]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Rename OPENSSL_CTX prefix to OSSL_LIB_CTX
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
33388b44 2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6 3 *
909f1a2e 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
2cb4b5f6
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
a76ce286
P		 10/*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14#ifndef OPENSSL_NO_DEPRECATED_3_0
15# define OPENSSL_SUPPRESS_DEPRECATED
16#endif
17
7c3a7561 18#include <stdio.h>
ba881d3b
MC		 19#include <string.h>
20
2cb4b5f6
MC		 21#include <openssl/opensslconf.h>
22#include <openssl/bio.h>
23#include <openssl/crypto.h>
24#include <openssl/ssl.h>
ba881d3b 25#include <openssl/ocsp.h>
76fd7a1d
MC		 26#include <openssl/srp.h>
27#include <openssl/txt_db.h>
d0191fe0 28#include <openssl/aes.h>
7c3a7561 29#include <openssl/rand.h>
a76ce286 30#include <openssl/core_names.h>
23c48d94 31#include <openssl/core_dispatch.h>
5e30f2fd 32#include <openssl/provider.h>
2cb4b5f6
MC		 33
34#include "ssltestlib.h"
c887104f 35#include "testutil.h"
f297e4ec 36#include "testutil/output.h"
176db6dc 37#include "internal/nelem.h"
fe5d9450 38#include "internal/ktls.h"
706457b7 39#include "../ssl/ssl_local.h"
2cb4b5f6 40
b3842539
MC		 41/* Defined in filterprov.c */
42OSSL_provider_init_fn filter_provider_init;
43int filter_provider_set_filter(int operation, const char *name);
44
0c13cdf8
MC		 45/* Defined in tls-provider.c */
46int tls_provider_init(const OSSL_CORE_HANDLE *handle,
47 const OSSL_DISPATCH *in,
48 const OSSL_DISPATCH **out,
49 void **provctx);
852c2ed2 50
b4250010 51static OSSL_LIB_CTX *libctx = NULL;
5e30f2fd
MC		 52static OSSL_PROVIDER *defctxnull = NULL;
53
8614a4eb
MC		 54#ifndef OPENSSL_NO_TLS1_3
55
56static SSL_SESSION *clientpsk = NULL;
57static SSL_SESSION *serverpsk = NULL;
58static const char *pskid = "Identity";
59static const char *srvid;
60
61static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
62 size_t *idlen, SSL_SESSION **sess);
63static int find_session_cb(SSL *ssl, const unsigned char *identity,
64 size_t identity_len, SSL_SESSION **sess);
65
66static int use_session_cb_cnt = 0;
67static int find_session_cb_cnt = 0;
68
69static SSL_SESSION *create_a_psk(SSL *ssl);
70#endif
71
1a2a3a42 72static char *certsdir = NULL;
2cb4b5f6
MC		 73static char *cert = NULL;
74static char *privkey = NULL;
b3842539
MC		 75static char *cert2 = NULL;
76static char *privkey2 = NULL;
76fd7a1d
MC		 77static char *srpvfile = NULL;
78static char *tmpfilename = NULL;
2cb4b5f6 79
4f6c7044
MC		 80static int is_fips = 0;
81
cffe973c 82#define LOG_BUFFER_SIZE 2048
6acdd3e5 83static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 84static size_t server_log_buffer_index = 0;
6acdd3e5 85static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 86static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 87static int error_writing_log = 0;
88
8f8c11d8 89#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 90static const unsigned char orespder[] = "Dummy OCSP Response";
91static int ocsp_server_called = 0;
92static int ocsp_client_called = 0;
93
94static int cdummyarg = 1;
95static X509 *ocspcert = NULL;
8f8c11d8 96#endif
ba881d3b 97
84d5549e 98#define NUM_EXTRA_CERTS 40
cf72c757 99#define CLIENT_VERSION_LEN 2
84d5549e 100
f1a5939f
CB		 101/*
102 * This structure is used to validate that the correct number of log messages
103 * of various types are emitted when emitting secret logs.
104 */
105struct sslapitest_log_counts {
106 unsigned int rsa_key_exchange_count;
107 unsigned int master_secret_count;
cffe973c 108 unsigned int client_early_secret_count;
f1a5939f
CB		 109 unsigned int client_handshake_secret_count;
110 unsigned int server_handshake_secret_count;
111 unsigned int client_application_secret_count;
112 unsigned int server_application_secret_count;
01a2a654 113 unsigned int early_exporter_secret_count;
6329ce8f 114 unsigned int exporter_secret_count;
f1a5939f
CB		 115};
116
16afd71c
MC		 117
118static unsigned char serverinfov1[] = {
119 0xff, 0xff, /* Dummy extension type */
120 0x00, 0x01, /* Extension length is 1 byte */
121 0xff /* Dummy extension data */
122};
123
124static unsigned char serverinfov2[] = {
125 0x00, 0x00, 0x00,
126 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
127 0xff, 0xff, /* Dummy extension type */
128 0x00, 0x01, /* Extension length is 1 byte */
129 0xff /* Dummy extension data */
130};
131
104a733d
MC		 132static int hostname_cb(SSL *s, int *al, void *arg)
133{
134 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
135
136 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
137 || strcmp(hostname, "altgoodhost") == 0))
138 return SSL_TLSEXT_ERR_OK;
139
140 return SSL_TLSEXT_ERR_NOACK;
141}
142
710756a9
RS		 143static void client_keylog_callback(const SSL *ssl, const char *line)
144{
6acdd3e5
CB		 145 int line_length = strlen(line);
146
147 /* If the log doesn't fit, error out. */
710756a9
RS		 148 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
149 TEST_info("Client log too full");
6acdd3e5
CB		 150 error_writing_log = 1;
151 return;
152 }
153
154 strcat(client_log_buffer, line);
155 client_log_buffer_index += line_length;
710756a9 156 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 157}
158
710756a9
RS		 159static void server_keylog_callback(const SSL *ssl, const char *line)
160{
6acdd3e5
CB		 161 int line_length = strlen(line);
162
163 /* If the log doesn't fit, error out. */
710756a9 164 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 165 TEST_info("Server log too full");
6acdd3e5
CB		 166 error_writing_log = 1;
167 return;
168 }
169
170 strcat(server_log_buffer, line);
171 server_log_buffer_index += line_length;
710756a9 172 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 173}
174
175static int compare_hex_encoded_buffer(const char *hex_encoded,
176 size_t hex_length,
177 const uint8_t *raw,
710756a9
RS		 178 size_t raw_length)
179{
180 size_t i, j;
181 char hexed[3];
6acdd3e5 182
710756a9 183 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 184 return 1;
6acdd3e5 185
710756a9 186 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 187 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 188 if (!TEST_int_eq(hexed[0], hex_encoded[j])
189 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 190 return 1;
6acdd3e5
CB		 191 }
192
193 return 0;
194}
195
196static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 197 const SSL_SESSION *session,
710756a9
RS		 198 struct sslapitest_log_counts *expected)
199{
6acdd3e5
CB		 200 char *token = NULL;
201 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
202 size_t client_random_size = SSL3_RANDOM_SIZE;
203 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
204 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 205 unsigned int rsa_key_exchange_count = 0;
206 unsigned int master_secret_count = 0;
cffe973c 207 unsigned int client_early_secret_count = 0;
f1a5939f
CB		 208 unsigned int client_handshake_secret_count = 0;
209 unsigned int server_handshake_secret_count = 0;
210 unsigned int client_application_secret_count = 0;
211 unsigned int server_application_secret_count = 0;
01a2a654 212 unsigned int early_exporter_secret_count = 0;
6329ce8f 213 unsigned int exporter_secret_count = 0;
6acdd3e5 214
710756a9
RS		 215 for (token = strtok(buffer, " \n"); token != NULL;
216 token = strtok(NULL, " \n")) {
6acdd3e5 217 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 218 /*
219 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 220 * hex-encoded encrypted secret, then the hex-encoded pre-master
221 * secret.
222 */
710756a9 223 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 224 return 0;
710756a9 225 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 226 return 0;
710756a9 227 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 228 return 0;
f1a5939f
CB		 229 /*
230 * We can't sensibly check the log because the premaster secret is
231 * transient, and OpenSSL doesn't keep hold of it once the master
232 * secret is generated.
233 */
234 rsa_key_exchange_count++;
6acdd3e5 235 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 236 /*
237 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 238 * client random, then the hex-encoded master secret.
239 */
240 client_random_size = SSL_get_client_random(ssl,
241 actual_client_random,
242 SSL3_RANDOM_SIZE);
710756a9 243 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 244 return 0;
6acdd3e5 245
710756a9 246 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 247 return 0;
710756a9 248 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 249 return 0;
710756a9
RS		 250 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
251 actual_client_random,
252 client_random_size)))
f1a5939f 253 return 0;
6acdd3e5 254
710756a9 255 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 256 return 0;
6acdd3e5
CB		 257 master_key_size = SSL_SESSION_get_master_key(session,
258 actual_master_key,
259 master_key_size);
710756a9 260 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 261 return 0;
710756a9
RS		 262 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
263 actual_master_key,
264 master_key_size)))
f1a5939f 265 return 0;
f1a5939f 266 master_secret_count++;
cffe973c
PW		 267 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
268 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
710756a9
RS		 269 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
270 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
6329ce8f 271 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
01a2a654 272 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
6329ce8f 273 || strcmp(token, "EXPORTER_SECRET") == 0) {
f1a5939f
CB		 274 /*
275 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
276 * client random, and then the hex-encoded secret. In this case,
277 * we treat all of these secrets identically and then just
278 * distinguish between them when counting what we saw.
279 */
cffe973c
PW		 280 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
281 client_early_secret_count++;
282 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
f1a5939f
CB		 283 client_handshake_secret_count++;
284 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
285 server_handshake_secret_count++;
286 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
287 client_application_secret_count++;
288 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
289 server_application_secret_count++;
01a2a654
PW		 290 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
291 early_exporter_secret_count++;
6329ce8f
PW		 292 else if (strcmp(token, "EXPORTER_SECRET") == 0)
293 exporter_secret_count++;
f1a5939f
CB		 294
295 client_random_size = SSL_get_client_random(ssl,
296 actual_client_random,
297 SSL3_RANDOM_SIZE);
710756a9 298 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 299 return 0;
f1a5939f 300
710756a9 301 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 302 return 0;
710756a9 303 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 304 return 0;
710756a9
RS		 305 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
306 actual_client_random,
307 client_random_size)))
f1a5939f 308 return 0;
6acdd3e5 309
710756a9 310 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 311 return 0;
f1a5939f
CB		 312
313 /*
314 * TODO(TLS1.3): test that application traffic secrets are what
315 * we expect */
6acdd3e5 316 } else {
710756a9 317 TEST_info("Unexpected token %s\n", token);
f1a5939f 318 return 0;
6acdd3e5 319 }
6acdd3e5
CB		 320 }
321
710756a9
RS		 322 /* Got what we expected? */
323 if (!TEST_size_t_eq(rsa_key_exchange_count,
324 expected->rsa_key_exchange_count)
325 || !TEST_size_t_eq(master_secret_count,
326 expected->master_secret_count)
cffe973c
PW		 327 || !TEST_size_t_eq(client_early_secret_count,
328 expected->client_early_secret_count)
710756a9
RS		 329 || !TEST_size_t_eq(client_handshake_secret_count,
330 expected->client_handshake_secret_count)
331 || !TEST_size_t_eq(server_handshake_secret_count,
332 expected->server_handshake_secret_count)
333 || !TEST_size_t_eq(client_application_secret_count,
334 expected->client_application_secret_count)
335 || !TEST_size_t_eq(server_application_secret_count,
6329ce8f 336 expected->server_application_secret_count)
01a2a654
PW		 337 || !TEST_size_t_eq(early_exporter_secret_count,
338 expected->early_exporter_secret_count)
6329ce8f
PW		 339 || !TEST_size_t_eq(exporter_secret_count,
340 expected->exporter_secret_count))
710756a9
RS		 341 return 0;
342 return 1;
6acdd3e5
CB		 343}
344
c423ecaa 345#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
710756a9
RS		 346static int test_keylog(void)
347{
6acdd3e5
CB		 348 SSL_CTX *cctx = NULL, *sctx = NULL;
349 SSL *clientssl = NULL, *serverssl = NULL;
350 int testresult = 0;
6fc1e624 351 struct sslapitest_log_counts expected;
6acdd3e5
CB		 352
353 /* Clean up logging space */
6fc1e624 354 memset(&expected, 0, sizeof(expected));
710756a9
RS		 355 memset(client_log_buffer, 0, sizeof(client_log_buffer));
356 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 357 client_log_buffer_index = 0;
358 server_log_buffer_index = 0;
359 error_writing_log = 0;
360
5e30f2fd 361 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
710756a9 362 TLS_client_method(),
5c587fb6 363 TLS1_VERSION, 0,
710756a9 364 &sctx, &cctx, cert, privkey)))
6acdd3e5 365 return 0;
6acdd3e5
CB		 366
367 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
368 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
369 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
370
f0deb4d3 371 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 372 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 373 goto end;
f0deb4d3 374
cf10df81
RS		 375 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
376 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 377 goto end;
6acdd3e5 378 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 379 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
380 == client_keylog_callback))
6acdd3e5 381 goto end;
710756a9 382 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 383 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
384 == server_keylog_callback))
6acdd3e5 385 goto end;
6acdd3e5 386
710756a9
RS		 387 /* Now do a handshake and check that the logs have been written to. */
388 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
389 &clientssl, NULL, NULL))
390 || !TEST_true(create_ssl_connection(serverssl, clientssl,
391 SSL_ERROR_NONE))
392 || !TEST_false(error_writing_log)
393 || !TEST_int_gt(client_log_buffer_index, 0)
394 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 395 goto end;
6acdd3e5 396
f1a5939f
CB		 397 /*
398 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 399 * do that by using strtok and confirming that we have more or less the
f1a5939f
CB		 400 * data we expect. For both client and server, we expect to see one master
401 * secret. The client should also see a RSA key exchange.
6acdd3e5 402 */
f1a5939f
CB		 403 expected.rsa_key_exchange_count = 1;
404 expected.master_secret_count = 1;
710756a9
RS		 405 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
406 SSL_get_session(clientssl), &expected)))
6acdd3e5 407 goto end;
f1a5939f
CB		 408
409 expected.rsa_key_exchange_count = 0;
710756a9
RS		 410 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
411 SSL_get_session(serverssl), &expected)))
6acdd3e5 412 goto end;
6acdd3e5
CB		 413
414 testresult = 1;
415
416end:
417 SSL_free(serverssl);
418 SSL_free(clientssl);
419 SSL_CTX_free(sctx);
420 SSL_CTX_free(cctx);
421
422 return testresult;
423}
c423ecaa 424#endif
6acdd3e5
CB		 425
426#ifndef OPENSSL_NO_TLS1_3
710756a9
RS		 427static int test_keylog_no_master_key(void)
428{
6acdd3e5
CB		 429 SSL_CTX *cctx = NULL, *sctx = NULL;
430 SSL *clientssl = NULL, *serverssl = NULL;
cffe973c 431 SSL_SESSION *sess = NULL;
6acdd3e5 432 int testresult = 0;
6fc1e624 433 struct sslapitest_log_counts expected;
cffe973c
PW		 434 unsigned char buf[1];
435 size_t readbytes, written;
6acdd3e5
CB		 436
437 /* Clean up logging space */
6fc1e624 438 memset(&expected, 0, sizeof(expected));
710756a9
RS		 439 memset(client_log_buffer, 0, sizeof(client_log_buffer));
440 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 441 client_log_buffer_index = 0;
442 server_log_buffer_index = 0;
443 error_writing_log = 0;
444
5e30f2fd
MC		 445 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
446 TLS_client_method(), TLS1_VERSION, 0,
cffe973c
PW		 447 &sctx, &cctx, cert, privkey))
448 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
cffe973c 449 SSL3_RT_MAX_PLAIN_LENGTH)))
6acdd3e5 450 return 0;
6acdd3e5 451
cf10df81
RS		 452 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
453 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 454 goto end;
6acdd3e5
CB		 455
456 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 457 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
458 == client_keylog_callback))
6acdd3e5 459 goto end;
6acdd3e5 460
710756a9 461 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 462 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
463 == server_keylog_callback))
6acdd3e5 464 goto end;
6acdd3e5 465
710756a9
RS		 466 /* Now do a handshake and check that the logs have been written to. */
467 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
468 &clientssl, NULL, NULL))
469 || !TEST_true(create_ssl_connection(serverssl, clientssl,
470 SSL_ERROR_NONE))
471 || !TEST_false(error_writing_log))
6acdd3e5 472 goto end;
6acdd3e5 473
f1a5939f
CB		 474 /*
475 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 476 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 477 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 478 */
f1a5939f
CB		 479 expected.client_handshake_secret_count = 1;
480 expected.server_handshake_secret_count = 1;
481 expected.client_application_secret_count = 1;
482 expected.server_application_secret_count = 1;
6329ce8f 483 expected.exporter_secret_count = 1;
710756a9
RS		 484 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
485 SSL_get_session(clientssl), &expected))
486 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
487 SSL_get_session(serverssl),
488 &expected)))
6acdd3e5 489 goto end;
6acdd3e5 490
cffe973c
PW		 491 /* Terminate old session and resume with early data. */
492 sess = SSL_get1_session(clientssl);
493 SSL_shutdown(clientssl);
494 SSL_shutdown(serverssl);
495 SSL_free(serverssl);
496 SSL_free(clientssl);
497 serverssl = clientssl = NULL;
498
499 /* Reset key log */
500 memset(client_log_buffer, 0, sizeof(client_log_buffer));
501 memset(server_log_buffer, 0, sizeof(server_log_buffer));
502 client_log_buffer_index = 0;
503 server_log_buffer_index = 0;
504
505 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
506 &clientssl, NULL, NULL))
507 || !TEST_true(SSL_set_session(clientssl, sess))
508 /* Here writing 0 length early data is enough. */
509 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
510 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
511 &readbytes),
512 SSL_READ_EARLY_DATA_ERROR)
513 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
514 SSL_EARLY_DATA_ACCEPTED)
515 || !TEST_true(create_ssl_connection(serverssl, clientssl,
516 SSL_ERROR_NONE))
517 || !TEST_true(SSL_session_reused(clientssl)))
518 goto end;
519
520 /* In addition to the previous entries, expect early secrets. */
521 expected.client_early_secret_count = 1;
01a2a654 522 expected.early_exporter_secret_count = 1;
cffe973c
PW		 523 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
524 SSL_get_session(clientssl), &expected))
525 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
526 SSL_get_session(serverssl),
527 &expected)))
528 goto end;
529
6acdd3e5
CB		 530 testresult = 1;
531
532end:
cffe973c 533 SSL_SESSION_free(sess);
6acdd3e5
CB		 534 SSL_free(serverssl);
535 SSL_free(clientssl);
536 SSL_CTX_free(sctx);
537 SSL_CTX_free(cctx);
538
539 return testresult;
540}
541#endif
542
e9ee6536 543#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 544static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 545{
546 int *ctr = arg;
547 const unsigned char *p;
8ea404fb 548 int *exts;
2afaee51
BK		 549 /* We only configure two ciphers, but the SCSV is added automatically. */
550#ifdef OPENSSL_NO_EC
551 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
552#else
553 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
554 0x2c, 0x00, 0xff};
555#endif
8ea404fb
BK		 556 const int expected_extensions[] = {
557#ifndef OPENSSL_NO_EC
558 11, 10,
559#endif
10ed1b72 560 35, 22, 23, 13};
2afaee51
BK		 561 size_t len;
562
563 /* Make sure we can defer processing and get called back. */
564 if ((*ctr)++ == 0)
f1b97da1 565 return SSL_CLIENT_HELLO_RETRY;
2afaee51 566
a9c0d8be 567 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 568 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 569 || !TEST_size_t_eq(
570 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 571 || !TEST_int_eq(*p, 0))
f1b97da1 572 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 573 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 574 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 575 if (len != OSSL_NELEM(expected_extensions) ||
576 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 577 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 578 OPENSSL_free(exts);
f1b97da1 579 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 580 }
581 OPENSSL_free(exts);
f1b97da1 582 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 583}
584
a9c0d8be 585static int test_client_hello_cb(void)
710756a9 586{
2afaee51
BK		 587 SSL_CTX *cctx = NULL, *sctx = NULL;
588 SSL *clientssl = NULL, *serverssl = NULL;
589 int testctr = 0, testresult = 0;
590
5e30f2fd
MC		 591 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
592 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 593 &sctx, &cctx, cert, privkey)))
2afaee51 594 goto end;
a9c0d8be 595 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 596
2afaee51
BK		 597 /* The gimpy cipher list we configure can't do TLS 1.3. */
598 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 599
710756a9
RS		 600 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
601 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
602 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
603 &clientssl, NULL, NULL))
604 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 605 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 606 /*
607 * Passing a -1 literal is a hack since
608 * the real value was lost.
609 * */
a9c0d8be
DB		 610 || !TEST_int_eq(SSL_get_error(serverssl, -1),
611 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 612 || !TEST_true(create_ssl_connection(serverssl, clientssl,
613 SSL_ERROR_NONE)))
2afaee51 614 goto end;
2afaee51
BK		 615
616 testresult = 1;
617
088dfa13
TS		 618end:
619 SSL_free(serverssl);
620 SSL_free(clientssl);
621 SSL_CTX_free(sctx);
622 SSL_CTX_free(cctx);
623
624 return testresult;
625}
626
627static int test_no_ems(void)
628{
629 SSL_CTX *cctx = NULL, *sctx = NULL;
630 SSL *clientssl = NULL, *serverssl = NULL;
631 int testresult = 0;
632
5e30f2fd 633 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
088dfa13
TS		 634 TLS1_VERSION, TLS1_2_VERSION,
635 &sctx, &cctx, cert, privkey)) {
636 printf("Unable to create SSL_CTX pair\n");
637 goto end;
638 }
639
640 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
641
642 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
643 printf("Unable to create SSL objects\n");
644 goto end;
645 }
646
647 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
648 printf("Creating SSL connection failed\n");
649 goto end;
650 }
651
652 if (SSL_get_extms_support(serverssl)) {
653 printf("Server reports Extended Master Secret support\n");
654 goto end;
655 }
656
657 if (SSL_get_extms_support(clientssl)) {
658 printf("Client reports Extended Master Secret support\n");
659 goto end;
660 }
661 testresult = 1;
662
2afaee51
BK		 663end:
664 SSL_free(serverssl);
665 SSL_free(clientssl);
666 SSL_CTX_free(sctx);
667 SSL_CTX_free(cctx);
668
669 return testresult;
670}
671
3cd14e5e
BK		 672/*
673 * Very focused test to exercise a single case in the server-side state
674 * machine, when the ChangeCipherState message needs to actually change
675 * from one cipher to a different cipher (i.e., not changing from null
b3e6d666 676 * encryption to real encryption).
3cd14e5e
BK		 677 */
678static int test_ccs_change_cipher(void)
679{
680 SSL_CTX *cctx = NULL, *sctx = NULL;
681 SSL *clientssl = NULL, *serverssl = NULL;
682 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
683 int testresult = 0;
684 int i;
685 unsigned char buf;
686 size_t readbytes;
687
688 /*
689 * Create a conection so we can resume and potentially (but not) use
690 * a different cipher in the second connection.
691 */
5e30f2fd 692 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3cd14e5e
BK		 693 TLS_client_method(),
694 TLS1_VERSION, TLS1_2_VERSION,
695 &sctx, &cctx, cert, privkey))
696 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
697 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
698 NULL, NULL))
699 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
700 || !TEST_true(create_ssl_connection(serverssl, clientssl,
701 SSL_ERROR_NONE))
702 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
703 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
704 goto end;
705
706 shutdown_ssl_connection(serverssl, clientssl);
707 serverssl = clientssl = NULL;
708
709 /* Resume, preferring a different cipher. Our server will force the
710 * same cipher to be used as the initial handshake. */
711 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
712 NULL, NULL))
713 || !TEST_true(SSL_set_session(clientssl, sess))
714 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
715 || !TEST_true(create_ssl_connection(serverssl, clientssl,
716 SSL_ERROR_NONE))
717 || !TEST_true(SSL_session_reused(clientssl))
718 || !TEST_true(SSL_session_reused(serverssl))
719 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
720 || !TEST_ptr_eq(sesspre, sesspost)
721 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
722 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
723 goto end;
724 shutdown_ssl_connection(serverssl, clientssl);
725 serverssl = clientssl = NULL;
726
727 /*
728 * Now create a fresh connection and try to renegotiate a different
729 * cipher on it.
730 */
b3e6d666
BK		 731 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
732 NULL, NULL))
3cd14e5e
BK		 733 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
734 || !TEST_true(create_ssl_connection(serverssl, clientssl,
735 SSL_ERROR_NONE))
736 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
737 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
738 || !TEST_true(SSL_renegotiate(clientssl))
739 || !TEST_true(SSL_renegotiate_pending(clientssl)))
740 goto end;
741 /* Actually drive the renegotiation. */
742 for (i = 0; i < 3; i++) {
743 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
744 if (!TEST_ulong_eq(readbytes, 0))
745 goto end;
746 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
747 SSL_ERROR_WANT_READ)) {
748 goto end;
749 }
750 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
751 if (!TEST_ulong_eq(readbytes, 0))
752 goto end;
753 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
754 SSL_ERROR_WANT_READ)) {
755 goto end;
756 }
757 }
758 /* sesspre and sesspost should be different since the cipher changed. */
759 if (!TEST_false(SSL_renegotiate_pending(clientssl))
760 || !TEST_false(SSL_session_reused(clientssl))
761 || !TEST_false(SSL_session_reused(serverssl))
762 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
763 || !TEST_ptr_ne(sesspre, sesspost)
764 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
765 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
766 goto end;
767
768 shutdown_ssl_connection(serverssl, clientssl);
769 serverssl = clientssl = NULL;
770
771 testresult = 1;
772
773end:
774 SSL_free(serverssl);
775 SSL_free(clientssl);
776 SSL_CTX_free(sctx);
777 SSL_CTX_free(cctx);
778 SSL_SESSION_free(sess);
779
780 return testresult;
781}
fb121631 782#endif
3cd14e5e 783
84d5549e 784static int execute_test_large_message(const SSL_METHOD *smeth,
7d7f6834
RL		 785 const SSL_METHOD *cmeth,
786 int min_version, int max_version,
787 int read_ahead)
84d5549e
MC		 788{
789 SSL_CTX *cctx = NULL, *sctx = NULL;
790 SSL *clientssl = NULL, *serverssl = NULL;
791 int testresult = 0;
792 int i;
710756a9 793 BIO *certbio = NULL;
84d5549e
MC		 794 X509 *chaincert = NULL;
795 int certlen;
796
710756a9 797 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
84d5549e 798 goto end;
6725682d 799
d8652be0 800 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
6725682d
SL		 801 goto end;
802
803 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
804 goto end;
fa454945
MC		 805 BIO_free(certbio);
806 certbio = NULL;
84d5549e 807
5e30f2fd
MC		 808 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
809 max_version, &sctx, &cctx, cert,
810 privkey)))
84d5549e 811 goto end;
84d5549e 812
710756a9 813 if (read_ahead) {
7856332e
MC		 814 /*
815 * Test that read_ahead works correctly when dealing with large
816 * records
817 */
818 SSL_CTX_set_read_ahead(cctx, 1);
819 }
820
84d5549e
MC		 821 /*
822 * We assume the supplied certificate is big enough so that if we add
823 * NUM_EXTRA_CERTS it will make the overall message large enough. The
824 * default buffer size is requested to be 16k, but due to the way BUF_MEM
710756a9
RS		 825 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
826 * test we need to have a message larger than that.
84d5549e
MC		 827 */
828 certlen = i2d_X509(chaincert, NULL);
710756a9
RS		 829 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
830 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
84d5549e 831 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
710756a9 832 if (!X509_up_ref(chaincert))
84d5549e 833 goto end;
84d5549e 834 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
84d5549e
MC		 835 X509_free(chaincert);
836 goto end;
837 }
838 }
839
710756a9
RS		 840 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
841 NULL, NULL))
842 || !TEST_true(create_ssl_connection(serverssl, clientssl,
843 SSL_ERROR_NONE)))
84d5549e 844 goto end;
84d5549e 845
4bf08600
MC		 846 /*
847 * Calling SSL_clear() first is not required but this tests that SSL_clear()
742ccab3 848 * doesn't leak.
4bf08600 849 */
710756a9 850 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 851 goto end;
84d5549e 852
4bf08600 853 testresult = 1;
84d5549e 854 end:
6725682d 855 BIO_free(certbio);
84d5549e
MC		 856 X509_free(chaincert);
857 SSL_free(serverssl);
858 SSL_free(clientssl);
859 SSL_CTX_free(sctx);
860 SSL_CTX_free(cctx);
861
862 return testresult;
863}
864
da4db160
VF		 865#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
866 !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
867#define TLS_CIPHER_MAX_REC_SEQ_SIZE 8
fe5d9450
BP		 868/* sock must be connected */
869static int ktls_chk_platform(int sock)
870{
871 if (!ktls_enable(sock))
872 return 0;
873 return 1;
874}
875
da4db160 876static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd, int rec_seq_size)
fe5d9450
BP		 877{
878 static char count = 1;
879 unsigned char cbuf[16000] = {0};
880 unsigned char sbuf[16000];
881 size_t err = 0;
da4db160
VF		 882 char crec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
883 char crec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
884 char crec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
885 char crec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
886 char srec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
887 char srec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
888 char srec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
889 char srec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
fe5d9450
BP		 890
891 cbuf[0] = count++;
da4db160
VF		 892 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, rec_seq_size);
893 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, rec_seq_size);
894 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, rec_seq_size);
895 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, rec_seq_size);
fe5d9450
BP		 896
897 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
898 goto end;
899
900 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
901 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
902 goto end;
903 }
904 }
905
906 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
907 goto end;
908
909 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
910 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
911 goto end;
912 }
913 }
914
da4db160
VF		 915 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, rec_seq_size);
916 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, rec_seq_size);
917 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, rec_seq_size);
918 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, rec_seq_size);
fe5d9450
BP		 919
920 /* verify the payload */
921 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
922 goto end;
923
924 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
925 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
da4db160
VF		 926 if (!TEST_mem_ne(crec_wseq_before, rec_seq_size,
927 crec_wseq_after, rec_seq_size))
fe5d9450
BP		 928 goto end;
929 } else {
da4db160
VF		 930 if (!TEST_mem_eq(crec_wseq_before, rec_seq_size,
931 crec_wseq_after, rec_seq_size))
fe5d9450
BP		 932 goto end;
933 }
934
935 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
da4db160
VF		 936 if (!TEST_mem_ne(srec_wseq_before, rec_seq_size,
937 srec_wseq_after, rec_seq_size))
fe5d9450
BP		 938 goto end;
939 } else {
da4db160
VF		 940 if (!TEST_mem_eq(srec_wseq_before, rec_seq_size,
941 srec_wseq_after, rec_seq_size))
fe5d9450
BP		 942 goto end;
943 }
944
2fab79af 945 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
da4db160
VF		 946 if (!TEST_mem_ne(crec_rseq_before, rec_seq_size,
947 crec_rseq_after, rec_seq_size))
2fab79af
BP		 948 goto end;
949 } else {
da4db160
VF		 950 if (!TEST_mem_eq(crec_rseq_before, rec_seq_size,
951 crec_rseq_after, rec_seq_size))
2fab79af
BP		 952 goto end;
953 }
954
955 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
da4db160
VF		 956 if (!TEST_mem_ne(srec_rseq_before, rec_seq_size,
957 srec_rseq_after, rec_seq_size))
2fab79af
BP		 958 goto end;
959 } else {
da4db160
VF		 960 if (!TEST_mem_eq(srec_rseq_before, rec_seq_size,
961 srec_rseq_after, rec_seq_size))
2fab79af
BP		 962 goto end;
963 }
fe5d9450
BP		 964
965 return 1;
966end:
967 return 0;
968}
969
2fab79af 970static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
da4db160
VF		 971 int sis_ktls_tx, int sis_ktls_rx,
972 int tls_version, const char *cipher,
973 int rec_seq_size)
fe5d9450
BP		 974{
975 SSL_CTX *cctx = NULL, *sctx = NULL;
976 SSL *clientssl = NULL, *serverssl = NULL;
977 int testresult = 0;
978 int cfd, sfd;
979
980 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
981 goto end;
982
983 /* Skip this test if the platform does not support ktls */
984 if (!ktls_chk_platform(cfd))
985 return 1;
986
987 /* Create a session based on SHA-256 */
5e30f2fd 988 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fe5d9450 989 TLS_client_method(),
da4db160 990 tls_version, tls_version,
fe5d9450 991 &sctx, &cctx, cert, privkey))
da4db160 992 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
ab114c6d 993 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher))
fe5d9450
BP		 994 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
995 &clientssl, sfd, cfd)))
996 goto end;
997
998 if (!cis_ktls_tx) {
999 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
1000 goto end;
1001 }
1002
1003 if (!sis_ktls_tx) {
1004 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
1005 goto end;
1006 }
1007
2fab79af
BP		 1008 if (!cis_ktls_rx) {
1009 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
1010 goto end;
1011 }
1012
1013 if (!sis_ktls_rx) {
1014 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
1015 goto end;
1016 }
1017
fe5d9450
BP		 1018 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1019 SSL_ERROR_NONE)))
1020 goto end;
1021
1022 if (!cis_ktls_tx) {
1023 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1024 goto end;
1025 } else {
1026 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
1027 goto end;
1028 }
1029
1030 if (!sis_ktls_tx) {
1031 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1032 goto end;
1033 } else {
1034 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1035 goto end;
1036 }
1037
2fab79af
BP		 1038 if (!cis_ktls_rx) {
1039 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1040 goto end;
1041 } else {
1042 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
1043 goto end;
1044 }
1045
1046 if (!sis_ktls_rx) {
1047 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1048 goto end;
1049 } else {
1050 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
1051 goto end;
1052 }
1053
da4db160
VF		 1054 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd,
1055 rec_seq_size)))
fe5d9450
BP		 1056 goto end;
1057
1058 testresult = 1;
1059end:
1060 if (clientssl) {
1061 SSL_shutdown(clientssl);
1062 SSL_free(clientssl);
1063 }
1064 if (serverssl) {
1065 SSL_shutdown(serverssl);
1066 SSL_free(serverssl);
1067 }
1068 SSL_CTX_free(sctx);
1069 SSL_CTX_free(cctx);
1070 serverssl = clientssl = NULL;
1071 return testresult;
1072}
1073
7c3a7561
BP		 1074#define SENDFILE_SZ (16 * 4096)
1075#define SENDFILE_CHUNK (4 * 4096)
1076#define min(a,b) ((a) > (b) ? (b) : (a))
1077
da4db160 1078static int test_ktls_sendfile(int tls_version, const char *cipher)
7c3a7561
BP		 1079{
1080 SSL_CTX *cctx = NULL, *sctx = NULL;
1081 SSL *clientssl = NULL, *serverssl = NULL;
1082 unsigned char *buf, *buf_dst;
1083 BIO *out = NULL, *in = NULL;
1084 int cfd, sfd, ffd, err;
1085 ssize_t chunk_size = 0;
1086 off_t chunk_off = 0;
1087 int testresult = 0;
1088 FILE *ffdp;
1089
1090 buf = OPENSSL_zalloc(SENDFILE_SZ);
1091 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1092 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1093 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1094 goto end;
1095
1096 /* Skip this test if the platform does not support ktls */
1097 if (!ktls_chk_platform(sfd)) {
1098 testresult = 1;
1099 goto end;
1100 }
1101
1102 /* Create a session based on SHA-256 */
5e30f2fd 1103 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7c3a7561 1104 TLS_client_method(),
da4db160 1105 tls_version, tls_version,
7c3a7561 1106 &sctx, &cctx, cert, privkey))
da4db160 1107 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
ab114c6d 1108 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher))
7c3a7561
BP		 1109 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1110 &clientssl, sfd, cfd)))
1111 goto end;
1112
1113 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1114 SSL_ERROR_NONE))
1115 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1116 goto end;
1117
72c1e374
JB		 1118 if (!TEST_true(RAND_bytes_ex(libctx, buf, SENDFILE_SZ)))
1119 goto end;
1120
7c3a7561
BP		 1121 out = BIO_new_file(tmpfilename, "wb");
1122 if (!TEST_ptr(out))
1123 goto end;
1124
1125 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1126 goto end;
1127
1128 BIO_free(out);
1129 out = NULL;
1130 in = BIO_new_file(tmpfilename, "rb");
1131 BIO_get_fp(in, &ffdp);
1132 ffd = fileno(ffdp);
1133
1134 while (chunk_off < SENDFILE_SZ) {
1135 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1136 while ((err = SSL_sendfile(serverssl,
1137 ffd,
1138 chunk_off,
1139 chunk_size,
1140 0)) != chunk_size) {
1141 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1142 goto end;
1143 }
1144 while ((err = SSL_read(clientssl,
1145 buf_dst + chunk_off,
1146 chunk_size)) != chunk_size) {
1147 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1148 goto end;
1149 }
1150
1151 /* verify the payload */
1152 if (!TEST_mem_eq(buf_dst + chunk_off,
1153 chunk_size,
1154 buf + chunk_off,
1155 chunk_size))
1156 goto end;
1157
1158 chunk_off += chunk_size;
1159 }
1160
1161 testresult = 1;
1162end:
1163 if (clientssl) {
1164 SSL_shutdown(clientssl);
1165 SSL_free(clientssl);
1166 }
1167 if (serverssl) {
1168 SSL_shutdown(serverssl);
1169 SSL_free(serverssl);
1170 }
1171 SSL_CTX_free(sctx);
1172 SSL_CTX_free(cctx);
1173 serverssl = clientssl = NULL;
1174 BIO_free(out);
1175 BIO_free(in);
1176 OPENSSL_free(buf);
1177 OPENSSL_free(buf_dst);
1178 return testresult;
1179}
1180
da4db160
VF		 1181#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
1182static int test_ktls(int test)
1183{
eb818d23
JB		 1184 int cis_ktls_tx, cis_ktls_rx, sis_ktls_tx, sis_ktls_rx;
1185 int tlsver, testresult;
da4db160
VF		 1186
1187 if (test > 15) {
1188#if defined(OPENSSL_NO_TLS1_3)
1189 return 1;
1190#else
1191 test -= 16;
1192 tlsver = TLS1_3_VERSION;
1193#endif
1194 } else {
1195#if defined(OPENSSL_NO_TLS1_2)
1196 return 1;
1197#else
1198 tlsver = TLS1_2_VERSION;
1199#endif
1200 }
1201
eb818d23
JB		 1202 cis_ktls_tx = (test & 1) != 0;
1203 cis_ktls_rx = (test & 2) != 0;
1204 sis_ktls_tx = (test & 4) != 0;
1205 sis_ktls_rx = (test & 8) != 0;
1206
cd03b5dc
JB		 1207#if defined(OPENSSL_NO_KTLS_RX)
1208 if (cis_ktls_rx || sis_ktls_rx)
1209 return 1;
1210#endif
18efb630
JB		 1211#if !defined(OPENSSL_NO_TLS1_3)
1212 if (tlsver == TLS1_3_VERSION && (cis_ktls_rx || sis_ktls_rx))
1213 return 1;
1214#endif
cd03b5dc 1215
eb818d23
JB		 1216 testresult = 1;
1217#ifdef OPENSSL_KTLS_AES_GCM_128
1218 testresult &= execute_test_ktls(cis_ktls_tx, cis_ktls_rx, sis_ktls_tx,
1219 sis_ktls_rx, tlsver, "AES128-GCM-SHA256",
1220 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1221#endif
1222#ifdef OPENSSL_KTLS_AES_CCM_128
1223 testresult &= execute_test_ktls(cis_ktls_tx, cis_ktls_rx, sis_ktls_tx,
ab114c6d 1224 sis_ktls_rx, tlsver, "AES128-CCM",
eb818d23
JB		 1225 TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1226#endif
1227#ifdef OPENSSL_KTLS_AES_GCM_256
1228 testresult &= execute_test_ktls(cis_ktls_tx, cis_ktls_rx, sis_ktls_tx,
1229 sis_ktls_rx, tlsver, "AES256-GCM-SHA384",
1230 TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1231#endif
1232 return testresult;
2fab79af
BP		 1233}
1234
da4db160 1235static int test_ktls_sendfile_anytls(int tst)
fe5d9450 1236{
ab114c6d 1237 char *cipher[] = {"AES128-GCM-SHA256","AES128-CCM","AES256-GCM-SHA384"};
da4db160
VF		 1238 int tlsver;
1239
1240 if (tst > 2) {
1241#if defined(OPENSSL_NO_TLS1_3)
1242 return 1;
1243#else
1244 tst -= 3;
1245 tlsver = TLS1_3_VERSION;
1246#endif
1247 } else {
1248#if defined(OPENSSL_NO_TLS1_2)
1249 return 1;
1250#else
1251 tlsver = TLS1_2_VERSION;
1252#endif
1253 }
1254
1255#ifndef OPENSSL_KTLS_AES_GCM_128
1256 if(tst == 0) return 1;
1257#endif
1258#ifndef OPENSSL_KTLS_AES_CCM_128
1259 if(tst == 1) return 1;
1260#endif
1261#ifndef OPENSSL_KTLS_AES_GCM_256
1262 if(tst == 2) return 1;
1263#endif
1264 return test_ktls_sendfile(tlsver, cipher[tst]);
fe5d9450 1265}
da4db160
VF		 1266
1267#endif
fe5d9450
BP		 1268#endif
1269
84d5549e
MC		 1270static int test_large_message_tls(void)
1271{
7856332e 1272 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1273 TLS1_VERSION, 0, 0);
7856332e
MC		 1274}
1275
1276static int test_large_message_tls_read_ahead(void)
1277{
1278 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1279 TLS1_VERSION, 0, 1);
84d5549e
MC		 1280}
1281
55386bef 1282#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 1283static int test_large_message_dtls(void)
1284{
7856332e
MC		 1285 /*
1286 * read_ahead is not relevant to DTLS because DTLS always acts as if
1287 * read_ahead is set.
1288 */
84d5549e 1289 return execute_test_large_message(DTLS_server_method(),
7d7f6834 1290 DTLS_client_method(),
5c587fb6 1291 DTLS1_VERSION, 0, 0);
84d5549e 1292}
55386bef 1293#endif
84d5549e 1294
163b8016
ME		 1295static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1296 const SSL_METHOD *cmeth,
1297 int min_version, int max_version)
1298{
1299 size_t i;
1300 SSL_CTX *cctx = NULL, *sctx = NULL;
1301 SSL *clientssl = NULL, *serverssl = NULL;
1302 int testresult = 0;
1303 SSL3_RECORD *rr;
1304 void *zbuf;
1305
1306 static unsigned char cbuf[16000];
1307 static unsigned char sbuf[16000];
1308
1309 if (!TEST_true(create_ssl_ctx_pair(libctx,
1310 smeth, cmeth,
1311 min_version, max_version,
1312 &sctx, &cctx, cert,
1313 privkey)))
1314 goto end;
1315
1316 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1317 NULL, NULL)))
1318 goto end;
1319
1320 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1321 goto end;
1322
1323 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1324 SSL_ERROR_NONE)))
1325 goto end;
1326
1327 for (i = 0; i < sizeof(cbuf); i++) {
1328 cbuf[i] = i & 0xff;
1329 }
1330
1331 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1332 goto end;
1333
1334 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1335 goto end;
1336
1337 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1338 goto end;
1339
1340 /*
1341 * Since we called SSL_peek(), we know the data in the record
1342 * layer is a plaintext record. We can gather the pointer to check
1343 * for zeroization after SSL_read().
1344 */
1345 rr = serverssl->rlayer.rrec;
1346 zbuf = &rr->data[rr->off];
1347 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1348 goto end;
1349
1350 /*
1351 * After SSL_peek() the plaintext must still be stored in the
1352 * record.
1353 */
1354 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1355 goto end;
1356
1357 memset(sbuf, 0, sizeof(sbuf));
1358 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1359 goto end;
1360
1361 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1362 goto end;
1363
1364 /* Check if rbuf is cleansed */
1365 memset(cbuf, 0, sizeof(cbuf));
1366 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1367 goto end;
1368
1369 testresult = 1;
1370 end:
1371 SSL_free(serverssl);
1372 SSL_free(clientssl);
1373 SSL_CTX_free(sctx);
1374 SSL_CTX_free(cctx);
1375
1376 return testresult;
1377}
1378
1379static int test_cleanse_plaintext(void)
1380{
1381#if !defined(OPENSSL_NO_TLS1_2)
1382 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1383 TLS_client_method(),
1384 TLS1_2_VERSION,
1385 TLS1_2_VERSION)))
1386 return 0;
1387
1388#endif
1389
1390#if !defined(OPENSSL_NO_TLS1_3)
1391 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1392 TLS_client_method(),
1393 TLS1_3_VERSION,
1394 TLS1_3_VERSION)))
1395 return 0;
1396#endif
1397
1398#if !defined(OPENSSL_NO_DTLS)
1399 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1400 DTLS_client_method(),
1401 DTLS1_VERSION,
1402 0)))
1403 return 0;
1404#endif
1405 return 1;
1406}
1407
8f8c11d8 1408#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 1409static int ocsp_server_cb(SSL *s, void *arg)
1410{
1411 int *argi = (int *)arg;
710756a9 1412 unsigned char *copy = NULL;
ba881d3b
MC		 1413 STACK_OF(OCSP_RESPID) *ids = NULL;
1414 OCSP_RESPID *id = NULL;
1415
1416 if (*argi == 2) {
1417 /* In this test we are expecting exactly 1 OCSP_RESPID */
1418 SSL_get_tlsext_status_ids(s, &ids);
1419 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1420 return SSL_TLSEXT_ERR_ALERT_FATAL;
1421
1422 id = sk_OCSP_RESPID_value(ids, 0);
5e30f2fd 1423 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
ba881d3b
MC		 1424 return SSL_TLSEXT_ERR_ALERT_FATAL;
1425 } else if (*argi != 1) {
1426 return SSL_TLSEXT_ERR_ALERT_FATAL;
1427 }
1428
710756a9 1429 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 1430 return SSL_TLSEXT_ERR_ALERT_FATAL;
1431
710756a9 1432 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
ba881d3b 1433 ocsp_server_called = 1;
ba881d3b
MC		 1434 return SSL_TLSEXT_ERR_OK;
1435}
1436
1437static int ocsp_client_cb(SSL *s, void *arg)
1438{
1439 int *argi = (int *)arg;
1440 const unsigned char *respderin;
1441 size_t len;
1442
1443 if (*argi != 1 && *argi != 2)
1444 return 0;
1445
1446 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 1447 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 1448 return 0;
1449
1450 ocsp_client_called = 1;
ba881d3b
MC		 1451 return 1;
1452}
1453
2cb4b5f6
MC		 1454static int test_tlsext_status_type(void)
1455{
ba881d3b
MC		 1456 SSL_CTX *cctx = NULL, *sctx = NULL;
1457 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 1458 int testresult = 0;
ba881d3b
MC		 1459 STACK_OF(OCSP_RESPID) *ids = NULL;
1460 OCSP_RESPID *id = NULL;
1461 BIO *certbio = NULL;
2cb4b5f6 1462
5e30f2fd 1463 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
5c587fb6 1464 TLS1_VERSION, 0,
7d7f6834 1465 &sctx, &cctx, cert, privkey))
ba881d3b 1466 return 0;
2cb4b5f6 1467
710756a9 1468 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 1469 goto end;
2cb4b5f6 1470
ba881d3b 1471 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 1472
ba881d3b 1473 clientssl = SSL_new(cctx);
710756a9
RS		 1474 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1475 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1476 TLSEXT_STATUSTYPE_ocsp))
1477 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1478 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 1479 goto end;
2cb4b5f6 1480
ba881d3b
MC		 1481 SSL_free(clientssl);
1482 clientssl = NULL;
2cb4b5f6 1483
710756a9
RS		 1484 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1485 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1486 goto end;
2cb4b5f6 1487
ba881d3b 1488 clientssl = SSL_new(cctx);
710756a9 1489 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1490 goto end;
ba881d3b
MC		 1491 SSL_free(clientssl);
1492 clientssl = NULL;
1493
1494 /*
1495 * Now actually do a handshake and check OCSP information is exchanged and
1496 * the callbacks get called
1497 */
ba881d3b
MC		 1498 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1499 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1500 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1501 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 1502 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1503 &clientssl, NULL, NULL))
1504 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1505 SSL_ERROR_NONE))
1506 || !TEST_true(ocsp_client_called)
1507 || !TEST_true(ocsp_server_called))
ba881d3b 1508 goto end;
ba881d3b
MC		 1509 SSL_free(serverssl);
1510 SSL_free(clientssl);
1511 serverssl = NULL;
1512 clientssl = NULL;
1513
1514 /* Try again but this time force the server side callback to fail */
1515 ocsp_client_called = 0;
1516 ocsp_server_called = 0;
1517 cdummyarg = 0;
710756a9
RS		 1518 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1519 &clientssl, NULL, NULL))
1520 /* This should fail because the callback will fail */
1521 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1522 SSL_ERROR_NONE))
1523 || !TEST_false(ocsp_client_called)
1524 || !TEST_false(ocsp_server_called))
ba881d3b 1525 goto end;
ba881d3b
MC		 1526 SSL_free(serverssl);
1527 SSL_free(clientssl);
1528 serverssl = NULL;
1529 clientssl = NULL;
1530
1531 /*
1532 * This time we'll get the client to send an OCSP_RESPID that it will
1533 * accept.
1534 */
1535 ocsp_client_called = 0;
1536 ocsp_server_called = 0;
1537 cdummyarg = 2;
710756a9
RS		 1538 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1539 &clientssl, NULL, NULL)))
ba881d3b 1540 goto end;
ba881d3b
MC		 1541
1542 /*
1543 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 1544 * specific one. We'll use the server cert.
ba881d3b 1545 */
710756a9
RS		 1546 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1547 || !TEST_ptr(id = OCSP_RESPID_new())
1548 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
d8652be0 1549 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
6725682d 1550 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
5e30f2fd 1551 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
710756a9 1552 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 1553 goto end;
ba881d3b
MC		 1554 id = NULL;
1555 SSL_set_tlsext_status_ids(clientssl, ids);
1556 /* Control has been transferred */
1557 ids = NULL;
1558
1559 BIO_free(certbio);
1560 certbio = NULL;
1561
710756a9
RS		 1562 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1563 SSL_ERROR_NONE))
1564 || !TEST_true(ocsp_client_called)
1565 || !TEST_true(ocsp_server_called))
ba881d3b 1566 goto end;
ba881d3b 1567
2cb4b5f6
MC		 1568 testresult = 1;
1569
1570 end:
ba881d3b
MC		 1571 SSL_free(serverssl);
1572 SSL_free(clientssl);
1573 SSL_CTX_free(sctx);
1574 SSL_CTX_free(cctx);
1575 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1576 OCSP_RESPID_free(id);
1577 BIO_free(certbio);
1578 X509_free(ocspcert);
1579 ocspcert = NULL;
2cb4b5f6
MC		 1580
1581 return testresult;
1582}
8f8c11d8 1583#endif
2cb4b5f6 1584
bf208d95 1585#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 1586static int new_called, remove_called, get_called;
eaa776da 1587
eaa776da
MC		 1588static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1589{
1590 new_called++;
c0537ebd
MC		 1591 /*
1592 * sess has been up-refed for us, but we don't actually need it so free it
1593 * immediately.
1594 */
1595 SSL_SESSION_free(sess);
eaa776da
MC		 1596 return 1;
1597}
1598
1599static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1600{
1601 remove_called++;
1602}
1603
7a301f08
MC		 1604static SSL_SESSION *get_sess_val = NULL;
1605
1606static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1607 int *copy)
1608{
0afca811 1609 get_called++;
7a301f08
MC		 1610 *copy = 1;
1611 return get_sess_val;
1612}
1613
7a301f08 1614static int execute_test_session(int maxprot, int use_int_cache,
90fc2c26 1615 int use_ext_cache, long s_options)
2cb4b5f6
MC		 1616{
1617 SSL_CTX *sctx = NULL, *cctx = NULL;
1618 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1619 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 1620# ifndef OPENSSL_NO_TLS1_1
eaa776da 1621 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 1622# endif
2cb4b5f6 1623 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
36ff232c 1624 int testresult = 0, numnewsesstick = 1;
2cb4b5f6 1625
7e885b7b
P		 1626 new_called = remove_called = 0;
1627
36ff232c
MC		 1628 /* TLSv1.3 sends 2 NewSessionTickets */
1629 if (maxprot == TLS1_3_VERSION)
1630 numnewsesstick = 2;
1631
5e30f2fd
MC		 1632 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1633 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 1634 &sctx, &cctx, cert, privkey)))
2cb4b5f6 1635 return 0;
2cb4b5f6 1636
7a301f08
MC		 1637 /*
1638 * Only allow the max protocol version so we can force a connection failure
1639 * later
1640 */
1641 SSL_CTX_set_min_proto_version(cctx, maxprot);
1642 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 1643
1644 /* Set up session cache */
7e885b7b 1645 if (use_ext_cache) {
eaa776da
MC		 1646 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1647 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1648 }
7e885b7b 1649 if (use_int_cache) {
eaa776da
MC		 1650 /* Also covers instance where both are set */
1651 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1652 } else {
1653 SSL_CTX_set_session_cache_mode(cctx,
1654 SSL_SESS_CACHE_CLIENT
1655 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1656 }
2cb4b5f6 1657
90fc2c26
NM		 1658 if (s_options) {
1659 SSL_CTX_set_options(sctx, s_options);
1660 }
1661
710756a9
RS		 1662 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1663 NULL, NULL))
1664 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1665 SSL_ERROR_NONE))
1666 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 1667 goto end;
2cb4b5f6 1668
710756a9 1669 /* Should fail because it should already be in the cache */
7e885b7b 1670 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 1671 goto end;
7a301f08 1672 if (use_ext_cache
36ff232c
MC		 1673 && (!TEST_int_eq(new_called, numnewsesstick)
1674
1675 || !TEST_int_eq(remove_called, 0)))
b4982125 1676 goto end;
b4982125 1677
c0537ebd
MC		 1678 new_called = remove_called = 0;
1679 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1680 &clientssl2, NULL, NULL))
1681 || !TEST_true(SSL_set_session(clientssl2, sess1))
1682 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1683 SSL_ERROR_NONE))
1684 || !TEST_true(SSL_session_reused(clientssl2)))
1685 goto end;
1686
7a301f08
MC		 1687 if (maxprot == TLS1_3_VERSION) {
1688 /*
1689 * In TLSv1.3 we should have created a new session even though we have
4cb00457
MC		 1690 * resumed. Since we attempted a resume we should also have removed the
1691 * old ticket from the cache so that we try to only use tickets once.
7a301f08
MC		 1692 */
1693 if (use_ext_cache
1694 && (!TEST_int_eq(new_called, 1)
4cb00457 1695 || !TEST_int_eq(remove_called, 1)))
7a301f08
MC		 1696 goto end;
1697 } else {
1698 /*
1699 * In TLSv1.2 we expect to have resumed so no sessions added or
1700 * removed.
1701 */
1702 if (use_ext_cache
1703 && (!TEST_int_eq(new_called, 0)
1704 || !TEST_int_eq(remove_called, 0)))
1705 goto end;
1706 }
c0537ebd
MC		 1707
1708 SSL_SESSION_free(sess1);
1709 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1710 goto end;
1711 shutdown_ssl_connection(serverssl2, clientssl2);
1712 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 1713
1714 new_called = remove_called = 0;
710756a9
RS		 1715 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1716 &clientssl2, NULL, NULL))
1717 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1718 SSL_ERROR_NONE)))
2cb4b5f6 1719 goto end;
2cb4b5f6 1720
710756a9 1721 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 1722 goto end;
2cb4b5f6 1723
7a301f08 1724 if (use_ext_cache
36ff232c
MC		 1725 && (!TEST_int_eq(new_called, numnewsesstick)
1726 || !TEST_int_eq(remove_called, 0)))
eaa776da 1727 goto end;
eaa776da 1728
c0537ebd 1729 new_called = remove_called = 0;
2cb4b5f6 1730 /*
710756a9
RS		 1731 * This should clear sess2 from the cache because it is a "bad" session.
1732 * See SSL_set_session() documentation.
2cb4b5f6 1733 */
710756a9 1734 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 1735 goto end;
7a301f08
MC		 1736 if (use_ext_cache
1737 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 1738 goto end;
710756a9 1739 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 1740 goto end;
2cb4b5f6 1741
7e885b7b 1742 if (use_int_cache) {
710756a9
RS		 1743 /* Should succeeded because it should not already be in the cache */
1744 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1745 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 1746 goto end;
eaa776da
MC		 1747 }
1748
c0537ebd 1749 new_called = remove_called = 0;
eaa776da 1750 /* This shouldn't be in the cache so should fail */
710756a9 1751 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 1752 goto end;
2cb4b5f6 1753
7a301f08
MC		 1754 if (use_ext_cache
1755 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1756 goto end;
2cb4b5f6 1757
bf208d95 1758# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 1759 new_called = remove_called = 0;
eaa776da
MC		 1760 /* Force a connection failure */
1761 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 1762 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1763 &clientssl3, NULL, NULL))
1764 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 1765 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 1766 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1767 SSL_ERROR_NONE)))
eaa776da 1768 goto end;
b4982125 1769
eaa776da 1770 /* We should have automatically removed the session from the cache */
7a301f08
MC		 1771 if (use_ext_cache
1772 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1773 goto end;
2cb4b5f6 1774
710756a9 1775 /* Should succeed because it should not already be in the cache */
7e885b7b 1776 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 1777 goto end;
bf208d95 1778# endif
eaa776da 1779
7a301f08
MC		 1780 /* Now do some tests for server side caching */
1781 if (use_ext_cache) {
1782 SSL_CTX_sess_set_new_cb(cctx, NULL);
1783 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1784 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1785 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1786 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1787 get_sess_val = NULL;
1788 }
1789
1790 SSL_CTX_set_session_cache_mode(cctx, 0);
1791 /* Internal caching is the default on the server side */
1792 if (!use_int_cache)
1793 SSL_CTX_set_session_cache_mode(sctx,
1794 SSL_SESS_CACHE_SERVER
1795 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1796
1797 SSL_free(serverssl1);
1798 SSL_free(clientssl1);
1799 serverssl1 = clientssl1 = NULL;
1800 SSL_free(serverssl2);
1801 SSL_free(clientssl2);
1802 serverssl2 = clientssl2 = NULL;
1803 SSL_SESSION_free(sess1);
1804 sess1 = NULL;
1805 SSL_SESSION_free(sess2);
1806 sess2 = NULL;
1807
1808 SSL_CTX_set_max_proto_version(sctx, maxprot);
6cc0b3c2
MC		 1809 if (maxprot == TLS1_2_VERSION)
1810 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 1811 new_called = remove_called = get_called = 0;
7a301f08
MC		 1812 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1813 NULL, NULL))
1814 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1815 SSL_ERROR_NONE))
1816 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1817 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1818 goto end;
1819
ee94ec2e
MC		 1820 if (use_int_cache) {
1821 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1822 /*
1823 * In TLSv1.3 it should not have been added to the internal cache,
1824 * except in the case where we also have an external cache (in that
1825 * case it gets added to the cache in order to generate remove
1826 * events after timeout).
1827 */
1828 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1829 goto end;
1830 } else {
1831 /* Should fail because it should already be in the cache */
1832 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1833 goto end;
1834 }
1835 }
7a301f08
MC		 1836
1837 if (use_ext_cache) {
1838 SSL_SESSION *tmp = sess2;
1839
36ff232c 1840 if (!TEST_int_eq(new_called, numnewsesstick)
0afca811
KY		 1841 || !TEST_int_eq(remove_called, 0)
1842 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 1843 goto end;
1844 /*
1845 * Delete the session from the internal cache to force a lookup from
1846 * the external cache. We take a copy first because
1847 * SSL_CTX_remove_session() also marks the session as non-resumable.
1848 */
ee94ec2e 1849 if (use_int_cache && maxprot != TLS1_3_VERSION) {
3cb6a4d6
BK		 1850 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1851 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1852 goto end;
1853 SSL_SESSION_free(sess2);
1854 }
7a301f08
MC		 1855 sess2 = tmp;
1856 }
1857
0afca811 1858 new_called = remove_called = get_called = 0;
7a301f08
MC		 1859 get_sess_val = sess2;
1860 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1861 &clientssl2, NULL, NULL))
1862 || !TEST_true(SSL_set_session(clientssl2, sess1))
1863 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1864 SSL_ERROR_NONE))
1865 || !TEST_true(SSL_session_reused(clientssl2)))
1866 goto end;
1867
0afca811 1868 if (use_ext_cache) {
32305f88 1869 if (!TEST_int_eq(remove_called, 0))
0afca811
KY		 1870 goto end;
1871
1872 if (maxprot == TLS1_3_VERSION) {
32305f88
MC		 1873 if (!TEST_int_eq(new_called, 1)
1874 || !TEST_int_eq(get_called, 0))
0afca811
KY		 1875 goto end;
1876 } else {
32305f88
MC		 1877 if (!TEST_int_eq(new_called, 0)
1878 || !TEST_int_eq(get_called, 1))
0afca811
KY		 1879 goto end;
1880 }
1881 }
7a301f08 1882
2cb4b5f6 1883 testresult = 1;
eaa776da 1884
2cb4b5f6
MC		 1885 end:
1886 SSL_free(serverssl1);
1887 SSL_free(clientssl1);
1888 SSL_free(serverssl2);
1889 SSL_free(clientssl2);
bf208d95 1890# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 1891 SSL_free(serverssl3);
1892 SSL_free(clientssl3);
bf208d95 1893# endif
2cb4b5f6
MC		 1894 SSL_SESSION_free(sess1);
1895 SSL_SESSION_free(sess2);
1896 SSL_CTX_free(sctx);
1897 SSL_CTX_free(cctx);
1898
1899 return testresult;
1900}
bf208d95 1901#endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 1902
7fb4c820
MC		 1903static int test_session_with_only_int_cache(void)
1904{
7a301f08 1905#ifndef OPENSSL_NO_TLS1_3
90fc2c26 1906 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
7a301f08
MC		 1907 return 0;
1908#endif
1909
1910#ifndef OPENSSL_NO_TLS1_2
90fc2c26 1911 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
7a301f08
MC		 1912#else
1913 return 1;
1914#endif
eaa776da
MC		 1915}
1916
7fb4c820
MC		 1917static int test_session_with_only_ext_cache(void)
1918{
7a301f08 1919#ifndef OPENSSL_NO_TLS1_3
90fc2c26 1920 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
7a301f08
MC		 1921 return 0;
1922#endif
1923
1924#ifndef OPENSSL_NO_TLS1_2
90fc2c26 1925 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
7a301f08
MC		 1926#else
1927 return 1;
1928#endif
eaa776da
MC		 1929}
1930
7fb4c820
MC		 1931static int test_session_with_both_cache(void)
1932{
7a301f08 1933#ifndef OPENSSL_NO_TLS1_3
90fc2c26
NM		 1934 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
1935 return 0;
1936#endif
1937
1938#ifndef OPENSSL_NO_TLS1_2
1939 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
1940#else
1941 return 1;
1942#endif
1943}
1944
1945static int test_session_wo_ca_names(void)
1946{
1947#ifndef OPENSSL_NO_TLS1_3
1948 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
7a301f08
MC		 1949 return 0;
1950#endif
1951
1952#ifndef OPENSSL_NO_TLS1_2
90fc2c26 1953 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
7a301f08
MC		 1954#else
1955 return 1;
1956#endif
eaa776da
MC		 1957}
1958
90fc2c26 1959
04225915 1960#ifndef OPENSSL_NO_TLS1_3
c22365b3
MC		 1961static SSL_SESSION *sesscache[6];
1962static int do_cache;
36ff232c
MC		 1963
1964static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1965{
c22365b3
MC		 1966 if (do_cache) {
1967 sesscache[new_called] = sess;
1968 } else {
1969 /* We don't need the reference to the session, so free it */
1970 SSL_SESSION_free(sess);
1971 }
1972 new_called++;
1973
1974 return 1;
1975}
1976
1977static int post_handshake_verify(SSL *sssl, SSL *cssl)
1978{
1979 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1980 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1981 return 0;
1982
1983 /* Start handshake on the server and client */
1984 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1985 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1986 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1987 || !TEST_true(create_ssl_connection(sssl, cssl,
1988 SSL_ERROR_NONE)))
1989 return 0;
36ff232c
MC		 1990
1991 return 1;
1992}
1993
fbe9dafd 1994static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
03cdf559
MC		 1995 SSL_CTX **cctx)
1996{
1997 int sess_id_ctx = 1;
1998
5e30f2fd
MC		 1999 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2000 TLS_client_method(), TLS1_VERSION, 0,
2001 sctx, cctx, cert, privkey))
03cdf559
MC		 2002 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2003 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2004 (void *)&sess_id_ctx,
2005 sizeof(sess_id_ctx))))
2006 return 0;
2007
2008 if (stateful)
2009 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2010
2011 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2012 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2013 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2014
2015 return 1;
2016}
2017
2018static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2019{
2020 SSL *serverssl = NULL, *clientssl = NULL;
2021 int i;
2022
2023 /* Test that we can resume with all the tickets we got given */
2024 for (i = 0; i < idx * 2; i++) {
2025 new_called = 0;
2026 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2027 &clientssl, NULL, NULL))
2028 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2029 goto end;
2030
32097b33 2031 SSL_set_post_handshake_auth(clientssl, 1);
03cdf559
MC		 2032
2033 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2034 SSL_ERROR_NONE)))
2035 goto end;
2036
2037 /*
2038 * Following a successful resumption we only get 1 ticket. After a
2039 * failed one we should get idx tickets.
2040 */
2041 if (succ) {
2042 if (!TEST_true(SSL_session_reused(clientssl))
2043 || !TEST_int_eq(new_called, 1))
2044 goto end;
2045 } else {
2046 if (!TEST_false(SSL_session_reused(clientssl))
2047 || !TEST_int_eq(new_called, idx))
2048 goto end;
2049 }
2050
2051 new_called = 0;
2052 /* After a post-handshake authentication we should get 1 new ticket */
2053 if (succ
2054 && (!post_handshake_verify(serverssl, clientssl)
2055 || !TEST_int_eq(new_called, 1)))
2056 goto end;
2057
2058 SSL_shutdown(clientssl);
2059 SSL_shutdown(serverssl);
2060 SSL_free(serverssl);
2061 SSL_free(clientssl);
2062 serverssl = clientssl = NULL;
2063 SSL_SESSION_free(sesscache[i]);
2064 sesscache[i] = NULL;
2065 }
2066
2067 return 1;
2068
2069 end:
2070 SSL_free(clientssl);
2071 SSL_free(serverssl);
2072 return 0;
2073}
2074
04d7814a 2075static int test_tickets(int stateful, int idx)
36ff232c
MC		 2076{
2077 SSL_CTX *sctx = NULL, *cctx = NULL;
2078 SSL *serverssl = NULL, *clientssl = NULL;
03cdf559 2079 int testresult = 0;
36ff232c
MC		 2080 size_t j;
2081
2082 /* idx is the test number, but also the number of tickets we want */
2083
2084 new_called = 0;
c22365b3 2085 do_cache = 1;
36ff232c 2086
fbe9dafd 2087 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
36ff232c
MC		 2088 goto end;
2089
03cdf559
MC		 2090 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2091 &clientssl, NULL, NULL)))
2092 goto end;
2093
2094 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2095 SSL_ERROR_NONE))
2096 /* Check we got the number of tickets we were expecting */
2097 || !TEST_int_eq(idx, new_called))
2098 goto end;
04d7814a 2099
03cdf559
MC		 2100 SSL_shutdown(clientssl);
2101 SSL_shutdown(serverssl);
2102 SSL_free(serverssl);
2103 SSL_free(clientssl);
2104 SSL_CTX_free(sctx);
2105 SSL_CTX_free(cctx);
2106 clientssl = serverssl = NULL;
2107 sctx = cctx = NULL;
2108
2109 /*
2110 * Now we try to resume with the tickets we previously created. The
2111 * resumption attempt is expected to fail (because we're now using a new
2112 * SSL_CTX). We should see idx number of tickets issued again.
2113 */
2114
2115 /* Stop caching sessions - just count them */
2116 do_cache = 0;
2117
fbe9dafd 2118 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559
MC		 2119 goto end;
2120
2121 if (!check_resumption(idx, sctx, cctx, 0))
2122 goto end;
2123
2124 /* Start again with caching sessions */
2125 new_called = 0;
2126 do_cache = 1;
fbe9dafd
MC		 2127 SSL_CTX_free(sctx);
2128 SSL_CTX_free(cctx);
2129 sctx = cctx = NULL;
03cdf559 2130
fbe9dafd 2131 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559 2132 goto end;
36ff232c
MC		 2133
2134 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2135 &clientssl, NULL, NULL)))
2136 goto end;
2137
32097b33 2138 SSL_set_post_handshake_auth(clientssl, 1);
36ff232c
MC		 2139
2140 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2141 SSL_ERROR_NONE))
2142 /* Check we got the number of tickets we were expecting */
2143 || !TEST_int_eq(idx, new_called))
2144 goto end;
2145
2146 /* After a post-handshake authentication we should get new tickets issued */
c22365b3 2147 if (!post_handshake_verify(serverssl, clientssl)
36ff232c
MC		 2148 || !TEST_int_eq(idx * 2, new_called))
2149 goto end;
2150
36ff232c
MC		 2151 SSL_shutdown(clientssl);
2152 SSL_shutdown(serverssl);
2153 SSL_free(serverssl);
2154 SSL_free(clientssl);
2155 serverssl = clientssl = NULL;
2156
c22365b3
MC		 2157 /* Stop caching sessions - just count them */
2158 do_cache = 0;
2159
03cdf559
MC		 2160 /*
2161 * Check we can resume with all the tickets we created. This time around the
2162 * resumptions should all be successful.
2163 */
2164 if (!check_resumption(idx, sctx, cctx, 1))
2165 goto end;
36ff232c
MC		 2166
2167 testresult = 1;
2168
2169 end:
2170 SSL_free(serverssl);
2171 SSL_free(clientssl);
c22365b3 2172 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
36ff232c 2173 SSL_SESSION_free(sesscache[j]);
c22365b3
MC		 2174 sesscache[j] = NULL;
2175 }
36ff232c
MC		 2176 SSL_CTX_free(sctx);
2177 SSL_CTX_free(cctx);
2178
2179 return testresult;
2180}
04d7814a
MC		 2181
2182static int test_stateless_tickets(int idx)
2183{
2184 return test_tickets(0, idx);
2185}
2186
2187static int test_stateful_tickets(int idx)
2188{
2189 return test_tickets(1, idx);
2190}
8614a4eb
MC		 2191
2192static int test_psk_tickets(void)
2193{
2194 SSL_CTX *sctx = NULL, *cctx = NULL;
2195 SSL *serverssl = NULL, *clientssl = NULL;
2196 int testresult = 0;
2197 int sess_id_ctx = 1;
2198
5e30f2fd
MC		 2199 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2200 TLS_client_method(), TLS1_VERSION, 0,
2201 &sctx, &cctx, NULL, NULL))
8614a4eb
MC		 2202 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2203 (void *)&sess_id_ctx,
2204 sizeof(sess_id_ctx))))
2205 goto end;
2206
2207 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2208 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2209 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2210 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2211 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2212 use_session_cb_cnt = 0;
2213 find_session_cb_cnt = 0;
2214 srvid = pskid;
2215 new_called = 0;
2216
2217 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2218 NULL, NULL)))
2219 goto end;
2220 clientpsk = serverpsk = create_a_psk(clientssl);
2221 if (!TEST_ptr(clientpsk))
2222 goto end;
2223 SSL_SESSION_up_ref(clientpsk);
2224
2225 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2226 SSL_ERROR_NONE))
2227 || !TEST_int_eq(1, find_session_cb_cnt)
2228 || !TEST_int_eq(1, use_session_cb_cnt)
2229 /* We should always get 1 ticket when using external PSK */
2230 || !TEST_int_eq(1, new_called))
2231 goto end;
2232
2233 testresult = 1;
2234
2235 end:
2236 SSL_free(serverssl);
2237 SSL_free(clientssl);
2238 SSL_CTX_free(sctx);
2239 SSL_CTX_free(cctx);
2240 SSL_SESSION_free(clientpsk);
2241 SSL_SESSION_free(serverpsk);
2242 clientpsk = serverpsk = NULL;
2243
2244 return testresult;
2245}
f0049b86
BK		 2246
2247static int test_extra_tickets(int idx)
2248{
2249 SSL_CTX *sctx = NULL, *cctx = NULL;
2250 SSL *serverssl = NULL, *clientssl = NULL;
2251 BIO *bretry = BIO_new(bio_s_always_retry());
2252 BIO *tmp = NULL;
2253 int testresult = 0;
2254 int stateful = 0;
2255 size_t nbytes;
2256 unsigned char c, buf[1];
2257
2258 new_called = 0;
2259 do_cache = 1;
2260
2261 if (idx >= 3) {
2262 idx -= 3;
2263 stateful = 1;
2264 }
2265
2266 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2267 goto end;
2268 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2269 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2270 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2271
2272 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2273 &clientssl, NULL, NULL)))
2274 goto end;
2275
2276 /*
2277 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2278 * incremented by both client and server.
2279 */
2280 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2281 SSL_ERROR_NONE))
2282 /* Check we got the number of tickets we were expecting */
2283 || !TEST_int_eq(idx * 2, new_called)
2284 || !TEST_true(SSL_new_session_ticket(serverssl))
2285 || !TEST_true(SSL_new_session_ticket(serverssl))
2286 || !TEST_int_eq(idx * 2, new_called))
2287 goto end;
2288
2289 /* Now try a (real) write to actually send the tickets */
2290 c = '1';
2291 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2292 || !TEST_size_t_eq(1, nbytes)
2293 || !TEST_int_eq(idx * 2 + 2, new_called)
2294 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2295 || !TEST_int_eq(idx * 2 + 4, new_called)
2296 || !TEST_int_eq(sizeof(buf), nbytes)
2297 || !TEST_int_eq(c, buf[0])
2298 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2299 goto end;
2300
2301 /* Try with only requesting one new ticket, too */
2302 c = '2';
2303 new_called = 0;
2304 if (!TEST_true(SSL_new_session_ticket(serverssl))
2305 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2306 || !TEST_size_t_eq(sizeof(c), nbytes)
2307 || !TEST_int_eq(1, new_called)
2308 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2309 || !TEST_int_eq(2, new_called)
2310 || !TEST_size_t_eq(sizeof(buf), nbytes)
2311 || !TEST_int_eq(c, buf[0]))
2312 goto end;
2313
2314 /* Do it again but use dummy writes to drive the ticket generation */
2315 c = '3';
2316 new_called = 0;
2317 if (!TEST_true(SSL_new_session_ticket(serverssl))
2318 || !TEST_true(SSL_new_session_ticket(serverssl))
2319 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2320 || !TEST_size_t_eq(0, nbytes)
2321 || !TEST_int_eq(2, new_called)
2322 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2323 || !TEST_int_eq(4, new_called))
2324 goto end;
2325
2326 /*
2327 * Use the always-retry BIO to exercise the logic that forces ticket
2328 * generation to wait until a record boundary.
2329 */
2330 c = '4';
2331 new_called = 0;
2332 tmp = SSL_get_wbio(serverssl);
2333 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2334 tmp = NULL;
2335 goto end;
2336 }
2337 SSL_set0_wbio(serverssl, bretry);
2338 bretry = NULL;
2339 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2340 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2341 || !TEST_size_t_eq(nbytes, 0))
2342 goto end;
2343 /* Restore a BIO that will let the write succeed */
2344 SSL_set0_wbio(serverssl, tmp);
2345 tmp = NULL;
2346 /* These calls should just queue the request and not send anything. */
2347 if (!TEST_true(SSL_new_session_ticket(serverssl))
2348 || !TEST_true(SSL_new_session_ticket(serverssl))
2349 || !TEST_int_eq(0, new_called))
2350 goto end;
2351 /* Re-do the write; still no tickets sent */
2352 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2353 || !TEST_size_t_eq(1, nbytes)
2354 || !TEST_int_eq(0, new_called)
2355 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2356 || !TEST_int_eq(0, new_called)
2357 || !TEST_int_eq(sizeof(buf), nbytes)
2358 || !TEST_int_eq(c, buf[0])
2359 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2360 goto end;
2361 /* Now the *next* write should send the tickets */
2362 c = '5';
2363 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2364 || !TEST_size_t_eq(1, nbytes)
2365 || !TEST_int_eq(2, new_called)
2366 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2367 || !TEST_int_eq(4, new_called)
2368 || !TEST_int_eq(sizeof(buf), nbytes)
2369 || !TEST_int_eq(c, buf[0])
2370 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2371 goto end;
2372
2373 SSL_shutdown(clientssl);
2374 SSL_shutdown(serverssl);
2375 testresult = 1;
2376
2377 end:
2378 BIO_free(bretry);
2379 BIO_free(tmp);
2380 SSL_free(serverssl);
2381 SSL_free(clientssl);
2382 SSL_CTX_free(sctx);
2383 SSL_CTX_free(cctx);
2384 clientssl = serverssl = NULL;
2385 sctx = cctx = NULL;
2386 return testresult;
2387}
04225915 2388#endif
36ff232c 2389
7d4488bb
MC		 2390#define USE_NULL 0
2391#define USE_BIO_1 1
2392#define USE_BIO_2 2
2393#define USE_DEFAULT 3
2394
2395#define CONNTYPE_CONNECTION_SUCCESS 0
2396#define CONNTYPE_CONNECTION_FAIL 1
2397#define CONNTYPE_NO_CONNECTION 2
2398
2399#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2400#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2401#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2402# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2403#else
2404# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2405#endif
2406
7d4488bb
MC		 2407#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2408 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2409 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
7fb4c820
MC		 2410
2411static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2412{
2413 switch (type) {
2414 case USE_NULL:
2415 *res = NULL;
2416 break;
2417 case USE_BIO_1:
2418 *res = bio1;
2419 break;
2420 case USE_BIO_2:
2421 *res = bio2;
2422 break;
2423 }
2424}
2425
7d4488bb
MC		 2426
2427/*
2428 * Tests calls to SSL_set_bio() under various conditions.
2429 *
2430 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2431 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2432 * then do more tests where we create a successful connection first using our
2433 * standard connection setup functions, and then call SSL_set_bio() with
2434 * various combinations of valid BIOs or NULL. We then repeat these tests
2435 * following a failed connection. In this last case we are looking to check that
2436 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2437 */
7fb4c820
MC		 2438static int test_ssl_set_bio(int idx)
2439{
7d4488bb 2440 SSL_CTX *sctx = NULL, *cctx = NULL;
7fb4c820
MC		 2441 BIO *bio1 = NULL;
2442 BIO *bio2 = NULL;
0fae8150 2443 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7d4488bb
MC		 2444 SSL *serverssl = NULL, *clientssl = NULL;
2445 int initrbio, initwbio, newrbio, newwbio, conntype;
7fb4c820
MC		 2446 int testresult = 0;
2447
7d4488bb
MC		 2448 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2449 initrbio = idx % 3;
2450 idx /= 3;
2451 initwbio = idx % 3;
2452 idx /= 3;
2453 newrbio = idx % 3;
2454 idx /= 3;
2455 newwbio = idx % 3;
2456 conntype = CONNTYPE_NO_CONNECTION;
2457 } else {
2458 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2459 initrbio = initwbio = USE_DEFAULT;
2460 newrbio = idx % 2;
2461 idx /= 2;
2462 newwbio = idx % 2;
2463 idx /= 2;
2464 conntype = idx % 2;
2465 }
710756a9 2466
5e30f2fd
MC		 2467 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2468 TLS_client_method(), TLS1_VERSION, 0,
7d4488bb
MC		 2469 &sctx, &cctx, cert, privkey)))
2470 goto end;
2471
2472 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2473 /*
2474 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2475 * because we reduced the number of tests in the definition of
2476 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2477 * mismatched protocol versions we will force a connection failure.
2478 */
2479 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2480 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2481 }
2482
2483 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2484 NULL, NULL)))
710756a9 2485 goto end;
7fb4c820 2486
710756a9
RS		 2487 if (initrbio == USE_BIO_1
2488 || initwbio == USE_BIO_1
2489 || newrbio == USE_BIO_1
7fb4c820 2490 || newwbio == USE_BIO_1) {
710756a9 2491 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 2492 goto end;
7fb4c820
MC		 2493 }
2494
710756a9
RS		 2495 if (initrbio == USE_BIO_2
2496 || initwbio == USE_BIO_2
2497 || newrbio == USE_BIO_2
7fb4c820 2498 || newwbio == USE_BIO_2) {
710756a9 2499 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 2500 goto end;
7fb4c820
MC		 2501 }
2502
7d4488bb
MC		 2503 if (initrbio != USE_DEFAULT) {
2504 setupbio(&irbio, bio1, bio2, initrbio);
2505 setupbio(&iwbio, bio1, bio2, initwbio);
2506 SSL_set_bio(clientssl, irbio, iwbio);
7fb4c820 2507
7d4488bb
MC		 2508 /*
2509 * We want to maintain our own refs to these BIO, so do an up ref for
2510 * each BIO that will have ownership transferred in the SSL_set_bio()
2511 * call
2512 */
2513 if (irbio != NULL)
2514 BIO_up_ref(irbio);
2515 if (iwbio != NULL && iwbio != irbio)
2516 BIO_up_ref(iwbio);
2517 }
7fb4c820 2518
7d4488bb
MC		 2519 if (conntype != CONNTYPE_NO_CONNECTION
2520 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2521 SSL_ERROR_NONE)
2522 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2523 goto end;
7fb4c820
MC		 2524
2525 setupbio(&nrbio, bio1, bio2, newrbio);
2526 setupbio(&nwbio, bio1, bio2, newwbio);
2527
2528 /*
2529 * We will (maybe) transfer ownership again so do more up refs.
2530 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2531 * already been set!
2532 */
710756a9
RS		 2533 if (nrbio != NULL
2534 && nrbio != irbio
2535 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 2536 BIO_up_ref(nrbio);
710756a9
RS		 2537 if (nwbio != NULL
2538 && nwbio != nrbio
2539 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 2540 BIO_up_ref(nwbio);
2541
7d4488bb 2542 SSL_set_bio(clientssl, nrbio, nwbio);
7fb4c820
MC		 2543
2544 testresult = 1;
2545
2546 end:
7fb4c820
MC		 2547 BIO_free(bio1);
2548 BIO_free(bio2);
710756a9 2549
7fb4c820
MC		 2550 /*
2551 * This test is checking that the ref counting for SSL_set_bio is correct.
2552 * If we get here and we did too many frees then we will fail in the above
742ccab3 2553 * functions.
7fb4c820 2554 */
7d4488bb
MC		 2555 SSL_free(serverssl);
2556 SSL_free(clientssl);
2557 SSL_CTX_free(sctx);
2558 SSL_CTX_free(cctx);
7fb4c820
MC		 2559 return testresult;
2560}
2561
7e885b7b 2562typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 2563
7e885b7b 2564static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 2565{
2566 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 2567 SSL_CTX *ctx;
9a716987
MC		 2568 SSL *ssl = NULL;
2569 int testresult = 0;
2570
d8652be0 2571 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
710756a9
RS		 2572 || !TEST_ptr(ssl = SSL_new(ctx))
2573 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2574 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 2575 goto end;
9a716987
MC		 2576
2577 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2578
2579 /*
742ccab3 2580 * If anything goes wrong here then we could leak memory.
9a716987
MC		 2581 */
2582 BIO_push(sslbio, membio1);
2583
69687aa8 2584 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 2585 if (change_bio != NO_BIO_CHANGE) {
710756a9 2586 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
9a716987 2587 goto end;
7e885b7b 2588 if (change_bio == CHANGE_RBIO)
65e2d672 2589 SSL_set0_rbio(ssl, membio2);
9a716987 2590 else
65e2d672 2591 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 2592 }
2593 ssl = NULL;
2594
7e885b7b 2595 if (pop_ssl)
9a716987
MC		 2596 BIO_pop(sslbio);
2597 else
2598 BIO_pop(membio1);
2599
2600 testresult = 1;
2601 end:
2602 BIO_free(membio1);
2603 BIO_free(sslbio);
2604 SSL_free(ssl);
2605 SSL_CTX_free(ctx);
2606
2607 return testresult;
2608}
2609
2610static int test_ssl_bio_pop_next_bio(void)
2611{
7e885b7b 2612 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 2613}
2614
2615static int test_ssl_bio_pop_ssl_bio(void)
2616{
7e885b7b 2617 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 2618}
2619
2620static int test_ssl_bio_change_rbio(void)
2621{
7e885b7b 2622 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 2623}
2624
2625static int test_ssl_bio_change_wbio(void)
2626{
7e885b7b 2627 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 2628}
2629
c423ecaa 2630#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae
MC		 2631typedef struct {
2632 /* The list of sig algs */
2633 const int *list;
2634 /* The length of the list */
2635 size_t listlen;
2636 /* A sigalgs list in string format */
2637 const char *liststr;
2638 /* Whether setting the list should succeed */
2639 int valid;
2640 /* Whether creating a connection with the list should succeed */
2641 int connsuccess;
2642} sigalgs_list;
2643
2644static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 2645# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2646static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2647static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 2648# endif
f1b25aae
MC		 2649static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2650static const int invalidlist2[] = {NID_sha256, NID_undef};
2651static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2652static const int invalidlist4[] = {NID_sha256};
2653static const sigalgs_list testsigalgs[] = {
2654 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 2655# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2656 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2657 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 2658# endif
f1b25aae 2659 {NULL, 0, "RSA+SHA256", 1, 1},
c423ecaa 2660# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2661 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2662 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 2663# endif
f1b25aae
MC		 2664 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2665 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2666 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2667 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2668 {NULL, 0, "RSA", 0, 0},
2669 {NULL, 0, "SHA256", 0, 0},
2670 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 2671 {NULL, 0, "Invalid", 0, 0}
2672};
f1b25aae
MC		 2673
2674static int test_set_sigalgs(int idx)
2675{
2676 SSL_CTX *cctx = NULL, *sctx = NULL;
2677 SSL *clientssl = NULL, *serverssl = NULL;
2678 int testresult = 0;
2679 const sigalgs_list *curr;
2680 int testctx;
2681
2682 /* Should never happen */
710756a9 2683 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 2684 return 0;
2685
2686 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2687 curr = testctx ? &testsigalgs[idx]
2688 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2689
5e30f2fd
MC		 2690 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2691 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 2692 &sctx, &cctx, cert, privkey)))
f1b25aae 2693 return 0;
f1b25aae 2694
d2e491f2
MC		 2695 /*
2696 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2697 * for TLSv1.2 for now until we add a new API.
2698 */
2699 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2700
f1b25aae
MC		 2701 if (testctx) {
2702 int ret;
710756a9 2703
f1b25aae
MC		 2704 if (curr->list != NULL)
2705 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2706 else
2707 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2708
2709 if (!ret) {
2710 if (curr->valid)
710756a9 2711 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 2712 else
2713 testresult = 1;
2714 goto end;
2715 }
2716 if (!curr->valid) {
710756a9 2717 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 2718 goto end;
2719 }
2720 }
2721
710756a9
RS		 2722 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2723 &clientssl, NULL, NULL)))
f1b25aae 2724 goto end;
f1b25aae
MC		 2725
2726 if (!testctx) {
2727 int ret;
2728
2729 if (curr->list != NULL)
2730 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2731 else
2732 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2733 if (!ret) {
2734 if (curr->valid)
710756a9 2735 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 2736 else
2737 testresult = 1;
2738 goto end;
2739 }
710756a9 2740 if (!curr->valid)
f1b25aae 2741 goto end;
f1b25aae
MC		 2742 }
2743
710756a9
RS		 2744 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2745 SSL_ERROR_NONE),
2746 curr->connsuccess))
f1b25aae 2747 goto end;
f1b25aae
MC		 2748
2749 testresult = 1;
2750
2751 end:
2752 SSL_free(serverssl);
2753 SSL_free(clientssl);
2754 SSL_CTX_free(sctx);
2755 SSL_CTX_free(cctx);
2756
2757 return testresult;
2758}
c423ecaa 2759#endif
f1b25aae 2760
fff202e5 2761#ifndef OPENSSL_NO_TLS1_3
532f9578
MC		 2762static int psk_client_cb_cnt = 0;
2763static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 2764
2765static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2766 size_t *idlen, SSL_SESSION **sess)
2767{
2768 switch (++use_session_cb_cnt) {
2769 case 1:
2770 /* The first call should always have a NULL md */
2771 if (md != NULL)
2772 return 0;
2773 break;
2774
2775 case 2:
2776 /* The second call should always have an md */
2777 if (md == NULL)
2778 return 0;
2779 break;
2780
2781 default:
2782 /* We should only be called a maximum of twice */
2783 return 0;
2784 }
2785
57dee9bb
MC		 2786 if (clientpsk != NULL)
2787 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 2788
57dee9bb 2789 *sess = clientpsk;
02a3ed5a
MC		 2790 *id = (const unsigned char *)pskid;
2791 *idlen = strlen(pskid);
2792
2793 return 1;
2794}
2795
c2b290c3 2796#ifndef OPENSSL_NO_PSK
532f9578
MC		 2797static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2798 unsigned int max_id_len,
2799 unsigned char *psk,
2800 unsigned int max_psk_len)
2801{
2802 unsigned int psklen = 0;
2803
2804 psk_client_cb_cnt++;
2805
2806 if (strlen(pskid) + 1 > max_id_len)
2807 return 0;
2808
2809 /* We should only ever be called a maximum of twice per connection */
2810 if (psk_client_cb_cnt > 2)
2811 return 0;
2812
2813 if (clientpsk == NULL)
2814 return 0;
2815
2816 /* We'll reuse the PSK we set up for TLSv1.3 */
2817 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2818 return 0;
2819 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2820 strncpy(id, pskid, max_id_len);
2821
2822 return psklen;
2823}
c2b290c3 2824#endif /* OPENSSL_NO_PSK */
532f9578 2825
02a3ed5a
MC		 2826static int find_session_cb(SSL *ssl, const unsigned char *identity,
2827 size_t identity_len, SSL_SESSION **sess)
2828{
2829 find_session_cb_cnt++;
2830
2831 /* We should only ever be called a maximum of twice per connection */
2832 if (find_session_cb_cnt > 2)
2833 return 0;
2834
57dee9bb 2835 if (serverpsk == NULL)
02a3ed5a
MC		 2836 return 0;
2837
2838 /* Identity should match that set by the client */
2839 if (strlen(srvid) != identity_len
2840 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2841 /* No PSK found, continue but without a PSK */
2842 *sess = NULL;
2843 return 1;
2844 }
2845
57dee9bb
MC		 2846 SSL_SESSION_up_ref(serverpsk);
2847 *sess = serverpsk;
02a3ed5a
MC		 2848
2849 return 1;
2850}
2851
c2b290c3 2852#ifndef OPENSSL_NO_PSK
532f9578
MC		 2853static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2854 unsigned char *psk, unsigned int max_psk_len)
2855{
2856 unsigned int psklen = 0;
2857
2858 psk_server_cb_cnt++;
2859
2860 /* We should only ever be called a maximum of twice per connection */
2861 if (find_session_cb_cnt > 2)
2862 return 0;
2863
2864 if (serverpsk == NULL)
2865 return 0;
2866
2867 /* Identity should match that set by the client */
2868 if (strcmp(srvid, identity) != 0) {
2869 return 0;
2870 }
2871
2872 /* We'll reuse the PSK we set up for TLSv1.3 */
2873 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2874 return 0;
2875 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2876
2877 return psklen;
2878}
c2b290c3 2879#endif /* OPENSSL_NO_PSK */
532f9578 2880
5f982038
MC		 2881#define MSG1 "Hello"
2882#define MSG2 "World."
2883#define MSG3 "This"
2884#define MSG4 "is"
2885#define MSG5 "a"
90049cea
MC		 2886#define MSG6 "test"
2887#define MSG7 "message."
5f982038 2888
532f9578 2889#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
0b2b0be9 2890#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2891#define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
2892#define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
2893#define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
02a3ed5a 2894
8614a4eb
MC		 2895
2896static SSL_SESSION *create_a_psk(SSL *ssl)
2897{
2898 const SSL_CIPHER *cipher = NULL;
2899 const unsigned char key[] = {
2900 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2901 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2902 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2903 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2904 0x2c, 0x2d, 0x2e, 0x2f
2905 };
2906 SSL_SESSION *sess = NULL;
2907
2908 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2909 sess = SSL_SESSION_new();
2910 if (!TEST_ptr(sess)
2911 || !TEST_ptr(cipher)
2912 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2913 sizeof(key)))
2914 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2915 || !TEST_true(
2916 SSL_SESSION_set_protocol_version(sess,
2917 TLS1_3_VERSION))) {
2918 SSL_SESSION_free(sess);
2919 return NULL;
2920 }
2921 return sess;
2922}
2923
5f982038
MC		 2924/*
2925 * Helper method to setup objects for early data test. Caller frees objects on
2926 * error.
2927 */
2928static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3cb47b4e 2929 SSL **serverssl, SSL_SESSION **sess, int idx)
5f982038 2930{
5a421415 2931 if (*sctx == NULL
5e30f2fd 2932 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5a421415 2933 TLS_client_method(),
5c587fb6 2934 TLS1_VERSION, 0,
5a421415
MC		 2935 sctx, cctx, cert, privkey)))
2936 return 0;
2937
2938 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 2939 return 0;
5f982038 2940
02a3ed5a
MC		 2941 if (idx == 1) {
2942 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 2943 SSL_CTX_set_read_ahead(*cctx, 1);
2944 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 2945 } else if (idx == 2) {
2946 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2947 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2948 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2949 use_session_cb_cnt = 0;
2950 find_session_cb_cnt = 0;
2951 srvid = pskid;
3cb47b4e
MC		 2952 }
2953
710756a9 2954 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 2955 NULL, NULL)))
2956 return 0;
2957
141e4709
MC		 2958 /*
2959 * For one of the run throughs (doesn't matter which one), we'll try sending
2960 * some SNI data in the initial ClientHello. This will be ignored (because
2961 * there is no SNI cb set up by the server), so it should not impact
2962 * early_data.
2963 */
2964 if (idx == 1
2965 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2966 return 0;
2967
02a3ed5a 2968 if (idx == 2) {
8614a4eb 2969 clientpsk = create_a_psk(*clientssl);
57dee9bb 2970 if (!TEST_ptr(clientpsk)
02a3ed5a
MC		 2971 /*
2972 * We just choose an arbitrary value for max_early_data which
2973 * should be big enough for testing purposes.
2974 */
57dee9bb
MC		 2975 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2976 0x100))
2977 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2978 SSL_SESSION_free(clientpsk);
2979 clientpsk = NULL;
02a3ed5a
MC		 2980 return 0;
2981 }
57dee9bb 2982 serverpsk = clientpsk;
02a3ed5a 2983
c20e3b28
MC		 2984 if (sess != NULL) {
2985 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2986 SSL_SESSION_free(clientpsk);
2987 SSL_SESSION_free(serverpsk);
2988 clientpsk = serverpsk = NULL;
2989 return 0;
2990 }
57dee9bb 2991 *sess = clientpsk;
c20e3b28 2992 }
02a3ed5a
MC		 2993 return 1;
2994 }
2995
2996 if (sess == NULL)
2997 return 1;
2998
2999 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3000 SSL_ERROR_NONE)))
5f982038 3001 return 0;
5f982038
MC		 3002
3003 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 3004 SSL_shutdown(*clientssl);
3005 SSL_shutdown(*serverssl);
5f982038
MC		 3006 SSL_free(*serverssl);
3007 SSL_free(*clientssl);
3008 *serverssl = *clientssl = NULL;
3009
710756a9
RS		 3010 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3011 clientssl, NULL, NULL))
3012 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 3013 return 0;
5f982038
MC		 3014
3015 return 1;
3016}
3017
3cb47b4e 3018static int test_early_data_read_write(int idx)
5f982038
MC		 3019{
3020 SSL_CTX *cctx = NULL, *sctx = NULL;
3021 SSL *clientssl = NULL, *serverssl = NULL;
3022 int testresult = 0;
3023 SSL_SESSION *sess = NULL;
9b5c865d
MC		 3024 unsigned char buf[20], data[1024];
3025 size_t readbytes, written, eoedlen, rawread, rawwritten;
3026 BIO *rbio;
5f982038 3027
710756a9
RS		 3028 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3029 &serverssl, &sess, idx)))
5f982038
MC		 3030 goto end;
3031
3032 /* Write and read some early data */
710756a9
RS		 3033 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3034 &written))
3035 || !TEST_size_t_eq(written, strlen(MSG1))
3036 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3037 sizeof(buf), &readbytes),
3038 SSL_READ_EARLY_DATA_SUCCESS)
3039 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3040 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3041 SSL_EARLY_DATA_ACCEPTED))
5f982038 3042 goto end;
5f982038
MC		 3043
3044 /*
09f28874 3045 * Server should be able to write data, and client should be able to
5f982038
MC		 3046 * read it.
3047 */
710756a9
RS		 3048 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3049 &written))
3050 || !TEST_size_t_eq(written, strlen(MSG2))
3051 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3052 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3053 goto end;
5f982038
MC		 3054
3055 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 3056 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3057 &written))
3058 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 3059 goto end;
5f982038 3060
09f28874 3061 /* Server should still be able read early data after writing data */
710756a9
RS		 3062 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3063 &readbytes),
3064 SSL_READ_EARLY_DATA_SUCCESS)
3065 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 3066 goto end;
5f982038 3067
09f28874 3068 /* Write more data from server and read it from client */
710756a9
RS		 3069 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3070 &written))
3071 || !TEST_size_t_eq(written, strlen(MSG4))
3072 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3073 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 3074 goto end;
5f982038
MC		 3075
3076 /*
3077 * If client writes normal data it should mean writing early data is no
3078 * longer possible.
3079 */
710756a9
RS		 3080 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3081 || !TEST_size_t_eq(written, strlen(MSG5))
3082 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3083 SSL_EARLY_DATA_ACCEPTED))
5f982038 3084 goto end;
5f982038 3085
9b5c865d
MC		 3086 /*
3087 * At this point the client has written EndOfEarlyData, ClientFinished and
3088 * normal (fully protected) data. We are going to cause a delay between the
3089 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3090 * in the read BIO, and then just put back the EndOfEarlyData message.
3091 */
3092 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 3093 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3094 || !TEST_size_t_lt(rawread, sizeof(data))
3095 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 3096 goto end;
710756a9 3097
9b5c865d
MC		 3098 /* Record length is in the 4th and 5th bytes of the record header */
3099 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 3100 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3101 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 3102 goto end;
9b5c865d 3103
5f982038 3104 /* Server should be told that there is no more early data */
710756a9
RS		 3105 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3106 &readbytes),
3107 SSL_READ_EARLY_DATA_FINISH)
3108 || !TEST_size_t_eq(readbytes, 0))
5f982038 3109 goto end;
5f982038 3110
9b5c865d
MC		 3111 /*
3112 * Server has not finished init yet, so should still be able to write early
3113 * data.
3114 */
710756a9
RS		 3115 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3116 &written))
3117 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 3118 goto end;
9b5c865d 3119
f8a303fa 3120 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 3121 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3122 &rawwritten))
3123 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 3124 goto end;
f8a303fa 3125
5f982038 3126 /* Server should be able to read normal data */
710756a9
RS		 3127 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3128 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3129 goto end;
5f982038 3130
09f28874 3131 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3132 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3133 &written)))
5f982038 3134 goto end;
5f982038 3135 ERR_clear_error();
710756a9
RS		 3136 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3137 &readbytes),
3138 SSL_READ_EARLY_DATA_ERROR))
5f982038 3139 goto end;
5f982038
MC		 3140 ERR_clear_error();
3141
9b5c865d 3142 /* Client should be able to read the data sent by the server */
710756a9
RS		 3143 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3144 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 3145 goto end;
710756a9 3146
f8a303fa 3147 /*
36ff232c
MC		 3148 * Make sure we process the two NewSessionTickets. These arrive
3149 * post-handshake. We attempt reads which we do not expect to return any
3150 * data.
f8a303fa 3151 */
36ff232c
MC		 3152 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3153 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3154 &readbytes)))
f8a303fa 3155 goto end;
5f982038 3156
90049cea 3157 /* Server should be able to write normal data */
710756a9
RS		 3158 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3159 || !TEST_size_t_eq(written, strlen(MSG7))
3160 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3161 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 3162 goto end;
90049cea 3163
c20e3b28 3164 SSL_SESSION_free(sess);
5f982038 3165 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 3166 use_session_cb_cnt = 0;
3167 find_session_cb_cnt = 0;
5f982038
MC		 3168
3169 SSL_shutdown(clientssl);
3170 SSL_shutdown(serverssl);
5f982038
MC		 3171 SSL_free(serverssl);
3172 SSL_free(clientssl);
3173 serverssl = clientssl = NULL;
710756a9
RS		 3174 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3175 &clientssl, NULL, NULL))
3176 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 3177 goto end;
5f982038
MC		 3178
3179 /* Write and read some early data */
710756a9
RS		 3180 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3181 &written))
3182 || !TEST_size_t_eq(written, strlen(MSG1))
3183 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3184 &readbytes),
3185 SSL_READ_EARLY_DATA_SUCCESS)
3186 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 3187 goto end;
5f982038 3188
710756a9
RS		 3189 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3190 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 3191 goto end;
5f982038 3192
09f28874 3193 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3194 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3195 &written)))
5f982038 3196 goto end;
5f982038 3197 ERR_clear_error();
710756a9
RS		 3198 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3199 &readbytes),
3200 SSL_READ_EARLY_DATA_ERROR))
5f982038 3201 goto end;
5f982038
MC		 3202 ERR_clear_error();
3203
3204 /* Client and server should be able to write/read normal data */
710756a9
RS		 3205 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3206 || !TEST_size_t_eq(written, strlen(MSG5))
3207 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3208 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3209 goto end;
5f982038
MC		 3210
3211 testresult = 1;
3212
3213 end:
c20e3b28 3214 SSL_SESSION_free(sess);
57dee9bb
MC		 3215 SSL_SESSION_free(clientpsk);
3216 SSL_SESSION_free(serverpsk);
3217 clientpsk = serverpsk = NULL;
5f982038
MC		 3218 SSL_free(serverssl);
3219 SSL_free(clientssl);
3220 SSL_CTX_free(sctx);
3221 SSL_CTX_free(cctx);
5f982038
MC		 3222 return testresult;
3223}
3224
5a421415
MC		 3225static int allow_ed_cb_called = 0;
3226
3227static int allow_early_data_cb(SSL *s, void *arg)
3228{
3229 int *usecb = (int *)arg;
3230
3231 allow_ed_cb_called++;
3232
3233 if (*usecb == 1)
3234 return 0;
3235
3236 return 1;
3237}
3238
3239/*
3240 * idx == 0: Standard early_data setup
3241 * idx == 1: early_data setup using read_ahead
3242 * usecb == 0: Don't use a custom early data callback
3243 * usecb == 1: Use a custom early data callback and reject the early data
3244 * usecb == 2: Use a custom early data callback and accept the early data
3bb5e5b0
MC		 3245 * confopt == 0: Configure anti-replay directly
3246 * confopt == 1: Configure anti-replay using SSL_CONF
5a421415 3247 */
3bb5e5b0 3248static int test_early_data_replay_int(int idx, int usecb, int confopt)
78fb5374
MC		 3249{
3250 SSL_CTX *cctx = NULL, *sctx = NULL;
3251 SSL *clientssl = NULL, *serverssl = NULL;
3252 int testresult = 0;
3253 SSL_SESSION *sess = NULL;
5a421415
MC		 3254 size_t readbytes, written;
3255 unsigned char buf[20];
3256
3257 allow_ed_cb_called = 0;
3258
5e30f2fd
MC		 3259 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3260 TLS_client_method(), TLS1_VERSION, 0,
3261 &sctx, &cctx, cert, privkey)))
5a421415
MC		 3262 return 0;
3263
3264 if (usecb > 0) {
3bb5e5b0
MC		 3265 if (confopt == 0) {
3266 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3267 } else {
3268 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3269
3270 if (!TEST_ptr(confctx))
3271 goto end;
3272 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3273 | SSL_CONF_FLAG_SERVER);
3274 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3275 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3276 2)) {
3277 SSL_CONF_CTX_free(confctx);
3278 goto end;
3279 }
3280 SSL_CONF_CTX_free(confctx);
3281 }
5a421415
MC		 3282 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3283 }
78fb5374
MC		 3284
3285 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3286 &serverssl, &sess, idx)))
3287 goto end;
3288
3289 /*
3290 * The server is configured to accept early data. Create a connection to
3291 * "use up" the ticket
3292 */
3293 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3294 || !TEST_true(SSL_session_reused(clientssl)))
3295 goto end;
3296
3297 SSL_shutdown(clientssl);
3298 SSL_shutdown(serverssl);
3299 SSL_free(serverssl);
3300 SSL_free(clientssl);
3301 serverssl = clientssl = NULL;
3302
3303 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3304 &clientssl, NULL, NULL))
5a421415
MC		 3305 || !TEST_true(SSL_set_session(clientssl, sess)))
3306 goto end;
3307
3308 /* Write and read some early data */
3309 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3310 &written))
3311 || !TEST_size_t_eq(written, strlen(MSG1)))
3312 goto end;
3313
3314 if (usecb <= 1) {
3315 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3316 &readbytes),
3317 SSL_READ_EARLY_DATA_FINISH)
3318 /*
3319 * The ticket was reused, so the we should have rejected the
3320 * early data
3321 */
3322 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3323 SSL_EARLY_DATA_REJECTED))
3324 goto end;
3325 } else {
3326 /* In this case the callback decides to accept the early data */
3327 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3328 &readbytes),
3329 SSL_READ_EARLY_DATA_SUCCESS)
3330 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3331 /*
3332 * Server will have sent its flight so client can now send
3333 * end of early data and complete its half of the handshake
3334 */
3335 || !TEST_int_gt(SSL_connect(clientssl), 0)
3336 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3337 &readbytes),
3338 SSL_READ_EARLY_DATA_FINISH)
3339 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3340 SSL_EARLY_DATA_ACCEPTED))
3341 goto end;
3342 }
3343
3344 /* Complete the connection */
3345 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3346 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3347 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
78fb5374
MC		 3348 goto end;
3349
3350 testresult = 1;
3351
3352 end:
c20e3b28 3353 SSL_SESSION_free(sess);
78fb5374
MC		 3354 SSL_SESSION_free(clientpsk);
3355 SSL_SESSION_free(serverpsk);
3356 clientpsk = serverpsk = NULL;
3357 SSL_free(serverssl);
3358 SSL_free(clientssl);
3359 SSL_CTX_free(sctx);
3360 SSL_CTX_free(cctx);
3361 return testresult;
3362}
3363
5a421415
MC		 3364static int test_early_data_replay(int idx)
3365{
3bb5e5b0 3366 int ret = 1, usecb, confopt;
5a421415 3367
3bb5e5b0
MC		 3368 for (usecb = 0; usecb < 3; usecb++) {
3369 for (confopt = 0; confopt < 2; confopt++)
3370 ret &= test_early_data_replay_int(idx, usecb, confopt);
3371 }
5a421415
MC		 3372
3373 return ret;
3374}
3375
710756a9 3376/*
6b84e6bf
MC		 3377 * Helper function to test that a server attempting to read early data can
3378 * handle a connection from a client where the early data should be skipped.
0d1b7789
MC		 3379 * testtype: 0 == No HRR
3380 * testtype: 1 == HRR
0efa0ba4
MC		 3381 * testtype: 2 == HRR, invalid early_data sent after HRR
3382 * testtype: 3 == recv_max_early_data set to 0
710756a9 3383 */
0d1b7789 3384static int early_data_skip_helper(int testtype, int idx)
5f982038
MC		 3385{
3386 SSL_CTX *cctx = NULL, *sctx = NULL;
3387 SSL *clientssl = NULL, *serverssl = NULL;
3388 int testresult = 0;
018fcbec 3389 SSL_SESSION *sess = NULL;
5f982038
MC		 3390 unsigned char buf[20];
3391 size_t readbytes, written;
3392
710756a9
RS		 3393 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3394 &serverssl, &sess, idx)))
5f982038
MC		 3395 goto end;
3396
0efa0ba4 3397 if (testtype == 1 || testtype == 2) {
6b84e6bf 3398 /* Force an HRR to occur */
dbc6268f
MC		 3399#if defined(OPENSSL_NO_EC)
3400 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3401 goto end;
3402#else
6b84e6bf
MC		 3403 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3404 goto end;
dbc6268f 3405#endif
02a3ed5a
MC		 3406 } else if (idx == 2) {
3407 /*
3408 * We force early_data rejection by ensuring the PSK identity is
3409 * unrecognised
3410 */
3411 srvid = "Dummy Identity";
6b84e6bf
MC		 3412 } else {
3413 /*
3414 * Deliberately corrupt the creation time. We take 20 seconds off the
3415 * time. It could be any value as long as it is not within tolerance.
3416 * This should mean the ticket is rejected.
3417 */
5d99881e 3418 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 3419 goto end;
3420 }
5f982038 3421
0efa0ba4 3422 if (testtype == 3
0d1b7789
MC		 3423 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3424 goto end;
3425
5f982038 3426 /* Write some early data */
710756a9
RS		 3427 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3428 &written))
3429 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 3430 goto end;
5f982038 3431
0d1b7789 3432 /* Server should reject the early data */
710756a9
RS		 3433 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3434 &readbytes),
3435 SSL_READ_EARLY_DATA_FINISH)
3436 || !TEST_size_t_eq(readbytes, 0)
3437 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3438 SSL_EARLY_DATA_REJECTED))
5f982038 3439 goto end;
5f982038 3440
0efa0ba4
MC		 3441 switch (testtype) {
3442 case 0:
3443 /* Nothing to do */
3444 break;
3445
3446 case 1:
6b84e6bf
MC		 3447 /*
3448 * Finish off the handshake. We perform the same writes and reads as
3449 * further down but we expect them to fail due to the incomplete
3450 * handshake.
3451 */
3452 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3453 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3454 &readbytes)))
3455 goto end;
0efa0ba4
MC		 3456 break;
3457
3458 case 2:
3459 {
3460 BIO *wbio = SSL_get_wbio(clientssl);
3461 /* A record that will appear as bad early_data */
3462 const unsigned char bad_early_data[] = {
3463 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3464 };
3465
3466 /*
3467 * We force the client to attempt a write. This will fail because
3468 * we're still in the handshake. It will cause the second
3469 * ClientHello to be sent.
3470 */
3471 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3472 &written)))
3473 goto end;
3474
3475 /*
3476 * Inject some early_data after the second ClientHello. This should
3477 * cause the server to fail
3478 */
3479 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3480 sizeof(bad_early_data), &written)))
3481 goto end;
3482 }
3483 /* fallthrough */
3484
3485 case 3:
0d1b7789 3486 /*
0efa0ba4
MC		 3487 * This client has sent more early_data than we are willing to skip
3488 * (case 3) or sent invalid early_data (case 2) so the connection should
3489 * abort.
0d1b7789
MC		 3490 */
3491 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3492 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3493 goto end;
3494
3495 /* Connection has failed - nothing more to do */
3496 testresult = 1;
3497 goto end;
0efa0ba4
MC		 3498
3499 default:
3500 TEST_error("Invalid test type");
3501 goto end;
6b84e6bf
MC		 3502 }
3503
0d1b7789
MC		 3504 /*
3505 * Should be able to send normal data despite rejection of early data. The
3506 * early_data should be skipped.
3507 */
710756a9
RS		 3508 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3509 || !TEST_size_t_eq(written, strlen(MSG2))
3510 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3511 SSL_EARLY_DATA_REJECTED)
3512 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3513 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3514 goto end;
5f982038
MC		 3515
3516 testresult = 1;
3517
3518 end:
c20e3b28 3519 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3520 SSL_SESSION_free(serverpsk);
3521 clientpsk = serverpsk = NULL;
5f982038
MC		 3522 SSL_SESSION_free(sess);
3523 SSL_free(serverssl);
3524 SSL_free(clientssl);
3525 SSL_CTX_free(sctx);
3526 SSL_CTX_free(cctx);
5f982038
MC		 3527 return testresult;
3528}
3529
6b84e6bf
MC		 3530/*
3531 * Test that a server attempting to read early data can handle a connection
3532 * from a client where the early data is not acceptable.
3533 */
3534static int test_early_data_skip(int idx)
3535{
3536 return early_data_skip_helper(0, idx);
3537}
3538
3539/*
3540 * Test that a server attempting to read early data can handle a connection
3541 * from a client where an HRR occurs.
3542 */
3543static int test_early_data_skip_hrr(int idx)
3544{
3545 return early_data_skip_helper(1, idx);
3546}
3547
0efa0ba4
MC		 3548/*
3549 * Test that a server attempting to read early data can handle a connection
3550 * from a client where an HRR occurs and correctly fails if early_data is sent
3551 * after the HRR
3552 */
3553static int test_early_data_skip_hrr_fail(int idx)
3554{
3555 return early_data_skip_helper(2, idx);
3556}
3557
0d1b7789
MC		 3558/*
3559 * Test that a server attempting to read early data will abort if it tries to
3560 * skip over too much.
3561 */
3562static int test_early_data_skip_abort(int idx)
3563{
0efa0ba4 3564 return early_data_skip_helper(3, idx);
0d1b7789
MC		 3565}
3566
710756a9
RS		 3567/*
3568 * Test that a server attempting to read early data can handle a connection
3569 * from a client that doesn't send any.
3570 */
3cb47b4e 3571static int test_early_data_not_sent(int idx)
5f982038
MC		 3572{
3573 SSL_CTX *cctx = NULL, *sctx = NULL;
3574 SSL *clientssl = NULL, *serverssl = NULL;
3575 int testresult = 0;
018fcbec 3576 SSL_SESSION *sess = NULL;
5f982038
MC		 3577 unsigned char buf[20];
3578 size_t readbytes, written;
3579
710756a9
RS		 3580 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3581 &serverssl, &sess, idx)))
5f982038
MC		 3582 goto end;
3583
3584 /* Write some data - should block due to handshake with server */
3585 SSL_set_connect_state(clientssl);
710756a9 3586 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 3587 goto end;
5f982038
MC		 3588
3589 /* Server should detect that early data has not been sent */
710756a9
RS		 3590 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3591 &readbytes),
3592 SSL_READ_EARLY_DATA_FINISH)
3593 || !TEST_size_t_eq(readbytes, 0)
3594 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3595 SSL_EARLY_DATA_NOT_SENT)
3596 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3597 SSL_EARLY_DATA_NOT_SENT))
5f982038 3598 goto end;
5f982038
MC		 3599
3600 /* Continue writing the message we started earlier */
710756a9
RS		 3601 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3602 || !TEST_size_t_eq(written, strlen(MSG1))
3603 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3604 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3605 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3606 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 3607 goto end;
5f982038 3608
710756a9
RS		 3609 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3610 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3611 goto end;
5f982038
MC		 3612
3613 testresult = 1;
3614
3615 end:
5f982038 3616 SSL_SESSION_free(sess);
c20e3b28 3617 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3618 SSL_SESSION_free(serverpsk);
3619 clientpsk = serverpsk = NULL;
5f982038
MC		 3620 SSL_free(serverssl);
3621 SSL_free(clientssl);
3622 SSL_CTX_free(sctx);
3623 SSL_CTX_free(cctx);
5f982038
MC		 3624 return testresult;
3625}
3626
976e5323
MC		 3627static const char *servalpn;
3628
c7558d5b
PY		 3629static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3630 unsigned char *outlen, const unsigned char *in,
3631 unsigned int inlen, void *arg)
976e5323 3632{
c7558d5b 3633 unsigned int protlen = 0;
976e5323
MC		 3634 const unsigned char *prot;
3635
c7558d5b
PY		 3636 for (prot = in; prot < in + inlen; prot += protlen) {
3637 protlen = *prot++;
5d99881e 3638 if (in + inlen < prot + protlen)
976e5323
MC		 3639 return SSL_TLSEXT_ERR_NOACK;
3640
3641 if (protlen == strlen(servalpn)
0bd42fde 3642 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 3643 *out = prot;
3644 *outlen = protlen;
3645 return SSL_TLSEXT_ERR_OK;
3646 }
3647 }
3648
3649 return SSL_TLSEXT_ERR_NOACK;
3650}
3651
57dee9bb 3652/* Test that a PSK can be used to send early_data */
976e5323
MC		 3653static int test_early_data_psk(int idx)
3654{
3655 SSL_CTX *cctx = NULL, *sctx = NULL;
3656 SSL *clientssl = NULL, *serverssl = NULL;
3657 int testresult = 0;
3658 SSL_SESSION *sess = NULL;
57dee9bb
MC		 3659 unsigned char alpnlist[] = {
3660 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3661 'l', 'p', 'n'
3662 };
3663#define GOODALPNLEN 9
3664#define BADALPNLEN 8
3665#define GOODALPN (alpnlist)
3666#define BADALPN (alpnlist + GOODALPNLEN)
3667 int err = 0;
976e5323
MC		 3668 unsigned char buf[20];
3669 size_t readbytes, written;
57dee9bb 3670 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 3671 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3672
3673 /* We always set this up with a final parameter of "2" for PSK */
3674 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3675 &serverssl, &sess, 2)))
3676 goto end;
3677
976e5323
MC		 3678 servalpn = "goodalpn";
3679
57dee9bb
MC		 3680 /*
3681 * Note: There is no test for inconsistent SNI with late client detection.
3682 * This is because servers do not acknowledge SNI even if they are using
3683 * it in a resumption handshake - so it is not actually possible for a
3684 * client to detect a problem.
3685 */
976e5323
MC		 3686 switch (idx) {
3687 case 0:
57dee9bb 3688 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 3689 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3690 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3691 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3692 goto end;
3693 break;
3694
3695 case 1:
57dee9bb 3696 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 3697 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3698 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 3699 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3700 GOODALPNLEN))
3701 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3702 BADALPNLEN)))
976e5323
MC		 3703 goto end;
3704 break;
3705
3706 case 2:
3707 /*
3708 * Set invalid protocol version. Technically this affects PSKs without
3709 * early_data too, but we test it here because it is similar to the
3710 * SNI/ALPN consistency tests.
3711 */
3712 err = SSL_R_BAD_PSK;
3713 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3714 goto end;
3715 break;
3716
3717 case 3:
3718 /*
49ef3d07
MC		 3719 * Set inconsistent SNI (server side). In this case the connection
3720 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3721 * is associated with each handshake - not the session. Therefore it
3722 * should not matter that we used a different server name last time.
976e5323 3723 */
281bf233
MC		 3724 SSL_SESSION_free(serverpsk);
3725 serverpsk = SSL_SESSION_dup(clientpsk);
3726 if (!TEST_ptr(serverpsk)
3727 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3728 goto end;
976e5323
MC		 3729 /* Fall through */
3730 case 4:
3731 /* Set consistent SNI */
976e5323
MC		 3732 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3733 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3734 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3735 hostname_cb)))
3736 goto end;
3737 break;
3738
3739 case 5:
3740 /*
3741 * Set inconsistent ALPN (server detected). In this case the connection
3742 * will succeed but reject early_data.
3743 */
3744 servalpn = "badalpn";
3745 edstatus = SSL_EARLY_DATA_REJECTED;
3746 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3747 /* Fall through */
3748 case 6:
976e5323 3749 /*
57dee9bb 3750 * Set consistent ALPN.
976e5323
MC		 3751 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3752 * accepts a list of protos (each one length prefixed).
3753 * SSL_set1_alpn_selected accepts a single protocol (not length
3754 * prefixed)
3755 */
57dee9bb
MC		 3756 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3757 GOODALPNLEN - 1))
3758 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3759 GOODALPNLEN)))
976e5323
MC		 3760 goto end;
3761
3762 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3763 break;
3764
57dee9bb
MC		 3765 case 7:
3766 /* Set inconsistent ALPN (late client detection) */
3767 SSL_SESSION_free(serverpsk);
3768 serverpsk = SSL_SESSION_dup(clientpsk);
3769 if (!TEST_ptr(serverpsk)
3770 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3771 BADALPN + 1,
3772 BADALPNLEN - 1))
3773 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3774 GOODALPN + 1,
3775 GOODALPNLEN - 1))
3776 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3777 sizeof(alpnlist))))
3778 goto end;
3779 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3780 edstatus = SSL_EARLY_DATA_ACCEPTED;
3781 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3782 /* SSL_connect() call should fail */
3783 connectres = -1;
3784 break;
3785
976e5323
MC		 3786 default:
3787 TEST_error("Bad test index");
3788 goto end;
3789 }
3790
3791 SSL_set_connect_state(clientssl);
3792 if (err != 0) {
3793 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3794 &written))
3795 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3796 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3797 goto end;
3798 } else {
3799 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 3800 &written)))
3801 goto end;
3802
3803 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3804 &readbytes), readearlyres)
976e5323
MC		 3805 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3806 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 3807 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3808 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 3809 goto end;
3810 }
3811
3812 testresult = 1;
3813
3814 end:
c20e3b28 3815 SSL_SESSION_free(sess);
57dee9bb
MC		 3816 SSL_SESSION_free(clientpsk);
3817 SSL_SESSION_free(serverpsk);
3818 clientpsk = serverpsk = NULL;
976e5323
MC		 3819 SSL_free(serverssl);
3820 SSL_free(clientssl);
3821 SSL_CTX_free(sctx);
3822 SSL_CTX_free(cctx);
3823 return testresult;
3824}
3825
0b2b0be9 3826/*
3827 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
3828 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
3829 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
3830 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3831 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
3832 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
3833 */
3834static int test_early_data_psk_with_all_ciphers(int idx)
3835{
3836 SSL_CTX *cctx = NULL, *sctx = NULL;
3837 SSL *clientssl = NULL, *serverssl = NULL;
3838 int testresult = 0;
3839 SSL_SESSION *sess = NULL;
3840 unsigned char buf[20];
3841 size_t readbytes, written;
3842 const SSL_CIPHER *cipher;
3843 const char *cipher_str[] = {
3844 TLS1_3_RFC_AES_128_GCM_SHA256,
3845 TLS1_3_RFC_AES_256_GCM_SHA384,
3846# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3847 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3848# else
3849 NULL,
3850# endif
3851 TLS1_3_RFC_AES_128_CCM_SHA256,
3852 TLS1_3_RFC_AES_128_CCM_8_SHA256
3853 };
3854 const unsigned char *cipher_bytes[] = {
3855 TLS13_AES_128_GCM_SHA256_BYTES,
3856 TLS13_AES_256_GCM_SHA384_BYTES,
3857# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3858 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
3859# else
3860 NULL,
3861# endif
3862 TLS13_AES_128_CCM_SHA256_BYTES,
3863 TLS13_AES_128_CCM_8_SHA256_BYTES
3864 };
3865
3866 if (cipher_str[idx] == NULL)
3867 return 1;
3868 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
3869 if (idx == 2 && is_fips == 1)
3870 return 1;
3871
3872 /* We always set this up with a final parameter of "2" for PSK */
3873 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3874 &serverssl, &sess, 2)))
3875 goto end;
3876
3877 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
3878 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
3879 goto end;
3880
3881 /*
3882 * 'setupearly_data_test' creates only one instance of SSL_SESSION
3883 * and assigns to both client and server with incremented reference
3884 * and the same instance is updated in 'sess'.
3885 * So updating ciphersuite in 'sess' which will get reflected in
3886 * PSK handshake using psk use sess and find sess cb.
3887 */
3888 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
3889 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
3890 goto end;
3891
3892 SSL_set_connect_state(clientssl);
3893 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3894 &written)))
3895 goto end;
3896
3897 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3898 &readbytes),
3899 SSL_READ_EARLY_DATA_SUCCESS)
3900 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3901 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3902 SSL_EARLY_DATA_ACCEPTED)
3903 || !TEST_int_eq(SSL_connect(clientssl), 1)
3904 || !TEST_int_eq(SSL_accept(serverssl), 1))
3905 goto end;
3906
3907 /* Send some normal data from client to server */
3908 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3909 || !TEST_size_t_eq(written, strlen(MSG2)))
3910 goto end;
3911
3912 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3913 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3914 goto end;
3915
3916 testresult = 1;
3917 end:
3918 SSL_SESSION_free(sess);
3919 SSL_SESSION_free(clientpsk);
3920 SSL_SESSION_free(serverpsk);
3921 clientpsk = serverpsk = NULL;
3922 if (clientssl != NULL)
3923 SSL_shutdown(clientssl);
3924 if (serverssl != NULL)
3925 SSL_shutdown(serverssl);
3926 SSL_free(serverssl);
3927 SSL_free(clientssl);
3928 SSL_CTX_free(sctx);
3929 SSL_CTX_free(cctx);
3930 return testresult;
3931}
3932
710756a9
RS		 3933/*
3934 * Test that a server that doesn't try to read early data can handle a
3935 * client sending some.
3936 */
3cb47b4e 3937static int test_early_data_not_expected(int idx)
5f982038
MC		 3938{
3939 SSL_CTX *cctx = NULL, *sctx = NULL;
3940 SSL *clientssl = NULL, *serverssl = NULL;
3941 int testresult = 0;
018fcbec 3942 SSL_SESSION *sess = NULL;
5f982038
MC		 3943 unsigned char buf[20];
3944 size_t readbytes, written;
3945
710756a9
RS		 3946 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3947 &serverssl, &sess, idx)))
5f982038
MC		 3948 goto end;
3949
3950 /* Write some early data */
710756a9
RS		 3951 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3952 &written)))
5f982038 3953 goto end;
5f982038
MC		 3954
3955 /*
3956 * Server should skip over early data and then block waiting for client to
3957 * continue handshake
3958 */
710756a9
RS		 3959 if (!TEST_int_le(SSL_accept(serverssl), 0)
3960 || !TEST_int_gt(SSL_connect(clientssl), 0)
3961 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3962 SSL_EARLY_DATA_REJECTED)
3963 || !TEST_int_gt(SSL_accept(serverssl), 0)
3964 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3965 SSL_EARLY_DATA_REJECTED))
5f982038 3966 goto end;
5f982038
MC		 3967
3968 /* Send some normal data from client to server */
710756a9
RS		 3969 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3970 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 3971 goto end;
5f982038 3972
710756a9
RS		 3973 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3974 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3975 goto end;
5f982038
MC		 3976
3977 testresult = 1;
3978
3979 end:
5f982038 3980 SSL_SESSION_free(sess);
c20e3b28 3981 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3982 SSL_SESSION_free(serverpsk);
3983 clientpsk = serverpsk = NULL;
5f982038
MC		 3984 SSL_free(serverssl);
3985 SSL_free(clientssl);
3986 SSL_CTX_free(sctx);
3987 SSL_CTX_free(cctx);
5f982038
MC		 3988 return testresult;
3989}
3990
3991
3992# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 3993/*
3994 * Test that a server attempting to read early data can handle a connection
3995 * from a TLSv1.2 client.
3996 */
3cb47b4e 3997static int test_early_data_tls1_2(int idx)
5f982038
MC		 3998{
3999 SSL_CTX *cctx = NULL, *sctx = NULL;
4000 SSL *clientssl = NULL, *serverssl = NULL;
4001 int testresult = 0;
4002 unsigned char buf[20];
4003 size_t readbytes, written;
4004
02a3ed5a
MC		 4005 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4006 &serverssl, NULL, idx)))
5f982038 4007 goto end;
5f982038
MC		 4008
4009 /* Write some data - should block due to handshake with server */
4010 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4011 SSL_set_connect_state(clientssl);
710756a9 4012 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 4013 goto end;
5f982038
MC		 4014
4015 /*
4016 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 4017 * messages from client after ServerDone. Then SSL_read_early_data should
4018 * finish and detect that early data has not been sent
5f982038 4019 */
710756a9
RS		 4020 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4021 &readbytes),
4022 SSL_READ_EARLY_DATA_ERROR))
5f982038 4023 goto end;
5f982038
MC		 4024
4025 /*
4026 * Continue writing the message we started earlier. Will still block waiting
4027 * for the CCS/Finished from server
4028 */
710756a9
RS		 4029 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4030 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4031 &readbytes),
4032 SSL_READ_EARLY_DATA_FINISH)
4033 || !TEST_size_t_eq(readbytes, 0)
4034 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4035 SSL_EARLY_DATA_NOT_SENT))
5f982038 4036 goto end;
5f982038
MC		 4037
4038 /* Continue writing the message we started earlier */
710756a9
RS		 4039 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4040 || !TEST_size_t_eq(written, strlen(MSG1))
4041 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4042 SSL_EARLY_DATA_NOT_SENT)
4043 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4044 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4045 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4046 || !TEST_size_t_eq(written, strlen(MSG2))
4047 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4048 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4049 goto end;
5f982038
MC		 4050
4051 testresult = 1;
4052
4053 end:
57dee9bb
MC		 4054 SSL_SESSION_free(clientpsk);
4055 SSL_SESSION_free(serverpsk);
4056 clientpsk = serverpsk = NULL;
5f982038
MC		 4057 SSL_free(serverssl);
4058 SSL_free(clientssl);
4059 SSL_CTX_free(sctx);
4060 SSL_CTX_free(cctx);
4061
4062 return testresult;
4063}
ca0413ae
MC		 4064# endif /* OPENSSL_NO_TLS1_2 */
4065
034cb87b
MC		 4066/*
4067 * Test configuring the TLSv1.3 ciphersuites
4068 *
4069 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4070 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4071 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4072 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4073 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4074 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4075 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4076 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4077 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4078 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4079 */
4080static int test_set_ciphersuite(int idx)
4081{
4082 SSL_CTX *cctx = NULL, *sctx = NULL;
4083 SSL *clientssl = NULL, *serverssl = NULL;
4084 int testresult = 0;
4085
5e30f2fd
MC		 4086 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4087 TLS_client_method(), TLS1_VERSION, 0,
034cb87b
MC		 4088 &sctx, &cctx, cert, privkey))
4089 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4090 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4091 goto end;
4092
4093 if (idx >=4 && idx <= 7) {
4094 /* SSL_CTX explicit cipher list */
4095 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4096 goto end;
4097 }
4098
4099 if (idx == 0 || idx == 4) {
4100 /* Default ciphersuite */
4101 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4102 "TLS_AES_128_GCM_SHA256")))
4103 goto end;
4104 } else if (idx == 1 || idx == 5) {
4105 /* Non default ciphersuite */
4106 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4107 "TLS_AES_128_CCM_SHA256")))
4108 goto end;
4109 }
4110
4111 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4112 &clientssl, NULL, NULL)))
4113 goto end;
4114
4115 if (idx == 8 || idx == 9) {
4116 /* SSL explicit cipher list */
4117 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4118 goto end;
4119 }
4120
4121 if (idx == 2 || idx == 6 || idx == 8) {
4122 /* Default ciphersuite */
4123 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4124 "TLS_AES_128_GCM_SHA256")))
4125 goto end;
4126 } else if (idx == 3 || idx == 7 || idx == 9) {
4127 /* Non default ciphersuite */
4128 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4129 "TLS_AES_128_CCM_SHA256")))
4130 goto end;
4131 }
4132
4133 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4134 goto end;
4135
4136 testresult = 1;
4137
4138 end:
4139 SSL_free(serverssl);
4140 SSL_free(clientssl);
4141 SSL_CTX_free(sctx);
4142 SSL_CTX_free(cctx);
4143
4144 return testresult;
4145}
4146
ca0413ae
MC		 4147static int test_ciphersuite_change(void)
4148{
4149 SSL_CTX *cctx = NULL, *sctx = NULL;
4150 SSL *clientssl = NULL, *serverssl = NULL;
4151 SSL_SESSION *clntsess = NULL;
4152 int testresult = 0;
4153 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4154
4155 /* Create a session based on SHA-256 */
5e30f2fd
MC		 4156 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4157 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 4158 &sctx, &cctx, cert, privkey))
4f6c7044
MC		 4159 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4160 "TLS_AES_128_GCM_SHA256:"
4161 "TLS_AES_256_GCM_SHA384:"
4162 "TLS_AES_128_CCM_SHA256"))
f865b081
MC		 4163 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4164 "TLS_AES_128_GCM_SHA256"))
ca0413ae
MC		 4165 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4166 &clientssl, NULL, NULL))
4167 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4168 SSL_ERROR_NONE)))
4169 goto end;
4170
4171 clntsess = SSL_get1_session(clientssl);
4172 /* Save for later */
4173 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4174 SSL_shutdown(clientssl);
4175 SSL_shutdown(serverssl);
4176 SSL_free(serverssl);
4177 SSL_free(clientssl);
4178 serverssl = clientssl = NULL;
4179
4180 /* Check we can resume a session with a different SHA-256 ciphersuite */
f865b081 4181 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4f6c7044
MC		 4182 "TLS_AES_128_CCM_SHA256"))
4183 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4184 &clientssl, NULL, NULL))
ca0413ae
MC		 4185 || !TEST_true(SSL_set_session(clientssl, clntsess))
4186 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4187 SSL_ERROR_NONE))
4188 || !TEST_true(SSL_session_reused(clientssl)))
4189 goto end;
4190
4191 SSL_SESSION_free(clntsess);
4192 clntsess = SSL_get1_session(clientssl);
4193 SSL_shutdown(clientssl);
4194 SSL_shutdown(serverssl);
4195 SSL_free(serverssl);
4196 SSL_free(clientssl);
4197 serverssl = clientssl = NULL;
4198
4199 /*
4200 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 4201 * succeeds but does not resume.
ca0413ae 4202 */
f865b081 4203 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4204 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4205 NULL, NULL))
4206 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 4207 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 4208 SSL_ERROR_SSL))
0de6d66d 4209 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 4210 goto end;
4211
4212 SSL_SESSION_free(clntsess);
4213 clntsess = NULL;
4214 SSL_shutdown(clientssl);
4215 SSL_shutdown(serverssl);
4216 SSL_free(serverssl);
4217 SSL_free(clientssl);
4218 serverssl = clientssl = NULL;
4219
4220 /* Create a session based on SHA384 */
f865b081 4221 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4222 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4223 &clientssl, NULL, NULL))
4224 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4225 SSL_ERROR_NONE)))
4226 goto end;
4227
4228 clntsess = SSL_get1_session(clientssl);
4229 SSL_shutdown(clientssl);
4230 SSL_shutdown(serverssl);
4231 SSL_free(serverssl);
4232 SSL_free(clientssl);
4233 serverssl = clientssl = NULL;
4234
f865b081
MC		 4235 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4236 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4237 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4238 "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4239 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4240 NULL, NULL))
4241 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 4242 /*
4243 * We use SSL_ERROR_WANT_READ below so that we can pause the
4244 * connection after the initial ClientHello has been sent to
4245 * enable us to make some session changes.
4246 */
ca0413ae
MC		 4247 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4248 SSL_ERROR_WANT_READ)))
4249 goto end;
4250
4251 /* Trick the client into thinking this session is for a different digest */
4252 clntsess->cipher = aes_128_gcm_sha256;
4253 clntsess->cipher_id = clntsess->cipher->id;
4254
4255 /*
3b0e88d3
MC		 4256 * Continue the previously started connection. Server has selected a SHA-384
4257 * ciphersuite, but client thinks the session is for SHA-256, so it should
4258 * bail out.
ca0413ae
MC		 4259 */
4260 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4261 SSL_ERROR_SSL))
4262 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4263 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4264 goto end;
4265
4266 testresult = 1;
4267
4268 end:
4269 SSL_SESSION_free(clntsess);
4270 SSL_free(serverssl);
4271 SSL_free(clientssl);
4272 SSL_CTX_free(sctx);
4273 SSL_CTX_free(cctx);
4274
4275 return testresult;
4276}
4277
8e63900a 4278/*
5bf2eade 4279 * Test TLSv1.3 Key exchange
4280 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4281 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4282 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4283 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4284 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4285 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4286 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4287 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4288 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4289 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4290 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4291 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4292 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4293 * Test 13 = Test all FFDHE with TLSv1.2 client and server
8e63900a 4294 */
db26ec80 4295static int test_key_exchange(int idx)
8e63900a 4296{
4297 SSL_CTX *sctx = NULL, *cctx = NULL;
4298 SSL *serverssl = NULL, *clientssl = NULL;
4299 int testresult = 0;
5bf2eade 4300# ifndef OPENSSL_NO_EC
4301 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4302 NID_secp521r1, NID_X25519, NID_X448};
4303# endif
4304# ifndef OPENSSL_NO_DH
8e63900a 4305 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4306 NID_ffdhe6144, NID_ffdhe8192};
5bf2eade 4307# endif
fb8c6db4 4308 int kexch_alg;
4309 int *kexch_groups = &kexch_alg;
4310 int kexch_groups_size = 1;
8e63900a 4311 int max_version = TLS1_3_VERSION;
8e63900a 4312
4313 switch (idx) {
5bf2eade 4314# ifndef OPENSSL_NO_EC
db26ec80 4315# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4316 case 12:
fb8c6db4 4317 max_version = TLS1_2_VERSION;
db26ec80 4318# endif
fb8c6db4 4319 /* Fall through */
4320 case 0:
4321 kexch_groups = ecdhe_kexch_groups;
4322 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4323 break;
5bf2eade 4324 case 1:
fb8c6db4 4325 kexch_alg = NID_X9_62_prime256v1;
4326 break;
5bf2eade 4327 case 2:
fb8c6db4 4328 kexch_alg = NID_secp384r1;
4329 break;
5bf2eade 4330 case 3:
fb8c6db4 4331 kexch_alg = NID_secp521r1;
4332 break;
5bf2eade 4333 case 4:
fb8c6db4 4334 kexch_alg = NID_X25519;
4335 break;
5bf2eade 4336 case 5:
fb8c6db4 4337 kexch_alg = NID_X448;
4338 break;
5bf2eade 4339# endif
4340# ifndef OPENSSL_NO_DH
db26ec80 4341# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4342 case 13:
dbc6268f 4343 max_version = TLS1_2_VERSION;
db26ec80 4344# endif
dbc6268f 4345 /* Fall through */
5bf2eade 4346 case 6:
8e63900a 4347 kexch_groups = ffdhe_kexch_groups;
4348 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4349 break;
5bf2eade 4350 case 7:
fb8c6db4 4351 kexch_alg = NID_ffdhe2048;
4352 break;
5bf2eade 4353 case 8:
fb8c6db4 4354 kexch_alg = NID_ffdhe3072;
4355 break;
5bf2eade 4356 case 9:
fb8c6db4 4357 kexch_alg = NID_ffdhe4096;
4358 break;
5bf2eade 4359 case 10:
fb8c6db4 4360 kexch_alg = NID_ffdhe6144;
4361 break;
5bf2eade 4362 case 11:
fb8c6db4 4363 kexch_alg = NID_ffdhe8192;
8e63900a 4364 break;
5bf2eade 4365# endif
6597d62b
MC		 4366 default:
4367 /* We're skipping this test */
4368 return 1;
8e63900a 4369 }
4370
5e30f2fd
MC		 4371 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4372 TLS_client_method(), TLS1_VERSION,
4373 max_version, &sctx, &cctx, cert,
4374 privkey)))
8e63900a 4375 goto end;
4376
5bf2eade 4377 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4378 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4379 goto end;
4380
5bf2eade 4381 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4382 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4383 goto end;
4384
5bf2eade 4385 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4386 TLS1_TXT_RSA_WITH_AES_128_SHA)))
8e63900a 4387 goto end;
4388
dbc6268f
MC		 4389 /*
4390 * Must include an EC ciphersuite so that we send supported groups in
4391 * TLSv1.2
4392 */
5bf2eade 4393# ifndef OPENSSL_NO_TLS1_2
dbc6268f
MC		 4394 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4395 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
4396 TLS1_TXT_RSA_WITH_AES_128_SHA)))
8e63900a 4397 goto end;
5bf2eade 4398# endif
8e63900a 4399
4400 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4401 NULL, NULL)))
4402 goto end;
4403
4404 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4405 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4406 goto end;
4407
5bf2eade 4408 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8e63900a 4409 goto end;
8e63900a 4410
dbc6268f 4411 /*
5bf2eade 4412 * If Handshake succeeds the negotiated kexch alg should be the first one in
4413 * configured, except in the case of FFDHE groups (idx 13), which are
4414 * TLSv1.3 only so we expect no shared group to exist.
dbc6268f
MC		 4415 */
4416 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
5bf2eade 4417 idx == 13 ? 0 : kexch_groups[0]))
8e63900a 4418 goto end;
fb8c6db4 4419 if (max_version == TLS1_3_VERSION) {
4420 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4421 goto end;
4422 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4423 goto end;
4424 }
8e63900a 4425
4426 testresult = 1;
4427 end:
4428 SSL_free(serverssl);
4429 SSL_free(clientssl);
4430 SSL_CTX_free(sctx);
4431 SSL_CTX_free(cctx);
4432 return testresult;
4433}
4434
5bf2eade 4435/*
4436 * Test TLSv1.3 Cipher Suite
4437 * Test 0 = Set TLS1.3 cipher on context
4438 * Test 1 = Set TLS1.3 cipher on SSL
4439 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4440 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4441 */
4442static int test_tls13_ciphersuite(int idx)
4443{
4444 SSL_CTX *sctx = NULL, *cctx = NULL;
4445 SSL *serverssl = NULL, *clientssl = NULL;
4f6c7044
MC		 4446 static const struct {
4447 const char *ciphername;
4448 int fipscapable;
4449 } t13_ciphers[] = {
4450 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
4451 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
4452 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
5bf2eade 4453# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4f6c7044
MC		 4454 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4455 { TLS1_3_RFC_AES_256_GCM_SHA384
4456 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
5bf2eade 4457# endif
4f6c7044 4458 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
5bf2eade 4459 };
4460 const char *t13_cipher = NULL;
4461 const char *t12_cipher = NULL;
4462 const char *negotiated_scipher;
4463 const char *negotiated_ccipher;
4464 int set_at_ctx = 0;
4465 int set_at_ssl = 0;
4466 int testresult = 0;
4467 int max_ver;
4468 size_t i;
4469
4470 switch (idx) {
4471 case 0:
4472 set_at_ctx = 1;
4473 break;
4474 case 1:
4475 set_at_ssl = 1;
4476 break;
4477 case 2:
4478 set_at_ctx = 1;
2d900758 4479 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 4480 break;
4481 case 3:
4482 set_at_ssl = 1;
2d900758 4483 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 4484 break;
4485 }
4486
4487 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4488# ifdef OPENSSL_NO_TLS1_2
4489 if (max_ver == TLS1_2_VERSION)
4490 continue;
4491# endif
4492 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4f6c7044
MC		 4493 if (is_fips && !t13_ciphers[i].fipscapable)
4494 continue;
4495 t13_cipher = t13_ciphers[i].ciphername;
5e30f2fd 4496 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5bf2eade 4497 TLS_client_method(),
4498 TLS1_VERSION, max_ver,
4499 &sctx, &cctx, cert, privkey)))
4500 goto end;
4501
4502 if (set_at_ctx) {
4503 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4504 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4505 goto end;
4506 if (t12_cipher != NULL) {
4507 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
4508 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
4509 t12_cipher)))
4510 goto end;
4511 }
4512 }
4513
4514 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4515 &clientssl, NULL, NULL)))
4516 goto end;
4517
4518 if (set_at_ssl) {
4519 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
4520 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
4521 goto end;
4522 if (t12_cipher != NULL) {
4523 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
4524 || !TEST_true(SSL_set_cipher_list(clientssl,
4525 t12_cipher)))
4526 goto end;
4527 }
4528 }
4529
4530 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4531 SSL_ERROR_NONE)))
4532 goto end;
4533
4534 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4535 serverssl));
4536 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4537 clientssl));
4538 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
4539 goto end;
4540
4541 /*
4542 * TEST_strn_eq is used below because t13_cipher can contain
4543 * multiple ciphersuites
4544 */
4545 if (max_ver == TLS1_3_VERSION
4546 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
4547 strlen(negotiated_scipher)))
4548 goto end;
4549
4550# ifndef OPENSSL_NO_TLS1_2
4551 /* Below validation is not done when t12_cipher is NULL */
4552 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
4553 && !TEST_str_eq(t12_cipher, negotiated_scipher))
4554 goto end;
4555# endif
4556
4557 SSL_free(serverssl);
4558 serverssl = NULL;
4559 SSL_free(clientssl);
4560 clientssl = NULL;
4561 SSL_CTX_free(sctx);
4562 sctx = NULL;
4563 SSL_CTX_free(cctx);
4564 cctx = NULL;
4565 }
4566 }
4567
4568 testresult = 1;
4569 end:
4570 SSL_free(serverssl);
4571 SSL_free(clientssl);
4572 SSL_CTX_free(sctx);
4573 SSL_CTX_free(cctx);
4574 return testresult;
4575}
4576
0d8da779
MC		 4577/*
4578 * Test TLSv1.3 PSKs
4579 * Test 0 = Test new style callbacks
4580 * Test 1 = Test both new and old style callbacks
4581 * Test 2 = Test old style callbacks
4582 * Test 3 = Test old style callbacks with no certificate
4583 */
532f9578 4584static int test_tls13_psk(int idx)
ca8c71ba
MC		 4585{
4586 SSL_CTX *sctx = NULL, *cctx = NULL;
4587 SSL *serverssl = NULL, *clientssl = NULL;
4588 const SSL_CIPHER *cipher = NULL;
4589 const unsigned char key[] = {
4590 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4591 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 4592 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
4593 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 4594 };
4595 int testresult = 0;
4596
5e30f2fd
MC		 4597 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4598 TLS_client_method(), TLS1_VERSION, 0,
0d8da779
MC		 4599 &sctx, &cctx, idx == 3 ? NULL : cert,
4600 idx == 3 ? NULL : privkey)))
ca8c71ba
MC		 4601 goto end;
4602
0d8da779
MC		 4603 if (idx != 3) {
4604 /*
4605 * We use a ciphersuite with SHA256 to ease testing old style PSK
4606 * callbacks which will always default to SHA256. This should not be
4607 * necessary if we have no cert/priv key. In that case the server should
4608 * prefer SHA256 automatically.
4609 */
4610 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4611 "TLS_AES_128_GCM_SHA256")))
4612 goto end;
4f6c7044
MC		 4613 } else {
4614 /*
4615 * As noted above the server should prefer SHA256 automatically. However
4616 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
4617 * code works even if we are testing with only the FIPS provider loaded.
4618 */
4619 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4620 "TLS_AES_256_GCM_SHA384:"
4621 "TLS_AES_128_GCM_SHA256")))
4622 goto end;
0d8da779 4623 }
532f9578
MC		 4624
4625 /*
4626 * Test 0: New style callbacks only
4627 * Test 1: New and old style callbacks (only the new ones should be used)
4628 * Test 2: Old style callbacks only
4629 */
4630 if (idx == 0 || idx == 1) {
4631 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
4632 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
4633 }
c2b290c3 4634#ifndef OPENSSL_NO_PSK
0d8da779 4635 if (idx >= 1) {
532f9578
MC		 4636 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
4637 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
4638 }
c2b290c3 4639#endif
ca8c71ba 4640 srvid = pskid;
02a3ed5a
MC		 4641 use_session_cb_cnt = 0;
4642 find_session_cb_cnt = 0;
532f9578
MC		 4643 psk_client_cb_cnt = 0;
4644 psk_server_cb_cnt = 0;
ca8c71ba 4645
0d8da779
MC		 4646 if (idx != 3) {
4647 /*
4648 * Check we can create a connection if callback decides not to send a
4649 * PSK
4650 */
4651 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4652 NULL, NULL))
4653 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4654 SSL_ERROR_NONE))
4655 || !TEST_false(SSL_session_reused(clientssl))
4656 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 4657 goto end;
532f9578 4658
0d8da779
MC		 4659 if (idx == 0 || idx == 1) {
4660 if (!TEST_true(use_session_cb_cnt == 1)
4661 || !TEST_true(find_session_cb_cnt == 0)
4662 /*
4663 * If no old style callback then below should be 0
4664 * otherwise 1
4665 */
4666 || !TEST_true(psk_client_cb_cnt == idx)
4667 || !TEST_true(psk_server_cb_cnt == 0))
4668 goto end;
4669 } else {
4670 if (!TEST_true(use_session_cb_cnt == 0)
4671 || !TEST_true(find_session_cb_cnt == 0)
4672 || !TEST_true(psk_client_cb_cnt == 1)
4673 || !TEST_true(psk_server_cb_cnt == 0))
4674 goto end;
4675 }
4676
4677 shutdown_ssl_connection(serverssl, clientssl);
4678 serverssl = clientssl = NULL;
4679 use_session_cb_cnt = psk_client_cb_cnt = 0;
4680 }
ca8c71ba
MC		 4681
4682 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4683 NULL, NULL)))
4684 goto end;
4685
4686 /* Create the PSK */
532f9578 4687 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 4688 clientpsk = SSL_SESSION_new();
4689 if (!TEST_ptr(clientpsk)
ca8c71ba 4690 || !TEST_ptr(cipher)
57dee9bb
MC		 4691 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4692 sizeof(key)))
4693 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4694 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4695 TLS1_3_VERSION))
4696 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 4697 goto end;
57dee9bb 4698 serverpsk = clientpsk;
ca8c71ba
MC		 4699
4700 /* Check we can create a connection and the PSK is used */
4701 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4702 || !TEST_true(SSL_session_reused(clientssl))
532f9578 4703 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 4704 goto end;
4705
532f9578
MC		 4706 if (idx == 0 || idx == 1) {
4707 if (!TEST_true(use_session_cb_cnt == 1)
4708 || !TEST_true(find_session_cb_cnt == 1)
4709 || !TEST_true(psk_client_cb_cnt == 0)
4710 || !TEST_true(psk_server_cb_cnt == 0))
4711 goto end;
4712 } else {
4713 if (!TEST_true(use_session_cb_cnt == 0)
4714 || !TEST_true(find_session_cb_cnt == 0)
4715 || !TEST_true(psk_client_cb_cnt == 1)
4716 || !TEST_true(psk_server_cb_cnt == 1))
4717 goto end;
4718 }
4719
ca8c71ba
MC		 4720 shutdown_ssl_connection(serverssl, clientssl);
4721 serverssl = clientssl = NULL;
4722 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 4723 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 4724
4725 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4726 NULL, NULL)))
4727 goto end;
4728
4729 /* Force an HRR */
dbc6268f
MC		 4730#if defined(OPENSSL_NO_EC)
4731 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4732 goto end;
4733#else
ca8c71ba
MC		 4734 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4735 goto end;
dbc6268f 4736#endif
ca8c71ba
MC		 4737
4738 /*
4739 * Check we can create a connection, the PSK is used and the callbacks are
4740 * called twice.
4741 */
4742 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4743 || !TEST_true(SSL_session_reused(clientssl))
532f9578 4744 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 4745 goto end;
4746
532f9578
MC		 4747 if (idx == 0 || idx == 1) {
4748 if (!TEST_true(use_session_cb_cnt == 2)
4749 || !TEST_true(find_session_cb_cnt == 2)
4750 || !TEST_true(psk_client_cb_cnt == 0)
4751 || !TEST_true(psk_server_cb_cnt == 0))
4752 goto end;
4753 } else {
4754 if (!TEST_true(use_session_cb_cnt == 0)
4755 || !TEST_true(find_session_cb_cnt == 0)
4756 || !TEST_true(psk_client_cb_cnt == 2)
4757 || !TEST_true(psk_server_cb_cnt == 2))
4758 goto end;
4759 }
4760
ca8c71ba
MC		 4761 shutdown_ssl_connection(serverssl, clientssl);
4762 serverssl = clientssl = NULL;
4763 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 4764 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba 4765
0d8da779
MC		 4766 if (idx != 3) {
4767 /*
4768 * Check that if the server rejects the PSK we can still connect, but with
4769 * a full handshake
4770 */
4771 srvid = "Dummy Identity";
4772 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4773 NULL, NULL))
4774 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4775 SSL_ERROR_NONE))
4776 || !TEST_false(SSL_session_reused(clientssl))
4777 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 4778 goto end;
532f9578 4779
0d8da779
MC		 4780 if (idx == 0 || idx == 1) {
4781 if (!TEST_true(use_session_cb_cnt == 1)
4782 || !TEST_true(find_session_cb_cnt == 1)
4783 || !TEST_true(psk_client_cb_cnt == 0)
4784 /*
4785 * If no old style callback then below should be 0
4786 * otherwise 1
4787 */
4788 || !TEST_true(psk_server_cb_cnt == idx))
4789 goto end;
4790 } else {
4791 if (!TEST_true(use_session_cb_cnt == 0)
4792 || !TEST_true(find_session_cb_cnt == 0)
4793 || !TEST_true(psk_client_cb_cnt == 1)
4794 || !TEST_true(psk_server_cb_cnt == 1))
4795 goto end;
4796 }
4797
4798 shutdown_ssl_connection(serverssl, clientssl);
4799 serverssl = clientssl = NULL;
4800 }
ca8c71ba
MC		 4801 testresult = 1;
4802
4803 end:
57dee9bb
MC		 4804 SSL_SESSION_free(clientpsk);
4805 SSL_SESSION_free(serverpsk);
4806 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 4807 SSL_free(serverssl);
4808 SSL_free(clientssl);
4809 SSL_CTX_free(sctx);
4810 SSL_CTX_free(cctx);
4811 return testresult;
4812}
4813
c7b8ff25
MC		 4814static unsigned char cookie_magic_value[] = "cookie magic";
4815
4816static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
4817 unsigned int *cookie_len)
4818{
4819 /*
4820 * Not suitable as a real cookie generation function but good enough for
4821 * testing!
4822 */
97ea1e7f
MC		 4823 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
4824 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 4825
4826 return 1;
4827}
4828
4829static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
4830 unsigned int cookie_len)
4831{
97ea1e7f 4832 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 4833 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
4834 return 1;
4835
4836 return 0;
4837}
4838
3fa2812f
BS		 4839static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
4840 size_t *cookie_len)
4841{
4842 unsigned int temp;
4843 int res = generate_cookie_callback(ssl, cookie, &temp);
4844 *cookie_len = temp;
4845 return res;
4846}
4847
4848static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
4849 size_t cookie_len)
4850{
4851 return verify_cookie_callback(ssl, cookie, cookie_len);
4852}
4853
c7b8ff25
MC		 4854static int test_stateless(void)
4855{
4856 SSL_CTX *sctx = NULL, *cctx = NULL;
4857 SSL *serverssl = NULL, *clientssl = NULL;
4858 int testresult = 0;
4859
5e30f2fd
MC		 4860 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4861 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 4862 &sctx, &cctx, cert, privkey)))
c7b8ff25
MC		 4863 goto end;
4864
e440f513
MC		 4865 /* The arrival of CCS messages can confuse the test */
4866 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
4867
4868 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4869 NULL, NULL))
4870 /* Send the first ClientHello */
4871 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4872 SSL_ERROR_WANT_READ))
4873 /*
4874 * This should fail with a -1 return because we have no callbacks
4875 * set up
4876 */
4877 || !TEST_int_eq(SSL_stateless(serverssl), -1))
4878 goto end;
4879
4880 /* Fatal error so abandon the connection from this client */
4881 SSL_free(clientssl);
4882 clientssl = NULL;
4883
c7b8ff25 4884 /* Set up the cookie generation and verification callbacks */
3fa2812f
BS		 4885 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
4886 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
c7b8ff25 4887
e440f513
MC		 4888 /*
4889 * Create a new connection from the client (we can reuse the server SSL
4890 * object).
4891 */
c7b8ff25
MC		 4892 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4893 NULL, NULL))
4894 /* Send the first ClientHello */
4895 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4896 SSL_ERROR_WANT_READ))
4897 /* This should fail because there is no cookie */
e440f513 4898 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 4899 goto end;
4900
4901 /* Abandon the connection from this client */
4902 SSL_free(clientssl);
4903 clientssl = NULL;
4904
4905 /*
4906 * Now create a connection from a new client but with the same server SSL
4907 * object
4908 */
4909 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4910 NULL, NULL))
4911 /* Send the first ClientHello */
4912 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4913 SSL_ERROR_WANT_READ))
4914 /* This should fail because there is no cookie */
e440f513 4915 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 4916 /* Send the second ClientHello */
4917 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4918 SSL_ERROR_WANT_READ))
4919 /* This should succeed because a cookie is now present */
e440f513 4920 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 4921 /* Complete the connection */
4922 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4923 SSL_ERROR_NONE)))
4924 goto end;
4925
4926 shutdown_ssl_connection(serverssl, clientssl);
4927 serverssl = clientssl = NULL;
4928 testresult = 1;
4929
4930 end:
4931 SSL_free(serverssl);
4932 SSL_free(clientssl);
4933 SSL_CTX_free(sctx);
4934 SSL_CTX_free(cctx);
4935 return testresult;
4936
4937}
ca0413ae 4938#endif /* OPENSSL_NO_TLS1_3 */
5f982038 4939
a37008d9
MC		 4940static int clntaddoldcb = 0;
4941static int clntparseoldcb = 0;
4942static int srvaddoldcb = 0;
4943static int srvparseoldcb = 0;
4944static int clntaddnewcb = 0;
4945static int clntparsenewcb = 0;
4946static int srvaddnewcb = 0;
4947static int srvparsenewcb = 0;
bb01ef3f 4948static int snicb = 0;
a37008d9
MC		 4949
4950#define TEST_EXT_TYPE1 0xff00
4951
4952static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
4953 size_t *outlen, int *al, void *add_arg)
4954{
4955 int *server = (int *)add_arg;
4956 unsigned char *data;
4957
4958 if (SSL_is_server(s))
4959 srvaddoldcb++;
4960 else
4961 clntaddoldcb++;
4962
710756a9
RS		 4963 if (*server != SSL_is_server(s)
4964 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 4965 return -1;
4966
4967 *data = 1;
4968 *out = data;
4969 *outlen = sizeof(char);
a37008d9
MC		 4970 return 1;
4971}
4972
4973static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
4974 void *add_arg)
4975{
4976 OPENSSL_free((unsigned char *)out);
4977}
4978
4979static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
4980 size_t inlen, int *al, void *parse_arg)
4981{
4982 int *server = (int *)parse_arg;
4983
4984 if (SSL_is_server(s))
4985 srvparseoldcb++;
4986 else
4987 clntparseoldcb++;
4988
710756a9
RS		 4989 if (*server != SSL_is_server(s)
4990 || inlen != sizeof(char)
4991 || *in != 1)
a37008d9
MC		 4992 return -1;
4993
4994 return 1;
4995}
4996
4997static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
4998 const unsigned char **out, size_t *outlen, X509 *x,
4999 size_t chainidx, int *al, void *add_arg)
5000{
5001 int *server = (int *)add_arg;
5002 unsigned char *data;
5003
5004 if (SSL_is_server(s))
5005 srvaddnewcb++;
5006 else
5007 clntaddnewcb++;
5008
710756a9
RS		 5009 if (*server != SSL_is_server(s)
5010 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5011 return -1;
5012
5013 *data = 1;
5014 *out = data;
710756a9 5015 *outlen = sizeof(*data);
a37008d9
MC		 5016 return 1;
5017}
5018
5019static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5020 const unsigned char *out, void *add_arg)
5021{
5022 OPENSSL_free((unsigned char *)out);
5023}
5024
5025static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5026 const unsigned char *in, size_t inlen, X509 *x,
5027 size_t chainidx, int *al, void *parse_arg)
5028{
5029 int *server = (int *)parse_arg;
5030
5031 if (SSL_is_server(s))
5032 srvparsenewcb++;
5033 else
5034 clntparsenewcb++;
5035
710756a9
RS		 5036 if (*server != SSL_is_server(s)
5037 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 5038 return -1;
5039
5040 return 1;
5041}
bb01ef3f
MC		 5042
5043static int sni_cb(SSL *s, int *al, void *arg)
5044{
5045 SSL_CTX *ctx = (SSL_CTX *)arg;
5046
5047 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5048 *al = SSL_AD_INTERNAL_ERROR;
5049 return SSL_TLSEXT_ERR_ALERT_FATAL;
5050 }
5051 snicb++;
5052 return SSL_TLSEXT_ERR_OK;
5053}
5054
a37008d9
MC		 5055/*
5056 * Custom call back tests.
5057 * Test 0: Old style callbacks in TLSv1.2
5058 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 5059 * Test 2: New style callbacks in TLSv1.2 with SNI
5060 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5061 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
a37008d9 5062 */
710756a9
RS		 5063static int test_custom_exts(int tst)
5064{
bb01ef3f 5065 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 5066 SSL *clientssl = NULL, *serverssl = NULL;
5067 int testresult = 0;
5068 static int server = 1;
5069 static int client = 0;
5070 SSL_SESSION *sess = NULL;
5071 unsigned int context;
5072
c423ecaa
MC		 5073#if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
5074 /* Skip tests for TLSv1.2 and below in this case */
5075 if (tst < 3)
5076 return 1;
5077#endif
5078
a37008d9
MC		 5079 /* Reset callback counters */
5080 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5081 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 5082 snicb = 0;
a37008d9 5083
5e30f2fd
MC		 5084 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5085 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5086 &sctx, &cctx, cert, privkey)))
710756a9 5087 goto end;
a37008d9 5088
bb01ef3f 5089 if (tst == 2
5e30f2fd 5090 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5c587fb6 5091 TLS1_VERSION, 0,
7d7f6834 5092 &sctx2, NULL, cert, privkey)))
bb01ef3f
MC		 5093 goto end;
5094
5095
5096 if (tst < 3) {
a37008d9
MC		 5097 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5098 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 5099 if (sctx2 != NULL)
5100 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 5101 }
5102
bb01ef3f 5103 if (tst == 4) {
710756a9
RS		 5104 context = SSL_EXT_CLIENT_HELLO
5105 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 5106 | SSL_EXT_TLS1_3_SERVER_HELLO
5107 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5108 | SSL_EXT_TLS1_3_CERTIFICATE
5109 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5110 } else {
710756a9
RS		 5111 context = SSL_EXT_CLIENT_HELLO
5112 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 5113 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5114 }
5115
5116 /* Create a client side custom extension */
5117 if (tst == 0) {
710756a9
RS		 5118 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5119 old_add_cb, old_free_cb,
5120 &client, old_parse_cb,
5121 &client)))
5122 goto end;
a37008d9 5123 } else {
710756a9
RS		 5124 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5125 new_add_cb, new_free_cb,
5126 &client, new_parse_cb, &client)))
5127 goto end;
a37008d9
MC		 5128 }
5129
5130 /* Should not be able to add duplicates */
710756a9
RS		 5131 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5132 old_add_cb, old_free_cb,
5133 &client, old_parse_cb,
5134 &client))
5135 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5136 context, new_add_cb,
5137 new_free_cb, &client,
5138 new_parse_cb, &client)))
5139 goto end;
a37008d9
MC		 5140
5141 /* Create a server side custom extension */
5142 if (tst == 0) {
710756a9
RS		 5143 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5144 old_add_cb, old_free_cb,
5145 &server, old_parse_cb,
5146 &server)))
5147 goto end;
a37008d9 5148 } else {
710756a9
RS		 5149 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5150 new_add_cb, new_free_cb,
5151 &server, new_parse_cb, &server)))
5152 goto end;
bb01ef3f
MC		 5153 if (sctx2 != NULL
5154 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5155 context, new_add_cb,
5156 new_free_cb, &server,
5157 new_parse_cb, &server)))
5158 goto end;
a37008d9
MC		 5159 }
5160
5161 /* Should not be able to add duplicates */
710756a9
RS		 5162 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5163 old_add_cb, old_free_cb,
5164 &server, old_parse_cb,
5165 &server))
5166 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5167 context, new_add_cb,
5168 new_free_cb, &server,
5169 new_parse_cb, &server)))
a37008d9 5170 goto end;
a37008d9 5171
bb01ef3f
MC		 5172 if (tst == 2) {
5173 /* Set up SNI */
5174 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5175 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5176 goto end;
5177 }
5178
710756a9
RS		 5179 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5180 &clientssl, NULL, NULL))
5181 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5182 SSL_ERROR_NONE)))
a37008d9 5183 goto end;
a37008d9
MC		 5184
5185 if (tst == 0) {
710756a9
RS		 5186 if (clntaddoldcb != 1
5187 || clntparseoldcb != 1
5188 || srvaddoldcb != 1
5189 || srvparseoldcb != 1)
a37008d9 5190 goto end;
bb01ef3f 5191 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 5192 if (clntaddnewcb != 1
5193 || clntparsenewcb != 1
5194 || srvaddnewcb != 1
bb01ef3f
MC		 5195 || srvparsenewcb != 1
5196 || (tst != 2 && snicb != 0)
5197 || (tst == 2 && snicb != 1))
a37008d9 5198 goto end;
a37008d9 5199 } else {
36ff232c 5200 /* In this case there 2 NewSessionTicket messages created */
710756a9 5201 if (clntaddnewcb != 1
36ff232c
MC		 5202 || clntparsenewcb != 5
5203 || srvaddnewcb != 5
710756a9 5204 || srvparsenewcb != 1)
a37008d9 5205 goto end;
a37008d9
MC		 5206 }
5207
5208 sess = SSL_get1_session(clientssl);
a37008d9
MC		 5209 SSL_shutdown(clientssl);
5210 SSL_shutdown(serverssl);
a37008d9
MC		 5211 SSL_free(serverssl);
5212 SSL_free(clientssl);
5213 serverssl = clientssl = NULL;
5214
bb01ef3f
MC		 5215 if (tst == 3) {
5216 /* We don't bother with the resumption aspects for this test */
5217 testresult = 1;
5218 goto end;
5219 }
5220
710756a9
RS		 5221 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5222 NULL, NULL))
5223 || !TEST_true(SSL_set_session(clientssl, sess))
5224 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5225 SSL_ERROR_NONE)))
a37008d9 5226 goto end;
a37008d9
MC		 5227
5228 /*
5229 * For a resumed session we expect to add the ClientHello extension. For the
5230 * old style callbacks we ignore it on the server side because they set
5231 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5232 * them.
5233 */
5234 if (tst == 0) {
710756a9
RS		 5235 if (clntaddoldcb != 2
5236 || clntparseoldcb != 1
5237 || srvaddoldcb != 1
5238 || srvparseoldcb != 1)
a37008d9 5239 goto end;
bb01ef3f 5240 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 5241 if (clntaddnewcb != 2
5242 || clntparsenewcb != 2
5243 || srvaddnewcb != 2
5244 || srvparsenewcb != 2)
a37008d9 5245 goto end;
a37008d9 5246 } else {
36ff232c
MC		 5247 /*
5248 * No Certificate message extensions in the resumption handshake,
5249 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5250 */
710756a9 5251 if (clntaddnewcb != 2
36ff232c
MC		 5252 || clntparsenewcb != 8
5253 || srvaddnewcb != 8
710756a9 5254 || srvparsenewcb != 2)
a37008d9 5255 goto end;
a37008d9
MC		 5256 }
5257
5258 testresult = 1;
5259
5260end:
5261 SSL_SESSION_free(sess);
5262 SSL_free(serverssl);
5263 SSL_free(clientssl);
bb01ef3f 5264 SSL_CTX_free(sctx2);
a37008d9
MC		 5265 SSL_CTX_free(sctx);
5266 SSL_CTX_free(cctx);
a37008d9
MC		 5267 return testresult;
5268}
5269
16afd71c
MC		 5270/*
5271 * Test loading of serverinfo data in various formats. test_sslmessages actually
5272 * tests to make sure the extensions appear in the handshake
5273 */
5274static int test_serverinfo(int tst)
5275{
5276 unsigned int version;
5277 unsigned char *sibuf;
5278 size_t sibuflen;
5279 int ret, expected, testresult = 0;
5280 SSL_CTX *ctx;
5281
d8652be0 5282 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method());
16afd71c
MC		 5283 if (!TEST_ptr(ctx))
5284 goto end;
5285
5286 if ((tst & 0x01) == 0x01)
5287 version = SSL_SERVERINFOV2;
5288 else
5289 version = SSL_SERVERINFOV1;
5290
5291 if ((tst & 0x02) == 0x02) {
5292 sibuf = serverinfov2;
5293 sibuflen = sizeof(serverinfov2);
5294 expected = (version == SSL_SERVERINFOV2);
5295 } else {
5296 sibuf = serverinfov1;
5297 sibuflen = sizeof(serverinfov1);
5298 expected = (version == SSL_SERVERINFOV1);
5299 }
5300
5301 if ((tst & 0x04) == 0x04) {
5302 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5303 } else {
5304 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5305
5306 /*
5307 * The version variable is irrelevant in this case - it's what is in the
5308 * buffer that matters
5309 */
5310 if ((tst & 0x02) == 0x02)
5311 expected = 0;
5312 else
5313 expected = 1;
5314 }
5315
5316 if (!TEST_true(ret == expected))
5317 goto end;
5318
5319 testresult = 1;
5320
5321 end:
5322 SSL_CTX_free(ctx);
5323
5324 return testresult;
5325}
5326
2197d1df
MC		 5327/*
5328 * Test that SSL_export_keying_material() produces expected results. There are
5329 * no test vectors so all we do is test that both sides of the communication
5330 * produce the same results for different protocol versions.
5331 */
0fb2815b
MC		 5332#define SMALL_LABEL_LEN 10
5333#define LONG_LABEL_LEN 249
2197d1df
MC		 5334static int test_export_key_mat(int tst)
5335{
a599574b 5336 int testresult = 0;
2197d1df
MC		 5337 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5338 SSL *clientssl = NULL, *serverssl = NULL;
0fb2815b 5339 const char label[LONG_LABEL_LEN + 1] = "test label";
2197d1df
MC		 5340 const unsigned char context[] = "context";
5341 const unsigned char *emptycontext = NULL;
5342 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5343 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
0fb2815b 5344 size_t labellen;
a599574b
MC		 5345 const int protocols[] = {
5346 TLS1_VERSION,
5347 TLS1_1_VERSION,
5348 TLS1_2_VERSION,
0fb2815b
MC		 5349 TLS1_3_VERSION,
5350 TLS1_3_VERSION,
a599574b
MC		 5351 TLS1_3_VERSION
5352 };
2197d1df
MC		 5353
5354#ifdef OPENSSL_NO_TLS1
5355 if (tst == 0)
5356 return 1;
5357#endif
5358#ifdef OPENSSL_NO_TLS1_1
5359 if (tst == 1)
5360 return 1;
5361#endif
4f6c7044
MC		 5362 if (is_fips && (tst == 0 || tst == 1))
5363 return 1;
2197d1df
MC		 5364#ifdef OPENSSL_NO_TLS1_2
5365 if (tst == 2)
5366 return 1;
5367#endif
5368#ifdef OPENSSL_NO_TLS1_3
0fb2815b 5369 if (tst >= 3)
2197d1df
MC		 5370 return 1;
5371#endif
5e30f2fd
MC		 5372 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5373 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5374 &sctx, &cctx, cert, privkey)))
2197d1df
MC		 5375 goto end;
5376
a599574b
MC		 5377 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5378 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5379 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
aba03ae5
KR		 5380 if ((protocols[tst] < TLS1_2_VERSION) &&
5381 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
5382 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
5383 goto end;
2197d1df
MC		 5384
5385 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
ea9f6890
TM		 5386 NULL)))
5387 goto end;
5388
5389 /*
5390 * Premature call of SSL_export_keying_material should just fail.
5391 */
5392 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5393 sizeof(ckeymat1), label,
5394 SMALL_LABEL_LEN + 1, context,
5395 sizeof(context) - 1, 1), 0))
5396 goto end;
5397
5398 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5399 SSL_ERROR_NONE)))
2197d1df
MC		 5400 goto end;
5401
0fb2815b
MC		 5402 if (tst == 5) {
5403 /*
5404 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5405 * go over that.
5406 */
5407 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5408 sizeof(ckeymat1), label,
5409 LONG_LABEL_LEN + 1, context,
5410 sizeof(context) - 1, 1), 0))
5411 goto end;
5412
5413 testresult = 1;
5414 goto end;
5415 } else if (tst == 4) {
5416 labellen = LONG_LABEL_LEN;
5417 } else {
5418 labellen = SMALL_LABEL_LEN;
5419 }
5420
2197d1df
MC		 5421 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5422 sizeof(ckeymat1), label,
0fb2815b 5423 labellen, context,
2197d1df
MC		 5424 sizeof(context) - 1, 1), 1)
5425 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5426 sizeof(ckeymat2), label,
0fb2815b 5427 labellen,
2197d1df
MC		 5428 emptycontext,
5429 0, 1), 1)
5430 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5431 sizeof(ckeymat3), label,
0fb2815b 5432 labellen,
2197d1df
MC		 5433 NULL, 0, 0), 1)
5434 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5435 sizeof(skeymat1), label,
0fb2815b 5436 labellen,
2197d1df
MC		 5437 context,
5438 sizeof(context) -1, 1),
5439 1)
5440 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5441 sizeof(skeymat2), label,
0fb2815b 5442 labellen,
2197d1df
MC		 5443 emptycontext,
5444 0, 1), 1)
5445 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5446 sizeof(skeymat3), label,
0fb2815b 5447 labellen,
2197d1df
MC		 5448 NULL, 0, 0), 1)
5449 /*
5450 * Check that both sides created the same key material with the
5451 * same context.
5452 */
5453 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5454 sizeof(skeymat1))
5455 /*
5456 * Check that both sides created the same key material with an
5457 * empty context.
5458 */
5459 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5460 sizeof(skeymat2))
5461 /*
5462 * Check that both sides created the same key material without a
5463 * context.
5464 */
5465 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5466 sizeof(skeymat3))
5467 /* Different contexts should produce different results */
5468 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5469 sizeof(ckeymat2)))
5470 goto end;
5471
5472 /*
5473 * Check that an empty context and no context produce different results in
5474 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5475 */
0fb2815b 5476 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
2197d1df 5477 sizeof(ckeymat3)))
0fb2815b
MC		 5478 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
5479 sizeof(ckeymat3))))
2197d1df
MC		 5480 goto end;
5481
5482 testresult = 1;
5483
5484 end:
5485 SSL_free(serverssl);
5486 SSL_free(clientssl);
5487 SSL_CTX_free(sctx2);
5488 SSL_CTX_free(sctx);
5489 SSL_CTX_free(cctx);
5490
5491 return testresult;
5492}
5493
b38ede80
TT		 5494#ifndef OPENSSL_NO_TLS1_3
5495/*
5496 * Test that SSL_export_keying_material_early() produces expected
5497 * results. There are no test vectors so all we do is test that both
5498 * sides of the communication produce the same results for different
5499 * protocol versions.
5500 */
5501static int test_export_key_mat_early(int idx)
5502{
5503 static const char label[] = "test label";
5504 static const unsigned char context[] = "context";
5505 int testresult = 0;
5506 SSL_CTX *cctx = NULL, *sctx = NULL;
5507 SSL *clientssl = NULL, *serverssl = NULL;
5508 SSL_SESSION *sess = NULL;
5509 const unsigned char *emptycontext = NULL;
5510 unsigned char ckeymat1[80], ckeymat2[80];
5511 unsigned char skeymat1[80], skeymat2[80];
5512 unsigned char buf[1];
5513 size_t readbytes, written;
5514
5515 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
5516 &sess, idx)))
5517 goto end;
5518
5519 /* Here writing 0 length early data is enough. */
5520 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
5521 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
5522 &readbytes),
5523 SSL_READ_EARLY_DATA_ERROR)
5524 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5525 SSL_EARLY_DATA_ACCEPTED))
5526 goto end;
5527
5528 if (!TEST_int_eq(SSL_export_keying_material_early(
5529 clientssl, ckeymat1, sizeof(ckeymat1), label,
5530 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5531 || !TEST_int_eq(SSL_export_keying_material_early(
5532 clientssl, ckeymat2, sizeof(ckeymat2), label,
5533 sizeof(label) - 1, emptycontext, 0), 1)
5534 || !TEST_int_eq(SSL_export_keying_material_early(
5535 serverssl, skeymat1, sizeof(skeymat1), label,
5536 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5537 || !TEST_int_eq(SSL_export_keying_material_early(
5538 serverssl, skeymat2, sizeof(skeymat2), label,
5539 sizeof(label) - 1, emptycontext, 0), 1)
5540 /*
5541 * Check that both sides created the same key material with the
5542 * same context.
5543 */
5544 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5545 sizeof(skeymat1))
5546 /*
5547 * Check that both sides created the same key material with an
5548 * empty context.
5549 */
5550 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5551 sizeof(skeymat2))
5552 /* Different contexts should produce different results */
5553 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5554 sizeof(ckeymat2)))
5555 goto end;
5556
5557 testresult = 1;
5558
5559 end:
c20e3b28 5560 SSL_SESSION_free(sess);
b38ede80
TT		 5561 SSL_SESSION_free(clientpsk);
5562 SSL_SESSION_free(serverpsk);
34ff74eb 5563 clientpsk = serverpsk = NULL;
b38ede80
TT		 5564 SSL_free(serverssl);
5565 SSL_free(clientssl);
5566 SSL_CTX_free(sctx);
5567 SSL_CTX_free(cctx);
5568
5569 return testresult;
5570}
3409a5ff
MC		 5571
5572#define NUM_KEY_UPDATE_MESSAGES 40
5573/*
5574 * Test KeyUpdate.
5575 */
5576static int test_key_update(void)
5577{
5578 SSL_CTX *cctx = NULL, *sctx = NULL;
5579 SSL *clientssl = NULL, *serverssl = NULL;
5580 int testresult = 0, i, j;
5581 char buf[20];
5582 static char *mess = "A test message";
5583
5e30f2fd 5584 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3409a5ff
MC		 5585 TLS_client_method(),
5586 TLS1_3_VERSION,
5587 0,
5588 &sctx, &cctx, cert, privkey))
5589 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5590 NULL, NULL))
5591 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5592 SSL_ERROR_NONE)))
5593 goto end;
5594
5595 for (j = 0; j < 2; j++) {
5596 /* Send lots of KeyUpdate messages */
5597 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
5598 if (!TEST_true(SSL_key_update(clientssl,
5599 (j == 0)
5600 ? SSL_KEY_UPDATE_NOT_REQUESTED
5601 : SSL_KEY_UPDATE_REQUESTED))
5602 || !TEST_true(SSL_do_handshake(clientssl)))
5603 goto end;
5604 }
5605
5606 /* Check that sending and receiving app data is ok */
5607 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
5608 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
5609 strlen(mess)))
5610 goto end;
a77b4dba
MC		 5611
5612 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
5613 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
5614 strlen(mess)))
5615 goto end;
3409a5ff
MC		 5616 }
5617
5618 testresult = 1;
5619
5620 end:
5621 SSL_free(serverssl);
5622 SSL_free(clientssl);
5623 SSL_CTX_free(sctx);
5624 SSL_CTX_free(cctx);
5625
5626 return testresult;
5627}
a77b4dba
MC		 5628
5629/*
5630 * Test we can handle a KeyUpdate (update requested) message while write data
5631 * is pending.
5632 * Test 0: Client sends KeyUpdate while Server is writing
5633 * Test 1: Server sends KeyUpdate while Client is writing
5634 */
5635static int test_key_update_in_write(int tst)
5636{
5637 SSL_CTX *cctx = NULL, *sctx = NULL;
5638 SSL *clientssl = NULL, *serverssl = NULL;
5639 int testresult = 0;
5640 char buf[20];
5641 static char *mess = "A test message";
5642 BIO *bretry = BIO_new(bio_s_always_retry());
5643 BIO *tmp = NULL;
5644 SSL *peerupdate = NULL, *peerwrite = NULL;
5645
5646 if (!TEST_ptr(bretry)
5e30f2fd 5647 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
a77b4dba
MC		 5648 TLS_client_method(),
5649 TLS1_3_VERSION,
5650 0,
5651 &sctx, &cctx, cert, privkey))
5652 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5653 NULL, NULL))
5654 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5655 SSL_ERROR_NONE)))
5656 goto end;
5657
5658 peerupdate = tst == 0 ? clientssl : serverssl;
5659 peerwrite = tst == 0 ? serverssl : clientssl;
5660
5661 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
5662 || !TEST_true(SSL_do_handshake(peerupdate)))
5663 goto end;
5664
5665 /* Swap the writing endpoint's write BIO to force a retry */
5666 tmp = SSL_get_wbio(peerwrite);
5667 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
5668 tmp = NULL;
5669 goto end;
5670 }
5671 SSL_set0_wbio(peerwrite, bretry);
5672 bretry = NULL;
5673
5674 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
5675 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
5676 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
5677 goto end;
5678
5679 /* Reinstate the original writing endpoint's write BIO */
5680 SSL_set0_wbio(peerwrite, tmp);
5681 tmp = NULL;
5682
5683 /* Now read some data - we will read the key update */
5684 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
5685 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
5686 goto end;
5687
5688 /*
5689 * Complete the write we started previously and read it from the other
5690 * endpoint
5691 */
5692 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5693 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5694 goto end;
5695
5696 /* Write more data to ensure we send the KeyUpdate message back */
5697 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5698 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5699 goto end;
5700
5701 testresult = 1;
5702
5703 end:
5704 SSL_free(serverssl);
5705 SSL_free(clientssl);
5706 SSL_CTX_free(sctx);
5707 SSL_CTX_free(cctx);
5708 BIO_free(bretry);
5709 BIO_free(tmp);
5710
5711 return testresult;
5712}
b38ede80
TT		 5713#endif /* OPENSSL_NO_TLS1_3 */
5714
e11b6aa4
MC		 5715static int test_ssl_clear(int idx)
5716{
5717 SSL_CTX *cctx = NULL, *sctx = NULL;
5718 SSL *clientssl = NULL, *serverssl = NULL;
5719 int testresult = 0;
5720
5721#ifdef OPENSSL_NO_TLS1_2
5722 if (idx == 1)
5723 return 1;
5724#endif
5725
5726 /* Create an initial connection */
5e30f2fd
MC		 5727 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5728 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5729 &sctx, &cctx, cert, privkey))
e11b6aa4
MC		 5730 || (idx == 1
5731 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5732 TLS1_2_VERSION)))
5733 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5734 &clientssl, NULL, NULL))
5735 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5736 SSL_ERROR_NONE)))
5737 goto end;
5738
5739 SSL_shutdown(clientssl);
5740 SSL_shutdown(serverssl);
5741 SSL_free(serverssl);
5742 serverssl = NULL;
5743
5744 /* Clear clientssl - we're going to reuse the object */
5745 if (!TEST_true(SSL_clear(clientssl)))
5746 goto end;
5747
5748 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5749 NULL, NULL))
5750 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5751 SSL_ERROR_NONE))
5752 || !TEST_true(SSL_session_reused(clientssl)))
5753 goto end;
5754
5755 SSL_shutdown(clientssl);
5756 SSL_shutdown(serverssl);
5757
5758 testresult = 1;
5759
5760 end:
5761 SSL_free(serverssl);
5762 SSL_free(clientssl);
5763 SSL_CTX_free(sctx);
5764 SSL_CTX_free(cctx);
5765
5766 return testresult;
5767}
5768
cf72c757
F		 5769/* Parse CH and retrieve any MFL extension value if present */
5770static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5771{
5772 long len;
5773 unsigned char *data;
72962d02 5774 PACKET pkt, pkt2, pkt3;
cf72c757
F		 5775 unsigned int MFL_code = 0, type = 0;
5776
5777 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5778 goto end;
5779
72962d02
P		 5780 memset(&pkt, 0, sizeof(pkt));
5781 memset(&pkt2, 0, sizeof(pkt2));
5782 memset(&pkt3, 0, sizeof(pkt3));
5783
cf72c757
F		 5784 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5785 /* Skip the record header */
5786 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5787 /* Skip the handshake message header */
5788 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5789 /* Skip client version and random */
5790 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5791 + SSL3_RANDOM_SIZE))
5792 /* Skip session id */
5793 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5794 /* Skip ciphers */
5795 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5796 /* Skip compression */
5797 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5798 /* Extensions len */
5799 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5800 goto end;
5801
5802 /* Loop through all extensions */
5803 while (PACKET_remaining(&pkt2)) {
5804 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5805 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5806 goto end;
5807
5808 if (type == TLSEXT_TYPE_max_fragment_length) {
5809 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5810 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5811 goto end;
5812
5813 *mfl_codemfl_code = MFL_code;
5814 return 1;
5815 }
5816 }
5817
5818 end:
5819 return 0;
5820}
5821
5822/* Maximum-Fragment-Length TLS extension mode to test */
5823static const unsigned char max_fragment_len_test[] = {
5824 TLSEXT_max_fragment_length_512,
5825 TLSEXT_max_fragment_length_1024,
5826 TLSEXT_max_fragment_length_2048,
5827 TLSEXT_max_fragment_length_4096
5828};
5829
5830static int test_max_fragment_len_ext(int idx_tst)
5831{
5832 SSL_CTX *ctx;
5833 SSL *con = NULL;
5834 int testresult = 0, MFL_mode = 0;
5835 BIO *rbio, *wbio;
5836
d8652be0 5837 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method());
cf72c757
F		 5838 if (!TEST_ptr(ctx))
5839 goto end;
5840
5841 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
5842 ctx, max_fragment_len_test[idx_tst])))
5843 goto end;
5844
5845 con = SSL_new(ctx);
5846 if (!TEST_ptr(con))
5847 goto end;
5848
5849 rbio = BIO_new(BIO_s_mem());
5850 wbio = BIO_new(BIO_s_mem());
5851 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
5852 BIO_free(rbio);
5853 BIO_free(wbio);
5854 goto end;
5855 }
5856
5857 SSL_set_bio(con, rbio, wbio);
5858 SSL_set_connect_state(con);
5859
5860 if (!TEST_int_le(SSL_connect(con), 0)) {
5861 /* This shouldn't succeed because we don't have a server! */
5862 goto end;
5863 }
5864
5865 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
5866 /* no MFL in client hello */
5867 goto end;
5868 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
5869 goto end;
5870
5871 testresult = 1;
5872
5873end:
5874 SSL_free(con);
5875 SSL_CTX_free(ctx);
5876
5877 return testresult;
5878}
5879
9d75dce3
TS		 5880#ifndef OPENSSL_NO_TLS1_3
5881static int test_pha_key_update(void)
5882{
5883 SSL_CTX *cctx = NULL, *sctx = NULL;
5884 SSL *clientssl = NULL, *serverssl = NULL;
5885 int testresult = 0;
5886
5e30f2fd
MC		 5887 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5888 TLS_client_method(), TLS1_VERSION, 0,
9d75dce3
TS		 5889 &sctx, &cctx, cert, privkey)))
5890 return 0;
5891
5892 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
5893 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
5894 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
5895 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
5896 goto end;
5897
e97be718 5898 SSL_CTX_set_post_handshake_auth(cctx, 1);
9d75dce3
TS		 5899
5900 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5901 NULL, NULL)))
5902 goto end;
5903
9d75dce3
TS		 5904 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5905 SSL_ERROR_NONE)))
5906 goto end;
5907
5908 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5909 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5910 goto end;
5911
5912 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
5913 goto end;
5914
5915 /* Start handshake on the server */
5916 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
5917 goto end;
5918
5919 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
5920 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5921 SSL_ERROR_NONE)))
5922 goto end;
5923
5924 SSL_shutdown(clientssl);
5925 SSL_shutdown(serverssl);
5926
5927 testresult = 1;
5928
5929 end:
5930 SSL_free(serverssl);
5931 SSL_free(clientssl);
5932 SSL_CTX_free(sctx);
5933 SSL_CTX_free(cctx);
5934 return testresult;
5935}
5936#endif
5937
76fd7a1d
MC		 5938#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5939
5940static SRP_VBASE *vbase = NULL;
5941
5942static int ssl_srp_cb(SSL *s, int *ad, void *arg)
5943{
5944 int ret = SSL3_AL_FATAL;
5945 char *username;
5946 SRP_user_pwd *user = NULL;
5947
5948 username = SSL_get_srp_username(s);
5949 if (username == NULL) {
5950 *ad = SSL_AD_INTERNAL_ERROR;
5951 goto err;
5952 }
5953
5954 user = SRP_VBASE_get1_by_user(vbase, username);
5955 if (user == NULL) {
5956 *ad = SSL_AD_INTERNAL_ERROR;
5957 goto err;
5958 }
5959
5960 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
5961 user->info) <= 0) {
5962 *ad = SSL_AD_INTERNAL_ERROR;
5963 goto err;
5964 }
5965
5966 ret = 0;
5967
5968 err:
5969 SRP_user_pwd_free(user);
5970 return ret;
5971}
5972
5973static int create_new_vfile(char *userid, char *password, const char *filename)
5974{
5975 char *gNid = NULL;
5976 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
5977 TXT_DB *db = NULL;
5978 int ret = 0;
5979 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
5980 size_t i;
5981
5982 if (!TEST_ptr(dummy) || !TEST_ptr(row))
5983 goto end;
5984
20c00d0a 5985 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
5e30f2fd 5986 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
76fd7a1d
MC		 5987 if (!TEST_ptr(gNid))
5988 goto end;
5989
5990 /*
5991 * The only way to create an empty TXT_DB is to provide a BIO with no data
5992 * in it!
5993 */
5994 db = TXT_DB_read(dummy, DB_NUMBER);
5995 if (!TEST_ptr(db))
5996 goto end;
5997
5998 out = BIO_new_file(filename, "w");
5999 if (!TEST_ptr(out))
6000 goto end;
6001
6002 row[DB_srpid] = OPENSSL_strdup(userid);
6003 row[DB_srptype] = OPENSSL_strdup("V");
6004 row[DB_srpgN] = OPENSSL_strdup(gNid);
6005
6006 if (!TEST_ptr(row[DB_srpid])
6007 || !TEST_ptr(row[DB_srptype])
6008 || !TEST_ptr(row[DB_srpgN])
6009 || !TEST_true(TXT_DB_insert(db, row)))
6010 goto end;
6011
6012 row = NULL;
6013
6014 if (!TXT_DB_write(out, db))
6015 goto end;
6016
6017 ret = 1;
6018 end:
6019 if (row != NULL) {
6020 for (i = 0; i < DB_NUMBER; i++)
6021 OPENSSL_free(row[i]);
6022 }
6023 OPENSSL_free(row);
6024 BIO_free(dummy);
6025 BIO_free(out);
6026 TXT_DB_free(db);
6027
6028 return ret;
6029}
6030
6031static int create_new_vbase(char *userid, char *password)
6032{
6033 BIGNUM *verifier = NULL, *salt = NULL;
6034 const SRP_gN *lgN = NULL;
6035 SRP_user_pwd *user_pwd = NULL;
6036 int ret = 0;
6037
6038 lgN = SRP_get_default_gN(NULL);
6039 if (!TEST_ptr(lgN))
6040 goto end;
6041
20c00d0a 6042 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
5e30f2fd 6043 lgN->N, lgN->g, libctx, NULL)))
76fd7a1d
MC		 6044 goto end;
6045
6046 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
6047 if (!TEST_ptr(user_pwd))
6048 goto end;
6049
6050 user_pwd->N = lgN->N;
6051 user_pwd->g = lgN->g;
6052 user_pwd->id = OPENSSL_strdup(userid);
6053 if (!TEST_ptr(user_pwd->id))
6054 goto end;
6055
6056 user_pwd->v = verifier;
6057 user_pwd->s = salt;
6058 verifier = salt = NULL;
6059
6060 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
6061 goto end;
6062 user_pwd = NULL;
6063
6064 ret = 1;
6065end:
6066 SRP_user_pwd_free(user_pwd);
6067 BN_free(salt);
6068 BN_free(verifier);
6069
6070 return ret;
6071}
6072
6073/*
6074 * SRP tests
6075 *
6076 * Test 0: Simple successful SRP connection, new vbase
6077 * Test 1: Connection failure due to bad password, new vbase
6078 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6079 * Test 3: Connection failure due to bad password, vbase loaded from existing
6080 * file
6081 * Test 4: Simple successful SRP connection, vbase loaded from new file
6082 * Test 5: Connection failure due to bad password, vbase loaded from new file
6083 */
6084static int test_srp(int tst)
6085{
6086 char *userid = "test", *password = "password", *tstsrpfile;
6087 SSL_CTX *cctx = NULL, *sctx = NULL;
6088 SSL *clientssl = NULL, *serverssl = NULL;
6089 int ret, testresult = 0;
6090
6091 vbase = SRP_VBASE_new(NULL);
6092 if (!TEST_ptr(vbase))
6093 goto end;
6094
6095 if (tst == 0 || tst == 1) {
6096 if (!TEST_true(create_new_vbase(userid, password)))
6097 goto end;
6098 } else {
6099 if (tst == 4 || tst == 5) {
6100 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
6101 goto end;
6102 tstsrpfile = tmpfilename;
6103 } else {
6104 tstsrpfile = srpvfile;
6105 }
6106 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
6107 goto end;
6108 }
6109
5e30f2fd
MC		 6110 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6111 TLS_client_method(), TLS1_VERSION, 0,
76fd7a1d
MC		 6112 &sctx, &cctx, cert, privkey)))
6113 goto end;
6114
6115 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
6116 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
6117 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
6118 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
6119 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
6120 goto end;
6121
6122 if (tst % 2 == 1) {
6123 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
6124 goto end;
6125 } else {
6126 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
6127 goto end;
6128 }
6129
6130 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6131 NULL, NULL)))
6132 goto end;
6133
6134 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6135 if (ret) {
6136 if (!TEST_true(tst % 2 == 0))
6137 goto end;
6138 } else {
6139 if (!TEST_true(tst % 2 == 1))
6140 goto end;
6141 }
6142
6143 testresult = 1;
6144
6145 end:
6146 SRP_VBASE_free(vbase);
6147 vbase = NULL;
6148 SSL_free(serverssl);
6149 SSL_free(clientssl);
6150 SSL_CTX_free(sctx);
6151 SSL_CTX_free(cctx);
6152
6153 return testresult;
6154}
6155#endif
6156
5718fe45
MC		 6157static int info_cb_failed = 0;
6158static int info_cb_offset = 0;
6159static int info_cb_this_state = -1;
6160
6161static struct info_cb_states_st {
6162 int where;
6163 const char *statestr;
6164} info_cb_states[][60] = {
6165 {
6166 /* TLSv1.2 server followed by resumption */
6167 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6168 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6169 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
6170 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
6171 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
6172 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6173 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6174 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6175 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
6176 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6177 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
6178 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6179 {SSL_CB_EXIT, NULL}, {0, NULL},
6180 }, {
6181 /* TLSv1.2 client followed by resumption */
6182 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6183 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6184 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
6185 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
6186 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
6187 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6188 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6189 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6190 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6191 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6192 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6193 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
6194 }, {
6195 /* TLSv1.3 server followed by resumption */
6196 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6197 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6198 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
6199 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
6200 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b
MC		 6201 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6202 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6203 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6204 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6205 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6206 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
6207 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6208 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 6209 }, {
6210 /* TLSv1.3 client followed by resumption */
6211 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6212 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6213 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
6214 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
6215 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4af5836b
MC		 6216 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6217 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
6218 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5718fe45
MC		 6219 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6220 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
6221 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6222 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6223 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4af5836b
MC		 6224 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
6225 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 6226 }, {
6227 /* TLSv1.3 server, early_data */
6228 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6229 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6230 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6231 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6232 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6233 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b 6234 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5718fe45
MC		 6235 {SSL_CB_EXIT, NULL}, {0, NULL},
6236 }, {
6237 /* TLSv1.3 client, early_data */
6238 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6239 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
6240 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6241 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6242 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6243 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
6244 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4af5836b
MC		 6245 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6246 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 6247 }, {
6248 {0, NULL},
6249 }
6250};
6251
6252static void sslapi_info_callback(const SSL *s, int where, int ret)
6253{
6254 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
6255
6256 /* We do not ever expect a connection to fail in this test */
6257 if (!TEST_false(ret == 0)) {
6258 info_cb_failed = 1;
6259 return;
6260 }
6261
6262 /*
6263 * Do some sanity checks. We never expect these things to happen in this
6264 * test
6265 */
6266 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
6267 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
6268 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
6269 info_cb_failed = 1;
6270 return;
6271 }
6272
6273 /* Now check we're in the right state */
6274 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
6275 info_cb_failed = 1;
6276 return;
6277 }
6278 if ((where & SSL_CB_LOOP) != 0
6279 && !TEST_int_eq(strcmp(SSL_state_string(s),
6280 state[info_cb_this_state].statestr), 0)) {
6281 info_cb_failed = 1;
6282 return;
6283 }
033c181b 6284
4af5836b
MC		 6285 /*
6286 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
6287 */
6288 if ((where & SSL_CB_HANDSHAKE_DONE)
6289 && SSL_in_init((SSL *)s) != 0) {
033c181b
MC		 6290 info_cb_failed = 1;
6291 return;
6292 }
5718fe45
MC		 6293}
6294
6295/*
6296 * Test the info callback gets called when we expect it to.
6297 *
6298 * Test 0: TLSv1.2, server
6299 * Test 1: TLSv1.2, client
6300 * Test 2: TLSv1.3, server
6301 * Test 3: TLSv1.3, client
6302 * Test 4: TLSv1.3, server, early_data
6303 * Test 5: TLSv1.3, client, early_data
6304 */
6305static int test_info_callback(int tst)
6306{
6307 SSL_CTX *cctx = NULL, *sctx = NULL;
6308 SSL *clientssl = NULL, *serverssl = NULL;
6309 SSL_SESSION *clntsess = NULL;
6310 int testresult = 0;
6311 int tlsvers;
6312
6313 if (tst < 2) {
1aac20f5
MC		 6314/* We need either ECDHE or DHE for the TLSv1.2 test to work */
6315#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
6316 || !defined(OPENSSL_NO_DH))
5718fe45
MC		 6317 tlsvers = TLS1_2_VERSION;
6318#else
6319 return 1;
6320#endif
6321 } else {
6322#ifndef OPENSSL_NO_TLS1_3
6323 tlsvers = TLS1_3_VERSION;
6324#else
6325 return 1;
6326#endif
6327 }
6328
6329 /* Reset globals */
6330 info_cb_failed = 0;
6331 info_cb_this_state = -1;
6332 info_cb_offset = tst;
6333
6e07834c 6334#ifndef OPENSSL_NO_TLS1_3
5718fe45
MC		 6335 if (tst >= 4) {
6336 SSL_SESSION *sess = NULL;
6337 size_t written, readbytes;
6338 unsigned char buf[80];
6339
6340 /* early_data tests */
6341 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
6342 &serverssl, &sess, 0)))
6343 goto end;
6344
6345 /* We don't actually need this reference */
6346 SSL_SESSION_free(sess);
6347
6348 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
6349 sslapi_info_callback);
6350
6351 /* Write and read some early data and then complete the connection */
6352 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
6353 &written))
6354 || !TEST_size_t_eq(written, strlen(MSG1))
6355 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
6356 sizeof(buf), &readbytes),
6357 SSL_READ_EARLY_DATA_SUCCESS)
6358 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
6359 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6360 SSL_EARLY_DATA_ACCEPTED)
6361 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6362 SSL_ERROR_NONE))
6363 || !TEST_false(info_cb_failed))
6364 goto end;
6365
6366 testresult = 1;
6367 goto end;
6368 }
6e07834c 6369#endif
5718fe45 6370
5e30f2fd 6371 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5718fe45
MC		 6372 TLS_client_method(),
6373 tlsvers, tlsvers, &sctx, &cctx, cert,
6374 privkey)))
6375 goto end;
6376
6377 /*
6378 * For even numbered tests we check the server callbacks. For odd numbers we
6379 * check the client.
6380 */
6381 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
6382 sslapi_info_callback);
6383
6384 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6385 &clientssl, NULL, NULL))
6386 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6387 SSL_ERROR_NONE))
6388 || !TEST_false(info_cb_failed))
6389 goto end;
6390
6391
6392
6393 clntsess = SSL_get1_session(clientssl);
6394 SSL_shutdown(clientssl);
6395 SSL_shutdown(serverssl);
6396 SSL_free(serverssl);
6397 SSL_free(clientssl);
6398 serverssl = clientssl = NULL;
6399
6400 /* Now do a resumption */
6401 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6402 NULL))
6403 || !TEST_true(SSL_set_session(clientssl, clntsess))
6404 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6405 SSL_ERROR_NONE))
6406 || !TEST_true(SSL_session_reused(clientssl))
6407 || !TEST_false(info_cb_failed))
6408 goto end;
6409
6410 testresult = 1;
6411
6412 end:
6413 SSL_free(serverssl);
6414 SSL_free(clientssl);
6415 SSL_SESSION_free(clntsess);
6416 SSL_CTX_free(sctx);
6417 SSL_CTX_free(cctx);
6418 return testresult;
6419}
6420
4a432af8
MC		 6421static int test_ssl_pending(int tst)
6422{
6423 SSL_CTX *cctx = NULL, *sctx = NULL;
6424 SSL *clientssl = NULL, *serverssl = NULL;
6425 int testresult = 0;
6426 char msg[] = "A test message";
6427 char buf[5];
6428 size_t written, readbytes;
6429
6430 if (tst == 0) {
5e30f2fd 6431 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4a432af8 6432 TLS_client_method(),
5c587fb6 6433 TLS1_VERSION, 0,
4a432af8
MC		 6434 &sctx, &cctx, cert, privkey)))
6435 goto end;
6436 } else {
6437#ifndef OPENSSL_NO_DTLS
5e30f2fd 6438 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
4a432af8 6439 DTLS_client_method(),
5c587fb6 6440 DTLS1_VERSION, 0,
4a432af8
MC		 6441 &sctx, &cctx, cert, privkey)))
6442 goto end;
6443#else
6444 return 1;
6445#endif
6446 }
6447
6448 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6449 NULL, NULL))
6450 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6451 SSL_ERROR_NONE)))
6452 goto end;
6453
e8251092
MC		 6454 if (!TEST_int_eq(SSL_pending(clientssl), 0)
6455 || !TEST_false(SSL_has_pending(clientssl))
6456 || !TEST_int_eq(SSL_pending(serverssl), 0)
6457 || !TEST_false(SSL_has_pending(serverssl))
6458 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4a432af8
MC		 6459 || !TEST_size_t_eq(written, sizeof(msg))
6460 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
6461 || !TEST_size_t_eq(readbytes, sizeof(buf))
e8251092
MC		 6462 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
6463 || !TEST_true(SSL_has_pending(clientssl)))
4a432af8
MC		 6464 goto end;
6465
6466 testresult = 1;
6467
6468 end:
6469 SSL_free(serverssl);
6470 SSL_free(clientssl);
6471 SSL_CTX_free(sctx);
6472 SSL_CTX_free(cctx);
6473
6474 return testresult;
6475}
6476
e401389a
MC		 6477static struct {
6478 unsigned int maxprot;
6479 const char *clntciphers;
6480 const char *clnttls13ciphers;
6481 const char *srvrciphers;
6482 const char *srvrtls13ciphers;
6483 const char *shared;
a96e6c34 6484 const char *fipsshared;
e401389a 6485} shared_ciphers_data[] = {
60155b9a
MC		 6486/*
6487 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
6488 * TLSv1.3 is enabled but TLSv1.2 is disabled.
6489 */
6490#if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
e401389a
MC		 6491 {
6492 TLS1_2_VERSION,
6493 "AES128-SHA:AES256-SHA",
6494 NULL,
6495 "AES256-SHA:DHE-RSA-AES128-SHA",
6496 NULL,
a96e6c34 6497 "AES256-SHA",
e401389a
MC		 6498 "AES256-SHA"
6499 },
a96e6c34
MC		 6500# if !defined(OPENSSL_NO_CHACHA) \
6501 && !defined(OPENSSL_NO_POLY1305) \
6502 && !defined(OPENSSL_NO_EC)
6503 {
6504 TLS1_2_VERSION,
6505 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6506 NULL,
6507 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6508 NULL,
6509 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6510 "AES128-SHA"
6511 },
6512# endif
e401389a
MC		 6513 {
6514 TLS1_2_VERSION,
6515 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
6516 NULL,
6517 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
6518 NULL,
a96e6c34 6519 "AES128-SHA:AES256-SHA",
e401389a
MC		 6520 "AES128-SHA:AES256-SHA"
6521 },
6522 {
6523 TLS1_2_VERSION,
6524 "AES128-SHA:AES256-SHA",
6525 NULL,
6526 "AES128-SHA:DHE-RSA-AES128-SHA",
6527 NULL,
a96e6c34 6528 "AES128-SHA",
e401389a
MC		 6529 "AES128-SHA"
6530 },
60155b9a
MC		 6531#endif
6532/*
6533 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
6534 * enabled.
6535 */
6536#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
6537 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e401389a
MC		 6538 {
6539 TLS1_3_VERSION,
6540 "AES128-SHA:AES256-SHA",
6541 NULL,
6542 "AES256-SHA:AES128-SHA256",
6543 NULL,
6544 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
a96e6c34
MC		 6545 "TLS_AES_128_GCM_SHA256:AES256-SHA",
6546 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
e401389a 6547 },
60155b9a
MC		 6548#endif
6549#ifndef OPENSSL_NO_TLS1_3
e401389a
MC		 6550 {
6551 TLS1_3_VERSION,
6552 "AES128-SHA",
6553 "TLS_AES_256_GCM_SHA384",
6554 "AES256-SHA",
6555 "TLS_AES_256_GCM_SHA384",
a96e6c34 6556 "TLS_AES_256_GCM_SHA384",
e401389a
MC		 6557 "TLS_AES_256_GCM_SHA384"
6558 },
6559#endif
6560};
6561
a96e6c34 6562static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
e401389a
MC		 6563{
6564 SSL_CTX *cctx = NULL, *sctx = NULL;
6565 SSL *clientssl = NULL, *serverssl = NULL;
6566 int testresult = 0;
6567 char buf[1024];
b4250010 6568 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
a96e6c34
MC		 6569
6570 if (!TEST_ptr(tmplibctx))
6571 goto end;
6572
6573 /*
6574 * Regardless of whether we're testing with the FIPS provider loaded into
6575 * libctx, we want one peer to always use the full set of ciphersuites
6576 * available. Therefore we use a separate libctx with the default provider
6577 * loaded into it. We run the same tests twice - once with the client side
6578 * having the full set of ciphersuites and once with the server side.
6579 */
6580 if (clnt) {
d8652be0 6581 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
a96e6c34
MC		 6582 if (!TEST_ptr(cctx))
6583 goto end;
6584 } else {
d8652be0 6585 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
a96e6c34
MC		 6586 if (!TEST_ptr(sctx))
6587 goto end;
6588 }
e401389a 6589
5e30f2fd 6590 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
e401389a
MC		 6591 TLS_client_method(),
6592 TLS1_VERSION,
6593 shared_ciphers_data[tst].maxprot,
6594 &sctx, &cctx, cert, privkey)))
6595 goto end;
6596
6597 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
6598 shared_ciphers_data[tst].clntciphers))
6599 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
6600 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
6601 shared_ciphers_data[tst].clnttls13ciphers)))
6602 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
6603 shared_ciphers_data[tst].srvrciphers))
6604 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
6605 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
6606 shared_ciphers_data[tst].srvrtls13ciphers))))
6607 goto end;
6608
6609
6610 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6611 NULL, NULL))
6612 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6613 SSL_ERROR_NONE)))
6614 goto end;
6615
6616 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
a96e6c34
MC		 6617 || !TEST_int_eq(strcmp(buf,
6618 is_fips
6619 ? shared_ciphers_data[tst].fipsshared
6620 : shared_ciphers_data[tst].shared),
6621 0)) {
e401389a
MC		 6622 TEST_info("Shared ciphers are: %s\n", buf);
6623 goto end;
6624 }
6625
6626 testresult = 1;
6627
6628 end:
6629 SSL_free(serverssl);
6630 SSL_free(clientssl);
6631 SSL_CTX_free(sctx);
6632 SSL_CTX_free(cctx);
b4250010 6633 OSSL_LIB_CTX_free(tmplibctx);
e401389a
MC		 6634
6635 return testresult;
6636}
6637
a96e6c34
MC		 6638static int test_ssl_get_shared_ciphers(int tst)
6639{
6640 return int_test_ssl_get_shared_ciphers(tst, 0)
6641 && int_test_ssl_get_shared_ciphers(tst, 1);
6642}
6643
6644
d0191fe0 6645static const char *appdata = "Hello World";
61fb5923
MC		 6646static int gen_tick_called, dec_tick_called, tick_key_cb_called;
6647static int tick_key_renew = 0;
6648static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
d0191fe0
MC		 6649
6650static int gen_tick_cb(SSL *s, void *arg)
6651{
6652 gen_tick_called = 1;
6653
6654 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
6655 strlen(appdata));
6656}
6657
6658static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
6659 const unsigned char *keyname,
6660 size_t keyname_length,
61fb5923
MC		 6661 SSL_TICKET_STATUS status,
6662 void *arg)
d0191fe0
MC		 6663{
6664 void *tickdata;
6665 size_t tickdlen;
6666
6667 dec_tick_called = 1;
6668
61fb5923
MC		 6669 if (status == SSL_TICKET_EMPTY)
6670 return SSL_TICKET_RETURN_IGNORE_RENEW;
d0191fe0 6671
61fb5923
MC		 6672 if (!TEST_true(status == SSL_TICKET_SUCCESS
6673 || status == SSL_TICKET_SUCCESS_RENEW))
6674 return SSL_TICKET_RETURN_ABORT;
6675
6676 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
6677 &tickdlen))
d0191fe0
MC		 6678 || !TEST_size_t_eq(tickdlen, strlen(appdata))
6679 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
61fb5923 6680 return SSL_TICKET_RETURN_ABORT;
d0191fe0 6681
61fb5923
MC		 6682 if (tick_key_cb_called) {
6683 /* Don't change what the ticket key callback wanted to do */
6684 switch (status) {
6685 case SSL_TICKET_NO_DECRYPT:
6686 return SSL_TICKET_RETURN_IGNORE_RENEW;
6687
6688 case SSL_TICKET_SUCCESS:
6689 return SSL_TICKET_RETURN_USE;
d0191fe0 6690
61fb5923
MC		 6691 case SSL_TICKET_SUCCESS_RENEW:
6692 return SSL_TICKET_RETURN_USE_RENEW;
6693
6694 default:
6695 return SSL_TICKET_RETURN_ABORT;
6696 }
6697 }
6698 return tick_dec_ret;
6699
6700}
d0191fe0 6701
a76ce286 6702#ifndef OPENSSL_NO_DEPRECATED_3_0
d0191fe0
MC		 6703static int tick_key_cb(SSL *s, unsigned char key_name[16],
6704 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
6705 HMAC_CTX *hctx, int enc)
6706{
6707 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6708 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
5e30f2fd
MC		 6709 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6710 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
6711 int ret;
d0191fe0 6712
61fb5923 6713 tick_key_cb_called = 1;
d0191fe0
MC		 6714 memset(iv, 0, AES_BLOCK_SIZE);
6715 memset(key_name, 0, 16);
5e30f2fd
MC		 6716 if (aes128cbc == NULL
6717 || sha256 == NULL
6718 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6719 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
6720 NULL))
6721 ret = -1;
6722 else
6723 ret = tick_key_renew ? 2 : 1;
d0191fe0 6724
5e30f2fd
MC		 6725 EVP_CIPHER_free(aes128cbc);
6726 EVP_MD_free(sha256);
6727
6728 return ret;
d0191fe0 6729}
a76ce286
P		 6730#endif
6731
6732static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
6733 unsigned char iv[EVP_MAX_IV_LENGTH],
6734 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
6735{
6736 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6737 unsigned char tick_hmac_key[16] = "0123456789abcdef";
6738 OSSL_PARAM params[3];
5e30f2fd
MC		 6739 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6740 int ret;
a76ce286
P		 6741
6742 tick_key_cb_called = 1;
6743 memset(iv, 0, AES_BLOCK_SIZE);
6744 memset(key_name, 0, 16);
6745 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
6746 "SHA256", 0);
6747 params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
6748 tick_hmac_key,
6749 sizeof(tick_hmac_key));
6750 params[2] = OSSL_PARAM_construct_end();
5e30f2fd
MC		 6751 if (aes128cbc == NULL
6752 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
865adf97 6753 || !EVP_MAC_CTX_set_params(hctx, params)
a76ce286 6754 || !EVP_MAC_init(hctx))
5e30f2fd
MC		 6755 ret = -1;
6756 else
6757 ret = tick_key_renew ? 2 : 1;
6758
6759 EVP_CIPHER_free(aes128cbc);
a76ce286 6760
5e30f2fd 6761 return ret;
a76ce286 6762}
d0191fe0
MC		 6763
6764/*
6765 * Test the various ticket callbacks
61fb5923
MC		 6766 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
6767 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
6768 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
6769 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
6770 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
6771 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
6772 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
6773 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
a76ce286
P		 6774 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
6775 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
6776 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
6777 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
6778 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
6779 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
6780 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
6781 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
d0191fe0
MC		 6782 */
6783static int test_ticket_callbacks(int tst)
6784{
6785 SSL_CTX *cctx = NULL, *sctx = NULL;
6786 SSL *clientssl = NULL, *serverssl = NULL;
6787 SSL_SESSION *clntsess = NULL;
6788 int testresult = 0;
6789
6790#ifdef OPENSSL_NO_TLS1_2
ba8b48e9 6791 if (tst % 2 == 0)
d0191fe0
MC		 6792 return 1;
6793#endif
6794#ifdef OPENSSL_NO_TLS1_3
ba8b48e9 6795 if (tst % 2 == 1)
d0191fe0
MC		 6796 return 1;
6797#endif
a76ce286
P		 6798#ifdef OPENSSL_NO_DEPRECATED_3_0
6799 if (tst >= 8 && tst <= 11)
6800 return 1;
6801#endif
d0191fe0 6802
61fb5923 6803 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
d0191fe0
MC		 6804
6805 /* Which tests the ticket key callback should request renewal for */
a76ce286 6806 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
61fb5923 6807 tick_key_renew = 1;
d0191fe0 6808 else
61fb5923
MC		 6809 tick_key_renew = 0;
6810
6811 /* Which tests the decrypt ticket callback should request renewal for */
6812 switch (tst) {
6813 case 0:
6814 case 1:
6815 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6816 break;
6817
6818 case 2:
6819 case 3:
6820 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
6821 break;
6822
6823 case 4:
6824 case 5:
6825 tick_dec_ret = SSL_TICKET_RETURN_USE;
6826 break;
6827
6828 case 6:
6829 case 7:
6830 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
6831 break;
6832
6833 default:
6834 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6835 }
d0191fe0 6836
5e30f2fd 6837 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
d0191fe0
MC		 6838 TLS_client_method(),
6839 TLS1_VERSION,
61fb5923
MC		 6840 ((tst % 2) == 0) ? TLS1_2_VERSION
6841 : TLS1_3_VERSION,
d0191fe0
MC		 6842 &sctx, &cctx, cert, privkey)))
6843 goto end;
6844
61fb5923
MC		 6845 /*
6846 * We only want sessions to resume from tickets - not the session cache. So
6847 * switch the cache off.
6848 */
6849 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
6850 goto end;
6851
d0191fe0
MC		 6852 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
6853 NULL)))
6854 goto end;
6855
a76ce286
P		 6856 if (tst >= 12) {
6857 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
6858 goto end;
6859#ifndef OPENSSL_NO_DEPRECATED_3_0
6860 } else if (tst >= 8) {
6861 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
6862 goto end;
6863#endif
6864 }
d0191fe0
MC		 6865
6866 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6867 NULL, NULL))
6868 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6869 SSL_ERROR_NONE)))
6870 goto end;
6871
61fb5923
MC		 6872 /*
6873 * The decrypt ticket key callback in TLSv1.2 should be called even though
6874 * we have no ticket yet, because it gets called with a status of
6875 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
6876 * actually send any ticket data). This does not happen in TLSv1.3 because
6877 * it is not valid to send empty ticket data in TLSv1.3.
6878 */
d0191fe0 6879 if (!TEST_int_eq(gen_tick_called, 1)
61fb5923 6880 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
d0191fe0
MC		 6881 goto end;
6882
6883 gen_tick_called = dec_tick_called = 0;
6884
6885 clntsess = SSL_get1_session(clientssl);
6886 SSL_shutdown(clientssl);
6887 SSL_shutdown(serverssl);
6888 SSL_free(serverssl);
6889 SSL_free(clientssl);
6890 serverssl = clientssl = NULL;
6891
6892 /* Now do a resumption */
6893 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6894 NULL))
6895 || !TEST_true(SSL_set_session(clientssl, clntsess))
6896 || !TEST_true(create_ssl_connection(serverssl, clientssl,
61fb5923 6897 SSL_ERROR_NONE)))
d0191fe0
MC		 6898 goto end;
6899
61fb5923
MC		 6900 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
6901 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
6902 if (!TEST_false(SSL_session_reused(clientssl)))
6903 goto end;
6904 } else {
6905 if (!TEST_true(SSL_session_reused(clientssl)))
6906 goto end;
6907 }
6908
d0191fe0 6909 if (!TEST_int_eq(gen_tick_called,
61fb5923
MC		 6910 (tick_key_renew
6911 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
6912 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
6913 ? 1 : 0)
d0191fe0
MC		 6914 || !TEST_int_eq(dec_tick_called, 1))
6915 goto end;
6916
6917 testresult = 1;
6918
6919 end:
6920 SSL_SESSION_free(clntsess);
6921 SSL_free(serverssl);
6922 SSL_free(clientssl);
6923 SSL_CTX_free(sctx);
6924 SSL_CTX_free(cctx);
6925
6926 return testresult;
6927}
6928
e638112e
DB		 6929/*
6930 * Test incorrect shutdown.
6931 * Test 0: client does not shutdown properly,
6932 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
6933 * server should get SSL_ERROR_SSL
6934 * Test 1: client does not shutdown properly,
6935 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
6936 * server should get SSL_ERROR_ZERO_RETURN
6937 */
6938static int test_incorrect_shutdown(int tst)
6939{
6940 SSL_CTX *cctx = NULL, *sctx = NULL;
6941 SSL *clientssl = NULL, *serverssl = NULL;
6942 int testresult = 0;
6943 char buf[80];
6944 BIO *c2s;
6945
6946 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6947 TLS_client_method(), 0, 0,
6948 &sctx, &cctx, cert, privkey)))
6949 goto end;
6950
6951 if (tst == 1)
6952 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
6953
6954 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6955 NULL, NULL)))
6956 goto end;
6957
6958 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6959 SSL_ERROR_NONE)))
6960 goto end;
6961
6962 c2s = SSL_get_rbio(serverssl);
6963 BIO_set_mem_eof_return(c2s, 0);
6964
6965 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
6966 goto end;
6967
6968 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
6969 goto end;
6970 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
6971 goto end;
6972
6973 testresult = 1;
6974
6975 end:
6976 SSL_free(serverssl);
6977 SSL_free(clientssl);
6978 SSL_CTX_free(sctx);
6979 SSL_CTX_free(cctx);
6980
6981 return testresult;
6982}
6983
c748834f
MC		 6984/*
6985 * Test bi-directional shutdown.
6986 * Test 0: TLSv1.2
6987 * Test 1: TLSv1.2, server continues to read/write after client shutdown
6988 * Test 2: TLSv1.3, no pending NewSessionTicket messages
6989 * Test 3: TLSv1.3, pending NewSessionTicket messages
80eff008
KR		 6990 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
6991 * sends key update, client reads it
57d7b988
MC		 6992 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
6993 * sends CertificateRequest, client reads and ignores it
6994 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
c748834f
MC		 6995 * doesn't read it
6996 */
6997static int test_shutdown(int tst)
6998{
6999 SSL_CTX *cctx = NULL, *sctx = NULL;
7000 SSL *clientssl = NULL, *serverssl = NULL;
7001 int testresult = 0;
7002 char msg[] = "A test message";
7003 char buf[80];
7004 size_t written, readbytes;
80eff008 7005 SSL_SESSION *sess;
c748834f
MC		 7006
7007#ifdef OPENSSL_NO_TLS1_2
a97d19f7 7008 if (tst <= 1)
c748834f
MC		 7009 return 1;
7010#endif
7011#ifdef OPENSSL_NO_TLS1_3
a97d19f7 7012 if (tst >= 2)
c748834f
MC		 7013 return 1;
7014#endif
7015
5e30f2fd 7016 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
c748834f
MC		 7017 TLS_client_method(),
7018 TLS1_VERSION,
7019 (tst <= 1) ? TLS1_2_VERSION
7020 : TLS1_3_VERSION,
57d7b988
MC		 7021 &sctx, &cctx, cert, privkey)))
7022 goto end;
7023
7024 if (tst == 5)
7025 SSL_CTX_set_post_handshake_auth(cctx, 1);
7026
7027 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
c748834f
MC		 7028 NULL, NULL)))
7029 goto end;
7030
7031 if (tst == 3) {
7032 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
80c455d5 7033 SSL_ERROR_NONE, 1))
80eff008
KR		 7034 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7035 || !TEST_false(SSL_SESSION_is_resumable(sess)))
c748834f
MC		 7036 goto end;
7037 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
80eff008
KR		 7038 SSL_ERROR_NONE))
7039 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7040 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
c748834f
MC		 7041 goto end;
7042 }
7043
7044 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
7045 goto end;
7046
7047 if (tst >= 4) {
7048 /*
7049 * Reading on the server after the client has sent close_notify should
7050 * fail and provide SSL_ERROR_ZERO_RETURN
7051 */
7052 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
7053 || !TEST_int_eq(SSL_get_error(serverssl, 0),
7054 SSL_ERROR_ZERO_RETURN)
7055 || !TEST_int_eq(SSL_get_shutdown(serverssl),
7056 SSL_RECEIVED_SHUTDOWN)
7057 /*
7058 * Even though we're shutdown on receive we should still be
7059 * able to write.
7060 */
80eff008
KR		 7061 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7062 goto end;
57d7b988
MC		 7063 if (tst == 4
7064 && !TEST_true(SSL_key_update(serverssl,
7065 SSL_KEY_UPDATE_REQUESTED)))
7066 goto end;
7067 if (tst == 5) {
7068 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7069 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7070 goto end;
7071 }
7072 if ((tst == 4 || tst == 5)
7073 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
80eff008
KR		 7074 goto end;
7075 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
c748834f 7076 goto end;
57d7b988 7077 if (tst == 4 || tst == 5) {
80eff008 7078 /* Should still be able to read data from server */
c748834f 7079 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
80eff008
KR		 7080 &readbytes))
7081 || !TEST_size_t_eq(readbytes, sizeof(msg))
7082 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
7083 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7084 &readbytes))
c748834f
MC		 7085 || !TEST_size_t_eq(readbytes, sizeof(msg))
7086 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
7087 goto end;
7088 }
7089 }
7090
7091 /* Writing on the client after sending close_notify shouldn't be possible */
ba709049 7092 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
c748834f
MC		 7093 goto end;
7094
7095 if (tst < 4) {
7096 /*
7097 * For these tests the client has sent close_notify but it has not yet
7098 * been received by the server. The server has not sent close_notify
7099 * yet.
7100 */
7101 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
ba709049
MC		 7102 /*
7103 * Writing on the server after sending close_notify shouldn't
7104 * be possible.
7105 */
7106 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
c748834f 7107 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
80eff008
KR		 7108 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7109 || !TEST_true(SSL_SESSION_is_resumable(sess))
c748834f
MC		 7110 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
7111 goto end;
57d7b988 7112 } else if (tst == 4 || tst == 5) {
c748834f
MC		 7113 /*
7114 * In this test the client has sent close_notify and it has been
7115 * received by the server which has responded with a close_notify. The
358ffa05 7116 * client needs to read the close_notify sent by the server.
c748834f 7117 */
80eff008
KR		 7118 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
7119 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7120 || !TEST_true(SSL_SESSION_is_resumable(sess)))
c748834f 7121 goto end;
358ffa05
MC		 7122 } else {
7123 /*
57d7b988 7124 * tst == 6
358ffa05
MC		 7125 *
7126 * The client has sent close_notify and is expecting a close_notify
7127 * back, but instead there is application data first. The shutdown
7128 * should fail with a fatal error.
7129 */
7130 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
7131 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
7132 goto end;
c748834f
MC		 7133 }
7134
7135 testresult = 1;
7136
7137 end:
7138 SSL_free(serverssl);
7139 SSL_free(clientssl);
7140 SSL_CTX_free(sctx);
7141 SSL_CTX_free(cctx);
7142
7143 return testresult;
7144}
7145
7f1d923a 7146#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
cd6fe29f
MC		 7147static int cert_cb_cnt;
7148
7149static int cert_cb(SSL *s, void *arg)
7150{
7151 SSL_CTX *ctx = (SSL_CTX *)arg;
7cb8fb07
BK		 7152 BIO *in = NULL;
7153 EVP_PKEY *pkey = NULL;
1a2a3a42
MC		 7154 X509 *x509 = NULL, *rootx = NULL;
7155 STACK_OF(X509) *chain = NULL;
7156 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
7157 int ret = 0;
cd6fe29f
MC		 7158
7159 if (cert_cb_cnt == 0) {
7160 /* Suspend the handshake */
7161 cert_cb_cnt++;
7162 return -1;
7163 } else if (cert_cb_cnt == 1) {
7164 /*
7165 * Update the SSL_CTX, set the certificate and private key and then
7166 * continue the handshake normally.
7167 */
7168 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
7169 return 0;
7170
7171 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
7172 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
7173 SSL_FILETYPE_PEM))
7174 || !TEST_true(SSL_check_private_key(s)))
7175 return 0;
7176 cert_cb_cnt++;
7177 return 1;
7cb8fb07
BK		 7178 } else if (cert_cb_cnt == 3) {
7179 int rv;
1a2a3a42
MC		 7180
7181 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
7182 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
7183 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
7184 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
7185 goto out;
7186 chain = sk_X509_new_null();
7187 if (!TEST_ptr(chain))
7188 goto out;
7cb8fb07 7189 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
1a2a3a42 7190 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
d8652be0 7191 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
6725682d 7192 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
1a2a3a42
MC		 7193 || !TEST_true(sk_X509_push(chain, rootx)))
7194 goto out;
7195 rootx = NULL;
7196 BIO_free(in);
7197 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7198 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
d8652be0 7199 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
6725682d 7200 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
7cb8fb07
BK		 7201 goto out;
7202 BIO_free(in);
7203 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
1a2a3a42 7204 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
5f2b7db0
RL		 7205 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
7206 NULL, NULL,
7207 libctx, NULL)))
7cb8fb07 7208 goto out;
1a2a3a42 7209 rv = SSL_check_chain(s, x509, pkey, chain);
7cb8fb07
BK		 7210 /*
7211 * If the cert doesn't show as valid here (e.g., because we don't
7212 * have any shared sigalgs), then we will not set it, and there will
7213 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
7214 * will cause tls_choose_sigalgs() to fail the connection.
7215 */
1a2a3a42
MC		 7216 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
7217 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7cb8fb07
BK		 7218 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
7219 goto out;
7220 }
1a2a3a42
MC		 7221
7222 ret = 1;
cd6fe29f
MC		 7223 }
7224
7225 /* Abort the handshake */
7cb8fb07 7226 out:
1a2a3a42
MC		 7227 OPENSSL_free(ecdsacert);
7228 OPENSSL_free(ecdsakey);
7229 OPENSSL_free(rootfile);
7cb8fb07
BK		 7230 BIO_free(in);
7231 EVP_PKEY_free(pkey);
7232 X509_free(x509);
1a2a3a42
MC		 7233 X509_free(rootx);
7234 sk_X509_pop_free(chain, X509_free);
7235 return ret;
cd6fe29f
MC		 7236}
7237
7238/*
7239 * Test the certificate callback.
7240 * Test 0: Callback fails
7241 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
7242 * Test 2: Success - SSL_set_SSL_CTX() in the callback
1a2a3a42
MC		 7243 * Test 3: Success - Call SSL_check_chain from the callback
7244 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
7245 * chain
7246 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
cd6fe29f
MC		 7247 */
7248static int test_cert_cb_int(int prot, int tst)
7249{
7250 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
7251 SSL *clientssl = NULL, *serverssl = NULL;
7252 int testresult = 0, ret;
7253
1a2a3a42
MC		 7254#ifdef OPENSSL_NO_EC
7255 /* We use an EC cert in these tests, so we skip in a no-ec build */
7256 if (tst >= 3)
7257 return 1;
7258#endif
7259
5e30f2fd 7260 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
cd6fe29f
MC		 7261 TLS_client_method(),
7262 TLS1_VERSION,
7263 prot,
7264 &sctx, &cctx, NULL, NULL)))
7265 goto end;
7266
7267 if (tst == 0)
7268 cert_cb_cnt = -1;
1a2a3a42 7269 else if (tst >= 3)
7cb8fb07 7270 cert_cb_cnt = 3;
cd6fe29f
MC		 7271 else
7272 cert_cb_cnt = 0;
1a2a3a42 7273
cd6fe29f
MC		 7274 if (tst == 2)
7275 snictx = SSL_CTX_new(TLS_server_method());
7276 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
7277
7278 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7279 NULL, NULL)))
7280 goto end;
7281
1a2a3a42
MC		 7282 if (tst == 4) {
7283 /*
7284 * We cause SSL_check_chain() to fail by specifying sig_algs that
7285 * the chain doesn't meet (the root uses an RSA cert)
7286 */
7287 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7288 "ecdsa_secp256r1_sha256")))
7289 goto end;
7290 } else if (tst == 5) {
7291 /*
7292 * We cause SSL_check_chain() to fail by specifying sig_algs that
7293 * the ee cert doesn't meet (the ee uses an ECDSA cert)
7294 */
7295 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7296 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
7297 goto end;
7298 }
7299
cd6fe29f 7300 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
1a2a3a42 7301 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7cb8fb07
BK		 7302 || (tst > 0
7303 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
cd6fe29f
MC		 7304 goto end;
7305 }
7306
7307 testresult = 1;
7308
7309 end:
7310 SSL_free(serverssl);
7311 SSL_free(clientssl);
7312 SSL_CTX_free(sctx);
7313 SSL_CTX_free(cctx);
7314 SSL_CTX_free(snictx);
7315
7316 return testresult;
7317}
7f1d923a 7318#endif
cd6fe29f
MC		 7319
7320static int test_cert_cb(int tst)
7321{
7322 int testresult = 1;
7323
7324#ifndef OPENSSL_NO_TLS1_2
7325 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
7326#endif
7f1d923a 7327#ifndef OPENSSL_NO_TLS1_3
cd6fe29f
MC		 7328 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
7329#endif
7330
7331 return testresult;
7332}
7333
6e46c065
MC		 7334static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
7335{
8c2bfd25 7336 X509 *xcert;
6e46c065
MC		 7337 EVP_PKEY *privpkey;
7338 BIO *in = NULL;
6725682d 7339 BIO *priv_in = NULL;
6e46c065 7340
8c2bfd25
TS		 7341 /* Check that SSL_get0_peer_certificate() returns something sensible */
7342 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
6e46c065 7343 return 0;
6e46c065
MC		 7344
7345 in = BIO_new_file(cert, "r");
7346 if (!TEST_ptr(in))
7347 return 0;
7348
d8652be0 7349 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
6725682d
SL		 7350 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
7351 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
5f2b7db0
RL		 7352 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
7353 NULL, NULL,
7354 libctx, NULL)))
6725682d 7355 goto err;
6e46c065
MC		 7356
7357 *x509 = xcert;
7358 *pkey = privpkey;
7359
6725682d
SL		 7360 BIO_free(in);
7361 BIO_free(priv_in);
6e46c065 7362 return 1;
6725682d
SL		 7363err:
7364 X509_free(xcert);
7365 BIO_free(in);
7366 BIO_free(priv_in);
7367 return 0;
6e46c065
MC		 7368}
7369
7370static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
7371{
7372 return 1;
7373}
7374
7375static int test_client_cert_cb(int tst)
7376{
7377 SSL_CTX *cctx = NULL, *sctx = NULL;
7378 SSL *clientssl = NULL, *serverssl = NULL;
7379 int testresult = 0;
7380
7381#ifdef OPENSSL_NO_TLS1_2
7382 if (tst == 0)
7383 return 1;
7384#endif
7385#ifdef OPENSSL_NO_TLS1_3
7386 if (tst == 1)
7387 return 1;
7388#endif
7389
5e30f2fd 7390 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6e46c065
MC		 7391 TLS_client_method(),
7392 TLS1_VERSION,
7393 tst == 0 ? TLS1_2_VERSION
7394 : TLS1_3_VERSION,
7395 &sctx, &cctx, cert, privkey)))
7396 goto end;
7397
7398 /*
7399 * Test that setting a client_cert_cb results in a client certificate being
7400 * sent.
7401 */
7402 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
7403 SSL_CTX_set_verify(sctx,
7404 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
7405 verify_cb);
fb8c8359
MC		 7406
7407 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7408 NULL, NULL))
7409 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7410 SSL_ERROR_NONE)))
7411 goto end;
7412
7413 testresult = 1;
7414
7415 end:
7416 SSL_free(serverssl);
7417 SSL_free(clientssl);
7418 SSL_CTX_free(sctx);
7419 SSL_CTX_free(cctx);
7420
7421 return testresult;
7422}
7423
7424#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
7425/*
7426 * Test setting certificate authorities on both client and server.
7427 *
7428 * Test 0: SSL_CTX_set0_CA_list() only
7429 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
7430 * Test 2: Only SSL_CTX_set_client_CA_list()
7431 */
7432static int test_ca_names_int(int prot, int tst)
7433{
7434 SSL_CTX *cctx = NULL, *sctx = NULL;
7435 SSL *clientssl = NULL, *serverssl = NULL;
7436 int testresult = 0;
7437 size_t i;
7438 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
7439 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
7440 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
7441 const STACK_OF(X509_NAME) *sktmp = NULL;
7442
7443 for (i = 0; i < OSSL_NELEM(name); i++) {
7444 name[i] = X509_NAME_new();
7445 if (!TEST_ptr(name[i])
7446 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
7447 MBSTRING_ASC,
7448 (unsigned char *)
7449 strnames[i],
7450 -1, -1, 0)))
7451 goto end;
7452 }
7453
5e30f2fd 7454 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fb8c8359
MC		 7455 TLS_client_method(),
7456 TLS1_VERSION,
7457 prot,
7458 &sctx, &cctx, cert, privkey)))
7459 goto end;
7460
7461 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
7462
7463 if (tst == 0 || tst == 1) {
7464 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7465 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
7466 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
7467 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7468 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
7469 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
7470 goto end;
7471
7472 SSL_CTX_set0_CA_list(sctx, sk1);
7473 SSL_CTX_set0_CA_list(cctx, sk2);
7474 sk1 = sk2 = NULL;
7475 }
7476 if (tst == 1 || tst == 2) {
7477 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7478 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
7479 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
7480 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7481 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
7482 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
7483 goto end;
7484
7485 SSL_CTX_set_client_CA_list(sctx, sk1);
7486 SSL_CTX_set_client_CA_list(cctx, sk2);
7487 sk1 = sk2 = NULL;
7488 }
7489
6e46c065
MC		 7490 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7491 NULL, NULL))
7492 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7493 SSL_ERROR_NONE)))
7494 goto end;
7495
fb8c8359
MC		 7496 /*
7497 * We only expect certificate authorities to have been sent to the server
7498 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
7499 */
7500 sktmp = SSL_get0_peer_CA_list(serverssl);
7501 if (prot == TLS1_3_VERSION
7502 && (tst == 0 || tst == 1)) {
7503 if (!TEST_ptr(sktmp)
7504 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7505 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7506 name[0]), 0)
7507 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7508 name[1]), 0))
7509 goto end;
7510 } else if (!TEST_ptr_null(sktmp)) {
7511 goto end;
7512 }
7513
7514 /*
7515 * In all tests we expect certificate authorities to have been sent to the
7516 * client. However, SSL_set_client_CA_list() should override
7517 * SSL_set0_CA_list()
7518 */
7519 sktmp = SSL_get0_peer_CA_list(clientssl);
7520 if (!TEST_ptr(sktmp)
7521 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7522 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7523 name[tst == 0 ? 0 : 2]), 0)
7524 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7525 name[tst == 0 ? 1 : 3]), 0))
7526 goto end;
7527
6e46c065
MC		 7528 testresult = 1;
7529
7530 end:
7531 SSL_free(serverssl);
7532 SSL_free(clientssl);
7533 SSL_CTX_free(sctx);
7534 SSL_CTX_free(cctx);
fb8c8359
MC		 7535 for (i = 0; i < OSSL_NELEM(name); i++)
7536 X509_NAME_free(name[i]);
7537 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
7538 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
7539
7540 return testresult;
7541}
7542#endif
7543
7544static int test_ca_names(int tst)
7545{
7546 int testresult = 1;
7547
7548#ifndef OPENSSL_NO_TLS1_2
7549 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
7550#endif
7551#ifndef OPENSSL_NO_TLS1_3
7552 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
7553#endif
6e46c065
MC		 7554
7555 return testresult;
7556}
7557
0d2bfe52
SL		 7558#ifndef OPENSSL_NO_TLS1_2
7559static const char *multiblock_cipherlist_data[]=
7560{
7561 "AES128-SHA",
7562 "AES128-SHA256",
7563 "AES256-SHA",
7564 "AES256-SHA256",
7565};
7566
7567/* Reduce the fragment size - so the multiblock test buffer can be small */
7568# define MULTIBLOCK_FRAGSIZE 512
7569
7570static int test_multiblock_write(int test_index)
7571{
7572 static const char *fetchable_ciphers[]=
7573 {
7574 "AES-128-CBC-HMAC-SHA1",
7575 "AES-128-CBC-HMAC-SHA256",
7576 "AES-256-CBC-HMAC-SHA1",
7577 "AES-256-CBC-HMAC-SHA256"
7578 };
7579 const char *cipherlist = multiblock_cipherlist_data[test_index];
7580 const SSL_METHOD *smeth = TLS_server_method();
7581 const SSL_METHOD *cmeth = TLS_client_method();
7582 int min_version = TLS1_VERSION;
7583 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
7584 SSL_CTX *cctx = NULL, *sctx = NULL;
7585 SSL *clientssl = NULL, *serverssl = NULL;
7586 int testresult = 0;
7587
7588 /*
7589 * Choose a buffer large enough to perform a multi-block operation
7590 * i.e: write_len >= 4 * frag_size
7591 * 9 * is chosen so that multiple multiblocks are used + some leftover.
7592 */
7593 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
7594 unsigned char buf[sizeof(msg)], *p = buf;
7595 size_t readbytes, written, len;
7596 EVP_CIPHER *ciph = NULL;
7597
7598 /*
7599 * Check if the cipher exists before attempting to use it since it only has
7600 * a hardware specific implementation.
7601 */
7602 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
7603 if (ciph == NULL) {
7604 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
7605 return 1;
7606 }
7607 EVP_CIPHER_free(ciph);
7608
7609 /* Set up a buffer with some data that will be sent to the client */
7610 RAND_bytes(msg, sizeof(msg));
7611
5e30f2fd
MC		 7612 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
7613 max_version, &sctx, &cctx, cert,
7614 privkey)))
0d2bfe52
SL		 7615 goto end;
7616
7617 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
7618 goto end;
7619
7620 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7621 NULL, NULL)))
7622 goto end;
7623
7624 /* settings to force it to use AES-CBC-HMAC_SHA */
7625 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
7626 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
7627 goto end;
7628
7629 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7630 goto end;
7631
7632 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7633 || !TEST_size_t_eq(written, sizeof(msg)))
7634 goto end;
7635
7636 len = written;
7637 while (len > 0) {
7638 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
7639 goto end;
7640 p += readbytes;
7641 len -= readbytes;
7642 }
7643 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
7644 goto end;
7645
7646 testresult = 1;
7647end:
7648 SSL_free(serverssl);
7649 SSL_free(clientssl);
7650 SSL_CTX_free(sctx);
7651 SSL_CTX_free(cctx);
7652
7653 return testresult;
7654}
7655#endif /* OPENSSL_NO_TLS1_2 */
a43ce58f 7656
49ef3d07
MC		 7657/*
7658 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
7659 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
7660 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
7661 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
7662 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
7663 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
7664 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
7665 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
7666 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
7667 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
7668 */
7669static int test_servername(int tst)
7670{
7671 SSL_CTX *cctx = NULL, *sctx = NULL;
7672 SSL *clientssl = NULL, *serverssl = NULL;
7673 int testresult = 0;
7674 SSL_SESSION *sess = NULL;
7675 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
7676
7677#ifdef OPENSSL_NO_TLS1_2
7678 if (tst <= 4)
7679 return 1;
7680#endif
7681#ifdef OPENSSL_NO_TLS1_3
7682 if (tst >= 5)
7683 return 1;
7684#endif
7685
5e30f2fd 7686 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
49ef3d07
MC		 7687 TLS_client_method(),
7688 TLS1_VERSION,
7689 (tst <= 4) ? TLS1_2_VERSION
7690 : TLS1_3_VERSION,
7691 &sctx, &cctx, cert, privkey))
7692 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7693 NULL, NULL)))
7694 goto end;
7695
7696 if (tst != 1 && tst != 6) {
7697 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
7698 hostname_cb)))
7699 goto end;
7700 }
7701
7702 if (tst != 3 && tst != 8) {
7703 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7704 goto end;
7705 sexpectedhost = cexpectedhost = "goodhost";
7706 }
7707
7708 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7709 goto end;
7710
7711 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
7712 cexpectedhost)
7713 || !TEST_str_eq(SSL_get_servername(serverssl,
7714 TLSEXT_NAMETYPE_host_name),
7715 sexpectedhost))
7716 goto end;
7717
7718 /* Now repeat with a resumption handshake */
7719
7720 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
7721 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
7722 || !TEST_true(SSL_SESSION_is_resumable(sess))
7723 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
7724 goto end;
7725
7726 SSL_free(clientssl);
7727 SSL_free(serverssl);
7728 clientssl = serverssl = NULL;
7729
7730 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7731 NULL)))
7732 goto end;
7733
7734 if (!TEST_true(SSL_set_session(clientssl, sess)))
7735 goto end;
7736
7737 sexpectedhost = cexpectedhost = "goodhost";
7738 if (tst == 2 || tst == 7) {
7739 /* Set an inconsistent hostname */
7740 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
7741 goto end;
7742 /*
7743 * In TLSv1.2 we expect the hostname from the original handshake, in
7744 * TLSv1.3 we expect the hostname from this handshake
7745 */
7746 if (tst == 7)
7747 sexpectedhost = cexpectedhost = "altgoodhost";
7748
7749 if (!TEST_str_eq(SSL_get_servername(clientssl,
7750 TLSEXT_NAMETYPE_host_name),
7751 "altgoodhost"))
7752 goto end;
7753 } else if (tst == 4 || tst == 9) {
7754 /*
7755 * A TLSv1.3 session does not associate a session with a servername,
7756 * but a TLSv1.2 session does.
7757 */
7758 if (tst == 9)
7759 sexpectedhost = cexpectedhost = NULL;
7760
7761 if (!TEST_str_eq(SSL_get_servername(clientssl,
7762 TLSEXT_NAMETYPE_host_name),
7763 cexpectedhost))
7764 goto end;
7765 } else {
7766 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7767 goto end;
7768 /*
7769 * In a TLSv1.2 resumption where the hostname was not acknowledged
7770 * we expect the hostname on the server to be empty. On the client we
7771 * return what was requested in this case.
7772 *
7773 * Similarly if the client didn't set a hostname on an original TLSv1.2
7774 * session but is now, the server hostname will be empty, but the client
7775 * is as we set it.
7776 */
7777 if (tst == 1 || tst == 3)
7778 sexpectedhost = NULL;
7779
7780 if (!TEST_str_eq(SSL_get_servername(clientssl,
7781 TLSEXT_NAMETYPE_host_name),
7782 "goodhost"))
7783 goto end;
7784 }
7785
7786 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7787 goto end;
7788
7789 if (!TEST_true(SSL_session_reused(clientssl))
7790 || !TEST_true(SSL_session_reused(serverssl))
7791 || !TEST_str_eq(SSL_get_servername(clientssl,
7792 TLSEXT_NAMETYPE_host_name),
7793 cexpectedhost)
7794 || !TEST_str_eq(SSL_get_servername(serverssl,
7795 TLSEXT_NAMETYPE_host_name),
7796 sexpectedhost))
7797 goto end;
7798
7799 testresult = 1;
7800
7801 end:
7802 SSL_SESSION_free(sess);
7803 SSL_free(serverssl);
7804 SSL_free(clientssl);
7805 SSL_CTX_free(sctx);
7806 SSL_CTX_free(cctx);
7807
7808 return testresult;
7809}
7810
b3842539
MC		 7811#ifndef OPENSSL_NO_EC
7812/*
7813 * Test that if signature algorithms are not available, then we do not offer or
7814 * accept them.
7815 * Test 0: Two RSA sig algs available: both RSA sig algs shared
7816 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
7817 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
7818 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
7819 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
7820 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
7821 */
7822static int test_sigalgs_available(int idx)
7823{
7824 SSL_CTX *cctx = NULL, *sctx = NULL;
7825 SSL *clientssl = NULL, *serverssl = NULL;
7826 int testresult = 0;
b4250010
DMSP		 7827 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
7828 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
b3842539
MC		 7829 OSSL_PROVIDER *filterprov = NULL;
7830 int sig, hash;
7831
7832 if (!TEST_ptr(tmpctx))
7833 goto end;
7834
7835 if (idx != 0 && idx != 3) {
7836 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
7837 filter_provider_init)))
7838 goto end;
7839
7840 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
7841 if (!TEST_ptr(filterprov))
7842 goto end;
7843
7844 if (idx < 3) {
7845 /*
7846 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
7847 * or accepted for the peer that uses this libctx. Note that libssl
7848 * *requires* SHA2-256 to be available so we cannot disable that. We
7849 * also need SHA1 for our certificate.
7850 */
7851 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
7852 "SHA2-256:SHA1")))
7853 goto end;
7854 } else {
7855 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
7856 "ECDSA"))
7857 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
7858 "EC:X25519:X448")))
7859 goto end;
7860 }
7861
7862 if (idx == 1 || idx == 4)
7863 clientctx = tmpctx;
7864 else
7865 serverctx = tmpctx;
7866 }
7867
d8652be0
MC		 7868 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
7869 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9d2d857f
MC		 7870 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
7871 goto end;
b3842539
MC		 7872
7873 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7874 TLS_client_method(),
7875 TLS1_VERSION,
7876 0,
7877 &sctx, &cctx, cert, privkey)))
7878 goto end;
7879
7880 if (idx < 3) {
7881 if (!SSL_CTX_set1_sigalgs_list(cctx,
7882 "rsa_pss_rsae_sha384"
7883 ":rsa_pss_rsae_sha256")
7884 || !SSL_CTX_set1_sigalgs_list(sctx,
7885 "rsa_pss_rsae_sha384"
7886 ":rsa_pss_rsae_sha256"))
7887 goto end;
7888 } else {
7889 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
7890 || !SSL_CTX_set1_sigalgs_list(sctx,
7891 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
7892 goto end;
7893 }
7894
7895 if (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
7896 SSL_FILETYPE_PEM), 1)
7897 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
7898 privkey2,
7899 SSL_FILETYPE_PEM), 1)
7900 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
7901 goto end;
7902
7903 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7904 NULL, NULL)))
7905 goto end;
7906
7907 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7908 goto end;
7909
7910 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
7911 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
7912 NULL, NULL),
7913 (idx == 0 || idx == 3) ? 2 : 1))
7914 goto end;
7915
7916 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
7917 goto end;
7918
7919 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
7920 : NID_rsassaPss))
7921 goto end;
7922
7923 testresult = 1;
7924
7925 end:
7926 SSL_free(serverssl);
7927 SSL_free(clientssl);
7928 SSL_CTX_free(sctx);
7929 SSL_CTX_free(cctx);
7930 OSSL_PROVIDER_unload(filterprov);
b4250010 7931 OSSL_LIB_CTX_free(tmpctx);
b3842539
MC		 7932
7933 return testresult;
7934}
7935#endif /* OPENSSL_NO_EC */
7936
0c13cdf8 7937#ifndef OPENSSL_NO_TLS1_3
c8e3a4c6 7938static int test_pluggable_group(int idx)
0c13cdf8
MC		 7939{
7940 SSL_CTX *cctx = NULL, *sctx = NULL;
7941 SSL *clientssl = NULL, *serverssl = NULL;
7942 int testresult = 0;
7943 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
146aebc6
MC		 7944 /* Check that we are not impacted by a provider without any groups */
7945 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
c8e3a4c6 7946 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
0c13cdf8 7947
146aebc6 7948 if (!TEST_ptr(tlsprov) || !TEST_ptr(legacyprov))
0c13cdf8
MC		 7949 goto end;
7950
7951 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7952 TLS_client_method(),
7953 TLS1_3_VERSION,
7954 TLS1_3_VERSION,
7955 &sctx, &cctx, cert, privkey))
7956 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7957 NULL, NULL)))
7958 goto end;
7959
c8e3a4c6
NT		 7960 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
7961 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
0c13cdf8
MC		 7962 goto end;
7963
7964 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7965 goto end;
7966
7967 testresult = 1;
7968
7969 end:
7970 SSL_free(serverssl);
7971 SSL_free(clientssl);
7972 SSL_CTX_free(sctx);
7973 SSL_CTX_free(cctx);
7974 OSSL_PROVIDER_unload(tlsprov);
146aebc6 7975 OSSL_PROVIDER_unload(legacyprov);
0c13cdf8
MC		 7976
7977 return testresult;
7978}
7979#endif
b3842539 7980
49a36a52
MC		 7981#ifndef OPENSSL_NO_TLS1_2
7982static int test_ssl_dup(void)
7983{
7984 SSL_CTX *cctx = NULL, *sctx = NULL;
7985 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
7986 int testresult = 0;
7987 BIO *rbio = NULL, *wbio = NULL;
7988
7989 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7990 TLS_client_method(),
7991 0,
7992 0,
7993 &sctx, &cctx, cert, privkey)))
7994 goto end;
7995
7996 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7997 NULL, NULL)))
7998 goto end;
7999
8000 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
8001 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
8002 goto end;
8003
8004 client2ssl = SSL_dup(clientssl);
8005 rbio = SSL_get_rbio(clientssl);
8006 if (!TEST_ptr(rbio)
8007 || !TEST_true(BIO_up_ref(rbio)))
8008 goto end;
8009 SSL_set0_rbio(client2ssl, rbio);
8010 rbio = NULL;
8011
8012 wbio = SSL_get_wbio(clientssl);
8013 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
8014 goto end;
8015 SSL_set0_wbio(client2ssl, wbio);
8016 rbio = NULL;
8017
8018 if (!TEST_ptr(client2ssl)
8019 /* Handshake not started so pointers should be different */
8020 || !TEST_ptr_ne(clientssl, client2ssl))
8021 goto end;
8022
8023 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
8024 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
8025 goto end;
8026
8027 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
8028 goto end;
8029
8030 SSL_free(clientssl);
8031 clientssl = SSL_dup(client2ssl);
8032 if (!TEST_ptr(clientssl)
8033 /* Handshake has finished so pointers should be the same */
8034 || !TEST_ptr_eq(clientssl, client2ssl))
8035 goto end;
8036
8037 testresult = 1;
8038
8039 end:
8040 SSL_free(serverssl);
8041 SSL_free(clientssl);
8042 SSL_free(client2ssl);
8043 SSL_CTX_free(sctx);
8044 SSL_CTX_free(cctx);
8045
8046 return testresult;
8047}
8048#endif
8049
5e30f2fd 8050OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
a43ce58f 8051
ad887416 8052int setup_tests(void)
2cb4b5f6 8053{
5e30f2fd
MC		 8054 char *modulename;
8055 char *configfile;
8056
b4250010 8057 libctx = OSSL_LIB_CTX_new();
5e30f2fd
MC		 8058 if (!TEST_ptr(libctx))
8059 return 0;
8060
8061 defctxnull = OSSL_PROVIDER_load(NULL, "null");
8062
8063 /*
8064 * Verify that the default and fips providers in the default libctx are not
8065 * available
8066 */
8067 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
8068 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
8069 return 0;
8070
8d242823
MC		 8071 if (!test_skip_common_options()) {
8072 TEST_error("Error parsing test options\n");
8073 return 0;
8074 }
8075
1a2a3a42
MC		 8076 if (!TEST_ptr(certsdir = test_get_argument(0))
8077 || !TEST_ptr(srpvfile = test_get_argument(1))
5e30f2fd
MC		 8078 || !TEST_ptr(tmpfilename = test_get_argument(2))
8079 || !TEST_ptr(modulename = test_get_argument(3))
8080 || !TEST_ptr(configfile = test_get_argument(4)))
8081 return 0;
8082
b4250010 8083 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
5e30f2fd
MC		 8084 return 0;
8085
8086 /* Check we have the expected provider available */
8087 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
8088 return 0;
8089
8090 /* Check the default provider is not available */
8091 if (strcmp(modulename, "default") != 0
8092 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
710756a9 8093 return 0;
2cb4b5f6 8094
4f6c7044
MC		 8095 if (strcmp(modulename, "fips") == 0)
8096 is_fips = 1;
8097
0c13cdf8
MC		 8098 /*
8099 * We add, but don't load the test "tls-provider". We'll load it when we
8100 * need it.
8101 */
8102 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
8103 tls_provider_init)))
8104 return 0;
8105
8106
f297e4ec
RS		 8107 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
8108#ifdef OPENSSL_NO_CRYPTO_MDEBUG
8109 TEST_error("not supported in this build");
8110 return 0;
8111#else
8112 int i, mcount, rcount, fcount;
8113
8114 for (i = 0; i < 4; i++)
8115 test_export_key_mat(i);
8116 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
8117 test_printf_stdout("malloc %d realloc %d free %d\n",
8118 mcount, rcount, fcount);
8119 return 1;
8120#endif
8121 }
8122
1a2a3a42
MC		 8123 cert = test_mk_file_path(certsdir, "servercert.pem");
8124 if (cert == NULL)
b3842539 8125 goto err;
1a2a3a42
MC		 8126
8127 privkey = test_mk_file_path(certsdir, "serverkey.pem");
b3842539
MC		 8128 if (privkey == NULL)
8129 goto err;
8130
8131 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8132 if (cert2 == NULL)
8133 goto err;
8134
8135 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8136 if (privkey2 == NULL)
8137 goto err;
1a2a3a42 8138
da4db160 8139#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
c8e3a4c6 8140# if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
da4db160
VF		 8141 ADD_ALL_TESTS(test_ktls, 32);
8142 ADD_ALL_TESTS(test_ktls_sendfile_anytls, 6);
c8e3a4c6 8143# endif
fe5d9450 8144#endif
84d5549e 8145 ADD_TEST(test_large_message_tls);
7856332e 8146 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 8147#ifndef OPENSSL_NO_DTLS
84d5549e 8148 ADD_TEST(test_large_message_dtls);
55386bef 8149#endif
163b8016 8150 ADD_TEST(test_cleanse_plaintext);
8f8c11d8 8151#ifndef OPENSSL_NO_OCSP
c887104f 8152 ADD_TEST(test_tlsext_status_type);
8f8c11d8 8153#endif
eaa776da
MC		 8154 ADD_TEST(test_session_with_only_int_cache);
8155 ADD_TEST(test_session_with_only_ext_cache);
8156 ADD_TEST(test_session_with_both_cache);
90fc2c26 8157 ADD_TEST(test_session_wo_ca_names);
36ff232c 8158#ifndef OPENSSL_NO_TLS1_3
04d7814a
MC		 8159 ADD_ALL_TESTS(test_stateful_tickets, 3);
8160 ADD_ALL_TESTS(test_stateless_tickets, 3);
8614a4eb 8161 ADD_TEST(test_psk_tickets);
f0049b86 8162 ADD_ALL_TESTS(test_extra_tickets, 6);
36ff232c 8163#endif
7fb4c820 8164 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 8165 ADD_TEST(test_ssl_bio_pop_next_bio);
8166 ADD_TEST(test_ssl_bio_pop_ssl_bio);
8167 ADD_TEST(test_ssl_bio_change_rbio);
8168 ADD_TEST(test_ssl_bio_change_wbio);
c423ecaa 8169#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae 8170 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 8171 ADD_TEST(test_keylog);
c423ecaa 8172#endif
6acdd3e5
CB		 8173#ifndef OPENSSL_NO_TLS1_3
8174 ADD_TEST(test_keylog_no_master_key);
8175#endif
e9ee6536 8176#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 8177 ADD_TEST(test_client_hello_cb);
088dfa13 8178 ADD_TEST(test_no_ems);
3cd14e5e 8179 ADD_TEST(test_ccs_change_cipher);
5f982038
MC		 8180#endif
8181#ifndef OPENSSL_NO_TLS1_3
02a3ed5a 8182 ADD_ALL_TESTS(test_early_data_read_write, 3);
78fb5374
MC		 8183 /*
8184 * We don't do replay tests for external PSK. Replay protection isn't used
8185 * in that scenario.
8186 */
8187 ADD_ALL_TESTS(test_early_data_replay, 2);
02a3ed5a
MC		 8188 ADD_ALL_TESTS(test_early_data_skip, 3);
8189 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
0efa0ba4 8190 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
0d1b7789 8191 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
02a3ed5a 8192 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 8193 ADD_ALL_TESTS(test_early_data_psk, 8);
0b2b0be9 8194 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
02a3ed5a 8195 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 8196# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 8197 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 8198# endif
e9ee6536 8199#endif
a273157a 8200#ifndef OPENSSL_NO_TLS1_3
034cb87b 8201 ADD_ALL_TESTS(test_set_ciphersuite, 10);
ca0413ae 8202 ADD_TEST(test_ciphersuite_change);
5bf2eade 8203 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
8204# ifdef OPENSSL_NO_PSK
c2b290c3 8205 ADD_ALL_TESTS(test_tls13_psk, 1);
5bf2eade 8206# else
0d8da779 8207 ADD_ALL_TESTS(test_tls13_psk, 4);
5bf2eade 8208# endif /* OPENSSL_NO_PSK */
8209# ifndef OPENSSL_NO_TLS1_2
8210 /* Test with both TLSv1.3 and 1.2 versions */
db26ec80 8211 ADD_ALL_TESTS(test_key_exchange, 14);
5bf2eade 8212# else
8213 /* Test with only TLSv1.3 versions */
8214 ADD_ALL_TESTS(test_key_exchange, 12);
8215# endif
bb01ef3f 8216 ADD_ALL_TESTS(test_custom_exts, 5);
c7b8ff25 8217 ADD_TEST(test_stateless);
9d75dce3 8218 ADD_TEST(test_pha_key_update);
a273157a 8219#else
bb01ef3f 8220 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 8221#endif
16afd71c 8222 ADD_ALL_TESTS(test_serverinfo, 8);
0fb2815b 8223 ADD_ALL_TESTS(test_export_key_mat, 6);
b38ede80
TT		 8224#ifndef OPENSSL_NO_TLS1_3
8225 ADD_ALL_TESTS(test_export_key_mat_early, 3);
3409a5ff 8226 ADD_TEST(test_key_update);
a77b4dba 8227 ADD_ALL_TESTS(test_key_update_in_write, 2);
b38ede80 8228#endif
e11b6aa4 8229 ADD_ALL_TESTS(test_ssl_clear, 2);
cf72c757 8230 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
76fd7a1d
MC		 8231#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
8232 ADD_ALL_TESTS(test_srp, 6);
8233#endif
5718fe45 8234 ADD_ALL_TESTS(test_info_callback, 6);
4a432af8 8235 ADD_ALL_TESTS(test_ssl_pending, 2);
e401389a 8236 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
a76ce286 8237 ADD_ALL_TESTS(test_ticket_callbacks, 16);
57d7b988 8238 ADD_ALL_TESTS(test_shutdown, 7);
e638112e 8239 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
1a2a3a42 8240 ADD_ALL_TESTS(test_cert_cb, 6);
6e46c065 8241 ADD_ALL_TESTS(test_client_cert_cb, 2);
fb8c8359 8242 ADD_ALL_TESTS(test_ca_names, 3);
0d2bfe52
SL		 8243#ifndef OPENSSL_NO_TLS1_2
8244 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
8245#endif
49ef3d07 8246 ADD_ALL_TESTS(test_servername, 10);
b3842539
MC		 8247#ifndef OPENSSL_NO_EC
8248 ADD_ALL_TESTS(test_sigalgs_available, 6);
0c13cdf8
MC		 8249#endif
8250#ifndef OPENSSL_NO_TLS1_3
c8e3a4c6 8251 ADD_ALL_TESTS(test_pluggable_group, 2);
49a36a52
MC		 8252#endif
8253#ifndef OPENSSL_NO_TLS1_2
8254 ADD_TEST(test_ssl_dup);
b3842539 8255#endif
ad887416 8256 return 1;
b3842539
MC		 8257
8258 err:
8259 OPENSSL_free(cert);
8260 OPENSSL_free(privkey);
8261 OPENSSL_free(cert2);
8262 OPENSSL_free(privkey2);
8263 return 0;
ad887416 8264}
2cb4b5f6 8265
ad887416
P		 8266void cleanup_tests(void)
8267{
1a2a3a42
MC		 8268 OPENSSL_free(cert);
8269 OPENSSL_free(privkey);
b3842539
MC		 8270 OPENSSL_free(cert2);
8271 OPENSSL_free(privkey2);
fa454945 8272 bio_s_mempacket_test_free();
a77b4dba 8273 bio_s_always_retry_free();
5e30f2fd 8274 OSSL_PROVIDER_unload(defctxnull);
b4250010 8275 OSSL_LIB_CTX_free(libctx);
2cb4b5f6 8276}
A mirror of the official openssl repository