]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Change the default number of NewSessionTickets we send to 2
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
6738bf14 2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6
MC		 3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
ba881d3b
MC		 10#include <string.h>
11
2cb4b5f6
MC		 12#include <openssl/opensslconf.h>
13#include <openssl/bio.h>
14#include <openssl/crypto.h>
15#include <openssl/ssl.h>
ba881d3b 16#include <openssl/ocsp.h>
76fd7a1d
MC		 17#include <openssl/srp.h>
18#include <openssl/txt_db.h>
d0191fe0 19#include <openssl/aes.h>
2cb4b5f6
MC		 20
21#include "ssltestlib.h"
c887104f 22#include "testutil.h"
f297e4ec 23#include "testutil/output.h"
176db6dc 24#include "internal/nelem.h"
ca0413ae 25#include "../ssl/ssl_locl.h"
2cb4b5f6
MC		 26
27static char *cert = NULL;
28static char *privkey = NULL;
76fd7a1d
MC		 29static char *srpvfile = NULL;
30static char *tmpfilename = NULL;
2cb4b5f6 31
cffe973c 32#define LOG_BUFFER_SIZE 2048
6acdd3e5 33static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 34static size_t server_log_buffer_index = 0;
6acdd3e5 35static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 36static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 37static int error_writing_log = 0;
38
8f8c11d8 39#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 40static const unsigned char orespder[] = "Dummy OCSP Response";
41static int ocsp_server_called = 0;
42static int ocsp_client_called = 0;
43
44static int cdummyarg = 1;
45static X509 *ocspcert = NULL;
8f8c11d8 46#endif
ba881d3b 47
84d5549e 48#define NUM_EXTRA_CERTS 40
cf72c757 49#define CLIENT_VERSION_LEN 2
84d5549e 50
f1a5939f
CB		 51/*
52 * This structure is used to validate that the correct number of log messages
53 * of various types are emitted when emitting secret logs.
54 */
55struct sslapitest_log_counts {
56 unsigned int rsa_key_exchange_count;
57 unsigned int master_secret_count;
cffe973c 58 unsigned int client_early_secret_count;
f1a5939f
CB		 59 unsigned int client_handshake_secret_count;
60 unsigned int server_handshake_secret_count;
61 unsigned int client_application_secret_count;
62 unsigned int server_application_secret_count;
01a2a654 63 unsigned int early_exporter_secret_count;
6329ce8f 64 unsigned int exporter_secret_count;
f1a5939f
CB		 65};
66
16afd71c
MC		 67
68static unsigned char serverinfov1[] = {
69 0xff, 0xff, /* Dummy extension type */
70 0x00, 0x01, /* Extension length is 1 byte */
71 0xff /* Dummy extension data */
72};
73
74static unsigned char serverinfov2[] = {
75 0x00, 0x00, 0x00,
76 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
77 0xff, 0xff, /* Dummy extension type */
78 0x00, 0x01, /* Extension length is 1 byte */
79 0xff /* Dummy extension data */
80};
81
710756a9
RS		 82static void client_keylog_callback(const SSL *ssl, const char *line)
83{
6acdd3e5
CB		 84 int line_length = strlen(line);
85
86 /* If the log doesn't fit, error out. */
710756a9
RS		 87 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
88 TEST_info("Client log too full");
6acdd3e5
CB		 89 error_writing_log = 1;
90 return;
91 }
92
93 strcat(client_log_buffer, line);
94 client_log_buffer_index += line_length;
710756a9 95 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 96}
97
710756a9
RS		 98static void server_keylog_callback(const SSL *ssl, const char *line)
99{
6acdd3e5
CB		 100 int line_length = strlen(line);
101
102 /* If the log doesn't fit, error out. */
710756a9 103 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 104 TEST_info("Server log too full");
6acdd3e5
CB		 105 error_writing_log = 1;
106 return;
107 }
108
109 strcat(server_log_buffer, line);
110 server_log_buffer_index += line_length;
710756a9 111 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 112}
113
114static int compare_hex_encoded_buffer(const char *hex_encoded,
115 size_t hex_length,
116 const uint8_t *raw,
710756a9
RS		 117 size_t raw_length)
118{
119 size_t i, j;
120 char hexed[3];
6acdd3e5 121
710756a9 122 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 123 return 1;
6acdd3e5 124
710756a9 125 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 126 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 127 if (!TEST_int_eq(hexed[0], hex_encoded[j])
128 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 129 return 1;
6acdd3e5
CB		 130 }
131
132 return 0;
133}
134
135static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 136 const SSL_SESSION *session,
710756a9
RS		 137 struct sslapitest_log_counts *expected)
138{
6acdd3e5
CB		 139 char *token = NULL;
140 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
141 size_t client_random_size = SSL3_RANDOM_SIZE;
142 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
143 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 144 unsigned int rsa_key_exchange_count = 0;
145 unsigned int master_secret_count = 0;
cffe973c 146 unsigned int client_early_secret_count = 0;
f1a5939f
CB		 147 unsigned int client_handshake_secret_count = 0;
148 unsigned int server_handshake_secret_count = 0;
149 unsigned int client_application_secret_count = 0;
150 unsigned int server_application_secret_count = 0;
01a2a654 151 unsigned int early_exporter_secret_count = 0;
6329ce8f 152 unsigned int exporter_secret_count = 0;
6acdd3e5 153
710756a9
RS		 154 for (token = strtok(buffer, " \n"); token != NULL;
155 token = strtok(NULL, " \n")) {
6acdd3e5 156 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 157 /*
158 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 159 * hex-encoded encrypted secret, then the hex-encoded pre-master
160 * secret.
161 */
710756a9 162 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 163 return 0;
710756a9 164 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 165 return 0;
710756a9 166 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 167 return 0;
f1a5939f
CB		 168 /*
169 * We can't sensibly check the log because the premaster secret is
170 * transient, and OpenSSL doesn't keep hold of it once the master
171 * secret is generated.
172 */
173 rsa_key_exchange_count++;
6acdd3e5 174 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 175 /*
176 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 177 * client random, then the hex-encoded master secret.
178 */
179 client_random_size = SSL_get_client_random(ssl,
180 actual_client_random,
181 SSL3_RANDOM_SIZE);
710756a9 182 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 183 return 0;
6acdd3e5 184
710756a9 185 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 186 return 0;
710756a9 187 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 188 return 0;
710756a9
RS		 189 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
190 actual_client_random,
191 client_random_size)))
f1a5939f 192 return 0;
6acdd3e5 193
710756a9 194 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 195 return 0;
6acdd3e5
CB		 196 master_key_size = SSL_SESSION_get_master_key(session,
197 actual_master_key,
198 master_key_size);
710756a9 199 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 200 return 0;
710756a9
RS		 201 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
202 actual_master_key,
203 master_key_size)))
f1a5939f 204 return 0;
f1a5939f 205 master_secret_count++;
cffe973c
PW		 206 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
207 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
710756a9
RS		 208 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
209 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
6329ce8f 210 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
01a2a654 211 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
6329ce8f 212 || strcmp(token, "EXPORTER_SECRET") == 0) {
f1a5939f
CB		 213 /*
214 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
215 * client random, and then the hex-encoded secret. In this case,
216 * we treat all of these secrets identically and then just
217 * distinguish between them when counting what we saw.
218 */
cffe973c
PW		 219 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
220 client_early_secret_count++;
221 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
f1a5939f
CB		 222 client_handshake_secret_count++;
223 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
224 server_handshake_secret_count++;
225 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
226 client_application_secret_count++;
227 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
228 server_application_secret_count++;
01a2a654
PW		 229 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
230 early_exporter_secret_count++;
6329ce8f
PW		 231 else if (strcmp(token, "EXPORTER_SECRET") == 0)
232 exporter_secret_count++;
f1a5939f
CB		 233
234 client_random_size = SSL_get_client_random(ssl,
235 actual_client_random,
236 SSL3_RANDOM_SIZE);
710756a9 237 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 238 return 0;
f1a5939f 239
710756a9 240 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 241 return 0;
710756a9 242 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 243 return 0;
710756a9
RS		 244 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
245 actual_client_random,
246 client_random_size)))
f1a5939f 247 return 0;
6acdd3e5 248
710756a9 249 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 250 return 0;
f1a5939f
CB		 251
252 /*
253 * TODO(TLS1.3): test that application traffic secrets are what
254 * we expect */
6acdd3e5 255 } else {
710756a9 256 TEST_info("Unexpected token %s\n", token);
f1a5939f 257 return 0;
6acdd3e5 258 }
6acdd3e5
CB		 259 }
260
710756a9
RS		 261 /* Got what we expected? */
262 if (!TEST_size_t_eq(rsa_key_exchange_count,
263 expected->rsa_key_exchange_count)
264 || !TEST_size_t_eq(master_secret_count,
265 expected->master_secret_count)
cffe973c
PW		 266 || !TEST_size_t_eq(client_early_secret_count,
267 expected->client_early_secret_count)
710756a9
RS		 268 || !TEST_size_t_eq(client_handshake_secret_count,
269 expected->client_handshake_secret_count)
270 || !TEST_size_t_eq(server_handshake_secret_count,
271 expected->server_handshake_secret_count)
272 || !TEST_size_t_eq(client_application_secret_count,
273 expected->client_application_secret_count)
274 || !TEST_size_t_eq(server_application_secret_count,
6329ce8f 275 expected->server_application_secret_count)
01a2a654
PW		 276 || !TEST_size_t_eq(early_exporter_secret_count,
277 expected->early_exporter_secret_count)
6329ce8f
PW		 278 || !TEST_size_t_eq(exporter_secret_count,
279 expected->exporter_secret_count))
710756a9
RS		 280 return 0;
281 return 1;
6acdd3e5
CB		 282}
283
c423ecaa 284#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
710756a9
RS		 285static int test_keylog(void)
286{
6acdd3e5
CB		 287 SSL_CTX *cctx = NULL, *sctx = NULL;
288 SSL *clientssl = NULL, *serverssl = NULL;
289 int testresult = 0;
f1a5939f 290 struct sslapitest_log_counts expected = {0};
6acdd3e5
CB		 291
292 /* Clean up logging space */
710756a9
RS		 293 memset(client_log_buffer, 0, sizeof(client_log_buffer));
294 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 295 client_log_buffer_index = 0;
296 server_log_buffer_index = 0;
297 error_writing_log = 0;
298
710756a9
RS		 299 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
300 TLS_client_method(),
7d7f6834 301 TLS1_VERSION, TLS_MAX_VERSION,
710756a9 302 &sctx, &cctx, cert, privkey)))
6acdd3e5 303 return 0;
6acdd3e5
CB		 304
305 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
306 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
307 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
308
f0deb4d3 309 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 310 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 311 goto end;
f0deb4d3 312
cf10df81
RS		 313 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
314 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 315 goto end;
6acdd3e5 316 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 317 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
318 == client_keylog_callback))
6acdd3e5 319 goto end;
710756a9 320 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 321 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
322 == server_keylog_callback))
6acdd3e5 323 goto end;
6acdd3e5 324
710756a9
RS		 325 /* Now do a handshake and check that the logs have been written to. */
326 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
327 &clientssl, NULL, NULL))
328 || !TEST_true(create_ssl_connection(serverssl, clientssl,
329 SSL_ERROR_NONE))
330 || !TEST_false(error_writing_log)
331 || !TEST_int_gt(client_log_buffer_index, 0)
332 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 333 goto end;
6acdd3e5 334
f1a5939f
CB		 335 /*
336 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 337 * do that by using strtok and confirming that we have more or less the
f1a5939f
CB		 338 * data we expect. For both client and server, we expect to see one master
339 * secret. The client should also see a RSA key exchange.
6acdd3e5 340 */
f1a5939f
CB		 341 expected.rsa_key_exchange_count = 1;
342 expected.master_secret_count = 1;
710756a9
RS		 343 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
344 SSL_get_session(clientssl), &expected)))
6acdd3e5 345 goto end;
f1a5939f
CB		 346
347 expected.rsa_key_exchange_count = 0;
710756a9
RS		 348 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
349 SSL_get_session(serverssl), &expected)))
6acdd3e5 350 goto end;
6acdd3e5
CB		 351
352 testresult = 1;
353
354end:
355 SSL_free(serverssl);
356 SSL_free(clientssl);
357 SSL_CTX_free(sctx);
358 SSL_CTX_free(cctx);
359
360 return testresult;
361}
c423ecaa 362#endif
6acdd3e5
CB		 363
364#ifndef OPENSSL_NO_TLS1_3
710756a9
RS		 365static int test_keylog_no_master_key(void)
366{
6acdd3e5
CB		 367 SSL_CTX *cctx = NULL, *sctx = NULL;
368 SSL *clientssl = NULL, *serverssl = NULL;
cffe973c 369 SSL_SESSION *sess = NULL;
6acdd3e5 370 int testresult = 0;
f1a5939f 371 struct sslapitest_log_counts expected = {0};
cffe973c
PW		 372 unsigned char buf[1];
373 size_t readbytes, written;
6acdd3e5
CB		 374
375 /* Clean up logging space */
710756a9
RS		 376 memset(client_log_buffer, 0, sizeof(client_log_buffer));
377 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 378 client_log_buffer_index = 0;
379 server_log_buffer_index = 0;
380 error_writing_log = 0;
381
7d7f6834
RL		 382 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
383 TLS1_VERSION, TLS_MAX_VERSION,
cffe973c
PW		 384 &sctx, &cctx, cert, privkey))
385 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
cffe973c 386 SSL3_RT_MAX_PLAIN_LENGTH)))
6acdd3e5 387 return 0;
6acdd3e5 388
cf10df81
RS		 389 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
390 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 391 goto end;
6acdd3e5
CB		 392
393 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 394 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
395 == client_keylog_callback))
6acdd3e5 396 goto end;
6acdd3e5 397
710756a9 398 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 399 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
400 == server_keylog_callback))
6acdd3e5 401 goto end;
6acdd3e5 402
710756a9
RS		 403 /* Now do a handshake and check that the logs have been written to. */
404 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
405 &clientssl, NULL, NULL))
406 || !TEST_true(create_ssl_connection(serverssl, clientssl,
407 SSL_ERROR_NONE))
408 || !TEST_false(error_writing_log))
6acdd3e5 409 goto end;
6acdd3e5 410
f1a5939f
CB		 411 /*
412 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 413 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 414 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 415 */
f1a5939f
CB		 416 expected.client_handshake_secret_count = 1;
417 expected.server_handshake_secret_count = 1;
418 expected.client_application_secret_count = 1;
419 expected.server_application_secret_count = 1;
6329ce8f 420 expected.exporter_secret_count = 1;
710756a9
RS		 421 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
422 SSL_get_session(clientssl), &expected))
423 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
424 SSL_get_session(serverssl),
425 &expected)))
6acdd3e5 426 goto end;
6acdd3e5 427
cffe973c
PW		 428 /* Terminate old session and resume with early data. */
429 sess = SSL_get1_session(clientssl);
430 SSL_shutdown(clientssl);
431 SSL_shutdown(serverssl);
432 SSL_free(serverssl);
433 SSL_free(clientssl);
434 serverssl = clientssl = NULL;
435
436 /* Reset key log */
437 memset(client_log_buffer, 0, sizeof(client_log_buffer));
438 memset(server_log_buffer, 0, sizeof(server_log_buffer));
439 client_log_buffer_index = 0;
440 server_log_buffer_index = 0;
441
442 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
443 &clientssl, NULL, NULL))
444 || !TEST_true(SSL_set_session(clientssl, sess))
445 /* Here writing 0 length early data is enough. */
446 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
447 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
448 &readbytes),
449 SSL_READ_EARLY_DATA_ERROR)
450 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
451 SSL_EARLY_DATA_ACCEPTED)
452 || !TEST_true(create_ssl_connection(serverssl, clientssl,
453 SSL_ERROR_NONE))
454 || !TEST_true(SSL_session_reused(clientssl)))
455 goto end;
456
457 /* In addition to the previous entries, expect early secrets. */
458 expected.client_early_secret_count = 1;
01a2a654 459 expected.early_exporter_secret_count = 1;
cffe973c
PW		 460 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
461 SSL_get_session(clientssl), &expected))
462 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
463 SSL_get_session(serverssl),
464 &expected)))
465 goto end;
466
6acdd3e5
CB		 467 testresult = 1;
468
469end:
cffe973c 470 SSL_SESSION_free(sess);
6acdd3e5
CB		 471 SSL_free(serverssl);
472 SSL_free(clientssl);
473 SSL_CTX_free(sctx);
474 SSL_CTX_free(cctx);
475
476 return testresult;
477}
478#endif
479
e9ee6536 480#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 481static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 482{
483 int *ctr = arg;
484 const unsigned char *p;
8ea404fb 485 int *exts;
2afaee51
BK		 486 /* We only configure two ciphers, but the SCSV is added automatically. */
487#ifdef OPENSSL_NO_EC
488 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
489#else
490 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
491 0x2c, 0x00, 0xff};
492#endif
8ea404fb
BK		 493 const int expected_extensions[] = {
494#ifndef OPENSSL_NO_EC
495 11, 10,
496#endif
10ed1b72 497 35, 22, 23, 13};
2afaee51
BK		 498 size_t len;
499
500 /* Make sure we can defer processing and get called back. */
501 if ((*ctr)++ == 0)
f1b97da1 502 return SSL_CLIENT_HELLO_RETRY;
2afaee51 503
a9c0d8be 504 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 505 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 506 || !TEST_size_t_eq(
507 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 508 || !TEST_int_eq(*p, 0))
f1b97da1 509 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 510 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 511 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 512 if (len != OSSL_NELEM(expected_extensions) ||
513 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 514 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 515 OPENSSL_free(exts);
f1b97da1 516 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 517 }
518 OPENSSL_free(exts);
f1b97da1 519 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 520}
521
a9c0d8be 522static int test_client_hello_cb(void)
710756a9 523{
2afaee51
BK		 524 SSL_CTX *cctx = NULL, *sctx = NULL;
525 SSL *clientssl = NULL, *serverssl = NULL;
526 int testctr = 0, testresult = 0;
527
7d7f6834
RL		 528 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
529 TLS1_VERSION, TLS_MAX_VERSION,
530 &sctx, &cctx, cert, privkey)))
2afaee51 531 goto end;
a9c0d8be 532 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 533
2afaee51
BK		 534 /* The gimpy cipher list we configure can't do TLS 1.3. */
535 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 536
710756a9
RS		 537 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
538 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
539 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
540 &clientssl, NULL, NULL))
541 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 542 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 543 /*
544 * Passing a -1 literal is a hack since
545 * the real value was lost.
546 * */
a9c0d8be
DB		 547 || !TEST_int_eq(SSL_get_error(serverssl, -1),
548 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 549 || !TEST_true(create_ssl_connection(serverssl, clientssl,
550 SSL_ERROR_NONE)))
2afaee51 551 goto end;
2afaee51
BK		 552
553 testresult = 1;
554
555end:
556 SSL_free(serverssl);
557 SSL_free(clientssl);
558 SSL_CTX_free(sctx);
559 SSL_CTX_free(cctx);
560
561 return testresult;
562}
e9ee6536 563#endif
2afaee51 564
84d5549e 565static int execute_test_large_message(const SSL_METHOD *smeth,
7d7f6834
RL		 566 const SSL_METHOD *cmeth,
567 int min_version, int max_version,
568 int read_ahead)
84d5549e
MC		 569{
570 SSL_CTX *cctx = NULL, *sctx = NULL;
571 SSL *clientssl = NULL, *serverssl = NULL;
572 int testresult = 0;
573 int i;
710756a9 574 BIO *certbio = NULL;
84d5549e
MC		 575 X509 *chaincert = NULL;
576 int certlen;
577
710756a9 578 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
84d5549e 579 goto end;
84d5549e 580 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
fa454945
MC		 581 BIO_free(certbio);
582 certbio = NULL;
710756a9 583 if (!TEST_ptr(chaincert))
fa454945 584 goto end;
84d5549e 585
7d7f6834
RL		 586 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
587 &sctx, &cctx, cert, privkey)))
84d5549e 588 goto end;
84d5549e 589
710756a9 590 if (read_ahead) {
7856332e
MC		 591 /*
592 * Test that read_ahead works correctly when dealing with large
593 * records
594 */
595 SSL_CTX_set_read_ahead(cctx, 1);
596 }
597
84d5549e
MC		 598 /*
599 * We assume the supplied certificate is big enough so that if we add
600 * NUM_EXTRA_CERTS it will make the overall message large enough. The
601 * default buffer size is requested to be 16k, but due to the way BUF_MEM
710756a9
RS		 602 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
603 * test we need to have a message larger than that.
84d5549e
MC		 604 */
605 certlen = i2d_X509(chaincert, NULL);
710756a9
RS		 606 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
607 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
84d5549e 608 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
710756a9 609 if (!X509_up_ref(chaincert))
84d5549e 610 goto end;
84d5549e 611 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
84d5549e
MC		 612 X509_free(chaincert);
613 goto end;
614 }
615 }
616
710756a9
RS		 617 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
618 NULL, NULL))
619 || !TEST_true(create_ssl_connection(serverssl, clientssl,
620 SSL_ERROR_NONE)))
84d5549e 621 goto end;
84d5549e 622
4bf08600
MC		 623 /*
624 * Calling SSL_clear() first is not required but this tests that SSL_clear()
625 * doesn't leak (when using enable-crypto-mdebug).
626 */
710756a9 627 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 628 goto end;
84d5549e 629
4bf08600 630 testresult = 1;
84d5549e
MC		 631 end:
632 X509_free(chaincert);
633 SSL_free(serverssl);
634 SSL_free(clientssl);
635 SSL_CTX_free(sctx);
636 SSL_CTX_free(cctx);
637
638 return testresult;
639}
640
641static int test_large_message_tls(void)
642{
7856332e 643 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
7d7f6834 644 TLS1_VERSION, TLS_MAX_VERSION,
7856332e
MC		 645 0);
646}
647
648static int test_large_message_tls_read_ahead(void)
649{
650 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
7d7f6834 651 TLS1_VERSION, TLS_MAX_VERSION,
7856332e 652 1);
84d5549e
MC		 653}
654
55386bef 655#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 656static int test_large_message_dtls(void)
657{
7856332e
MC		 658 /*
659 * read_ahead is not relevant to DTLS because DTLS always acts as if
660 * read_ahead is set.
661 */
84d5549e 662 return execute_test_large_message(DTLS_server_method(),
7d7f6834
RL		 663 DTLS_client_method(),
664 DTLS1_VERSION, DTLS_MAX_VERSION,
665 0);
84d5549e 666}
55386bef 667#endif
84d5549e 668
8f8c11d8 669#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 670static int ocsp_server_cb(SSL *s, void *arg)
671{
672 int *argi = (int *)arg;
710756a9 673 unsigned char *copy = NULL;
ba881d3b
MC		 674 STACK_OF(OCSP_RESPID) *ids = NULL;
675 OCSP_RESPID *id = NULL;
676
677 if (*argi == 2) {
678 /* In this test we are expecting exactly 1 OCSP_RESPID */
679 SSL_get_tlsext_status_ids(s, &ids);
680 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
681 return SSL_TLSEXT_ERR_ALERT_FATAL;
682
683 id = sk_OCSP_RESPID_value(ids, 0);
684 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
685 return SSL_TLSEXT_ERR_ALERT_FATAL;
686 } else if (*argi != 1) {
687 return SSL_TLSEXT_ERR_ALERT_FATAL;
688 }
689
710756a9 690 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 691 return SSL_TLSEXT_ERR_ALERT_FATAL;
692
710756a9 693 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
ba881d3b 694 ocsp_server_called = 1;
ba881d3b
MC		 695 return SSL_TLSEXT_ERR_OK;
696}
697
698static int ocsp_client_cb(SSL *s, void *arg)
699{
700 int *argi = (int *)arg;
701 const unsigned char *respderin;
702 size_t len;
703
704 if (*argi != 1 && *argi != 2)
705 return 0;
706
707 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 708 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 709 return 0;
710
711 ocsp_client_called = 1;
ba881d3b
MC		 712 return 1;
713}
714
2cb4b5f6
MC		 715static int test_tlsext_status_type(void)
716{
ba881d3b
MC		 717 SSL_CTX *cctx = NULL, *sctx = NULL;
718 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 719 int testresult = 0;
ba881d3b
MC		 720 STACK_OF(OCSP_RESPID) *ids = NULL;
721 OCSP_RESPID *id = NULL;
722 BIO *certbio = NULL;
2cb4b5f6 723
7d7f6834
RL		 724 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
725 TLS1_VERSION, TLS_MAX_VERSION,
726 &sctx, &cctx, cert, privkey))
ba881d3b 727 return 0;
2cb4b5f6 728
710756a9 729 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 730 goto end;
2cb4b5f6 731
ba881d3b 732 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 733
ba881d3b 734 clientssl = SSL_new(cctx);
710756a9
RS		 735 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
736 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
737 TLSEXT_STATUSTYPE_ocsp))
738 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
739 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 740 goto end;
2cb4b5f6 741
ba881d3b
MC		 742 SSL_free(clientssl);
743 clientssl = NULL;
2cb4b5f6 744
710756a9
RS		 745 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
746 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 747 goto end;
2cb4b5f6 748
ba881d3b 749 clientssl = SSL_new(cctx);
710756a9 750 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 751 goto end;
ba881d3b
MC		 752 SSL_free(clientssl);
753 clientssl = NULL;
754
755 /*
756 * Now actually do a handshake and check OCSP information is exchanged and
757 * the callbacks get called
758 */
ba881d3b
MC		 759 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
760 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
761 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
762 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 763 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
764 &clientssl, NULL, NULL))
765 || !TEST_true(create_ssl_connection(serverssl, clientssl,
766 SSL_ERROR_NONE))
767 || !TEST_true(ocsp_client_called)
768 || !TEST_true(ocsp_server_called))
ba881d3b 769 goto end;
ba881d3b
MC		 770 SSL_free(serverssl);
771 SSL_free(clientssl);
772 serverssl = NULL;
773 clientssl = NULL;
774
775 /* Try again but this time force the server side callback to fail */
776 ocsp_client_called = 0;
777 ocsp_server_called = 0;
778 cdummyarg = 0;
710756a9
RS		 779 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
780 &clientssl, NULL, NULL))
781 /* This should fail because the callback will fail */
782 || !TEST_false(create_ssl_connection(serverssl, clientssl,
783 SSL_ERROR_NONE))
784 || !TEST_false(ocsp_client_called)
785 || !TEST_false(ocsp_server_called))
ba881d3b 786 goto end;
ba881d3b
MC		 787 SSL_free(serverssl);
788 SSL_free(clientssl);
789 serverssl = NULL;
790 clientssl = NULL;
791
792 /*
793 * This time we'll get the client to send an OCSP_RESPID that it will
794 * accept.
795 */
796 ocsp_client_called = 0;
797 ocsp_server_called = 0;
798 cdummyarg = 2;
710756a9
RS		 799 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
800 &clientssl, NULL, NULL)))
ba881d3b 801 goto end;
ba881d3b
MC		 802
803 /*
804 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 805 * specific one. We'll use the server cert.
ba881d3b 806 */
710756a9
RS		 807 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
808 || !TEST_ptr(id = OCSP_RESPID_new())
809 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
810 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
811 NULL, NULL, NULL))
812 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
813 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 814 goto end;
ba881d3b
MC		 815 id = NULL;
816 SSL_set_tlsext_status_ids(clientssl, ids);
817 /* Control has been transferred */
818 ids = NULL;
819
820 BIO_free(certbio);
821 certbio = NULL;
822
710756a9
RS		 823 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
824 SSL_ERROR_NONE))
825 || !TEST_true(ocsp_client_called)
826 || !TEST_true(ocsp_server_called))
ba881d3b 827 goto end;
ba881d3b 828
2cb4b5f6
MC		 829 testresult = 1;
830
831 end:
ba881d3b
MC		 832 SSL_free(serverssl);
833 SSL_free(clientssl);
834 SSL_CTX_free(sctx);
835 SSL_CTX_free(cctx);
836 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
837 OCSP_RESPID_free(id);
838 BIO_free(certbio);
839 X509_free(ocspcert);
840 ocspcert = NULL;
2cb4b5f6
MC		 841
842 return testresult;
843}
8f8c11d8 844#endif
2cb4b5f6 845
bf208d95 846#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 847static int new_called, remove_called, get_called;
eaa776da 848
eaa776da
MC		 849static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
850{
851 new_called++;
c0537ebd
MC		 852 /*
853 * sess has been up-refed for us, but we don't actually need it so free it
854 * immediately.
855 */
856 SSL_SESSION_free(sess);
eaa776da
MC		 857 return 1;
858}
859
860static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
861{
862 remove_called++;
863}
864
7a301f08
MC		 865static SSL_SESSION *get_sess_val = NULL;
866
867static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
868 int *copy)
869{
0afca811 870 get_called++;
7a301f08
MC		 871 *copy = 1;
872 return get_sess_val;
873}
874
7a301f08
MC		 875static int execute_test_session(int maxprot, int use_int_cache,
876 int use_ext_cache)
2cb4b5f6
MC		 877{
878 SSL_CTX *sctx = NULL, *cctx = NULL;
879 SSL *serverssl1 = NULL, *clientssl1 = NULL;
880 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 881# ifndef OPENSSL_NO_TLS1_1
eaa776da 882 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 883# endif
2cb4b5f6 884 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
36ff232c 885 int testresult = 0, numnewsesstick = 1;
2cb4b5f6 886
7e885b7b
P		 887 new_called = remove_called = 0;
888
36ff232c
MC		 889 /* TLSv1.3 sends 2 NewSessionTickets */
890 if (maxprot == TLS1_3_VERSION)
891 numnewsesstick = 2;
892
7d7f6834
RL		 893 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
894 TLS1_VERSION, TLS_MAX_VERSION,
895 &sctx, &cctx, cert, privkey)))
2cb4b5f6 896 return 0;
2cb4b5f6 897
7a301f08
MC		 898 /*
899 * Only allow the max protocol version so we can force a connection failure
900 * later
901 */
902 SSL_CTX_set_min_proto_version(cctx, maxprot);
903 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 904
905 /* Set up session cache */
7e885b7b 906 if (use_ext_cache) {
eaa776da
MC		 907 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
908 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
909 }
7e885b7b 910 if (use_int_cache) {
eaa776da
MC		 911 /* Also covers instance where both are set */
912 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
913 } else {
914 SSL_CTX_set_session_cache_mode(cctx,
915 SSL_SESS_CACHE_CLIENT
916 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
917 }
2cb4b5f6 918
710756a9
RS		 919 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
920 NULL, NULL))
921 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
922 SSL_ERROR_NONE))
923 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 924 goto end;
2cb4b5f6 925
710756a9 926 /* Should fail because it should already be in the cache */
7e885b7b 927 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 928 goto end;
7a301f08 929 if (use_ext_cache
36ff232c
MC		 930 && (!TEST_int_eq(new_called, numnewsesstick)
931
932 || !TEST_int_eq(remove_called, 0)))
b4982125 933 goto end;
b4982125 934
c0537ebd
MC		 935 new_called = remove_called = 0;
936 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
937 &clientssl2, NULL, NULL))
938 || !TEST_true(SSL_set_session(clientssl2, sess1))
939 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
940 SSL_ERROR_NONE))
941 || !TEST_true(SSL_session_reused(clientssl2)))
942 goto end;
943
7a301f08
MC		 944 if (maxprot == TLS1_3_VERSION) {
945 /*
946 * In TLSv1.3 we should have created a new session even though we have
36ff232c 947 * resumed.
7a301f08
MC		 948 */
949 if (use_ext_cache
950 && (!TEST_int_eq(new_called, 1)
36ff232c 951 || !TEST_int_eq(remove_called, 0)))
7a301f08
MC		 952 goto end;
953 } else {
954 /*
955 * In TLSv1.2 we expect to have resumed so no sessions added or
956 * removed.
957 */
958 if (use_ext_cache
959 && (!TEST_int_eq(new_called, 0)
960 || !TEST_int_eq(remove_called, 0)))
961 goto end;
962 }
c0537ebd
MC		 963
964 SSL_SESSION_free(sess1);
965 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
966 goto end;
967 shutdown_ssl_connection(serverssl2, clientssl2);
968 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 969
970 new_called = remove_called = 0;
710756a9
RS		 971 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
972 &clientssl2, NULL, NULL))
973 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
974 SSL_ERROR_NONE)))
2cb4b5f6 975 goto end;
2cb4b5f6 976
710756a9 977 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 978 goto end;
2cb4b5f6 979
7a301f08 980 if (use_ext_cache
36ff232c
MC		 981 && (!TEST_int_eq(new_called, numnewsesstick)
982 || !TEST_int_eq(remove_called, 0)))
eaa776da 983 goto end;
eaa776da 984
c0537ebd 985 new_called = remove_called = 0;
2cb4b5f6 986 /*
710756a9
RS		 987 * This should clear sess2 from the cache because it is a "bad" session.
988 * See SSL_set_session() documentation.
2cb4b5f6 989 */
710756a9 990 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 991 goto end;
7a301f08
MC		 992 if (use_ext_cache
993 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 994 goto end;
710756a9 995 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 996 goto end;
2cb4b5f6 997
7e885b7b 998 if (use_int_cache) {
710756a9
RS		 999 /* Should succeeded because it should not already be in the cache */
1000 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1001 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 1002 goto end;
eaa776da
MC		 1003 }
1004
c0537ebd 1005 new_called = remove_called = 0;
eaa776da 1006 /* This shouldn't be in the cache so should fail */
710756a9 1007 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 1008 goto end;
2cb4b5f6 1009
7a301f08
MC		 1010 if (use_ext_cache
1011 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1012 goto end;
2cb4b5f6 1013
bf208d95 1014# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 1015 new_called = remove_called = 0;
eaa776da
MC		 1016 /* Force a connection failure */
1017 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 1018 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1019 &clientssl3, NULL, NULL))
1020 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 1021 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 1022 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1023 SSL_ERROR_NONE)))
eaa776da 1024 goto end;
b4982125 1025
eaa776da 1026 /* We should have automatically removed the session from the cache */
7a301f08
MC		 1027 if (use_ext_cache
1028 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1029 goto end;
2cb4b5f6 1030
710756a9 1031 /* Should succeed because it should not already be in the cache */
7e885b7b 1032 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 1033 goto end;
bf208d95 1034# endif
eaa776da 1035
7a301f08
MC		 1036 /* Now do some tests for server side caching */
1037 if (use_ext_cache) {
1038 SSL_CTX_sess_set_new_cb(cctx, NULL);
1039 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1040 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1041 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1042 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1043 get_sess_val = NULL;
1044 }
1045
1046 SSL_CTX_set_session_cache_mode(cctx, 0);
1047 /* Internal caching is the default on the server side */
1048 if (!use_int_cache)
1049 SSL_CTX_set_session_cache_mode(sctx,
1050 SSL_SESS_CACHE_SERVER
1051 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1052
1053 SSL_free(serverssl1);
1054 SSL_free(clientssl1);
1055 serverssl1 = clientssl1 = NULL;
1056 SSL_free(serverssl2);
1057 SSL_free(clientssl2);
1058 serverssl2 = clientssl2 = NULL;
1059 SSL_SESSION_free(sess1);
1060 sess1 = NULL;
1061 SSL_SESSION_free(sess2);
1062 sess2 = NULL;
1063
1064 SSL_CTX_set_max_proto_version(sctx, maxprot);
1065 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 1066 new_called = remove_called = get_called = 0;
7a301f08
MC		 1067 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1068 NULL, NULL))
1069 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1070 SSL_ERROR_NONE))
1071 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1072 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1073 goto end;
1074
1075 /* Should fail because it should already be in the cache */
1076 if (use_int_cache && !TEST_false(SSL_CTX_add_session(sctx, sess2)))
1077 goto end;
1078
1079 if (use_ext_cache) {
1080 SSL_SESSION *tmp = sess2;
1081
36ff232c 1082 if (!TEST_int_eq(new_called, numnewsesstick)
0afca811
KY		 1083 || !TEST_int_eq(remove_called, 0)
1084 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 1085 goto end;
1086 /*
1087 * Delete the session from the internal cache to force a lookup from
1088 * the external cache. We take a copy first because
1089 * SSL_CTX_remove_session() also marks the session as non-resumable.
1090 */
3cb6a4d6
BK		 1091 if (use_int_cache) {
1092 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1093 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1094 goto end;
1095 SSL_SESSION_free(sess2);
1096 }
7a301f08
MC		 1097 sess2 = tmp;
1098 }
1099
0afca811 1100 new_called = remove_called = get_called = 0;
7a301f08
MC		 1101 get_sess_val = sess2;
1102 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1103 &clientssl2, NULL, NULL))
1104 || !TEST_true(SSL_set_session(clientssl2, sess1))
1105 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1106 SSL_ERROR_NONE))
1107 || !TEST_true(SSL_session_reused(clientssl2)))
1108 goto end;
1109
0afca811 1110 if (use_ext_cache) {
32305f88 1111 if (!TEST_int_eq(remove_called, 0))
0afca811
KY		 1112 goto end;
1113
1114 if (maxprot == TLS1_3_VERSION) {
32305f88
MC		 1115 if (!TEST_int_eq(new_called, 1)
1116 || !TEST_int_eq(get_called, 0))
0afca811
KY		 1117 goto end;
1118 } else {
32305f88
MC		 1119 if (!TEST_int_eq(new_called, 0)
1120 || !TEST_int_eq(get_called, 1))
0afca811
KY		 1121 goto end;
1122 }
1123 }
7a301f08 1124
2cb4b5f6 1125 testresult = 1;
eaa776da 1126
2cb4b5f6
MC		 1127 end:
1128 SSL_free(serverssl1);
1129 SSL_free(clientssl1);
1130 SSL_free(serverssl2);
1131 SSL_free(clientssl2);
bf208d95 1132# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 1133 SSL_free(serverssl3);
1134 SSL_free(clientssl3);
bf208d95 1135# endif
2cb4b5f6
MC		 1136 SSL_SESSION_free(sess1);
1137 SSL_SESSION_free(sess2);
1138 SSL_CTX_free(sctx);
1139 SSL_CTX_free(cctx);
1140
1141 return testresult;
1142}
bf208d95 1143#endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 1144
7fb4c820
MC		 1145static int test_session_with_only_int_cache(void)
1146{
7a301f08
MC		 1147#ifndef OPENSSL_NO_TLS1_3
1148 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1149 return 0;
1150#endif
1151
1152#ifndef OPENSSL_NO_TLS1_2
1153 return execute_test_session(TLS1_2_VERSION, 1, 0);
1154#else
1155 return 1;
1156#endif
eaa776da
MC		 1157}
1158
7fb4c820
MC		 1159static int test_session_with_only_ext_cache(void)
1160{
7a301f08
MC		 1161#ifndef OPENSSL_NO_TLS1_3
1162 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1163 return 0;
1164#endif
1165
1166#ifndef OPENSSL_NO_TLS1_2
1167 return execute_test_session(TLS1_2_VERSION, 0, 1);
1168#else
1169 return 1;
1170#endif
eaa776da
MC		 1171}
1172
7fb4c820
MC		 1173static int test_session_with_both_cache(void)
1174{
7a301f08
MC		 1175#ifndef OPENSSL_NO_TLS1_3
1176 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1177 return 0;
1178#endif
1179
1180#ifndef OPENSSL_NO_TLS1_2
1181 return execute_test_session(TLS1_2_VERSION, 1, 1);
1182#else
1183 return 1;
1184#endif
eaa776da
MC		 1185}
1186
36ff232c
MC		 1187SSL_SESSION *sesscache[9];
1188
1189static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1190{
1191 sesscache[new_called++] = sess;
1192
1193 return 1;
1194}
1195
1196static int test_tickets(int idx)
1197{
1198 SSL_CTX *sctx = NULL, *cctx = NULL;
1199 SSL *serverssl = NULL, *clientssl = NULL;
1200 int testresult = 0, i;
1201 size_t j;
1202
1203 /* idx is the test number, but also the number of tickets we want */
1204
1205 new_called = 0;
1206
1207 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1208 TLS1_VERSION, TLS_MAX_VERSION, &sctx,
1209 &cctx, cert, privkey))
1210 || !TEST_true(SSL_CTX_set_num_tickets(sctx, idx)))
1211 goto end;
1212
1213 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
1214 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1215 SSL_CTX_sess_set_new_cb(cctx, new_cachesession_cb);
1216
1217 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1218 &clientssl, NULL, NULL)))
1219 goto end;
1220
1221 SSL_force_post_handshake_auth(clientssl);
1222
1223 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1224 SSL_ERROR_NONE))
1225 /* Check we got the number of tickets we were expecting */
1226 || !TEST_int_eq(idx, new_called))
1227 goto end;
1228
1229 /* After a post-handshake authentication we should get new tickets issued */
1230 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
1231 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
1232 goto end;
1233
1234 /* Start handshake on the server and client */
1235 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1)
1236 || !TEST_int_le(SSL_read(clientssl, NULL, 0), 0)
1237 || !TEST_int_le(SSL_read(serverssl, NULL, 0), 0)
1238 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1239 SSL_ERROR_NONE))
1240 || !TEST_int_eq(idx * 2, new_called))
1241 goto end;
1242
1243 SSL_CTX_sess_set_new_cb(cctx, NULL);
1244 SSL_shutdown(clientssl);
1245 SSL_shutdown(serverssl);
1246 SSL_free(serverssl);
1247 SSL_free(clientssl);
1248 serverssl = clientssl = NULL;
1249
1250 /* Test that we can resume with all the tickets we got given */
1251 for (i = 0; i < new_called; i++) {
1252 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1253 &clientssl, NULL, NULL))
1254 || !TEST_true(SSL_set_session(clientssl, sesscache[i]))
1255 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1256 SSL_ERROR_NONE))
1257 || !TEST_true(SSL_session_reused(clientssl)))
1258 goto end;
1259
1260 SSL_shutdown(clientssl);
1261 SSL_shutdown(serverssl);
1262 SSL_free(serverssl);
1263 SSL_free(clientssl);
1264 serverssl = clientssl = NULL;
1265 SSL_SESSION_free(sesscache[i]);
1266 sesscache[i] = NULL;
1267 }
1268
1269 testresult = 1;
1270
1271 end:
1272 SSL_free(serverssl);
1273 SSL_free(clientssl);
1274 for (j = 0; j < OSSL_NELEM(sesscache); j++)
1275 SSL_SESSION_free(sesscache[j]);
1276 SSL_CTX_free(sctx);
1277 SSL_CTX_free(cctx);
1278
1279 return testresult;
1280}
1281
7d4488bb
MC		 1282#define USE_NULL 0
1283#define USE_BIO_1 1
1284#define USE_BIO_2 2
1285#define USE_DEFAULT 3
1286
1287#define CONNTYPE_CONNECTION_SUCCESS 0
1288#define CONNTYPE_CONNECTION_FAIL 1
1289#define CONNTYPE_NO_CONNECTION 2
1290
1291#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1292#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1293#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1294# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1295#else
1296# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1297#endif
1298
7d4488bb
MC		 1299#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1300 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1301 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
7fb4c820
MC		 1302
1303static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1304{
1305 switch (type) {
1306 case USE_NULL:
1307 *res = NULL;
1308 break;
1309 case USE_BIO_1:
1310 *res = bio1;
1311 break;
1312 case USE_BIO_2:
1313 *res = bio2;
1314 break;
1315 }
1316}
1317
7d4488bb
MC		 1318
1319/*
1320 * Tests calls to SSL_set_bio() under various conditions.
1321 *
1322 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1323 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1324 * then do more tests where we create a successful connection first using our
1325 * standard connection setup functions, and then call SSL_set_bio() with
1326 * various combinations of valid BIOs or NULL. We then repeat these tests
1327 * following a failed connection. In this last case we are looking to check that
1328 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
1329 */
7fb4c820
MC		 1330static int test_ssl_set_bio(int idx)
1331{
7d4488bb 1332 SSL_CTX *sctx = NULL, *cctx = NULL;
7fb4c820
MC		 1333 BIO *bio1 = NULL;
1334 BIO *bio2 = NULL;
0fae8150 1335 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7d4488bb
MC		 1336 SSL *serverssl = NULL, *clientssl = NULL;
1337 int initrbio, initwbio, newrbio, newwbio, conntype;
7fb4c820
MC		 1338 int testresult = 0;
1339
7d4488bb
MC		 1340 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
1341 initrbio = idx % 3;
1342 idx /= 3;
1343 initwbio = idx % 3;
1344 idx /= 3;
1345 newrbio = idx % 3;
1346 idx /= 3;
1347 newwbio = idx % 3;
1348 conntype = CONNTYPE_NO_CONNECTION;
1349 } else {
1350 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
1351 initrbio = initwbio = USE_DEFAULT;
1352 newrbio = idx % 2;
1353 idx /= 2;
1354 newwbio = idx % 2;
1355 idx /= 2;
1356 conntype = idx % 2;
1357 }
710756a9 1358
7d4488bb
MC		 1359 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1360 TLS1_VERSION, TLS_MAX_VERSION,
1361 &sctx, &cctx, cert, privkey)))
1362 goto end;
1363
1364 if (conntype == CONNTYPE_CONNECTION_FAIL) {
1365 /*
1366 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
1367 * because we reduced the number of tests in the definition of
1368 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
1369 * mismatched protocol versions we will force a connection failure.
1370 */
1371 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
1372 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1373 }
1374
1375 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1376 NULL, NULL)))
710756a9 1377 goto end;
7fb4c820 1378
710756a9
RS		 1379 if (initrbio == USE_BIO_1
1380 || initwbio == USE_BIO_1
1381 || newrbio == USE_BIO_1
7fb4c820 1382 || newwbio == USE_BIO_1) {
710756a9 1383 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 1384 goto end;
7fb4c820
MC		 1385 }
1386
710756a9
RS		 1387 if (initrbio == USE_BIO_2
1388 || initwbio == USE_BIO_2
1389 || newrbio == USE_BIO_2
7fb4c820 1390 || newwbio == USE_BIO_2) {
710756a9 1391 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 1392 goto end;
7fb4c820
MC		 1393 }
1394
7d4488bb
MC		 1395 if (initrbio != USE_DEFAULT) {
1396 setupbio(&irbio, bio1, bio2, initrbio);
1397 setupbio(&iwbio, bio1, bio2, initwbio);
1398 SSL_set_bio(clientssl, irbio, iwbio);
7fb4c820 1399
7d4488bb
MC		 1400 /*
1401 * We want to maintain our own refs to these BIO, so do an up ref for
1402 * each BIO that will have ownership transferred in the SSL_set_bio()
1403 * call
1404 */
1405 if (irbio != NULL)
1406 BIO_up_ref(irbio);
1407 if (iwbio != NULL && iwbio != irbio)
1408 BIO_up_ref(iwbio);
1409 }
7fb4c820 1410
7d4488bb
MC		 1411 if (conntype != CONNTYPE_NO_CONNECTION
1412 && !TEST_true(create_ssl_connection(serverssl, clientssl,
1413 SSL_ERROR_NONE)
1414 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
1415 goto end;
7fb4c820
MC		 1416
1417 setupbio(&nrbio, bio1, bio2, newrbio);
1418 setupbio(&nwbio, bio1, bio2, newwbio);
1419
1420 /*
1421 * We will (maybe) transfer ownership again so do more up refs.
1422 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1423 * already been set!
1424 */
710756a9
RS		 1425 if (nrbio != NULL
1426 && nrbio != irbio
1427 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 1428 BIO_up_ref(nrbio);
710756a9
RS		 1429 if (nwbio != NULL
1430 && nwbio != nrbio
1431 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 1432 BIO_up_ref(nwbio);
1433
7d4488bb 1434 SSL_set_bio(clientssl, nrbio, nwbio);
7fb4c820
MC		 1435
1436 testresult = 1;
1437
1438 end:
7fb4c820
MC		 1439 BIO_free(bio1);
1440 BIO_free(bio2);
710756a9 1441
7fb4c820
MC		 1442 /*
1443 * This test is checking that the ref counting for SSL_set_bio is correct.
1444 * If we get here and we did too many frees then we will fail in the above
1445 * functions. If we haven't done enough then this will only be detected in
1446 * a crypto-mdebug build
1447 */
7d4488bb
MC		 1448 SSL_free(serverssl);
1449 SSL_free(clientssl);
1450 SSL_CTX_free(sctx);
1451 SSL_CTX_free(cctx);
7fb4c820
MC		 1452 return testresult;
1453}
1454
7e885b7b 1455typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 1456
7e885b7b 1457static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 1458{
1459 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 1460 SSL_CTX *ctx;
9a716987
MC		 1461 SSL *ssl = NULL;
1462 int testresult = 0;
1463
710756a9
RS		 1464 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1465 || !TEST_ptr(ssl = SSL_new(ctx))
1466 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1467 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 1468 goto end;
9a716987
MC		 1469
1470 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1471
1472 /*
1473 * If anything goes wrong here then we could leak memory, so this will
1474 * be caught in a crypto-mdebug build
1475 */
1476 BIO_push(sslbio, membio1);
1477
69687aa8 1478 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 1479 if (change_bio != NO_BIO_CHANGE) {
710756a9 1480 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
9a716987 1481 goto end;
7e885b7b 1482 if (change_bio == CHANGE_RBIO)
65e2d672 1483 SSL_set0_rbio(ssl, membio2);
9a716987 1484 else
65e2d672 1485 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 1486 }
1487 ssl = NULL;
1488
7e885b7b 1489 if (pop_ssl)
9a716987
MC		 1490 BIO_pop(sslbio);
1491 else
1492 BIO_pop(membio1);
1493
1494 testresult = 1;
1495 end:
1496 BIO_free(membio1);
1497 BIO_free(sslbio);
1498 SSL_free(ssl);
1499 SSL_CTX_free(ctx);
1500
1501 return testresult;
1502}
1503
1504static int test_ssl_bio_pop_next_bio(void)
1505{
7e885b7b 1506 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 1507}
1508
1509static int test_ssl_bio_pop_ssl_bio(void)
1510{
7e885b7b 1511 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 1512}
1513
1514static int test_ssl_bio_change_rbio(void)
1515{
7e885b7b 1516 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 1517}
1518
1519static int test_ssl_bio_change_wbio(void)
1520{
7e885b7b 1521 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 1522}
1523
c423ecaa 1524#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae
MC		 1525typedef struct {
1526 /* The list of sig algs */
1527 const int *list;
1528 /* The length of the list */
1529 size_t listlen;
1530 /* A sigalgs list in string format */
1531 const char *liststr;
1532 /* Whether setting the list should succeed */
1533 int valid;
1534 /* Whether creating a connection with the list should succeed */
1535 int connsuccess;
1536} sigalgs_list;
1537
1538static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 1539# ifndef OPENSSL_NO_EC
f1b25aae
MC		 1540static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1541static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 1542# endif
f1b25aae
MC		 1543static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1544static const int invalidlist2[] = {NID_sha256, NID_undef};
1545static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1546static const int invalidlist4[] = {NID_sha256};
1547static const sigalgs_list testsigalgs[] = {
1548 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 1549# ifndef OPENSSL_NO_EC
f1b25aae
MC		 1550 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1551 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 1552# endif
f1b25aae 1553 {NULL, 0, "RSA+SHA256", 1, 1},
c423ecaa 1554# ifndef OPENSSL_NO_EC
f1b25aae
MC		 1555 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1556 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 1557# endif
f1b25aae
MC		 1558 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1559 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1560 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1561 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1562 {NULL, 0, "RSA", 0, 0},
1563 {NULL, 0, "SHA256", 0, 0},
1564 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 1565 {NULL, 0, "Invalid", 0, 0}
1566};
f1b25aae
MC		 1567
1568static int test_set_sigalgs(int idx)
1569{
1570 SSL_CTX *cctx = NULL, *sctx = NULL;
1571 SSL *clientssl = NULL, *serverssl = NULL;
1572 int testresult = 0;
1573 const sigalgs_list *curr;
1574 int testctx;
1575
1576 /* Should never happen */
710756a9 1577 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 1578 return 0;
1579
1580 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1581 curr = testctx ? &testsigalgs[idx]
1582 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1583
7d7f6834
RL		 1584 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1585 TLS1_VERSION, TLS_MAX_VERSION,
1586 &sctx, &cctx, cert, privkey)))
f1b25aae 1587 return 0;
f1b25aae 1588
d2e491f2
MC		 1589 /*
1590 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1591 * for TLSv1.2 for now until we add a new API.
1592 */
1593 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1594
f1b25aae
MC		 1595 if (testctx) {
1596 int ret;
710756a9 1597
f1b25aae
MC		 1598 if (curr->list != NULL)
1599 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1600 else
1601 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1602
1603 if (!ret) {
1604 if (curr->valid)
710756a9 1605 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 1606 else
1607 testresult = 1;
1608 goto end;
1609 }
1610 if (!curr->valid) {
710756a9 1611 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 1612 goto end;
1613 }
1614 }
1615
710756a9
RS		 1616 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1617 &clientssl, NULL, NULL)))
f1b25aae 1618 goto end;
f1b25aae
MC		 1619
1620 if (!testctx) {
1621 int ret;
1622
1623 if (curr->list != NULL)
1624 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1625 else
1626 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1627 if (!ret) {
1628 if (curr->valid)
710756a9 1629 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 1630 else
1631 testresult = 1;
1632 goto end;
1633 }
710756a9 1634 if (!curr->valid)
f1b25aae 1635 goto end;
f1b25aae
MC		 1636 }
1637
710756a9
RS		 1638 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1639 SSL_ERROR_NONE),
1640 curr->connsuccess))
f1b25aae 1641 goto end;
f1b25aae
MC		 1642
1643 testresult = 1;
1644
1645 end:
1646 SSL_free(serverssl);
1647 SSL_free(clientssl);
1648 SSL_CTX_free(sctx);
1649 SSL_CTX_free(cctx);
1650
1651 return testresult;
1652}
c423ecaa 1653#endif
f1b25aae 1654
fff202e5
MC		 1655#ifndef OPENSSL_NO_TLS1_3
1656
57dee9bb
MC		 1657static SSL_SESSION *clientpsk = NULL;
1658static SSL_SESSION *serverpsk = NULL;
02a3ed5a
MC		 1659static const char *pskid = "Identity";
1660static const char *srvid;
1661
1662static int use_session_cb_cnt = 0;
1663static int find_session_cb_cnt = 0;
532f9578
MC		 1664static int psk_client_cb_cnt = 0;
1665static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 1666
1667static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
1668 size_t *idlen, SSL_SESSION **sess)
1669{
1670 switch (++use_session_cb_cnt) {
1671 case 1:
1672 /* The first call should always have a NULL md */
1673 if (md != NULL)
1674 return 0;
1675 break;
1676
1677 case 2:
1678 /* The second call should always have an md */
1679 if (md == NULL)
1680 return 0;
1681 break;
1682
1683 default:
1684 /* We should only be called a maximum of twice */
1685 return 0;
1686 }
1687
57dee9bb
MC		 1688 if (clientpsk != NULL)
1689 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 1690
57dee9bb 1691 *sess = clientpsk;
02a3ed5a
MC		 1692 *id = (const unsigned char *)pskid;
1693 *idlen = strlen(pskid);
1694
1695 return 1;
1696}
1697
c2b290c3 1698#ifndef OPENSSL_NO_PSK
532f9578
MC		 1699static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
1700 unsigned int max_id_len,
1701 unsigned char *psk,
1702 unsigned int max_psk_len)
1703{
1704 unsigned int psklen = 0;
1705
1706 psk_client_cb_cnt++;
1707
1708 if (strlen(pskid) + 1 > max_id_len)
1709 return 0;
1710
1711 /* We should only ever be called a maximum of twice per connection */
1712 if (psk_client_cb_cnt > 2)
1713 return 0;
1714
1715 if (clientpsk == NULL)
1716 return 0;
1717
1718 /* We'll reuse the PSK we set up for TLSv1.3 */
1719 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
1720 return 0;
1721 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
1722 strncpy(id, pskid, max_id_len);
1723
1724 return psklen;
1725}
c2b290c3 1726#endif /* OPENSSL_NO_PSK */
532f9578 1727
02a3ed5a
MC		 1728static int find_session_cb(SSL *ssl, const unsigned char *identity,
1729 size_t identity_len, SSL_SESSION **sess)
1730{
1731 find_session_cb_cnt++;
1732
1733 /* We should only ever be called a maximum of twice per connection */
1734 if (find_session_cb_cnt > 2)
1735 return 0;
1736
57dee9bb 1737 if (serverpsk == NULL)
02a3ed5a
MC		 1738 return 0;
1739
1740 /* Identity should match that set by the client */
1741 if (strlen(srvid) != identity_len
1742 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
1743 /* No PSK found, continue but without a PSK */
1744 *sess = NULL;
1745 return 1;
1746 }
1747
57dee9bb
MC		 1748 SSL_SESSION_up_ref(serverpsk);
1749 *sess = serverpsk;
02a3ed5a
MC		 1750
1751 return 1;
1752}
1753
c2b290c3 1754#ifndef OPENSSL_NO_PSK
532f9578
MC		 1755static unsigned int psk_server_cb(SSL *ssl, const char *identity,
1756 unsigned char *psk, unsigned int max_psk_len)
1757{
1758 unsigned int psklen = 0;
1759
1760 psk_server_cb_cnt++;
1761
1762 /* We should only ever be called a maximum of twice per connection */
1763 if (find_session_cb_cnt > 2)
1764 return 0;
1765
1766 if (serverpsk == NULL)
1767 return 0;
1768
1769 /* Identity should match that set by the client */
1770 if (strcmp(srvid, identity) != 0) {
1771 return 0;
1772 }
1773
1774 /* We'll reuse the PSK we set up for TLSv1.3 */
1775 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
1776 return 0;
1777 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
1778
1779 return psklen;
1780}
c2b290c3 1781#endif /* OPENSSL_NO_PSK */
532f9578 1782
5f982038
MC		 1783#define MSG1 "Hello"
1784#define MSG2 "World."
1785#define MSG3 "This"
1786#define MSG4 "is"
1787#define MSG5 "a"
90049cea
MC		 1788#define MSG6 "test"
1789#define MSG7 "message."
5f982038 1790
02a3ed5a 1791#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
532f9578 1792#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
02a3ed5a 1793
5f982038
MC		 1794/*
1795 * Helper method to setup objects for early data test. Caller frees objects on
1796 * error.
1797 */
1798static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3cb47b4e 1799 SSL **serverssl, SSL_SESSION **sess, int idx)
5f982038 1800{
7d7f6834
RL		 1801 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1802 TLS1_VERSION, TLS_MAX_VERSION,
1803 sctx, cctx, cert, privkey))
c39e4048 1804 || !TEST_true(SSL_CTX_set_max_early_data(*sctx,
c39e4048 1805 SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 1806 return 0;
5f982038 1807
02a3ed5a
MC		 1808 if (idx == 1) {
1809 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 1810 SSL_CTX_set_read_ahead(*cctx, 1);
1811 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 1812 } else if (idx == 2) {
1813 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
1814 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
1815 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
1816 use_session_cb_cnt = 0;
1817 find_session_cb_cnt = 0;
1818 srvid = pskid;
3cb47b4e
MC		 1819 }
1820
710756a9 1821 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 1822 NULL, NULL)))
1823 return 0;
1824
141e4709
MC		 1825 /*
1826 * For one of the run throughs (doesn't matter which one), we'll try sending
1827 * some SNI data in the initial ClientHello. This will be ignored (because
1828 * there is no SNI cb set up by the server), so it should not impact
1829 * early_data.
1830 */
1831 if (idx == 1
1832 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
1833 return 0;
1834
02a3ed5a
MC		 1835 if (idx == 2) {
1836 /* Create the PSK */
1837 const SSL_CIPHER *cipher = NULL;
1838 const unsigned char key[] = {
1839 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
1840 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
1841 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
1842 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
1843 0x2c, 0x2d, 0x2e, 0x2f
1844 };
1845
1846 cipher = SSL_CIPHER_find(*clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
57dee9bb
MC		 1847 clientpsk = SSL_SESSION_new();
1848 if (!TEST_ptr(clientpsk)
02a3ed5a 1849 || !TEST_ptr(cipher)
57dee9bb 1850 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
02a3ed5a 1851 sizeof(key)))
57dee9bb 1852 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
02a3ed5a 1853 || !TEST_true(
57dee9bb 1854 SSL_SESSION_set_protocol_version(clientpsk,
02a3ed5a
MC		 1855 TLS1_3_VERSION))
1856 /*
1857 * We just choose an arbitrary value for max_early_data which
1858 * should be big enough for testing purposes.
1859 */
57dee9bb
MC		 1860 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
1861 0x100))
1862 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1863 SSL_SESSION_free(clientpsk);
1864 clientpsk = NULL;
02a3ed5a
MC		 1865 return 0;
1866 }
57dee9bb 1867 serverpsk = clientpsk;
02a3ed5a 1868
c20e3b28
MC		 1869 if (sess != NULL) {
1870 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1871 SSL_SESSION_free(clientpsk);
1872 SSL_SESSION_free(serverpsk);
1873 clientpsk = serverpsk = NULL;
1874 return 0;
1875 }
57dee9bb 1876 *sess = clientpsk;
c20e3b28 1877 }
02a3ed5a
MC		 1878 return 1;
1879 }
1880
1881 if (sess == NULL)
1882 return 1;
1883
1884 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
1885 SSL_ERROR_NONE)))
5f982038 1886 return 0;
5f982038
MC		 1887
1888 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 1889 SSL_shutdown(*clientssl);
1890 SSL_shutdown(*serverssl);
5f982038
MC		 1891 SSL_free(*serverssl);
1892 SSL_free(*clientssl);
1893 *serverssl = *clientssl = NULL;
1894
710756a9
RS		 1895 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
1896 clientssl, NULL, NULL))
1897 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 1898 return 0;
5f982038
MC		 1899
1900 return 1;
1901}
1902
3cb47b4e 1903static int test_early_data_read_write(int idx)
5f982038
MC		 1904{
1905 SSL_CTX *cctx = NULL, *sctx = NULL;
1906 SSL *clientssl = NULL, *serverssl = NULL;
1907 int testresult = 0;
1908 SSL_SESSION *sess = NULL;
9b5c865d
MC		 1909 unsigned char buf[20], data[1024];
1910 size_t readbytes, written, eoedlen, rawread, rawwritten;
1911 BIO *rbio;
5f982038 1912
710756a9
RS		 1913 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1914 &serverssl, &sess, idx)))
5f982038
MC		 1915 goto end;
1916
1917 /* Write and read some early data */
710756a9
RS		 1918 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1919 &written))
1920 || !TEST_size_t_eq(written, strlen(MSG1))
1921 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
1922 sizeof(buf), &readbytes),
1923 SSL_READ_EARLY_DATA_SUCCESS)
1924 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
1925 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1926 SSL_EARLY_DATA_ACCEPTED))
5f982038 1927 goto end;
5f982038
MC		 1928
1929 /*
09f28874 1930 * Server should be able to write data, and client should be able to
5f982038
MC		 1931 * read it.
1932 */
710756a9
RS		 1933 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
1934 &written))
1935 || !TEST_size_t_eq(written, strlen(MSG2))
1936 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1937 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 1938 goto end;
5f982038
MC		 1939
1940 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 1941 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
1942 &written))
1943 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 1944 goto end;
5f982038 1945
09f28874 1946 /* Server should still be able read early data after writing data */
710756a9
RS		 1947 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1948 &readbytes),
1949 SSL_READ_EARLY_DATA_SUCCESS)
1950 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 1951 goto end;
5f982038 1952
09f28874 1953 /* Write more data from server and read it from client */
710756a9
RS		 1954 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
1955 &written))
1956 || !TEST_size_t_eq(written, strlen(MSG4))
1957 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1958 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 1959 goto end;
5f982038
MC		 1960
1961 /*
1962 * If client writes normal data it should mean writing early data is no
1963 * longer possible.
1964 */
710756a9
RS		 1965 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1966 || !TEST_size_t_eq(written, strlen(MSG5))
1967 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1968 SSL_EARLY_DATA_ACCEPTED))
5f982038 1969 goto end;
5f982038 1970
9b5c865d
MC		 1971 /*
1972 * At this point the client has written EndOfEarlyData, ClientFinished and
1973 * normal (fully protected) data. We are going to cause a delay between the
1974 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
1975 * in the read BIO, and then just put back the EndOfEarlyData message.
1976 */
1977 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 1978 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
1979 || !TEST_size_t_lt(rawread, sizeof(data))
1980 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 1981 goto end;
710756a9 1982
9b5c865d
MC		 1983 /* Record length is in the 4th and 5th bytes of the record header */
1984 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 1985 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
1986 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 1987 goto end;
9b5c865d 1988
5f982038 1989 /* Server should be told that there is no more early data */
710756a9
RS		 1990 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1991 &readbytes),
1992 SSL_READ_EARLY_DATA_FINISH)
1993 || !TEST_size_t_eq(readbytes, 0))
5f982038 1994 goto end;
5f982038 1995
9b5c865d
MC		 1996 /*
1997 * Server has not finished init yet, so should still be able to write early
1998 * data.
1999 */
710756a9
RS		 2000 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2001 &written))
2002 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 2003 goto end;
9b5c865d 2004
f8a303fa 2005 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 2006 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2007 &rawwritten))
2008 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 2009 goto end;
f8a303fa 2010
5f982038 2011 /* Server should be able to read normal data */
710756a9
RS		 2012 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2013 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 2014 goto end;
5f982038 2015
09f28874 2016 /* Client and server should not be able to write/read early data now */
710756a9
RS		 2017 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2018 &written)))
5f982038 2019 goto end;
5f982038 2020 ERR_clear_error();
710756a9
RS		 2021 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2022 &readbytes),
2023 SSL_READ_EARLY_DATA_ERROR))
5f982038 2024 goto end;
5f982038
MC		 2025 ERR_clear_error();
2026
9b5c865d 2027 /* Client should be able to read the data sent by the server */
710756a9
RS		 2028 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2029 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 2030 goto end;
710756a9 2031
f8a303fa 2032 /*
36ff232c
MC		 2033 * Make sure we process the two NewSessionTickets. These arrive
2034 * post-handshake. We attempt reads which we do not expect to return any
2035 * data.
f8a303fa 2036 */
36ff232c
MC		 2037 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2038 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2039 &readbytes)))
f8a303fa 2040 goto end;
5f982038 2041
90049cea 2042 /* Server should be able to write normal data */
710756a9
RS		 2043 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2044 || !TEST_size_t_eq(written, strlen(MSG7))
2045 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2046 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 2047 goto end;
90049cea 2048
c20e3b28 2049 SSL_SESSION_free(sess);
5f982038 2050 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 2051 use_session_cb_cnt = 0;
2052 find_session_cb_cnt = 0;
5f982038
MC		 2053
2054 SSL_shutdown(clientssl);
2055 SSL_shutdown(serverssl);
5f982038
MC		 2056 SSL_free(serverssl);
2057 SSL_free(clientssl);
2058 serverssl = clientssl = NULL;
710756a9
RS		 2059 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2060 &clientssl, NULL, NULL))
2061 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 2062 goto end;
5f982038
MC		 2063
2064 /* Write and read some early data */
710756a9
RS		 2065 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2066 &written))
2067 || !TEST_size_t_eq(written, strlen(MSG1))
2068 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2069 &readbytes),
2070 SSL_READ_EARLY_DATA_SUCCESS)
2071 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 2072 goto end;
5f982038 2073
710756a9
RS		 2074 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2075 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 2076 goto end;
5f982038 2077
09f28874 2078 /* Client and server should not be able to write/read early data now */
710756a9
RS		 2079 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2080 &written)))
5f982038 2081 goto end;
5f982038 2082 ERR_clear_error();
710756a9
RS		 2083 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2084 &readbytes),
2085 SSL_READ_EARLY_DATA_ERROR))
5f982038 2086 goto end;
5f982038
MC		 2087 ERR_clear_error();
2088
2089 /* Client and server should be able to write/read normal data */
710756a9
RS		 2090 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2091 || !TEST_size_t_eq(written, strlen(MSG5))
2092 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2093 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 2094 goto end;
5f982038
MC		 2095
2096 testresult = 1;
2097
2098 end:
c20e3b28 2099 SSL_SESSION_free(sess);
57dee9bb
MC		 2100 SSL_SESSION_free(clientpsk);
2101 SSL_SESSION_free(serverpsk);
2102 clientpsk = serverpsk = NULL;
5f982038
MC		 2103 SSL_free(serverssl);
2104 SSL_free(clientssl);
2105 SSL_CTX_free(sctx);
2106 SSL_CTX_free(cctx);
5f982038
MC		 2107 return testresult;
2108}
2109
78fb5374
MC		 2110static int test_early_data_replay(int idx)
2111{
2112 SSL_CTX *cctx = NULL, *sctx = NULL;
2113 SSL *clientssl = NULL, *serverssl = NULL;
2114 int testresult = 0;
2115 SSL_SESSION *sess = NULL;
2116
2117 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2118 &serverssl, &sess, idx)))
2119 goto end;
2120
2121 /*
2122 * The server is configured to accept early data. Create a connection to
2123 * "use up" the ticket
2124 */
2125 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2126 || !TEST_true(SSL_session_reused(clientssl)))
2127 goto end;
2128
2129 SSL_shutdown(clientssl);
2130 SSL_shutdown(serverssl);
2131 SSL_free(serverssl);
2132 SSL_free(clientssl);
2133 serverssl = clientssl = NULL;
2134
2135 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2136 &clientssl, NULL, NULL))
2137 || !TEST_true(SSL_set_session(clientssl, sess))
2138 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2139 SSL_ERROR_NONE))
2140 /*
2141 * This time we should not have resumed the session because we
2142 * already used it once.
2143 */
2144 || !TEST_false(SSL_session_reused(clientssl)))
2145 goto end;
2146
2147 testresult = 1;
2148
2149 end:
c20e3b28 2150 SSL_SESSION_free(sess);
78fb5374
MC		 2151 SSL_SESSION_free(clientpsk);
2152 SSL_SESSION_free(serverpsk);
2153 clientpsk = serverpsk = NULL;
2154 SSL_free(serverssl);
2155 SSL_free(clientssl);
2156 SSL_CTX_free(sctx);
2157 SSL_CTX_free(cctx);
2158 return testresult;
2159}
2160
710756a9 2161/*
6b84e6bf
MC		 2162 * Helper function to test that a server attempting to read early data can
2163 * handle a connection from a client where the early data should be skipped.
710756a9 2164 */
6b84e6bf 2165static int early_data_skip_helper(int hrr, int idx)
5f982038
MC		 2166{
2167 SSL_CTX *cctx = NULL, *sctx = NULL;
2168 SSL *clientssl = NULL, *serverssl = NULL;
2169 int testresult = 0;
018fcbec 2170 SSL_SESSION *sess = NULL;
5f982038
MC		 2171 unsigned char buf[20];
2172 size_t readbytes, written;
2173
710756a9
RS		 2174 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2175 &serverssl, &sess, idx)))
5f982038
MC		 2176 goto end;
2177
6b84e6bf
MC		 2178 if (hrr) {
2179 /* Force an HRR to occur */
2180 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2181 goto end;
02a3ed5a
MC		 2182 } else if (idx == 2) {
2183 /*
2184 * We force early_data rejection by ensuring the PSK identity is
2185 * unrecognised
2186 */
2187 srvid = "Dummy Identity";
6b84e6bf
MC		 2188 } else {
2189 /*
2190 * Deliberately corrupt the creation time. We take 20 seconds off the
2191 * time. It could be any value as long as it is not within tolerance.
2192 * This should mean the ticket is rejected.
2193 */
5d99881e 2194 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 2195 goto end;
2196 }
5f982038
MC		 2197
2198 /* Write some early data */
710756a9
RS		 2199 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2200 &written))
2201 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 2202 goto end;
5f982038
MC		 2203
2204 /* Server should reject the early data and skip over it */
710756a9
RS		 2205 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2206 &readbytes),
2207 SSL_READ_EARLY_DATA_FINISH)
2208 || !TEST_size_t_eq(readbytes, 0)
2209 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2210 SSL_EARLY_DATA_REJECTED))
5f982038 2211 goto end;
5f982038 2212
6b84e6bf
MC		 2213 if (hrr) {
2214 /*
2215 * Finish off the handshake. We perform the same writes and reads as
2216 * further down but we expect them to fail due to the incomplete
2217 * handshake.
2218 */
2219 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2220 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
2221 &readbytes)))
2222 goto end;
2223 }
2224
710756a9
RS		 2225 /* Should be able to send normal data despite rejection of early data */
2226 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2227 || !TEST_size_t_eq(written, strlen(MSG2))
2228 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2229 SSL_EARLY_DATA_REJECTED)
2230 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2231 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2232 goto end;
5f982038
MC		 2233
2234 testresult = 1;
2235
2236 end:
c20e3b28 2237 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 2238 SSL_SESSION_free(serverpsk);
2239 clientpsk = serverpsk = NULL;
5f982038
MC		 2240 SSL_SESSION_free(sess);
2241 SSL_free(serverssl);
2242 SSL_free(clientssl);
2243 SSL_CTX_free(sctx);
2244 SSL_CTX_free(cctx);
5f982038
MC		 2245 return testresult;
2246}
2247
6b84e6bf
MC		 2248/*
2249 * Test that a server attempting to read early data can handle a connection
2250 * from a client where the early data is not acceptable.
2251 */
2252static int test_early_data_skip(int idx)
2253{
2254 return early_data_skip_helper(0, idx);
2255}
2256
2257/*
2258 * Test that a server attempting to read early data can handle a connection
2259 * from a client where an HRR occurs.
2260 */
2261static int test_early_data_skip_hrr(int idx)
2262{
2263 return early_data_skip_helper(1, idx);
2264}
2265
710756a9
RS		 2266/*
2267 * Test that a server attempting to read early data can handle a connection
2268 * from a client that doesn't send any.
2269 */
3cb47b4e 2270static int test_early_data_not_sent(int idx)
5f982038
MC		 2271{
2272 SSL_CTX *cctx = NULL, *sctx = NULL;
2273 SSL *clientssl = NULL, *serverssl = NULL;
2274 int testresult = 0;
018fcbec 2275 SSL_SESSION *sess = NULL;
5f982038
MC		 2276 unsigned char buf[20];
2277 size_t readbytes, written;
2278
710756a9
RS		 2279 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2280 &serverssl, &sess, idx)))
5f982038
MC		 2281 goto end;
2282
2283 /* Write some data - should block due to handshake with server */
2284 SSL_set_connect_state(clientssl);
710756a9 2285 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 2286 goto end;
5f982038
MC		 2287
2288 /* Server should detect that early data has not been sent */
710756a9
RS		 2289 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2290 &readbytes),
2291 SSL_READ_EARLY_DATA_FINISH)
2292 || !TEST_size_t_eq(readbytes, 0)
2293 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2294 SSL_EARLY_DATA_NOT_SENT)
2295 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2296 SSL_EARLY_DATA_NOT_SENT))
5f982038 2297 goto end;
5f982038
MC		 2298
2299 /* Continue writing the message we started earlier */
710756a9
RS		 2300 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2301 || !TEST_size_t_eq(written, strlen(MSG1))
2302 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2303 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2304 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
2305 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 2306 goto end;
5f982038 2307
3cb47b4e
MC		 2308 /*
2309 * Should block due to the NewSessionTicket arrival unless we're using
c0638ade 2310 * read_ahead, or PSKs
3cb47b4e 2311 */
c0638ade 2312 if (idx != 1 && idx != 2) {
710756a9 2313 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
3cb47b4e 2314 goto end;
5f982038
MC		 2315 }
2316
710756a9
RS		 2317 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2318 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2319 goto end;
5f982038
MC		 2320
2321 testresult = 1;
2322
2323 end:
5f982038 2324 SSL_SESSION_free(sess);
c20e3b28 2325 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 2326 SSL_SESSION_free(serverpsk);
2327 clientpsk = serverpsk = NULL;
5f982038
MC		 2328 SSL_free(serverssl);
2329 SSL_free(clientssl);
2330 SSL_CTX_free(sctx);
2331 SSL_CTX_free(cctx);
5f982038
MC		 2332 return testresult;
2333}
2334
976e5323
MC		 2335static int hostname_cb(SSL *s, int *al, void *arg)
2336{
2337 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2338
281bf233 2339 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
976e5323
MC		 2340 return SSL_TLSEXT_ERR_OK;
2341
2342 return SSL_TLSEXT_ERR_NOACK;
2343}
2344
2345static const char *servalpn;
2346
c7558d5b
PY		 2347static int alpn_select_cb(SSL *ssl, const unsigned char **out,
2348 unsigned char *outlen, const unsigned char *in,
2349 unsigned int inlen, void *arg)
976e5323 2350{
c7558d5b 2351 unsigned int protlen = 0;
976e5323
MC		 2352 const unsigned char *prot;
2353
c7558d5b
PY		 2354 for (prot = in; prot < in + inlen; prot += protlen) {
2355 protlen = *prot++;
5d99881e 2356 if (in + inlen < prot + protlen)
976e5323
MC		 2357 return SSL_TLSEXT_ERR_NOACK;
2358
2359 if (protlen == strlen(servalpn)
0bd42fde 2360 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 2361 *out = prot;
2362 *outlen = protlen;
2363 return SSL_TLSEXT_ERR_OK;
2364 }
2365 }
2366
2367 return SSL_TLSEXT_ERR_NOACK;
2368}
2369
57dee9bb 2370/* Test that a PSK can be used to send early_data */
976e5323
MC		 2371static int test_early_data_psk(int idx)
2372{
2373 SSL_CTX *cctx = NULL, *sctx = NULL;
2374 SSL *clientssl = NULL, *serverssl = NULL;
2375 int testresult = 0;
2376 SSL_SESSION *sess = NULL;
57dee9bb
MC		 2377 unsigned char alpnlist[] = {
2378 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2379 'l', 'p', 'n'
2380 };
2381#define GOODALPNLEN 9
2382#define BADALPNLEN 8
2383#define GOODALPN (alpnlist)
2384#define BADALPN (alpnlist + GOODALPNLEN)
2385 int err = 0;
976e5323
MC		 2386 unsigned char buf[20];
2387 size_t readbytes, written;
57dee9bb 2388 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 2389 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2390
2391 /* We always set this up with a final parameter of "2" for PSK */
2392 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2393 &serverssl, &sess, 2)))
2394 goto end;
2395
976e5323
MC		 2396 servalpn = "goodalpn";
2397
57dee9bb
MC		 2398 /*
2399 * Note: There is no test for inconsistent SNI with late client detection.
2400 * This is because servers do not acknowledge SNI even if they are using
2401 * it in a resumption handshake - so it is not actually possible for a
2402 * client to detect a problem.
2403 */
976e5323
MC		 2404 switch (idx) {
2405 case 0:
57dee9bb 2406 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 2407 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2408 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2409 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2410 goto end;
2411 break;
2412
2413 case 1:
57dee9bb 2414 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 2415 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
2416 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 2417 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
2418 GOODALPNLEN))
2419 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
2420 BADALPNLEN)))
976e5323
MC		 2421 goto end;
2422 break;
2423
2424 case 2:
2425 /*
2426 * Set invalid protocol version. Technically this affects PSKs without
2427 * early_data too, but we test it here because it is similar to the
2428 * SNI/ALPN consistency tests.
2429 */
2430 err = SSL_R_BAD_PSK;
2431 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
2432 goto end;
2433 break;
2434
2435 case 3:
2436 /*
2437 * Set inconsistent SNI (server detected). In this case the connection
2438 * will succeed but reject early_data.
2439 */
281bf233
MC		 2440 SSL_SESSION_free(serverpsk);
2441 serverpsk = SSL_SESSION_dup(clientpsk);
2442 if (!TEST_ptr(serverpsk)
2443 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
2444 goto end;
976e5323
MC		 2445 edstatus = SSL_EARLY_DATA_REJECTED;
2446 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2447 /* Fall through */
2448 case 4:
2449 /* Set consistent SNI */
976e5323
MC		 2450 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2451 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
2452 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
2453 hostname_cb)))
2454 goto end;
2455 break;
2456
2457 case 5:
2458 /*
2459 * Set inconsistent ALPN (server detected). In this case the connection
2460 * will succeed but reject early_data.
2461 */
2462 servalpn = "badalpn";
2463 edstatus = SSL_EARLY_DATA_REJECTED;
2464 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2465 /* Fall through */
2466 case 6:
976e5323 2467 /*
57dee9bb 2468 * Set consistent ALPN.
976e5323
MC		 2469 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2470 * accepts a list of protos (each one length prefixed).
2471 * SSL_set1_alpn_selected accepts a single protocol (not length
2472 * prefixed)
2473 */
57dee9bb
MC		 2474 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
2475 GOODALPNLEN - 1))
2476 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
2477 GOODALPNLEN)))
976e5323
MC		 2478 goto end;
2479
2480 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2481 break;
2482
57dee9bb
MC		 2483 case 7:
2484 /* Set inconsistent ALPN (late client detection) */
2485 SSL_SESSION_free(serverpsk);
2486 serverpsk = SSL_SESSION_dup(clientpsk);
2487 if (!TEST_ptr(serverpsk)
2488 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
2489 BADALPN + 1,
2490 BADALPNLEN - 1))
2491 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
2492 GOODALPN + 1,
2493 GOODALPNLEN - 1))
2494 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
2495 sizeof(alpnlist))))
2496 goto end;
2497 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2498 edstatus = SSL_EARLY_DATA_ACCEPTED;
2499 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
2500 /* SSL_connect() call should fail */
2501 connectres = -1;
2502 break;
2503
976e5323
MC		 2504 default:
2505 TEST_error("Bad test index");
2506 goto end;
2507 }
2508
2509 SSL_set_connect_state(clientssl);
2510 if (err != 0) {
2511 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2512 &written))
2513 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
2514 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
2515 goto end;
2516 } else {
2517 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 2518 &written)))
2519 goto end;
2520
2521 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2522 &readbytes), readearlyres)
976e5323
MC		 2523 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
2524 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 2525 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
2526 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 2527 goto end;
2528 }
2529
2530 testresult = 1;
2531
2532 end:
c20e3b28 2533 SSL_SESSION_free(sess);
57dee9bb
MC		 2534 SSL_SESSION_free(clientpsk);
2535 SSL_SESSION_free(serverpsk);
2536 clientpsk = serverpsk = NULL;
976e5323
MC		 2537 SSL_free(serverssl);
2538 SSL_free(clientssl);
2539 SSL_CTX_free(sctx);
2540 SSL_CTX_free(cctx);
2541 return testresult;
2542}
2543
710756a9
RS		 2544/*
2545 * Test that a server that doesn't try to read early data can handle a
2546 * client sending some.
2547 */
3cb47b4e 2548static int test_early_data_not_expected(int idx)
5f982038
MC		 2549{
2550 SSL_CTX *cctx = NULL, *sctx = NULL;
2551 SSL *clientssl = NULL, *serverssl = NULL;
2552 int testresult = 0;
018fcbec 2553 SSL_SESSION *sess = NULL;
5f982038
MC		 2554 unsigned char buf[20];
2555 size_t readbytes, written;
2556
710756a9
RS		 2557 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2558 &serverssl, &sess, idx)))
5f982038
MC		 2559 goto end;
2560
2561 /* Write some early data */
710756a9
RS		 2562 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2563 &written)))
5f982038 2564 goto end;
5f982038
MC		 2565
2566 /*
2567 * Server should skip over early data and then block waiting for client to
2568 * continue handshake
2569 */
710756a9
RS		 2570 if (!TEST_int_le(SSL_accept(serverssl), 0)
2571 || !TEST_int_gt(SSL_connect(clientssl), 0)
2572 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2573 SSL_EARLY_DATA_REJECTED)
2574 || !TEST_int_gt(SSL_accept(serverssl), 0)
2575 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2576 SSL_EARLY_DATA_REJECTED))
5f982038 2577 goto end;
5f982038
MC		 2578
2579 /* Send some normal data from client to server */
710756a9
RS		 2580 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2581 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 2582 goto end;
5f982038 2583
710756a9
RS		 2584 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2585 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2586 goto end;
5f982038
MC		 2587
2588 testresult = 1;
2589
2590 end:
5f982038 2591 SSL_SESSION_free(sess);
c20e3b28 2592 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 2593 SSL_SESSION_free(serverpsk);
2594 clientpsk = serverpsk = NULL;
5f982038
MC		 2595 SSL_free(serverssl);
2596 SSL_free(clientssl);
2597 SSL_CTX_free(sctx);
2598 SSL_CTX_free(cctx);
5f982038
MC		 2599 return testresult;
2600}
2601
2602
2603# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 2604/*
2605 * Test that a server attempting to read early data can handle a connection
2606 * from a TLSv1.2 client.
2607 */
3cb47b4e 2608static int test_early_data_tls1_2(int idx)
5f982038
MC		 2609{
2610 SSL_CTX *cctx = NULL, *sctx = NULL;
2611 SSL *clientssl = NULL, *serverssl = NULL;
2612 int testresult = 0;
2613 unsigned char buf[20];
2614 size_t readbytes, written;
2615
02a3ed5a
MC		 2616 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2617 &serverssl, NULL, idx)))
5f982038 2618 goto end;
5f982038
MC		 2619
2620 /* Write some data - should block due to handshake with server */
2621 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
2622 SSL_set_connect_state(clientssl);
710756a9 2623 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 2624 goto end;
5f982038
MC		 2625
2626 /*
2627 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 2628 * messages from client after ServerDone. Then SSL_read_early_data should
2629 * finish and detect that early data has not been sent
5f982038 2630 */
710756a9
RS		 2631 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2632 &readbytes),
2633 SSL_READ_EARLY_DATA_ERROR))
5f982038 2634 goto end;
5f982038
MC		 2635
2636 /*
2637 * Continue writing the message we started earlier. Will still block waiting
2638 * for the CCS/Finished from server
2639 */
710756a9
RS		 2640 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2641 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2642 &readbytes),
2643 SSL_READ_EARLY_DATA_FINISH)
2644 || !TEST_size_t_eq(readbytes, 0)
2645 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2646 SSL_EARLY_DATA_NOT_SENT))
5f982038 2647 goto end;
5f982038
MC		 2648
2649 /* Continue writing the message we started earlier */
710756a9
RS		 2650 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2651 || !TEST_size_t_eq(written, strlen(MSG1))
2652 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2653 SSL_EARLY_DATA_NOT_SENT)
2654 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2655 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2656 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
2657 || !TEST_size_t_eq(written, strlen(MSG2))
2658 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
2659 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2660 goto end;
5f982038
MC		 2661
2662 testresult = 1;
2663
2664 end:
57dee9bb
MC		 2665 SSL_SESSION_free(clientpsk);
2666 SSL_SESSION_free(serverpsk);
2667 clientpsk = serverpsk = NULL;
5f982038
MC		 2668 SSL_free(serverssl);
2669 SSL_free(clientssl);
2670 SSL_CTX_free(sctx);
2671 SSL_CTX_free(cctx);
2672
2673 return testresult;
2674}
ca0413ae
MC		 2675# endif /* OPENSSL_NO_TLS1_2 */
2676
034cb87b
MC		 2677/*
2678 * Test configuring the TLSv1.3 ciphersuites
2679 *
2680 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
2681 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
2682 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
2683 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
2684 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
2685 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
2686 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
2687 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
2688 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
2689 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
2690 */
2691static int test_set_ciphersuite(int idx)
2692{
2693 SSL_CTX *cctx = NULL, *sctx = NULL;
2694 SSL *clientssl = NULL, *serverssl = NULL;
2695 int testresult = 0;
2696
2697 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2698 TLS1_VERSION, TLS_MAX_VERSION,
2699 &sctx, &cctx, cert, privkey))
2700 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
2701 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
2702 goto end;
2703
2704 if (idx >=4 && idx <= 7) {
2705 /* SSL_CTX explicit cipher list */
2706 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
2707 goto end;
2708 }
2709
2710 if (idx == 0 || idx == 4) {
2711 /* Default ciphersuite */
2712 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2713 "TLS_AES_128_GCM_SHA256")))
2714 goto end;
2715 } else if (idx == 1 || idx == 5) {
2716 /* Non default ciphersuite */
2717 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2718 "TLS_AES_128_CCM_SHA256")))
2719 goto end;
2720 }
2721
2722 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2723 &clientssl, NULL, NULL)))
2724 goto end;
2725
2726 if (idx == 8 || idx == 9) {
2727 /* SSL explicit cipher list */
2728 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
2729 goto end;
2730 }
2731
2732 if (idx == 2 || idx == 6 || idx == 8) {
2733 /* Default ciphersuite */
2734 if (!TEST_true(SSL_set_ciphersuites(clientssl,
2735 "TLS_AES_128_GCM_SHA256")))
2736 goto end;
2737 } else if (idx == 3 || idx == 7 || idx == 9) {
2738 /* Non default ciphersuite */
2739 if (!TEST_true(SSL_set_ciphersuites(clientssl,
2740 "TLS_AES_128_CCM_SHA256")))
2741 goto end;
2742 }
2743
2744 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
2745 goto end;
2746
2747 testresult = 1;
2748
2749 end:
2750 SSL_free(serverssl);
2751 SSL_free(clientssl);
2752 SSL_CTX_free(sctx);
2753 SSL_CTX_free(cctx);
2754
2755 return testresult;
2756}
2757
ca0413ae
MC		 2758static int test_ciphersuite_change(void)
2759{
2760 SSL_CTX *cctx = NULL, *sctx = NULL;
2761 SSL *clientssl = NULL, *serverssl = NULL;
2762 SSL_SESSION *clntsess = NULL;
2763 int testresult = 0;
2764 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
2765
2766 /* Create a session based on SHA-256 */
7d7f6834
RL		 2767 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2768 TLS1_VERSION, TLS_MAX_VERSION,
2769 &sctx, &cctx, cert, privkey))
f865b081
MC		 2770 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
2771 "TLS_AES_128_GCM_SHA256"))
ca0413ae
MC		 2772 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2773 &clientssl, NULL, NULL))
2774 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2775 SSL_ERROR_NONE)))
2776 goto end;
2777
2778 clntsess = SSL_get1_session(clientssl);
2779 /* Save for later */
2780 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
2781 SSL_shutdown(clientssl);
2782 SSL_shutdown(serverssl);
2783 SSL_free(serverssl);
2784 SSL_free(clientssl);
2785 serverssl = clientssl = NULL;
2786
71cff963 2787# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
ca0413ae 2788 /* Check we can resume a session with a different SHA-256 ciphersuite */
f865b081
MC		 2789 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2790 "TLS_CHACHA20_POLY1305_SHA256"))
ca0413ae
MC		 2791 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2792 NULL, NULL))
2793 || !TEST_true(SSL_set_session(clientssl, clntsess))
2794 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2795 SSL_ERROR_NONE))
2796 || !TEST_true(SSL_session_reused(clientssl)))
2797 goto end;
2798
2799 SSL_SESSION_free(clntsess);
2800 clntsess = SSL_get1_session(clientssl);
2801 SSL_shutdown(clientssl);
2802 SSL_shutdown(serverssl);
2803 SSL_free(serverssl);
2804 SSL_free(clientssl);
2805 serverssl = clientssl = NULL;
71cff963 2806# endif
ca0413ae
MC		 2807
2808 /*
2809 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 2810 * succeeds but does not resume.
ca0413ae 2811 */
f865b081 2812 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 2813 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2814 NULL, NULL))
2815 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 2816 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 2817 SSL_ERROR_SSL))
0de6d66d 2818 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 2819 goto end;
2820
2821 SSL_SESSION_free(clntsess);
2822 clntsess = NULL;
2823 SSL_shutdown(clientssl);
2824 SSL_shutdown(serverssl);
2825 SSL_free(serverssl);
2826 SSL_free(clientssl);
2827 serverssl = clientssl = NULL;
2828
2829 /* Create a session based on SHA384 */
f865b081 2830 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 2831 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2832 &clientssl, NULL, NULL))
2833 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2834 SSL_ERROR_NONE)))
2835 goto end;
2836
2837 clntsess = SSL_get1_session(clientssl);
2838 SSL_shutdown(clientssl);
2839 SSL_shutdown(serverssl);
2840 SSL_free(serverssl);
2841 SSL_free(clientssl);
2842 serverssl = clientssl = NULL;
2843
f865b081
MC		 2844 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2845 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
2846 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
2847 "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 2848 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2849 NULL, NULL))
2850 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 2851 /*
2852 * We use SSL_ERROR_WANT_READ below so that we can pause the
2853 * connection after the initial ClientHello has been sent to
2854 * enable us to make some session changes.
2855 */
ca0413ae
MC		 2856 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2857 SSL_ERROR_WANT_READ)))
2858 goto end;
2859
2860 /* Trick the client into thinking this session is for a different digest */
2861 clntsess->cipher = aes_128_gcm_sha256;
2862 clntsess->cipher_id = clntsess->cipher->id;
2863
2864 /*
3b0e88d3
MC		 2865 * Continue the previously started connection. Server has selected a SHA-384
2866 * ciphersuite, but client thinks the session is for SHA-256, so it should
2867 * bail out.
ca0413ae
MC		 2868 */
2869 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
2870 SSL_ERROR_SSL))
2871 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
2872 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
2873 goto end;
2874
2875 testresult = 1;
2876
2877 end:
2878 SSL_SESSION_free(clntsess);
2879 SSL_free(serverssl);
2880 SSL_free(clientssl);
2881 SSL_CTX_free(sctx);
2882 SSL_CTX_free(cctx);
2883
2884 return testresult;
2885}
2886
0d8da779
MC		 2887/*
2888 * Test TLSv1.3 PSKs
2889 * Test 0 = Test new style callbacks
2890 * Test 1 = Test both new and old style callbacks
2891 * Test 2 = Test old style callbacks
2892 * Test 3 = Test old style callbacks with no certificate
2893 */
532f9578 2894static int test_tls13_psk(int idx)
ca8c71ba
MC		 2895{
2896 SSL_CTX *sctx = NULL, *cctx = NULL;
2897 SSL *serverssl = NULL, *clientssl = NULL;
2898 const SSL_CIPHER *cipher = NULL;
2899 const unsigned char key[] = {
2900 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
2901 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 2902 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2903 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 2904 };
2905 int testresult = 0;
2906
7d7f6834
RL		 2907 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2908 TLS1_VERSION, TLS_MAX_VERSION,
0d8da779
MC		 2909 &sctx, &cctx, idx == 3 ? NULL : cert,
2910 idx == 3 ? NULL : privkey)))
ca8c71ba
MC		 2911 goto end;
2912
0d8da779
MC		 2913 if (idx != 3) {
2914 /*
2915 * We use a ciphersuite with SHA256 to ease testing old style PSK
2916 * callbacks which will always default to SHA256. This should not be
2917 * necessary if we have no cert/priv key. In that case the server should
2918 * prefer SHA256 automatically.
2919 */
2920 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2921 "TLS_AES_128_GCM_SHA256")))
2922 goto end;
2923 }
532f9578
MC		 2924
2925 /*
2926 * Test 0: New style callbacks only
2927 * Test 1: New and old style callbacks (only the new ones should be used)
2928 * Test 2: Old style callbacks only
2929 */
2930 if (idx == 0 || idx == 1) {
2931 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2932 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2933 }
c2b290c3 2934#ifndef OPENSSL_NO_PSK
0d8da779 2935 if (idx >= 1) {
532f9578
MC		 2936 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
2937 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
2938 }
c2b290c3 2939#endif
ca8c71ba 2940 srvid = pskid;
02a3ed5a
MC		 2941 use_session_cb_cnt = 0;
2942 find_session_cb_cnt = 0;
532f9578
MC		 2943 psk_client_cb_cnt = 0;
2944 psk_server_cb_cnt = 0;
ca8c71ba 2945
0d8da779
MC		 2946 if (idx != 3) {
2947 /*
2948 * Check we can create a connection if callback decides not to send a
2949 * PSK
2950 */
2951 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2952 NULL, NULL))
2953 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2954 SSL_ERROR_NONE))
2955 || !TEST_false(SSL_session_reused(clientssl))
2956 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 2957 goto end;
532f9578 2958
0d8da779
MC		 2959 if (idx == 0 || idx == 1) {
2960 if (!TEST_true(use_session_cb_cnt == 1)
2961 || !TEST_true(find_session_cb_cnt == 0)
2962 /*
2963 * If no old style callback then below should be 0
2964 * otherwise 1
2965 */
2966 || !TEST_true(psk_client_cb_cnt == idx)
2967 || !TEST_true(psk_server_cb_cnt == 0))
2968 goto end;
2969 } else {
2970 if (!TEST_true(use_session_cb_cnt == 0)
2971 || !TEST_true(find_session_cb_cnt == 0)
2972 || !TEST_true(psk_client_cb_cnt == 1)
2973 || !TEST_true(psk_server_cb_cnt == 0))
2974 goto end;
2975 }
2976
2977 shutdown_ssl_connection(serverssl, clientssl);
2978 serverssl = clientssl = NULL;
2979 use_session_cb_cnt = psk_client_cb_cnt = 0;
2980 }
ca8c71ba
MC		 2981
2982 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2983 NULL, NULL)))
2984 goto end;
2985
2986 /* Create the PSK */
532f9578 2987 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 2988 clientpsk = SSL_SESSION_new();
2989 if (!TEST_ptr(clientpsk)
ca8c71ba 2990 || !TEST_ptr(cipher)
57dee9bb
MC		 2991 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
2992 sizeof(key)))
2993 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
2994 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
2995 TLS1_3_VERSION))
2996 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 2997 goto end;
57dee9bb 2998 serverpsk = clientpsk;
ca8c71ba
MC		 2999
3000 /* Check we can create a connection and the PSK is used */
3001 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3002 || !TEST_true(SSL_session_reused(clientssl))
532f9578 3003 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 3004 goto end;
3005
532f9578
MC		 3006 if (idx == 0 || idx == 1) {
3007 if (!TEST_true(use_session_cb_cnt == 1)
3008 || !TEST_true(find_session_cb_cnt == 1)
3009 || !TEST_true(psk_client_cb_cnt == 0)
3010 || !TEST_true(psk_server_cb_cnt == 0))
3011 goto end;
3012 } else {
3013 if (!TEST_true(use_session_cb_cnt == 0)
3014 || !TEST_true(find_session_cb_cnt == 0)
3015 || !TEST_true(psk_client_cb_cnt == 1)
3016 || !TEST_true(psk_server_cb_cnt == 1))
3017 goto end;
3018 }
3019
ca8c71ba
MC		 3020 shutdown_ssl_connection(serverssl, clientssl);
3021 serverssl = clientssl = NULL;
3022 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 3023 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 3024
3025 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3026 NULL, NULL)))
3027 goto end;
3028
3029 /* Force an HRR */
3030 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3031 goto end;
3032
3033 /*
3034 * Check we can create a connection, the PSK is used and the callbacks are
3035 * called twice.
3036 */
3037 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3038 || !TEST_true(SSL_session_reused(clientssl))
532f9578 3039 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 3040 goto end;
3041
532f9578
MC		 3042 if (idx == 0 || idx == 1) {
3043 if (!TEST_true(use_session_cb_cnt == 2)
3044 || !TEST_true(find_session_cb_cnt == 2)
3045 || !TEST_true(psk_client_cb_cnt == 0)
3046 || !TEST_true(psk_server_cb_cnt == 0))
3047 goto end;
3048 } else {
3049 if (!TEST_true(use_session_cb_cnt == 0)
3050 || !TEST_true(find_session_cb_cnt == 0)
3051 || !TEST_true(psk_client_cb_cnt == 2)
3052 || !TEST_true(psk_server_cb_cnt == 2))
3053 goto end;
3054 }
3055
ca8c71ba
MC		 3056 shutdown_ssl_connection(serverssl, clientssl);
3057 serverssl = clientssl = NULL;
3058 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 3059 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba 3060
0d8da779
MC		 3061 if (idx != 3) {
3062 /*
3063 * Check that if the server rejects the PSK we can still connect, but with
3064 * a full handshake
3065 */
3066 srvid = "Dummy Identity";
3067 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3068 NULL, NULL))
3069 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3070 SSL_ERROR_NONE))
3071 || !TEST_false(SSL_session_reused(clientssl))
3072 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 3073 goto end;
532f9578 3074
0d8da779
MC		 3075 if (idx == 0 || idx == 1) {
3076 if (!TEST_true(use_session_cb_cnt == 1)
3077 || !TEST_true(find_session_cb_cnt == 1)
3078 || !TEST_true(psk_client_cb_cnt == 0)
3079 /*
3080 * If no old style callback then below should be 0
3081 * otherwise 1
3082 */
3083 || !TEST_true(psk_server_cb_cnt == idx))
3084 goto end;
3085 } else {
3086 if (!TEST_true(use_session_cb_cnt == 0)
3087 || !TEST_true(find_session_cb_cnt == 0)
3088 || !TEST_true(psk_client_cb_cnt == 1)
3089 || !TEST_true(psk_server_cb_cnt == 1))
3090 goto end;
3091 }
3092
3093 shutdown_ssl_connection(serverssl, clientssl);
3094 serverssl = clientssl = NULL;
3095 }
ca8c71ba
MC		 3096 testresult = 1;
3097
3098 end:
57dee9bb
MC		 3099 SSL_SESSION_free(clientpsk);
3100 SSL_SESSION_free(serverpsk);
3101 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 3102 SSL_free(serverssl);
3103 SSL_free(clientssl);
3104 SSL_CTX_free(sctx);
3105 SSL_CTX_free(cctx);
3106 return testresult;
3107}
3108
c7b8ff25
MC		 3109static unsigned char cookie_magic_value[] = "cookie magic";
3110
3111static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
3112 unsigned int *cookie_len)
3113{
3114 /*
3115 * Not suitable as a real cookie generation function but good enough for
3116 * testing!
3117 */
97ea1e7f
MC		 3118 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
3119 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 3120
3121 return 1;
3122}
3123
3124static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
3125 unsigned int cookie_len)
3126{
97ea1e7f 3127 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 3128 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
3129 return 1;
3130
3131 return 0;
3132}
3133
3fa2812f
BS		 3134static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
3135 size_t *cookie_len)
3136{
3137 unsigned int temp;
3138 int res = generate_cookie_callback(ssl, cookie, &temp);
3139 *cookie_len = temp;
3140 return res;
3141}
3142
3143static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
3144 size_t cookie_len)
3145{
3146 return verify_cookie_callback(ssl, cookie, cookie_len);
3147}
3148
c7b8ff25
MC		 3149static int test_stateless(void)
3150{
3151 SSL_CTX *sctx = NULL, *cctx = NULL;
3152 SSL *serverssl = NULL, *clientssl = NULL;
3153 int testresult = 0;
3154
7d7f6834
RL		 3155 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3156 TLS1_VERSION, TLS_MAX_VERSION,
3157 &sctx, &cctx, cert, privkey)))
c7b8ff25
MC		 3158 goto end;
3159
e440f513
MC		 3160 /* The arrival of CCS messages can confuse the test */
3161 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
3162
3163 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3164 NULL, NULL))
3165 /* Send the first ClientHello */
3166 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3167 SSL_ERROR_WANT_READ))
3168 /*
3169 * This should fail with a -1 return because we have no callbacks
3170 * set up
3171 */
3172 || !TEST_int_eq(SSL_stateless(serverssl), -1))
3173 goto end;
3174
3175 /* Fatal error so abandon the connection from this client */
3176 SSL_free(clientssl);
3177 clientssl = NULL;
3178
c7b8ff25 3179 /* Set up the cookie generation and verification callbacks */
3fa2812f
BS		 3180 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
3181 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
c7b8ff25 3182
e440f513
MC		 3183 /*
3184 * Create a new connection from the client (we can reuse the server SSL
3185 * object).
3186 */
c7b8ff25
MC		 3187 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3188 NULL, NULL))
3189 /* Send the first ClientHello */
3190 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3191 SSL_ERROR_WANT_READ))
3192 /* This should fail because there is no cookie */
e440f513 3193 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 3194 goto end;
3195
3196 /* Abandon the connection from this client */
3197 SSL_free(clientssl);
3198 clientssl = NULL;
3199
3200 /*
3201 * Now create a connection from a new client but with the same server SSL
3202 * object
3203 */
3204 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3205 NULL, NULL))
3206 /* Send the first ClientHello */
3207 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3208 SSL_ERROR_WANT_READ))
3209 /* This should fail because there is no cookie */
e440f513 3210 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 3211 /* Send the second ClientHello */
3212 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3213 SSL_ERROR_WANT_READ))
3214 /* This should succeed because a cookie is now present */
e440f513 3215 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 3216 /* Complete the connection */
3217 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3218 SSL_ERROR_NONE)))
3219 goto end;
3220
3221 shutdown_ssl_connection(serverssl, clientssl);
3222 serverssl = clientssl = NULL;
3223 testresult = 1;
3224
3225 end:
3226 SSL_free(serverssl);
3227 SSL_free(clientssl);
3228 SSL_CTX_free(sctx);
3229 SSL_CTX_free(cctx);
3230 return testresult;
3231
3232}
ca0413ae 3233#endif /* OPENSSL_NO_TLS1_3 */
5f982038 3234
a37008d9
MC		 3235static int clntaddoldcb = 0;
3236static int clntparseoldcb = 0;
3237static int srvaddoldcb = 0;
3238static int srvparseoldcb = 0;
3239static int clntaddnewcb = 0;
3240static int clntparsenewcb = 0;
3241static int srvaddnewcb = 0;
3242static int srvparsenewcb = 0;
bb01ef3f 3243static int snicb = 0;
a37008d9
MC		 3244
3245#define TEST_EXT_TYPE1 0xff00
3246
3247static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
3248 size_t *outlen, int *al, void *add_arg)
3249{
3250 int *server = (int *)add_arg;
3251 unsigned char *data;
3252
3253 if (SSL_is_server(s))
3254 srvaddoldcb++;
3255 else
3256 clntaddoldcb++;
3257
710756a9
RS		 3258 if (*server != SSL_is_server(s)
3259 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 3260 return -1;
3261
3262 *data = 1;
3263 *out = data;
3264 *outlen = sizeof(char);
a37008d9
MC		 3265 return 1;
3266}
3267
3268static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
3269 void *add_arg)
3270{
3271 OPENSSL_free((unsigned char *)out);
3272}
3273
3274static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
3275 size_t inlen, int *al, void *parse_arg)
3276{
3277 int *server = (int *)parse_arg;
3278
3279 if (SSL_is_server(s))
3280 srvparseoldcb++;
3281 else
3282 clntparseoldcb++;
3283
710756a9
RS		 3284 if (*server != SSL_is_server(s)
3285 || inlen != sizeof(char)
3286 || *in != 1)
a37008d9
MC		 3287 return -1;
3288
3289 return 1;
3290}
3291
3292static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
3293 const unsigned char **out, size_t *outlen, X509 *x,
3294 size_t chainidx, int *al, void *add_arg)
3295{
3296 int *server = (int *)add_arg;
3297 unsigned char *data;
3298
3299 if (SSL_is_server(s))
3300 srvaddnewcb++;
3301 else
3302 clntaddnewcb++;
3303
710756a9
RS		 3304 if (*server != SSL_is_server(s)
3305 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 3306 return -1;
3307
3308 *data = 1;
3309 *out = data;
710756a9 3310 *outlen = sizeof(*data);
a37008d9
MC		 3311 return 1;
3312}
3313
3314static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
3315 const unsigned char *out, void *add_arg)
3316{
3317 OPENSSL_free((unsigned char *)out);
3318}
3319
3320static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
3321 const unsigned char *in, size_t inlen, X509 *x,
3322 size_t chainidx, int *al, void *parse_arg)
3323{
3324 int *server = (int *)parse_arg;
3325
3326 if (SSL_is_server(s))
3327 srvparsenewcb++;
3328 else
3329 clntparsenewcb++;
3330
710756a9
RS		 3331 if (*server != SSL_is_server(s)
3332 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 3333 return -1;
3334
3335 return 1;
3336}
bb01ef3f
MC		 3337
3338static int sni_cb(SSL *s, int *al, void *arg)
3339{
3340 SSL_CTX *ctx = (SSL_CTX *)arg;
3341
3342 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
3343 *al = SSL_AD_INTERNAL_ERROR;
3344 return SSL_TLSEXT_ERR_ALERT_FATAL;
3345 }
3346 snicb++;
3347 return SSL_TLSEXT_ERR_OK;
3348}
3349
a37008d9
MC		 3350/*
3351 * Custom call back tests.
3352 * Test 0: Old style callbacks in TLSv1.2
3353 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 3354 * Test 2: New style callbacks in TLSv1.2 with SNI
3355 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
3356 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
a37008d9 3357 */
710756a9
RS		 3358static int test_custom_exts(int tst)
3359{
bb01ef3f 3360 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 3361 SSL *clientssl = NULL, *serverssl = NULL;
3362 int testresult = 0;
3363 static int server = 1;
3364 static int client = 0;
3365 SSL_SESSION *sess = NULL;
3366 unsigned int context;
3367
c423ecaa
MC		 3368#if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
3369 /* Skip tests for TLSv1.2 and below in this case */
3370 if (tst < 3)
3371 return 1;
3372#endif
3373
a37008d9
MC		 3374 /* Reset callback counters */
3375 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
3376 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 3377 snicb = 0;
a37008d9 3378
7d7f6834
RL		 3379 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3380 TLS1_VERSION, TLS_MAX_VERSION,
3381 &sctx, &cctx, cert, privkey)))
710756a9 3382 goto end;
a37008d9 3383
bb01ef3f 3384 if (tst == 2
7d7f6834
RL		 3385 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
3386 TLS1_VERSION, TLS_MAX_VERSION,
3387 &sctx2, NULL, cert, privkey)))
bb01ef3f
MC		 3388 goto end;
3389
3390
3391 if (tst < 3) {
a37008d9
MC		 3392 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
3393 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 3394 if (sctx2 != NULL)
3395 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 3396 }
3397
bb01ef3f 3398 if (tst == 4) {
710756a9
RS		 3399 context = SSL_EXT_CLIENT_HELLO
3400 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 3401 | SSL_EXT_TLS1_3_SERVER_HELLO
3402 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
3403 | SSL_EXT_TLS1_3_CERTIFICATE
3404 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
3405 } else {
710756a9
RS		 3406 context = SSL_EXT_CLIENT_HELLO
3407 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 3408 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
3409 }
3410
3411 /* Create a client side custom extension */
3412 if (tst == 0) {
710756a9
RS		 3413 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3414 old_add_cb, old_free_cb,
3415 &client, old_parse_cb,
3416 &client)))
3417 goto end;
a37008d9 3418 } else {
710756a9
RS		 3419 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
3420 new_add_cb, new_free_cb,
3421 &client, new_parse_cb, &client)))
3422 goto end;
a37008d9
MC		 3423 }
3424
3425 /* Should not be able to add duplicates */
710756a9
RS		 3426 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3427 old_add_cb, old_free_cb,
3428 &client, old_parse_cb,
3429 &client))
3430 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
3431 context, new_add_cb,
3432 new_free_cb, &client,
3433 new_parse_cb, &client)))
3434 goto end;
a37008d9
MC		 3435
3436 /* Create a server side custom extension */
3437 if (tst == 0) {
710756a9
RS		 3438 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3439 old_add_cb, old_free_cb,
3440 &server, old_parse_cb,
3441 &server)))
3442 goto end;
a37008d9 3443 } else {
710756a9
RS		 3444 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
3445 new_add_cb, new_free_cb,
3446 &server, new_parse_cb, &server)))
3447 goto end;
bb01ef3f
MC		 3448 if (sctx2 != NULL
3449 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
3450 context, new_add_cb,
3451 new_free_cb, &server,
3452 new_parse_cb, &server)))
3453 goto end;
a37008d9
MC		 3454 }
3455
3456 /* Should not be able to add duplicates */
710756a9
RS		 3457 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3458 old_add_cb, old_free_cb,
3459 &server, old_parse_cb,
3460 &server))
3461 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
3462 context, new_add_cb,
3463 new_free_cb, &server,
3464 new_parse_cb, &server)))
a37008d9 3465 goto end;
a37008d9 3466
bb01ef3f
MC		 3467 if (tst == 2) {
3468 /* Set up SNI */
3469 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
3470 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
3471 goto end;
3472 }
3473
710756a9
RS		 3474 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3475 &clientssl, NULL, NULL))
3476 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3477 SSL_ERROR_NONE)))
a37008d9 3478 goto end;
a37008d9
MC		 3479
3480 if (tst == 0) {
710756a9
RS		 3481 if (clntaddoldcb != 1
3482 || clntparseoldcb != 1
3483 || srvaddoldcb != 1
3484 || srvparseoldcb != 1)
a37008d9 3485 goto end;
bb01ef3f 3486 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 3487 if (clntaddnewcb != 1
3488 || clntparsenewcb != 1
3489 || srvaddnewcb != 1
bb01ef3f
MC		 3490 || srvparsenewcb != 1
3491 || (tst != 2 && snicb != 0)
3492 || (tst == 2 && snicb != 1))
a37008d9 3493 goto end;
a37008d9 3494 } else {
36ff232c 3495 /* In this case there 2 NewSessionTicket messages created */
710756a9 3496 if (clntaddnewcb != 1
36ff232c
MC		 3497 || clntparsenewcb != 5
3498 || srvaddnewcb != 5
710756a9 3499 || srvparsenewcb != 1)
a37008d9 3500 goto end;
a37008d9
MC		 3501 }
3502
3503 sess = SSL_get1_session(clientssl);
a37008d9
MC		 3504 SSL_shutdown(clientssl);
3505 SSL_shutdown(serverssl);
a37008d9
MC		 3506 SSL_free(serverssl);
3507 SSL_free(clientssl);
3508 serverssl = clientssl = NULL;
3509
bb01ef3f
MC		 3510 if (tst == 3) {
3511 /* We don't bother with the resumption aspects for this test */
3512 testresult = 1;
3513 goto end;
3514 }
3515
710756a9
RS		 3516 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3517 NULL, NULL))
3518 || !TEST_true(SSL_set_session(clientssl, sess))
3519 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3520 SSL_ERROR_NONE)))
a37008d9 3521 goto end;
a37008d9
MC		 3522
3523 /*
3524 * For a resumed session we expect to add the ClientHello extension. For the
3525 * old style callbacks we ignore it on the server side because they set
3526 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
3527 * them.
3528 */
3529 if (tst == 0) {
710756a9
RS		 3530 if (clntaddoldcb != 2
3531 || clntparseoldcb != 1
3532 || srvaddoldcb != 1
3533 || srvparseoldcb != 1)
a37008d9 3534 goto end;
bb01ef3f 3535 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 3536 if (clntaddnewcb != 2
3537 || clntparsenewcb != 2
3538 || srvaddnewcb != 2
3539 || srvparsenewcb != 2)
a37008d9 3540 goto end;
a37008d9 3541 } else {
36ff232c
MC		 3542 /*
3543 * No Certificate message extensions in the resumption handshake,
3544 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
3545 */
710756a9 3546 if (clntaddnewcb != 2
36ff232c
MC		 3547 || clntparsenewcb != 8
3548 || srvaddnewcb != 8
710756a9 3549 || srvparsenewcb != 2)
a37008d9 3550 goto end;
a37008d9
MC		 3551 }
3552
3553 testresult = 1;
3554
3555end:
3556 SSL_SESSION_free(sess);
3557 SSL_free(serverssl);
3558 SSL_free(clientssl);
bb01ef3f 3559 SSL_CTX_free(sctx2);
a37008d9
MC		 3560 SSL_CTX_free(sctx);
3561 SSL_CTX_free(cctx);
a37008d9
MC		 3562 return testresult;
3563}
3564
16afd71c
MC		 3565/*
3566 * Test loading of serverinfo data in various formats. test_sslmessages actually
3567 * tests to make sure the extensions appear in the handshake
3568 */
3569static int test_serverinfo(int tst)
3570{
3571 unsigned int version;
3572 unsigned char *sibuf;
3573 size_t sibuflen;
3574 int ret, expected, testresult = 0;
3575 SSL_CTX *ctx;
3576
3577 ctx = SSL_CTX_new(TLS_method());
3578 if (!TEST_ptr(ctx))
3579 goto end;
3580
3581 if ((tst & 0x01) == 0x01)
3582 version = SSL_SERVERINFOV2;
3583 else
3584 version = SSL_SERVERINFOV1;
3585
3586 if ((tst & 0x02) == 0x02) {
3587 sibuf = serverinfov2;
3588 sibuflen = sizeof(serverinfov2);
3589 expected = (version == SSL_SERVERINFOV2);
3590 } else {
3591 sibuf = serverinfov1;
3592 sibuflen = sizeof(serverinfov1);
3593 expected = (version == SSL_SERVERINFOV1);
3594 }
3595
3596 if ((tst & 0x04) == 0x04) {
3597 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
3598 } else {
3599 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
3600
3601 /*
3602 * The version variable is irrelevant in this case - it's what is in the
3603 * buffer that matters
3604 */
3605 if ((tst & 0x02) == 0x02)
3606 expected = 0;
3607 else
3608 expected = 1;
3609 }
3610
3611 if (!TEST_true(ret == expected))
3612 goto end;
3613
3614 testresult = 1;
3615
3616 end:
3617 SSL_CTX_free(ctx);
3618
3619 return testresult;
3620}
3621
2197d1df
MC		 3622/*
3623 * Test that SSL_export_keying_material() produces expected results. There are
3624 * no test vectors so all we do is test that both sides of the communication
3625 * produce the same results for different protocol versions.
3626 */
3627static int test_export_key_mat(int tst)
3628{
a599574b 3629 int testresult = 0;
2197d1df
MC		 3630 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3631 SSL *clientssl = NULL, *serverssl = NULL;
3632 const char label[] = "test label";
3633 const unsigned char context[] = "context";
3634 const unsigned char *emptycontext = NULL;
3635 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
3636 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
a599574b
MC		 3637 const int protocols[] = {
3638 TLS1_VERSION,
3639 TLS1_1_VERSION,
3640 TLS1_2_VERSION,
3641 TLS1_3_VERSION
3642 };
2197d1df
MC		 3643
3644#ifdef OPENSSL_NO_TLS1
3645 if (tst == 0)
3646 return 1;
3647#endif
3648#ifdef OPENSSL_NO_TLS1_1
3649 if (tst == 1)
3650 return 1;
3651#endif
3652#ifdef OPENSSL_NO_TLS1_2
3653 if (tst == 2)
3654 return 1;
3655#endif
3656#ifdef OPENSSL_NO_TLS1_3
3657 if (tst == 3)
3658 return 1;
3659#endif
7d7f6834
RL		 3660 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3661 TLS1_VERSION, TLS_MAX_VERSION,
3662 &sctx, &cctx, cert, privkey)))
2197d1df
MC		 3663 goto end;
3664
a599574b
MC		 3665 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
3666 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
3667 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
2197d1df
MC		 3668
3669 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
3670 NULL))
3671 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3672 SSL_ERROR_NONE)))
3673 goto end;
3674
3675 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
3676 sizeof(ckeymat1), label,
3677 sizeof(label) - 1, context,
3678 sizeof(context) - 1, 1), 1)
3679 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
3680 sizeof(ckeymat2), label,
3681 sizeof(label) - 1,
3682 emptycontext,
3683 0, 1), 1)
3684 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
3685 sizeof(ckeymat3), label,
3686 sizeof(label) - 1,
3687 NULL, 0, 0), 1)
3688 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
3689 sizeof(skeymat1), label,
3690 sizeof(label) - 1,
3691 context,
3692 sizeof(context) -1, 1),
3693 1)
3694 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
3695 sizeof(skeymat2), label,
3696 sizeof(label) - 1,
3697 emptycontext,
3698 0, 1), 1)
3699 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
3700 sizeof(skeymat3), label,
3701 sizeof(label) - 1,
3702 NULL, 0, 0), 1)
3703 /*
3704 * Check that both sides created the same key material with the
3705 * same context.
3706 */
3707 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3708 sizeof(skeymat1))
3709 /*
3710 * Check that both sides created the same key material with an
3711 * empty context.
3712 */
3713 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3714 sizeof(skeymat2))
3715 /*
3716 * Check that both sides created the same key material without a
3717 * context.
3718 */
3719 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
3720 sizeof(skeymat3))
3721 /* Different contexts should produce different results */
3722 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3723 sizeof(ckeymat2)))
3724 goto end;
3725
3726 /*
3727 * Check that an empty context and no context produce different results in
3728 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
3729 */
3730 if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
3731 sizeof(ckeymat3)))
3732 || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
3733 sizeof(ckeymat3))))
3734 goto end;
3735
3736 testresult = 1;
3737
3738 end:
3739 SSL_free(serverssl);
3740 SSL_free(clientssl);
3741 SSL_CTX_free(sctx2);
3742 SSL_CTX_free(sctx);
3743 SSL_CTX_free(cctx);
3744
3745 return testresult;
3746}
3747
b38ede80
TT		 3748#ifndef OPENSSL_NO_TLS1_3
3749/*
3750 * Test that SSL_export_keying_material_early() produces expected
3751 * results. There are no test vectors so all we do is test that both
3752 * sides of the communication produce the same results for different
3753 * protocol versions.
3754 */
3755static int test_export_key_mat_early(int idx)
3756{
3757 static const char label[] = "test label";
3758 static const unsigned char context[] = "context";
3759 int testresult = 0;
3760 SSL_CTX *cctx = NULL, *sctx = NULL;
3761 SSL *clientssl = NULL, *serverssl = NULL;
3762 SSL_SESSION *sess = NULL;
3763 const unsigned char *emptycontext = NULL;
3764 unsigned char ckeymat1[80], ckeymat2[80];
3765 unsigned char skeymat1[80], skeymat2[80];
3766 unsigned char buf[1];
3767 size_t readbytes, written;
3768
3769 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
3770 &sess, idx)))
3771 goto end;
3772
3773 /* Here writing 0 length early data is enough. */
3774 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
3775 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3776 &readbytes),
3777 SSL_READ_EARLY_DATA_ERROR)
3778 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3779 SSL_EARLY_DATA_ACCEPTED))
3780 goto end;
3781
3782 if (!TEST_int_eq(SSL_export_keying_material_early(
3783 clientssl, ckeymat1, sizeof(ckeymat1), label,
3784 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3785 || !TEST_int_eq(SSL_export_keying_material_early(
3786 clientssl, ckeymat2, sizeof(ckeymat2), label,
3787 sizeof(label) - 1, emptycontext, 0), 1)
3788 || !TEST_int_eq(SSL_export_keying_material_early(
3789 serverssl, skeymat1, sizeof(skeymat1), label,
3790 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3791 || !TEST_int_eq(SSL_export_keying_material_early(
3792 serverssl, skeymat2, sizeof(skeymat2), label,
3793 sizeof(label) - 1, emptycontext, 0), 1)
3794 /*
3795 * Check that both sides created the same key material with the
3796 * same context.
3797 */
3798 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3799 sizeof(skeymat1))
3800 /*
3801 * Check that both sides created the same key material with an
3802 * empty context.
3803 */
3804 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3805 sizeof(skeymat2))
3806 /* Different contexts should produce different results */
3807 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3808 sizeof(ckeymat2)))
3809 goto end;
3810
3811 testresult = 1;
3812
3813 end:
c20e3b28 3814 SSL_SESSION_free(sess);
b38ede80
TT		 3815 SSL_SESSION_free(clientpsk);
3816 SSL_SESSION_free(serverpsk);
34ff74eb 3817 clientpsk = serverpsk = NULL;
b38ede80
TT		 3818 SSL_free(serverssl);
3819 SSL_free(clientssl);
3820 SSL_CTX_free(sctx);
3821 SSL_CTX_free(cctx);
3822
3823 return testresult;
3824}
3825#endif /* OPENSSL_NO_TLS1_3 */
3826
e11b6aa4
MC		 3827static int test_ssl_clear(int idx)
3828{
3829 SSL_CTX *cctx = NULL, *sctx = NULL;
3830 SSL *clientssl = NULL, *serverssl = NULL;
3831 int testresult = 0;
3832
3833#ifdef OPENSSL_NO_TLS1_2
3834 if (idx == 1)
3835 return 1;
3836#endif
3837
3838 /* Create an initial connection */
7d7f6834
RL		 3839 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3840 TLS1_VERSION, TLS_MAX_VERSION,
3841 &sctx, &cctx, cert, privkey))
e11b6aa4
MC		 3842 || (idx == 1
3843 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
3844 TLS1_2_VERSION)))
3845 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3846 &clientssl, NULL, NULL))
3847 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3848 SSL_ERROR_NONE)))
3849 goto end;
3850
3851 SSL_shutdown(clientssl);
3852 SSL_shutdown(serverssl);
3853 SSL_free(serverssl);
3854 serverssl = NULL;
3855
3856 /* Clear clientssl - we're going to reuse the object */
3857 if (!TEST_true(SSL_clear(clientssl)))
3858 goto end;
3859
3860 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3861 NULL, NULL))
3862 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3863 SSL_ERROR_NONE))
3864 || !TEST_true(SSL_session_reused(clientssl)))
3865 goto end;
3866
3867 SSL_shutdown(clientssl);
3868 SSL_shutdown(serverssl);
3869
3870 testresult = 1;
3871
3872 end:
3873 SSL_free(serverssl);
3874 SSL_free(clientssl);
3875 SSL_CTX_free(sctx);
3876 SSL_CTX_free(cctx);
3877
3878 return testresult;
3879}
3880
cf72c757
F		 3881/* Parse CH and retrieve any MFL extension value if present */
3882static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
3883{
3884 long len;
3885 unsigned char *data;
3886 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
3887 unsigned int MFL_code = 0, type = 0;
3888
3889 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
3890 goto end;
3891
3892 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
3893 /* Skip the record header */
3894 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
3895 /* Skip the handshake message header */
3896 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
3897 /* Skip client version and random */
3898 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
3899 + SSL3_RANDOM_SIZE))
3900 /* Skip session id */
3901 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3902 /* Skip ciphers */
3903 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
3904 /* Skip compression */
3905 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3906 /* Extensions len */
3907 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
3908 goto end;
3909
3910 /* Loop through all extensions */
3911 while (PACKET_remaining(&pkt2)) {
3912 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
3913 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
3914 goto end;
3915
3916 if (type == TLSEXT_TYPE_max_fragment_length) {
3917 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
3918 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
3919 goto end;
3920
3921 *mfl_codemfl_code = MFL_code;
3922 return 1;
3923 }
3924 }
3925
3926 end:
3927 return 0;
3928}
3929
3930/* Maximum-Fragment-Length TLS extension mode to test */
3931static const unsigned char max_fragment_len_test[] = {
3932 TLSEXT_max_fragment_length_512,
3933 TLSEXT_max_fragment_length_1024,
3934 TLSEXT_max_fragment_length_2048,
3935 TLSEXT_max_fragment_length_4096
3936};
3937
3938static int test_max_fragment_len_ext(int idx_tst)
3939{
3940 SSL_CTX *ctx;
3941 SSL *con = NULL;
3942 int testresult = 0, MFL_mode = 0;
3943 BIO *rbio, *wbio;
3944
3945 ctx = SSL_CTX_new(TLS_method());
3946 if (!TEST_ptr(ctx))
3947 goto end;
3948
3949 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
3950 ctx, max_fragment_len_test[idx_tst])))
3951 goto end;
3952
3953 con = SSL_new(ctx);
3954 if (!TEST_ptr(con))
3955 goto end;
3956
3957 rbio = BIO_new(BIO_s_mem());
3958 wbio = BIO_new(BIO_s_mem());
3959 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
3960 BIO_free(rbio);
3961 BIO_free(wbio);
3962 goto end;
3963 }
3964
3965 SSL_set_bio(con, rbio, wbio);
3966 SSL_set_connect_state(con);
3967
3968 if (!TEST_int_le(SSL_connect(con), 0)) {
3969 /* This shouldn't succeed because we don't have a server! */
3970 goto end;
3971 }
3972
3973 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
3974 /* no MFL in client hello */
3975 goto end;
3976 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
3977 goto end;
3978
3979 testresult = 1;
3980
3981end:
3982 SSL_free(con);
3983 SSL_CTX_free(ctx);
3984
3985 return testresult;
3986}
3987
9d75dce3
TS		 3988#ifndef OPENSSL_NO_TLS1_3
3989static int test_pha_key_update(void)
3990{
3991 SSL_CTX *cctx = NULL, *sctx = NULL;
3992 SSL *clientssl = NULL, *serverssl = NULL;
3993 int testresult = 0;
3994
7d7f6834
RL		 3995 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3996 TLS1_VERSION, TLS_MAX_VERSION,
9d75dce3
TS		 3997 &sctx, &cctx, cert, privkey)))
3998 return 0;
3999
4000 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
4001 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
4002 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
4003 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
4004 goto end;
4005
4006
4007 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4008 NULL, NULL)))
4009 goto end;
4010
4011 SSL_force_post_handshake_auth(clientssl);
4012
4013 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4014 SSL_ERROR_NONE)))
4015 goto end;
4016
4017 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
4018 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
4019 goto end;
4020
4021 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
4022 goto end;
4023
4024 /* Start handshake on the server */
4025 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
4026 goto end;
4027
4028 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
4029 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4030 SSL_ERROR_NONE)))
4031 goto end;
4032
4033 SSL_shutdown(clientssl);
4034 SSL_shutdown(serverssl);
4035
4036 testresult = 1;
4037
4038 end:
4039 SSL_free(serverssl);
4040 SSL_free(clientssl);
4041 SSL_CTX_free(sctx);
4042 SSL_CTX_free(cctx);
4043 return testresult;
4044}
4045#endif
4046
76fd7a1d
MC		 4047#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
4048
4049static SRP_VBASE *vbase = NULL;
4050
4051static int ssl_srp_cb(SSL *s, int *ad, void *arg)
4052{
4053 int ret = SSL3_AL_FATAL;
4054 char *username;
4055 SRP_user_pwd *user = NULL;
4056
4057 username = SSL_get_srp_username(s);
4058 if (username == NULL) {
4059 *ad = SSL_AD_INTERNAL_ERROR;
4060 goto err;
4061 }
4062
4063 user = SRP_VBASE_get1_by_user(vbase, username);
4064 if (user == NULL) {
4065 *ad = SSL_AD_INTERNAL_ERROR;
4066 goto err;
4067 }
4068
4069 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
4070 user->info) <= 0) {
4071 *ad = SSL_AD_INTERNAL_ERROR;
4072 goto err;
4073 }
4074
4075 ret = 0;
4076
4077 err:
4078 SRP_user_pwd_free(user);
4079 return ret;
4080}
4081
4082static int create_new_vfile(char *userid, char *password, const char *filename)
4083{
4084 char *gNid = NULL;
4085 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
4086 TXT_DB *db = NULL;
4087 int ret = 0;
4088 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
4089 size_t i;
4090
4091 if (!TEST_ptr(dummy) || !TEST_ptr(row))
4092 goto end;
4093
4094 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
4095 &row[DB_srpverifier], NULL, NULL);
4096 if (!TEST_ptr(gNid))
4097 goto end;
4098
4099 /*
4100 * The only way to create an empty TXT_DB is to provide a BIO with no data
4101 * in it!
4102 */
4103 db = TXT_DB_read(dummy, DB_NUMBER);
4104 if (!TEST_ptr(db))
4105 goto end;
4106
4107 out = BIO_new_file(filename, "w");
4108 if (!TEST_ptr(out))
4109 goto end;
4110
4111 row[DB_srpid] = OPENSSL_strdup(userid);
4112 row[DB_srptype] = OPENSSL_strdup("V");
4113 row[DB_srpgN] = OPENSSL_strdup(gNid);
4114
4115 if (!TEST_ptr(row[DB_srpid])
4116 || !TEST_ptr(row[DB_srptype])
4117 || !TEST_ptr(row[DB_srpgN])
4118 || !TEST_true(TXT_DB_insert(db, row)))
4119 goto end;
4120
4121 row = NULL;
4122
4123 if (!TXT_DB_write(out, db))
4124 goto end;
4125
4126 ret = 1;
4127 end:
4128 if (row != NULL) {
4129 for (i = 0; i < DB_NUMBER; i++)
4130 OPENSSL_free(row[i]);
4131 }
4132 OPENSSL_free(row);
4133 BIO_free(dummy);
4134 BIO_free(out);
4135 TXT_DB_free(db);
4136
4137 return ret;
4138}
4139
4140static int create_new_vbase(char *userid, char *password)
4141{
4142 BIGNUM *verifier = NULL, *salt = NULL;
4143 const SRP_gN *lgN = NULL;
4144 SRP_user_pwd *user_pwd = NULL;
4145 int ret = 0;
4146
4147 lgN = SRP_get_default_gN(NULL);
4148 if (!TEST_ptr(lgN))
4149 goto end;
4150
4151 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
4152 lgN->N, lgN->g)))
4153 goto end;
4154
4155 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
4156 if (!TEST_ptr(user_pwd))
4157 goto end;
4158
4159 user_pwd->N = lgN->N;
4160 user_pwd->g = lgN->g;
4161 user_pwd->id = OPENSSL_strdup(userid);
4162 if (!TEST_ptr(user_pwd->id))
4163 goto end;
4164
4165 user_pwd->v = verifier;
4166 user_pwd->s = salt;
4167 verifier = salt = NULL;
4168
4169 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
4170 goto end;
4171 user_pwd = NULL;
4172
4173 ret = 1;
4174end:
4175 SRP_user_pwd_free(user_pwd);
4176 BN_free(salt);
4177 BN_free(verifier);
4178
4179 return ret;
4180}
4181
4182/*
4183 * SRP tests
4184 *
4185 * Test 0: Simple successful SRP connection, new vbase
4186 * Test 1: Connection failure due to bad password, new vbase
4187 * Test 2: Simple successful SRP connection, vbase loaded from existing file
4188 * Test 3: Connection failure due to bad password, vbase loaded from existing
4189 * file
4190 * Test 4: Simple successful SRP connection, vbase loaded from new file
4191 * Test 5: Connection failure due to bad password, vbase loaded from new file
4192 */
4193static int test_srp(int tst)
4194{
4195 char *userid = "test", *password = "password", *tstsrpfile;
4196 SSL_CTX *cctx = NULL, *sctx = NULL;
4197 SSL *clientssl = NULL, *serverssl = NULL;
4198 int ret, testresult = 0;
4199
4200 vbase = SRP_VBASE_new(NULL);
4201 if (!TEST_ptr(vbase))
4202 goto end;
4203
4204 if (tst == 0 || tst == 1) {
4205 if (!TEST_true(create_new_vbase(userid, password)))
4206 goto end;
4207 } else {
4208 if (tst == 4 || tst == 5) {
4209 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
4210 goto end;
4211 tstsrpfile = tmpfilename;
4212 } else {
4213 tstsrpfile = srpvfile;
4214 }
4215 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
4216 goto end;
4217 }
4218
4219 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4220 TLS1_VERSION, TLS_MAX_VERSION,
4221 &sctx, &cctx, cert, privkey)))
4222 goto end;
4223
4224 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
4225 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
4226 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
4227 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
4228 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
4229 goto end;
4230
4231 if (tst % 2 == 1) {
4232 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
4233 goto end;
4234 } else {
4235 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
4236 goto end;
4237 }
4238
4239 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4240 NULL, NULL)))
4241 goto end;
4242
4243 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
4244 if (ret) {
4245 if (!TEST_true(tst % 2 == 0))
4246 goto end;
4247 } else {
4248 if (!TEST_true(tst % 2 == 1))
4249 goto end;
4250 }
4251
4252 testresult = 1;
4253
4254 end:
4255 SRP_VBASE_free(vbase);
4256 vbase = NULL;
4257 SSL_free(serverssl);
4258 SSL_free(clientssl);
4259 SSL_CTX_free(sctx);
4260 SSL_CTX_free(cctx);
4261
4262 return testresult;
4263}
4264#endif
4265
5718fe45
MC		 4266static int info_cb_failed = 0;
4267static int info_cb_offset = 0;
4268static int info_cb_this_state = -1;
4269
4270static struct info_cb_states_st {
4271 int where;
4272 const char *statestr;
4273} info_cb_states[][60] = {
4274 {
4275 /* TLSv1.2 server followed by resumption */
4276 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4277 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4278 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
4279 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
4280 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
4281 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4282 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4283 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4284 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4285 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4286 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
4287 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4288 {SSL_CB_EXIT, NULL}, {0, NULL},
4289 }, {
4290 /* TLSv1.2 client followed by resumption */
4291 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4292 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4293 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
4294 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
4295 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
4296 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4297 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
4298 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4299 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4300 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4301 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4302 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4303 }, {
4304 /* TLSv1.3 server followed by resumption */
4305 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4306 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4307 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
4308 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
4309 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4310 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4311 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5718fe45 4312 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TWST"},
36ff232c
MC		 4313 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4314 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4315 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4316 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"},
4317 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL},
4318 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4319 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4320 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4321 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 4322 }, {
4323 /* TLSv1.3 client followed by resumption */
4324 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4325 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4326 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
4327 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
4328 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4329 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4330 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4331 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
36ff232c
MC		 4332 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "},
4333 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4334 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5718fe45
MC		 4335 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4336 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
4337 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4338 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4339 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4340 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "},
4341 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4342 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4343 }, {
4344 /* TLSv1.3 server, early_data */
4345 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4346 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4347 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
4348 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4349 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4350 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4351 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4352 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4353 {SSL_CB_EXIT, NULL}, {0, NULL},
4354 }, {
4355 /* TLSv1.3 client, early_data */
4356 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4357 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
4358 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4359 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4360 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4361 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
4362 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4363 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4364 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4365 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4366 }, {
4367 {0, NULL},
4368 }
4369};
4370
4371static void sslapi_info_callback(const SSL *s, int where, int ret)
4372{
4373 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
4374
4375 /* We do not ever expect a connection to fail in this test */
4376 if (!TEST_false(ret == 0)) {
4377 info_cb_failed = 1;
4378 return;
4379 }
4380
4381 /*
4382 * Do some sanity checks. We never expect these things to happen in this
4383 * test
4384 */
4385 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
4386 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
4387 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
4388 info_cb_failed = 1;
4389 return;
4390 }
4391
4392 /* Now check we're in the right state */
4393 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
4394 info_cb_failed = 1;
4395 return;
4396 }
4397 if ((where & SSL_CB_LOOP) != 0
4398 && !TEST_int_eq(strcmp(SSL_state_string(s),
4399 state[info_cb_this_state].statestr), 0)) {
4400 info_cb_failed = 1;
4401 return;
4402 }
033c181b
MC		 4403
4404 /* Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init */
4405 if ((where & SSL_CB_HANDSHAKE_DONE) && SSL_in_init((SSL *)s) != 0) {
4406 info_cb_failed = 1;
4407 return;
4408 }
5718fe45
MC		 4409}
4410
4411/*
4412 * Test the info callback gets called when we expect it to.
4413 *
4414 * Test 0: TLSv1.2, server
4415 * Test 1: TLSv1.2, client
4416 * Test 2: TLSv1.3, server
4417 * Test 3: TLSv1.3, client
4418 * Test 4: TLSv1.3, server, early_data
4419 * Test 5: TLSv1.3, client, early_data
4420 */
4421static int test_info_callback(int tst)
4422{
4423 SSL_CTX *cctx = NULL, *sctx = NULL;
4424 SSL *clientssl = NULL, *serverssl = NULL;
4425 SSL_SESSION *clntsess = NULL;
4426 int testresult = 0;
4427 int tlsvers;
4428
4429 if (tst < 2) {
4430#ifndef OPENSSL_NO_TLS1_2
4431 tlsvers = TLS1_2_VERSION;
4432#else
4433 return 1;
4434#endif
4435 } else {
4436#ifndef OPENSSL_NO_TLS1_3
4437 tlsvers = TLS1_3_VERSION;
4438#else
4439 return 1;
4440#endif
4441 }
4442
4443 /* Reset globals */
4444 info_cb_failed = 0;
4445 info_cb_this_state = -1;
4446 info_cb_offset = tst;
4447
6e07834c 4448#ifndef OPENSSL_NO_TLS1_3
5718fe45
MC		 4449 if (tst >= 4) {
4450 SSL_SESSION *sess = NULL;
4451 size_t written, readbytes;
4452 unsigned char buf[80];
4453
4454 /* early_data tests */
4455 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4456 &serverssl, &sess, 0)))
4457 goto end;
4458
4459 /* We don't actually need this reference */
4460 SSL_SESSION_free(sess);
4461
4462 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
4463 sslapi_info_callback);
4464
4465 /* Write and read some early data and then complete the connection */
4466 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4467 &written))
4468 || !TEST_size_t_eq(written, strlen(MSG1))
4469 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
4470 sizeof(buf), &readbytes),
4471 SSL_READ_EARLY_DATA_SUCCESS)
4472 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
4473 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4474 SSL_EARLY_DATA_ACCEPTED)
4475 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4476 SSL_ERROR_NONE))
4477 || !TEST_false(info_cb_failed))
4478 goto end;
4479
4480 testresult = 1;
4481 goto end;
4482 }
6e07834c 4483#endif
5718fe45
MC		 4484
4485 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4486 TLS_client_method(),
4487 tlsvers, tlsvers, &sctx, &cctx, cert,
4488 privkey)))
4489 goto end;
4490
4491 /*
4492 * For even numbered tests we check the server callbacks. For odd numbers we
4493 * check the client.
4494 */
4495 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
4496 sslapi_info_callback);
4497
4498 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4499 &clientssl, NULL, NULL))
4500 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4501 SSL_ERROR_NONE))
4502 || !TEST_false(info_cb_failed))
4503 goto end;
4504
4505
4506
4507 clntsess = SSL_get1_session(clientssl);
4508 SSL_shutdown(clientssl);
4509 SSL_shutdown(serverssl);
4510 SSL_free(serverssl);
4511 SSL_free(clientssl);
4512 serverssl = clientssl = NULL;
4513
4514 /* Now do a resumption */
4515 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4516 NULL))
4517 || !TEST_true(SSL_set_session(clientssl, clntsess))
4518 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4519 SSL_ERROR_NONE))
4520 || !TEST_true(SSL_session_reused(clientssl))
4521 || !TEST_false(info_cb_failed))
4522 goto end;
4523
4524 testresult = 1;
4525
4526 end:
4527 SSL_free(serverssl);
4528 SSL_free(clientssl);
4529 SSL_SESSION_free(clntsess);
4530 SSL_CTX_free(sctx);
4531 SSL_CTX_free(cctx);
4532 return testresult;
4533}
4534
4a432af8
MC		 4535static int test_ssl_pending(int tst)
4536{
4537 SSL_CTX *cctx = NULL, *sctx = NULL;
4538 SSL *clientssl = NULL, *serverssl = NULL;
4539 int testresult = 0;
4540 char msg[] = "A test message";
4541 char buf[5];
4542 size_t written, readbytes;
4543
4544 if (tst == 0) {
4545 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4546 TLS_client_method(),
4547 TLS1_VERSION, TLS_MAX_VERSION,
4548 &sctx, &cctx, cert, privkey)))
4549 goto end;
4550 } else {
4551#ifndef OPENSSL_NO_DTLS
4552 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
4553 DTLS_client_method(),
4554 DTLS1_VERSION, DTLS_MAX_VERSION,
4555 &sctx, &cctx, cert, privkey)))
4556 goto end;
4557#else
4558 return 1;
4559#endif
4560 }
4561
4562 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4563 NULL, NULL))
4564 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4565 SSL_ERROR_NONE)))
4566 goto end;
4567
e8251092
MC		 4568 if (!TEST_int_eq(SSL_pending(clientssl), 0)
4569 || !TEST_false(SSL_has_pending(clientssl))
4570 || !TEST_int_eq(SSL_pending(serverssl), 0)
4571 || !TEST_false(SSL_has_pending(serverssl))
4572 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4a432af8
MC		 4573 || !TEST_size_t_eq(written, sizeof(msg))
4574 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4575 || !TEST_size_t_eq(readbytes, sizeof(buf))
e8251092
MC		 4576 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
4577 || !TEST_true(SSL_has_pending(clientssl)))
4a432af8
MC		 4578 goto end;
4579
4580 testresult = 1;
4581
4582 end:
4583 SSL_free(serverssl);
4584 SSL_free(clientssl);
4585 SSL_CTX_free(sctx);
4586 SSL_CTX_free(cctx);
4587
4588 return testresult;
4589}
4590
e401389a
MC		 4591static struct {
4592 unsigned int maxprot;
4593 const char *clntciphers;
4594 const char *clnttls13ciphers;
4595 const char *srvrciphers;
4596 const char *srvrtls13ciphers;
4597 const char *shared;
4598} shared_ciphers_data[] = {
60155b9a
MC		 4599/*
4600 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
4601 * TLSv1.3 is enabled but TLSv1.2 is disabled.
4602 */
4603#if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
e401389a
MC		 4604 {
4605 TLS1_2_VERSION,
4606 "AES128-SHA:AES256-SHA",
4607 NULL,
4608 "AES256-SHA:DHE-RSA-AES128-SHA",
4609 NULL,
4610 "AES256-SHA"
4611 },
4612 {
4613 TLS1_2_VERSION,
4614 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
4615 NULL,
4616 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
4617 NULL,
4618 "AES128-SHA:AES256-SHA"
4619 },
4620 {
4621 TLS1_2_VERSION,
4622 "AES128-SHA:AES256-SHA",
4623 NULL,
4624 "AES128-SHA:DHE-RSA-AES128-SHA",
4625 NULL,
4626 "AES128-SHA"
4627 },
60155b9a
MC		 4628#endif
4629/*
4630 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
4631 * enabled.
4632 */
4633#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
4634 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e401389a
MC		 4635 {
4636 TLS1_3_VERSION,
4637 "AES128-SHA:AES256-SHA",
4638 NULL,
4639 "AES256-SHA:AES128-SHA256",
4640 NULL,
4641 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
4642 "TLS_AES_128_GCM_SHA256:AES256-SHA"
4643 },
60155b9a
MC		 4644#endif
4645#ifndef OPENSSL_NO_TLS1_3
e401389a
MC		 4646 {
4647 TLS1_3_VERSION,
4648 "AES128-SHA",
4649 "TLS_AES_256_GCM_SHA384",
4650 "AES256-SHA",
4651 "TLS_AES_256_GCM_SHA384",
4652 "TLS_AES_256_GCM_SHA384"
4653 },
4654#endif
4655};
4656
4657static int test_ssl_get_shared_ciphers(int tst)
4658{
4659 SSL_CTX *cctx = NULL, *sctx = NULL;
4660 SSL *clientssl = NULL, *serverssl = NULL;
4661 int testresult = 0;
4662 char buf[1024];
4663
4664 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4665 TLS_client_method(),
4666 TLS1_VERSION,
4667 shared_ciphers_data[tst].maxprot,
4668 &sctx, &cctx, cert, privkey)))
4669 goto end;
4670
4671 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4672 shared_ciphers_data[tst].clntciphers))
4673 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
4674 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4675 shared_ciphers_data[tst].clnttls13ciphers)))
4676 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
4677 shared_ciphers_data[tst].srvrciphers))
4678 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
4679 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4680 shared_ciphers_data[tst].srvrtls13ciphers))))
4681 goto end;
4682
4683
4684 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4685 NULL, NULL))
4686 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4687 SSL_ERROR_NONE)))
4688 goto end;
4689
4690 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
4691 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
4692 TEST_info("Shared ciphers are: %s\n", buf);
4693 goto end;
4694 }
4695
4696 testresult = 1;
4697
4698 end:
4699 SSL_free(serverssl);
4700 SSL_free(clientssl);
4701 SSL_CTX_free(sctx);
4702 SSL_CTX_free(cctx);
4703
4704 return testresult;
4705}
4706
d0191fe0 4707static const char *appdata = "Hello World";
61fb5923
MC		 4708static int gen_tick_called, dec_tick_called, tick_key_cb_called;
4709static int tick_key_renew = 0;
4710static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
d0191fe0
MC		 4711
4712static int gen_tick_cb(SSL *s, void *arg)
4713{
4714 gen_tick_called = 1;
4715
4716 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
4717 strlen(appdata));
4718}
4719
4720static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
4721 const unsigned char *keyname,
4722 size_t keyname_length,
61fb5923
MC		 4723 SSL_TICKET_STATUS status,
4724 void *arg)
d0191fe0
MC		 4725{
4726 void *tickdata;
4727 size_t tickdlen;
4728
4729 dec_tick_called = 1;
4730
61fb5923
MC		 4731 if (status == SSL_TICKET_EMPTY)
4732 return SSL_TICKET_RETURN_IGNORE_RENEW;
d0191fe0 4733
61fb5923
MC		 4734 if (!TEST_true(status == SSL_TICKET_SUCCESS
4735 || status == SSL_TICKET_SUCCESS_RENEW))
4736 return SSL_TICKET_RETURN_ABORT;
4737
4738 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
4739 &tickdlen))
d0191fe0
MC		 4740 || !TEST_size_t_eq(tickdlen, strlen(appdata))
4741 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
61fb5923 4742 return SSL_TICKET_RETURN_ABORT;
d0191fe0 4743
61fb5923
MC		 4744 if (tick_key_cb_called) {
4745 /* Don't change what the ticket key callback wanted to do */
4746 switch (status) {
4747 case SSL_TICKET_NO_DECRYPT:
4748 return SSL_TICKET_RETURN_IGNORE_RENEW;
4749
4750 case SSL_TICKET_SUCCESS:
4751 return SSL_TICKET_RETURN_USE;
d0191fe0 4752
61fb5923
MC		 4753 case SSL_TICKET_SUCCESS_RENEW:
4754 return SSL_TICKET_RETURN_USE_RENEW;
4755
4756 default:
4757 return SSL_TICKET_RETURN_ABORT;
4758 }
4759 }
4760 return tick_dec_ret;
4761
4762}
d0191fe0
MC		 4763
4764static int tick_key_cb(SSL *s, unsigned char key_name[16],
4765 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
4766 HMAC_CTX *hctx, int enc)
4767{
4768 const unsigned char tick_aes_key[16] = "0123456789abcdef";
4769 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
4770
61fb5923 4771 tick_key_cb_called = 1;
d0191fe0
MC		 4772 memset(iv, 0, AES_BLOCK_SIZE);
4773 memset(key_name, 0, 16);
4774 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
4775 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
4776 EVP_sha256(), NULL))
4777 return -1;
4778
61fb5923 4779 return tick_key_renew ? 2 : 1;
d0191fe0
MC		 4780}
4781
4782/*
4783 * Test the various ticket callbacks
61fb5923
MC		 4784 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
4785 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
4786 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
4787 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
4788 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
4789 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
4790 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
4791 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
4792 * Test 8: TLSv1.2, ticket key callback, ticket, no renewal
4793 * Test 9: TLSv1.3, ticket key callback, ticket, no renewal
4794 * Test 10: TLSv1.2, ticket key callback, ticket, renewal
4795 * Test 11: TLSv1.3, ticket key callback, ticket, renewal
d0191fe0
MC		 4796 */
4797static int test_ticket_callbacks(int tst)
4798{
4799 SSL_CTX *cctx = NULL, *sctx = NULL;
4800 SSL *clientssl = NULL, *serverssl = NULL;
4801 SSL_SESSION *clntsess = NULL;
4802 int testresult = 0;
4803
4804#ifdef OPENSSL_NO_TLS1_2
ba8b48e9 4805 if (tst % 2 == 0)
d0191fe0
MC		 4806 return 1;
4807#endif
4808#ifdef OPENSSL_NO_TLS1_3
ba8b48e9 4809 if (tst % 2 == 1)
d0191fe0
MC		 4810 return 1;
4811#endif
4812
61fb5923 4813 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
d0191fe0
MC		 4814
4815 /* Which tests the ticket key callback should request renewal for */
61fb5923
MC		 4816 if (tst == 10 || tst == 11)
4817 tick_key_renew = 1;
d0191fe0 4818 else
61fb5923
MC		 4819 tick_key_renew = 0;
4820
4821 /* Which tests the decrypt ticket callback should request renewal for */
4822 switch (tst) {
4823 case 0:
4824 case 1:
4825 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
4826 break;
4827
4828 case 2:
4829 case 3:
4830 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
4831 break;
4832
4833 case 4:
4834 case 5:
4835 tick_dec_ret = SSL_TICKET_RETURN_USE;
4836 break;
4837
4838 case 6:
4839 case 7:
4840 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
4841 break;
4842
4843 default:
4844 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
4845 }
d0191fe0
MC		 4846
4847 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4848 TLS_client_method(),
4849 TLS1_VERSION,
61fb5923
MC		 4850 ((tst % 2) == 0) ? TLS1_2_VERSION
4851 : TLS1_3_VERSION,
d0191fe0
MC		 4852 &sctx, &cctx, cert, privkey)))
4853 goto end;
4854
61fb5923
MC		 4855 /*
4856 * We only want sessions to resume from tickets - not the session cache. So
4857 * switch the cache off.
4858 */
4859 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
4860 goto end;
4861
d0191fe0
MC		 4862 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
4863 NULL)))
4864 goto end;
4865
61fb5923 4866 if (tst >= 8
d0191fe0
MC		 4867 && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
4868 goto end;
4869
4870 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4871 NULL, NULL))
4872 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4873 SSL_ERROR_NONE)))
4874 goto end;
4875
61fb5923
MC		 4876 /*
4877 * The decrypt ticket key callback in TLSv1.2 should be called even though
4878 * we have no ticket yet, because it gets called with a status of
4879 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
4880 * actually send any ticket data). This does not happen in TLSv1.3 because
4881 * it is not valid to send empty ticket data in TLSv1.3.
4882 */
d0191fe0 4883 if (!TEST_int_eq(gen_tick_called, 1)
61fb5923 4884 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
d0191fe0
MC		 4885 goto end;
4886
4887 gen_tick_called = dec_tick_called = 0;
4888
4889 clntsess = SSL_get1_session(clientssl);
4890 SSL_shutdown(clientssl);
4891 SSL_shutdown(serverssl);
4892 SSL_free(serverssl);
4893 SSL_free(clientssl);
4894 serverssl = clientssl = NULL;
4895
4896 /* Now do a resumption */
4897 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4898 NULL))
4899 || !TEST_true(SSL_set_session(clientssl, clntsess))
4900 || !TEST_true(create_ssl_connection(serverssl, clientssl,
61fb5923 4901 SSL_ERROR_NONE)))
d0191fe0
MC		 4902 goto end;
4903
61fb5923
MC		 4904 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
4905 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
4906 if (!TEST_false(SSL_session_reused(clientssl)))
4907 goto end;
4908 } else {
4909 if (!TEST_true(SSL_session_reused(clientssl)))
4910 goto end;
4911 }
4912
d0191fe0 4913 if (!TEST_int_eq(gen_tick_called,
61fb5923
MC		 4914 (tick_key_renew
4915 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
4916 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
4917 ? 1 : 0)
d0191fe0
MC		 4918 || !TEST_int_eq(dec_tick_called, 1))
4919 goto end;
4920
4921 testresult = 1;
4922
4923 end:
4924 SSL_SESSION_free(clntsess);
4925 SSL_free(serverssl);
4926 SSL_free(clientssl);
4927 SSL_CTX_free(sctx);
4928 SSL_CTX_free(cctx);
4929
4930 return testresult;
4931}
4932
ad887416 4933int setup_tests(void)
2cb4b5f6 4934{
ad887416 4935 if (!TEST_ptr(cert = test_get_argument(0))
76fd7a1d
MC		 4936 || !TEST_ptr(privkey = test_get_argument(1))
4937 || !TEST_ptr(srpvfile = test_get_argument(2))
4938 || !TEST_ptr(tmpfilename = test_get_argument(3)))
710756a9 4939 return 0;
2cb4b5f6 4940
f297e4ec
RS		 4941 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
4942#ifdef OPENSSL_NO_CRYPTO_MDEBUG
4943 TEST_error("not supported in this build");
4944 return 0;
4945#else
4946 int i, mcount, rcount, fcount;
4947
4948 for (i = 0; i < 4; i++)
4949 test_export_key_mat(i);
4950 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
4951 test_printf_stdout("malloc %d realloc %d free %d\n",
4952 mcount, rcount, fcount);
4953 return 1;
4954#endif
4955 }
4956
84d5549e 4957 ADD_TEST(test_large_message_tls);
7856332e 4958 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 4959#ifndef OPENSSL_NO_DTLS
84d5549e 4960 ADD_TEST(test_large_message_dtls);
55386bef 4961#endif
8f8c11d8 4962#ifndef OPENSSL_NO_OCSP
c887104f 4963 ADD_TEST(test_tlsext_status_type);
8f8c11d8 4964#endif
eaa776da
MC		 4965 ADD_TEST(test_session_with_only_int_cache);
4966 ADD_TEST(test_session_with_only_ext_cache);
4967 ADD_TEST(test_session_with_both_cache);
36ff232c
MC		 4968#ifndef OPENSSL_NO_TLS1_3
4969 ADD_ALL_TESTS(test_tickets, 3);
4970#endif
7fb4c820 4971 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 4972 ADD_TEST(test_ssl_bio_pop_next_bio);
4973 ADD_TEST(test_ssl_bio_pop_ssl_bio);
4974 ADD_TEST(test_ssl_bio_change_rbio);
4975 ADD_TEST(test_ssl_bio_change_wbio);
c423ecaa 4976#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae 4977 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 4978 ADD_TEST(test_keylog);
c423ecaa 4979#endif
6acdd3e5
CB		 4980#ifndef OPENSSL_NO_TLS1_3
4981 ADD_TEST(test_keylog_no_master_key);
4982#endif
e9ee6536 4983#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 4984 ADD_TEST(test_client_hello_cb);
5f982038
MC		 4985#endif
4986#ifndef OPENSSL_NO_TLS1_3
02a3ed5a 4987 ADD_ALL_TESTS(test_early_data_read_write, 3);
78fb5374
MC		 4988 /*
4989 * We don't do replay tests for external PSK. Replay protection isn't used
4990 * in that scenario.
4991 */
4992 ADD_ALL_TESTS(test_early_data_replay, 2);
02a3ed5a
MC		 4993 ADD_ALL_TESTS(test_early_data_skip, 3);
4994 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
4995 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 4996 ADD_ALL_TESTS(test_early_data_psk, 8);
02a3ed5a 4997 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 4998# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 4999 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 5000# endif
e9ee6536 5001#endif
a273157a 5002#ifndef OPENSSL_NO_TLS1_3
034cb87b 5003 ADD_ALL_TESTS(test_set_ciphersuite, 10);
ca0413ae 5004 ADD_TEST(test_ciphersuite_change);
c2b290c3
MC		 5005#ifdef OPENSSL_NO_PSK
5006 ADD_ALL_TESTS(test_tls13_psk, 1);
5007#else
0d8da779 5008 ADD_ALL_TESTS(test_tls13_psk, 4);
c2b290c3 5009#endif /* OPENSSL_NO_PSK */
bb01ef3f 5010 ADD_ALL_TESTS(test_custom_exts, 5);
c7b8ff25 5011 ADD_TEST(test_stateless);
9d75dce3 5012 ADD_TEST(test_pha_key_update);
a273157a 5013#else
bb01ef3f 5014 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 5015#endif
16afd71c 5016 ADD_ALL_TESTS(test_serverinfo, 8);
2197d1df 5017 ADD_ALL_TESTS(test_export_key_mat, 4);
b38ede80
TT		 5018#ifndef OPENSSL_NO_TLS1_3
5019 ADD_ALL_TESTS(test_export_key_mat_early, 3);
5020#endif
e11b6aa4 5021 ADD_ALL_TESTS(test_ssl_clear, 2);
cf72c757 5022 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
76fd7a1d
MC		 5023#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5024 ADD_ALL_TESTS(test_srp, 6);
5025#endif
5718fe45 5026 ADD_ALL_TESTS(test_info_callback, 6);
4a432af8 5027 ADD_ALL_TESTS(test_ssl_pending, 2);
e401389a 5028 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
61fb5923 5029 ADD_ALL_TESTS(test_ticket_callbacks, 12);
ad887416
P		 5030 return 1;
5031}
2cb4b5f6 5032
ad887416
P		 5033void cleanup_tests(void)
5034{
fa454945 5035 bio_s_mempacket_test_free();
2cb4b5f6 5036}
A mirror of the official openssl repository