]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
TLS client: allow cert verify callback return -1 for SSL_ERROR_WANT_RETRY_VERIFY
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
33388b44 2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6 3 *
909f1a2e 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
2cb4b5f6
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
a76ce286
P		 10/*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14#ifndef OPENSSL_NO_DEPRECATED_3_0
15# define OPENSSL_SUPPRESS_DEPRECATED
16#endif
17
7c3a7561 18#include <stdio.h>
ba881d3b
MC		 19#include <string.h>
20
2cb4b5f6
MC		 21#include <openssl/opensslconf.h>
22#include <openssl/bio.h>
23#include <openssl/crypto.h>
24#include <openssl/ssl.h>
ba881d3b 25#include <openssl/ocsp.h>
76fd7a1d
MC		 26#include <openssl/srp.h>
27#include <openssl/txt_db.h>
d0191fe0 28#include <openssl/aes.h>
7c3a7561 29#include <openssl/rand.h>
a76ce286 30#include <openssl/core_names.h>
23c48d94 31#include <openssl/core_dispatch.h>
5e30f2fd 32#include <openssl/provider.h>
33c39a06 33#include <openssl/param_build.h>
2cb4b5f6 34
20f8bc72 35#include "helpers/ssltestlib.h"
c887104f 36#include "testutil.h"
f297e4ec 37#include "testutil/output.h"
176db6dc 38#include "internal/nelem.h"
fe5d9450 39#include "internal/ktls.h"
706457b7 40#include "../ssl/ssl_local.h"
2cb4b5f6 41
b3842539
MC		 42/* Defined in filterprov.c */
43OSSL_provider_init_fn filter_provider_init;
44int filter_provider_set_filter(int operation, const char *name);
45
0c13cdf8
MC		 46/* Defined in tls-provider.c */
47int tls_provider_init(const OSSL_CORE_HANDLE *handle,
48 const OSSL_DISPATCH *in,
49 const OSSL_DISPATCH **out,
50 void **provctx);
852c2ed2 51
b4250010 52static OSSL_LIB_CTX *libctx = NULL;
5e30f2fd
MC		 53static OSSL_PROVIDER *defctxnull = NULL;
54
8614a4eb
MC		 55#ifndef OPENSSL_NO_TLS1_3
56
57static SSL_SESSION *clientpsk = NULL;
58static SSL_SESSION *serverpsk = NULL;
59static const char *pskid = "Identity";
60static const char *srvid;
61
62static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
63 size_t *idlen, SSL_SESSION **sess);
64static int find_session_cb(SSL *ssl, const unsigned char *identity,
65 size_t identity_len, SSL_SESSION **sess);
66
67static int use_session_cb_cnt = 0;
68static int find_session_cb_cnt = 0;
69
70static SSL_SESSION *create_a_psk(SSL *ssl);
71#endif
72
1a2a3a42 73static char *certsdir = NULL;
2cb4b5f6
MC		 74static char *cert = NULL;
75static char *privkey = NULL;
b3842539
MC		 76static char *cert2 = NULL;
77static char *privkey2 = NULL;
3105d846
MC		 78static char *cert1024 = NULL;
79static char *privkey1024 = NULL;
80static char *cert3072 = NULL;
81static char *privkey3072 = NULL;
82static char *cert4096 = NULL;
83static char *privkey4096 = NULL;
84static char *cert8192 = NULL;
85static char *privkey8192 = NULL;
76fd7a1d
MC		 86static char *srpvfile = NULL;
87static char *tmpfilename = NULL;
2cb4b5f6 88
4f6c7044
MC		 89static int is_fips = 0;
90
cffe973c 91#define LOG_BUFFER_SIZE 2048
6acdd3e5 92static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 93static size_t server_log_buffer_index = 0;
6acdd3e5 94static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 95static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 96static int error_writing_log = 0;
97
8f8c11d8 98#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 99static const unsigned char orespder[] = "Dummy OCSP Response";
100static int ocsp_server_called = 0;
101static int ocsp_client_called = 0;
102
103static int cdummyarg = 1;
104static X509 *ocspcert = NULL;
8f8c11d8 105#endif
ba881d3b 106
84d5549e 107#define NUM_EXTRA_CERTS 40
cf72c757 108#define CLIENT_VERSION_LEN 2
84d5549e 109
f1a5939f
CB		 110/*
111 * This structure is used to validate that the correct number of log messages
112 * of various types are emitted when emitting secret logs.
113 */
114struct sslapitest_log_counts {
115 unsigned int rsa_key_exchange_count;
116 unsigned int master_secret_count;
cffe973c 117 unsigned int client_early_secret_count;
f1a5939f
CB		 118 unsigned int client_handshake_secret_count;
119 unsigned int server_handshake_secret_count;
120 unsigned int client_application_secret_count;
121 unsigned int server_application_secret_count;
01a2a654 122 unsigned int early_exporter_secret_count;
6329ce8f 123 unsigned int exporter_secret_count;
f1a5939f
CB		 124};
125
16afd71c
MC		 126
127static unsigned char serverinfov1[] = {
128 0xff, 0xff, /* Dummy extension type */
129 0x00, 0x01, /* Extension length is 1 byte */
130 0xff /* Dummy extension data */
131};
132
133static unsigned char serverinfov2[] = {
134 0x00, 0x00, 0x00,
135 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
136 0xff, 0xff, /* Dummy extension type */
137 0x00, 0x01, /* Extension length is 1 byte */
138 0xff /* Dummy extension data */
139};
140
104a733d
MC		 141static int hostname_cb(SSL *s, int *al, void *arg)
142{
143 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
144
145 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
146 || strcmp(hostname, "altgoodhost") == 0))
147 return SSL_TLSEXT_ERR_OK;
148
149 return SSL_TLSEXT_ERR_NOACK;
150}
151
710756a9
RS		 152static void client_keylog_callback(const SSL *ssl, const char *line)
153{
6acdd3e5
CB		 154 int line_length = strlen(line);
155
156 /* If the log doesn't fit, error out. */
710756a9
RS		 157 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
158 TEST_info("Client log too full");
6acdd3e5
CB		 159 error_writing_log = 1;
160 return;
161 }
162
163 strcat(client_log_buffer, line);
164 client_log_buffer_index += line_length;
710756a9 165 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 166}
167
710756a9
RS		 168static void server_keylog_callback(const SSL *ssl, const char *line)
169{
6acdd3e5
CB		 170 int line_length = strlen(line);
171
172 /* If the log doesn't fit, error out. */
710756a9 173 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 174 TEST_info("Server log too full");
6acdd3e5
CB		 175 error_writing_log = 1;
176 return;
177 }
178
179 strcat(server_log_buffer, line);
180 server_log_buffer_index += line_length;
710756a9 181 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 182}
183
184static int compare_hex_encoded_buffer(const char *hex_encoded,
185 size_t hex_length,
186 const uint8_t *raw,
710756a9
RS		 187 size_t raw_length)
188{
189 size_t i, j;
190 char hexed[3];
6acdd3e5 191
710756a9 192 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 193 return 1;
6acdd3e5 194
710756a9 195 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 196 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 197 if (!TEST_int_eq(hexed[0], hex_encoded[j])
198 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 199 return 1;
6acdd3e5
CB		 200 }
201
202 return 0;
203}
204
205static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 206 const SSL_SESSION *session,
710756a9
RS		 207 struct sslapitest_log_counts *expected)
208{
6acdd3e5
CB		 209 char *token = NULL;
210 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
211 size_t client_random_size = SSL3_RANDOM_SIZE;
212 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
213 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 214 unsigned int rsa_key_exchange_count = 0;
215 unsigned int master_secret_count = 0;
cffe973c 216 unsigned int client_early_secret_count = 0;
f1a5939f
CB		 217 unsigned int client_handshake_secret_count = 0;
218 unsigned int server_handshake_secret_count = 0;
219 unsigned int client_application_secret_count = 0;
220 unsigned int server_application_secret_count = 0;
01a2a654 221 unsigned int early_exporter_secret_count = 0;
6329ce8f 222 unsigned int exporter_secret_count = 0;
6acdd3e5 223
710756a9
RS		 224 for (token = strtok(buffer, " \n"); token != NULL;
225 token = strtok(NULL, " \n")) {
6acdd3e5 226 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 227 /*
228 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 229 * hex-encoded encrypted secret, then the hex-encoded pre-master
230 * secret.
231 */
710756a9 232 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 233 return 0;
710756a9 234 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 235 return 0;
710756a9 236 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 237 return 0;
f1a5939f
CB		 238 /*
239 * We can't sensibly check the log because the premaster secret is
240 * transient, and OpenSSL doesn't keep hold of it once the master
241 * secret is generated.
242 */
243 rsa_key_exchange_count++;
6acdd3e5 244 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 245 /*
246 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 247 * client random, then the hex-encoded master secret.
248 */
249 client_random_size = SSL_get_client_random(ssl,
250 actual_client_random,
251 SSL3_RANDOM_SIZE);
710756a9 252 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 253 return 0;
6acdd3e5 254
710756a9 255 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 256 return 0;
710756a9 257 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 258 return 0;
710756a9
RS		 259 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
260 actual_client_random,
261 client_random_size)))
f1a5939f 262 return 0;
6acdd3e5 263
710756a9 264 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 265 return 0;
6acdd3e5
CB		 266 master_key_size = SSL_SESSION_get_master_key(session,
267 actual_master_key,
268 master_key_size);
710756a9 269 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 270 return 0;
710756a9
RS		 271 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
272 actual_master_key,
273 master_key_size)))
f1a5939f 274 return 0;
f1a5939f 275 master_secret_count++;
cffe973c
PW		 276 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
277 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
710756a9
RS		 278 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
279 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
6329ce8f 280 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
01a2a654 281 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
6329ce8f 282 || strcmp(token, "EXPORTER_SECRET") == 0) {
f1a5939f
CB		 283 /*
284 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
285 * client random, and then the hex-encoded secret. In this case,
286 * we treat all of these secrets identically and then just
287 * distinguish between them when counting what we saw.
288 */
cffe973c
PW		 289 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
290 client_early_secret_count++;
291 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
f1a5939f
CB		 292 client_handshake_secret_count++;
293 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
294 server_handshake_secret_count++;
295 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
296 client_application_secret_count++;
297 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
298 server_application_secret_count++;
01a2a654
PW		 299 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
300 early_exporter_secret_count++;
6329ce8f
PW		 301 else if (strcmp(token, "EXPORTER_SECRET") == 0)
302 exporter_secret_count++;
f1a5939f
CB		 303
304 client_random_size = SSL_get_client_random(ssl,
305 actual_client_random,
306 SSL3_RANDOM_SIZE);
710756a9 307 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 308 return 0;
f1a5939f 309
710756a9 310 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 311 return 0;
710756a9 312 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 313 return 0;
710756a9
RS		 314 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
315 actual_client_random,
316 client_random_size)))
f1a5939f 317 return 0;
6acdd3e5 318
710756a9 319 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 320 return 0;
f1a5939f
CB		 321
322 /*
323 * TODO(TLS1.3): test that application traffic secrets are what
324 * we expect */
6acdd3e5 325 } else {
710756a9 326 TEST_info("Unexpected token %s\n", token);
f1a5939f 327 return 0;
6acdd3e5 328 }
6acdd3e5
CB		 329 }
330
710756a9
RS		 331 /* Got what we expected? */
332 if (!TEST_size_t_eq(rsa_key_exchange_count,
333 expected->rsa_key_exchange_count)
334 || !TEST_size_t_eq(master_secret_count,
335 expected->master_secret_count)
cffe973c
PW		 336 || !TEST_size_t_eq(client_early_secret_count,
337 expected->client_early_secret_count)
710756a9
RS		 338 || !TEST_size_t_eq(client_handshake_secret_count,
339 expected->client_handshake_secret_count)
340 || !TEST_size_t_eq(server_handshake_secret_count,
341 expected->server_handshake_secret_count)
342 || !TEST_size_t_eq(client_application_secret_count,
343 expected->client_application_secret_count)
344 || !TEST_size_t_eq(server_application_secret_count,
6329ce8f 345 expected->server_application_secret_count)
01a2a654
PW		 346 || !TEST_size_t_eq(early_exporter_secret_count,
347 expected->early_exporter_secret_count)
6329ce8f
PW		 348 || !TEST_size_t_eq(exporter_secret_count,
349 expected->exporter_secret_count))
710756a9
RS		 350 return 0;
351 return 1;
6acdd3e5
CB		 352}
353
c423ecaa 354#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
710756a9
RS		 355static int test_keylog(void)
356{
6acdd3e5
CB		 357 SSL_CTX *cctx = NULL, *sctx = NULL;
358 SSL *clientssl = NULL, *serverssl = NULL;
359 int testresult = 0;
6fc1e624 360 struct sslapitest_log_counts expected;
6acdd3e5
CB		 361
362 /* Clean up logging space */
6fc1e624 363 memset(&expected, 0, sizeof(expected));
710756a9
RS		 364 memset(client_log_buffer, 0, sizeof(client_log_buffer));
365 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 366 client_log_buffer_index = 0;
367 server_log_buffer_index = 0;
368 error_writing_log = 0;
369
5e30f2fd 370 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
710756a9 371 TLS_client_method(),
5c587fb6 372 TLS1_VERSION, 0,
710756a9 373 &sctx, &cctx, cert, privkey)))
6acdd3e5 374 return 0;
6acdd3e5
CB		 375
376 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
377 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
378 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
379
f0deb4d3 380 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 381 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 382 goto end;
f0deb4d3 383
cf10df81
RS		 384 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
385 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 386 goto end;
6acdd3e5 387 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 388 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
389 == client_keylog_callback))
6acdd3e5 390 goto end;
710756a9 391 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 392 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
393 == server_keylog_callback))
6acdd3e5 394 goto end;
6acdd3e5 395
710756a9
RS		 396 /* Now do a handshake and check that the logs have been written to. */
397 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
398 &clientssl, NULL, NULL))
399 || !TEST_true(create_ssl_connection(serverssl, clientssl,
400 SSL_ERROR_NONE))
401 || !TEST_false(error_writing_log)
402 || !TEST_int_gt(client_log_buffer_index, 0)
403 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 404 goto end;
6acdd3e5 405
f1a5939f
CB		 406 /*
407 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 408 * do that by using strtok and confirming that we have more or less the
f1a5939f
CB		 409 * data we expect. For both client and server, we expect to see one master
410 * secret. The client should also see a RSA key exchange.
6acdd3e5 411 */
f1a5939f
CB		 412 expected.rsa_key_exchange_count = 1;
413 expected.master_secret_count = 1;
710756a9
RS		 414 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
415 SSL_get_session(clientssl), &expected)))
6acdd3e5 416 goto end;
f1a5939f
CB		 417
418 expected.rsa_key_exchange_count = 0;
710756a9
RS		 419 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
420 SSL_get_session(serverssl), &expected)))
6acdd3e5 421 goto end;
6acdd3e5
CB		 422
423 testresult = 1;
424
425end:
426 SSL_free(serverssl);
427 SSL_free(clientssl);
428 SSL_CTX_free(sctx);
429 SSL_CTX_free(cctx);
430
431 return testresult;
432}
c423ecaa 433#endif
6acdd3e5
CB		 434
435#ifndef OPENSSL_NO_TLS1_3
710756a9
RS		 436static int test_keylog_no_master_key(void)
437{
6acdd3e5
CB		 438 SSL_CTX *cctx = NULL, *sctx = NULL;
439 SSL *clientssl = NULL, *serverssl = NULL;
cffe973c 440 SSL_SESSION *sess = NULL;
6acdd3e5 441 int testresult = 0;
6fc1e624 442 struct sslapitest_log_counts expected;
cffe973c
PW		 443 unsigned char buf[1];
444 size_t readbytes, written;
6acdd3e5
CB		 445
446 /* Clean up logging space */
6fc1e624 447 memset(&expected, 0, sizeof(expected));
710756a9
RS		 448 memset(client_log_buffer, 0, sizeof(client_log_buffer));
449 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 450 client_log_buffer_index = 0;
451 server_log_buffer_index = 0;
452 error_writing_log = 0;
453
5e30f2fd
MC		 454 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
455 TLS_client_method(), TLS1_VERSION, 0,
cffe973c
PW		 456 &sctx, &cctx, cert, privkey))
457 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
cffe973c 458 SSL3_RT_MAX_PLAIN_LENGTH)))
6acdd3e5 459 return 0;
6acdd3e5 460
cf10df81
RS		 461 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
462 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 463 goto end;
6acdd3e5
CB		 464
465 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 466 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
467 == client_keylog_callback))
6acdd3e5 468 goto end;
6acdd3e5 469
710756a9 470 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 471 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
472 == server_keylog_callback))
6acdd3e5 473 goto end;
6acdd3e5 474
710756a9
RS		 475 /* Now do a handshake and check that the logs have been written to. */
476 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
477 &clientssl, NULL, NULL))
478 || !TEST_true(create_ssl_connection(serverssl, clientssl,
479 SSL_ERROR_NONE))
480 || !TEST_false(error_writing_log))
6acdd3e5 481 goto end;
6acdd3e5 482
f1a5939f
CB		 483 /*
484 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 485 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 486 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 487 */
f1a5939f
CB		 488 expected.client_handshake_secret_count = 1;
489 expected.server_handshake_secret_count = 1;
490 expected.client_application_secret_count = 1;
491 expected.server_application_secret_count = 1;
6329ce8f 492 expected.exporter_secret_count = 1;
710756a9
RS		 493 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
494 SSL_get_session(clientssl), &expected))
495 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
496 SSL_get_session(serverssl),
497 &expected)))
6acdd3e5 498 goto end;
6acdd3e5 499
cffe973c
PW		 500 /* Terminate old session and resume with early data. */
501 sess = SSL_get1_session(clientssl);
502 SSL_shutdown(clientssl);
503 SSL_shutdown(serverssl);
504 SSL_free(serverssl);
505 SSL_free(clientssl);
506 serverssl = clientssl = NULL;
507
508 /* Reset key log */
509 memset(client_log_buffer, 0, sizeof(client_log_buffer));
510 memset(server_log_buffer, 0, sizeof(server_log_buffer));
511 client_log_buffer_index = 0;
512 server_log_buffer_index = 0;
513
514 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
515 &clientssl, NULL, NULL))
516 || !TEST_true(SSL_set_session(clientssl, sess))
517 /* Here writing 0 length early data is enough. */
518 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
519 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
520 &readbytes),
521 SSL_READ_EARLY_DATA_ERROR)
522 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
523 SSL_EARLY_DATA_ACCEPTED)
524 || !TEST_true(create_ssl_connection(serverssl, clientssl,
525 SSL_ERROR_NONE))
526 || !TEST_true(SSL_session_reused(clientssl)))
527 goto end;
528
529 /* In addition to the previous entries, expect early secrets. */
530 expected.client_early_secret_count = 1;
01a2a654 531 expected.early_exporter_secret_count = 1;
cffe973c
PW		 532 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
533 SSL_get_session(clientssl), &expected))
534 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
535 SSL_get_session(serverssl),
536 &expected)))
537 goto end;
538
6acdd3e5
CB		 539 testresult = 1;
540
541end:
cffe973c 542 SSL_SESSION_free(sess);
6acdd3e5
CB		 543 SSL_free(serverssl);
544 SSL_free(clientssl);
545 SSL_CTX_free(sctx);
546 SSL_CTX_free(cctx);
547
548 return testresult;
549}
550#endif
551
0c3eb279
DDO		 552static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
553{
554 int res = X509_verify_cert(ctx);
555
556 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
557 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
558 return -1; /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
559 return res;
560}
561
562static int test_client_cert_verify_cb(void)
563{
564 /* server key, cert, chain, and root */
565 char *skey = test_mk_file_path(certsdir, "leaf.key");
566 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
567 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
568 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
569 char *root = test_mk_file_path(certsdir, "rootCA.pem");
570 X509 *crt1 = NULL, *crt2 = NULL;
571 STACK_OF(X509) *server_chain;
572 SSL_CTX *cctx = NULL, *sctx = NULL;
573 SSL *clientssl = NULL, *serverssl = NULL;
574 int testresult = 0;
575
576 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
577 TLS_client_method(), TLS1_VERSION, 0,
578 &sctx, &cctx, NULL, NULL)))
579 goto end;
580 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
581 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
582 SSL_FILETYPE_PEM), 1)
583 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
584 goto end;
585 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
586 goto end;
587 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
588 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
589 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
590 &clientssl, NULL, NULL)))
591 goto end;
592
593 /* attempt SSL_connect() with incomplete server chain */
594 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
595 SSL_ERROR_WANT_RETRY_VERIFY)))
596 goto end;
597
598 /* application provides intermediate certs needed to verify server cert */
599 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
600 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
601 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
602 goto end;
603 /* add certs in reverse order to demonstrate real chain building */
604 if (!TEST_true(sk_X509_push(server_chain, crt1)))
605 goto end;
606 crt1 = NULL;
607 if (!TEST_true(sk_X509_push(server_chain, crt2)))
608 goto end;
609 crt2 = NULL;
610
611 /* continue SSL_connect(), must now succeed with completed server chain */
612 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
613 SSL_ERROR_NONE)))
614 goto end;
615
616 testresult = 1;
617
618end:
619 X509_free(crt1);
620 X509_free(crt2);
621 SSL_shutdown(clientssl);
622 SSL_shutdown(serverssl);
623 SSL_free(serverssl);
624 SSL_free(clientssl);
625 SSL_CTX_free(sctx);
626 SSL_CTX_free(cctx);
627
628 OPENSSL_free(skey);
629 OPENSSL_free(leaf);
630 OPENSSL_free(int2);
631 OPENSSL_free(int1);
632 OPENSSL_free(root);
633
634 return testresult;
635}
636
e9ee6536 637#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 638static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 639{
640 int *ctr = arg;
641 const unsigned char *p;
8ea404fb 642 int *exts;
2afaee51
BK		 643 /* We only configure two ciphers, but the SCSV is added automatically. */
644#ifdef OPENSSL_NO_EC
645 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
646#else
647 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
648 0x2c, 0x00, 0xff};
649#endif
8ea404fb
BK		 650 const int expected_extensions[] = {
651#ifndef OPENSSL_NO_EC
652 11, 10,
653#endif
10ed1b72 654 35, 22, 23, 13};
2afaee51
BK		 655 size_t len;
656
657 /* Make sure we can defer processing and get called back. */
658 if ((*ctr)++ == 0)
f1b97da1 659 return SSL_CLIENT_HELLO_RETRY;
2afaee51 660
a9c0d8be 661 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 662 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 663 || !TEST_size_t_eq(
664 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 665 || !TEST_int_eq(*p, 0))
f1b97da1 666 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 667 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 668 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 669 if (len != OSSL_NELEM(expected_extensions) ||
670 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 671 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 672 OPENSSL_free(exts);
f1b97da1 673 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 674 }
675 OPENSSL_free(exts);
f1b97da1 676 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 677}
678
a9c0d8be 679static int test_client_hello_cb(void)
710756a9 680{
2afaee51
BK		 681 SSL_CTX *cctx = NULL, *sctx = NULL;
682 SSL *clientssl = NULL, *serverssl = NULL;
683 int testctr = 0, testresult = 0;
684
5e30f2fd
MC		 685 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
686 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 687 &sctx, &cctx, cert, privkey)))
2afaee51 688 goto end;
a9c0d8be 689 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 690
2afaee51
BK		 691 /* The gimpy cipher list we configure can't do TLS 1.3. */
692 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 693
710756a9
RS		 694 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
695 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
696 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
697 &clientssl, NULL, NULL))
698 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 699 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 700 /*
701 * Passing a -1 literal is a hack since
702 * the real value was lost.
703 * */
a9c0d8be
DB		 704 || !TEST_int_eq(SSL_get_error(serverssl, -1),
705 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 706 || !TEST_true(create_ssl_connection(serverssl, clientssl,
707 SSL_ERROR_NONE)))
2afaee51 708 goto end;
2afaee51
BK		 709
710 testresult = 1;
711
088dfa13
TS		 712end:
713 SSL_free(serverssl);
714 SSL_free(clientssl);
715 SSL_CTX_free(sctx);
716 SSL_CTX_free(cctx);
717
718 return testresult;
719}
720
721static int test_no_ems(void)
722{
723 SSL_CTX *cctx = NULL, *sctx = NULL;
724 SSL *clientssl = NULL, *serverssl = NULL;
725 int testresult = 0;
726
5e30f2fd 727 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
088dfa13
TS		 728 TLS1_VERSION, TLS1_2_VERSION,
729 &sctx, &cctx, cert, privkey)) {
730 printf("Unable to create SSL_CTX pair\n");
731 goto end;
732 }
733
734 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
735
736 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
737 printf("Unable to create SSL objects\n");
738 goto end;
739 }
740
741 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
742 printf("Creating SSL connection failed\n");
743 goto end;
744 }
745
746 if (SSL_get_extms_support(serverssl)) {
747 printf("Server reports Extended Master Secret support\n");
748 goto end;
749 }
750
751 if (SSL_get_extms_support(clientssl)) {
752 printf("Client reports Extended Master Secret support\n");
753 goto end;
754 }
755 testresult = 1;
756
2afaee51
BK		 757end:
758 SSL_free(serverssl);
759 SSL_free(clientssl);
760 SSL_CTX_free(sctx);
761 SSL_CTX_free(cctx);
762
763 return testresult;
764}
765
3cd14e5e
BK		 766/*
767 * Very focused test to exercise a single case in the server-side state
768 * machine, when the ChangeCipherState message needs to actually change
769 * from one cipher to a different cipher (i.e., not changing from null
b3e6d666 770 * encryption to real encryption).
3cd14e5e
BK		 771 */
772static int test_ccs_change_cipher(void)
773{
774 SSL_CTX *cctx = NULL, *sctx = NULL;
775 SSL *clientssl = NULL, *serverssl = NULL;
776 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
777 int testresult = 0;
778 int i;
779 unsigned char buf;
780 size_t readbytes;
781
782 /*
783 * Create a conection so we can resume and potentially (but not) use
784 * a different cipher in the second connection.
785 */
5e30f2fd 786 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3cd14e5e
BK		 787 TLS_client_method(),
788 TLS1_VERSION, TLS1_2_VERSION,
789 &sctx, &cctx, cert, privkey))
790 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
791 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
792 NULL, NULL))
793 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
794 || !TEST_true(create_ssl_connection(serverssl, clientssl,
795 SSL_ERROR_NONE))
796 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
797 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
798 goto end;
799
800 shutdown_ssl_connection(serverssl, clientssl);
801 serverssl = clientssl = NULL;
802
803 /* Resume, preferring a different cipher. Our server will force the
804 * same cipher to be used as the initial handshake. */
805 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
806 NULL, NULL))
807 || !TEST_true(SSL_set_session(clientssl, sess))
808 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
809 || !TEST_true(create_ssl_connection(serverssl, clientssl,
810 SSL_ERROR_NONE))
811 || !TEST_true(SSL_session_reused(clientssl))
812 || !TEST_true(SSL_session_reused(serverssl))
813 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
814 || !TEST_ptr_eq(sesspre, sesspost)
815 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
816 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
817 goto end;
818 shutdown_ssl_connection(serverssl, clientssl);
819 serverssl = clientssl = NULL;
820
821 /*
822 * Now create a fresh connection and try to renegotiate a different
823 * cipher on it.
824 */
b3e6d666
BK		 825 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
826 NULL, NULL))
3cd14e5e
BK		 827 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
828 || !TEST_true(create_ssl_connection(serverssl, clientssl,
829 SSL_ERROR_NONE))
830 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
831 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
832 || !TEST_true(SSL_renegotiate(clientssl))
833 || !TEST_true(SSL_renegotiate_pending(clientssl)))
834 goto end;
835 /* Actually drive the renegotiation. */
836 for (i = 0; i < 3; i++) {
837 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
838 if (!TEST_ulong_eq(readbytes, 0))
839 goto end;
840 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
841 SSL_ERROR_WANT_READ)) {
842 goto end;
843 }
844 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
845 if (!TEST_ulong_eq(readbytes, 0))
846 goto end;
847 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
848 SSL_ERROR_WANT_READ)) {
849 goto end;
850 }
851 }
852 /* sesspre and sesspost should be different since the cipher changed. */
853 if (!TEST_false(SSL_renegotiate_pending(clientssl))
854 || !TEST_false(SSL_session_reused(clientssl))
855 || !TEST_false(SSL_session_reused(serverssl))
856 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
857 || !TEST_ptr_ne(sesspre, sesspost)
858 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
859 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
860 goto end;
861
862 shutdown_ssl_connection(serverssl, clientssl);
863 serverssl = clientssl = NULL;
864
865 testresult = 1;
866
867end:
868 SSL_free(serverssl);
869 SSL_free(clientssl);
870 SSL_CTX_free(sctx);
871 SSL_CTX_free(cctx);
872 SSL_SESSION_free(sess);
873
874 return testresult;
875}
fb121631 876#endif
3cd14e5e 877
84d5549e 878static int execute_test_large_message(const SSL_METHOD *smeth,
7d7f6834
RL		 879 const SSL_METHOD *cmeth,
880 int min_version, int max_version,
881 int read_ahead)
84d5549e
MC		 882{
883 SSL_CTX *cctx = NULL, *sctx = NULL;
884 SSL *clientssl = NULL, *serverssl = NULL;
885 int testresult = 0;
886 int i;
710756a9 887 BIO *certbio = NULL;
84d5549e
MC		 888 X509 *chaincert = NULL;
889 int certlen;
890
710756a9 891 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
84d5549e 892 goto end;
6725682d 893
d8652be0 894 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
6725682d
SL		 895 goto end;
896
897 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
898 goto end;
fa454945
MC		 899 BIO_free(certbio);
900 certbio = NULL;
84d5549e 901
5e30f2fd
MC		 902 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
903 max_version, &sctx, &cctx, cert,
904 privkey)))
84d5549e 905 goto end;
84d5549e 906
710756a9 907 if (read_ahead) {
7856332e
MC		 908 /*
909 * Test that read_ahead works correctly when dealing with large
910 * records
911 */
912 SSL_CTX_set_read_ahead(cctx, 1);
913 }
914
84d5549e
MC		 915 /*
916 * We assume the supplied certificate is big enough so that if we add
917 * NUM_EXTRA_CERTS it will make the overall message large enough. The
918 * default buffer size is requested to be 16k, but due to the way BUF_MEM
710756a9
RS		 919 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
920 * test we need to have a message larger than that.
84d5549e
MC		 921 */
922 certlen = i2d_X509(chaincert, NULL);
710756a9
RS		 923 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
924 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
84d5549e 925 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
710756a9 926 if (!X509_up_ref(chaincert))
84d5549e 927 goto end;
84d5549e 928 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
84d5549e
MC		 929 X509_free(chaincert);
930 goto end;
931 }
932 }
933
710756a9
RS		 934 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
935 NULL, NULL))
936 || !TEST_true(create_ssl_connection(serverssl, clientssl,
937 SSL_ERROR_NONE)))
84d5549e 938 goto end;
84d5549e 939
4bf08600
MC		 940 /*
941 * Calling SSL_clear() first is not required but this tests that SSL_clear()
742ccab3 942 * doesn't leak.
4bf08600 943 */
710756a9 944 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 945 goto end;
84d5549e 946
4bf08600 947 testresult = 1;
84d5549e 948 end:
6725682d 949 BIO_free(certbio);
84d5549e
MC		 950 X509_free(chaincert);
951 SSL_free(serverssl);
952 SSL_free(clientssl);
953 SSL_CTX_free(sctx);
954 SSL_CTX_free(cctx);
955
956 return testresult;
957}
958
da4db160
VF		 959#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
960 !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
961#define TLS_CIPHER_MAX_REC_SEQ_SIZE 8
fe5d9450
BP		 962/* sock must be connected */
963static int ktls_chk_platform(int sock)
964{
965 if (!ktls_enable(sock))
966 return 0;
967 return 1;
968}
969
da4db160 970static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd, int rec_seq_size)
fe5d9450
BP		 971{
972 static char count = 1;
973 unsigned char cbuf[16000] = {0};
974 unsigned char sbuf[16000];
975 size_t err = 0;
da4db160
VF		 976 char crec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
977 char crec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
978 char crec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
979 char crec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
980 char srec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
981 char srec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
982 char srec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
983 char srec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
fe5d9450
BP		 984
985 cbuf[0] = count++;
da4db160
VF		 986 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, rec_seq_size);
987 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, rec_seq_size);
988 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, rec_seq_size);
989 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, rec_seq_size);
fe5d9450
BP		 990
991 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
992 goto end;
993
994 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
995 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
996 goto end;
997 }
998 }
999
1000 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1001 goto end;
1002
1003 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1004 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1005 goto end;
1006 }
1007 }
1008
da4db160
VF		 1009 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, rec_seq_size);
1010 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, rec_seq_size);
1011 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, rec_seq_size);
1012 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, rec_seq_size);
fe5d9450
BP		 1013
1014 /* verify the payload */
1015 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1016 goto end;
1017
1018 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
1019 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
da4db160
VF		 1020 if (!TEST_mem_ne(crec_wseq_before, rec_seq_size,
1021 crec_wseq_after, rec_seq_size))
fe5d9450
BP		 1022 goto end;
1023 } else {
da4db160
VF		 1024 if (!TEST_mem_eq(crec_wseq_before, rec_seq_size,
1025 crec_wseq_after, rec_seq_size))
fe5d9450
BP		 1026 goto end;
1027 }
1028
1029 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
da4db160
VF		 1030 if (!TEST_mem_ne(srec_wseq_before, rec_seq_size,
1031 srec_wseq_after, rec_seq_size))
fe5d9450
BP		 1032 goto end;
1033 } else {
da4db160
VF		 1034 if (!TEST_mem_eq(srec_wseq_before, rec_seq_size,
1035 srec_wseq_after, rec_seq_size))
fe5d9450
BP		 1036 goto end;
1037 }
1038
2fab79af 1039 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
da4db160
VF		 1040 if (!TEST_mem_ne(crec_rseq_before, rec_seq_size,
1041 crec_rseq_after, rec_seq_size))
2fab79af
BP		 1042 goto end;
1043 } else {
da4db160
VF		 1044 if (!TEST_mem_eq(crec_rseq_before, rec_seq_size,
1045 crec_rseq_after, rec_seq_size))
2fab79af
BP		 1046 goto end;
1047 }
1048
1049 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
da4db160
VF		 1050 if (!TEST_mem_ne(srec_rseq_before, rec_seq_size,
1051 srec_rseq_after, rec_seq_size))
2fab79af
BP		 1052 goto end;
1053 } else {
da4db160
VF		 1054 if (!TEST_mem_eq(srec_rseq_before, rec_seq_size,
1055 srec_rseq_after, rec_seq_size))
2fab79af
BP		 1056 goto end;
1057 }
fe5d9450
BP		 1058
1059 return 1;
1060end:
1061 return 0;
1062}
1063
2fab79af 1064static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
da4db160
VF		 1065 int sis_ktls_tx, int sis_ktls_rx,
1066 int tls_version, const char *cipher,
1067 int rec_seq_size)
fe5d9450
BP		 1068{
1069 SSL_CTX *cctx = NULL, *sctx = NULL;
1070 SSL *clientssl = NULL, *serverssl = NULL;
1071 int testresult = 0;
1072 int cfd, sfd;
1073
1074 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
1075 goto end;
1076
1077 /* Skip this test if the platform does not support ktls */
1078 if (!ktls_chk_platform(cfd))
1079 return 1;
1080
1081 /* Create a session based on SHA-256 */
5e30f2fd 1082 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fe5d9450 1083 TLS_client_method(),
da4db160 1084 tls_version, tls_version,
fe5d9450 1085 &sctx, &cctx, cert, privkey))
da4db160 1086 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
ab114c6d 1087 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher))
fe5d9450
BP		 1088 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1089 &clientssl, sfd, cfd)))
1090 goto end;
1091
1092 if (!cis_ktls_tx) {
1093 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
1094 goto end;
1095 }
1096
1097 if (!sis_ktls_tx) {
1098 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
1099 goto end;
1100 }
1101
2fab79af
BP		 1102 if (!cis_ktls_rx) {
1103 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
1104 goto end;
1105 }
1106
1107 if (!sis_ktls_rx) {
1108 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
1109 goto end;
1110 }
1111
fe5d9450
BP		 1112 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1113 SSL_ERROR_NONE)))
1114 goto end;
1115
1116 if (!cis_ktls_tx) {
1117 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1118 goto end;
1119 } else {
1120 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
1121 goto end;
1122 }
1123
1124 if (!sis_ktls_tx) {
1125 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1126 goto end;
1127 } else {
1128 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1129 goto end;
1130 }
1131
2fab79af
BP		 1132 if (!cis_ktls_rx) {
1133 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1134 goto end;
1135 } else {
1136 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
1137 goto end;
1138 }
1139
1140 if (!sis_ktls_rx) {
1141 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1142 goto end;
1143 } else {
1144 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
1145 goto end;
1146 }
1147
da4db160
VF		 1148 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd,
1149 rec_seq_size)))
fe5d9450
BP		 1150 goto end;
1151
1152 testresult = 1;
1153end:
1154 if (clientssl) {
1155 SSL_shutdown(clientssl);
1156 SSL_free(clientssl);
1157 }
1158 if (serverssl) {
1159 SSL_shutdown(serverssl);
1160 SSL_free(serverssl);
1161 }
1162 SSL_CTX_free(sctx);
1163 SSL_CTX_free(cctx);
1164 serverssl = clientssl = NULL;
1165 return testresult;
1166}
1167
7c3a7561
BP		 1168#define SENDFILE_SZ (16 * 4096)
1169#define SENDFILE_CHUNK (4 * 4096)
1170#define min(a,b) ((a) > (b) ? (b) : (a))
1171
da4db160 1172static int test_ktls_sendfile(int tls_version, const char *cipher)
7c3a7561
BP		 1173{
1174 SSL_CTX *cctx = NULL, *sctx = NULL;
1175 SSL *clientssl = NULL, *serverssl = NULL;
1176 unsigned char *buf, *buf_dst;
1177 BIO *out = NULL, *in = NULL;
1178 int cfd, sfd, ffd, err;
1179 ssize_t chunk_size = 0;
1180 off_t chunk_off = 0;
1181 int testresult = 0;
1182 FILE *ffdp;
1183
1184 buf = OPENSSL_zalloc(SENDFILE_SZ);
1185 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1186 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1187 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1188 goto end;
1189
1190 /* Skip this test if the platform does not support ktls */
1191 if (!ktls_chk_platform(sfd)) {
1192 testresult = 1;
1193 goto end;
1194 }
1195
1196 /* Create a session based on SHA-256 */
5e30f2fd 1197 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7c3a7561 1198 TLS_client_method(),
da4db160 1199 tls_version, tls_version,
7c3a7561 1200 &sctx, &cctx, cert, privkey))
da4db160 1201 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
ab114c6d 1202 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher))
7c3a7561
BP		 1203 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1204 &clientssl, sfd, cfd)))
1205 goto end;
1206
1207 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1208 SSL_ERROR_NONE))
1209 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1210 goto end;
1211
72c1e374
JB		 1212 if (!TEST_true(RAND_bytes_ex(libctx, buf, SENDFILE_SZ)))
1213 goto end;
1214
7c3a7561
BP		 1215 out = BIO_new_file(tmpfilename, "wb");
1216 if (!TEST_ptr(out))
1217 goto end;
1218
1219 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1220 goto end;
1221
1222 BIO_free(out);
1223 out = NULL;
1224 in = BIO_new_file(tmpfilename, "rb");
1225 BIO_get_fp(in, &ffdp);
1226 ffd = fileno(ffdp);
1227
1228 while (chunk_off < SENDFILE_SZ) {
1229 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1230 while ((err = SSL_sendfile(serverssl,
1231 ffd,
1232 chunk_off,
1233 chunk_size,
1234 0)) != chunk_size) {
1235 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1236 goto end;
1237 }
1238 while ((err = SSL_read(clientssl,
1239 buf_dst + chunk_off,
1240 chunk_size)) != chunk_size) {
1241 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1242 goto end;
1243 }
1244
1245 /* verify the payload */
1246 if (!TEST_mem_eq(buf_dst + chunk_off,
1247 chunk_size,
1248 buf + chunk_off,
1249 chunk_size))
1250 goto end;
1251
1252 chunk_off += chunk_size;
1253 }
1254
1255 testresult = 1;
1256end:
1257 if (clientssl) {
1258 SSL_shutdown(clientssl);
1259 SSL_free(clientssl);
1260 }
1261 if (serverssl) {
1262 SSL_shutdown(serverssl);
1263 SSL_free(serverssl);
1264 }
1265 SSL_CTX_free(sctx);
1266 SSL_CTX_free(cctx);
1267 serverssl = clientssl = NULL;
1268 BIO_free(out);
1269 BIO_free(in);
1270 OPENSSL_free(buf);
1271 OPENSSL_free(buf_dst);
1272 return testresult;
1273}
1274
da4db160
VF		 1275#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
1276static int test_ktls(int test)
1277{
eb818d23
JB		 1278 int cis_ktls_tx, cis_ktls_rx, sis_ktls_tx, sis_ktls_rx;
1279 int tlsver, testresult;
da4db160
VF		 1280
1281 if (test > 15) {
1282#if defined(OPENSSL_NO_TLS1_3)
1283 return 1;
1284#else
1285 test -= 16;
1286 tlsver = TLS1_3_VERSION;
1287#endif
1288 } else {
1289#if defined(OPENSSL_NO_TLS1_2)
1290 return 1;
1291#else
1292 tlsver = TLS1_2_VERSION;
1293#endif
1294 }
1295
eb818d23
JB		 1296 cis_ktls_tx = (test & 1) != 0;
1297 cis_ktls_rx = (test & 2) != 0;
1298 sis_ktls_tx = (test & 4) != 0;
1299 sis_ktls_rx = (test & 8) != 0;
1300
cd03b5dc
JB		 1301#if defined(OPENSSL_NO_KTLS_RX)
1302 if (cis_ktls_rx || sis_ktls_rx)
1303 return 1;
1304#endif
18efb630
JB		 1305#if !defined(OPENSSL_NO_TLS1_3)
1306 if (tlsver == TLS1_3_VERSION && (cis_ktls_rx || sis_ktls_rx))
1307 return 1;
1308#endif
cd03b5dc 1309
eb818d23
JB		 1310 testresult = 1;
1311#ifdef OPENSSL_KTLS_AES_GCM_128
1312 testresult &= execute_test_ktls(cis_ktls_tx, cis_ktls_rx, sis_ktls_tx,
1313 sis_ktls_rx, tlsver, "AES128-GCM-SHA256",
1314 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1315#endif
1316#ifdef OPENSSL_KTLS_AES_CCM_128
1317 testresult &= execute_test_ktls(cis_ktls_tx, cis_ktls_rx, sis_ktls_tx,
ab114c6d 1318 sis_ktls_rx, tlsver, "AES128-CCM",
eb818d23
JB		 1319 TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1320#endif
1321#ifdef OPENSSL_KTLS_AES_GCM_256
1322 testresult &= execute_test_ktls(cis_ktls_tx, cis_ktls_rx, sis_ktls_tx,
1323 sis_ktls_rx, tlsver, "AES256-GCM-SHA384",
1324 TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1325#endif
1326 return testresult;
2fab79af
BP		 1327}
1328
da4db160 1329static int test_ktls_sendfile_anytls(int tst)
fe5d9450 1330{
ab114c6d 1331 char *cipher[] = {"AES128-GCM-SHA256","AES128-CCM","AES256-GCM-SHA384"};
da4db160
VF		 1332 int tlsver;
1333
1334 if (tst > 2) {
1335#if defined(OPENSSL_NO_TLS1_3)
1336 return 1;
1337#else
1338 tst -= 3;
1339 tlsver = TLS1_3_VERSION;
1340#endif
1341 } else {
1342#if defined(OPENSSL_NO_TLS1_2)
1343 return 1;
1344#else
1345 tlsver = TLS1_2_VERSION;
1346#endif
1347 }
1348
1349#ifndef OPENSSL_KTLS_AES_GCM_128
1350 if(tst == 0) return 1;
1351#endif
1352#ifndef OPENSSL_KTLS_AES_CCM_128
1353 if(tst == 1) return 1;
1354#endif
1355#ifndef OPENSSL_KTLS_AES_GCM_256
1356 if(tst == 2) return 1;
1357#endif
1358 return test_ktls_sendfile(tlsver, cipher[tst]);
fe5d9450 1359}
da4db160
VF		 1360
1361#endif
fe5d9450
BP		 1362#endif
1363
84d5549e
MC		 1364static int test_large_message_tls(void)
1365{
7856332e 1366 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1367 TLS1_VERSION, 0, 0);
7856332e
MC		 1368}
1369
1370static int test_large_message_tls_read_ahead(void)
1371{
1372 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1373 TLS1_VERSION, 0, 1);
84d5549e
MC		 1374}
1375
55386bef 1376#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 1377static int test_large_message_dtls(void)
1378{
7856332e
MC		 1379 /*
1380 * read_ahead is not relevant to DTLS because DTLS always acts as if
1381 * read_ahead is set.
1382 */
84d5549e 1383 return execute_test_large_message(DTLS_server_method(),
7d7f6834 1384 DTLS_client_method(),
5c587fb6 1385 DTLS1_VERSION, 0, 0);
84d5549e 1386}
55386bef 1387#endif
84d5549e 1388
163b8016
ME		 1389static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1390 const SSL_METHOD *cmeth,
1391 int min_version, int max_version)
1392{
1393 size_t i;
1394 SSL_CTX *cctx = NULL, *sctx = NULL;
1395 SSL *clientssl = NULL, *serverssl = NULL;
1396 int testresult = 0;
1397 SSL3_RECORD *rr;
1398 void *zbuf;
1399
1400 static unsigned char cbuf[16000];
1401 static unsigned char sbuf[16000];
1402
1403 if (!TEST_true(create_ssl_ctx_pair(libctx,
1404 smeth, cmeth,
1405 min_version, max_version,
1406 &sctx, &cctx, cert,
1407 privkey)))
1408 goto end;
1409
1410 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1411 NULL, NULL)))
1412 goto end;
1413
1414 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1415 goto end;
1416
1417 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1418 SSL_ERROR_NONE)))
1419 goto end;
1420
1421 for (i = 0; i < sizeof(cbuf); i++) {
1422 cbuf[i] = i & 0xff;
1423 }
1424
1425 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1426 goto end;
1427
1428 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1429 goto end;
1430
1431 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1432 goto end;
1433
1434 /*
1435 * Since we called SSL_peek(), we know the data in the record
1436 * layer is a plaintext record. We can gather the pointer to check
1437 * for zeroization after SSL_read().
1438 */
1439 rr = serverssl->rlayer.rrec;
1440 zbuf = &rr->data[rr->off];
1441 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1442 goto end;
1443
1444 /*
1445 * After SSL_peek() the plaintext must still be stored in the
1446 * record.
1447 */
1448 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1449 goto end;
1450
1451 memset(sbuf, 0, sizeof(sbuf));
1452 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1453 goto end;
1454
1455 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1456 goto end;
1457
1458 /* Check if rbuf is cleansed */
1459 memset(cbuf, 0, sizeof(cbuf));
1460 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1461 goto end;
1462
1463 testresult = 1;
1464 end:
1465 SSL_free(serverssl);
1466 SSL_free(clientssl);
1467 SSL_CTX_free(sctx);
1468 SSL_CTX_free(cctx);
1469
1470 return testresult;
1471}
1472
1473static int test_cleanse_plaintext(void)
1474{
1475#if !defined(OPENSSL_NO_TLS1_2)
1476 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1477 TLS_client_method(),
1478 TLS1_2_VERSION,
1479 TLS1_2_VERSION)))
1480 return 0;
1481
1482#endif
1483
1484#if !defined(OPENSSL_NO_TLS1_3)
1485 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1486 TLS_client_method(),
1487 TLS1_3_VERSION,
1488 TLS1_3_VERSION)))
1489 return 0;
1490#endif
1491
1492#if !defined(OPENSSL_NO_DTLS)
1493 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1494 DTLS_client_method(),
1495 DTLS1_VERSION,
1496 0)))
1497 return 0;
1498#endif
1499 return 1;
1500}
1501
8f8c11d8 1502#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 1503static int ocsp_server_cb(SSL *s, void *arg)
1504{
1505 int *argi = (int *)arg;
710756a9 1506 unsigned char *copy = NULL;
ba881d3b
MC		 1507 STACK_OF(OCSP_RESPID) *ids = NULL;
1508 OCSP_RESPID *id = NULL;
1509
1510 if (*argi == 2) {
1511 /* In this test we are expecting exactly 1 OCSP_RESPID */
1512 SSL_get_tlsext_status_ids(s, &ids);
1513 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1514 return SSL_TLSEXT_ERR_ALERT_FATAL;
1515
1516 id = sk_OCSP_RESPID_value(ids, 0);
5e30f2fd 1517 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
ba881d3b
MC		 1518 return SSL_TLSEXT_ERR_ALERT_FATAL;
1519 } else if (*argi != 1) {
1520 return SSL_TLSEXT_ERR_ALERT_FATAL;
1521 }
1522
710756a9 1523 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 1524 return SSL_TLSEXT_ERR_ALERT_FATAL;
1525
710756a9 1526 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
ba881d3b 1527 ocsp_server_called = 1;
ba881d3b
MC		 1528 return SSL_TLSEXT_ERR_OK;
1529}
1530
1531static int ocsp_client_cb(SSL *s, void *arg)
1532{
1533 int *argi = (int *)arg;
1534 const unsigned char *respderin;
1535 size_t len;
1536
1537 if (*argi != 1 && *argi != 2)
1538 return 0;
1539
1540 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 1541 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 1542 return 0;
1543
1544 ocsp_client_called = 1;
ba881d3b
MC		 1545 return 1;
1546}
1547
2cb4b5f6
MC		 1548static int test_tlsext_status_type(void)
1549{
ba881d3b
MC		 1550 SSL_CTX *cctx = NULL, *sctx = NULL;
1551 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 1552 int testresult = 0;
ba881d3b
MC		 1553 STACK_OF(OCSP_RESPID) *ids = NULL;
1554 OCSP_RESPID *id = NULL;
1555 BIO *certbio = NULL;
2cb4b5f6 1556
5e30f2fd 1557 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
5c587fb6 1558 TLS1_VERSION, 0,
7d7f6834 1559 &sctx, &cctx, cert, privkey))
ba881d3b 1560 return 0;
2cb4b5f6 1561
710756a9 1562 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 1563 goto end;
2cb4b5f6 1564
ba881d3b 1565 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 1566
ba881d3b 1567 clientssl = SSL_new(cctx);
710756a9
RS		 1568 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1569 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1570 TLSEXT_STATUSTYPE_ocsp))
1571 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1572 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 1573 goto end;
2cb4b5f6 1574
ba881d3b
MC		 1575 SSL_free(clientssl);
1576 clientssl = NULL;
2cb4b5f6 1577
710756a9
RS		 1578 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1579 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1580 goto end;
2cb4b5f6 1581
ba881d3b 1582 clientssl = SSL_new(cctx);
710756a9 1583 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1584 goto end;
ba881d3b
MC		 1585 SSL_free(clientssl);
1586 clientssl = NULL;
1587
1588 /*
1589 * Now actually do a handshake and check OCSP information is exchanged and
1590 * the callbacks get called
1591 */
ba881d3b
MC		 1592 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1593 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1594 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1595 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 1596 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1597 &clientssl, NULL, NULL))
1598 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1599 SSL_ERROR_NONE))
1600 || !TEST_true(ocsp_client_called)
1601 || !TEST_true(ocsp_server_called))
ba881d3b 1602 goto end;
ba881d3b
MC		 1603 SSL_free(serverssl);
1604 SSL_free(clientssl);
1605 serverssl = NULL;
1606 clientssl = NULL;
1607
1608 /* Try again but this time force the server side callback to fail */
1609 ocsp_client_called = 0;
1610 ocsp_server_called = 0;
1611 cdummyarg = 0;
710756a9
RS		 1612 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1613 &clientssl, NULL, NULL))
1614 /* This should fail because the callback will fail */
1615 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1616 SSL_ERROR_NONE))
1617 || !TEST_false(ocsp_client_called)
1618 || !TEST_false(ocsp_server_called))
ba881d3b 1619 goto end;
ba881d3b
MC		 1620 SSL_free(serverssl);
1621 SSL_free(clientssl);
1622 serverssl = NULL;
1623 clientssl = NULL;
1624
1625 /*
1626 * This time we'll get the client to send an OCSP_RESPID that it will
1627 * accept.
1628 */
1629 ocsp_client_called = 0;
1630 ocsp_server_called = 0;
1631 cdummyarg = 2;
710756a9
RS		 1632 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1633 &clientssl, NULL, NULL)))
ba881d3b 1634 goto end;
ba881d3b
MC		 1635
1636 /*
1637 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 1638 * specific one. We'll use the server cert.
ba881d3b 1639 */
710756a9
RS		 1640 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1641 || !TEST_ptr(id = OCSP_RESPID_new())
1642 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
d8652be0 1643 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
6725682d 1644 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
5e30f2fd 1645 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
710756a9 1646 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 1647 goto end;
ba881d3b
MC		 1648 id = NULL;
1649 SSL_set_tlsext_status_ids(clientssl, ids);
1650 /* Control has been transferred */
1651 ids = NULL;
1652
1653 BIO_free(certbio);
1654 certbio = NULL;
1655
710756a9
RS		 1656 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1657 SSL_ERROR_NONE))
1658 || !TEST_true(ocsp_client_called)
1659 || !TEST_true(ocsp_server_called))
ba881d3b 1660 goto end;
ba881d3b 1661
2cb4b5f6
MC		 1662 testresult = 1;
1663
1664 end:
ba881d3b
MC		 1665 SSL_free(serverssl);
1666 SSL_free(clientssl);
1667 SSL_CTX_free(sctx);
1668 SSL_CTX_free(cctx);
1669 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1670 OCSP_RESPID_free(id);
1671 BIO_free(certbio);
1672 X509_free(ocspcert);
1673 ocspcert = NULL;
2cb4b5f6
MC		 1674
1675 return testresult;
1676}
8f8c11d8 1677#endif
2cb4b5f6 1678
bf208d95 1679#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 1680static int new_called, remove_called, get_called;
eaa776da 1681
eaa776da
MC		 1682static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1683{
1684 new_called++;
c0537ebd
MC		 1685 /*
1686 * sess has been up-refed for us, but we don't actually need it so free it
1687 * immediately.
1688 */
1689 SSL_SESSION_free(sess);
eaa776da
MC		 1690 return 1;
1691}
1692
1693static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1694{
1695 remove_called++;
1696}
1697
7a301f08
MC		 1698static SSL_SESSION *get_sess_val = NULL;
1699
1700static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1701 int *copy)
1702{
0afca811 1703 get_called++;
7a301f08
MC		 1704 *copy = 1;
1705 return get_sess_val;
1706}
1707
7a301f08 1708static int execute_test_session(int maxprot, int use_int_cache,
90fc2c26 1709 int use_ext_cache, long s_options)
2cb4b5f6
MC		 1710{
1711 SSL_CTX *sctx = NULL, *cctx = NULL;
1712 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1713 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 1714# ifndef OPENSSL_NO_TLS1_1
eaa776da 1715 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 1716# endif
2cb4b5f6 1717 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
36ff232c 1718 int testresult = 0, numnewsesstick = 1;
2cb4b5f6 1719
7e885b7b
P		 1720 new_called = remove_called = 0;
1721
36ff232c
MC		 1722 /* TLSv1.3 sends 2 NewSessionTickets */
1723 if (maxprot == TLS1_3_VERSION)
1724 numnewsesstick = 2;
1725
5e30f2fd
MC		 1726 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1727 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 1728 &sctx, &cctx, cert, privkey)))
2cb4b5f6 1729 return 0;
2cb4b5f6 1730
7a301f08
MC		 1731 /*
1732 * Only allow the max protocol version so we can force a connection failure
1733 * later
1734 */
1735 SSL_CTX_set_min_proto_version(cctx, maxprot);
1736 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 1737
1738 /* Set up session cache */
7e885b7b 1739 if (use_ext_cache) {
eaa776da
MC		 1740 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1741 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1742 }
7e885b7b 1743 if (use_int_cache) {
eaa776da
MC		 1744 /* Also covers instance where both are set */
1745 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1746 } else {
1747 SSL_CTX_set_session_cache_mode(cctx,
1748 SSL_SESS_CACHE_CLIENT
1749 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1750 }
2cb4b5f6 1751
90fc2c26
NM		 1752 if (s_options) {
1753 SSL_CTX_set_options(sctx, s_options);
1754 }
1755
710756a9
RS		 1756 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1757 NULL, NULL))
1758 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1759 SSL_ERROR_NONE))
1760 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 1761 goto end;
2cb4b5f6 1762
710756a9 1763 /* Should fail because it should already be in the cache */
7e885b7b 1764 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 1765 goto end;
7a301f08 1766 if (use_ext_cache
36ff232c
MC		 1767 && (!TEST_int_eq(new_called, numnewsesstick)
1768
1769 || !TEST_int_eq(remove_called, 0)))
b4982125 1770 goto end;
b4982125 1771
c0537ebd
MC		 1772 new_called = remove_called = 0;
1773 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1774 &clientssl2, NULL, NULL))
1775 || !TEST_true(SSL_set_session(clientssl2, sess1))
1776 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1777 SSL_ERROR_NONE))
1778 || !TEST_true(SSL_session_reused(clientssl2)))
1779 goto end;
1780
7a301f08
MC		 1781 if (maxprot == TLS1_3_VERSION) {
1782 /*
1783 * In TLSv1.3 we should have created a new session even though we have
4cb00457
MC		 1784 * resumed. Since we attempted a resume we should also have removed the
1785 * old ticket from the cache so that we try to only use tickets once.
7a301f08
MC		 1786 */
1787 if (use_ext_cache
1788 && (!TEST_int_eq(new_called, 1)
4cb00457 1789 || !TEST_int_eq(remove_called, 1)))
7a301f08
MC		 1790 goto end;
1791 } else {
1792 /*
1793 * In TLSv1.2 we expect to have resumed so no sessions added or
1794 * removed.
1795 */
1796 if (use_ext_cache
1797 && (!TEST_int_eq(new_called, 0)
1798 || !TEST_int_eq(remove_called, 0)))
1799 goto end;
1800 }
c0537ebd
MC		 1801
1802 SSL_SESSION_free(sess1);
1803 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1804 goto end;
1805 shutdown_ssl_connection(serverssl2, clientssl2);
1806 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 1807
1808 new_called = remove_called = 0;
710756a9
RS		 1809 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1810 &clientssl2, NULL, NULL))
1811 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1812 SSL_ERROR_NONE)))
2cb4b5f6 1813 goto end;
2cb4b5f6 1814
710756a9 1815 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 1816 goto end;
2cb4b5f6 1817
7a301f08 1818 if (use_ext_cache
36ff232c
MC		 1819 && (!TEST_int_eq(new_called, numnewsesstick)
1820 || !TEST_int_eq(remove_called, 0)))
eaa776da 1821 goto end;
eaa776da 1822
c0537ebd 1823 new_called = remove_called = 0;
2cb4b5f6 1824 /*
710756a9
RS		 1825 * This should clear sess2 from the cache because it is a "bad" session.
1826 * See SSL_set_session() documentation.
2cb4b5f6 1827 */
710756a9 1828 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 1829 goto end;
7a301f08
MC		 1830 if (use_ext_cache
1831 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 1832 goto end;
710756a9 1833 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 1834 goto end;
2cb4b5f6 1835
7e885b7b 1836 if (use_int_cache) {
710756a9
RS		 1837 /* Should succeeded because it should not already be in the cache */
1838 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1839 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 1840 goto end;
eaa776da
MC		 1841 }
1842
c0537ebd 1843 new_called = remove_called = 0;
eaa776da 1844 /* This shouldn't be in the cache so should fail */
710756a9 1845 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 1846 goto end;
2cb4b5f6 1847
7a301f08
MC		 1848 if (use_ext_cache
1849 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1850 goto end;
2cb4b5f6 1851
bf208d95 1852# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 1853 new_called = remove_called = 0;
eaa776da
MC		 1854 /* Force a connection failure */
1855 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 1856 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1857 &clientssl3, NULL, NULL))
1858 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 1859 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 1860 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1861 SSL_ERROR_NONE)))
eaa776da 1862 goto end;
b4982125 1863
eaa776da 1864 /* We should have automatically removed the session from the cache */
7a301f08
MC		 1865 if (use_ext_cache
1866 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1867 goto end;
2cb4b5f6 1868
710756a9 1869 /* Should succeed because it should not already be in the cache */
7e885b7b 1870 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 1871 goto end;
bf208d95 1872# endif
eaa776da 1873
7a301f08
MC		 1874 /* Now do some tests for server side caching */
1875 if (use_ext_cache) {
1876 SSL_CTX_sess_set_new_cb(cctx, NULL);
1877 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1878 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1879 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1880 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1881 get_sess_val = NULL;
1882 }
1883
1884 SSL_CTX_set_session_cache_mode(cctx, 0);
1885 /* Internal caching is the default on the server side */
1886 if (!use_int_cache)
1887 SSL_CTX_set_session_cache_mode(sctx,
1888 SSL_SESS_CACHE_SERVER
1889 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1890
1891 SSL_free(serverssl1);
1892 SSL_free(clientssl1);
1893 serverssl1 = clientssl1 = NULL;
1894 SSL_free(serverssl2);
1895 SSL_free(clientssl2);
1896 serverssl2 = clientssl2 = NULL;
1897 SSL_SESSION_free(sess1);
1898 sess1 = NULL;
1899 SSL_SESSION_free(sess2);
1900 sess2 = NULL;
1901
1902 SSL_CTX_set_max_proto_version(sctx, maxprot);
6cc0b3c2
MC		 1903 if (maxprot == TLS1_2_VERSION)
1904 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 1905 new_called = remove_called = get_called = 0;
7a301f08
MC		 1906 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1907 NULL, NULL))
1908 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1909 SSL_ERROR_NONE))
1910 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1911 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1912 goto end;
1913
ee94ec2e
MC		 1914 if (use_int_cache) {
1915 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1916 /*
1917 * In TLSv1.3 it should not have been added to the internal cache,
1918 * except in the case where we also have an external cache (in that
1919 * case it gets added to the cache in order to generate remove
1920 * events after timeout).
1921 */
1922 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1923 goto end;
1924 } else {
1925 /* Should fail because it should already be in the cache */
1926 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1927 goto end;
1928 }
1929 }
7a301f08
MC		 1930
1931 if (use_ext_cache) {
1932 SSL_SESSION *tmp = sess2;
1933
36ff232c 1934 if (!TEST_int_eq(new_called, numnewsesstick)
0afca811
KY		 1935 || !TEST_int_eq(remove_called, 0)
1936 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 1937 goto end;
1938 /*
1939 * Delete the session from the internal cache to force a lookup from
1940 * the external cache. We take a copy first because
1941 * SSL_CTX_remove_session() also marks the session as non-resumable.
1942 */
ee94ec2e 1943 if (use_int_cache && maxprot != TLS1_3_VERSION) {
3cb6a4d6
BK		 1944 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1945 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1946 goto end;
1947 SSL_SESSION_free(sess2);
1948 }
7a301f08
MC		 1949 sess2 = tmp;
1950 }
1951
0afca811 1952 new_called = remove_called = get_called = 0;
7a301f08
MC		 1953 get_sess_val = sess2;
1954 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1955 &clientssl2, NULL, NULL))
1956 || !TEST_true(SSL_set_session(clientssl2, sess1))
1957 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1958 SSL_ERROR_NONE))
1959 || !TEST_true(SSL_session_reused(clientssl2)))
1960 goto end;
1961
0afca811 1962 if (use_ext_cache) {
32305f88 1963 if (!TEST_int_eq(remove_called, 0))
0afca811
KY		 1964 goto end;
1965
1966 if (maxprot == TLS1_3_VERSION) {
32305f88
MC		 1967 if (!TEST_int_eq(new_called, 1)
1968 || !TEST_int_eq(get_called, 0))
0afca811
KY		 1969 goto end;
1970 } else {
32305f88
MC		 1971 if (!TEST_int_eq(new_called, 0)
1972 || !TEST_int_eq(get_called, 1))
0afca811
KY		 1973 goto end;
1974 }
1975 }
7a301f08 1976
2cb4b5f6 1977 testresult = 1;
eaa776da 1978
2cb4b5f6
MC		 1979 end:
1980 SSL_free(serverssl1);
1981 SSL_free(clientssl1);
1982 SSL_free(serverssl2);
1983 SSL_free(clientssl2);
bf208d95 1984# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 1985 SSL_free(serverssl3);
1986 SSL_free(clientssl3);
bf208d95 1987# endif
2cb4b5f6
MC		 1988 SSL_SESSION_free(sess1);
1989 SSL_SESSION_free(sess2);
1990 SSL_CTX_free(sctx);
1991 SSL_CTX_free(cctx);
1992
1993 return testresult;
1994}
bf208d95 1995#endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 1996
7fb4c820
MC		 1997static int test_session_with_only_int_cache(void)
1998{
7a301f08 1999#ifndef OPENSSL_NO_TLS1_3
90fc2c26 2000 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
7a301f08
MC		 2001 return 0;
2002#endif
2003
2004#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2005 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
7a301f08
MC		 2006#else
2007 return 1;
2008#endif
eaa776da
MC		 2009}
2010
7fb4c820
MC		 2011static int test_session_with_only_ext_cache(void)
2012{
7a301f08 2013#ifndef OPENSSL_NO_TLS1_3
90fc2c26 2014 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
7a301f08
MC		 2015 return 0;
2016#endif
2017
2018#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2019 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
7a301f08
MC		 2020#else
2021 return 1;
2022#endif
eaa776da
MC		 2023}
2024
7fb4c820
MC		 2025static int test_session_with_both_cache(void)
2026{
7a301f08 2027#ifndef OPENSSL_NO_TLS1_3
90fc2c26
NM		 2028 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2029 return 0;
2030#endif
2031
2032#ifndef OPENSSL_NO_TLS1_2
2033 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2034#else
2035 return 1;
2036#endif
2037}
2038
2039static int test_session_wo_ca_names(void)
2040{
2041#ifndef OPENSSL_NO_TLS1_3
2042 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
7a301f08
MC		 2043 return 0;
2044#endif
2045
2046#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2047 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
7a301f08
MC		 2048#else
2049 return 1;
2050#endif
eaa776da
MC		 2051}
2052
90fc2c26 2053
04225915 2054#ifndef OPENSSL_NO_TLS1_3
c22365b3
MC		 2055static SSL_SESSION *sesscache[6];
2056static int do_cache;
36ff232c
MC		 2057
2058static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2059{
c22365b3
MC		 2060 if (do_cache) {
2061 sesscache[new_called] = sess;
2062 } else {
2063 /* We don't need the reference to the session, so free it */
2064 SSL_SESSION_free(sess);
2065 }
2066 new_called++;
2067
2068 return 1;
2069}
2070
2071static int post_handshake_verify(SSL *sssl, SSL *cssl)
2072{
2073 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2074 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2075 return 0;
2076
2077 /* Start handshake on the server and client */
2078 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2079 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2080 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2081 || !TEST_true(create_ssl_connection(sssl, cssl,
2082 SSL_ERROR_NONE)))
2083 return 0;
36ff232c
MC		 2084
2085 return 1;
2086}
2087
fbe9dafd 2088static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
03cdf559
MC		 2089 SSL_CTX **cctx)
2090{
2091 int sess_id_ctx = 1;
2092
5e30f2fd
MC		 2093 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2094 TLS_client_method(), TLS1_VERSION, 0,
2095 sctx, cctx, cert, privkey))
03cdf559
MC		 2096 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2097 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2098 (void *)&sess_id_ctx,
2099 sizeof(sess_id_ctx))))
2100 return 0;
2101
2102 if (stateful)
2103 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2104
2105 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2106 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2107 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2108
2109 return 1;
2110}
2111
2112static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2113{
2114 SSL *serverssl = NULL, *clientssl = NULL;
2115 int i;
2116
2117 /* Test that we can resume with all the tickets we got given */
2118 for (i = 0; i < idx * 2; i++) {
2119 new_called = 0;
2120 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2121 &clientssl, NULL, NULL))
2122 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2123 goto end;
2124
32097b33 2125 SSL_set_post_handshake_auth(clientssl, 1);
03cdf559
MC		 2126
2127 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2128 SSL_ERROR_NONE)))
2129 goto end;
2130
2131 /*
2132 * Following a successful resumption we only get 1 ticket. After a
2133 * failed one we should get idx tickets.
2134 */
2135 if (succ) {
2136 if (!TEST_true(SSL_session_reused(clientssl))
2137 || !TEST_int_eq(new_called, 1))
2138 goto end;
2139 } else {
2140 if (!TEST_false(SSL_session_reused(clientssl))
2141 || !TEST_int_eq(new_called, idx))
2142 goto end;
2143 }
2144
2145 new_called = 0;
2146 /* After a post-handshake authentication we should get 1 new ticket */
2147 if (succ
2148 && (!post_handshake_verify(serverssl, clientssl)
2149 || !TEST_int_eq(new_called, 1)))
2150 goto end;
2151
2152 SSL_shutdown(clientssl);
2153 SSL_shutdown(serverssl);
2154 SSL_free(serverssl);
2155 SSL_free(clientssl);
2156 serverssl = clientssl = NULL;
2157 SSL_SESSION_free(sesscache[i]);
2158 sesscache[i] = NULL;
2159 }
2160
2161 return 1;
2162
2163 end:
2164 SSL_free(clientssl);
2165 SSL_free(serverssl);
2166 return 0;
2167}
2168
04d7814a 2169static int test_tickets(int stateful, int idx)
36ff232c
MC		 2170{
2171 SSL_CTX *sctx = NULL, *cctx = NULL;
2172 SSL *serverssl = NULL, *clientssl = NULL;
03cdf559 2173 int testresult = 0;
36ff232c
MC		 2174 size_t j;
2175
2176 /* idx is the test number, but also the number of tickets we want */
2177
2178 new_called = 0;
c22365b3 2179 do_cache = 1;
36ff232c 2180
fbe9dafd 2181 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
36ff232c
MC		 2182 goto end;
2183
03cdf559
MC		 2184 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2185 &clientssl, NULL, NULL)))
2186 goto end;
2187
2188 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2189 SSL_ERROR_NONE))
2190 /* Check we got the number of tickets we were expecting */
2191 || !TEST_int_eq(idx, new_called))
2192 goto end;
04d7814a 2193
03cdf559
MC		 2194 SSL_shutdown(clientssl);
2195 SSL_shutdown(serverssl);
2196 SSL_free(serverssl);
2197 SSL_free(clientssl);
2198 SSL_CTX_free(sctx);
2199 SSL_CTX_free(cctx);
2200 clientssl = serverssl = NULL;
2201 sctx = cctx = NULL;
2202
2203 /*
2204 * Now we try to resume with the tickets we previously created. The
2205 * resumption attempt is expected to fail (because we're now using a new
2206 * SSL_CTX). We should see idx number of tickets issued again.
2207 */
2208
2209 /* Stop caching sessions - just count them */
2210 do_cache = 0;
2211
fbe9dafd 2212 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559
MC		 2213 goto end;
2214
2215 if (!check_resumption(idx, sctx, cctx, 0))
2216 goto end;
2217
2218 /* Start again with caching sessions */
2219 new_called = 0;
2220 do_cache = 1;
fbe9dafd
MC		 2221 SSL_CTX_free(sctx);
2222 SSL_CTX_free(cctx);
2223 sctx = cctx = NULL;
03cdf559 2224
fbe9dafd 2225 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559 2226 goto end;
36ff232c
MC		 2227
2228 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2229 &clientssl, NULL, NULL)))
2230 goto end;
2231
32097b33 2232 SSL_set_post_handshake_auth(clientssl, 1);
36ff232c
MC		 2233
2234 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2235 SSL_ERROR_NONE))
2236 /* Check we got the number of tickets we were expecting */
2237 || !TEST_int_eq(idx, new_called))
2238 goto end;
2239
2240 /* After a post-handshake authentication we should get new tickets issued */
c22365b3 2241 if (!post_handshake_verify(serverssl, clientssl)
36ff232c
MC		 2242 || !TEST_int_eq(idx * 2, new_called))
2243 goto end;
2244
36ff232c
MC		 2245 SSL_shutdown(clientssl);
2246 SSL_shutdown(serverssl);
2247 SSL_free(serverssl);
2248 SSL_free(clientssl);
2249 serverssl = clientssl = NULL;
2250
c22365b3
MC		 2251 /* Stop caching sessions - just count them */
2252 do_cache = 0;
2253
03cdf559
MC		 2254 /*
2255 * Check we can resume with all the tickets we created. This time around the
2256 * resumptions should all be successful.
2257 */
2258 if (!check_resumption(idx, sctx, cctx, 1))
2259 goto end;
36ff232c
MC		 2260
2261 testresult = 1;
2262
2263 end:
2264 SSL_free(serverssl);
2265 SSL_free(clientssl);
c22365b3 2266 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
36ff232c 2267 SSL_SESSION_free(sesscache[j]);
c22365b3
MC		 2268 sesscache[j] = NULL;
2269 }
36ff232c
MC		 2270 SSL_CTX_free(sctx);
2271 SSL_CTX_free(cctx);
2272
2273 return testresult;
2274}
04d7814a
MC		 2275
2276static int test_stateless_tickets(int idx)
2277{
2278 return test_tickets(0, idx);
2279}
2280
2281static int test_stateful_tickets(int idx)
2282{
2283 return test_tickets(1, idx);
2284}
8614a4eb
MC		 2285
2286static int test_psk_tickets(void)
2287{
2288 SSL_CTX *sctx = NULL, *cctx = NULL;
2289 SSL *serverssl = NULL, *clientssl = NULL;
2290 int testresult = 0;
2291 int sess_id_ctx = 1;
2292
5e30f2fd
MC		 2293 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2294 TLS_client_method(), TLS1_VERSION, 0,
2295 &sctx, &cctx, NULL, NULL))
8614a4eb
MC		 2296 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2297 (void *)&sess_id_ctx,
2298 sizeof(sess_id_ctx))))
2299 goto end;
2300
2301 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2302 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2303 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2304 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2305 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2306 use_session_cb_cnt = 0;
2307 find_session_cb_cnt = 0;
2308 srvid = pskid;
2309 new_called = 0;
2310
2311 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2312 NULL, NULL)))
2313 goto end;
2314 clientpsk = serverpsk = create_a_psk(clientssl);
2315 if (!TEST_ptr(clientpsk))
2316 goto end;
2317 SSL_SESSION_up_ref(clientpsk);
2318
2319 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2320 SSL_ERROR_NONE))
2321 || !TEST_int_eq(1, find_session_cb_cnt)
2322 || !TEST_int_eq(1, use_session_cb_cnt)
2323 /* We should always get 1 ticket when using external PSK */
2324 || !TEST_int_eq(1, new_called))
2325 goto end;
2326
2327 testresult = 1;
2328
2329 end:
2330 SSL_free(serverssl);
2331 SSL_free(clientssl);
2332 SSL_CTX_free(sctx);
2333 SSL_CTX_free(cctx);
2334 SSL_SESSION_free(clientpsk);
2335 SSL_SESSION_free(serverpsk);
2336 clientpsk = serverpsk = NULL;
2337
2338 return testresult;
2339}
f0049b86
BK		 2340
2341static int test_extra_tickets(int idx)
2342{
2343 SSL_CTX *sctx = NULL, *cctx = NULL;
2344 SSL *serverssl = NULL, *clientssl = NULL;
2345 BIO *bretry = BIO_new(bio_s_always_retry());
2346 BIO *tmp = NULL;
2347 int testresult = 0;
2348 int stateful = 0;
2349 size_t nbytes;
2350 unsigned char c, buf[1];
2351
2352 new_called = 0;
2353 do_cache = 1;
2354
2355 if (idx >= 3) {
2356 idx -= 3;
2357 stateful = 1;
2358 }
2359
2360 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2361 goto end;
2362 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2363 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2364 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2365
2366 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2367 &clientssl, NULL, NULL)))
2368 goto end;
2369
2370 /*
2371 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2372 * incremented by both client and server.
2373 */
2374 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2375 SSL_ERROR_NONE))
2376 /* Check we got the number of tickets we were expecting */
2377 || !TEST_int_eq(idx * 2, new_called)
2378 || !TEST_true(SSL_new_session_ticket(serverssl))
2379 || !TEST_true(SSL_new_session_ticket(serverssl))
2380 || !TEST_int_eq(idx * 2, new_called))
2381 goto end;
2382
2383 /* Now try a (real) write to actually send the tickets */
2384 c = '1';
2385 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2386 || !TEST_size_t_eq(1, nbytes)
2387 || !TEST_int_eq(idx * 2 + 2, new_called)
2388 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2389 || !TEST_int_eq(idx * 2 + 4, new_called)
2390 || !TEST_int_eq(sizeof(buf), nbytes)
2391 || !TEST_int_eq(c, buf[0])
2392 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2393 goto end;
2394
2395 /* Try with only requesting one new ticket, too */
2396 c = '2';
2397 new_called = 0;
2398 if (!TEST_true(SSL_new_session_ticket(serverssl))
2399 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2400 || !TEST_size_t_eq(sizeof(c), nbytes)
2401 || !TEST_int_eq(1, new_called)
2402 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2403 || !TEST_int_eq(2, new_called)
2404 || !TEST_size_t_eq(sizeof(buf), nbytes)
2405 || !TEST_int_eq(c, buf[0]))
2406 goto end;
2407
2408 /* Do it again but use dummy writes to drive the ticket generation */
2409 c = '3';
2410 new_called = 0;
2411 if (!TEST_true(SSL_new_session_ticket(serverssl))
2412 || !TEST_true(SSL_new_session_ticket(serverssl))
2413 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2414 || !TEST_size_t_eq(0, nbytes)
2415 || !TEST_int_eq(2, new_called)
2416 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2417 || !TEST_int_eq(4, new_called))
2418 goto end;
2419
2420 /*
2421 * Use the always-retry BIO to exercise the logic that forces ticket
2422 * generation to wait until a record boundary.
2423 */
2424 c = '4';
2425 new_called = 0;
2426 tmp = SSL_get_wbio(serverssl);
2427 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2428 tmp = NULL;
2429 goto end;
2430 }
2431 SSL_set0_wbio(serverssl, bretry);
2432 bretry = NULL;
2433 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2434 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2435 || !TEST_size_t_eq(nbytes, 0))
2436 goto end;
2437 /* Restore a BIO that will let the write succeed */
2438 SSL_set0_wbio(serverssl, tmp);
2439 tmp = NULL;
2440 /* These calls should just queue the request and not send anything. */
2441 if (!TEST_true(SSL_new_session_ticket(serverssl))
2442 || !TEST_true(SSL_new_session_ticket(serverssl))
2443 || !TEST_int_eq(0, new_called))
2444 goto end;
2445 /* Re-do the write; still no tickets sent */
2446 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2447 || !TEST_size_t_eq(1, nbytes)
2448 || !TEST_int_eq(0, new_called)
2449 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2450 || !TEST_int_eq(0, new_called)
2451 || !TEST_int_eq(sizeof(buf), nbytes)
2452 || !TEST_int_eq(c, buf[0])
2453 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2454 goto end;
2455 /* Now the *next* write should send the tickets */
2456 c = '5';
2457 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2458 || !TEST_size_t_eq(1, nbytes)
2459 || !TEST_int_eq(2, new_called)
2460 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2461 || !TEST_int_eq(4, new_called)
2462 || !TEST_int_eq(sizeof(buf), nbytes)
2463 || !TEST_int_eq(c, buf[0])
2464 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2465 goto end;
2466
2467 SSL_shutdown(clientssl);
2468 SSL_shutdown(serverssl);
2469 testresult = 1;
2470
2471 end:
2472 BIO_free(bretry);
2473 BIO_free(tmp);
2474 SSL_free(serverssl);
2475 SSL_free(clientssl);
2476 SSL_CTX_free(sctx);
2477 SSL_CTX_free(cctx);
2478 clientssl = serverssl = NULL;
2479 sctx = cctx = NULL;
2480 return testresult;
2481}
04225915 2482#endif
36ff232c 2483
7d4488bb
MC		 2484#define USE_NULL 0
2485#define USE_BIO_1 1
2486#define USE_BIO_2 2
2487#define USE_DEFAULT 3
2488
2489#define CONNTYPE_CONNECTION_SUCCESS 0
2490#define CONNTYPE_CONNECTION_FAIL 1
2491#define CONNTYPE_NO_CONNECTION 2
2492
2493#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2494#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2495#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2496# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2497#else
2498# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2499#endif
2500
7d4488bb
MC		 2501#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2502 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2503 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
7fb4c820
MC		 2504
2505static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2506{
2507 switch (type) {
2508 case USE_NULL:
2509 *res = NULL;
2510 break;
2511 case USE_BIO_1:
2512 *res = bio1;
2513 break;
2514 case USE_BIO_2:
2515 *res = bio2;
2516 break;
2517 }
2518}
2519
7d4488bb
MC		 2520
2521/*
2522 * Tests calls to SSL_set_bio() under various conditions.
2523 *
2524 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2525 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2526 * then do more tests where we create a successful connection first using our
2527 * standard connection setup functions, and then call SSL_set_bio() with
2528 * various combinations of valid BIOs or NULL. We then repeat these tests
2529 * following a failed connection. In this last case we are looking to check that
2530 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2531 */
7fb4c820
MC		 2532static int test_ssl_set_bio(int idx)
2533{
7d4488bb 2534 SSL_CTX *sctx = NULL, *cctx = NULL;
7fb4c820
MC		 2535 BIO *bio1 = NULL;
2536 BIO *bio2 = NULL;
0fae8150 2537 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7d4488bb
MC		 2538 SSL *serverssl = NULL, *clientssl = NULL;
2539 int initrbio, initwbio, newrbio, newwbio, conntype;
7fb4c820
MC		 2540 int testresult = 0;
2541
7d4488bb
MC		 2542 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2543 initrbio = idx % 3;
2544 idx /= 3;
2545 initwbio = idx % 3;
2546 idx /= 3;
2547 newrbio = idx % 3;
2548 idx /= 3;
2549 newwbio = idx % 3;
2550 conntype = CONNTYPE_NO_CONNECTION;
2551 } else {
2552 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2553 initrbio = initwbio = USE_DEFAULT;
2554 newrbio = idx % 2;
2555 idx /= 2;
2556 newwbio = idx % 2;
2557 idx /= 2;
2558 conntype = idx % 2;
2559 }
710756a9 2560
5e30f2fd
MC		 2561 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2562 TLS_client_method(), TLS1_VERSION, 0,
7d4488bb
MC		 2563 &sctx, &cctx, cert, privkey)))
2564 goto end;
2565
2566 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2567 /*
2568 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2569 * because we reduced the number of tests in the definition of
2570 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2571 * mismatched protocol versions we will force a connection failure.
2572 */
2573 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2574 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2575 }
2576
2577 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2578 NULL, NULL)))
710756a9 2579 goto end;
7fb4c820 2580
710756a9
RS		 2581 if (initrbio == USE_BIO_1
2582 || initwbio == USE_BIO_1
2583 || newrbio == USE_BIO_1
7fb4c820 2584 || newwbio == USE_BIO_1) {
710756a9 2585 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 2586 goto end;
7fb4c820
MC		 2587 }
2588
710756a9
RS		 2589 if (initrbio == USE_BIO_2
2590 || initwbio == USE_BIO_2
2591 || newrbio == USE_BIO_2
7fb4c820 2592 || newwbio == USE_BIO_2) {
710756a9 2593 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 2594 goto end;
7fb4c820
MC		 2595 }
2596
7d4488bb
MC		 2597 if (initrbio != USE_DEFAULT) {
2598 setupbio(&irbio, bio1, bio2, initrbio);
2599 setupbio(&iwbio, bio1, bio2, initwbio);
2600 SSL_set_bio(clientssl, irbio, iwbio);
7fb4c820 2601
7d4488bb
MC		 2602 /*
2603 * We want to maintain our own refs to these BIO, so do an up ref for
2604 * each BIO that will have ownership transferred in the SSL_set_bio()
2605 * call
2606 */
2607 if (irbio != NULL)
2608 BIO_up_ref(irbio);
2609 if (iwbio != NULL && iwbio != irbio)
2610 BIO_up_ref(iwbio);
2611 }
7fb4c820 2612
7d4488bb
MC		 2613 if (conntype != CONNTYPE_NO_CONNECTION
2614 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2615 SSL_ERROR_NONE)
2616 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2617 goto end;
7fb4c820
MC		 2618
2619 setupbio(&nrbio, bio1, bio2, newrbio);
2620 setupbio(&nwbio, bio1, bio2, newwbio);
2621
2622 /*
2623 * We will (maybe) transfer ownership again so do more up refs.
2624 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2625 * already been set!
2626 */
710756a9
RS		 2627 if (nrbio != NULL
2628 && nrbio != irbio
2629 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 2630 BIO_up_ref(nrbio);
710756a9
RS		 2631 if (nwbio != NULL
2632 && nwbio != nrbio
2633 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 2634 BIO_up_ref(nwbio);
2635
7d4488bb 2636 SSL_set_bio(clientssl, nrbio, nwbio);
7fb4c820
MC		 2637
2638 testresult = 1;
2639
2640 end:
7fb4c820
MC		 2641 BIO_free(bio1);
2642 BIO_free(bio2);
710756a9 2643
7fb4c820
MC		 2644 /*
2645 * This test is checking that the ref counting for SSL_set_bio is correct.
2646 * If we get here and we did too many frees then we will fail in the above
742ccab3 2647 * functions.
7fb4c820 2648 */
7d4488bb
MC		 2649 SSL_free(serverssl);
2650 SSL_free(clientssl);
2651 SSL_CTX_free(sctx);
2652 SSL_CTX_free(cctx);
7fb4c820
MC		 2653 return testresult;
2654}
2655
7e885b7b 2656typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 2657
7e885b7b 2658static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 2659{
2660 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 2661 SSL_CTX *ctx;
9a716987
MC		 2662 SSL *ssl = NULL;
2663 int testresult = 0;
2664
d8652be0 2665 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
710756a9
RS		 2666 || !TEST_ptr(ssl = SSL_new(ctx))
2667 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2668 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 2669 goto end;
9a716987
MC		 2670
2671 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2672
2673 /*
742ccab3 2674 * If anything goes wrong here then we could leak memory.
9a716987
MC		 2675 */
2676 BIO_push(sslbio, membio1);
2677
69687aa8 2678 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 2679 if (change_bio != NO_BIO_CHANGE) {
710756a9 2680 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
9a716987 2681 goto end;
7e885b7b 2682 if (change_bio == CHANGE_RBIO)
65e2d672 2683 SSL_set0_rbio(ssl, membio2);
9a716987 2684 else
65e2d672 2685 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 2686 }
2687 ssl = NULL;
2688
7e885b7b 2689 if (pop_ssl)
9a716987
MC		 2690 BIO_pop(sslbio);
2691 else
2692 BIO_pop(membio1);
2693
2694 testresult = 1;
2695 end:
2696 BIO_free(membio1);
2697 BIO_free(sslbio);
2698 SSL_free(ssl);
2699 SSL_CTX_free(ctx);
2700
2701 return testresult;
2702}
2703
2704static int test_ssl_bio_pop_next_bio(void)
2705{
7e885b7b 2706 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 2707}
2708
2709static int test_ssl_bio_pop_ssl_bio(void)
2710{
7e885b7b 2711 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 2712}
2713
2714static int test_ssl_bio_change_rbio(void)
2715{
7e885b7b 2716 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 2717}
2718
2719static int test_ssl_bio_change_wbio(void)
2720{
7e885b7b 2721 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 2722}
2723
c423ecaa 2724#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae
MC		 2725typedef struct {
2726 /* The list of sig algs */
2727 const int *list;
2728 /* The length of the list */
2729 size_t listlen;
2730 /* A sigalgs list in string format */
2731 const char *liststr;
2732 /* Whether setting the list should succeed */
2733 int valid;
2734 /* Whether creating a connection with the list should succeed */
2735 int connsuccess;
2736} sigalgs_list;
2737
2738static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 2739# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2740static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2741static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 2742# endif
f1b25aae
MC		 2743static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2744static const int invalidlist2[] = {NID_sha256, NID_undef};
2745static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2746static const int invalidlist4[] = {NID_sha256};
2747static const sigalgs_list testsigalgs[] = {
2748 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 2749# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2750 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2751 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 2752# endif
f1b25aae 2753 {NULL, 0, "RSA+SHA256", 1, 1},
c423ecaa 2754# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2755 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2756 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 2757# endif
f1b25aae
MC		 2758 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2759 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2760 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2761 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2762 {NULL, 0, "RSA", 0, 0},
2763 {NULL, 0, "SHA256", 0, 0},
2764 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 2765 {NULL, 0, "Invalid", 0, 0}
2766};
f1b25aae
MC		 2767
2768static int test_set_sigalgs(int idx)
2769{
2770 SSL_CTX *cctx = NULL, *sctx = NULL;
2771 SSL *clientssl = NULL, *serverssl = NULL;
2772 int testresult = 0;
2773 const sigalgs_list *curr;
2774 int testctx;
2775
2776 /* Should never happen */
710756a9 2777 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 2778 return 0;
2779
2780 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2781 curr = testctx ? &testsigalgs[idx]
2782 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2783
5e30f2fd
MC		 2784 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2785 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 2786 &sctx, &cctx, cert, privkey)))
f1b25aae 2787 return 0;
f1b25aae 2788
d2e491f2
MC		 2789 /*
2790 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2791 * for TLSv1.2 for now until we add a new API.
2792 */
2793 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2794
f1b25aae
MC		 2795 if (testctx) {
2796 int ret;
710756a9 2797
f1b25aae
MC		 2798 if (curr->list != NULL)
2799 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2800 else
2801 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2802
2803 if (!ret) {
2804 if (curr->valid)
710756a9 2805 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 2806 else
2807 testresult = 1;
2808 goto end;
2809 }
2810 if (!curr->valid) {
710756a9 2811 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 2812 goto end;
2813 }
2814 }
2815
710756a9
RS		 2816 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2817 &clientssl, NULL, NULL)))
f1b25aae 2818 goto end;
f1b25aae
MC		 2819
2820 if (!testctx) {
2821 int ret;
2822
2823 if (curr->list != NULL)
2824 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2825 else
2826 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2827 if (!ret) {
2828 if (curr->valid)
710756a9 2829 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 2830 else
2831 testresult = 1;
2832 goto end;
2833 }
710756a9 2834 if (!curr->valid)
f1b25aae 2835 goto end;
f1b25aae
MC		 2836 }
2837
710756a9
RS		 2838 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2839 SSL_ERROR_NONE),
2840 curr->connsuccess))
f1b25aae 2841 goto end;
f1b25aae
MC		 2842
2843 testresult = 1;
2844
2845 end:
2846 SSL_free(serverssl);
2847 SSL_free(clientssl);
2848 SSL_CTX_free(sctx);
2849 SSL_CTX_free(cctx);
2850
2851 return testresult;
2852}
c423ecaa 2853#endif
f1b25aae 2854
fff202e5 2855#ifndef OPENSSL_NO_TLS1_3
532f9578
MC		 2856static int psk_client_cb_cnt = 0;
2857static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 2858
2859static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2860 size_t *idlen, SSL_SESSION **sess)
2861{
2862 switch (++use_session_cb_cnt) {
2863 case 1:
2864 /* The first call should always have a NULL md */
2865 if (md != NULL)
2866 return 0;
2867 break;
2868
2869 case 2:
2870 /* The second call should always have an md */
2871 if (md == NULL)
2872 return 0;
2873 break;
2874
2875 default:
2876 /* We should only be called a maximum of twice */
2877 return 0;
2878 }
2879
57dee9bb
MC		 2880 if (clientpsk != NULL)
2881 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 2882
57dee9bb 2883 *sess = clientpsk;
02a3ed5a
MC		 2884 *id = (const unsigned char *)pskid;
2885 *idlen = strlen(pskid);
2886
2887 return 1;
2888}
2889
c2b290c3 2890#ifndef OPENSSL_NO_PSK
532f9578
MC		 2891static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2892 unsigned int max_id_len,
2893 unsigned char *psk,
2894 unsigned int max_psk_len)
2895{
2896 unsigned int psklen = 0;
2897
2898 psk_client_cb_cnt++;
2899
2900 if (strlen(pskid) + 1 > max_id_len)
2901 return 0;
2902
2903 /* We should only ever be called a maximum of twice per connection */
2904 if (psk_client_cb_cnt > 2)
2905 return 0;
2906
2907 if (clientpsk == NULL)
2908 return 0;
2909
2910 /* We'll reuse the PSK we set up for TLSv1.3 */
2911 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2912 return 0;
2913 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2914 strncpy(id, pskid, max_id_len);
2915
2916 return psklen;
2917}
c2b290c3 2918#endif /* OPENSSL_NO_PSK */
532f9578 2919
02a3ed5a
MC		 2920static int find_session_cb(SSL *ssl, const unsigned char *identity,
2921 size_t identity_len, SSL_SESSION **sess)
2922{
2923 find_session_cb_cnt++;
2924
2925 /* We should only ever be called a maximum of twice per connection */
2926 if (find_session_cb_cnt > 2)
2927 return 0;
2928
57dee9bb 2929 if (serverpsk == NULL)
02a3ed5a
MC		 2930 return 0;
2931
2932 /* Identity should match that set by the client */
2933 if (strlen(srvid) != identity_len
2934 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2935 /* No PSK found, continue but without a PSK */
2936 *sess = NULL;
2937 return 1;
2938 }
2939
57dee9bb
MC		 2940 SSL_SESSION_up_ref(serverpsk);
2941 *sess = serverpsk;
02a3ed5a
MC		 2942
2943 return 1;
2944}
2945
c2b290c3 2946#ifndef OPENSSL_NO_PSK
532f9578
MC		 2947static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2948 unsigned char *psk, unsigned int max_psk_len)
2949{
2950 unsigned int psklen = 0;
2951
2952 psk_server_cb_cnt++;
2953
2954 /* We should only ever be called a maximum of twice per connection */
2955 if (find_session_cb_cnt > 2)
2956 return 0;
2957
2958 if (serverpsk == NULL)
2959 return 0;
2960
2961 /* Identity should match that set by the client */
2962 if (strcmp(srvid, identity) != 0) {
2963 return 0;
2964 }
2965
2966 /* We'll reuse the PSK we set up for TLSv1.3 */
2967 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2968 return 0;
2969 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2970
2971 return psklen;
2972}
c2b290c3 2973#endif /* OPENSSL_NO_PSK */
532f9578 2974
5f982038
MC		 2975#define MSG1 "Hello"
2976#define MSG2 "World."
2977#define MSG3 "This"
2978#define MSG4 "is"
2979#define MSG5 "a"
90049cea
MC		 2980#define MSG6 "test"
2981#define MSG7 "message."
5f982038 2982
532f9578 2983#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
0b2b0be9 2984#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2985#define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
2986#define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
2987#define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
02a3ed5a 2988
8614a4eb
MC		 2989
2990static SSL_SESSION *create_a_psk(SSL *ssl)
2991{
2992 const SSL_CIPHER *cipher = NULL;
2993 const unsigned char key[] = {
2994 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2995 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2996 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2997 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2998 0x2c, 0x2d, 0x2e, 0x2f
2999 };
3000 SSL_SESSION *sess = NULL;
3001
3002 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3003 sess = SSL_SESSION_new();
3004 if (!TEST_ptr(sess)
3005 || !TEST_ptr(cipher)
3006 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
3007 sizeof(key)))
3008 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3009 || !TEST_true(
3010 SSL_SESSION_set_protocol_version(sess,
3011 TLS1_3_VERSION))) {
3012 SSL_SESSION_free(sess);
3013 return NULL;
3014 }
3015 return sess;
3016}
3017
5f982038
MC		 3018/*
3019 * Helper method to setup objects for early data test. Caller frees objects on
3020 * error.
3021 */
3022static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3cb47b4e 3023 SSL **serverssl, SSL_SESSION **sess, int idx)
5f982038 3024{
5a421415 3025 if (*sctx == NULL
5e30f2fd 3026 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5a421415 3027 TLS_client_method(),
5c587fb6 3028 TLS1_VERSION, 0,
5a421415
MC		 3029 sctx, cctx, cert, privkey)))
3030 return 0;
3031
3032 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 3033 return 0;
5f982038 3034
02a3ed5a
MC		 3035 if (idx == 1) {
3036 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 3037 SSL_CTX_set_read_ahead(*cctx, 1);
3038 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 3039 } else if (idx == 2) {
3040 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3041 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3042 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3043 use_session_cb_cnt = 0;
3044 find_session_cb_cnt = 0;
3045 srvid = pskid;
3cb47b4e
MC		 3046 }
3047
710756a9 3048 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 3049 NULL, NULL)))
3050 return 0;
3051
141e4709
MC		 3052 /*
3053 * For one of the run throughs (doesn't matter which one), we'll try sending
3054 * some SNI data in the initial ClientHello. This will be ignored (because
3055 * there is no SNI cb set up by the server), so it should not impact
3056 * early_data.
3057 */
3058 if (idx == 1
3059 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3060 return 0;
3061
02a3ed5a 3062 if (idx == 2) {
8614a4eb 3063 clientpsk = create_a_psk(*clientssl);
57dee9bb 3064 if (!TEST_ptr(clientpsk)
02a3ed5a
MC		 3065 /*
3066 * We just choose an arbitrary value for max_early_data which
3067 * should be big enough for testing purposes.
3068 */
57dee9bb
MC		 3069 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3070 0x100))
3071 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3072 SSL_SESSION_free(clientpsk);
3073 clientpsk = NULL;
02a3ed5a
MC		 3074 return 0;
3075 }
57dee9bb 3076 serverpsk = clientpsk;
02a3ed5a 3077
c20e3b28
MC		 3078 if (sess != NULL) {
3079 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3080 SSL_SESSION_free(clientpsk);
3081 SSL_SESSION_free(serverpsk);
3082 clientpsk = serverpsk = NULL;
3083 return 0;
3084 }
57dee9bb 3085 *sess = clientpsk;
c20e3b28 3086 }
02a3ed5a
MC		 3087 return 1;
3088 }
3089
3090 if (sess == NULL)
3091 return 1;
3092
3093 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3094 SSL_ERROR_NONE)))
5f982038 3095 return 0;
5f982038
MC		 3096
3097 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 3098 SSL_shutdown(*clientssl);
3099 SSL_shutdown(*serverssl);
5f982038
MC		 3100 SSL_free(*serverssl);
3101 SSL_free(*clientssl);
3102 *serverssl = *clientssl = NULL;
3103
710756a9
RS		 3104 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3105 clientssl, NULL, NULL))
3106 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 3107 return 0;
5f982038
MC		 3108
3109 return 1;
3110}
3111
3cb47b4e 3112static int test_early_data_read_write(int idx)
5f982038
MC		 3113{
3114 SSL_CTX *cctx = NULL, *sctx = NULL;
3115 SSL *clientssl = NULL, *serverssl = NULL;
3116 int testresult = 0;
3117 SSL_SESSION *sess = NULL;
9b5c865d
MC		 3118 unsigned char buf[20], data[1024];
3119 size_t readbytes, written, eoedlen, rawread, rawwritten;
3120 BIO *rbio;
5f982038 3121
710756a9
RS		 3122 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3123 &serverssl, &sess, idx)))
5f982038
MC		 3124 goto end;
3125
3126 /* Write and read some early data */
710756a9
RS		 3127 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3128 &written))
3129 || !TEST_size_t_eq(written, strlen(MSG1))
3130 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3131 sizeof(buf), &readbytes),
3132 SSL_READ_EARLY_DATA_SUCCESS)
3133 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3134 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3135 SSL_EARLY_DATA_ACCEPTED))
5f982038 3136 goto end;
5f982038
MC		 3137
3138 /*
09f28874 3139 * Server should be able to write data, and client should be able to
5f982038
MC		 3140 * read it.
3141 */
710756a9
RS		 3142 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3143 &written))
3144 || !TEST_size_t_eq(written, strlen(MSG2))
3145 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3146 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3147 goto end;
5f982038
MC		 3148
3149 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 3150 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3151 &written))
3152 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 3153 goto end;
5f982038 3154
09f28874 3155 /* Server should still be able read early data after writing data */
710756a9
RS		 3156 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3157 &readbytes),
3158 SSL_READ_EARLY_DATA_SUCCESS)
3159 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 3160 goto end;
5f982038 3161
09f28874 3162 /* Write more data from server and read it from client */
710756a9
RS		 3163 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3164 &written))
3165 || !TEST_size_t_eq(written, strlen(MSG4))
3166 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3167 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 3168 goto end;
5f982038
MC		 3169
3170 /*
3171 * If client writes normal data it should mean writing early data is no
3172 * longer possible.
3173 */
710756a9
RS		 3174 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3175 || !TEST_size_t_eq(written, strlen(MSG5))
3176 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3177 SSL_EARLY_DATA_ACCEPTED))
5f982038 3178 goto end;
5f982038 3179
9b5c865d
MC		 3180 /*
3181 * At this point the client has written EndOfEarlyData, ClientFinished and
3182 * normal (fully protected) data. We are going to cause a delay between the
3183 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3184 * in the read BIO, and then just put back the EndOfEarlyData message.
3185 */
3186 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 3187 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3188 || !TEST_size_t_lt(rawread, sizeof(data))
3189 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 3190 goto end;
710756a9 3191
9b5c865d
MC		 3192 /* Record length is in the 4th and 5th bytes of the record header */
3193 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 3194 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3195 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 3196 goto end;
9b5c865d 3197
5f982038 3198 /* Server should be told that there is no more early data */
710756a9
RS		 3199 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3200 &readbytes),
3201 SSL_READ_EARLY_DATA_FINISH)
3202 || !TEST_size_t_eq(readbytes, 0))
5f982038 3203 goto end;
5f982038 3204
9b5c865d
MC		 3205 /*
3206 * Server has not finished init yet, so should still be able to write early
3207 * data.
3208 */
710756a9
RS		 3209 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3210 &written))
3211 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 3212 goto end;
9b5c865d 3213
f8a303fa 3214 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 3215 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3216 &rawwritten))
3217 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 3218 goto end;
f8a303fa 3219
5f982038 3220 /* Server should be able to read normal data */
710756a9
RS		 3221 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3222 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3223 goto end;
5f982038 3224
09f28874 3225 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3226 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3227 &written)))
5f982038 3228 goto end;
5f982038 3229 ERR_clear_error();
710756a9
RS		 3230 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3231 &readbytes),
3232 SSL_READ_EARLY_DATA_ERROR))
5f982038 3233 goto end;
5f982038
MC		 3234 ERR_clear_error();
3235
9b5c865d 3236 /* Client should be able to read the data sent by the server */
710756a9
RS		 3237 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3238 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 3239 goto end;
710756a9 3240
f8a303fa 3241 /*
36ff232c
MC		 3242 * Make sure we process the two NewSessionTickets. These arrive
3243 * post-handshake. We attempt reads which we do not expect to return any
3244 * data.
f8a303fa 3245 */
36ff232c
MC		 3246 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3247 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3248 &readbytes)))
f8a303fa 3249 goto end;
5f982038 3250
90049cea 3251 /* Server should be able to write normal data */
710756a9
RS		 3252 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3253 || !TEST_size_t_eq(written, strlen(MSG7))
3254 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3255 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 3256 goto end;
90049cea 3257
c20e3b28 3258 SSL_SESSION_free(sess);
5f982038 3259 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 3260 use_session_cb_cnt = 0;
3261 find_session_cb_cnt = 0;
5f982038
MC		 3262
3263 SSL_shutdown(clientssl);
3264 SSL_shutdown(serverssl);
5f982038
MC		 3265 SSL_free(serverssl);
3266 SSL_free(clientssl);
3267 serverssl = clientssl = NULL;
710756a9
RS		 3268 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3269 &clientssl, NULL, NULL))
3270 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 3271 goto end;
5f982038
MC		 3272
3273 /* Write and read some early data */
710756a9
RS		 3274 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3275 &written))
3276 || !TEST_size_t_eq(written, strlen(MSG1))
3277 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3278 &readbytes),
3279 SSL_READ_EARLY_DATA_SUCCESS)
3280 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 3281 goto end;
5f982038 3282
710756a9
RS		 3283 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3284 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 3285 goto end;
5f982038 3286
09f28874 3287 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3288 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3289 &written)))
5f982038 3290 goto end;
5f982038 3291 ERR_clear_error();
710756a9
RS		 3292 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3293 &readbytes),
3294 SSL_READ_EARLY_DATA_ERROR))
5f982038 3295 goto end;
5f982038
MC		 3296 ERR_clear_error();
3297
3298 /* Client and server should be able to write/read normal data */
710756a9
RS		 3299 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3300 || !TEST_size_t_eq(written, strlen(MSG5))
3301 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3302 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3303 goto end;
5f982038
MC		 3304
3305 testresult = 1;
3306
3307 end:
c20e3b28 3308 SSL_SESSION_free(sess);
57dee9bb
MC		 3309 SSL_SESSION_free(clientpsk);
3310 SSL_SESSION_free(serverpsk);
3311 clientpsk = serverpsk = NULL;
5f982038
MC		 3312 SSL_free(serverssl);
3313 SSL_free(clientssl);
3314 SSL_CTX_free(sctx);
3315 SSL_CTX_free(cctx);
5f982038
MC		 3316 return testresult;
3317}
3318
5a421415
MC		 3319static int allow_ed_cb_called = 0;
3320
3321static int allow_early_data_cb(SSL *s, void *arg)
3322{
3323 int *usecb = (int *)arg;
3324
3325 allow_ed_cb_called++;
3326
3327 if (*usecb == 1)
3328 return 0;
3329
3330 return 1;
3331}
3332
3333/*
3334 * idx == 0: Standard early_data setup
3335 * idx == 1: early_data setup using read_ahead
3336 * usecb == 0: Don't use a custom early data callback
3337 * usecb == 1: Use a custom early data callback and reject the early data
3338 * usecb == 2: Use a custom early data callback and accept the early data
3bb5e5b0
MC		 3339 * confopt == 0: Configure anti-replay directly
3340 * confopt == 1: Configure anti-replay using SSL_CONF
5a421415 3341 */
3bb5e5b0 3342static int test_early_data_replay_int(int idx, int usecb, int confopt)
78fb5374
MC		 3343{
3344 SSL_CTX *cctx = NULL, *sctx = NULL;
3345 SSL *clientssl = NULL, *serverssl = NULL;
3346 int testresult = 0;
3347 SSL_SESSION *sess = NULL;
5a421415
MC		 3348 size_t readbytes, written;
3349 unsigned char buf[20];
3350
3351 allow_ed_cb_called = 0;
3352
5e30f2fd
MC		 3353 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3354 TLS_client_method(), TLS1_VERSION, 0,
3355 &sctx, &cctx, cert, privkey)))
5a421415
MC		 3356 return 0;
3357
3358 if (usecb > 0) {
3bb5e5b0
MC		 3359 if (confopt == 0) {
3360 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3361 } else {
3362 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3363
3364 if (!TEST_ptr(confctx))
3365 goto end;
3366 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3367 | SSL_CONF_FLAG_SERVER);
3368 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3369 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3370 2)) {
3371 SSL_CONF_CTX_free(confctx);
3372 goto end;
3373 }
3374 SSL_CONF_CTX_free(confctx);
3375 }
5a421415
MC		 3376 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3377 }
78fb5374
MC		 3378
3379 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3380 &serverssl, &sess, idx)))
3381 goto end;
3382
3383 /*
3384 * The server is configured to accept early data. Create a connection to
3385 * "use up" the ticket
3386 */
3387 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3388 || !TEST_true(SSL_session_reused(clientssl)))
3389 goto end;
3390
3391 SSL_shutdown(clientssl);
3392 SSL_shutdown(serverssl);
3393 SSL_free(serverssl);
3394 SSL_free(clientssl);
3395 serverssl = clientssl = NULL;
3396
3397 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3398 &clientssl, NULL, NULL))
5a421415
MC		 3399 || !TEST_true(SSL_set_session(clientssl, sess)))
3400 goto end;
3401
3402 /* Write and read some early data */
3403 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3404 &written))
3405 || !TEST_size_t_eq(written, strlen(MSG1)))
3406 goto end;
3407
3408 if (usecb <= 1) {
3409 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3410 &readbytes),
3411 SSL_READ_EARLY_DATA_FINISH)
3412 /*
3413 * The ticket was reused, so the we should have rejected the
3414 * early data
3415 */
3416 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3417 SSL_EARLY_DATA_REJECTED))
3418 goto end;
3419 } else {
3420 /* In this case the callback decides to accept the early data */
3421 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3422 &readbytes),
3423 SSL_READ_EARLY_DATA_SUCCESS)
3424 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3425 /*
3426 * Server will have sent its flight so client can now send
3427 * end of early data and complete its half of the handshake
3428 */
3429 || !TEST_int_gt(SSL_connect(clientssl), 0)
3430 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3431 &readbytes),
3432 SSL_READ_EARLY_DATA_FINISH)
3433 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3434 SSL_EARLY_DATA_ACCEPTED))
3435 goto end;
3436 }
3437
3438 /* Complete the connection */
3439 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3440 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3441 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
78fb5374
MC		 3442 goto end;
3443
3444 testresult = 1;
3445
3446 end:
c20e3b28 3447 SSL_SESSION_free(sess);
78fb5374
MC		 3448 SSL_SESSION_free(clientpsk);
3449 SSL_SESSION_free(serverpsk);
3450 clientpsk = serverpsk = NULL;
3451 SSL_free(serverssl);
3452 SSL_free(clientssl);
3453 SSL_CTX_free(sctx);
3454 SSL_CTX_free(cctx);
3455 return testresult;
3456}
3457
5a421415
MC		 3458static int test_early_data_replay(int idx)
3459{
3bb5e5b0 3460 int ret = 1, usecb, confopt;
5a421415 3461
3bb5e5b0
MC		 3462 for (usecb = 0; usecb < 3; usecb++) {
3463 for (confopt = 0; confopt < 2; confopt++)
3464 ret &= test_early_data_replay_int(idx, usecb, confopt);
3465 }
5a421415
MC		 3466
3467 return ret;
3468}
3469
710756a9 3470/*
6b84e6bf
MC		 3471 * Helper function to test that a server attempting to read early data can
3472 * handle a connection from a client where the early data should be skipped.
0d1b7789
MC		 3473 * testtype: 0 == No HRR
3474 * testtype: 1 == HRR
0efa0ba4
MC		 3475 * testtype: 2 == HRR, invalid early_data sent after HRR
3476 * testtype: 3 == recv_max_early_data set to 0
710756a9 3477 */
0d1b7789 3478static int early_data_skip_helper(int testtype, int idx)
5f982038
MC		 3479{
3480 SSL_CTX *cctx = NULL, *sctx = NULL;
3481 SSL *clientssl = NULL, *serverssl = NULL;
3482 int testresult = 0;
018fcbec 3483 SSL_SESSION *sess = NULL;
5f982038
MC		 3484 unsigned char buf[20];
3485 size_t readbytes, written;
3486
710756a9
RS		 3487 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3488 &serverssl, &sess, idx)))
5f982038
MC		 3489 goto end;
3490
0efa0ba4 3491 if (testtype == 1 || testtype == 2) {
6b84e6bf 3492 /* Force an HRR to occur */
dbc6268f
MC		 3493#if defined(OPENSSL_NO_EC)
3494 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3495 goto end;
3496#else
6b84e6bf
MC		 3497 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3498 goto end;
dbc6268f 3499#endif
02a3ed5a
MC		 3500 } else if (idx == 2) {
3501 /*
3502 * We force early_data rejection by ensuring the PSK identity is
3503 * unrecognised
3504 */
3505 srvid = "Dummy Identity";
6b84e6bf
MC		 3506 } else {
3507 /*
3508 * Deliberately corrupt the creation time. We take 20 seconds off the
3509 * time. It could be any value as long as it is not within tolerance.
3510 * This should mean the ticket is rejected.
3511 */
5d99881e 3512 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 3513 goto end;
3514 }
5f982038 3515
0efa0ba4 3516 if (testtype == 3
0d1b7789
MC		 3517 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3518 goto end;
3519
5f982038 3520 /* Write some early data */
710756a9
RS		 3521 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3522 &written))
3523 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 3524 goto end;
5f982038 3525
0d1b7789 3526 /* Server should reject the early data */
710756a9
RS		 3527 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3528 &readbytes),
3529 SSL_READ_EARLY_DATA_FINISH)
3530 || !TEST_size_t_eq(readbytes, 0)
3531 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3532 SSL_EARLY_DATA_REJECTED))
5f982038 3533 goto end;
5f982038 3534
0efa0ba4
MC		 3535 switch (testtype) {
3536 case 0:
3537 /* Nothing to do */
3538 break;
3539
3540 case 1:
6b84e6bf
MC		 3541 /*
3542 * Finish off the handshake. We perform the same writes and reads as
3543 * further down but we expect them to fail due to the incomplete
3544 * handshake.
3545 */
3546 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3547 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3548 &readbytes)))
3549 goto end;
0efa0ba4
MC		 3550 break;
3551
3552 case 2:
3553 {
3554 BIO *wbio = SSL_get_wbio(clientssl);
3555 /* A record that will appear as bad early_data */
3556 const unsigned char bad_early_data[] = {
3557 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3558 };
3559
3560 /*
3561 * We force the client to attempt a write. This will fail because
3562 * we're still in the handshake. It will cause the second
3563 * ClientHello to be sent.
3564 */
3565 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3566 &written)))
3567 goto end;
3568
3569 /*
3570 * Inject some early_data after the second ClientHello. This should
3571 * cause the server to fail
3572 */
3573 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3574 sizeof(bad_early_data), &written)))
3575 goto end;
3576 }
3577 /* fallthrough */
3578
3579 case 3:
0d1b7789 3580 /*
0efa0ba4
MC		 3581 * This client has sent more early_data than we are willing to skip
3582 * (case 3) or sent invalid early_data (case 2) so the connection should
3583 * abort.
0d1b7789
MC		 3584 */
3585 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3586 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3587 goto end;
3588
3589 /* Connection has failed - nothing more to do */
3590 testresult = 1;
3591 goto end;
0efa0ba4
MC		 3592
3593 default:
3594 TEST_error("Invalid test type");
3595 goto end;
6b84e6bf
MC		 3596 }
3597
0d1b7789
MC		 3598 /*
3599 * Should be able to send normal data despite rejection of early data. The
3600 * early_data should be skipped.
3601 */
710756a9
RS		 3602 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3603 || !TEST_size_t_eq(written, strlen(MSG2))
3604 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3605 SSL_EARLY_DATA_REJECTED)
3606 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3607 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3608 goto end;
5f982038
MC		 3609
3610 testresult = 1;
3611
3612 end:
c20e3b28 3613 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3614 SSL_SESSION_free(serverpsk);
3615 clientpsk = serverpsk = NULL;
5f982038
MC		 3616 SSL_SESSION_free(sess);
3617 SSL_free(serverssl);
3618 SSL_free(clientssl);
3619 SSL_CTX_free(sctx);
3620 SSL_CTX_free(cctx);
5f982038
MC		 3621 return testresult;
3622}
3623
6b84e6bf
MC		 3624/*
3625 * Test that a server attempting to read early data can handle a connection
3626 * from a client where the early data is not acceptable.
3627 */
3628static int test_early_data_skip(int idx)
3629{
3630 return early_data_skip_helper(0, idx);
3631}
3632
3633/*
3634 * Test that a server attempting to read early data can handle a connection
3635 * from a client where an HRR occurs.
3636 */
3637static int test_early_data_skip_hrr(int idx)
3638{
3639 return early_data_skip_helper(1, idx);
3640}
3641
0efa0ba4
MC		 3642/*
3643 * Test that a server attempting to read early data can handle a connection
3644 * from a client where an HRR occurs and correctly fails if early_data is sent
3645 * after the HRR
3646 */
3647static int test_early_data_skip_hrr_fail(int idx)
3648{
3649 return early_data_skip_helper(2, idx);
3650}
3651
0d1b7789
MC		 3652/*
3653 * Test that a server attempting to read early data will abort if it tries to
3654 * skip over too much.
3655 */
3656static int test_early_data_skip_abort(int idx)
3657{
0efa0ba4 3658 return early_data_skip_helper(3, idx);
0d1b7789
MC		 3659}
3660
710756a9
RS		 3661/*
3662 * Test that a server attempting to read early data can handle a connection
3663 * from a client that doesn't send any.
3664 */
3cb47b4e 3665static int test_early_data_not_sent(int idx)
5f982038
MC		 3666{
3667 SSL_CTX *cctx = NULL, *sctx = NULL;
3668 SSL *clientssl = NULL, *serverssl = NULL;
3669 int testresult = 0;
018fcbec 3670 SSL_SESSION *sess = NULL;
5f982038
MC		 3671 unsigned char buf[20];
3672 size_t readbytes, written;
3673
710756a9
RS		 3674 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3675 &serverssl, &sess, idx)))
5f982038
MC		 3676 goto end;
3677
3678 /* Write some data - should block due to handshake with server */
3679 SSL_set_connect_state(clientssl);
710756a9 3680 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 3681 goto end;
5f982038
MC		 3682
3683 /* Server should detect that early data has not been sent */
710756a9
RS		 3684 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3685 &readbytes),
3686 SSL_READ_EARLY_DATA_FINISH)
3687 || !TEST_size_t_eq(readbytes, 0)
3688 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3689 SSL_EARLY_DATA_NOT_SENT)
3690 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3691 SSL_EARLY_DATA_NOT_SENT))
5f982038 3692 goto end;
5f982038
MC		 3693
3694 /* Continue writing the message we started earlier */
710756a9
RS		 3695 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3696 || !TEST_size_t_eq(written, strlen(MSG1))
3697 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3698 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3699 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3700 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 3701 goto end;
5f982038 3702
710756a9
RS		 3703 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3704 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3705 goto end;
5f982038
MC		 3706
3707 testresult = 1;
3708
3709 end:
5f982038 3710 SSL_SESSION_free(sess);
c20e3b28 3711 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3712 SSL_SESSION_free(serverpsk);
3713 clientpsk = serverpsk = NULL;
5f982038
MC		 3714 SSL_free(serverssl);
3715 SSL_free(clientssl);
3716 SSL_CTX_free(sctx);
3717 SSL_CTX_free(cctx);
5f982038
MC		 3718 return testresult;
3719}
3720
976e5323
MC		 3721static const char *servalpn;
3722
c7558d5b
PY		 3723static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3724 unsigned char *outlen, const unsigned char *in,
3725 unsigned int inlen, void *arg)
976e5323 3726{
c7558d5b 3727 unsigned int protlen = 0;
976e5323
MC		 3728 const unsigned char *prot;
3729
c7558d5b
PY		 3730 for (prot = in; prot < in + inlen; prot += protlen) {
3731 protlen = *prot++;
5d99881e 3732 if (in + inlen < prot + protlen)
976e5323
MC		 3733 return SSL_TLSEXT_ERR_NOACK;
3734
3735 if (protlen == strlen(servalpn)
0bd42fde 3736 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 3737 *out = prot;
3738 *outlen = protlen;
3739 return SSL_TLSEXT_ERR_OK;
3740 }
3741 }
3742
3743 return SSL_TLSEXT_ERR_NOACK;
3744}
3745
57dee9bb 3746/* Test that a PSK can be used to send early_data */
976e5323
MC		 3747static int test_early_data_psk(int idx)
3748{
3749 SSL_CTX *cctx = NULL, *sctx = NULL;
3750 SSL *clientssl = NULL, *serverssl = NULL;
3751 int testresult = 0;
3752 SSL_SESSION *sess = NULL;
57dee9bb
MC		 3753 unsigned char alpnlist[] = {
3754 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3755 'l', 'p', 'n'
3756 };
3757#define GOODALPNLEN 9
3758#define BADALPNLEN 8
3759#define GOODALPN (alpnlist)
3760#define BADALPN (alpnlist + GOODALPNLEN)
3761 int err = 0;
976e5323
MC		 3762 unsigned char buf[20];
3763 size_t readbytes, written;
57dee9bb 3764 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 3765 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3766
3767 /* We always set this up with a final parameter of "2" for PSK */
3768 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3769 &serverssl, &sess, 2)))
3770 goto end;
3771
976e5323
MC		 3772 servalpn = "goodalpn";
3773
57dee9bb
MC		 3774 /*
3775 * Note: There is no test for inconsistent SNI with late client detection.
3776 * This is because servers do not acknowledge SNI even if they are using
3777 * it in a resumption handshake - so it is not actually possible for a
3778 * client to detect a problem.
3779 */
976e5323
MC		 3780 switch (idx) {
3781 case 0:
57dee9bb 3782 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 3783 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3784 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3785 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3786 goto end;
3787 break;
3788
3789 case 1:
57dee9bb 3790 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 3791 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3792 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 3793 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3794 GOODALPNLEN))
3795 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3796 BADALPNLEN)))
976e5323
MC		 3797 goto end;
3798 break;
3799
3800 case 2:
3801 /*
3802 * Set invalid protocol version. Technically this affects PSKs without
3803 * early_data too, but we test it here because it is similar to the
3804 * SNI/ALPN consistency tests.
3805 */
3806 err = SSL_R_BAD_PSK;
3807 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3808 goto end;
3809 break;
3810
3811 case 3:
3812 /*
49ef3d07
MC		 3813 * Set inconsistent SNI (server side). In this case the connection
3814 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3815 * is associated with each handshake - not the session. Therefore it
3816 * should not matter that we used a different server name last time.
976e5323 3817 */
281bf233
MC		 3818 SSL_SESSION_free(serverpsk);
3819 serverpsk = SSL_SESSION_dup(clientpsk);
3820 if (!TEST_ptr(serverpsk)
3821 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3822 goto end;
976e5323
MC		 3823 /* Fall through */
3824 case 4:
3825 /* Set consistent SNI */
976e5323
MC		 3826 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3827 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3828 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3829 hostname_cb)))
3830 goto end;
3831 break;
3832
3833 case 5:
3834 /*
3835 * Set inconsistent ALPN (server detected). In this case the connection
3836 * will succeed but reject early_data.
3837 */
3838 servalpn = "badalpn";
3839 edstatus = SSL_EARLY_DATA_REJECTED;
3840 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3841 /* Fall through */
3842 case 6:
976e5323 3843 /*
57dee9bb 3844 * Set consistent ALPN.
976e5323
MC		 3845 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3846 * accepts a list of protos (each one length prefixed).
3847 * SSL_set1_alpn_selected accepts a single protocol (not length
3848 * prefixed)
3849 */
57dee9bb
MC		 3850 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3851 GOODALPNLEN - 1))
3852 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3853 GOODALPNLEN)))
976e5323
MC		 3854 goto end;
3855
3856 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3857 break;
3858
57dee9bb
MC		 3859 case 7:
3860 /* Set inconsistent ALPN (late client detection) */
3861 SSL_SESSION_free(serverpsk);
3862 serverpsk = SSL_SESSION_dup(clientpsk);
3863 if (!TEST_ptr(serverpsk)
3864 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3865 BADALPN + 1,
3866 BADALPNLEN - 1))
3867 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3868 GOODALPN + 1,
3869 GOODALPNLEN - 1))
3870 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3871 sizeof(alpnlist))))
3872 goto end;
3873 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3874 edstatus = SSL_EARLY_DATA_ACCEPTED;
3875 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3876 /* SSL_connect() call should fail */
3877 connectres = -1;
3878 break;
3879
976e5323
MC		 3880 default:
3881 TEST_error("Bad test index");
3882 goto end;
3883 }
3884
3885 SSL_set_connect_state(clientssl);
3886 if (err != 0) {
3887 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3888 &written))
3889 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3890 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3891 goto end;
3892 } else {
3893 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 3894 &written)))
3895 goto end;
3896
3897 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3898 &readbytes), readearlyres)
976e5323
MC		 3899 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3900 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 3901 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3902 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 3903 goto end;
3904 }
3905
3906 testresult = 1;
3907
3908 end:
c20e3b28 3909 SSL_SESSION_free(sess);
57dee9bb
MC		 3910 SSL_SESSION_free(clientpsk);
3911 SSL_SESSION_free(serverpsk);
3912 clientpsk = serverpsk = NULL;
976e5323
MC		 3913 SSL_free(serverssl);
3914 SSL_free(clientssl);
3915 SSL_CTX_free(sctx);
3916 SSL_CTX_free(cctx);
3917 return testresult;
3918}
3919
0b2b0be9 3920/*
3921 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
3922 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
3923 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
3924 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3925 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
3926 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
3927 */
3928static int test_early_data_psk_with_all_ciphers(int idx)
3929{
3930 SSL_CTX *cctx = NULL, *sctx = NULL;
3931 SSL *clientssl = NULL, *serverssl = NULL;
3932 int testresult = 0;
3933 SSL_SESSION *sess = NULL;
3934 unsigned char buf[20];
3935 size_t readbytes, written;
3936 const SSL_CIPHER *cipher;
3937 const char *cipher_str[] = {
3938 TLS1_3_RFC_AES_128_GCM_SHA256,
3939 TLS1_3_RFC_AES_256_GCM_SHA384,
3940# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3941 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3942# else
3943 NULL,
3944# endif
3945 TLS1_3_RFC_AES_128_CCM_SHA256,
3946 TLS1_3_RFC_AES_128_CCM_8_SHA256
3947 };
3948 const unsigned char *cipher_bytes[] = {
3949 TLS13_AES_128_GCM_SHA256_BYTES,
3950 TLS13_AES_256_GCM_SHA384_BYTES,
3951# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3952 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
3953# else
3954 NULL,
3955# endif
3956 TLS13_AES_128_CCM_SHA256_BYTES,
3957 TLS13_AES_128_CCM_8_SHA256_BYTES
3958 };
3959
3960 if (cipher_str[idx] == NULL)
3961 return 1;
3962 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
3963 if (idx == 2 && is_fips == 1)
3964 return 1;
3965
3966 /* We always set this up with a final parameter of "2" for PSK */
3967 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3968 &serverssl, &sess, 2)))
3969 goto end;
3970
3971 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
3972 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
3973 goto end;
3974
3975 /*
3976 * 'setupearly_data_test' creates only one instance of SSL_SESSION
3977 * and assigns to both client and server with incremented reference
3978 * and the same instance is updated in 'sess'.
3979 * So updating ciphersuite in 'sess' which will get reflected in
3980 * PSK handshake using psk use sess and find sess cb.
3981 */
3982 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
3983 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
3984 goto end;
3985
3986 SSL_set_connect_state(clientssl);
3987 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3988 &written)))
3989 goto end;
3990
3991 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3992 &readbytes),
3993 SSL_READ_EARLY_DATA_SUCCESS)
3994 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3995 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3996 SSL_EARLY_DATA_ACCEPTED)
3997 || !TEST_int_eq(SSL_connect(clientssl), 1)
3998 || !TEST_int_eq(SSL_accept(serverssl), 1))
3999 goto end;
4000
4001 /* Send some normal data from client to server */
4002 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4003 || !TEST_size_t_eq(written, strlen(MSG2)))
4004 goto end;
4005
4006 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4007 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4008 goto end;
4009
4010 testresult = 1;
4011 end:
4012 SSL_SESSION_free(sess);
4013 SSL_SESSION_free(clientpsk);
4014 SSL_SESSION_free(serverpsk);
4015 clientpsk = serverpsk = NULL;
4016 if (clientssl != NULL)
4017 SSL_shutdown(clientssl);
4018 if (serverssl != NULL)
4019 SSL_shutdown(serverssl);
4020 SSL_free(serverssl);
4021 SSL_free(clientssl);
4022 SSL_CTX_free(sctx);
4023 SSL_CTX_free(cctx);
4024 return testresult;
4025}
4026
710756a9
RS		 4027/*
4028 * Test that a server that doesn't try to read early data can handle a
4029 * client sending some.
4030 */
3cb47b4e 4031static int test_early_data_not_expected(int idx)
5f982038
MC		 4032{
4033 SSL_CTX *cctx = NULL, *sctx = NULL;
4034 SSL *clientssl = NULL, *serverssl = NULL;
4035 int testresult = 0;
018fcbec 4036 SSL_SESSION *sess = NULL;
5f982038
MC		 4037 unsigned char buf[20];
4038 size_t readbytes, written;
4039
710756a9
RS		 4040 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4041 &serverssl, &sess, idx)))
5f982038
MC		 4042 goto end;
4043
4044 /* Write some early data */
710756a9
RS		 4045 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4046 &written)))
5f982038 4047 goto end;
5f982038
MC		 4048
4049 /*
4050 * Server should skip over early data and then block waiting for client to
4051 * continue handshake
4052 */
710756a9
RS		 4053 if (!TEST_int_le(SSL_accept(serverssl), 0)
4054 || !TEST_int_gt(SSL_connect(clientssl), 0)
4055 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4056 SSL_EARLY_DATA_REJECTED)
4057 || !TEST_int_gt(SSL_accept(serverssl), 0)
4058 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4059 SSL_EARLY_DATA_REJECTED))
5f982038 4060 goto end;
5f982038
MC		 4061
4062 /* Send some normal data from client to server */
710756a9
RS		 4063 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4064 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 4065 goto end;
5f982038 4066
710756a9
RS		 4067 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4068 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4069 goto end;
5f982038
MC		 4070
4071 testresult = 1;
4072
4073 end:
5f982038 4074 SSL_SESSION_free(sess);
c20e3b28 4075 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 4076 SSL_SESSION_free(serverpsk);
4077 clientpsk = serverpsk = NULL;
5f982038
MC		 4078 SSL_free(serverssl);
4079 SSL_free(clientssl);
4080 SSL_CTX_free(sctx);
4081 SSL_CTX_free(cctx);
5f982038
MC		 4082 return testresult;
4083}
4084
4085
4086# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 4087/*
4088 * Test that a server attempting to read early data can handle a connection
4089 * from a TLSv1.2 client.
4090 */
3cb47b4e 4091static int test_early_data_tls1_2(int idx)
5f982038
MC		 4092{
4093 SSL_CTX *cctx = NULL, *sctx = NULL;
4094 SSL *clientssl = NULL, *serverssl = NULL;
4095 int testresult = 0;
4096 unsigned char buf[20];
4097 size_t readbytes, written;
4098
02a3ed5a
MC		 4099 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4100 &serverssl, NULL, idx)))
5f982038 4101 goto end;
5f982038
MC		 4102
4103 /* Write some data - should block due to handshake with server */
4104 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4105 SSL_set_connect_state(clientssl);
710756a9 4106 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 4107 goto end;
5f982038
MC		 4108
4109 /*
4110 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 4111 * messages from client after ServerDone. Then SSL_read_early_data should
4112 * finish and detect that early data has not been sent
5f982038 4113 */
710756a9
RS		 4114 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4115 &readbytes),
4116 SSL_READ_EARLY_DATA_ERROR))
5f982038 4117 goto end;
5f982038
MC		 4118
4119 /*
4120 * Continue writing the message we started earlier. Will still block waiting
4121 * for the CCS/Finished from server
4122 */
710756a9
RS		 4123 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4124 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4125 &readbytes),
4126 SSL_READ_EARLY_DATA_FINISH)
4127 || !TEST_size_t_eq(readbytes, 0)
4128 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4129 SSL_EARLY_DATA_NOT_SENT))
5f982038 4130 goto end;
5f982038
MC		 4131
4132 /* Continue writing the message we started earlier */
710756a9
RS		 4133 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4134 || !TEST_size_t_eq(written, strlen(MSG1))
4135 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4136 SSL_EARLY_DATA_NOT_SENT)
4137 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4138 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4139 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4140 || !TEST_size_t_eq(written, strlen(MSG2))
4141 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4142 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4143 goto end;
5f982038
MC		 4144
4145 testresult = 1;
4146
4147 end:
57dee9bb
MC		 4148 SSL_SESSION_free(clientpsk);
4149 SSL_SESSION_free(serverpsk);
4150 clientpsk = serverpsk = NULL;
5f982038
MC		 4151 SSL_free(serverssl);
4152 SSL_free(clientssl);
4153 SSL_CTX_free(sctx);
4154 SSL_CTX_free(cctx);
4155
4156 return testresult;
4157}
ca0413ae
MC		 4158# endif /* OPENSSL_NO_TLS1_2 */
4159
034cb87b
MC		 4160/*
4161 * Test configuring the TLSv1.3 ciphersuites
4162 *
4163 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4164 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4165 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4166 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4167 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4168 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4169 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4170 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4171 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4172 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4173 */
4174static int test_set_ciphersuite(int idx)
4175{
4176 SSL_CTX *cctx = NULL, *sctx = NULL;
4177 SSL *clientssl = NULL, *serverssl = NULL;
4178 int testresult = 0;
4179
5e30f2fd
MC		 4180 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4181 TLS_client_method(), TLS1_VERSION, 0,
034cb87b
MC		 4182 &sctx, &cctx, cert, privkey))
4183 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4184 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4185 goto end;
4186
4187 if (idx >=4 && idx <= 7) {
4188 /* SSL_CTX explicit cipher list */
4189 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4190 goto end;
4191 }
4192
4193 if (idx == 0 || idx == 4) {
4194 /* Default ciphersuite */
4195 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4196 "TLS_AES_128_GCM_SHA256")))
4197 goto end;
4198 } else if (idx == 1 || idx == 5) {
4199 /* Non default ciphersuite */
4200 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4201 "TLS_AES_128_CCM_SHA256")))
4202 goto end;
4203 }
4204
4205 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4206 &clientssl, NULL, NULL)))
4207 goto end;
4208
4209 if (idx == 8 || idx == 9) {
4210 /* SSL explicit cipher list */
4211 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4212 goto end;
4213 }
4214
4215 if (idx == 2 || idx == 6 || idx == 8) {
4216 /* Default ciphersuite */
4217 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4218 "TLS_AES_128_GCM_SHA256")))
4219 goto end;
4220 } else if (idx == 3 || idx == 7 || idx == 9) {
4221 /* Non default ciphersuite */
4222 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4223 "TLS_AES_128_CCM_SHA256")))
4224 goto end;
4225 }
4226
4227 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4228 goto end;
4229
4230 testresult = 1;
4231
4232 end:
4233 SSL_free(serverssl);
4234 SSL_free(clientssl);
4235 SSL_CTX_free(sctx);
4236 SSL_CTX_free(cctx);
4237
4238 return testresult;
4239}
4240
ca0413ae
MC		 4241static int test_ciphersuite_change(void)
4242{
4243 SSL_CTX *cctx = NULL, *sctx = NULL;
4244 SSL *clientssl = NULL, *serverssl = NULL;
4245 SSL_SESSION *clntsess = NULL;
4246 int testresult = 0;
4247 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4248
4249 /* Create a session based on SHA-256 */
5e30f2fd
MC		 4250 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4251 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 4252 &sctx, &cctx, cert, privkey))
4f6c7044
MC		 4253 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4254 "TLS_AES_128_GCM_SHA256:"
4255 "TLS_AES_256_GCM_SHA384:"
4256 "TLS_AES_128_CCM_SHA256"))
f865b081
MC		 4257 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4258 "TLS_AES_128_GCM_SHA256"))
ca0413ae
MC		 4259 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4260 &clientssl, NULL, NULL))
4261 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4262 SSL_ERROR_NONE)))
4263 goto end;
4264
4265 clntsess = SSL_get1_session(clientssl);
4266 /* Save for later */
4267 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4268 SSL_shutdown(clientssl);
4269 SSL_shutdown(serverssl);
4270 SSL_free(serverssl);
4271 SSL_free(clientssl);
4272 serverssl = clientssl = NULL;
4273
4274 /* Check we can resume a session with a different SHA-256 ciphersuite */
f865b081 4275 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4f6c7044
MC		 4276 "TLS_AES_128_CCM_SHA256"))
4277 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4278 &clientssl, NULL, NULL))
ca0413ae
MC		 4279 || !TEST_true(SSL_set_session(clientssl, clntsess))
4280 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4281 SSL_ERROR_NONE))
4282 || !TEST_true(SSL_session_reused(clientssl)))
4283 goto end;
4284
4285 SSL_SESSION_free(clntsess);
4286 clntsess = SSL_get1_session(clientssl);
4287 SSL_shutdown(clientssl);
4288 SSL_shutdown(serverssl);
4289 SSL_free(serverssl);
4290 SSL_free(clientssl);
4291 serverssl = clientssl = NULL;
4292
4293 /*
4294 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 4295 * succeeds but does not resume.
ca0413ae 4296 */
f865b081 4297 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4298 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4299 NULL, NULL))
4300 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 4301 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 4302 SSL_ERROR_SSL))
0de6d66d 4303 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 4304 goto end;
4305
4306 SSL_SESSION_free(clntsess);
4307 clntsess = NULL;
4308 SSL_shutdown(clientssl);
4309 SSL_shutdown(serverssl);
4310 SSL_free(serverssl);
4311 SSL_free(clientssl);
4312 serverssl = clientssl = NULL;
4313
4314 /* Create a session based on SHA384 */
f865b081 4315 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4316 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4317 &clientssl, NULL, NULL))
4318 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4319 SSL_ERROR_NONE)))
4320 goto end;
4321
4322 clntsess = SSL_get1_session(clientssl);
4323 SSL_shutdown(clientssl);
4324 SSL_shutdown(serverssl);
4325 SSL_free(serverssl);
4326 SSL_free(clientssl);
4327 serverssl = clientssl = NULL;
4328
f865b081
MC		 4329 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4330 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4331 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4332 "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4333 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4334 NULL, NULL))
4335 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 4336 /*
4337 * We use SSL_ERROR_WANT_READ below so that we can pause the
4338 * connection after the initial ClientHello has been sent to
4339 * enable us to make some session changes.
4340 */
ca0413ae
MC		 4341 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4342 SSL_ERROR_WANT_READ)))
4343 goto end;
4344
4345 /* Trick the client into thinking this session is for a different digest */
4346 clntsess->cipher = aes_128_gcm_sha256;
4347 clntsess->cipher_id = clntsess->cipher->id;
4348
4349 /*
3b0e88d3
MC		 4350 * Continue the previously started connection. Server has selected a SHA-384
4351 * ciphersuite, but client thinks the session is for SHA-256, so it should
4352 * bail out.
ca0413ae
MC		 4353 */
4354 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4355 SSL_ERROR_SSL))
4356 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4357 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4358 goto end;
4359
4360 testresult = 1;
4361
4362 end:
4363 SSL_SESSION_free(clntsess);
4364 SSL_free(serverssl);
4365 SSL_free(clientssl);
4366 SSL_CTX_free(sctx);
4367 SSL_CTX_free(cctx);
4368
4369 return testresult;
4370}
4371
8e63900a 4372/*
5bf2eade 4373 * Test TLSv1.3 Key exchange
4374 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4375 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4376 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4377 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4378 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4379 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4380 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4381 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4382 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4383 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4384 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4385 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4386 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4387 * Test 13 = Test all FFDHE with TLSv1.2 client and server
8e63900a 4388 */
db26ec80 4389static int test_key_exchange(int idx)
8e63900a 4390{
4391 SSL_CTX *sctx = NULL, *cctx = NULL;
4392 SSL *serverssl = NULL, *clientssl = NULL;
4393 int testresult = 0;
5bf2eade 4394# ifndef OPENSSL_NO_EC
4395 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4396 NID_secp521r1, NID_X25519, NID_X448};
4397# endif
4398# ifndef OPENSSL_NO_DH
8e63900a 4399 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4400 NID_ffdhe6144, NID_ffdhe8192};
5bf2eade 4401# endif
fb8c6db4 4402 int kexch_alg;
4403 int *kexch_groups = &kexch_alg;
4404 int kexch_groups_size = 1;
8e63900a 4405 int max_version = TLS1_3_VERSION;
becbacd7 4406 char *kexch_name0 = NULL;
8e63900a 4407
4408 switch (idx) {
5bf2eade 4409# ifndef OPENSSL_NO_EC
db26ec80 4410# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4411 case 12:
fb8c6db4 4412 max_version = TLS1_2_VERSION;
db26ec80 4413# endif
fb8c6db4 4414 /* Fall through */
4415 case 0:
4416 kexch_groups = ecdhe_kexch_groups;
4417 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
becbacd7 4418 kexch_name0 = "secp256r1";
fb8c6db4 4419 break;
5bf2eade 4420 case 1:
fb8c6db4 4421 kexch_alg = NID_X9_62_prime256v1;
becbacd7 4422 kexch_name0 = "secp256r1";
fb8c6db4 4423 break;
5bf2eade 4424 case 2:
fb8c6db4 4425 kexch_alg = NID_secp384r1;
becbacd7 4426 kexch_name0 = "secp384r1";
fb8c6db4 4427 break;
5bf2eade 4428 case 3:
fb8c6db4 4429 kexch_alg = NID_secp521r1;
becbacd7 4430 kexch_name0 = "secp521r1";
fb8c6db4 4431 break;
5bf2eade 4432 case 4:
fb8c6db4 4433 kexch_alg = NID_X25519;
becbacd7 4434 kexch_name0 = "x25519";
fb8c6db4 4435 break;
5bf2eade 4436 case 5:
fb8c6db4 4437 kexch_alg = NID_X448;
becbacd7 4438 kexch_name0 = "x448";
fb8c6db4 4439 break;
5bf2eade 4440# endif
4441# ifndef OPENSSL_NO_DH
db26ec80 4442# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4443 case 13:
dbc6268f 4444 max_version = TLS1_2_VERSION;
becbacd7 4445 kexch_name0 = "ffdhe2048";
db26ec80 4446# endif
dbc6268f 4447 /* Fall through */
5bf2eade 4448 case 6:
8e63900a 4449 kexch_groups = ffdhe_kexch_groups;
4450 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
becbacd7 4451 kexch_name0 = "ffdhe2048";
8e63900a 4452 break;
5bf2eade 4453 case 7:
fb8c6db4 4454 kexch_alg = NID_ffdhe2048;
becbacd7 4455 kexch_name0 = "ffdhe2048";
fb8c6db4 4456 break;
5bf2eade 4457 case 8:
fb8c6db4 4458 kexch_alg = NID_ffdhe3072;
becbacd7 4459 kexch_name0 = "ffdhe3072";
fb8c6db4 4460 break;
5bf2eade 4461 case 9:
fb8c6db4 4462 kexch_alg = NID_ffdhe4096;
becbacd7 4463 kexch_name0 = "ffdhe4096";
fb8c6db4 4464 break;
5bf2eade 4465 case 10:
fb8c6db4 4466 kexch_alg = NID_ffdhe6144;
becbacd7 4467 kexch_name0 = "ffdhe6144";
fb8c6db4 4468 break;
5bf2eade 4469 case 11:
fb8c6db4 4470 kexch_alg = NID_ffdhe8192;
becbacd7 4471 kexch_name0 = "ffdhe8192";
8e63900a 4472 break;
5bf2eade 4473# endif
6597d62b
MC		 4474 default:
4475 /* We're skipping this test */
4476 return 1;
8e63900a 4477 }
4478
5e30f2fd
MC		 4479 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4480 TLS_client_method(), TLS1_VERSION,
4481 max_version, &sctx, &cctx, cert,
4482 privkey)))
8e63900a 4483 goto end;
4484
5bf2eade 4485 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4486 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4487 goto end;
4488
5bf2eade 4489 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4490 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4491 goto end;
4492
5bf2eade 4493 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4494 TLS1_TXT_RSA_WITH_AES_128_SHA)))
8e63900a 4495 goto end;
4496
dbc6268f
MC		 4497 /*
4498 * Must include an EC ciphersuite so that we send supported groups in
4499 * TLSv1.2
4500 */
5bf2eade 4501# ifndef OPENSSL_NO_TLS1_2
dbc6268f
MC		 4502 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4503 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
4504 TLS1_TXT_RSA_WITH_AES_128_SHA)))
8e63900a 4505 goto end;
5bf2eade 4506# endif
8e63900a 4507
4508 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4509 NULL, NULL)))
4510 goto end;
4511
4512 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4513 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4514 goto end;
4515
5bf2eade 4516 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8e63900a 4517 goto end;
8e63900a 4518
dbc6268f 4519 /*
5bf2eade 4520 * If Handshake succeeds the negotiated kexch alg should be the first one in
4521 * configured, except in the case of FFDHE groups (idx 13), which are
4522 * TLSv1.3 only so we expect no shared group to exist.
dbc6268f
MC		 4523 */
4524 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
5bf2eade 4525 idx == 13 ? 0 : kexch_groups[0]))
8e63900a 4526 goto end;
becbacd7
MB		 4527
4528 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
4529 kexch_name0))
4530 goto end;
4531
fb8c6db4 4532 if (max_version == TLS1_3_VERSION) {
4533 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4534 goto end;
4535 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4536 goto end;
4537 }
8e63900a 4538
4539 testresult = 1;
4540 end:
4541 SSL_free(serverssl);
4542 SSL_free(clientssl);
4543 SSL_CTX_free(sctx);
4544 SSL_CTX_free(cctx);
4545 return testresult;
4546}
4547
5bf2eade 4548/*
4549 * Test TLSv1.3 Cipher Suite
4550 * Test 0 = Set TLS1.3 cipher on context
4551 * Test 1 = Set TLS1.3 cipher on SSL
4552 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4553 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4554 */
4555static int test_tls13_ciphersuite(int idx)
4556{
4557 SSL_CTX *sctx = NULL, *cctx = NULL;
4558 SSL *serverssl = NULL, *clientssl = NULL;
4f6c7044
MC		 4559 static const struct {
4560 const char *ciphername;
4561 int fipscapable;
4562 } t13_ciphers[] = {
4563 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
4564 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
4565 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
5bf2eade 4566# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4f6c7044
MC		 4567 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4568 { TLS1_3_RFC_AES_256_GCM_SHA384
4569 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
5bf2eade 4570# endif
4f6c7044 4571 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
5bf2eade 4572 };
4573 const char *t13_cipher = NULL;
4574 const char *t12_cipher = NULL;
4575 const char *negotiated_scipher;
4576 const char *negotiated_ccipher;
4577 int set_at_ctx = 0;
4578 int set_at_ssl = 0;
4579 int testresult = 0;
4580 int max_ver;
4581 size_t i;
4582
4583 switch (idx) {
4584 case 0:
4585 set_at_ctx = 1;
4586 break;
4587 case 1:
4588 set_at_ssl = 1;
4589 break;
4590 case 2:
4591 set_at_ctx = 1;
2d900758 4592 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 4593 break;
4594 case 3:
4595 set_at_ssl = 1;
2d900758 4596 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 4597 break;
4598 }
4599
4600 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4601# ifdef OPENSSL_NO_TLS1_2
4602 if (max_ver == TLS1_2_VERSION)
4603 continue;
4604# endif
4605 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4f6c7044
MC		 4606 if (is_fips && !t13_ciphers[i].fipscapable)
4607 continue;
4608 t13_cipher = t13_ciphers[i].ciphername;
5e30f2fd 4609 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5bf2eade 4610 TLS_client_method(),
4611 TLS1_VERSION, max_ver,
4612 &sctx, &cctx, cert, privkey)))
4613 goto end;
4614
4615 if (set_at_ctx) {
4616 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4617 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4618 goto end;
4619 if (t12_cipher != NULL) {
4620 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
4621 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
4622 t12_cipher)))
4623 goto end;
4624 }
4625 }
4626
4627 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4628 &clientssl, NULL, NULL)))
4629 goto end;
4630
4631 if (set_at_ssl) {
4632 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
4633 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
4634 goto end;
4635 if (t12_cipher != NULL) {
4636 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
4637 || !TEST_true(SSL_set_cipher_list(clientssl,
4638 t12_cipher)))
4639 goto end;
4640 }
4641 }
4642
4643 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4644 SSL_ERROR_NONE)))
4645 goto end;
4646
4647 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4648 serverssl));
4649 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4650 clientssl));
4651 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
4652 goto end;
4653
4654 /*
4655 * TEST_strn_eq is used below because t13_cipher can contain
4656 * multiple ciphersuites
4657 */
4658 if (max_ver == TLS1_3_VERSION
4659 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
4660 strlen(negotiated_scipher)))
4661 goto end;
4662
4663# ifndef OPENSSL_NO_TLS1_2
4664 /* Below validation is not done when t12_cipher is NULL */
4665 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
4666 && !TEST_str_eq(t12_cipher, negotiated_scipher))
4667 goto end;
4668# endif
4669
4670 SSL_free(serverssl);
4671 serverssl = NULL;
4672 SSL_free(clientssl);
4673 clientssl = NULL;
4674 SSL_CTX_free(sctx);
4675 sctx = NULL;
4676 SSL_CTX_free(cctx);
4677 cctx = NULL;
4678 }
4679 }
4680
4681 testresult = 1;
4682 end:
4683 SSL_free(serverssl);
4684 SSL_free(clientssl);
4685 SSL_CTX_free(sctx);
4686 SSL_CTX_free(cctx);
4687 return testresult;
4688}
4689
0d8da779
MC		 4690/*
4691 * Test TLSv1.3 PSKs
4692 * Test 0 = Test new style callbacks
4693 * Test 1 = Test both new and old style callbacks
4694 * Test 2 = Test old style callbacks
4695 * Test 3 = Test old style callbacks with no certificate
4696 */
532f9578 4697static int test_tls13_psk(int idx)
ca8c71ba
MC		 4698{
4699 SSL_CTX *sctx = NULL, *cctx = NULL;
4700 SSL *serverssl = NULL, *clientssl = NULL;
4701 const SSL_CIPHER *cipher = NULL;
4702 const unsigned char key[] = {
4703 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4704 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 4705 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
4706 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 4707 };
4708 int testresult = 0;
4709
5e30f2fd
MC		 4710 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4711 TLS_client_method(), TLS1_VERSION, 0,
0d8da779
MC		 4712 &sctx, &cctx, idx == 3 ? NULL : cert,
4713 idx == 3 ? NULL : privkey)))
ca8c71ba
MC		 4714 goto end;
4715
0d8da779
MC		 4716 if (idx != 3) {
4717 /*
4718 * We use a ciphersuite with SHA256 to ease testing old style PSK
4719 * callbacks which will always default to SHA256. This should not be
4720 * necessary if we have no cert/priv key. In that case the server should
4721 * prefer SHA256 automatically.
4722 */
4723 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4724 "TLS_AES_128_GCM_SHA256")))
4725 goto end;
4f6c7044
MC		 4726 } else {
4727 /*
4728 * As noted above the server should prefer SHA256 automatically. However
4729 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
4730 * code works even if we are testing with only the FIPS provider loaded.
4731 */
4732 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4733 "TLS_AES_256_GCM_SHA384:"
4734 "TLS_AES_128_GCM_SHA256")))
4735 goto end;
0d8da779 4736 }
532f9578
MC		 4737
4738 /*
4739 * Test 0: New style callbacks only
4740 * Test 1: New and old style callbacks (only the new ones should be used)
4741 * Test 2: Old style callbacks only
4742 */
4743 if (idx == 0 || idx == 1) {
4744 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
4745 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
4746 }
c2b290c3 4747#ifndef OPENSSL_NO_PSK
0d8da779 4748 if (idx >= 1) {
532f9578
MC		 4749 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
4750 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
4751 }
c2b290c3 4752#endif
ca8c71ba 4753 srvid = pskid;
02a3ed5a
MC		 4754 use_session_cb_cnt = 0;
4755 find_session_cb_cnt = 0;
532f9578
MC		 4756 psk_client_cb_cnt = 0;
4757 psk_server_cb_cnt = 0;
ca8c71ba 4758
0d8da779
MC		 4759 if (idx != 3) {
4760 /*
4761 * Check we can create a connection if callback decides not to send a
4762 * PSK
4763 */
4764 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4765 NULL, NULL))
4766 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4767 SSL_ERROR_NONE))
4768 || !TEST_false(SSL_session_reused(clientssl))
4769 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 4770 goto end;
532f9578 4771
0d8da779
MC		 4772 if (idx == 0 || idx == 1) {
4773 if (!TEST_true(use_session_cb_cnt == 1)
4774 || !TEST_true(find_session_cb_cnt == 0)
4775 /*
4776 * If no old style callback then below should be 0
4777 * otherwise 1
4778 */
4779 || !TEST_true(psk_client_cb_cnt == idx)
4780 || !TEST_true(psk_server_cb_cnt == 0))
4781 goto end;
4782 } else {
4783 if (!TEST_true(use_session_cb_cnt == 0)
4784 || !TEST_true(find_session_cb_cnt == 0)
4785 || !TEST_true(psk_client_cb_cnt == 1)
4786 || !TEST_true(psk_server_cb_cnt == 0))
4787 goto end;
4788 }
4789
4790 shutdown_ssl_connection(serverssl, clientssl);
4791 serverssl = clientssl = NULL;
4792 use_session_cb_cnt = psk_client_cb_cnt = 0;
4793 }
ca8c71ba
MC		 4794
4795 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4796 NULL, NULL)))
4797 goto end;
4798
4799 /* Create the PSK */
532f9578 4800 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 4801 clientpsk = SSL_SESSION_new();
4802 if (!TEST_ptr(clientpsk)
ca8c71ba 4803 || !TEST_ptr(cipher)
57dee9bb
MC		 4804 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4805 sizeof(key)))
4806 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4807 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4808 TLS1_3_VERSION))
4809 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 4810 goto end;
57dee9bb 4811 serverpsk = clientpsk;
ca8c71ba
MC		 4812
4813 /* Check we can create a connection and the PSK is used */
4814 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4815 || !TEST_true(SSL_session_reused(clientssl))
532f9578 4816 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 4817 goto end;
4818
532f9578
MC		 4819 if (idx == 0 || idx == 1) {
4820 if (!TEST_true(use_session_cb_cnt == 1)
4821 || !TEST_true(find_session_cb_cnt == 1)
4822 || !TEST_true(psk_client_cb_cnt == 0)
4823 || !TEST_true(psk_server_cb_cnt == 0))
4824 goto end;
4825 } else {
4826 if (!TEST_true(use_session_cb_cnt == 0)
4827 || !TEST_true(find_session_cb_cnt == 0)
4828 || !TEST_true(psk_client_cb_cnt == 1)
4829 || !TEST_true(psk_server_cb_cnt == 1))
4830 goto end;
4831 }
4832
ca8c71ba
MC		 4833 shutdown_ssl_connection(serverssl, clientssl);
4834 serverssl = clientssl = NULL;
4835 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 4836 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 4837
4838 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4839 NULL, NULL)))
4840 goto end;
4841
4842 /* Force an HRR */
dbc6268f
MC		 4843#if defined(OPENSSL_NO_EC)
4844 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4845 goto end;
4846#else
ca8c71ba
MC		 4847 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4848 goto end;
dbc6268f 4849#endif
ca8c71ba
MC		 4850
4851 /*
4852 * Check we can create a connection, the PSK is used and the callbacks are
4853 * called twice.
4854 */
4855 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4856 || !TEST_true(SSL_session_reused(clientssl))
532f9578 4857 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 4858 goto end;
4859
532f9578
MC		 4860 if (idx == 0 || idx == 1) {
4861 if (!TEST_true(use_session_cb_cnt == 2)
4862 || !TEST_true(find_session_cb_cnt == 2)
4863 || !TEST_true(psk_client_cb_cnt == 0)
4864 || !TEST_true(psk_server_cb_cnt == 0))
4865 goto end;
4866 } else {
4867 if (!TEST_true(use_session_cb_cnt == 0)
4868 || !TEST_true(find_session_cb_cnt == 0)
4869 || !TEST_true(psk_client_cb_cnt == 2)
4870 || !TEST_true(psk_server_cb_cnt == 2))
4871 goto end;
4872 }
4873
ca8c71ba
MC		 4874 shutdown_ssl_connection(serverssl, clientssl);
4875 serverssl = clientssl = NULL;
4876 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 4877 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba 4878
0d8da779
MC		 4879 if (idx != 3) {
4880 /*
4881 * Check that if the server rejects the PSK we can still connect, but with
4882 * a full handshake
4883 */
4884 srvid = "Dummy Identity";
4885 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4886 NULL, NULL))
4887 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4888 SSL_ERROR_NONE))
4889 || !TEST_false(SSL_session_reused(clientssl))
4890 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 4891 goto end;
532f9578 4892
0d8da779
MC		 4893 if (idx == 0 || idx == 1) {
4894 if (!TEST_true(use_session_cb_cnt == 1)
4895 || !TEST_true(find_session_cb_cnt == 1)
4896 || !TEST_true(psk_client_cb_cnt == 0)
4897 /*
4898 * If no old style callback then below should be 0
4899 * otherwise 1
4900 */
4901 || !TEST_true(psk_server_cb_cnt == idx))
4902 goto end;
4903 } else {
4904 if (!TEST_true(use_session_cb_cnt == 0)
4905 || !TEST_true(find_session_cb_cnt == 0)
4906 || !TEST_true(psk_client_cb_cnt == 1)
4907 || !TEST_true(psk_server_cb_cnt == 1))
4908 goto end;
4909 }
4910
4911 shutdown_ssl_connection(serverssl, clientssl);
4912 serverssl = clientssl = NULL;
4913 }
ca8c71ba
MC		 4914 testresult = 1;
4915
4916 end:
57dee9bb
MC		 4917 SSL_SESSION_free(clientpsk);
4918 SSL_SESSION_free(serverpsk);
4919 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 4920 SSL_free(serverssl);
4921 SSL_free(clientssl);
4922 SSL_CTX_free(sctx);
4923 SSL_CTX_free(cctx);
4924 return testresult;
4925}
4926
c7b8ff25
MC		 4927static unsigned char cookie_magic_value[] = "cookie magic";
4928
4929static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
4930 unsigned int *cookie_len)
4931{
4932 /*
4933 * Not suitable as a real cookie generation function but good enough for
4934 * testing!
4935 */
97ea1e7f
MC		 4936 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
4937 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 4938
4939 return 1;
4940}
4941
4942static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
4943 unsigned int cookie_len)
4944{
97ea1e7f 4945 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 4946 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
4947 return 1;
4948
4949 return 0;
4950}
4951
3fa2812f
BS		 4952static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
4953 size_t *cookie_len)
4954{
4955 unsigned int temp;
4956 int res = generate_cookie_callback(ssl, cookie, &temp);
4957 *cookie_len = temp;
4958 return res;
4959}
4960
4961static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
4962 size_t cookie_len)
4963{
4964 return verify_cookie_callback(ssl, cookie, cookie_len);
4965}
4966
c7b8ff25
MC		 4967static int test_stateless(void)
4968{
4969 SSL_CTX *sctx = NULL, *cctx = NULL;
4970 SSL *serverssl = NULL, *clientssl = NULL;
4971 int testresult = 0;
4972
5e30f2fd
MC		 4973 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4974 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 4975 &sctx, &cctx, cert, privkey)))
c7b8ff25
MC		 4976 goto end;
4977
e440f513
MC		 4978 /* The arrival of CCS messages can confuse the test */
4979 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
4980
4981 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4982 NULL, NULL))
4983 /* Send the first ClientHello */
4984 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4985 SSL_ERROR_WANT_READ))
4986 /*
4987 * This should fail with a -1 return because we have no callbacks
4988 * set up
4989 */
4990 || !TEST_int_eq(SSL_stateless(serverssl), -1))
4991 goto end;
4992
4993 /* Fatal error so abandon the connection from this client */
4994 SSL_free(clientssl);
4995 clientssl = NULL;
4996
c7b8ff25 4997 /* Set up the cookie generation and verification callbacks */
3fa2812f
BS		 4998 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
4999 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
c7b8ff25 5000
e440f513
MC		 5001 /*
5002 * Create a new connection from the client (we can reuse the server SSL
5003 * object).
5004 */
c7b8ff25
MC		 5005 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5006 NULL, NULL))
5007 /* Send the first ClientHello */
5008 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5009 SSL_ERROR_WANT_READ))
5010 /* This should fail because there is no cookie */
e440f513 5011 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 5012 goto end;
5013
5014 /* Abandon the connection from this client */
5015 SSL_free(clientssl);
5016 clientssl = NULL;
5017
5018 /*
5019 * Now create a connection from a new client but with the same server SSL
5020 * object
5021 */
5022 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5023 NULL, NULL))
5024 /* Send the first ClientHello */
5025 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5026 SSL_ERROR_WANT_READ))
5027 /* This should fail because there is no cookie */
e440f513 5028 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 5029 /* Send the second ClientHello */
5030 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5031 SSL_ERROR_WANT_READ))
5032 /* This should succeed because a cookie is now present */
e440f513 5033 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 5034 /* Complete the connection */
5035 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5036 SSL_ERROR_NONE)))
5037 goto end;
5038
5039 shutdown_ssl_connection(serverssl, clientssl);
5040 serverssl = clientssl = NULL;
5041 testresult = 1;
5042
5043 end:
5044 SSL_free(serverssl);
5045 SSL_free(clientssl);
5046 SSL_CTX_free(sctx);
5047 SSL_CTX_free(cctx);
5048 return testresult;
5049
5050}
ca0413ae 5051#endif /* OPENSSL_NO_TLS1_3 */
5f982038 5052
a37008d9
MC		 5053static int clntaddoldcb = 0;
5054static int clntparseoldcb = 0;
5055static int srvaddoldcb = 0;
5056static int srvparseoldcb = 0;
5057static int clntaddnewcb = 0;
5058static int clntparsenewcb = 0;
5059static int srvaddnewcb = 0;
5060static int srvparsenewcb = 0;
bb01ef3f 5061static int snicb = 0;
a37008d9
MC		 5062
5063#define TEST_EXT_TYPE1 0xff00
5064
5065static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5066 size_t *outlen, int *al, void *add_arg)
5067{
5068 int *server = (int *)add_arg;
5069 unsigned char *data;
5070
5071 if (SSL_is_server(s))
5072 srvaddoldcb++;
5073 else
5074 clntaddoldcb++;
5075
710756a9
RS		 5076 if (*server != SSL_is_server(s)
5077 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5078 return -1;
5079
5080 *data = 1;
5081 *out = data;
5082 *outlen = sizeof(char);
a37008d9
MC		 5083 return 1;
5084}
5085
5086static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5087 void *add_arg)
5088{
5089 OPENSSL_free((unsigned char *)out);
5090}
5091
5092static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5093 size_t inlen, int *al, void *parse_arg)
5094{
5095 int *server = (int *)parse_arg;
5096
5097 if (SSL_is_server(s))
5098 srvparseoldcb++;
5099 else
5100 clntparseoldcb++;
5101
710756a9
RS		 5102 if (*server != SSL_is_server(s)
5103 || inlen != sizeof(char)
5104 || *in != 1)
a37008d9
MC		 5105 return -1;
5106
5107 return 1;
5108}
5109
5110static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5111 const unsigned char **out, size_t *outlen, X509 *x,
5112 size_t chainidx, int *al, void *add_arg)
5113{
5114 int *server = (int *)add_arg;
5115 unsigned char *data;
5116
5117 if (SSL_is_server(s))
5118 srvaddnewcb++;
5119 else
5120 clntaddnewcb++;
5121
710756a9
RS		 5122 if (*server != SSL_is_server(s)
5123 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5124 return -1;
5125
5126 *data = 1;
5127 *out = data;
710756a9 5128 *outlen = sizeof(*data);
a37008d9
MC		 5129 return 1;
5130}
5131
5132static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5133 const unsigned char *out, void *add_arg)
5134{
5135 OPENSSL_free((unsigned char *)out);
5136}
5137
5138static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5139 const unsigned char *in, size_t inlen, X509 *x,
5140 size_t chainidx, int *al, void *parse_arg)
5141{
5142 int *server = (int *)parse_arg;
5143
5144 if (SSL_is_server(s))
5145 srvparsenewcb++;
5146 else
5147 clntparsenewcb++;
5148
710756a9
RS		 5149 if (*server != SSL_is_server(s)
5150 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 5151 return -1;
5152
5153 return 1;
5154}
bb01ef3f
MC		 5155
5156static int sni_cb(SSL *s, int *al, void *arg)
5157{
5158 SSL_CTX *ctx = (SSL_CTX *)arg;
5159
5160 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5161 *al = SSL_AD_INTERNAL_ERROR;
5162 return SSL_TLSEXT_ERR_ALERT_FATAL;
5163 }
5164 snicb++;
5165 return SSL_TLSEXT_ERR_OK;
5166}
5167
a37008d9
MC		 5168/*
5169 * Custom call back tests.
5170 * Test 0: Old style callbacks in TLSv1.2
5171 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 5172 * Test 2: New style callbacks in TLSv1.2 with SNI
5173 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5174 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
a37008d9 5175 */
710756a9
RS		 5176static int test_custom_exts(int tst)
5177{
bb01ef3f 5178 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 5179 SSL *clientssl = NULL, *serverssl = NULL;
5180 int testresult = 0;
5181 static int server = 1;
5182 static int client = 0;
5183 SSL_SESSION *sess = NULL;
5184 unsigned int context;
5185
c423ecaa
MC		 5186#if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
5187 /* Skip tests for TLSv1.2 and below in this case */
5188 if (tst < 3)
5189 return 1;
5190#endif
5191
a37008d9
MC		 5192 /* Reset callback counters */
5193 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5194 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 5195 snicb = 0;
a37008d9 5196
5e30f2fd
MC		 5197 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5198 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5199 &sctx, &cctx, cert, privkey)))
710756a9 5200 goto end;
a37008d9 5201
bb01ef3f 5202 if (tst == 2
5e30f2fd 5203 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5c587fb6 5204 TLS1_VERSION, 0,
7d7f6834 5205 &sctx2, NULL, cert, privkey)))
bb01ef3f
MC		 5206 goto end;
5207
5208
5209 if (tst < 3) {
a37008d9
MC		 5210 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5211 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 5212 if (sctx2 != NULL)
5213 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 5214 }
5215
bb01ef3f 5216 if (tst == 4) {
710756a9
RS		 5217 context = SSL_EXT_CLIENT_HELLO
5218 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 5219 | SSL_EXT_TLS1_3_SERVER_HELLO
5220 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5221 | SSL_EXT_TLS1_3_CERTIFICATE
5222 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5223 } else {
710756a9
RS		 5224 context = SSL_EXT_CLIENT_HELLO
5225 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 5226 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5227 }
5228
5229 /* Create a client side custom extension */
5230 if (tst == 0) {
710756a9
RS		 5231 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5232 old_add_cb, old_free_cb,
5233 &client, old_parse_cb,
5234 &client)))
5235 goto end;
a37008d9 5236 } else {
710756a9
RS		 5237 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5238 new_add_cb, new_free_cb,
5239 &client, new_parse_cb, &client)))
5240 goto end;
a37008d9
MC		 5241 }
5242
5243 /* Should not be able to add duplicates */
710756a9
RS		 5244 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5245 old_add_cb, old_free_cb,
5246 &client, old_parse_cb,
5247 &client))
5248 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5249 context, new_add_cb,
5250 new_free_cb, &client,
5251 new_parse_cb, &client)))
5252 goto end;
a37008d9
MC		 5253
5254 /* Create a server side custom extension */
5255 if (tst == 0) {
710756a9
RS		 5256 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5257 old_add_cb, old_free_cb,
5258 &server, old_parse_cb,
5259 &server)))
5260 goto end;
a37008d9 5261 } else {
710756a9
RS		 5262 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5263 new_add_cb, new_free_cb,
5264 &server, new_parse_cb, &server)))
5265 goto end;
bb01ef3f
MC		 5266 if (sctx2 != NULL
5267 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5268 context, new_add_cb,
5269 new_free_cb, &server,
5270 new_parse_cb, &server)))
5271 goto end;
a37008d9
MC		 5272 }
5273
5274 /* Should not be able to add duplicates */
710756a9
RS		 5275 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5276 old_add_cb, old_free_cb,
5277 &server, old_parse_cb,
5278 &server))
5279 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5280 context, new_add_cb,
5281 new_free_cb, &server,
5282 new_parse_cb, &server)))
a37008d9 5283 goto end;
a37008d9 5284
bb01ef3f
MC		 5285 if (tst == 2) {
5286 /* Set up SNI */
5287 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5288 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5289 goto end;
5290 }
5291
710756a9
RS		 5292 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5293 &clientssl, NULL, NULL))
5294 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5295 SSL_ERROR_NONE)))
a37008d9 5296 goto end;
a37008d9
MC		 5297
5298 if (tst == 0) {
710756a9
RS		 5299 if (clntaddoldcb != 1
5300 || clntparseoldcb != 1
5301 || srvaddoldcb != 1
5302 || srvparseoldcb != 1)
a37008d9 5303 goto end;
bb01ef3f 5304 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 5305 if (clntaddnewcb != 1
5306 || clntparsenewcb != 1
5307 || srvaddnewcb != 1
bb01ef3f
MC		 5308 || srvparsenewcb != 1
5309 || (tst != 2 && snicb != 0)
5310 || (tst == 2 && snicb != 1))
a37008d9 5311 goto end;
a37008d9 5312 } else {
36ff232c 5313 /* In this case there 2 NewSessionTicket messages created */
710756a9 5314 if (clntaddnewcb != 1
36ff232c
MC		 5315 || clntparsenewcb != 5
5316 || srvaddnewcb != 5
710756a9 5317 || srvparsenewcb != 1)
a37008d9 5318 goto end;
a37008d9
MC		 5319 }
5320
5321 sess = SSL_get1_session(clientssl);
a37008d9
MC		 5322 SSL_shutdown(clientssl);
5323 SSL_shutdown(serverssl);
a37008d9
MC		 5324 SSL_free(serverssl);
5325 SSL_free(clientssl);
5326 serverssl = clientssl = NULL;
5327
bb01ef3f
MC		 5328 if (tst == 3) {
5329 /* We don't bother with the resumption aspects for this test */
5330 testresult = 1;
5331 goto end;
5332 }
5333
710756a9
RS		 5334 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5335 NULL, NULL))
5336 || !TEST_true(SSL_set_session(clientssl, sess))
5337 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5338 SSL_ERROR_NONE)))
a37008d9 5339 goto end;
a37008d9
MC		 5340
5341 /*
5342 * For a resumed session we expect to add the ClientHello extension. For the
5343 * old style callbacks we ignore it on the server side because they set
5344 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5345 * them.
5346 */
5347 if (tst == 0) {
710756a9
RS		 5348 if (clntaddoldcb != 2
5349 || clntparseoldcb != 1
5350 || srvaddoldcb != 1
5351 || srvparseoldcb != 1)
a37008d9 5352 goto end;
bb01ef3f 5353 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 5354 if (clntaddnewcb != 2
5355 || clntparsenewcb != 2
5356 || srvaddnewcb != 2
5357 || srvparsenewcb != 2)
a37008d9 5358 goto end;
a37008d9 5359 } else {
36ff232c
MC		 5360 /*
5361 * No Certificate message extensions in the resumption handshake,
5362 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5363 */
710756a9 5364 if (clntaddnewcb != 2
36ff232c
MC		 5365 || clntparsenewcb != 8
5366 || srvaddnewcb != 8
710756a9 5367 || srvparsenewcb != 2)
a37008d9 5368 goto end;
a37008d9
MC		 5369 }
5370
5371 testresult = 1;
5372
5373end:
5374 SSL_SESSION_free(sess);
5375 SSL_free(serverssl);
5376 SSL_free(clientssl);
bb01ef3f 5377 SSL_CTX_free(sctx2);
a37008d9
MC		 5378 SSL_CTX_free(sctx);
5379 SSL_CTX_free(cctx);
a37008d9
MC		 5380 return testresult;
5381}
5382
16afd71c
MC		 5383/*
5384 * Test loading of serverinfo data in various formats. test_sslmessages actually
5385 * tests to make sure the extensions appear in the handshake
5386 */
5387static int test_serverinfo(int tst)
5388{
5389 unsigned int version;
5390 unsigned char *sibuf;
5391 size_t sibuflen;
5392 int ret, expected, testresult = 0;
5393 SSL_CTX *ctx;
5394
d8652be0 5395 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method());
16afd71c
MC		 5396 if (!TEST_ptr(ctx))
5397 goto end;
5398
5399 if ((tst & 0x01) == 0x01)
5400 version = SSL_SERVERINFOV2;
5401 else
5402 version = SSL_SERVERINFOV1;
5403
5404 if ((tst & 0x02) == 0x02) {
5405 sibuf = serverinfov2;
5406 sibuflen = sizeof(serverinfov2);
5407 expected = (version == SSL_SERVERINFOV2);
5408 } else {
5409 sibuf = serverinfov1;
5410 sibuflen = sizeof(serverinfov1);
5411 expected = (version == SSL_SERVERINFOV1);
5412 }
5413
5414 if ((tst & 0x04) == 0x04) {
5415 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5416 } else {
5417 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5418
5419 /*
5420 * The version variable is irrelevant in this case - it's what is in the
5421 * buffer that matters
5422 */
5423 if ((tst & 0x02) == 0x02)
5424 expected = 0;
5425 else
5426 expected = 1;
5427 }
5428
5429 if (!TEST_true(ret == expected))
5430 goto end;
5431
5432 testresult = 1;
5433
5434 end:
5435 SSL_CTX_free(ctx);
5436
5437 return testresult;
5438}
5439
2197d1df
MC		 5440/*
5441 * Test that SSL_export_keying_material() produces expected results. There are
5442 * no test vectors so all we do is test that both sides of the communication
5443 * produce the same results for different protocol versions.
5444 */
0fb2815b
MC		 5445#define SMALL_LABEL_LEN 10
5446#define LONG_LABEL_LEN 249
2197d1df
MC		 5447static int test_export_key_mat(int tst)
5448{
a599574b 5449 int testresult = 0;
2197d1df
MC		 5450 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5451 SSL *clientssl = NULL, *serverssl = NULL;
0fb2815b 5452 const char label[LONG_LABEL_LEN + 1] = "test label";
2197d1df
MC		 5453 const unsigned char context[] = "context";
5454 const unsigned char *emptycontext = NULL;
5455 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5456 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
0fb2815b 5457 size_t labellen;
a599574b
MC		 5458 const int protocols[] = {
5459 TLS1_VERSION,
5460 TLS1_1_VERSION,
5461 TLS1_2_VERSION,
0fb2815b
MC		 5462 TLS1_3_VERSION,
5463 TLS1_3_VERSION,
a599574b
MC		 5464 TLS1_3_VERSION
5465 };
2197d1df
MC		 5466
5467#ifdef OPENSSL_NO_TLS1
5468 if (tst == 0)
5469 return 1;
5470#endif
5471#ifdef OPENSSL_NO_TLS1_1
5472 if (tst == 1)
5473 return 1;
5474#endif
4f6c7044
MC		 5475 if (is_fips && (tst == 0 || tst == 1))
5476 return 1;
2197d1df
MC		 5477#ifdef OPENSSL_NO_TLS1_2
5478 if (tst == 2)
5479 return 1;
5480#endif
5481#ifdef OPENSSL_NO_TLS1_3
0fb2815b 5482 if (tst >= 3)
2197d1df
MC		 5483 return 1;
5484#endif
5e30f2fd
MC		 5485 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5486 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5487 &sctx, &cctx, cert, privkey)))
2197d1df
MC		 5488 goto end;
5489
a599574b
MC		 5490 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5491 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5492 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
aba03ae5
KR		 5493 if ((protocols[tst] < TLS1_2_VERSION) &&
5494 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
5495 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
5496 goto end;
2197d1df
MC		 5497
5498 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
ea9f6890
TM		 5499 NULL)))
5500 goto end;
5501
5502 /*
5503 * Premature call of SSL_export_keying_material should just fail.
5504 */
5505 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5506 sizeof(ckeymat1), label,
5507 SMALL_LABEL_LEN + 1, context,
5508 sizeof(context) - 1, 1), 0))
5509 goto end;
5510
5511 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5512 SSL_ERROR_NONE)))
2197d1df
MC		 5513 goto end;
5514
0fb2815b
MC		 5515 if (tst == 5) {
5516 /*
5517 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5518 * go over that.
5519 */
5520 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5521 sizeof(ckeymat1), label,
5522 LONG_LABEL_LEN + 1, context,
5523 sizeof(context) - 1, 1), 0))
5524 goto end;
5525
5526 testresult = 1;
5527 goto end;
5528 } else if (tst == 4) {
5529 labellen = LONG_LABEL_LEN;
5530 } else {
5531 labellen = SMALL_LABEL_LEN;
5532 }
5533
2197d1df
MC		 5534 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5535 sizeof(ckeymat1), label,
0fb2815b 5536 labellen, context,
2197d1df
MC		 5537 sizeof(context) - 1, 1), 1)
5538 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5539 sizeof(ckeymat2), label,
0fb2815b 5540 labellen,
2197d1df
MC		 5541 emptycontext,
5542 0, 1), 1)
5543 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5544 sizeof(ckeymat3), label,
0fb2815b 5545 labellen,
2197d1df
MC		 5546 NULL, 0, 0), 1)
5547 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5548 sizeof(skeymat1), label,
0fb2815b 5549 labellen,
2197d1df
MC		 5550 context,
5551 sizeof(context) -1, 1),
5552 1)
5553 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5554 sizeof(skeymat2), label,
0fb2815b 5555 labellen,
2197d1df
MC		 5556 emptycontext,
5557 0, 1), 1)
5558 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5559 sizeof(skeymat3), label,
0fb2815b 5560 labellen,
2197d1df
MC		 5561 NULL, 0, 0), 1)
5562 /*
5563 * Check that both sides created the same key material with the
5564 * same context.
5565 */
5566 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5567 sizeof(skeymat1))
5568 /*
5569 * Check that both sides created the same key material with an
5570 * empty context.
5571 */
5572 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5573 sizeof(skeymat2))
5574 /*
5575 * Check that both sides created the same key material without a
5576 * context.
5577 */
5578 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5579 sizeof(skeymat3))
5580 /* Different contexts should produce different results */
5581 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5582 sizeof(ckeymat2)))
5583 goto end;
5584
5585 /*
5586 * Check that an empty context and no context produce different results in
5587 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5588 */
0fb2815b 5589 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
2197d1df 5590 sizeof(ckeymat3)))
0fb2815b
MC		 5591 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
5592 sizeof(ckeymat3))))
2197d1df
MC		 5593 goto end;
5594
5595 testresult = 1;
5596
5597 end:
5598 SSL_free(serverssl);
5599 SSL_free(clientssl);
5600 SSL_CTX_free(sctx2);
5601 SSL_CTX_free(sctx);
5602 SSL_CTX_free(cctx);
5603
5604 return testresult;
5605}
5606
b38ede80
TT		 5607#ifndef OPENSSL_NO_TLS1_3
5608/*
5609 * Test that SSL_export_keying_material_early() produces expected
5610 * results. There are no test vectors so all we do is test that both
5611 * sides of the communication produce the same results for different
5612 * protocol versions.
5613 */
5614static int test_export_key_mat_early(int idx)
5615{
5616 static const char label[] = "test label";
5617 static const unsigned char context[] = "context";
5618 int testresult = 0;
5619 SSL_CTX *cctx = NULL, *sctx = NULL;
5620 SSL *clientssl = NULL, *serverssl = NULL;
5621 SSL_SESSION *sess = NULL;
5622 const unsigned char *emptycontext = NULL;
5623 unsigned char ckeymat1[80], ckeymat2[80];
5624 unsigned char skeymat1[80], skeymat2[80];
5625 unsigned char buf[1];
5626 size_t readbytes, written;
5627
5628 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
5629 &sess, idx)))
5630 goto end;
5631
5632 /* Here writing 0 length early data is enough. */
5633 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
5634 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
5635 &readbytes),
5636 SSL_READ_EARLY_DATA_ERROR)
5637 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5638 SSL_EARLY_DATA_ACCEPTED))
5639 goto end;
5640
5641 if (!TEST_int_eq(SSL_export_keying_material_early(
5642 clientssl, ckeymat1, sizeof(ckeymat1), label,
5643 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5644 || !TEST_int_eq(SSL_export_keying_material_early(
5645 clientssl, ckeymat2, sizeof(ckeymat2), label,
5646 sizeof(label) - 1, emptycontext, 0), 1)
5647 || !TEST_int_eq(SSL_export_keying_material_early(
5648 serverssl, skeymat1, sizeof(skeymat1), label,
5649 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5650 || !TEST_int_eq(SSL_export_keying_material_early(
5651 serverssl, skeymat2, sizeof(skeymat2), label,
5652 sizeof(label) - 1, emptycontext, 0), 1)
5653 /*
5654 * Check that both sides created the same key material with the
5655 * same context.
5656 */
5657 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5658 sizeof(skeymat1))
5659 /*
5660 * Check that both sides created the same key material with an
5661 * empty context.
5662 */
5663 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5664 sizeof(skeymat2))
5665 /* Different contexts should produce different results */
5666 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5667 sizeof(ckeymat2)))
5668 goto end;
5669
5670 testresult = 1;
5671
5672 end:
c20e3b28 5673 SSL_SESSION_free(sess);
b38ede80
TT		 5674 SSL_SESSION_free(clientpsk);
5675 SSL_SESSION_free(serverpsk);
34ff74eb 5676 clientpsk = serverpsk = NULL;
b38ede80
TT		 5677 SSL_free(serverssl);
5678 SSL_free(clientssl);
5679 SSL_CTX_free(sctx);
5680 SSL_CTX_free(cctx);
5681
5682 return testresult;
5683}
3409a5ff
MC		 5684
5685#define NUM_KEY_UPDATE_MESSAGES 40
5686/*
5687 * Test KeyUpdate.
5688 */
5689static int test_key_update(void)
5690{
5691 SSL_CTX *cctx = NULL, *sctx = NULL;
5692 SSL *clientssl = NULL, *serverssl = NULL;
5693 int testresult = 0, i, j;
5694 char buf[20];
5695 static char *mess = "A test message";
5696
5e30f2fd 5697 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3409a5ff
MC		 5698 TLS_client_method(),
5699 TLS1_3_VERSION,
5700 0,
5701 &sctx, &cctx, cert, privkey))
5702 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5703 NULL, NULL))
5704 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5705 SSL_ERROR_NONE)))
5706 goto end;
5707
5708 for (j = 0; j < 2; j++) {
5709 /* Send lots of KeyUpdate messages */
5710 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
5711 if (!TEST_true(SSL_key_update(clientssl,
5712 (j == 0)
5713 ? SSL_KEY_UPDATE_NOT_REQUESTED
5714 : SSL_KEY_UPDATE_REQUESTED))
5715 || !TEST_true(SSL_do_handshake(clientssl)))
5716 goto end;
5717 }
5718
5719 /* Check that sending and receiving app data is ok */
5720 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
5721 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
5722 strlen(mess)))
5723 goto end;
a77b4dba
MC		 5724
5725 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
5726 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
5727 strlen(mess)))
5728 goto end;
3409a5ff
MC		 5729 }
5730
5731 testresult = 1;
5732
5733 end:
5734 SSL_free(serverssl);
5735 SSL_free(clientssl);
5736 SSL_CTX_free(sctx);
5737 SSL_CTX_free(cctx);
5738
5739 return testresult;
5740}
a77b4dba
MC		 5741
5742/*
5743 * Test we can handle a KeyUpdate (update requested) message while write data
5744 * is pending.
5745 * Test 0: Client sends KeyUpdate while Server is writing
5746 * Test 1: Server sends KeyUpdate while Client is writing
5747 */
5748static int test_key_update_in_write(int tst)
5749{
5750 SSL_CTX *cctx = NULL, *sctx = NULL;
5751 SSL *clientssl = NULL, *serverssl = NULL;
5752 int testresult = 0;
5753 char buf[20];
5754 static char *mess = "A test message";
5755 BIO *bretry = BIO_new(bio_s_always_retry());
5756 BIO *tmp = NULL;
5757 SSL *peerupdate = NULL, *peerwrite = NULL;
5758
5759 if (!TEST_ptr(bretry)
5e30f2fd 5760 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
a77b4dba
MC		 5761 TLS_client_method(),
5762 TLS1_3_VERSION,
5763 0,
5764 &sctx, &cctx, cert, privkey))
5765 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5766 NULL, NULL))
5767 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5768 SSL_ERROR_NONE)))
5769 goto end;
5770
5771 peerupdate = tst == 0 ? clientssl : serverssl;
5772 peerwrite = tst == 0 ? serverssl : clientssl;
5773
5774 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
5775 || !TEST_true(SSL_do_handshake(peerupdate)))
5776 goto end;
5777
5778 /* Swap the writing endpoint's write BIO to force a retry */
5779 tmp = SSL_get_wbio(peerwrite);
5780 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
5781 tmp = NULL;
5782 goto end;
5783 }
5784 SSL_set0_wbio(peerwrite, bretry);
5785 bretry = NULL;
5786
5787 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
5788 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
5789 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
5790 goto end;
5791
5792 /* Reinstate the original writing endpoint's write BIO */
5793 SSL_set0_wbio(peerwrite, tmp);
5794 tmp = NULL;
5795
5796 /* Now read some data - we will read the key update */
5797 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
5798 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
5799 goto end;
5800
5801 /*
5802 * Complete the write we started previously and read it from the other
5803 * endpoint
5804 */
5805 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5806 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5807 goto end;
5808
5809 /* Write more data to ensure we send the KeyUpdate message back */
5810 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5811 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5812 goto end;
5813
5814 testresult = 1;
5815
5816 end:
5817 SSL_free(serverssl);
5818 SSL_free(clientssl);
5819 SSL_CTX_free(sctx);
5820 SSL_CTX_free(cctx);
5821 BIO_free(bretry);
5822 BIO_free(tmp);
5823
5824 return testresult;
5825}
b38ede80
TT		 5826#endif /* OPENSSL_NO_TLS1_3 */
5827
e11b6aa4
MC		 5828static int test_ssl_clear(int idx)
5829{
5830 SSL_CTX *cctx = NULL, *sctx = NULL;
5831 SSL *clientssl = NULL, *serverssl = NULL;
5832 int testresult = 0;
5833
5834#ifdef OPENSSL_NO_TLS1_2
5835 if (idx == 1)
5836 return 1;
5837#endif
5838
5839 /* Create an initial connection */
5e30f2fd
MC		 5840 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5841 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5842 &sctx, &cctx, cert, privkey))
e11b6aa4
MC		 5843 || (idx == 1
5844 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5845 TLS1_2_VERSION)))
5846 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5847 &clientssl, NULL, NULL))
5848 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5849 SSL_ERROR_NONE)))
5850 goto end;
5851
5852 SSL_shutdown(clientssl);
5853 SSL_shutdown(serverssl);
5854 SSL_free(serverssl);
5855 serverssl = NULL;
5856
5857 /* Clear clientssl - we're going to reuse the object */
5858 if (!TEST_true(SSL_clear(clientssl)))
5859 goto end;
5860
5861 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5862 NULL, NULL))
5863 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5864 SSL_ERROR_NONE))
5865 || !TEST_true(SSL_session_reused(clientssl)))
5866 goto end;
5867
5868 SSL_shutdown(clientssl);
5869 SSL_shutdown(serverssl);
5870
5871 testresult = 1;
5872
5873 end:
5874 SSL_free(serverssl);
5875 SSL_free(clientssl);
5876 SSL_CTX_free(sctx);
5877 SSL_CTX_free(cctx);
5878
5879 return testresult;
5880}
5881
cf72c757
F		 5882/* Parse CH and retrieve any MFL extension value if present */
5883static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5884{
5885 long len;
5886 unsigned char *data;
72962d02 5887 PACKET pkt, pkt2, pkt3;
cf72c757
F		 5888 unsigned int MFL_code = 0, type = 0;
5889
5890 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5891 goto end;
5892
72962d02
P		 5893 memset(&pkt, 0, sizeof(pkt));
5894 memset(&pkt2, 0, sizeof(pkt2));
5895 memset(&pkt3, 0, sizeof(pkt3));
5896
cf72c757
F		 5897 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5898 /* Skip the record header */
5899 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5900 /* Skip the handshake message header */
5901 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5902 /* Skip client version and random */
5903 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5904 + SSL3_RANDOM_SIZE))
5905 /* Skip session id */
5906 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5907 /* Skip ciphers */
5908 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5909 /* Skip compression */
5910 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5911 /* Extensions len */
5912 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5913 goto end;
5914
5915 /* Loop through all extensions */
5916 while (PACKET_remaining(&pkt2)) {
5917 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5918 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5919 goto end;
5920
5921 if (type == TLSEXT_TYPE_max_fragment_length) {
5922 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5923 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5924 goto end;
5925
5926 *mfl_codemfl_code = MFL_code;
5927 return 1;
5928 }
5929 }
5930
5931 end:
5932 return 0;
5933}
5934
5935/* Maximum-Fragment-Length TLS extension mode to test */
5936static const unsigned char max_fragment_len_test[] = {
5937 TLSEXT_max_fragment_length_512,
5938 TLSEXT_max_fragment_length_1024,
5939 TLSEXT_max_fragment_length_2048,
5940 TLSEXT_max_fragment_length_4096
5941};
5942
5943static int test_max_fragment_len_ext(int idx_tst)
5944{
5945 SSL_CTX *ctx;
5946 SSL *con = NULL;
5947 int testresult = 0, MFL_mode = 0;
5948 BIO *rbio, *wbio;
5949
d8652be0 5950 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method());
cf72c757
F		 5951 if (!TEST_ptr(ctx))
5952 goto end;
5953
5954 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
5955 ctx, max_fragment_len_test[idx_tst])))
5956 goto end;
5957
5958 con = SSL_new(ctx);
5959 if (!TEST_ptr(con))
5960 goto end;
5961
5962 rbio = BIO_new(BIO_s_mem());
5963 wbio = BIO_new(BIO_s_mem());
5964 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
5965 BIO_free(rbio);
5966 BIO_free(wbio);
5967 goto end;
5968 }
5969
5970 SSL_set_bio(con, rbio, wbio);
5971 SSL_set_connect_state(con);
5972
5973 if (!TEST_int_le(SSL_connect(con), 0)) {
5974 /* This shouldn't succeed because we don't have a server! */
5975 goto end;
5976 }
5977
5978 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
5979 /* no MFL in client hello */
5980 goto end;
5981 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
5982 goto end;
5983
5984 testresult = 1;
5985
5986end:
5987 SSL_free(con);
5988 SSL_CTX_free(ctx);
5989
5990 return testresult;
5991}
5992
9d75dce3
TS		 5993#ifndef OPENSSL_NO_TLS1_3
5994static int test_pha_key_update(void)
5995{
5996 SSL_CTX *cctx = NULL, *sctx = NULL;
5997 SSL *clientssl = NULL, *serverssl = NULL;
5998 int testresult = 0;
5999
5e30f2fd
MC		 6000 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6001 TLS_client_method(), TLS1_VERSION, 0,
9d75dce3
TS		 6002 &sctx, &cctx, cert, privkey)))
6003 return 0;
6004
6005 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
6006 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
6007 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
6008 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
6009 goto end;
6010
e97be718 6011 SSL_CTX_set_post_handshake_auth(cctx, 1);
9d75dce3
TS		 6012
6013 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6014 NULL, NULL)))
6015 goto end;
6016
9d75dce3
TS		 6017 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6018 SSL_ERROR_NONE)))
6019 goto end;
6020
6021 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6022 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6023 goto end;
6024
6025 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
6026 goto end;
6027
6028 /* Start handshake on the server */
6029 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
6030 goto end;
6031
6032 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
6033 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6034 SSL_ERROR_NONE)))
6035 goto end;
6036
6037 SSL_shutdown(clientssl);
6038 SSL_shutdown(serverssl);
6039
6040 testresult = 1;
6041
6042 end:
6043 SSL_free(serverssl);
6044 SSL_free(clientssl);
6045 SSL_CTX_free(sctx);
6046 SSL_CTX_free(cctx);
6047 return testresult;
6048}
6049#endif
6050
76fd7a1d
MC		 6051#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6052
6053static SRP_VBASE *vbase = NULL;
6054
6055static int ssl_srp_cb(SSL *s, int *ad, void *arg)
6056{
6057 int ret = SSL3_AL_FATAL;
6058 char *username;
6059 SRP_user_pwd *user = NULL;
6060
6061 username = SSL_get_srp_username(s);
6062 if (username == NULL) {
6063 *ad = SSL_AD_INTERNAL_ERROR;
6064 goto err;
6065 }
6066
6067 user = SRP_VBASE_get1_by_user(vbase, username);
6068 if (user == NULL) {
6069 *ad = SSL_AD_INTERNAL_ERROR;
6070 goto err;
6071 }
6072
6073 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
6074 user->info) <= 0) {
6075 *ad = SSL_AD_INTERNAL_ERROR;
6076 goto err;
6077 }
6078
6079 ret = 0;
6080
6081 err:
6082 SRP_user_pwd_free(user);
6083 return ret;
6084}
6085
6086static int create_new_vfile(char *userid, char *password, const char *filename)
6087{
6088 char *gNid = NULL;
6089 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
6090 TXT_DB *db = NULL;
6091 int ret = 0;
6092 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
6093 size_t i;
6094
6095 if (!TEST_ptr(dummy) || !TEST_ptr(row))
6096 goto end;
6097
20c00d0a 6098 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
5e30f2fd 6099 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
76fd7a1d
MC		 6100 if (!TEST_ptr(gNid))
6101 goto end;
6102
6103 /*
6104 * The only way to create an empty TXT_DB is to provide a BIO with no data
6105 * in it!
6106 */
6107 db = TXT_DB_read(dummy, DB_NUMBER);
6108 if (!TEST_ptr(db))
6109 goto end;
6110
6111 out = BIO_new_file(filename, "w");
6112 if (!TEST_ptr(out))
6113 goto end;
6114
6115 row[DB_srpid] = OPENSSL_strdup(userid);
6116 row[DB_srptype] = OPENSSL_strdup("V");
6117 row[DB_srpgN] = OPENSSL_strdup(gNid);
6118
6119 if (!TEST_ptr(row[DB_srpid])
6120 || !TEST_ptr(row[DB_srptype])
6121 || !TEST_ptr(row[DB_srpgN])
6122 || !TEST_true(TXT_DB_insert(db, row)))
6123 goto end;
6124
6125 row = NULL;
6126
6127 if (!TXT_DB_write(out, db))
6128 goto end;
6129
6130 ret = 1;
6131 end:
6132 if (row != NULL) {
6133 for (i = 0; i < DB_NUMBER; i++)
6134 OPENSSL_free(row[i]);
6135 }
6136 OPENSSL_free(row);
6137 BIO_free(dummy);
6138 BIO_free(out);
6139 TXT_DB_free(db);
6140
6141 return ret;
6142}
6143
6144static int create_new_vbase(char *userid, char *password)
6145{
6146 BIGNUM *verifier = NULL, *salt = NULL;
6147 const SRP_gN *lgN = NULL;
6148 SRP_user_pwd *user_pwd = NULL;
6149 int ret = 0;
6150
6151 lgN = SRP_get_default_gN(NULL);
6152 if (!TEST_ptr(lgN))
6153 goto end;
6154
20c00d0a 6155 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
5e30f2fd 6156 lgN->N, lgN->g, libctx, NULL)))
76fd7a1d
MC		 6157 goto end;
6158
6159 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
6160 if (!TEST_ptr(user_pwd))
6161 goto end;
6162
6163 user_pwd->N = lgN->N;
6164 user_pwd->g = lgN->g;
6165 user_pwd->id = OPENSSL_strdup(userid);
6166 if (!TEST_ptr(user_pwd->id))
6167 goto end;
6168
6169 user_pwd->v = verifier;
6170 user_pwd->s = salt;
6171 verifier = salt = NULL;
6172
6173 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
6174 goto end;
6175 user_pwd = NULL;
6176
6177 ret = 1;
6178end:
6179 SRP_user_pwd_free(user_pwd);
6180 BN_free(salt);
6181 BN_free(verifier);
6182
6183 return ret;
6184}
6185
6186/*
6187 * SRP tests
6188 *
6189 * Test 0: Simple successful SRP connection, new vbase
6190 * Test 1: Connection failure due to bad password, new vbase
6191 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6192 * Test 3: Connection failure due to bad password, vbase loaded from existing
6193 * file
6194 * Test 4: Simple successful SRP connection, vbase loaded from new file
6195 * Test 5: Connection failure due to bad password, vbase loaded from new file
6196 */
6197static int test_srp(int tst)
6198{
6199 char *userid = "test", *password = "password", *tstsrpfile;
6200 SSL_CTX *cctx = NULL, *sctx = NULL;
6201 SSL *clientssl = NULL, *serverssl = NULL;
6202 int ret, testresult = 0;
6203
6204 vbase = SRP_VBASE_new(NULL);
6205 if (!TEST_ptr(vbase))
6206 goto end;
6207
6208 if (tst == 0 || tst == 1) {
6209 if (!TEST_true(create_new_vbase(userid, password)))
6210 goto end;
6211 } else {
6212 if (tst == 4 || tst == 5) {
6213 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
6214 goto end;
6215 tstsrpfile = tmpfilename;
6216 } else {
6217 tstsrpfile = srpvfile;
6218 }
6219 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
6220 goto end;
6221 }
6222
5e30f2fd
MC		 6223 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6224 TLS_client_method(), TLS1_VERSION, 0,
76fd7a1d
MC		 6225 &sctx, &cctx, cert, privkey)))
6226 goto end;
6227
6228 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
6229 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
6230 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
6231 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
6232 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
6233 goto end;
6234
6235 if (tst % 2 == 1) {
6236 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
6237 goto end;
6238 } else {
6239 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
6240 goto end;
6241 }
6242
6243 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6244 NULL, NULL)))
6245 goto end;
6246
6247 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6248 if (ret) {
6249 if (!TEST_true(tst % 2 == 0))
6250 goto end;
6251 } else {
6252 if (!TEST_true(tst % 2 == 1))
6253 goto end;
6254 }
6255
6256 testresult = 1;
6257
6258 end:
6259 SRP_VBASE_free(vbase);
6260 vbase = NULL;
6261 SSL_free(serverssl);
6262 SSL_free(clientssl);
6263 SSL_CTX_free(sctx);
6264 SSL_CTX_free(cctx);
6265
6266 return testresult;
6267}
6268#endif
6269
5718fe45
MC		 6270static int info_cb_failed = 0;
6271static int info_cb_offset = 0;
6272static int info_cb_this_state = -1;
6273
6274static struct info_cb_states_st {
6275 int where;
6276 const char *statestr;
6277} info_cb_states[][60] = {
6278 {
6279 /* TLSv1.2 server followed by resumption */
6280 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6281 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6282 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
6283 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
6284 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
6285 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6286 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6287 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6288 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
6289 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6290 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
6291 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6292 {SSL_CB_EXIT, NULL}, {0, NULL},
6293 }, {
6294 /* TLSv1.2 client followed by resumption */
6295 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6296 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6297 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
6298 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
6299 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
6300 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6301 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6302 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6303 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6304 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6305 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6306 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
6307 }, {
6308 /* TLSv1.3 server followed by resumption */
6309 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6310 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6311 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
6312 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
6313 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b
MC		 6314 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6315 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6316 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6317 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6318 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6319 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
6320 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6321 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 6322 }, {
6323 /* TLSv1.3 client followed by resumption */
6324 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6325 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6326 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
6327 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
6328 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4af5836b
MC		 6329 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6330 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
6331 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5718fe45
MC		 6332 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6333 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
6334 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6335 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6336 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4af5836b
MC		 6337 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
6338 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 6339 }, {
6340 /* TLSv1.3 server, early_data */
6341 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6342 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6343 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6344 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6345 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6346 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b 6347 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5718fe45
MC		 6348 {SSL_CB_EXIT, NULL}, {0, NULL},
6349 }, {
6350 /* TLSv1.3 client, early_data */
6351 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6352 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
6353 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6354 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6355 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6356 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
6357 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4af5836b
MC		 6358 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6359 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 6360 }, {
6361 {0, NULL},
6362 }
6363};
6364
6365static void sslapi_info_callback(const SSL *s, int where, int ret)
6366{
6367 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
6368
6369 /* We do not ever expect a connection to fail in this test */
6370 if (!TEST_false(ret == 0)) {
6371 info_cb_failed = 1;
6372 return;
6373 }
6374
6375 /*
6376 * Do some sanity checks. We never expect these things to happen in this
6377 * test
6378 */
6379 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
6380 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
6381 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
6382 info_cb_failed = 1;
6383 return;
6384 }
6385
6386 /* Now check we're in the right state */
6387 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
6388 info_cb_failed = 1;
6389 return;
6390 }
6391 if ((where & SSL_CB_LOOP) != 0
6392 && !TEST_int_eq(strcmp(SSL_state_string(s),
6393 state[info_cb_this_state].statestr), 0)) {
6394 info_cb_failed = 1;
6395 return;
6396 }
033c181b 6397
4af5836b
MC		 6398 /*
6399 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
6400 */
6401 if ((where & SSL_CB_HANDSHAKE_DONE)
6402 && SSL_in_init((SSL *)s) != 0) {
033c181b
MC		 6403 info_cb_failed = 1;
6404 return;
6405 }
5718fe45
MC		 6406}
6407
6408/*
6409 * Test the info callback gets called when we expect it to.
6410 *
6411 * Test 0: TLSv1.2, server
6412 * Test 1: TLSv1.2, client
6413 * Test 2: TLSv1.3, server
6414 * Test 3: TLSv1.3, client
6415 * Test 4: TLSv1.3, server, early_data
6416 * Test 5: TLSv1.3, client, early_data
6417 */
6418static int test_info_callback(int tst)
6419{
6420 SSL_CTX *cctx = NULL, *sctx = NULL;
6421 SSL *clientssl = NULL, *serverssl = NULL;
6422 SSL_SESSION *clntsess = NULL;
6423 int testresult = 0;
6424 int tlsvers;
6425
6426 if (tst < 2) {
1aac20f5
MC		 6427/* We need either ECDHE or DHE for the TLSv1.2 test to work */
6428#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
6429 || !defined(OPENSSL_NO_DH))
5718fe45
MC		 6430 tlsvers = TLS1_2_VERSION;
6431#else
6432 return 1;
6433#endif
6434 } else {
6435#ifndef OPENSSL_NO_TLS1_3
6436 tlsvers = TLS1_3_VERSION;
6437#else
6438 return 1;
6439#endif
6440 }
6441
6442 /* Reset globals */
6443 info_cb_failed = 0;
6444 info_cb_this_state = -1;
6445 info_cb_offset = tst;
6446
6e07834c 6447#ifndef OPENSSL_NO_TLS1_3
5718fe45
MC		 6448 if (tst >= 4) {
6449 SSL_SESSION *sess = NULL;
6450 size_t written, readbytes;
6451 unsigned char buf[80];
6452
6453 /* early_data tests */
6454 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
6455 &serverssl, &sess, 0)))
6456 goto end;
6457
6458 /* We don't actually need this reference */
6459 SSL_SESSION_free(sess);
6460
6461 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
6462 sslapi_info_callback);
6463
6464 /* Write and read some early data and then complete the connection */
6465 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
6466 &written))
6467 || !TEST_size_t_eq(written, strlen(MSG1))
6468 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
6469 sizeof(buf), &readbytes),
6470 SSL_READ_EARLY_DATA_SUCCESS)
6471 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
6472 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6473 SSL_EARLY_DATA_ACCEPTED)
6474 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6475 SSL_ERROR_NONE))
6476 || !TEST_false(info_cb_failed))
6477 goto end;
6478
6479 testresult = 1;
6480 goto end;
6481 }
6e07834c 6482#endif
5718fe45 6483
5e30f2fd 6484 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5718fe45
MC		 6485 TLS_client_method(),
6486 tlsvers, tlsvers, &sctx, &cctx, cert,
6487 privkey)))
6488 goto end;
6489
33c39a06
MC		 6490 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
6491 goto end;
6492
5718fe45
MC		 6493 /*
6494 * For even numbered tests we check the server callbacks. For odd numbers we
6495 * check the client.
6496 */
6497 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
6498 sslapi_info_callback);
6499
6500 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6501 &clientssl, NULL, NULL))
6502 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6503 SSL_ERROR_NONE))
6504 || !TEST_false(info_cb_failed))
6505 goto end;
6506
6507
6508
6509 clntsess = SSL_get1_session(clientssl);
6510 SSL_shutdown(clientssl);
6511 SSL_shutdown(serverssl);
6512 SSL_free(serverssl);
6513 SSL_free(clientssl);
6514 serverssl = clientssl = NULL;
6515
6516 /* Now do a resumption */
6517 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6518 NULL))
6519 || !TEST_true(SSL_set_session(clientssl, clntsess))
6520 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6521 SSL_ERROR_NONE))
6522 || !TEST_true(SSL_session_reused(clientssl))
6523 || !TEST_false(info_cb_failed))
6524 goto end;
6525
6526 testresult = 1;
6527
6528 end:
6529 SSL_free(serverssl);
6530 SSL_free(clientssl);
6531 SSL_SESSION_free(clntsess);
6532 SSL_CTX_free(sctx);
6533 SSL_CTX_free(cctx);
6534 return testresult;
6535}
6536
4a432af8
MC		 6537static int test_ssl_pending(int tst)
6538{
6539 SSL_CTX *cctx = NULL, *sctx = NULL;
6540 SSL *clientssl = NULL, *serverssl = NULL;
6541 int testresult = 0;
6542 char msg[] = "A test message";
6543 char buf[5];
6544 size_t written, readbytes;
6545
6546 if (tst == 0) {
5e30f2fd 6547 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4a432af8 6548 TLS_client_method(),
5c587fb6 6549 TLS1_VERSION, 0,
4a432af8
MC		 6550 &sctx, &cctx, cert, privkey)))
6551 goto end;
6552 } else {
6553#ifndef OPENSSL_NO_DTLS
5e30f2fd 6554 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
4a432af8 6555 DTLS_client_method(),
5c587fb6 6556 DTLS1_VERSION, 0,
4a432af8
MC		 6557 &sctx, &cctx, cert, privkey)))
6558 goto end;
6559#else
6560 return 1;
6561#endif
6562 }
6563
6564 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6565 NULL, NULL))
6566 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6567 SSL_ERROR_NONE)))
6568 goto end;
6569
e8251092
MC		 6570 if (!TEST_int_eq(SSL_pending(clientssl), 0)
6571 || !TEST_false(SSL_has_pending(clientssl))
6572 || !TEST_int_eq(SSL_pending(serverssl), 0)
6573 || !TEST_false(SSL_has_pending(serverssl))
6574 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4a432af8
MC		 6575 || !TEST_size_t_eq(written, sizeof(msg))
6576 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
6577 || !TEST_size_t_eq(readbytes, sizeof(buf))
e8251092
MC		 6578 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
6579 || !TEST_true(SSL_has_pending(clientssl)))
4a432af8
MC		 6580 goto end;
6581
6582 testresult = 1;
6583
6584 end:
6585 SSL_free(serverssl);
6586 SSL_free(clientssl);
6587 SSL_CTX_free(sctx);
6588 SSL_CTX_free(cctx);
6589
6590 return testresult;
6591}
6592
e401389a
MC		 6593static struct {
6594 unsigned int maxprot;
6595 const char *clntciphers;
6596 const char *clnttls13ciphers;
6597 const char *srvrciphers;
6598 const char *srvrtls13ciphers;
6599 const char *shared;
a96e6c34 6600 const char *fipsshared;
e401389a 6601} shared_ciphers_data[] = {
60155b9a
MC		 6602/*
6603 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
6604 * TLSv1.3 is enabled but TLSv1.2 is disabled.
6605 */
6606#if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
e401389a
MC		 6607 {
6608 TLS1_2_VERSION,
6609 "AES128-SHA:AES256-SHA",
6610 NULL,
6611 "AES256-SHA:DHE-RSA-AES128-SHA",
6612 NULL,
a96e6c34 6613 "AES256-SHA",
e401389a
MC		 6614 "AES256-SHA"
6615 },
a96e6c34
MC		 6616# if !defined(OPENSSL_NO_CHACHA) \
6617 && !defined(OPENSSL_NO_POLY1305) \
6618 && !defined(OPENSSL_NO_EC)
6619 {
6620 TLS1_2_VERSION,
6621 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6622 NULL,
6623 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6624 NULL,
6625 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6626 "AES128-SHA"
6627 },
6628# endif
e401389a
MC		 6629 {
6630 TLS1_2_VERSION,
6631 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
6632 NULL,
6633 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
6634 NULL,
a96e6c34 6635 "AES128-SHA:AES256-SHA",
e401389a
MC		 6636 "AES128-SHA:AES256-SHA"
6637 },
6638 {
6639 TLS1_2_VERSION,
6640 "AES128-SHA:AES256-SHA",
6641 NULL,
6642 "AES128-SHA:DHE-RSA-AES128-SHA",
6643 NULL,
a96e6c34 6644 "AES128-SHA",
e401389a
MC		 6645 "AES128-SHA"
6646 },
60155b9a
MC		 6647#endif
6648/*
6649 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
6650 * enabled.
6651 */
6652#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
6653 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e401389a
MC		 6654 {
6655 TLS1_3_VERSION,
6656 "AES128-SHA:AES256-SHA",
6657 NULL,
6658 "AES256-SHA:AES128-SHA256",
6659 NULL,
6660 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
a96e6c34
MC		 6661 "TLS_AES_128_GCM_SHA256:AES256-SHA",
6662 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
e401389a 6663 },
60155b9a
MC		 6664#endif
6665#ifndef OPENSSL_NO_TLS1_3
e401389a
MC		 6666 {
6667 TLS1_3_VERSION,
6668 "AES128-SHA",
6669 "TLS_AES_256_GCM_SHA384",
6670 "AES256-SHA",
6671 "TLS_AES_256_GCM_SHA384",
a96e6c34 6672 "TLS_AES_256_GCM_SHA384",
e401389a
MC		 6673 "TLS_AES_256_GCM_SHA384"
6674 },
6675#endif
6676};
6677
a96e6c34 6678static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
e401389a
MC		 6679{
6680 SSL_CTX *cctx = NULL, *sctx = NULL;
6681 SSL *clientssl = NULL, *serverssl = NULL;
6682 int testresult = 0;
6683 char buf[1024];
b4250010 6684 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
a96e6c34
MC		 6685
6686 if (!TEST_ptr(tmplibctx))
6687 goto end;
6688
6689 /*
6690 * Regardless of whether we're testing with the FIPS provider loaded into
6691 * libctx, we want one peer to always use the full set of ciphersuites
6692 * available. Therefore we use a separate libctx with the default provider
6693 * loaded into it. We run the same tests twice - once with the client side
6694 * having the full set of ciphersuites and once with the server side.
6695 */
6696 if (clnt) {
d8652be0 6697 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
a96e6c34
MC		 6698 if (!TEST_ptr(cctx))
6699 goto end;
6700 } else {
d8652be0 6701 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
a96e6c34
MC		 6702 if (!TEST_ptr(sctx))
6703 goto end;
6704 }
e401389a 6705
5e30f2fd 6706 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
e401389a
MC		 6707 TLS_client_method(),
6708 TLS1_VERSION,
6709 shared_ciphers_data[tst].maxprot,
6710 &sctx, &cctx, cert, privkey)))
6711 goto end;
6712
6713 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
6714 shared_ciphers_data[tst].clntciphers))
6715 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
6716 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
6717 shared_ciphers_data[tst].clnttls13ciphers)))
6718 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
6719 shared_ciphers_data[tst].srvrciphers))
6720 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
6721 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
6722 shared_ciphers_data[tst].srvrtls13ciphers))))
6723 goto end;
6724
6725
6726 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6727 NULL, NULL))
6728 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6729 SSL_ERROR_NONE)))
6730 goto end;
6731
6732 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
a96e6c34
MC		 6733 || !TEST_int_eq(strcmp(buf,
6734 is_fips
6735 ? shared_ciphers_data[tst].fipsshared
6736 : shared_ciphers_data[tst].shared),
6737 0)) {
e401389a
MC		 6738 TEST_info("Shared ciphers are: %s\n", buf);
6739 goto end;
6740 }
6741
6742 testresult = 1;
6743
6744 end:
6745 SSL_free(serverssl);
6746 SSL_free(clientssl);
6747 SSL_CTX_free(sctx);
6748 SSL_CTX_free(cctx);
b4250010 6749 OSSL_LIB_CTX_free(tmplibctx);
e401389a
MC		 6750
6751 return testresult;
6752}
6753
a96e6c34
MC		 6754static int test_ssl_get_shared_ciphers(int tst)
6755{
6756 return int_test_ssl_get_shared_ciphers(tst, 0)
6757 && int_test_ssl_get_shared_ciphers(tst, 1);
6758}
6759
6760
d0191fe0 6761static const char *appdata = "Hello World";
61fb5923
MC		 6762static int gen_tick_called, dec_tick_called, tick_key_cb_called;
6763static int tick_key_renew = 0;
6764static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
d0191fe0
MC		 6765
6766static int gen_tick_cb(SSL *s, void *arg)
6767{
6768 gen_tick_called = 1;
6769
6770 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
6771 strlen(appdata));
6772}
6773
6774static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
6775 const unsigned char *keyname,
6776 size_t keyname_length,
61fb5923
MC		 6777 SSL_TICKET_STATUS status,
6778 void *arg)
d0191fe0
MC		 6779{
6780 void *tickdata;
6781 size_t tickdlen;
6782
6783 dec_tick_called = 1;
6784
61fb5923
MC		 6785 if (status == SSL_TICKET_EMPTY)
6786 return SSL_TICKET_RETURN_IGNORE_RENEW;
d0191fe0 6787
61fb5923
MC		 6788 if (!TEST_true(status == SSL_TICKET_SUCCESS
6789 || status == SSL_TICKET_SUCCESS_RENEW))
6790 return SSL_TICKET_RETURN_ABORT;
6791
6792 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
6793 &tickdlen))
d0191fe0
MC		 6794 || !TEST_size_t_eq(tickdlen, strlen(appdata))
6795 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
61fb5923 6796 return SSL_TICKET_RETURN_ABORT;
d0191fe0 6797
61fb5923
MC		 6798 if (tick_key_cb_called) {
6799 /* Don't change what the ticket key callback wanted to do */
6800 switch (status) {
6801 case SSL_TICKET_NO_DECRYPT:
6802 return SSL_TICKET_RETURN_IGNORE_RENEW;
6803
6804 case SSL_TICKET_SUCCESS:
6805 return SSL_TICKET_RETURN_USE;
d0191fe0 6806
61fb5923
MC		 6807 case SSL_TICKET_SUCCESS_RENEW:
6808 return SSL_TICKET_RETURN_USE_RENEW;
6809
6810 default:
6811 return SSL_TICKET_RETURN_ABORT;
6812 }
6813 }
6814 return tick_dec_ret;
6815
6816}
d0191fe0 6817
a76ce286 6818#ifndef OPENSSL_NO_DEPRECATED_3_0
d0191fe0
MC		 6819static int tick_key_cb(SSL *s, unsigned char key_name[16],
6820 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
6821 HMAC_CTX *hctx, int enc)
6822{
6823 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6824 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
5e30f2fd
MC		 6825 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6826 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
6827 int ret;
d0191fe0 6828
61fb5923 6829 tick_key_cb_called = 1;
d0191fe0
MC		 6830 memset(iv, 0, AES_BLOCK_SIZE);
6831 memset(key_name, 0, 16);
5e30f2fd
MC		 6832 if (aes128cbc == NULL
6833 || sha256 == NULL
6834 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6835 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
6836 NULL))
6837 ret = -1;
6838 else
6839 ret = tick_key_renew ? 2 : 1;
d0191fe0 6840
5e30f2fd
MC		 6841 EVP_CIPHER_free(aes128cbc);
6842 EVP_MD_free(sha256);
6843
6844 return ret;
d0191fe0 6845}
a76ce286
P		 6846#endif
6847
6848static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
6849 unsigned char iv[EVP_MAX_IV_LENGTH],
6850 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
6851{
6852 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6853 unsigned char tick_hmac_key[16] = "0123456789abcdef";
6854 OSSL_PARAM params[3];
5e30f2fd
MC		 6855 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6856 int ret;
a76ce286
P		 6857
6858 tick_key_cb_called = 1;
6859 memset(iv, 0, AES_BLOCK_SIZE);
6860 memset(key_name, 0, 16);
6861 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
6862 "SHA256", 0);
6863 params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
6864 tick_hmac_key,
6865 sizeof(tick_hmac_key));
6866 params[2] = OSSL_PARAM_construct_end();
5e30f2fd
MC		 6867 if (aes128cbc == NULL
6868 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
865adf97 6869 || !EVP_MAC_CTX_set_params(hctx, params)
a76ce286 6870 || !EVP_MAC_init(hctx))
5e30f2fd
MC		 6871 ret = -1;
6872 else
6873 ret = tick_key_renew ? 2 : 1;
6874
6875 EVP_CIPHER_free(aes128cbc);
a76ce286 6876
5e30f2fd 6877 return ret;
a76ce286 6878}
d0191fe0
MC		 6879
6880/*
6881 * Test the various ticket callbacks
61fb5923
MC		 6882 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
6883 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
6884 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
6885 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
6886 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
6887 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
6888 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
6889 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
a76ce286
P		 6890 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
6891 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
6892 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
6893 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
6894 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
6895 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
6896 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
6897 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
d0191fe0
MC		 6898 */
6899static int test_ticket_callbacks(int tst)
6900{
6901 SSL_CTX *cctx = NULL, *sctx = NULL;
6902 SSL *clientssl = NULL, *serverssl = NULL;
6903 SSL_SESSION *clntsess = NULL;
6904 int testresult = 0;
6905
6906#ifdef OPENSSL_NO_TLS1_2
ba8b48e9 6907 if (tst % 2 == 0)
d0191fe0
MC		 6908 return 1;
6909#endif
6910#ifdef OPENSSL_NO_TLS1_3
ba8b48e9 6911 if (tst % 2 == 1)
d0191fe0
MC		 6912 return 1;
6913#endif
a76ce286
P		 6914#ifdef OPENSSL_NO_DEPRECATED_3_0
6915 if (tst >= 8 && tst <= 11)
6916 return 1;
6917#endif
d0191fe0 6918
61fb5923 6919 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
d0191fe0
MC		 6920
6921 /* Which tests the ticket key callback should request renewal for */
a76ce286 6922 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
61fb5923 6923 tick_key_renew = 1;
d0191fe0 6924 else
61fb5923
MC		 6925 tick_key_renew = 0;
6926
6927 /* Which tests the decrypt ticket callback should request renewal for */
6928 switch (tst) {
6929 case 0:
6930 case 1:
6931 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6932 break;
6933
6934 case 2:
6935 case 3:
6936 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
6937 break;
6938
6939 case 4:
6940 case 5:
6941 tick_dec_ret = SSL_TICKET_RETURN_USE;
6942 break;
6943
6944 case 6:
6945 case 7:
6946 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
6947 break;
6948
6949 default:
6950 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6951 }
d0191fe0 6952
5e30f2fd 6953 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
d0191fe0
MC		 6954 TLS_client_method(),
6955 TLS1_VERSION,
61fb5923
MC		 6956 ((tst % 2) == 0) ? TLS1_2_VERSION
6957 : TLS1_3_VERSION,
d0191fe0
MC		 6958 &sctx, &cctx, cert, privkey)))
6959 goto end;
6960
61fb5923
MC		 6961 /*
6962 * We only want sessions to resume from tickets - not the session cache. So
6963 * switch the cache off.
6964 */
6965 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
6966 goto end;
6967
d0191fe0
MC		 6968 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
6969 NULL)))
6970 goto end;
6971
a76ce286
P		 6972 if (tst >= 12) {
6973 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
6974 goto end;
6975#ifndef OPENSSL_NO_DEPRECATED_3_0
6976 } else if (tst >= 8) {
6977 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
6978 goto end;
6979#endif
6980 }
d0191fe0
MC		 6981
6982 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6983 NULL, NULL))
6984 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6985 SSL_ERROR_NONE)))
6986 goto end;
6987
61fb5923
MC		 6988 /*
6989 * The decrypt ticket key callback in TLSv1.2 should be called even though
6990 * we have no ticket yet, because it gets called with a status of
6991 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
6992 * actually send any ticket data). This does not happen in TLSv1.3 because
6993 * it is not valid to send empty ticket data in TLSv1.3.
6994 */
d0191fe0 6995 if (!TEST_int_eq(gen_tick_called, 1)
61fb5923 6996 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
d0191fe0
MC		 6997 goto end;
6998
6999 gen_tick_called = dec_tick_called = 0;
7000
7001 clntsess = SSL_get1_session(clientssl);
7002 SSL_shutdown(clientssl);
7003 SSL_shutdown(serverssl);
7004 SSL_free(serverssl);
7005 SSL_free(clientssl);
7006 serverssl = clientssl = NULL;
7007
7008 /* Now do a resumption */
7009 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7010 NULL))
7011 || !TEST_true(SSL_set_session(clientssl, clntsess))
7012 || !TEST_true(create_ssl_connection(serverssl, clientssl,
61fb5923 7013 SSL_ERROR_NONE)))
d0191fe0
MC		 7014 goto end;
7015
61fb5923
MC		 7016 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
7017 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
7018 if (!TEST_false(SSL_session_reused(clientssl)))
7019 goto end;
7020 } else {
7021 if (!TEST_true(SSL_session_reused(clientssl)))
7022 goto end;
7023 }
7024
d0191fe0 7025 if (!TEST_int_eq(gen_tick_called,
61fb5923
MC		 7026 (tick_key_renew
7027 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
7028 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
7029 ? 1 : 0)
d0191fe0
MC		 7030 || !TEST_int_eq(dec_tick_called, 1))
7031 goto end;
7032
7033 testresult = 1;
7034
7035 end:
7036 SSL_SESSION_free(clntsess);
7037 SSL_free(serverssl);
7038 SSL_free(clientssl);
7039 SSL_CTX_free(sctx);
7040 SSL_CTX_free(cctx);
7041
7042 return testresult;
7043}
7044
e638112e
DB		 7045/*
7046 * Test incorrect shutdown.
7047 * Test 0: client does not shutdown properly,
7048 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
7049 * server should get SSL_ERROR_SSL
7050 * Test 1: client does not shutdown properly,
7051 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
7052 * server should get SSL_ERROR_ZERO_RETURN
7053 */
7054static int test_incorrect_shutdown(int tst)
7055{
7056 SSL_CTX *cctx = NULL, *sctx = NULL;
7057 SSL *clientssl = NULL, *serverssl = NULL;
7058 int testresult = 0;
7059 char buf[80];
7060 BIO *c2s;
7061
7062 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7063 TLS_client_method(), 0, 0,
7064 &sctx, &cctx, cert, privkey)))
7065 goto end;
7066
7067 if (tst == 1)
7068 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
7069
7070 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7071 NULL, NULL)))
7072 goto end;
7073
7074 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7075 SSL_ERROR_NONE)))
7076 goto end;
7077
7078 c2s = SSL_get_rbio(serverssl);
7079 BIO_set_mem_eof_return(c2s, 0);
7080
7081 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
7082 goto end;
7083
7084 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
7085 goto end;
7086 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
7087 goto end;
7088
7089 testresult = 1;
7090
7091 end:
7092 SSL_free(serverssl);
7093 SSL_free(clientssl);
7094 SSL_CTX_free(sctx);
7095 SSL_CTX_free(cctx);
7096
7097 return testresult;
7098}
7099
c748834f
MC		 7100/*
7101 * Test bi-directional shutdown.
7102 * Test 0: TLSv1.2
7103 * Test 1: TLSv1.2, server continues to read/write after client shutdown
7104 * Test 2: TLSv1.3, no pending NewSessionTicket messages
7105 * Test 3: TLSv1.3, pending NewSessionTicket messages
80eff008
KR		 7106 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
7107 * sends key update, client reads it
57d7b988
MC		 7108 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
7109 * sends CertificateRequest, client reads and ignores it
7110 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
c748834f
MC		 7111 * doesn't read it
7112 */
7113static int test_shutdown(int tst)
7114{
7115 SSL_CTX *cctx = NULL, *sctx = NULL;
7116 SSL *clientssl = NULL, *serverssl = NULL;
7117 int testresult = 0;
7118 char msg[] = "A test message";
7119 char buf[80];
7120 size_t written, readbytes;
80eff008 7121 SSL_SESSION *sess;
c748834f
MC		 7122
7123#ifdef OPENSSL_NO_TLS1_2
a97d19f7 7124 if (tst <= 1)
c748834f
MC		 7125 return 1;
7126#endif
7127#ifdef OPENSSL_NO_TLS1_3
a97d19f7 7128 if (tst >= 2)
c748834f
MC		 7129 return 1;
7130#endif
7131
5e30f2fd 7132 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
c748834f
MC		 7133 TLS_client_method(),
7134 TLS1_VERSION,
7135 (tst <= 1) ? TLS1_2_VERSION
7136 : TLS1_3_VERSION,
57d7b988
MC		 7137 &sctx, &cctx, cert, privkey)))
7138 goto end;
7139
7140 if (tst == 5)
7141 SSL_CTX_set_post_handshake_auth(cctx, 1);
7142
7143 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
c748834f
MC		 7144 NULL, NULL)))
7145 goto end;
7146
7147 if (tst == 3) {
7148 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
80c455d5 7149 SSL_ERROR_NONE, 1))
80eff008
KR		 7150 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7151 || !TEST_false(SSL_SESSION_is_resumable(sess)))
c748834f
MC		 7152 goto end;
7153 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
80eff008
KR		 7154 SSL_ERROR_NONE))
7155 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7156 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
c748834f
MC		 7157 goto end;
7158 }
7159
7160 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
7161 goto end;
7162
7163 if (tst >= 4) {
7164 /*
7165 * Reading on the server after the client has sent close_notify should
7166 * fail and provide SSL_ERROR_ZERO_RETURN
7167 */
7168 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
7169 || !TEST_int_eq(SSL_get_error(serverssl, 0),
7170 SSL_ERROR_ZERO_RETURN)
7171 || !TEST_int_eq(SSL_get_shutdown(serverssl),
7172 SSL_RECEIVED_SHUTDOWN)
7173 /*
7174 * Even though we're shutdown on receive we should still be
7175 * able to write.
7176 */
80eff008
KR		 7177 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7178 goto end;
57d7b988
MC		 7179 if (tst == 4
7180 && !TEST_true(SSL_key_update(serverssl,
7181 SSL_KEY_UPDATE_REQUESTED)))
7182 goto end;
7183 if (tst == 5) {
7184 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7185 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7186 goto end;
7187 }
7188 if ((tst == 4 || tst == 5)
7189 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
80eff008
KR		 7190 goto end;
7191 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
c748834f 7192 goto end;
57d7b988 7193 if (tst == 4 || tst == 5) {
80eff008 7194 /* Should still be able to read data from server */
c748834f 7195 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
80eff008
KR		 7196 &readbytes))
7197 || !TEST_size_t_eq(readbytes, sizeof(msg))
7198 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
7199 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7200 &readbytes))
c748834f
MC		 7201 || !TEST_size_t_eq(readbytes, sizeof(msg))
7202 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
7203 goto end;
7204 }
7205 }
7206
7207 /* Writing on the client after sending close_notify shouldn't be possible */
ba709049 7208 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
c748834f
MC		 7209 goto end;
7210
7211 if (tst < 4) {
7212 /*
7213 * For these tests the client has sent close_notify but it has not yet
7214 * been received by the server. The server has not sent close_notify
7215 * yet.
7216 */
7217 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
ba709049
MC		 7218 /*
7219 * Writing on the server after sending close_notify shouldn't
7220 * be possible.
7221 */
7222 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
c748834f 7223 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
80eff008
KR		 7224 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7225 || !TEST_true(SSL_SESSION_is_resumable(sess))
c748834f
MC		 7226 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
7227 goto end;
57d7b988 7228 } else if (tst == 4 || tst == 5) {
c748834f
MC		 7229 /*
7230 * In this test the client has sent close_notify and it has been
7231 * received by the server which has responded with a close_notify. The
358ffa05 7232 * client needs to read the close_notify sent by the server.
c748834f 7233 */
80eff008
KR		 7234 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
7235 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7236 || !TEST_true(SSL_SESSION_is_resumable(sess)))
c748834f 7237 goto end;
358ffa05
MC		 7238 } else {
7239 /*
57d7b988 7240 * tst == 6
358ffa05
MC		 7241 *
7242 * The client has sent close_notify and is expecting a close_notify
7243 * back, but instead there is application data first. The shutdown
7244 * should fail with a fatal error.
7245 */
7246 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
7247 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
7248 goto end;
c748834f
MC		 7249 }
7250
7251 testresult = 1;
7252
7253 end:
7254 SSL_free(serverssl);
7255 SSL_free(clientssl);
7256 SSL_CTX_free(sctx);
7257 SSL_CTX_free(cctx);
7258
7259 return testresult;
7260}
7261
7f1d923a 7262#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
cd6fe29f
MC		 7263static int cert_cb_cnt;
7264
7265static int cert_cb(SSL *s, void *arg)
7266{
7267 SSL_CTX *ctx = (SSL_CTX *)arg;
7cb8fb07
BK		 7268 BIO *in = NULL;
7269 EVP_PKEY *pkey = NULL;
1a2a3a42
MC		 7270 X509 *x509 = NULL, *rootx = NULL;
7271 STACK_OF(X509) *chain = NULL;
7272 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
7273 int ret = 0;
cd6fe29f
MC		 7274
7275 if (cert_cb_cnt == 0) {
7276 /* Suspend the handshake */
7277 cert_cb_cnt++;
7278 return -1;
7279 } else if (cert_cb_cnt == 1) {
7280 /*
7281 * Update the SSL_CTX, set the certificate and private key and then
7282 * continue the handshake normally.
7283 */
7284 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
7285 return 0;
7286
7287 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
7288 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
7289 SSL_FILETYPE_PEM))
7290 || !TEST_true(SSL_check_private_key(s)))
7291 return 0;
7292 cert_cb_cnt++;
7293 return 1;
7cb8fb07
BK		 7294 } else if (cert_cb_cnt == 3) {
7295 int rv;
1a2a3a42
MC		 7296
7297 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
7298 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
7299 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
7300 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
7301 goto out;
7302 chain = sk_X509_new_null();
7303 if (!TEST_ptr(chain))
7304 goto out;
7cb8fb07 7305 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
1a2a3a42 7306 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
d8652be0 7307 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
6725682d 7308 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
1a2a3a42
MC		 7309 || !TEST_true(sk_X509_push(chain, rootx)))
7310 goto out;
7311 rootx = NULL;
7312 BIO_free(in);
7313 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7314 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
d8652be0 7315 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
6725682d 7316 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
7cb8fb07
BK		 7317 goto out;
7318 BIO_free(in);
7319 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
1a2a3a42 7320 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
5f2b7db0
RL		 7321 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
7322 NULL, NULL,
7323 libctx, NULL)))
7cb8fb07 7324 goto out;
1a2a3a42 7325 rv = SSL_check_chain(s, x509, pkey, chain);
7cb8fb07
BK		 7326 /*
7327 * If the cert doesn't show as valid here (e.g., because we don't
7328 * have any shared sigalgs), then we will not set it, and there will
7329 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
7330 * will cause tls_choose_sigalgs() to fail the connection.
7331 */
1a2a3a42
MC		 7332 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
7333 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7cb8fb07
BK		 7334 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
7335 goto out;
7336 }
1a2a3a42
MC		 7337
7338 ret = 1;
cd6fe29f
MC		 7339 }
7340
7341 /* Abort the handshake */
7cb8fb07 7342 out:
1a2a3a42
MC		 7343 OPENSSL_free(ecdsacert);
7344 OPENSSL_free(ecdsakey);
7345 OPENSSL_free(rootfile);
7cb8fb07
BK		 7346 BIO_free(in);
7347 EVP_PKEY_free(pkey);
7348 X509_free(x509);
1a2a3a42
MC		 7349 X509_free(rootx);
7350 sk_X509_pop_free(chain, X509_free);
7351 return ret;
cd6fe29f
MC		 7352}
7353
7354/*
7355 * Test the certificate callback.
7356 * Test 0: Callback fails
7357 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
7358 * Test 2: Success - SSL_set_SSL_CTX() in the callback
1a2a3a42
MC		 7359 * Test 3: Success - Call SSL_check_chain from the callback
7360 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
7361 * chain
7362 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
cd6fe29f
MC		 7363 */
7364static int test_cert_cb_int(int prot, int tst)
7365{
7366 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
7367 SSL *clientssl = NULL, *serverssl = NULL;
7368 int testresult = 0, ret;
7369
1a2a3a42
MC		 7370#ifdef OPENSSL_NO_EC
7371 /* We use an EC cert in these tests, so we skip in a no-ec build */
7372 if (tst >= 3)
7373 return 1;
7374#endif
7375
5e30f2fd 7376 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
cd6fe29f
MC		 7377 TLS_client_method(),
7378 TLS1_VERSION,
7379 prot,
7380 &sctx, &cctx, NULL, NULL)))
7381 goto end;
7382
7383 if (tst == 0)
7384 cert_cb_cnt = -1;
1a2a3a42 7385 else if (tst >= 3)
7cb8fb07 7386 cert_cb_cnt = 3;
cd6fe29f
MC		 7387 else
7388 cert_cb_cnt = 0;
1a2a3a42 7389
cd6fe29f
MC		 7390 if (tst == 2)
7391 snictx = SSL_CTX_new(TLS_server_method());
7392 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
7393
7394 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7395 NULL, NULL)))
7396 goto end;
7397
1a2a3a42
MC		 7398 if (tst == 4) {
7399 /*
7400 * We cause SSL_check_chain() to fail by specifying sig_algs that
7401 * the chain doesn't meet (the root uses an RSA cert)
7402 */
7403 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7404 "ecdsa_secp256r1_sha256")))
7405 goto end;
7406 } else if (tst == 5) {
7407 /*
7408 * We cause SSL_check_chain() to fail by specifying sig_algs that
7409 * the ee cert doesn't meet (the ee uses an ECDSA cert)
7410 */
7411 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7412 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
7413 goto end;
7414 }
7415
cd6fe29f 7416 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
1a2a3a42 7417 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7cb8fb07
BK		 7418 || (tst > 0
7419 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
cd6fe29f
MC		 7420 goto end;
7421 }
7422
7423 testresult = 1;
7424
7425 end:
7426 SSL_free(serverssl);
7427 SSL_free(clientssl);
7428 SSL_CTX_free(sctx);
7429 SSL_CTX_free(cctx);
7430 SSL_CTX_free(snictx);
7431
7432 return testresult;
7433}
7f1d923a 7434#endif
cd6fe29f
MC		 7435
7436static int test_cert_cb(int tst)
7437{
7438 int testresult = 1;
7439
7440#ifndef OPENSSL_NO_TLS1_2
7441 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
7442#endif
7f1d923a 7443#ifndef OPENSSL_NO_TLS1_3
cd6fe29f
MC		 7444 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
7445#endif
7446
7447 return testresult;
7448}
7449
6e46c065
MC		 7450static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
7451{
8c2bfd25 7452 X509 *xcert;
6e46c065
MC		 7453 EVP_PKEY *privpkey;
7454 BIO *in = NULL;
6725682d 7455 BIO *priv_in = NULL;
6e46c065 7456
8c2bfd25
TS		 7457 /* Check that SSL_get0_peer_certificate() returns something sensible */
7458 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
6e46c065 7459 return 0;
6e46c065
MC		 7460
7461 in = BIO_new_file(cert, "r");
7462 if (!TEST_ptr(in))
7463 return 0;
7464
d8652be0 7465 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
6725682d
SL		 7466 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
7467 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
5f2b7db0
RL		 7468 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
7469 NULL, NULL,
7470 libctx, NULL)))
6725682d 7471 goto err;
6e46c065
MC		 7472
7473 *x509 = xcert;
7474 *pkey = privpkey;
7475
6725682d
SL		 7476 BIO_free(in);
7477 BIO_free(priv_in);
6e46c065 7478 return 1;
6725682d
SL		 7479err:
7480 X509_free(xcert);
7481 BIO_free(in);
7482 BIO_free(priv_in);
7483 return 0;
6e46c065
MC		 7484}
7485
7486static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
7487{
7488 return 1;
7489}
7490
7491static int test_client_cert_cb(int tst)
7492{
7493 SSL_CTX *cctx = NULL, *sctx = NULL;
7494 SSL *clientssl = NULL, *serverssl = NULL;
7495 int testresult = 0;
7496
7497#ifdef OPENSSL_NO_TLS1_2
7498 if (tst == 0)
7499 return 1;
7500#endif
7501#ifdef OPENSSL_NO_TLS1_3
7502 if (tst == 1)
7503 return 1;
7504#endif
7505
5e30f2fd 7506 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6e46c065
MC		 7507 TLS_client_method(),
7508 TLS1_VERSION,
7509 tst == 0 ? TLS1_2_VERSION
7510 : TLS1_3_VERSION,
7511 &sctx, &cctx, cert, privkey)))
7512 goto end;
7513
7514 /*
7515 * Test that setting a client_cert_cb results in a client certificate being
7516 * sent.
7517 */
7518 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
7519 SSL_CTX_set_verify(sctx,
7520 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
7521 verify_cb);
fb8c8359
MC		 7522
7523 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7524 NULL, NULL))
7525 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7526 SSL_ERROR_NONE)))
7527 goto end;
7528
7529 testresult = 1;
7530
7531 end:
7532 SSL_free(serverssl);
7533 SSL_free(clientssl);
7534 SSL_CTX_free(sctx);
7535 SSL_CTX_free(cctx);
7536
7537 return testresult;
7538}
7539
7540#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
7541/*
7542 * Test setting certificate authorities on both client and server.
7543 *
7544 * Test 0: SSL_CTX_set0_CA_list() only
7545 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
7546 * Test 2: Only SSL_CTX_set_client_CA_list()
7547 */
7548static int test_ca_names_int(int prot, int tst)
7549{
7550 SSL_CTX *cctx = NULL, *sctx = NULL;
7551 SSL *clientssl = NULL, *serverssl = NULL;
7552 int testresult = 0;
7553 size_t i;
7554 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
7555 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
7556 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
7557 const STACK_OF(X509_NAME) *sktmp = NULL;
7558
7559 for (i = 0; i < OSSL_NELEM(name); i++) {
7560 name[i] = X509_NAME_new();
7561 if (!TEST_ptr(name[i])
7562 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
7563 MBSTRING_ASC,
7564 (unsigned char *)
7565 strnames[i],
7566 -1, -1, 0)))
7567 goto end;
7568 }
7569
5e30f2fd 7570 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fb8c8359
MC		 7571 TLS_client_method(),
7572 TLS1_VERSION,
7573 prot,
7574 &sctx, &cctx, cert, privkey)))
7575 goto end;
7576
7577 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
7578
7579 if (tst == 0 || tst == 1) {
7580 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7581 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
7582 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
7583 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7584 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
7585 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
7586 goto end;
7587
7588 SSL_CTX_set0_CA_list(sctx, sk1);
7589 SSL_CTX_set0_CA_list(cctx, sk2);
7590 sk1 = sk2 = NULL;
7591 }
7592 if (tst == 1 || tst == 2) {
7593 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7594 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
7595 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
7596 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7597 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
7598 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
7599 goto end;
7600
7601 SSL_CTX_set_client_CA_list(sctx, sk1);
7602 SSL_CTX_set_client_CA_list(cctx, sk2);
7603 sk1 = sk2 = NULL;
7604 }
7605
6e46c065
MC		 7606 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7607 NULL, NULL))
7608 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7609 SSL_ERROR_NONE)))
7610 goto end;
7611
fb8c8359
MC		 7612 /*
7613 * We only expect certificate authorities to have been sent to the server
7614 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
7615 */
7616 sktmp = SSL_get0_peer_CA_list(serverssl);
7617 if (prot == TLS1_3_VERSION
7618 && (tst == 0 || tst == 1)) {
7619 if (!TEST_ptr(sktmp)
7620 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7621 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7622 name[0]), 0)
7623 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7624 name[1]), 0))
7625 goto end;
7626 } else if (!TEST_ptr_null(sktmp)) {
7627 goto end;
7628 }
7629
7630 /*
7631 * In all tests we expect certificate authorities to have been sent to the
7632 * client. However, SSL_set_client_CA_list() should override
7633 * SSL_set0_CA_list()
7634 */
7635 sktmp = SSL_get0_peer_CA_list(clientssl);
7636 if (!TEST_ptr(sktmp)
7637 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7638 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7639 name[tst == 0 ? 0 : 2]), 0)
7640 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7641 name[tst == 0 ? 1 : 3]), 0))
7642 goto end;
7643
6e46c065
MC		 7644 testresult = 1;
7645
7646 end:
7647 SSL_free(serverssl);
7648 SSL_free(clientssl);
7649 SSL_CTX_free(sctx);
7650 SSL_CTX_free(cctx);
fb8c8359
MC		 7651 for (i = 0; i < OSSL_NELEM(name); i++)
7652 X509_NAME_free(name[i]);
7653 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
7654 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
7655
7656 return testresult;
7657}
7658#endif
7659
7660static int test_ca_names(int tst)
7661{
7662 int testresult = 1;
7663
7664#ifndef OPENSSL_NO_TLS1_2
7665 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
7666#endif
7667#ifndef OPENSSL_NO_TLS1_3
7668 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
7669#endif
6e46c065
MC		 7670
7671 return testresult;
7672}
7673
0d2bfe52
SL		 7674#ifndef OPENSSL_NO_TLS1_2
7675static const char *multiblock_cipherlist_data[]=
7676{
7677 "AES128-SHA",
7678 "AES128-SHA256",
7679 "AES256-SHA",
7680 "AES256-SHA256",
7681};
7682
7683/* Reduce the fragment size - so the multiblock test buffer can be small */
7684# define MULTIBLOCK_FRAGSIZE 512
7685
7686static int test_multiblock_write(int test_index)
7687{
7688 static const char *fetchable_ciphers[]=
7689 {
7690 "AES-128-CBC-HMAC-SHA1",
7691 "AES-128-CBC-HMAC-SHA256",
7692 "AES-256-CBC-HMAC-SHA1",
7693 "AES-256-CBC-HMAC-SHA256"
7694 };
7695 const char *cipherlist = multiblock_cipherlist_data[test_index];
7696 const SSL_METHOD *smeth = TLS_server_method();
7697 const SSL_METHOD *cmeth = TLS_client_method();
7698 int min_version = TLS1_VERSION;
7699 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
7700 SSL_CTX *cctx = NULL, *sctx = NULL;
7701 SSL *clientssl = NULL, *serverssl = NULL;
7702 int testresult = 0;
7703
7704 /*
7705 * Choose a buffer large enough to perform a multi-block operation
7706 * i.e: write_len >= 4 * frag_size
7707 * 9 * is chosen so that multiple multiblocks are used + some leftover.
7708 */
7709 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
7710 unsigned char buf[sizeof(msg)], *p = buf;
7711 size_t readbytes, written, len;
7712 EVP_CIPHER *ciph = NULL;
7713
7714 /*
7715 * Check if the cipher exists before attempting to use it since it only has
7716 * a hardware specific implementation.
7717 */
7718 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
7719 if (ciph == NULL) {
7720 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
7721 return 1;
7722 }
7723 EVP_CIPHER_free(ciph);
7724
7725 /* Set up a buffer with some data that will be sent to the client */
7726 RAND_bytes(msg, sizeof(msg));
7727
5e30f2fd
MC		 7728 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
7729 max_version, &sctx, &cctx, cert,
7730 privkey)))
0d2bfe52
SL		 7731 goto end;
7732
7733 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
7734 goto end;
7735
7736 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7737 NULL, NULL)))
7738 goto end;
7739
7740 /* settings to force it to use AES-CBC-HMAC_SHA */
7741 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
7742 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
7743 goto end;
7744
7745 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7746 goto end;
7747
7748 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7749 || !TEST_size_t_eq(written, sizeof(msg)))
7750 goto end;
7751
7752 len = written;
7753 while (len > 0) {
7754 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
7755 goto end;
7756 p += readbytes;
7757 len -= readbytes;
7758 }
7759 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
7760 goto end;
7761
7762 testresult = 1;
7763end:
7764 SSL_free(serverssl);
7765 SSL_free(clientssl);
7766 SSL_CTX_free(sctx);
7767 SSL_CTX_free(cctx);
7768
7769 return testresult;
7770}
7771#endif /* OPENSSL_NO_TLS1_2 */
a43ce58f 7772
49ef3d07
MC		 7773/*
7774 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
7775 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
7776 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
7777 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
7778 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
7779 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
7780 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
7781 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
7782 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
7783 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
7784 */
7785static int test_servername(int tst)
7786{
7787 SSL_CTX *cctx = NULL, *sctx = NULL;
7788 SSL *clientssl = NULL, *serverssl = NULL;
7789 int testresult = 0;
7790 SSL_SESSION *sess = NULL;
7791 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
7792
7793#ifdef OPENSSL_NO_TLS1_2
7794 if (tst <= 4)
7795 return 1;
7796#endif
7797#ifdef OPENSSL_NO_TLS1_3
7798 if (tst >= 5)
7799 return 1;
7800#endif
7801
5e30f2fd 7802 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
49ef3d07
MC		 7803 TLS_client_method(),
7804 TLS1_VERSION,
7805 (tst <= 4) ? TLS1_2_VERSION
7806 : TLS1_3_VERSION,
7807 &sctx, &cctx, cert, privkey))
7808 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7809 NULL, NULL)))
7810 goto end;
7811
7812 if (tst != 1 && tst != 6) {
7813 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
7814 hostname_cb)))
7815 goto end;
7816 }
7817
7818 if (tst != 3 && tst != 8) {
7819 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7820 goto end;
7821 sexpectedhost = cexpectedhost = "goodhost";
7822 }
7823
7824 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7825 goto end;
7826
7827 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
7828 cexpectedhost)
7829 || !TEST_str_eq(SSL_get_servername(serverssl,
7830 TLSEXT_NAMETYPE_host_name),
7831 sexpectedhost))
7832 goto end;
7833
7834 /* Now repeat with a resumption handshake */
7835
7836 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
7837 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
7838 || !TEST_true(SSL_SESSION_is_resumable(sess))
7839 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
7840 goto end;
7841
7842 SSL_free(clientssl);
7843 SSL_free(serverssl);
7844 clientssl = serverssl = NULL;
7845
7846 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7847 NULL)))
7848 goto end;
7849
7850 if (!TEST_true(SSL_set_session(clientssl, sess)))
7851 goto end;
7852
7853 sexpectedhost = cexpectedhost = "goodhost";
7854 if (tst == 2 || tst == 7) {
7855 /* Set an inconsistent hostname */
7856 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
7857 goto end;
7858 /*
7859 * In TLSv1.2 we expect the hostname from the original handshake, in
7860 * TLSv1.3 we expect the hostname from this handshake
7861 */
7862 if (tst == 7)
7863 sexpectedhost = cexpectedhost = "altgoodhost";
7864
7865 if (!TEST_str_eq(SSL_get_servername(clientssl,
7866 TLSEXT_NAMETYPE_host_name),
7867 "altgoodhost"))
7868 goto end;
7869 } else if (tst == 4 || tst == 9) {
7870 /*
7871 * A TLSv1.3 session does not associate a session with a servername,
7872 * but a TLSv1.2 session does.
7873 */
7874 if (tst == 9)
7875 sexpectedhost = cexpectedhost = NULL;
7876
7877 if (!TEST_str_eq(SSL_get_servername(clientssl,
7878 TLSEXT_NAMETYPE_host_name),
7879 cexpectedhost))
7880 goto end;
7881 } else {
7882 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7883 goto end;
7884 /*
7885 * In a TLSv1.2 resumption where the hostname was not acknowledged
7886 * we expect the hostname on the server to be empty. On the client we
7887 * return what was requested in this case.
7888 *
7889 * Similarly if the client didn't set a hostname on an original TLSv1.2
7890 * session but is now, the server hostname will be empty, but the client
7891 * is as we set it.
7892 */
7893 if (tst == 1 || tst == 3)
7894 sexpectedhost = NULL;
7895
7896 if (!TEST_str_eq(SSL_get_servername(clientssl,
7897 TLSEXT_NAMETYPE_host_name),
7898 "goodhost"))
7899 goto end;
7900 }
7901
7902 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7903 goto end;
7904
7905 if (!TEST_true(SSL_session_reused(clientssl))
7906 || !TEST_true(SSL_session_reused(serverssl))
7907 || !TEST_str_eq(SSL_get_servername(clientssl,
7908 TLSEXT_NAMETYPE_host_name),
7909 cexpectedhost)
7910 || !TEST_str_eq(SSL_get_servername(serverssl,
7911 TLSEXT_NAMETYPE_host_name),
7912 sexpectedhost))
7913 goto end;
7914
7915 testresult = 1;
7916
7917 end:
7918 SSL_SESSION_free(sess);
7919 SSL_free(serverssl);
7920 SSL_free(clientssl);
7921 SSL_CTX_free(sctx);
7922 SSL_CTX_free(cctx);
7923
7924 return testresult;
7925}
7926
b1fdbc68
MC		 7927#if !defined(OPENSSL_NO_EC) \
7928 && (!defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b3842539
MC		 7929/*
7930 * Test that if signature algorithms are not available, then we do not offer or
7931 * accept them.
7932 * Test 0: Two RSA sig algs available: both RSA sig algs shared
7933 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
7934 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
7935 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
7936 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
7937 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
7938 */
7939static int test_sigalgs_available(int idx)
7940{
7941 SSL_CTX *cctx = NULL, *sctx = NULL;
7942 SSL *clientssl = NULL, *serverssl = NULL;
7943 int testresult = 0;
b4250010
DMSP		 7944 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
7945 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
b3842539
MC		 7946 OSSL_PROVIDER *filterprov = NULL;
7947 int sig, hash;
7948
7949 if (!TEST_ptr(tmpctx))
7950 goto end;
7951
7952 if (idx != 0 && idx != 3) {
7953 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
7954 filter_provider_init)))
7955 goto end;
7956
7957 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
7958 if (!TEST_ptr(filterprov))
7959 goto end;
7960
7961 if (idx < 3) {
7962 /*
7963 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
7964 * or accepted for the peer that uses this libctx. Note that libssl
7965 * *requires* SHA2-256 to be available so we cannot disable that. We
7966 * also need SHA1 for our certificate.
7967 */
7968 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
7969 "SHA2-256:SHA1")))
7970 goto end;
7971 } else {
7972 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
7973 "ECDSA"))
7974 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
7975 "EC:X25519:X448")))
7976 goto end;
7977 }
7978
7979 if (idx == 1 || idx == 4)
7980 clientctx = tmpctx;
7981 else
7982 serverctx = tmpctx;
7983 }
7984
d8652be0
MC		 7985 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
7986 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9d2d857f
MC		 7987 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
7988 goto end;
b3842539
MC		 7989
7990 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7991 TLS_client_method(),
7992 TLS1_VERSION,
7993 0,
7994 &sctx, &cctx, cert, privkey)))
7995 goto end;
7996
b1fdbc68
MC		 7997 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
7998 if (idx < 4) {
7999 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8000 "ECDHE-RSA-AES128-GCM-SHA256")))
8001 goto end;
8002 } else {
8003 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8004 "ECDHE-ECDSA-AES128-GCM-SHA256")))
8005 goto end;
8006 }
8007
b3842539
MC		 8008 if (idx < 3) {
8009 if (!SSL_CTX_set1_sigalgs_list(cctx,
8010 "rsa_pss_rsae_sha384"
8011 ":rsa_pss_rsae_sha256")
8012 || !SSL_CTX_set1_sigalgs_list(sctx,
8013 "rsa_pss_rsae_sha384"
8014 ":rsa_pss_rsae_sha256"))
8015 goto end;
8016 } else {
8017 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
8018 || !SSL_CTX_set1_sigalgs_list(sctx,
8019 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
8020 goto end;
8021 }
8022
8023 if (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
8024 SSL_FILETYPE_PEM), 1)
8025 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
8026 privkey2,
8027 SSL_FILETYPE_PEM), 1)
8028 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
8029 goto end;
8030
8031 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8032 NULL, NULL)))
8033 goto end;
8034
8035 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8036 goto end;
8037
8038 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
8039 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
8040 NULL, NULL),
8041 (idx == 0 || idx == 3) ? 2 : 1))
8042 goto end;
8043
8044 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
8045 goto end;
8046
8047 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
8048 : NID_rsassaPss))
8049 goto end;
8050
8051 testresult = 1;
8052
8053 end:
8054 SSL_free(serverssl);
8055 SSL_free(clientssl);
8056 SSL_CTX_free(sctx);
8057 SSL_CTX_free(cctx);
8058 OSSL_PROVIDER_unload(filterprov);
b4250010 8059 OSSL_LIB_CTX_free(tmpctx);
b3842539
MC		 8060
8061 return testresult;
8062}
b1fdbc68
MC		 8063#endif /*
8064 * !defined(OPENSSL_NO_EC) \
8065 * && (!defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
8066 */
b3842539 8067
0c13cdf8 8068#ifndef OPENSSL_NO_TLS1_3
c8e3a4c6 8069static int test_pluggable_group(int idx)
0c13cdf8
MC		 8070{
8071 SSL_CTX *cctx = NULL, *sctx = NULL;
8072 SSL *clientssl = NULL, *serverssl = NULL;
8073 int testresult = 0;
8074 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
146aebc6
MC		 8075 /* Check that we are not impacted by a provider without any groups */
8076 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
c8e3a4c6 8077 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
0c13cdf8 8078
5ae54dba 8079 if (!TEST_ptr(tlsprov))
0c13cdf8
MC		 8080 goto end;
8081
5ae54dba
MC		 8082 if (legacyprov == NULL) {
8083 /*
8084 * In this case we assume we've been built with "no-legacy" and skip
8085 * this test (there is no OPENSSL_NO_LEGACY)
8086 */
8087 testresult = 1;
8088 goto end;
8089 }
8090
0c13cdf8
MC		 8091 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8092 TLS_client_method(),
8093 TLS1_3_VERSION,
8094 TLS1_3_VERSION,
8095 &sctx, &cctx, cert, privkey))
8096 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8097 NULL, NULL)))
8098 goto end;
8099
c8e3a4c6
NT		 8100 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
8101 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
0c13cdf8
MC		 8102 goto end;
8103
8104 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8105 goto end;
8106
becbacd7
MB		 8107 if (!TEST_str_eq(group_name,
8108 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
8109 goto end;
8110
0c13cdf8
MC		 8111 testresult = 1;
8112
8113 end:
8114 SSL_free(serverssl);
8115 SSL_free(clientssl);
8116 SSL_CTX_free(sctx);
8117 SSL_CTX_free(cctx);
8118 OSSL_PROVIDER_unload(tlsprov);
146aebc6 8119 OSSL_PROVIDER_unload(legacyprov);
0c13cdf8
MC		 8120
8121 return testresult;
8122}
8123#endif
b3842539 8124
49a36a52
MC		 8125#ifndef OPENSSL_NO_TLS1_2
8126static int test_ssl_dup(void)
8127{
8128 SSL_CTX *cctx = NULL, *sctx = NULL;
8129 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
8130 int testresult = 0;
8131 BIO *rbio = NULL, *wbio = NULL;
8132
8133 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8134 TLS_client_method(),
8135 0,
8136 0,
8137 &sctx, &cctx, cert, privkey)))
8138 goto end;
8139
8140 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8141 NULL, NULL)))
8142 goto end;
8143
8144 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
8145 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
8146 goto end;
8147
8148 client2ssl = SSL_dup(clientssl);
8149 rbio = SSL_get_rbio(clientssl);
8150 if (!TEST_ptr(rbio)
8151 || !TEST_true(BIO_up_ref(rbio)))
8152 goto end;
8153 SSL_set0_rbio(client2ssl, rbio);
8154 rbio = NULL;
8155
8156 wbio = SSL_get_wbio(clientssl);
8157 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
8158 goto end;
8159 SSL_set0_wbio(client2ssl, wbio);
8160 rbio = NULL;
8161
8162 if (!TEST_ptr(client2ssl)
8163 /* Handshake not started so pointers should be different */
8164 || !TEST_ptr_ne(clientssl, client2ssl))
8165 goto end;
8166
8167 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
8168 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
8169 goto end;
8170
8171 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
8172 goto end;
8173
8174 SSL_free(clientssl);
8175 clientssl = SSL_dup(client2ssl);
8176 if (!TEST_ptr(clientssl)
8177 /* Handshake has finished so pointers should be the same */
8178 || !TEST_ptr_eq(clientssl, client2ssl))
8179 goto end;
8180
8181 testresult = 1;
8182
8183 end:
8184 SSL_free(serverssl);
8185 SSL_free(clientssl);
8186 SSL_free(client2ssl);
8187 SSL_CTX_free(sctx);
8188 SSL_CTX_free(cctx);
8189
8190 return testresult;
8191}
33c39a06
MC		 8192
8193# ifndef OPENSSL_NO_DH
8194
8195static EVP_PKEY *tmp_dh_params = NULL;
8196
8197/* Helper function for the test_set_tmp_dh() tests */
8198static EVP_PKEY *get_tmp_dh_params(void)
8199{
8200 if (tmp_dh_params == NULL) {
8201 BIGNUM *p = NULL;
8202 OSSL_PARAM_BLD *tmpl = NULL;
8203 EVP_PKEY_CTX *pctx = NULL;
8204 OSSL_PARAM *params = NULL;
8205 EVP_PKEY *dhpkey = NULL;
8206
8207 p = BN_get_rfc3526_prime_2048(NULL);
8208 if (!TEST_ptr(p))
8209 goto end;
8210
8211 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
8212 if (!TEST_ptr(pctx)
8213 || !TEST_true(EVP_PKEY_key_fromdata_init(pctx)))
8214 goto end;
8215
8216 tmpl = OSSL_PARAM_BLD_new();
8217 if (!TEST_ptr(tmpl)
8218 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
8219 OSSL_PKEY_PARAM_FFC_P,
8220 p))
8221 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
8222 OSSL_PKEY_PARAM_FFC_G,
8223 2)))
8224 goto end;
8225
8226 params = OSSL_PARAM_BLD_to_param(tmpl);
8227 if (!TEST_ptr(params)
8228 || !TEST_true(EVP_PKEY_fromdata(pctx, &dhpkey, params)))
8229 goto end;
8230
8231 tmp_dh_params = dhpkey;
8232 end:
8233 BN_free(p);
8234 EVP_PKEY_CTX_free(pctx);
8235 OSSL_PARAM_BLD_free(tmpl);
8236 OSSL_PARAM_BLD_free_params(params);
8237 }
8238
8239 if (!EVP_PKEY_up_ref(tmp_dh_params))
8240 return NULL;
8241
8242 return tmp_dh_params;
8243}
8244
39f3427d 8245# ifndef OPENSSL_NO_DEPRECATED_3_0
33c39a06
MC		 8246/* Callback used by test_set_tmp_dh() */
8247static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
8248{
8249 EVP_PKEY *dhpkey = get_tmp_dh_params();
8250 DH *ret = NULL;
8251
8252 if (!TEST_ptr(dhpkey))
8253 return NULL;
8254
8255 ret = EVP_PKEY_get0_DH(dhpkey);
8256
8257 EVP_PKEY_free(dhpkey);
8258
8259 return ret;
8260}
8261# endif
8262
8263/*
8264 * Test the various methods for setting temporary DH parameters
8265 *
8266 * Test 0: Default (no auto) setting
8267 * Test 1: Explicit SSL_CTX auto off
8268 * Test 2: Explicit SSL auto off
8269 * Test 3: Explicit SSL_CTX auto on
8270 * Test 4: Explicit SSL auto on
8271 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
8272 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
8273 *
8274 * The following are testing deprecated APIs, so we only run them if available
8275 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
8276 * Test 8: Explicit SSL auto off, custom DH params via DH
8277 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
8278 * Test 10: Explicit SSL auto off, custom DH params via callback
8279 */
8280static int test_set_tmp_dh(int idx)
8281{
8282 SSL_CTX *cctx = NULL, *sctx = NULL;
8283 SSL *clientssl = NULL, *serverssl = NULL;
8284 int testresult = 0;
8285 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
8286 int expected = (idx <= 2) ? 0 : 1;
8287 EVP_PKEY *dhpkey = NULL;
8288# ifndef OPENSSL_NO_DEPRECATED_3_0
8289 DH *dh = NULL;
8290# else
8291
8292 if (idx >= 7)
8293 return 1;
8294# endif
8295
8296 if (idx >= 5 && idx <= 8) {
8297 dhpkey = get_tmp_dh_params();
8298 if (!TEST_ptr(dhpkey))
8299 goto end;
8300 }
8301# ifndef OPENSSL_NO_DEPRECATED_3_0
8302 if (idx == 7 || idx == 8) {
8303 dh = EVP_PKEY_get0_DH(dhpkey);
8304 if (!TEST_ptr(dh))
8305 goto end;
8306 }
8307# endif
8308
8309 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8310 TLS_client_method(),
8311 0,
8312 0,
8313 &sctx, &cctx, cert, privkey)))
8314 goto end;
8315
8316 if ((idx & 1) == 1) {
8317 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
8318 goto end;
8319 }
8320
8321 if (idx == 5) {
8322 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
8323 goto end;
8324 dhpkey = NULL;
8325 }
8326# ifndef OPENSSL_NO_DEPRECATED_3_0
8327 else if (idx == 7) {
8328 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
8329 goto end;
8330 } else if (idx == 9) {
8331 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
8332 }
8333# endif
8334
8335 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8336 NULL, NULL)))
8337 goto end;
8338
8339 if ((idx & 1) == 0 && idx != 0) {
8340 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
8341 goto end;
8342 }
8343 if (idx == 6) {
8344 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
8345 goto end;
8346 dhpkey = NULL;
8347 }
8348# ifndef OPENSSL_NO_DEPRECATED_3_0
8349 else if (idx == 8) {
8350 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
8351 goto end;
8352 } else if (idx == 10) {
8353 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
8354 }
8355# endif
8356
8357 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
8358 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
8359 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
8360 goto end;
8361
8362 /*
8363 * If autoon then we should succeed. Otherwise we expect failure because
8364 * there are no parameters
8365 */
8366 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
8367 SSL_ERROR_NONE), expected))
8368 goto end;
8369
8370 testresult = 1;
8371
8372 end:
8373 SSL_free(serverssl);
8374 SSL_free(clientssl);
8375 SSL_CTX_free(sctx);
8376 SSL_CTX_free(cctx);
8377 EVP_PKEY_free(dhpkey);
8378
8379 return testresult;
8380}
3105d846
MC		 8381
8382/*
8383 * Test the auto DH keys are appropriately sized
8384 */
8385static int test_dh_auto(int idx)
8386{
8387 SSL_CTX *cctx = NULL, *sctx = NULL;
8388 SSL *clientssl = NULL, *serverssl = NULL;
8389 int testresult = 0;
8390 EVP_PKEY *tmpkey = NULL;
8391 char *thiscert = NULL, *thiskey = NULL;
8392 size_t expdhsize = 0;
8393 const char *ciphersuite = "DHE-RSA-AES128-SHA";
8394
8395 switch (idx) {
8396 case 0:
8397 /* The FIPS provider doesn't support this DH size - so we ignore it */
8398 if (is_fips)
8399 return 1;
8400 thiscert = cert1024;
8401 thiskey = privkey1024;
8402 expdhsize = 1024;
8403 break;
8404 case 1:
8405 /* 2048 bit prime */
8406 thiscert = cert;
8407 thiskey = privkey;
8408 expdhsize = 2048;
8409 break;
8410 case 2:
8411 thiscert = cert3072;
8412 thiskey = privkey3072;
8413 expdhsize = 3072;
8414 break;
8415 case 3:
8416 thiscert = cert4096;
8417 thiskey = privkey4096;
8418 expdhsize = 4096;
8419 break;
8420 case 4:
8421 thiscert = cert8192;
8422 thiskey = privkey8192;
8423 expdhsize = 8192;
8424 break;
8425 /* No certificate cases */
8426 case 5:
8427 /* The FIPS provider doesn't support this DH size - so we ignore it */
8428 if (is_fips)
8429 return 1;
8430 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
8431 expdhsize = 1024;
8432 break;
8433 case 6:
8434 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
8435 expdhsize = 3072;
8436 break;
8437 default:
8438 TEST_error("Invalid text index");
8439 goto end;
8440 }
8441
8442 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8443 TLS_client_method(),
8444 0,
8445 0,
8446 &sctx, &cctx, thiscert, thiskey)))
8447 goto end;
8448
8449 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8450 NULL, NULL)))
8451 goto end;
8452
8453 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
8454 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
8455 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
8456 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
8457 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
8458 goto end;
8459
8460 /*
8461 * Send the server's first flight. At this point the server has created the
8462 * temporary DH key but hasn't finished using it yet. Once used it is
8463 * removed, so we cannot test it.
8464 */
8465 if (!TEST_int_le(SSL_connect(clientssl), 0)
8466 || !TEST_int_le(SSL_accept(serverssl), 0))
8467 goto end;
8468
8469 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
8470 goto end;
8471 if (!TEST_size_t_eq(EVP_PKEY_bits(tmpkey), expdhsize))
8472 goto end;
8473
8474 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8475 goto end;
8476
8477 testresult = 1;
8478
8479 end:
8480 SSL_free(serverssl);
8481 SSL_free(clientssl);
8482 SSL_CTX_free(sctx);
8483 SSL_CTX_free(cctx);
8484 EVP_PKEY_free(tmpkey);
8485
8486 return testresult;
8487
8488}
33c39a06
MC		 8489# endif /* OPENSSL_NO_DH */
8490#endif /* OPENSSL_NO_TLS1_2 */
49a36a52 8491
6582661f
MC		 8492#ifndef OPENSSL_NO_TLS1_3
8493/*
8494 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
8495 * that it works even without a certificate configured for the original
8496 * SSL_CTX
8497 */
8498static int test_sni_tls13(void)
8499{
8500 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
8501 SSL *clientssl = NULL, *serverssl = NULL;
8502 int testresult = 0;
8503
8504 /* Reset callback counter */
8505 snicb = 0;
8506
8507 /* Create an initial SSL_CTX with no certificate configured */
8508 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
8509 if (!TEST_ptr(sctx))
8510 goto end;
8511 /* Require TLSv1.3 as a minimum */
8512 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8513 TLS_client_method(), TLS1_3_VERSION, 0,
8514 &sctx2, &cctx, cert, privkey)))
8515 goto end;
8516
8517 /* Set up SNI */
8518 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
8519 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
8520 goto end;
8521
8522 /*
8523 * Connection should still succeed because the final SSL_CTX has the right
8524 * certificates configured.
8525 */
8526 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
8527 &clientssl, NULL, NULL))
8528 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8529 SSL_ERROR_NONE)))
8530 goto end;
8531
8532 /* We should have had the SNI callback called exactly once */
8533 if (!TEST_int_eq(snicb, 1))
8534 goto end;
8535
8536 testresult = 1;
8537
8538end:
8539 SSL_free(serverssl);
8540 SSL_free(clientssl);
8541 SSL_CTX_free(sctx2);
8542 SSL_CTX_free(sctx);
8543 SSL_CTX_free(cctx);
8544 return testresult;
8545}
8546#endif
8547
5e30f2fd 8548OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
a43ce58f 8549
ad887416 8550int setup_tests(void)
2cb4b5f6 8551{
5e30f2fd
MC		 8552 char *modulename;
8553 char *configfile;
8554
b4250010 8555 libctx = OSSL_LIB_CTX_new();
5e30f2fd
MC		 8556 if (!TEST_ptr(libctx))
8557 return 0;
8558
8559 defctxnull = OSSL_PROVIDER_load(NULL, "null");
8560
8561 /*
8562 * Verify that the default and fips providers in the default libctx are not
8563 * available
8564 */
8565 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
8566 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
8567 return 0;
8568
8d242823
MC		 8569 if (!test_skip_common_options()) {
8570 TEST_error("Error parsing test options\n");
8571 return 0;
8572 }
8573
1a2a3a42
MC		 8574 if (!TEST_ptr(certsdir = test_get_argument(0))
8575 || !TEST_ptr(srpvfile = test_get_argument(1))
5e30f2fd
MC		 8576 || !TEST_ptr(tmpfilename = test_get_argument(2))
8577 || !TEST_ptr(modulename = test_get_argument(3))
8578 || !TEST_ptr(configfile = test_get_argument(4)))
8579 return 0;
8580
b4250010 8581 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
5e30f2fd
MC		 8582 return 0;
8583
8584 /* Check we have the expected provider available */
8585 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
8586 return 0;
8587
8588 /* Check the default provider is not available */
8589 if (strcmp(modulename, "default") != 0
8590 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
710756a9 8591 return 0;
2cb4b5f6 8592
4f6c7044
MC		 8593 if (strcmp(modulename, "fips") == 0)
8594 is_fips = 1;
8595
0c13cdf8
MC		 8596 /*
8597 * We add, but don't load the test "tls-provider". We'll load it when we
8598 * need it.
8599 */
8600 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
8601 tls_provider_init)))
8602 return 0;
8603
8604
f297e4ec
RS		 8605 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
8606#ifdef OPENSSL_NO_CRYPTO_MDEBUG
8607 TEST_error("not supported in this build");
8608 return 0;
8609#else
8610 int i, mcount, rcount, fcount;
8611
8612 for (i = 0; i < 4; i++)
8613 test_export_key_mat(i);
8614 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
8615 test_printf_stdout("malloc %d realloc %d free %d\n",
8616 mcount, rcount, fcount);
8617 return 1;
8618#endif
8619 }
8620
1a2a3a42
MC		 8621 cert = test_mk_file_path(certsdir, "servercert.pem");
8622 if (cert == NULL)
b3842539 8623 goto err;
1a2a3a42
MC		 8624
8625 privkey = test_mk_file_path(certsdir, "serverkey.pem");
b3842539
MC		 8626 if (privkey == NULL)
8627 goto err;
8628
8629 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8630 if (cert2 == NULL)
8631 goto err;
8632
8633 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8634 if (privkey2 == NULL)
8635 goto err;
1a2a3a42 8636
3105d846
MC		 8637 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
8638 if (cert1024 == NULL)
8639 goto err;
8640
8641 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
8642 if (privkey1024 == NULL)
8643 goto err;
8644
8645 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
8646 if (cert3072 == NULL)
8647 goto err;
8648
8649 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
8650 if (privkey3072 == NULL)
8651 goto err;
8652
8653 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
8654 if (cert4096 == NULL)
8655 goto err;
8656
8657 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
8658 if (privkey4096 == NULL)
8659 goto err;
8660
8661 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
8662 if (cert8192 == NULL)
8663 goto err;
8664
8665 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
8666 if (privkey8192 == NULL)
8667 goto err;
8668
da4db160 8669#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
c8e3a4c6 8670# if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
da4db160
VF		 8671 ADD_ALL_TESTS(test_ktls, 32);
8672 ADD_ALL_TESTS(test_ktls_sendfile_anytls, 6);
c8e3a4c6 8673# endif
fe5d9450 8674#endif
84d5549e 8675 ADD_TEST(test_large_message_tls);
7856332e 8676 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 8677#ifndef OPENSSL_NO_DTLS
84d5549e 8678 ADD_TEST(test_large_message_dtls);
55386bef 8679#endif
163b8016 8680 ADD_TEST(test_cleanse_plaintext);
8f8c11d8 8681#ifndef OPENSSL_NO_OCSP
c887104f 8682 ADD_TEST(test_tlsext_status_type);
8f8c11d8 8683#endif
eaa776da
MC		 8684 ADD_TEST(test_session_with_only_int_cache);
8685 ADD_TEST(test_session_with_only_ext_cache);
8686 ADD_TEST(test_session_with_both_cache);
90fc2c26 8687 ADD_TEST(test_session_wo_ca_names);
36ff232c 8688#ifndef OPENSSL_NO_TLS1_3
04d7814a
MC		 8689 ADD_ALL_TESTS(test_stateful_tickets, 3);
8690 ADD_ALL_TESTS(test_stateless_tickets, 3);
8614a4eb 8691 ADD_TEST(test_psk_tickets);
f0049b86 8692 ADD_ALL_TESTS(test_extra_tickets, 6);
36ff232c 8693#endif
7fb4c820 8694 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 8695 ADD_TEST(test_ssl_bio_pop_next_bio);
8696 ADD_TEST(test_ssl_bio_pop_ssl_bio);
8697 ADD_TEST(test_ssl_bio_change_rbio);
8698 ADD_TEST(test_ssl_bio_change_wbio);
c423ecaa 8699#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae 8700 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 8701 ADD_TEST(test_keylog);
c423ecaa 8702#endif
6acdd3e5
CB		 8703#ifndef OPENSSL_NO_TLS1_3
8704 ADD_TEST(test_keylog_no_master_key);
8705#endif
0c3eb279 8706 ADD_TEST(test_client_cert_verify_cb);
e9ee6536 8707#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 8708 ADD_TEST(test_client_hello_cb);
088dfa13 8709 ADD_TEST(test_no_ems);
3cd14e5e 8710 ADD_TEST(test_ccs_change_cipher);
5f982038
MC		 8711#endif
8712#ifndef OPENSSL_NO_TLS1_3
02a3ed5a 8713 ADD_ALL_TESTS(test_early_data_read_write, 3);
78fb5374
MC		 8714 /*
8715 * We don't do replay tests for external PSK. Replay protection isn't used
8716 * in that scenario.
8717 */
8718 ADD_ALL_TESTS(test_early_data_replay, 2);
02a3ed5a
MC		 8719 ADD_ALL_TESTS(test_early_data_skip, 3);
8720 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
0efa0ba4 8721 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
0d1b7789 8722 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
02a3ed5a 8723 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 8724 ADD_ALL_TESTS(test_early_data_psk, 8);
0b2b0be9 8725 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
02a3ed5a 8726 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 8727# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 8728 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 8729# endif
e9ee6536 8730#endif
a273157a 8731#ifndef OPENSSL_NO_TLS1_3
034cb87b 8732 ADD_ALL_TESTS(test_set_ciphersuite, 10);
ca0413ae 8733 ADD_TEST(test_ciphersuite_change);
5bf2eade 8734 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
8735# ifdef OPENSSL_NO_PSK
c2b290c3 8736 ADD_ALL_TESTS(test_tls13_psk, 1);
5bf2eade 8737# else
0d8da779 8738 ADD_ALL_TESTS(test_tls13_psk, 4);
5bf2eade 8739# endif /* OPENSSL_NO_PSK */
8740# ifndef OPENSSL_NO_TLS1_2
8741 /* Test with both TLSv1.3 and 1.2 versions */
db26ec80 8742 ADD_ALL_TESTS(test_key_exchange, 14);
5bf2eade 8743# else
8744 /* Test with only TLSv1.3 versions */
8745 ADD_ALL_TESTS(test_key_exchange, 12);
8746# endif
bb01ef3f 8747 ADD_ALL_TESTS(test_custom_exts, 5);
c7b8ff25 8748 ADD_TEST(test_stateless);
9d75dce3 8749 ADD_TEST(test_pha_key_update);
a273157a 8750#else
bb01ef3f 8751 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 8752#endif
16afd71c 8753 ADD_ALL_TESTS(test_serverinfo, 8);
0fb2815b 8754 ADD_ALL_TESTS(test_export_key_mat, 6);
b38ede80
TT		 8755#ifndef OPENSSL_NO_TLS1_3
8756 ADD_ALL_TESTS(test_export_key_mat_early, 3);
3409a5ff 8757 ADD_TEST(test_key_update);
a77b4dba 8758 ADD_ALL_TESTS(test_key_update_in_write, 2);
b38ede80 8759#endif
e11b6aa4 8760 ADD_ALL_TESTS(test_ssl_clear, 2);
cf72c757 8761 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
76fd7a1d
MC		 8762#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
8763 ADD_ALL_TESTS(test_srp, 6);
8764#endif
5718fe45 8765 ADD_ALL_TESTS(test_info_callback, 6);
4a432af8 8766 ADD_ALL_TESTS(test_ssl_pending, 2);
e401389a 8767 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
a76ce286 8768 ADD_ALL_TESTS(test_ticket_callbacks, 16);
57d7b988 8769 ADD_ALL_TESTS(test_shutdown, 7);
e638112e 8770 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
1a2a3a42 8771 ADD_ALL_TESTS(test_cert_cb, 6);
6e46c065 8772 ADD_ALL_TESTS(test_client_cert_cb, 2);
fb8c8359 8773 ADD_ALL_TESTS(test_ca_names, 3);
0d2bfe52
SL		 8774#ifndef OPENSSL_NO_TLS1_2
8775 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
8776#endif
49ef3d07 8777 ADD_ALL_TESTS(test_servername, 10);
b1fdbc68
MC		 8778#if !defined(OPENSSL_NO_EC) \
8779 && (!defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b3842539 8780 ADD_ALL_TESTS(test_sigalgs_available, 6);
0c13cdf8
MC		 8781#endif
8782#ifndef OPENSSL_NO_TLS1_3
c8e3a4c6 8783 ADD_ALL_TESTS(test_pluggable_group, 2);
49a36a52
MC		 8784#endif
8785#ifndef OPENSSL_NO_TLS1_2
8786 ADD_TEST(test_ssl_dup);
33c39a06
MC		 8787# ifndef OPENSSL_NO_DH
8788 ADD_ALL_TESTS(test_set_tmp_dh, 11);
3105d846 8789 ADD_ALL_TESTS(test_dh_auto, 7);
33c39a06 8790# endif
6582661f
MC		 8791#endif
8792#ifndef OPENSSL_NO_TLS1_3
8793 ADD_TEST(test_sni_tls13);
b3842539 8794#endif
ad887416 8795 return 1;
b3842539
MC		 8796
8797 err:
8798 OPENSSL_free(cert);
8799 OPENSSL_free(privkey);
8800 OPENSSL_free(cert2);
8801 OPENSSL_free(privkey2);
8802 return 0;
ad887416 8803}
2cb4b5f6 8804
ad887416
P		 8805void cleanup_tests(void)
8806{
8778f0eb 8807# if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
33c39a06
MC		 8808 EVP_PKEY_free(tmp_dh_params);
8809#endif
1a2a3a42
MC		 8810 OPENSSL_free(cert);
8811 OPENSSL_free(privkey);
b3842539
MC		 8812 OPENSSL_free(cert2);
8813 OPENSSL_free(privkey2);
3105d846
MC		 8814 OPENSSL_free(cert1024);
8815 OPENSSL_free(privkey1024);
8816 OPENSSL_free(cert3072);
8817 OPENSSL_free(privkey3072);
8818 OPENSSL_free(cert4096);
8819 OPENSSL_free(privkey4096);
8820 OPENSSL_free(cert8192);
8821 OPENSSL_free(privkey8192);
fa454945 8822 bio_s_mempacket_test_free();
a77b4dba 8823 bio_s_always_retry_free();
5e30f2fd 8824 OSSL_PROVIDER_unload(defctxnull);
b4250010 8825 OSSL_LIB_CTX_free(libctx);
2cb4b5f6 8826}
A mirror of the official openssl repository