 &sctx, &cctx, cert, privkey)))
9040 goto end;
9041
9042 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9043 NULL, NULL)))
9044 goto end;
9045
9046 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
9047 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
9048 goto end;
9049
9050 client2ssl = SSL_dup(clientssl);
9051 rbio = SSL_get_rbio(clientssl);
9052 if (!TEST_ptr(rbio)
9053 || !TEST_true(BIO_up_ref(rbio)))
9054 goto end;
9055 SSL_set0_rbio(client2ssl, rbio);
9056 rbio = NULL;
9057
9058 wbio = SSL_get_wbio(clientssl);
9059 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
9060 goto end;
9061 SSL_set0_wbio(client2ssl, wbio);
9062 rbio = NULL;
9063
9064 if (!TEST_ptr(client2ssl)
9065 /* Handshake not started so pointers should be different */
9066 || !TEST_ptr_ne(clientssl, client2ssl))
9067 goto end;
9068
9069 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
9070 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
9071 goto end;
9072
9073 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
9074 goto end;
9075
9076 SSL_free(clientssl);
9077 clientssl = SSL_dup(client2ssl);
9078 if (!TEST_ptr(clientssl)
9079 /* Handshake has finished so pointers should be the same */
9080 || !TEST_ptr_eq(clientssl, client2ssl))
9081 goto end;
9082
9083 testresult = 1;
9084
9085 end:
9086 SSL_free(serverssl);
9087 SSL_free(clientssl);
9088 SSL_free(client2ssl);
9089 SSL_CTX_free(sctx);
9090 SSL_CTX_free(cctx);
9091
9092 return testresult;
9093}
33c39a06
MC		 9094
9095# ifndef OPENSSL_NO_DH
9096
9097static EVP_PKEY *tmp_dh_params = NULL;
9098
9099/* Helper function for the test_set_tmp_dh() tests */
9100static EVP_PKEY *get_tmp_dh_params(void)
9101{
9102 if (tmp_dh_params == NULL) {
9103 BIGNUM *p = NULL;
9104 OSSL_PARAM_BLD *tmpl = NULL;
9105 EVP_PKEY_CTX *pctx = NULL;
9106 OSSL_PARAM *params = NULL;
9107 EVP_PKEY *dhpkey = NULL;
9108
9109 p = BN_get_rfc3526_prime_2048(NULL);
9110 if (!TEST_ptr(p))
9111 goto end;
9112
9113 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
9114 if (!TEST_ptr(pctx)
884400d7 9115 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
33c39a06
MC		 9116 goto end;
9117
9118 tmpl = OSSL_PARAM_BLD_new();
9119 if (!TEST_ptr(tmpl)
9120 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
9121 OSSL_PKEY_PARAM_FFC_P,
9122 p))
9123 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
9124 OSSL_PKEY_PARAM_FFC_G,
9125 2)))
9126 goto end;
9127
9128 params = OSSL_PARAM_BLD_to_param(tmpl);
9129 if (!TEST_ptr(params)
884400d7 9130 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
9131 EVP_PKEY_KEY_PARAMETERS,
9132 params), 1))
33c39a06
MC		 9133 goto end;
9134
9135 tmp_dh_params = dhpkey;
9136 end:
9137 BN_free(p);
9138 EVP_PKEY_CTX_free(pctx);
9139 OSSL_PARAM_BLD_free(tmpl);
3f883c7c 9140 OSSL_PARAM_free(params);
33c39a06
MC		 9141 }
9142
f1619160 9143 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
33c39a06
MC		 9144 return NULL;
9145
9146 return tmp_dh_params;
9147}
9148
39f3427d 9149# ifndef OPENSSL_NO_DEPRECATED_3_0
33c39a06
MC		 9150/* Callback used by test_set_tmp_dh() */
9151static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
9152{
9153 EVP_PKEY *dhpkey = get_tmp_dh_params();
9154 DH *ret = NULL;
9155
9156 if (!TEST_ptr(dhpkey))
9157 return NULL;
9158
7bc0fdd3
MC		 9159 /*
9160 * libssl does not free the returned DH, so we free it now knowing that even
9161 * after we free dhpkey, there will still be a reference to the owning
9162 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
9163 * of time we need it for.
9164 */
9165 ret = EVP_PKEY_get1_DH(dhpkey);
9166 DH_free(ret);
33c39a06
MC		 9167
9168 EVP_PKEY_free(dhpkey);
9169
9170 return ret;
9171}
9172# endif
9173
9174/*
9175 * Test the various methods for setting temporary DH parameters
9176 *
9177 * Test 0: Default (no auto) setting
9178 * Test 1: Explicit SSL_CTX auto off
9179 * Test 2: Explicit SSL auto off
9180 * Test 3: Explicit SSL_CTX auto on
9181 * Test 4: Explicit SSL auto on
9182 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
9183 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
9184 *
9185 * The following are testing deprecated APIs, so we only run them if available
9186 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
9187 * Test 8: Explicit SSL auto off, custom DH params via DH
9188 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
9189 * Test 10: Explicit SSL auto off, custom DH params via callback
9190 */
9191static int test_set_tmp_dh(int idx)
9192{
9193 SSL_CTX *cctx = NULL, *sctx = NULL;
9194 SSL *clientssl = NULL, *serverssl = NULL;
9195 int testresult = 0;
9196 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
9197 int expected = (idx <= 2) ? 0 : 1;
9198 EVP_PKEY *dhpkey = NULL;
9199# ifndef OPENSSL_NO_DEPRECATED_3_0
9200 DH *dh = NULL;
9201# else
9202
9203 if (idx >= 7)
9204 return 1;
9205# endif
9206
9207 if (idx >= 5 && idx <= 8) {
9208 dhpkey = get_tmp_dh_params();
9209 if (!TEST_ptr(dhpkey))
9210 goto end;
9211 }
9212# ifndef OPENSSL_NO_DEPRECATED_3_0
9213 if (idx == 7 || idx == 8) {
7bc0fdd3 9214 dh = EVP_PKEY_get1_DH(dhpkey);
33c39a06
MC		 9215 if (!TEST_ptr(dh))
9216 goto end;
9217 }
9218# endif
9219
9220 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9221 TLS_client_method(),
9222 0,
9223 0,
9224 &sctx, &cctx, cert, privkey)))
9225 goto end;
9226
9227 if ((idx & 1) == 1) {
9228 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
9229 goto end;
9230 }
9231
9232 if (idx == 5) {
9233 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
9234 goto end;
9235 dhpkey = NULL;
9236 }
9237# ifndef OPENSSL_NO_DEPRECATED_3_0
9238 else if (idx == 7) {
9239 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
9240 goto end;
9241 } else if (idx == 9) {
9242 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
9243 }
9244# endif
9245
9246 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9247 NULL, NULL)))
9248 goto end;
9249
9250 if ((idx & 1) == 0 && idx != 0) {
9251 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
9252 goto end;
9253 }
9254 if (idx == 6) {
9255 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
9256 goto end;
9257 dhpkey = NULL;
9258 }
9259# ifndef OPENSSL_NO_DEPRECATED_3_0
9260 else if (idx == 8) {
9261 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
9262 goto end;
9263 } else if (idx == 10) {
9264 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
9265 }
9266# endif
9267
9268 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9269 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9270 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
9271 goto end;
9272
9273 /*
9274 * If autoon then we should succeed. Otherwise we expect failure because
9275 * there are no parameters
9276 */
9277 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
9278 SSL_ERROR_NONE), expected))
9279 goto end;
9280
9281 testresult = 1;
9282
9283 end:
7bc0fdd3
MC		 9284# ifndef OPENSSL_NO_DEPRECATED_3_0
9285 DH_free(dh);
9286# endif
33c39a06
MC		 9287 SSL_free(serverssl);
9288 SSL_free(clientssl);
9289 SSL_CTX_free(sctx);
9290 SSL_CTX_free(cctx);
9291 EVP_PKEY_free(dhpkey);
9292
9293 return testresult;
9294}
3105d846
MC		 9295
9296/*
9297 * Test the auto DH keys are appropriately sized
9298 */
9299static int test_dh_auto(int idx)
9300{
61cab650
MC		 9301 SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
9302 SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
3105d846
MC		 9303 SSL *clientssl = NULL, *serverssl = NULL;
9304 int testresult = 0;
9305 EVP_PKEY *tmpkey = NULL;
9306 char *thiscert = NULL, *thiskey = NULL;
9307 size_t expdhsize = 0;
9308 const char *ciphersuite = "DHE-RSA-AES128-SHA";
9309
61cab650
MC		 9310 if (!TEST_ptr(sctx) || !TEST_ptr(cctx))
9311 goto end;
9312
3105d846
MC		 9313 switch (idx) {
9314 case 0:
9315 /* The FIPS provider doesn't support this DH size - so we ignore it */
61cab650
MC		 9316 if (is_fips) {
9317 testresult = 1;
9318 goto end;
9319 }
3105d846
MC		 9320 thiscert = cert1024;
9321 thiskey = privkey1024;
9322 expdhsize = 1024;
61cab650
MC		 9323 SSL_CTX_set_security_level(sctx, 1);
9324 SSL_CTX_set_security_level(cctx, 1);
3105d846
MC		 9325 break;
9326 case 1:
9327 /* 2048 bit prime */
9328 thiscert = cert;
9329 thiskey = privkey;
9330 expdhsize = 2048;
9331 break;
9332 case 2:
9333 thiscert = cert3072;
9334 thiskey = privkey3072;
9335 expdhsize = 3072;
9336 break;
9337 case 3:
9338 thiscert = cert4096;
9339 thiskey = privkey4096;
9340 expdhsize = 4096;
9341 break;
9342 case 4:
9343 thiscert = cert8192;
9344 thiskey = privkey8192;
9345 expdhsize = 8192;
9346 break;
9347 /* No certificate cases */
9348 case 5:
9349 /* The FIPS provider doesn't support this DH size - so we ignore it */
61cab650
MC		 9350 if (is_fips) {
9351 testresult = 1;
9352 goto end;
9353 }
3105d846
MC		 9354 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
9355 expdhsize = 1024;
9356 break;
9357 case 6:
9358 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
9359 expdhsize = 3072;
9360 break;
9361 default:
9362 TEST_error("Invalid text index");
9363 goto end;
9364 }
9365
61cab650
MC		 9366 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL,
9367 NULL,
3105d846
MC		 9368 0,
9369 0,
9370 &sctx, &cctx, thiscert, thiskey)))
9371 goto end;
9372
9373 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9374 NULL, NULL)))
9375 goto end;
9376
9377 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
9378 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9379 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9380 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
9381 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
9382 goto end;
9383
9384 /*
9385 * Send the server's first flight. At this point the server has created the
9386 * temporary DH key but hasn't finished using it yet. Once used it is
9387 * removed, so we cannot test it.
9388 */
9389 if (!TEST_int_le(SSL_connect(clientssl), 0)
9390 || !TEST_int_le(SSL_accept(serverssl), 0))
9391 goto end;
9392
9393 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
9394 goto end;
ed576acd 9395 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
3105d846
MC		 9396 goto end;
9397
9398 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9399 goto end;
9400
9401 testresult = 1;
9402
9403 end:
9404 SSL_free(serverssl);
9405 SSL_free(clientssl);
9406 SSL_CTX_free(sctx);
9407 SSL_CTX_free(cctx);
9408 EVP_PKEY_free(tmpkey);
9409
9410 return testresult;
9411
9412}
33c39a06
MC		 9413# endif /* OPENSSL_NO_DH */
9414#endif /* OPENSSL_NO_TLS1_2 */
49a36a52 9415
a763ca11 9416#ifndef OSSL_NO_USABLE_TLS1_3
6582661f
MC		 9417/*
9418 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
9419 * that it works even without a certificate configured for the original
9420 * SSL_CTX
9421 */
9422static int test_sni_tls13(void)
9423{
9424 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
9425 SSL *clientssl = NULL, *serverssl = NULL;
9426 int testresult = 0;
9427
9428 /* Reset callback counter */
9429 snicb = 0;
9430
9431 /* Create an initial SSL_CTX with no certificate configured */
9432 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9433 if (!TEST_ptr(sctx))
9434 goto end;
9435 /* Require TLSv1.3 as a minimum */
9436 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9437 TLS_client_method(), TLS1_3_VERSION, 0,
9438 &sctx2, &cctx, cert, privkey)))
9439 goto end;
9440
9441 /* Set up SNI */
9442 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
9443 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
9444 goto end;
9445
9446 /*
9447 * Connection should still succeed because the final SSL_CTX has the right
9448 * certificates configured.
9449 */
9450 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9451 &clientssl, NULL, NULL))
9452 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9453 SSL_ERROR_NONE)))
9454 goto end;
9455
9456 /* We should have had the SNI callback called exactly once */
9457 if (!TEST_int_eq(snicb, 1))
9458 goto end;
9459
9460 testresult = 1;
9461
9462end:
9463 SSL_free(serverssl);
9464 SSL_free(clientssl);
9465 SSL_CTX_free(sctx2);
9466 SSL_CTX_free(sctx);
9467 SSL_CTX_free(cctx);
9468 return testresult;
9469}
0089cc7f
TS		 9470
9471/*
9472 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
9473 * 0 = TLSv1.2
9474 * 1 = TLSv1.3
9475 */
9476static int test_ticket_lifetime(int idx)
9477{
9478 SSL_CTX *cctx = NULL, *sctx = NULL;
9479 SSL *clientssl = NULL, *serverssl = NULL;
9480 int testresult = 0;
9481 int version = TLS1_3_VERSION;
9482
9483#define ONE_WEEK_SEC (7 * 24 * 60 * 60)
9484#define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
9485
9486 if (idx == 0) {
40fb5a4c
TS		 9487#ifdef OPENSSL_NO_TLS1_2
9488 return TEST_skip("TLS 1.2 is disabled.");
9489#else
0089cc7f 9490 version = TLS1_2_VERSION;
40fb5a4c 9491#endif
0089cc7f
TS		 9492 }
9493
9494 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9495 TLS_client_method(), version, version,
9496 &sctx, &cctx, cert, privkey)))
9497 goto end;
9498
9499 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9500 &clientssl, NULL, NULL)))
9501 goto end;
9502
9503 /*
9504 * Set the timeout to be more than 1 week
9505 * make sure the returned value is the default
9506 */
9507 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
9508 SSL_get_default_timeout(serverssl)))
9509 goto end;
9510
9511 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9512 goto end;
9513
9514 if (idx == 0) {
9515 /* TLSv1.2 uses the set value */
9516 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
9517 goto end;
9518 } else {
9519 /* TLSv1.3 uses the limited value */
9520 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
9521 goto end;
9522 }
9523 testresult = 1;
9524
9525end:
9526 SSL_free(serverssl);
9527 SSL_free(clientssl);
9528 SSL_CTX_free(sctx);
9529 SSL_CTX_free(cctx);
9530 return testresult;
9531}
6582661f 9532#endif
feba11cf
TS		 9533/*
9534 * Test that setting an ALPN does not violate RFC
9535 */
9536static int test_set_alpn(void)
9537{
9538 SSL_CTX *ctx = NULL;
9539 SSL *ssl = NULL;
9540 int testresult = 0;
9541
9542 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
9543 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
9544 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
9545 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
9546 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
9547 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
9548
9549 /* Create an initial SSL_CTX with no certificate configured */
9550 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9551 if (!TEST_ptr(ctx))
9552 goto end;
9553
9554 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
9555 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
9556 goto end;
9557 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
9558 goto end;
9559 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
9560 goto end;
9561 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
9562 goto end;
9563 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
9564 goto end;
9565 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
9566 goto end;
9567 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
9568 goto end;
9569 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
9570 goto end;
9571 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
9572 goto end;
9573
9574 ssl = SSL_new(ctx);
9575 if (!TEST_ptr(ssl))
9576 goto end;
9577
9578 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
9579 goto end;
9580 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
9581 goto end;
9582 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
9583 goto end;
9584 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
9585 goto end;
9586 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
9587 goto end;
9588 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
9589 goto end;
9590 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
9591 goto end;
9592 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
9593 goto end;
9594 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
9595 goto end;
9596
9597 testresult = 1;
9598
9599end:
9600 SSL_free(ssl);
9601 SSL_CTX_free(ctx);
9602 return testresult;
9603}
6582661f 9604
948cf521
HL		 9605/*
9606 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
9607 */
9608static int test_set_verify_cert_store_ssl_ctx(void)
9609{
9610 SSL_CTX *ctx = NULL;
9611 int testresult = 0;
9612 X509_STORE *store = NULL, *new_store = NULL,
9613 *cstore = NULL, *new_cstore = NULL;
9614
9615 /* Create an initial SSL_CTX. */
9616 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9617 if (!TEST_ptr(ctx))
9618 goto end;
9619
9620 /* Retrieve verify store pointer. */
9621 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
9622 goto end;
9623
9624 /* Retrieve chain store pointer. */
9625 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
9626 goto end;
9627
9628 /* We haven't set any yet, so this should be NULL. */
9629 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9630 goto end;
9631
9632 /* Create stores. We use separate stores so pointers are different. */
9633 new_store = X509_STORE_new();
9634 if (!TEST_ptr(new_store))
9635 goto end;
9636
9637 new_cstore = X509_STORE_new();
9638 if (!TEST_ptr(new_cstore))
9639 goto end;
9640
9641 /* Set stores. */
9642 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
9643 goto end;
9644
9645 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
9646 goto end;
9647
9648 /* Should be able to retrieve the same pointer. */
9649 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
9650 goto end;
9651
9652 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
9653 goto end;
9654
9655 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
9656 goto end;
9657
9658 /* Should be able to unset again. */
9659 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
9660 goto end;
9661
9662 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
9663 goto end;
9664
9665 /* Should now be NULL. */
9666 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
9667 goto end;
9668
9669 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
9670 goto end;
9671
9672 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9673 goto end;
9674
9675 testresult = 1;
9676
9677end:
9678 X509_STORE_free(new_store);
9679 X509_STORE_free(new_cstore);
9680 SSL_CTX_free(ctx);
9681 return testresult;
9682}
9683
9684/*
9685 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
9686 */
9687static int test_set_verify_cert_store_ssl(void)
9688{
9689 SSL_CTX *ctx = NULL;
9690 SSL *ssl = NULL;
9691 int testresult = 0;
9692 X509_STORE *store = NULL, *new_store = NULL,
9693 *cstore = NULL, *new_cstore = NULL;
9694
9695 /* Create an initial SSL_CTX. */
9696 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9697 if (!TEST_ptr(ctx))
9698 goto end;
9699
9700 /* Create an SSL object. */
9701 ssl = SSL_new(ctx);
9702 if (!TEST_ptr(ssl))
9703 goto end;
9704
9705 /* Retrieve verify store pointer. */
9706 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
9707 goto end;
9708
9709 /* Retrieve chain store pointer. */
9710 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
9711 goto end;
9712
9713 /* We haven't set any yet, so this should be NULL. */
9714 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9715 goto end;
9716
9717 /* Create stores. We use separate stores so pointers are different. */
9718 new_store = X509_STORE_new();
9719 if (!TEST_ptr(new_store))
9720 goto end;
9721
9722 new_cstore = X509_STORE_new();
9723 if (!TEST_ptr(new_cstore))
9724 goto end;
9725
9726 /* Set stores. */
9727 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
9728 goto end;
9729
9730 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
9731 goto end;
9732
9733 /* Should be able to retrieve the same pointer. */
9734 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
9735 goto end;
9736
9737 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
9738 goto end;
9739
9740 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
9741 goto end;
9742
9743 /* Should be able to unset again. */
9744 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
9745 goto end;
9746
9747 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
9748 goto end;
9749
9750 /* Should now be NULL. */
9751 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
9752 goto end;
9753
9754 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
9755 goto end;
9756
9757 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9758 goto end;
9759
9760 testresult = 1;
9761
9762end:
9763 X509_STORE_free(new_store);
9764 X509_STORE_free(new_cstore);
9765 SSL_free(ssl);
9766 SSL_CTX_free(ctx);
9767 return testresult;
9768}
9769
9770
dfccfde0
CH		 9771static int test_inherit_verify_param(void)
9772{
9773 int testresult = 0;
9774
9775 SSL_CTX *ctx = NULL;
9776 X509_VERIFY_PARAM *cp = NULL;
9777 SSL *ssl = NULL;
9778 X509_VERIFY_PARAM *sp = NULL;
9779 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
9780
9781 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9782 if (!TEST_ptr(ctx))
9783 goto end;
9784
9785 cp = SSL_CTX_get0_param(ctx);
9786 if (!TEST_ptr(cp))
9787 goto end;
9788 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
9789 goto end;
9790
9791 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
9792
9793 ssl = SSL_new(ctx);
9794 if (!TEST_ptr(ssl))
9795 goto end;
9796
9797 sp = SSL_get0_param(ssl);
9798 if (!TEST_ptr(sp))
9799 goto end;
9800 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
9801 goto end;
9802
9803 testresult = 1;
9804
9805 end:
9806 SSL_free(ssl);
9807 SSL_CTX_free(ctx);
9808
9809 return testresult;
9810}
9811
b2b8d188
DF		 9812static int test_load_dhfile(void)
9813{
9814#ifndef OPENSSL_NO_DH
9815 int testresult = 0;
9816
9817 SSL_CTX *ctx = NULL;
9818 SSL_CONF_CTX *cctx = NULL;
9819
9820 if (dhfile == NULL)
9821 return 1;
9822
9823 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()))
9824 || !TEST_ptr(cctx = SSL_CONF_CTX_new()))
9825 goto end;
9826
9827 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
9828 SSL_CONF_CTX_set_flags(cctx,
9829 SSL_CONF_FLAG_CERTIFICATE
9830 | SSL_CONF_FLAG_SERVER
9831 | SSL_CONF_FLAG_FILE);
9832
9833 if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2))
9834 goto end;
9835
9836 testresult = 1;
9837end:
9838 SSL_CONF_CTX_free(cctx);
9839 SSL_CTX_free(ctx);
9840
9841 return testresult;
9842#else
9843 return TEST_skip("DH not supported by this build");
9844#endif
9845}
9846
f7565348
MC		 9847#ifndef OSSL_NO_USABLE_TLS1_3
9848/* Test that read_ahead works across a key change */
9849static int test_read_ahead_key_change(void)
9850{
9851 SSL_CTX *cctx = NULL, *sctx = NULL;
9852 SSL *clientssl = NULL, *serverssl = NULL;
9853 int testresult = 0;
9854 char *msg = "Hello World";
9855 size_t written, readbytes;
9856 char buf[80];
9857 int i;
9858
9859 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9860 TLS_client_method(), TLS1_3_VERSION, 0,
9861 &sctx, &cctx, cert, privkey)))
9862 goto end;
9863
9864 SSL_CTX_set_read_ahead(sctx, 1);
9865
9866 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9867 &clientssl, NULL, NULL)))
9868 goto end;
9869
9870 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9871 goto end;
9872
9873 /* Write some data, send a key update, write more data */
9874 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
9875 || !TEST_size_t_eq(written, strlen(msg)))
9876 goto end;
9877
9878 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
9879 goto end;
9880
9881 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
9882 || !TEST_size_t_eq(written, strlen(msg)))
9883 goto end;
9884
9885 /*
9886 * Since read_ahead is on the first read below should read the record with
9887 * the first app data, the second record with the key update message, and
9888 * the third record with the app data all in one go. We should be able to
9889 * still process the read_ahead data correctly even though it crosses
9890 * epochs
9891 */
9892 for (i = 0; i < 2; i++) {
9893 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
9894 &readbytes)))
9895 goto end;
9896
9897 buf[readbytes] = '\0';
9898 if (!TEST_str_eq(buf, msg))
9899 goto end;
9900 }
9901
9902 testresult = 1;
9903
9904end:
9905 SSL_free(serverssl);
9906 SSL_free(clientssl);
9907 SSL_CTX_free(sctx);
9908 SSL_CTX_free(cctx);
9909 return testresult;
9910}
9911#endif /* OSSL_NO_USABLE_TLS1_3 */
9912
b2b8d188 9913OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
a43ce58f 9914
ad887416 9915int setup_tests(void)
2cb4b5f6 9916{
5e30f2fd
MC		 9917 char *modulename;
9918 char *configfile;
9919
b4250010 9920 libctx = OSSL_LIB_CTX_new();
5e30f2fd
MC		 9921 if (!TEST_ptr(libctx))
9922 return 0;
9923
9924 defctxnull = OSSL_PROVIDER_load(NULL, "null");
9925
9926 /*
9927 * Verify that the default and fips providers in the default libctx are not
9928 * available
9929 */
9930 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
9931 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
9932 return 0;
9933
8d242823
MC		 9934 if (!test_skip_common_options()) {
9935 TEST_error("Error parsing test options\n");
9936 return 0;
9937 }
9938
1a2a3a42
MC		 9939 if (!TEST_ptr(certsdir = test_get_argument(0))
9940 || !TEST_ptr(srpvfile = test_get_argument(1))
5e30f2fd
MC		 9941 || !TEST_ptr(tmpfilename = test_get_argument(2))
9942 || !TEST_ptr(modulename = test_get_argument(3))
b2b8d188
DF		 9943 || !TEST_ptr(configfile = test_get_argument(4))
9944 || !TEST_ptr(dhfile = test_get_argument(5)))
5e30f2fd
MC		 9945 return 0;
9946
b4250010 9947 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
5e30f2fd
MC		 9948 return 0;
9949
9950 /* Check we have the expected provider available */
9951 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
9952 return 0;
9953
9954 /* Check the default provider is not available */
9955 if (strcmp(modulename, "default") != 0
9956 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
710756a9 9957 return 0;
2cb4b5f6 9958
4f6c7044
MC		 9959 if (strcmp(modulename, "fips") == 0)
9960 is_fips = 1;
9961
0c13cdf8
MC		 9962 /*
9963 * We add, but don't load the test "tls-provider". We'll load it when we
9964 * need it.
9965 */
9966 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
9967 tls_provider_init)))
9968 return 0;
9969
9970
f297e4ec
RS		 9971 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
9972#ifdef OPENSSL_NO_CRYPTO_MDEBUG
9973 TEST_error("not supported in this build");
9974 return 0;
9975#else
9976 int i, mcount, rcount, fcount;
9977
9978 for (i = 0; i < 4; i++)
9979 test_export_key_mat(i);
9980 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
9981 test_printf_stdout("malloc %d realloc %d free %d\n",
9982 mcount, rcount, fcount);
9983 return 1;
9984#endif
9985 }
9986
1a2a3a42
MC		 9987 cert = test_mk_file_path(certsdir, "servercert.pem");
9988 if (cert == NULL)
b3842539 9989 goto err;
1a2a3a42
MC		 9990
9991 privkey = test_mk_file_path(certsdir, "serverkey.pem");
b3842539
MC		 9992 if (privkey == NULL)
9993 goto err;
9994
9995 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
9996 if (cert2 == NULL)
9997 goto err;
9998
9999 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
10000 if (privkey2 == NULL)
10001 goto err;
1a2a3a42 10002
3105d846
MC		 10003 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
10004 if (cert1024 == NULL)
10005 goto err;
10006
10007 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
10008 if (privkey1024 == NULL)
10009 goto err;
10010
10011 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
10012 if (cert3072 == NULL)
10013 goto err;
10014
10015 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
10016 if (privkey3072 == NULL)
10017 goto err;
10018
10019 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
10020 if (cert4096 == NULL)
10021 goto err;
10022
10023 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
10024 if (privkey4096 == NULL)
10025 goto err;
10026
10027 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
10028 if (cert8192 == NULL)
10029 goto err;
10030
10031 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
10032 if (privkey8192 == NULL)
10033 goto err;
10034
da4db160 10035#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
a763ca11 10036# if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
e1fdd526
JB		 10037 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
10038 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS);
c8e3a4c6 10039# endif
fe5d9450 10040#endif
84d5549e 10041 ADD_TEST(test_large_message_tls);
7856332e 10042 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 10043#ifndef OPENSSL_NO_DTLS
84d5549e 10044 ADD_TEST(test_large_message_dtls);
55386bef 10045#endif
163b8016 10046 ADD_TEST(test_cleanse_plaintext);
8f8c11d8 10047#ifndef OPENSSL_NO_OCSP
c887104f 10048 ADD_TEST(test_tlsext_status_type);
8f8c11d8 10049#endif
eaa776da
MC		 10050 ADD_TEST(test_session_with_only_int_cache);
10051 ADD_TEST(test_session_with_only_ext_cache);
10052 ADD_TEST(test_session_with_both_cache);
90fc2c26 10053 ADD_TEST(test_session_wo_ca_names);
a763ca11 10054#ifndef OSSL_NO_USABLE_TLS1_3
04d7814a
MC		 10055 ADD_ALL_TESTS(test_stateful_tickets, 3);
10056 ADD_ALL_TESTS(test_stateless_tickets, 3);
8614a4eb 10057 ADD_TEST(test_psk_tickets);
f0049b86 10058 ADD_ALL_TESTS(test_extra_tickets, 6);
36ff232c 10059#endif
7fb4c820 10060 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 10061 ADD_TEST(test_ssl_bio_pop_next_bio);
10062 ADD_TEST(test_ssl_bio_pop_ssl_bio);
10063 ADD_TEST(test_ssl_bio_change_rbio);
10064 ADD_TEST(test_ssl_bio_change_wbio);
a763ca11 10065#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
f1b25aae 10066 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 10067 ADD_TEST(test_keylog);
c423ecaa 10068#endif
a763ca11 10069#ifndef OSSL_NO_USABLE_TLS1_3
6acdd3e5
CB		 10070 ADD_TEST(test_keylog_no_master_key);
10071#endif
0c3eb279 10072 ADD_TEST(test_client_cert_verify_cb);
4e4ae840
SL		 10073 ADD_TEST(test_ssl_build_cert_chain);
10074 ADD_TEST(test_ssl_ctx_build_cert_chain);
e9ee6536 10075#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 10076 ADD_TEST(test_client_hello_cb);
088dfa13 10077 ADD_TEST(test_no_ems);
3cd14e5e 10078 ADD_TEST(test_ccs_change_cipher);
5f982038 10079#endif
a763ca11 10080#ifndef OSSL_NO_USABLE_TLS1_3
02a3ed5a 10081 ADD_ALL_TESTS(test_early_data_read_write, 3);
78fb5374
MC		 10082 /*
10083 * We don't do replay tests for external PSK. Replay protection isn't used
10084 * in that scenario.
10085 */
10086 ADD_ALL_TESTS(test_early_data_replay, 2);
02a3ed5a
MC		 10087 ADD_ALL_TESTS(test_early_data_skip, 3);
10088 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
0efa0ba4 10089 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
0d1b7789 10090 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
02a3ed5a 10091 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 10092 ADD_ALL_TESTS(test_early_data_psk, 8);
0b2b0be9 10093 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
02a3ed5a 10094 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 10095# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 10096 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 10097# endif
e9ee6536 10098#endif
a763ca11 10099#ifndef OSSL_NO_USABLE_TLS1_3
034cb87b 10100 ADD_ALL_TESTS(test_set_ciphersuite, 10);
ca0413ae 10101 ADD_TEST(test_ciphersuite_change);
5bf2eade 10102 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
10103# ifdef OPENSSL_NO_PSK
c2b290c3 10104 ADD_ALL_TESTS(test_tls13_psk, 1);
5bf2eade 10105# else
0d8da779 10106 ADD_ALL_TESTS(test_tls13_psk, 4);
5bf2eade 10107# endif /* OPENSSL_NO_PSK */
10108# ifndef OPENSSL_NO_TLS1_2
10109 /* Test with both TLSv1.3 and 1.2 versions */
db26ec80 10110 ADD_ALL_TESTS(test_key_exchange, 14);
6dc56df2
BK		 10111# if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
10112 ADD_ALL_TESTS(test_negotiated_group,
10113 4 * (OSSL_NELEM(ecdhe_kexch_groups)
10114 + OSSL_NELEM(ffdhe_kexch_groups)));
10115# endif
5bf2eade 10116# else
10117 /* Test with only TLSv1.3 versions */
10118 ADD_ALL_TESTS(test_key_exchange, 12);
10119# endif
0db3a990 10120 ADD_ALL_TESTS(test_custom_exts, 6);
c7b8ff25 10121 ADD_TEST(test_stateless);
9d75dce3 10122 ADD_TEST(test_pha_key_update);
a273157a 10123#else
bb01ef3f 10124 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 10125#endif
16afd71c 10126 ADD_ALL_TESTS(test_serverinfo, 8);
0fb2815b 10127 ADD_ALL_TESTS(test_export_key_mat, 6);
a763ca11 10128#ifndef OSSL_NO_USABLE_TLS1_3
b38ede80 10129 ADD_ALL_TESTS(test_export_key_mat_early, 3);
3409a5ff 10130 ADD_TEST(test_key_update);
0c48fda8 10131 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
10132 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
10133 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
10134 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
b38ede80 10135#endif
e11b6aa4 10136 ADD_ALL_TESTS(test_ssl_clear, 2);
cf72c757 10137 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
76fd7a1d
MC		 10138#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
10139 ADD_ALL_TESTS(test_srp, 6);
10140#endif
5718fe45 10141 ADD_ALL_TESTS(test_info_callback, 6);
4a432af8 10142 ADD_ALL_TESTS(test_ssl_pending, 2);
e401389a 10143 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
a76ce286 10144 ADD_ALL_TESTS(test_ticket_callbacks, 16);
57d7b988 10145 ADD_ALL_TESTS(test_shutdown, 7);
e638112e 10146 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
1a2a3a42 10147 ADD_ALL_TESTS(test_cert_cb, 6);
6e46c065 10148 ADD_ALL_TESTS(test_client_cert_cb, 2);
fb8c8359 10149 ADD_ALL_TESTS(test_ca_names, 3);
0d2bfe52
SL		 10150#ifndef OPENSSL_NO_TLS1_2
10151 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
10152#endif
49ef3d07 10153 ADD_ALL_TESTS(test_servername, 10);
b1fdbc68 10154#if !defined(OPENSSL_NO_EC) \
a763ca11 10155 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b3842539 10156 ADD_ALL_TESTS(test_sigalgs_available, 6);
0c13cdf8
MC		 10157#endif
10158#ifndef OPENSSL_NO_TLS1_3
c8e3a4c6 10159 ADD_ALL_TESTS(test_pluggable_group, 2);
49a36a52
MC		 10160#endif
10161#ifndef OPENSSL_NO_TLS1_2
10162 ADD_TEST(test_ssl_dup);
33c39a06
MC		 10163# ifndef OPENSSL_NO_DH
10164 ADD_ALL_TESTS(test_set_tmp_dh, 11);
3105d846 10165 ADD_ALL_TESTS(test_dh_auto, 7);
33c39a06 10166# endif
6582661f 10167#endif
a763ca11 10168#ifndef OSSL_NO_USABLE_TLS1_3
6582661f 10169 ADD_TEST(test_sni_tls13);
0089cc7f 10170 ADD_ALL_TESTS(test_ticket_lifetime, 2);
b3842539 10171#endif
dfccfde0 10172 ADD_TEST(test_inherit_verify_param);
feba11cf 10173 ADD_TEST(test_set_alpn);
948cf521
HL		 10174 ADD_TEST(test_set_verify_cert_store_ssl_ctx);
10175 ADD_TEST(test_set_verify_cert_store_ssl);
25959e04 10176 ADD_ALL_TESTS(test_session_timeout, 1);
b2b8d188 10177 ADD_TEST(test_load_dhfile);
f7565348
MC		 10178#ifndef OSSL_NO_USABLE_TLS1_3
10179 ADD_TEST(test_read_ahead_key_change);
10180#endif
ad887416 10181 return 1;
b3842539
MC		 10182
10183 err:
10184 OPENSSL_free(cert);
10185 OPENSSL_free(privkey);
10186 OPENSSL_free(cert2);
10187 OPENSSL_free(privkey2);
10188 return 0;
ad887416 10189}
2cb4b5f6 10190
ad887416
P		 10191void cleanup_tests(void)
10192{
8778f0eb 10193# if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
33c39a06
MC		 10194 EVP_PKEY_free(tmp_dh_params);
10195#endif
1a2a3a42
MC		 10196 OPENSSL_free(cert);
10197 OPENSSL_free(privkey);
b3842539
MC		 10198 OPENSSL_free(cert2);
10199 OPENSSL_free(privkey2);
3105d846
MC		 10200 OPENSSL_free(cert1024);
10201 OPENSSL_free(privkey1024);
10202 OPENSSL_free(cert3072);
10203 OPENSSL_free(privkey3072);
10204 OPENSSL_free(cert4096);
10205 OPENSSL_free(privkey4096);
10206 OPENSSL_free(cert8192);
10207 OPENSSL_free(privkey8192);
fa454945 10208 bio_s_mempacket_test_free();
a77b4dba 10209 bio_s_always_retry_free();
5e30f2fd 10210 OSSL_PROVIDER_unload(defctxnull);
b4250010 10211 OSSL_LIB_CTX_free(libctx);
2cb4b5f6 10212}
A mirror of the official openssl repository