]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Rework the decrypt ticket callback
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
6738bf14 2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6
MC		 3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
ba881d3b
MC		 10#include <string.h>
11
2cb4b5f6
MC		 12#include <openssl/opensslconf.h>
13#include <openssl/bio.h>
14#include <openssl/crypto.h>
15#include <openssl/ssl.h>
ba881d3b 16#include <openssl/ocsp.h>
76fd7a1d
MC		 17#include <openssl/srp.h>
18#include <openssl/txt_db.h>
d0191fe0 19#include <openssl/aes.h>
2cb4b5f6
MC		 20
21#include "ssltestlib.h"
c887104f 22#include "testutil.h"
f297e4ec 23#include "testutil/output.h"
176db6dc 24#include "internal/nelem.h"
ca0413ae 25#include "../ssl/ssl_locl.h"
2cb4b5f6
MC		 26
27static char *cert = NULL;
28static char *privkey = NULL;
76fd7a1d
MC		 29static char *srpvfile = NULL;
30static char *tmpfilename = NULL;
2cb4b5f6 31
cffe973c 32#define LOG_BUFFER_SIZE 2048
6acdd3e5 33static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 34static size_t server_log_buffer_index = 0;
6acdd3e5 35static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 36static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 37static int error_writing_log = 0;
38
8f8c11d8 39#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 40static const unsigned char orespder[] = "Dummy OCSP Response";
41static int ocsp_server_called = 0;
42static int ocsp_client_called = 0;
43
44static int cdummyarg = 1;
45static X509 *ocspcert = NULL;
8f8c11d8 46#endif
ba881d3b 47
84d5549e 48#define NUM_EXTRA_CERTS 40
cf72c757 49#define CLIENT_VERSION_LEN 2
84d5549e 50
f1a5939f
CB		 51/*
52 * This structure is used to validate that the correct number of log messages
53 * of various types are emitted when emitting secret logs.
54 */
55struct sslapitest_log_counts {
56 unsigned int rsa_key_exchange_count;
57 unsigned int master_secret_count;
cffe973c 58 unsigned int client_early_secret_count;
f1a5939f
CB		 59 unsigned int client_handshake_secret_count;
60 unsigned int server_handshake_secret_count;
61 unsigned int client_application_secret_count;
62 unsigned int server_application_secret_count;
01a2a654 63 unsigned int early_exporter_secret_count;
6329ce8f 64 unsigned int exporter_secret_count;
f1a5939f
CB		 65};
66
16afd71c
MC		 67
68static unsigned char serverinfov1[] = {
69 0xff, 0xff, /* Dummy extension type */
70 0x00, 0x01, /* Extension length is 1 byte */
71 0xff /* Dummy extension data */
72};
73
74static unsigned char serverinfov2[] = {
75 0x00, 0x00, 0x00,
76 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
77 0xff, 0xff, /* Dummy extension type */
78 0x00, 0x01, /* Extension length is 1 byte */
79 0xff /* Dummy extension data */
80};
81
710756a9
RS		 82static void client_keylog_callback(const SSL *ssl, const char *line)
83{
6acdd3e5
CB		 84 int line_length = strlen(line);
85
86 /* If the log doesn't fit, error out. */
710756a9
RS		 87 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
88 TEST_info("Client log too full");
6acdd3e5
CB		 89 error_writing_log = 1;
90 return;
91 }
92
93 strcat(client_log_buffer, line);
94 client_log_buffer_index += line_length;
710756a9 95 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 96}
97
710756a9
RS		 98static void server_keylog_callback(const SSL *ssl, const char *line)
99{
6acdd3e5
CB		 100 int line_length = strlen(line);
101
102 /* If the log doesn't fit, error out. */
710756a9 103 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 104 TEST_info("Server log too full");
6acdd3e5
CB		 105 error_writing_log = 1;
106 return;
107 }
108
109 strcat(server_log_buffer, line);
110 server_log_buffer_index += line_length;
710756a9 111 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 112}
113
114static int compare_hex_encoded_buffer(const char *hex_encoded,
115 size_t hex_length,
116 const uint8_t *raw,
710756a9
RS		 117 size_t raw_length)
118{
119 size_t i, j;
120 char hexed[3];
6acdd3e5 121
710756a9 122 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 123 return 1;
6acdd3e5 124
710756a9 125 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 126 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 127 if (!TEST_int_eq(hexed[0], hex_encoded[j])
128 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 129 return 1;
6acdd3e5
CB		 130 }
131
132 return 0;
133}
134
135static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 136 const SSL_SESSION *session,
710756a9
RS		 137 struct sslapitest_log_counts *expected)
138{
6acdd3e5
CB		 139 char *token = NULL;
140 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
141 size_t client_random_size = SSL3_RANDOM_SIZE;
142 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
143 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 144 unsigned int rsa_key_exchange_count = 0;
145 unsigned int master_secret_count = 0;
cffe973c 146 unsigned int client_early_secret_count = 0;
f1a5939f
CB		 147 unsigned int client_handshake_secret_count = 0;
148 unsigned int server_handshake_secret_count = 0;
149 unsigned int client_application_secret_count = 0;
150 unsigned int server_application_secret_count = 0;
01a2a654 151 unsigned int early_exporter_secret_count = 0;
6329ce8f 152 unsigned int exporter_secret_count = 0;
6acdd3e5 153
710756a9
RS		 154 for (token = strtok(buffer, " \n"); token != NULL;
155 token = strtok(NULL, " \n")) {
6acdd3e5 156 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 157 /*
158 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 159 * hex-encoded encrypted secret, then the hex-encoded pre-master
160 * secret.
161 */
710756a9 162 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 163 return 0;
710756a9 164 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 165 return 0;
710756a9 166 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 167 return 0;
f1a5939f
CB		 168 /*
169 * We can't sensibly check the log because the premaster secret is
170 * transient, and OpenSSL doesn't keep hold of it once the master
171 * secret is generated.
172 */
173 rsa_key_exchange_count++;
6acdd3e5 174 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 175 /*
176 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 177 * client random, then the hex-encoded master secret.
178 */
179 client_random_size = SSL_get_client_random(ssl,
180 actual_client_random,
181 SSL3_RANDOM_SIZE);
710756a9 182 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 183 return 0;
6acdd3e5 184
710756a9 185 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 186 return 0;
710756a9 187 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 188 return 0;
710756a9
RS		 189 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
190 actual_client_random,
191 client_random_size)))
f1a5939f 192 return 0;
6acdd3e5 193
710756a9 194 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 195 return 0;
6acdd3e5
CB		 196 master_key_size = SSL_SESSION_get_master_key(session,
197 actual_master_key,
198 master_key_size);
710756a9 199 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 200 return 0;
710756a9
RS		 201 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
202 actual_master_key,
203 master_key_size)))
f1a5939f 204 return 0;
f1a5939f 205 master_secret_count++;
cffe973c
PW		 206 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
207 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
710756a9
RS		 208 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
209 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
6329ce8f 210 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
01a2a654 211 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
6329ce8f 212 || strcmp(token, "EXPORTER_SECRET") == 0) {
f1a5939f
CB		 213 /*
214 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
215 * client random, and then the hex-encoded secret. In this case,
216 * we treat all of these secrets identically and then just
217 * distinguish between them when counting what we saw.
218 */
cffe973c
PW		 219 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
220 client_early_secret_count++;
221 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
f1a5939f
CB		 222 client_handshake_secret_count++;
223 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
224 server_handshake_secret_count++;
225 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
226 client_application_secret_count++;
227 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
228 server_application_secret_count++;
01a2a654
PW		 229 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
230 early_exporter_secret_count++;
6329ce8f
PW		 231 else if (strcmp(token, "EXPORTER_SECRET") == 0)
232 exporter_secret_count++;
f1a5939f
CB		 233
234 client_random_size = SSL_get_client_random(ssl,
235 actual_client_random,
236 SSL3_RANDOM_SIZE);
710756a9 237 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 238 return 0;
f1a5939f 239
710756a9 240 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 241 return 0;
710756a9 242 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 243 return 0;
710756a9
RS		 244 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
245 actual_client_random,
246 client_random_size)))
f1a5939f 247 return 0;
6acdd3e5 248
710756a9 249 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 250 return 0;
f1a5939f
CB		 251
252 /*
253 * TODO(TLS1.3): test that application traffic secrets are what
254 * we expect */
6acdd3e5 255 } else {
710756a9 256 TEST_info("Unexpected token %s\n", token);
f1a5939f 257 return 0;
6acdd3e5 258 }
6acdd3e5
CB		 259 }
260
710756a9
RS		 261 /* Got what we expected? */
262 if (!TEST_size_t_eq(rsa_key_exchange_count,
263 expected->rsa_key_exchange_count)
264 || !TEST_size_t_eq(master_secret_count,
265 expected->master_secret_count)
cffe973c
PW		 266 || !TEST_size_t_eq(client_early_secret_count,
267 expected->client_early_secret_count)
710756a9
RS		 268 || !TEST_size_t_eq(client_handshake_secret_count,
269 expected->client_handshake_secret_count)
270 || !TEST_size_t_eq(server_handshake_secret_count,
271 expected->server_handshake_secret_count)
272 || !TEST_size_t_eq(client_application_secret_count,
273 expected->client_application_secret_count)
274 || !TEST_size_t_eq(server_application_secret_count,
6329ce8f 275 expected->server_application_secret_count)
01a2a654
PW		 276 || !TEST_size_t_eq(early_exporter_secret_count,
277 expected->early_exporter_secret_count)
6329ce8f
PW		 278 || !TEST_size_t_eq(exporter_secret_count,
279 expected->exporter_secret_count))
710756a9
RS		 280 return 0;
281 return 1;
6acdd3e5
CB		 282}
283
c423ecaa 284#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
710756a9
RS		 285static int test_keylog(void)
286{
6acdd3e5
CB		 287 SSL_CTX *cctx = NULL, *sctx = NULL;
288 SSL *clientssl = NULL, *serverssl = NULL;
289 int testresult = 0;
f1a5939f 290 struct sslapitest_log_counts expected = {0};
6acdd3e5
CB		 291
292 /* Clean up logging space */
710756a9
RS		 293 memset(client_log_buffer, 0, sizeof(client_log_buffer));
294 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 295 client_log_buffer_index = 0;
296 server_log_buffer_index = 0;
297 error_writing_log = 0;
298
710756a9
RS		 299 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
300 TLS_client_method(),
7d7f6834 301 TLS1_VERSION, TLS_MAX_VERSION,
710756a9 302 &sctx, &cctx, cert, privkey)))
6acdd3e5 303 return 0;
6acdd3e5
CB		 304
305 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
306 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
307 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
308
f0deb4d3 309 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 310 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 311 goto end;
f0deb4d3 312
cf10df81
RS		 313 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
314 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 315 goto end;
6acdd3e5 316 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 317 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
318 == client_keylog_callback))
6acdd3e5 319 goto end;
710756a9 320 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 321 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
322 == server_keylog_callback))
6acdd3e5 323 goto end;
6acdd3e5 324
710756a9
RS		 325 /* Now do a handshake and check that the logs have been written to. */
326 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
327 &clientssl, NULL, NULL))
328 || !TEST_true(create_ssl_connection(serverssl, clientssl,
329 SSL_ERROR_NONE))
330 || !TEST_false(error_writing_log)
331 || !TEST_int_gt(client_log_buffer_index, 0)
332 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 333 goto end;
6acdd3e5 334
f1a5939f
CB		 335 /*
336 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 337 * do that by using strtok and confirming that we have more or less the
f1a5939f
CB		 338 * data we expect. For both client and server, we expect to see one master
339 * secret. The client should also see a RSA key exchange.
6acdd3e5 340 */
f1a5939f
CB		 341 expected.rsa_key_exchange_count = 1;
342 expected.master_secret_count = 1;
710756a9
RS		 343 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
344 SSL_get_session(clientssl), &expected)))
6acdd3e5 345 goto end;
f1a5939f
CB		 346
347 expected.rsa_key_exchange_count = 0;
710756a9
RS		 348 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
349 SSL_get_session(serverssl), &expected)))
6acdd3e5 350 goto end;
6acdd3e5
CB		 351
352 testresult = 1;
353
354end:
355 SSL_free(serverssl);
356 SSL_free(clientssl);
357 SSL_CTX_free(sctx);
358 SSL_CTX_free(cctx);
359
360 return testresult;
361}
c423ecaa 362#endif
6acdd3e5
CB		 363
364#ifndef OPENSSL_NO_TLS1_3
710756a9
RS		 365static int test_keylog_no_master_key(void)
366{
6acdd3e5
CB		 367 SSL_CTX *cctx = NULL, *sctx = NULL;
368 SSL *clientssl = NULL, *serverssl = NULL;
cffe973c 369 SSL_SESSION *sess = NULL;
6acdd3e5 370 int testresult = 0;
f1a5939f 371 struct sslapitest_log_counts expected = {0};
cffe973c
PW		 372 unsigned char buf[1];
373 size_t readbytes, written;
6acdd3e5
CB		 374
375 /* Clean up logging space */
710756a9
RS		 376 memset(client_log_buffer, 0, sizeof(client_log_buffer));
377 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 378 client_log_buffer_index = 0;
379 server_log_buffer_index = 0;
380 error_writing_log = 0;
381
7d7f6834
RL		 382 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
383 TLS1_VERSION, TLS_MAX_VERSION,
cffe973c
PW		 384 &sctx, &cctx, cert, privkey))
385 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
cffe973c 386 SSL3_RT_MAX_PLAIN_LENGTH)))
6acdd3e5 387 return 0;
6acdd3e5 388
cf10df81
RS		 389 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
390 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 391 goto end;
6acdd3e5
CB		 392
393 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 394 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
395 == client_keylog_callback))
6acdd3e5 396 goto end;
6acdd3e5 397
710756a9 398 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 399 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
400 == server_keylog_callback))
6acdd3e5 401 goto end;
6acdd3e5 402
710756a9
RS		 403 /* Now do a handshake and check that the logs have been written to. */
404 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
405 &clientssl, NULL, NULL))
406 || !TEST_true(create_ssl_connection(serverssl, clientssl,
407 SSL_ERROR_NONE))
408 || !TEST_false(error_writing_log))
6acdd3e5 409 goto end;
6acdd3e5 410
f1a5939f
CB		 411 /*
412 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 413 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 414 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 415 */
f1a5939f
CB		 416 expected.client_handshake_secret_count = 1;
417 expected.server_handshake_secret_count = 1;
418 expected.client_application_secret_count = 1;
419 expected.server_application_secret_count = 1;
6329ce8f 420 expected.exporter_secret_count = 1;
710756a9
RS		 421 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
422 SSL_get_session(clientssl), &expected))
423 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
424 SSL_get_session(serverssl),
425 &expected)))
6acdd3e5 426 goto end;
6acdd3e5 427
cffe973c
PW		 428 /* Terminate old session and resume with early data. */
429 sess = SSL_get1_session(clientssl);
430 SSL_shutdown(clientssl);
431 SSL_shutdown(serverssl);
432 SSL_free(serverssl);
433 SSL_free(clientssl);
434 serverssl = clientssl = NULL;
435
436 /* Reset key log */
437 memset(client_log_buffer, 0, sizeof(client_log_buffer));
438 memset(server_log_buffer, 0, sizeof(server_log_buffer));
439 client_log_buffer_index = 0;
440 server_log_buffer_index = 0;
441
442 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
443 &clientssl, NULL, NULL))
444 || !TEST_true(SSL_set_session(clientssl, sess))
445 /* Here writing 0 length early data is enough. */
446 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
447 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
448 &readbytes),
449 SSL_READ_EARLY_DATA_ERROR)
450 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
451 SSL_EARLY_DATA_ACCEPTED)
452 || !TEST_true(create_ssl_connection(serverssl, clientssl,
453 SSL_ERROR_NONE))
454 || !TEST_true(SSL_session_reused(clientssl)))
455 goto end;
456
457 /* In addition to the previous entries, expect early secrets. */
458 expected.client_early_secret_count = 1;
01a2a654 459 expected.early_exporter_secret_count = 1;
cffe973c
PW		 460 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
461 SSL_get_session(clientssl), &expected))
462 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
463 SSL_get_session(serverssl),
464 &expected)))
465 goto end;
466
6acdd3e5
CB		 467 testresult = 1;
468
469end:
cffe973c 470 SSL_SESSION_free(sess);
6acdd3e5
CB		 471 SSL_free(serverssl);
472 SSL_free(clientssl);
473 SSL_CTX_free(sctx);
474 SSL_CTX_free(cctx);
475
476 return testresult;
477}
478#endif
479
e9ee6536 480#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 481static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 482{
483 int *ctr = arg;
484 const unsigned char *p;
8ea404fb 485 int *exts;
2afaee51
BK		 486 /* We only configure two ciphers, but the SCSV is added automatically. */
487#ifdef OPENSSL_NO_EC
488 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
489#else
490 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
491 0x2c, 0x00, 0xff};
492#endif
8ea404fb
BK		 493 const int expected_extensions[] = {
494#ifndef OPENSSL_NO_EC
495 11, 10,
496#endif
10ed1b72 497 35, 22, 23, 13};
2afaee51
BK		 498 size_t len;
499
500 /* Make sure we can defer processing and get called back. */
501 if ((*ctr)++ == 0)
f1b97da1 502 return SSL_CLIENT_HELLO_RETRY;
2afaee51 503
a9c0d8be 504 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 505 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 506 || !TEST_size_t_eq(
507 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 508 || !TEST_int_eq(*p, 0))
f1b97da1 509 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 510 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 511 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 512 if (len != OSSL_NELEM(expected_extensions) ||
513 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 514 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 515 OPENSSL_free(exts);
f1b97da1 516 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 517 }
518 OPENSSL_free(exts);
f1b97da1 519 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 520}
521
a9c0d8be 522static int test_client_hello_cb(void)
710756a9 523{
2afaee51
BK		 524 SSL_CTX *cctx = NULL, *sctx = NULL;
525 SSL *clientssl = NULL, *serverssl = NULL;
526 int testctr = 0, testresult = 0;
527
7d7f6834
RL		 528 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
529 TLS1_VERSION, TLS_MAX_VERSION,
530 &sctx, &cctx, cert, privkey)))
2afaee51 531 goto end;
a9c0d8be 532 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 533
2afaee51
BK		 534 /* The gimpy cipher list we configure can't do TLS 1.3. */
535 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 536
710756a9
RS		 537 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
538 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
539 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
540 &clientssl, NULL, NULL))
541 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 542 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 543 /*
544 * Passing a -1 literal is a hack since
545 * the real value was lost.
546 * */
a9c0d8be
DB		 547 || !TEST_int_eq(SSL_get_error(serverssl, -1),
548 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 549 || !TEST_true(create_ssl_connection(serverssl, clientssl,
550 SSL_ERROR_NONE)))
2afaee51 551 goto end;
2afaee51
BK		 552
553 testresult = 1;
554
555end:
556 SSL_free(serverssl);
557 SSL_free(clientssl);
558 SSL_CTX_free(sctx);
559 SSL_CTX_free(cctx);
560
561 return testresult;
562}
e9ee6536 563#endif
2afaee51 564
84d5549e 565static int execute_test_large_message(const SSL_METHOD *smeth,
7d7f6834
RL		 566 const SSL_METHOD *cmeth,
567 int min_version, int max_version,
568 int read_ahead)
84d5549e
MC		 569{
570 SSL_CTX *cctx = NULL, *sctx = NULL;
571 SSL *clientssl = NULL, *serverssl = NULL;
572 int testresult = 0;
573 int i;
710756a9 574 BIO *certbio = NULL;
84d5549e
MC		 575 X509 *chaincert = NULL;
576 int certlen;
577
710756a9 578 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
84d5549e 579 goto end;
84d5549e 580 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
fa454945
MC		 581 BIO_free(certbio);
582 certbio = NULL;
710756a9 583 if (!TEST_ptr(chaincert))
fa454945 584 goto end;
84d5549e 585
7d7f6834
RL		 586 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
587 &sctx, &cctx, cert, privkey)))
84d5549e 588 goto end;
84d5549e 589
710756a9 590 if (read_ahead) {
7856332e
MC		 591 /*
592 * Test that read_ahead works correctly when dealing with large
593 * records
594 */
595 SSL_CTX_set_read_ahead(cctx, 1);
596 }
597
84d5549e
MC		 598 /*
599 * We assume the supplied certificate is big enough so that if we add
600 * NUM_EXTRA_CERTS it will make the overall message large enough. The
601 * default buffer size is requested to be 16k, but due to the way BUF_MEM
710756a9
RS		 602 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
603 * test we need to have a message larger than that.
84d5549e
MC		 604 */
605 certlen = i2d_X509(chaincert, NULL);
710756a9
RS		 606 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
607 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
84d5549e 608 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
710756a9 609 if (!X509_up_ref(chaincert))
84d5549e 610 goto end;
84d5549e 611 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
84d5549e
MC		 612 X509_free(chaincert);
613 goto end;
614 }
615 }
616
710756a9
RS		 617 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
618 NULL, NULL))
619 || !TEST_true(create_ssl_connection(serverssl, clientssl,
620 SSL_ERROR_NONE)))
84d5549e 621 goto end;
84d5549e 622
4bf08600
MC		 623 /*
624 * Calling SSL_clear() first is not required but this tests that SSL_clear()
625 * doesn't leak (when using enable-crypto-mdebug).
626 */
710756a9 627 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 628 goto end;
84d5549e 629
4bf08600 630 testresult = 1;
84d5549e
MC		 631 end:
632 X509_free(chaincert);
633 SSL_free(serverssl);
634 SSL_free(clientssl);
635 SSL_CTX_free(sctx);
636 SSL_CTX_free(cctx);
637
638 return testresult;
639}
640
641static int test_large_message_tls(void)
642{
7856332e 643 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
7d7f6834 644 TLS1_VERSION, TLS_MAX_VERSION,
7856332e
MC		 645 0);
646}
647
648static int test_large_message_tls_read_ahead(void)
649{
650 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
7d7f6834 651 TLS1_VERSION, TLS_MAX_VERSION,
7856332e 652 1);
84d5549e
MC		 653}
654
55386bef 655#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 656static int test_large_message_dtls(void)
657{
7856332e
MC		 658 /*
659 * read_ahead is not relevant to DTLS because DTLS always acts as if
660 * read_ahead is set.
661 */
84d5549e 662 return execute_test_large_message(DTLS_server_method(),
7d7f6834
RL		 663 DTLS_client_method(),
664 DTLS1_VERSION, DTLS_MAX_VERSION,
665 0);
84d5549e 666}
55386bef 667#endif
84d5549e 668
8f8c11d8 669#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 670static int ocsp_server_cb(SSL *s, void *arg)
671{
672 int *argi = (int *)arg;
710756a9 673 unsigned char *copy = NULL;
ba881d3b
MC		 674 STACK_OF(OCSP_RESPID) *ids = NULL;
675 OCSP_RESPID *id = NULL;
676
677 if (*argi == 2) {
678 /* In this test we are expecting exactly 1 OCSP_RESPID */
679 SSL_get_tlsext_status_ids(s, &ids);
680 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
681 return SSL_TLSEXT_ERR_ALERT_FATAL;
682
683 id = sk_OCSP_RESPID_value(ids, 0);
684 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
685 return SSL_TLSEXT_ERR_ALERT_FATAL;
686 } else if (*argi != 1) {
687 return SSL_TLSEXT_ERR_ALERT_FATAL;
688 }
689
710756a9 690 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 691 return SSL_TLSEXT_ERR_ALERT_FATAL;
692
710756a9 693 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
ba881d3b 694 ocsp_server_called = 1;
ba881d3b
MC		 695 return SSL_TLSEXT_ERR_OK;
696}
697
698static int ocsp_client_cb(SSL *s, void *arg)
699{
700 int *argi = (int *)arg;
701 const unsigned char *respderin;
702 size_t len;
703
704 if (*argi != 1 && *argi != 2)
705 return 0;
706
707 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 708 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 709 return 0;
710
711 ocsp_client_called = 1;
ba881d3b
MC		 712 return 1;
713}
714
2cb4b5f6
MC		 715static int test_tlsext_status_type(void)
716{
ba881d3b
MC		 717 SSL_CTX *cctx = NULL, *sctx = NULL;
718 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 719 int testresult = 0;
ba881d3b
MC		 720 STACK_OF(OCSP_RESPID) *ids = NULL;
721 OCSP_RESPID *id = NULL;
722 BIO *certbio = NULL;
2cb4b5f6 723
7d7f6834
RL		 724 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
725 TLS1_VERSION, TLS_MAX_VERSION,
726 &sctx, &cctx, cert, privkey))
ba881d3b 727 return 0;
2cb4b5f6 728
710756a9 729 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 730 goto end;
2cb4b5f6 731
ba881d3b 732 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 733
ba881d3b 734 clientssl = SSL_new(cctx);
710756a9
RS		 735 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
736 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
737 TLSEXT_STATUSTYPE_ocsp))
738 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
739 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 740 goto end;
2cb4b5f6 741
ba881d3b
MC		 742 SSL_free(clientssl);
743 clientssl = NULL;
2cb4b5f6 744
710756a9
RS		 745 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
746 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 747 goto end;
2cb4b5f6 748
ba881d3b 749 clientssl = SSL_new(cctx);
710756a9 750 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 751 goto end;
ba881d3b
MC		 752 SSL_free(clientssl);
753 clientssl = NULL;
754
755 /*
756 * Now actually do a handshake and check OCSP information is exchanged and
757 * the callbacks get called
758 */
ba881d3b
MC		 759 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
760 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
761 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
762 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 763 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
764 &clientssl, NULL, NULL))
765 || !TEST_true(create_ssl_connection(serverssl, clientssl,
766 SSL_ERROR_NONE))
767 || !TEST_true(ocsp_client_called)
768 || !TEST_true(ocsp_server_called))
ba881d3b 769 goto end;
ba881d3b
MC		 770 SSL_free(serverssl);
771 SSL_free(clientssl);
772 serverssl = NULL;
773 clientssl = NULL;
774
775 /* Try again but this time force the server side callback to fail */
776 ocsp_client_called = 0;
777 ocsp_server_called = 0;
778 cdummyarg = 0;
710756a9
RS		 779 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
780 &clientssl, NULL, NULL))
781 /* This should fail because the callback will fail */
782 || !TEST_false(create_ssl_connection(serverssl, clientssl,
783 SSL_ERROR_NONE))
784 || !TEST_false(ocsp_client_called)
785 || !TEST_false(ocsp_server_called))
ba881d3b 786 goto end;
ba881d3b
MC		 787 SSL_free(serverssl);
788 SSL_free(clientssl);
789 serverssl = NULL;
790 clientssl = NULL;
791
792 /*
793 * This time we'll get the client to send an OCSP_RESPID that it will
794 * accept.
795 */
796 ocsp_client_called = 0;
797 ocsp_server_called = 0;
798 cdummyarg = 2;
710756a9
RS		 799 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
800 &clientssl, NULL, NULL)))
ba881d3b 801 goto end;
ba881d3b
MC		 802
803 /*
804 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 805 * specific one. We'll use the server cert.
ba881d3b 806 */
710756a9
RS		 807 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
808 || !TEST_ptr(id = OCSP_RESPID_new())
809 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
810 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
811 NULL, NULL, NULL))
812 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
813 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 814 goto end;
ba881d3b
MC		 815 id = NULL;
816 SSL_set_tlsext_status_ids(clientssl, ids);
817 /* Control has been transferred */
818 ids = NULL;
819
820 BIO_free(certbio);
821 certbio = NULL;
822
710756a9
RS		 823 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
824 SSL_ERROR_NONE))
825 || !TEST_true(ocsp_client_called)
826 || !TEST_true(ocsp_server_called))
ba881d3b 827 goto end;
ba881d3b 828
2cb4b5f6
MC		 829 testresult = 1;
830
831 end:
ba881d3b
MC		 832 SSL_free(serverssl);
833 SSL_free(clientssl);
834 SSL_CTX_free(sctx);
835 SSL_CTX_free(cctx);
836 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
837 OCSP_RESPID_free(id);
838 BIO_free(certbio);
839 X509_free(ocspcert);
840 ocspcert = NULL;
2cb4b5f6
MC		 841
842 return testresult;
843}
8f8c11d8 844#endif
2cb4b5f6 845
bf208d95 846#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 847static int new_called, remove_called, get_called;
eaa776da 848
eaa776da
MC		 849static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
850{
851 new_called++;
c0537ebd
MC		 852 /*
853 * sess has been up-refed for us, but we don't actually need it so free it
854 * immediately.
855 */
856 SSL_SESSION_free(sess);
eaa776da
MC		 857 return 1;
858}
859
860static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
861{
862 remove_called++;
863}
864
7a301f08
MC		 865static SSL_SESSION *get_sess_val = NULL;
866
867static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
868 int *copy)
869{
0afca811 870 get_called++;
7a301f08
MC		 871 *copy = 1;
872 return get_sess_val;
873}
874
7a301f08
MC		 875static int execute_test_session(int maxprot, int use_int_cache,
876 int use_ext_cache)
2cb4b5f6
MC		 877{
878 SSL_CTX *sctx = NULL, *cctx = NULL;
879 SSL *serverssl1 = NULL, *clientssl1 = NULL;
880 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 881# ifndef OPENSSL_NO_TLS1_1
eaa776da 882 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 883# endif
2cb4b5f6
MC		 884 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
885 int testresult = 0;
886
7e885b7b
P		 887 new_called = remove_called = 0;
888
7d7f6834
RL		 889 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
890 TLS1_VERSION, TLS_MAX_VERSION,
891 &sctx, &cctx, cert, privkey)))
2cb4b5f6 892 return 0;
2cb4b5f6 893
7a301f08
MC		 894 /*
895 * Only allow the max protocol version so we can force a connection failure
896 * later
897 */
898 SSL_CTX_set_min_proto_version(cctx, maxprot);
899 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 900
901 /* Set up session cache */
7e885b7b 902 if (use_ext_cache) {
eaa776da
MC		 903 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
904 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
905 }
7e885b7b 906 if (use_int_cache) {
eaa776da
MC		 907 /* Also covers instance where both are set */
908 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
909 } else {
910 SSL_CTX_set_session_cache_mode(cctx,
911 SSL_SESS_CACHE_CLIENT
912 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
913 }
2cb4b5f6 914
710756a9
RS		 915 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
916 NULL, NULL))
917 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
918 SSL_ERROR_NONE))
919 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 920 goto end;
2cb4b5f6 921
710756a9 922 /* Should fail because it should already be in the cache */
7e885b7b 923 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 924 goto end;
7a301f08
MC		 925 if (use_ext_cache
926 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
b4982125 927 goto end;
b4982125 928
c0537ebd
MC		 929 new_called = remove_called = 0;
930 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
931 &clientssl2, NULL, NULL))
932 || !TEST_true(SSL_set_session(clientssl2, sess1))
933 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
934 SSL_ERROR_NONE))
935 || !TEST_true(SSL_session_reused(clientssl2)))
936 goto end;
937
7a301f08
MC		 938 if (maxprot == TLS1_3_VERSION) {
939 /*
940 * In TLSv1.3 we should have created a new session even though we have
941 * resumed. The original session should also have been removed.
942 */
943 if (use_ext_cache
944 && (!TEST_int_eq(new_called, 1)
945 || !TEST_int_eq(remove_called, 1)))
946 goto end;
947 } else {
948 /*
949 * In TLSv1.2 we expect to have resumed so no sessions added or
950 * removed.
951 */
952 if (use_ext_cache
953 && (!TEST_int_eq(new_called, 0)
954 || !TEST_int_eq(remove_called, 0)))
955 goto end;
956 }
c0537ebd
MC		 957
958 SSL_SESSION_free(sess1);
959 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
960 goto end;
961 shutdown_ssl_connection(serverssl2, clientssl2);
962 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 963
964 new_called = remove_called = 0;
710756a9
RS		 965 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
966 &clientssl2, NULL, NULL))
967 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
968 SSL_ERROR_NONE)))
2cb4b5f6 969 goto end;
2cb4b5f6 970
710756a9 971 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 972 goto end;
2cb4b5f6 973
7a301f08
MC		 974 if (use_ext_cache
975 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
eaa776da 976 goto end;
eaa776da 977
c0537ebd 978 new_called = remove_called = 0;
2cb4b5f6 979 /*
710756a9
RS		 980 * This should clear sess2 from the cache because it is a "bad" session.
981 * See SSL_set_session() documentation.
2cb4b5f6 982 */
710756a9 983 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 984 goto end;
7a301f08
MC		 985 if (use_ext_cache
986 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 987 goto end;
710756a9 988 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 989 goto end;
2cb4b5f6 990
7e885b7b 991 if (use_int_cache) {
710756a9
RS		 992 /* Should succeeded because it should not already be in the cache */
993 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
994 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 995 goto end;
eaa776da
MC		 996 }
997
c0537ebd 998 new_called = remove_called = 0;
eaa776da 999 /* This shouldn't be in the cache so should fail */
710756a9 1000 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 1001 goto end;
2cb4b5f6 1002
7a301f08
MC		 1003 if (use_ext_cache
1004 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1005 goto end;
2cb4b5f6 1006
bf208d95 1007# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 1008 new_called = remove_called = 0;
eaa776da
MC		 1009 /* Force a connection failure */
1010 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 1011 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1012 &clientssl3, NULL, NULL))
1013 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 1014 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 1015 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1016 SSL_ERROR_NONE)))
eaa776da 1017 goto end;
b4982125 1018
eaa776da 1019 /* We should have automatically removed the session from the cache */
7a301f08
MC		 1020 if (use_ext_cache
1021 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1022 goto end;
2cb4b5f6 1023
710756a9 1024 /* Should succeed because it should not already be in the cache */
7e885b7b 1025 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 1026 goto end;
bf208d95 1027# endif
eaa776da 1028
7a301f08
MC		 1029 /* Now do some tests for server side caching */
1030 if (use_ext_cache) {
1031 SSL_CTX_sess_set_new_cb(cctx, NULL);
1032 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1033 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1034 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1035 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1036 get_sess_val = NULL;
1037 }
1038
1039 SSL_CTX_set_session_cache_mode(cctx, 0);
1040 /* Internal caching is the default on the server side */
1041 if (!use_int_cache)
1042 SSL_CTX_set_session_cache_mode(sctx,
1043 SSL_SESS_CACHE_SERVER
1044 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1045
1046 SSL_free(serverssl1);
1047 SSL_free(clientssl1);
1048 serverssl1 = clientssl1 = NULL;
1049 SSL_free(serverssl2);
1050 SSL_free(clientssl2);
1051 serverssl2 = clientssl2 = NULL;
1052 SSL_SESSION_free(sess1);
1053 sess1 = NULL;
1054 SSL_SESSION_free(sess2);
1055 sess2 = NULL;
1056
1057 SSL_CTX_set_max_proto_version(sctx, maxprot);
1058 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 1059 new_called = remove_called = get_called = 0;
7a301f08
MC		 1060 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1061 NULL, NULL))
1062 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1063 SSL_ERROR_NONE))
1064 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1065 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1066 goto end;
1067
1068 /* Should fail because it should already be in the cache */
1069 if (use_int_cache && !TEST_false(SSL_CTX_add_session(sctx, sess2)))
1070 goto end;
1071
1072 if (use_ext_cache) {
1073 SSL_SESSION *tmp = sess2;
1074
0afca811
KY		 1075 if (!TEST_int_eq(new_called, 1)
1076 || !TEST_int_eq(remove_called, 0)
1077 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 1078 goto end;
1079 /*
1080 * Delete the session from the internal cache to force a lookup from
1081 * the external cache. We take a copy first because
1082 * SSL_CTX_remove_session() also marks the session as non-resumable.
1083 */
3cb6a4d6
BK		 1084 if (use_int_cache) {
1085 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1086 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1087 goto end;
1088 SSL_SESSION_free(sess2);
1089 }
7a301f08
MC		 1090 sess2 = tmp;
1091 }
1092
0afca811 1093 new_called = remove_called = get_called = 0;
7a301f08
MC		 1094 get_sess_val = sess2;
1095 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1096 &clientssl2, NULL, NULL))
1097 || !TEST_true(SSL_set_session(clientssl2, sess1))
1098 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1099 SSL_ERROR_NONE))
1100 || !TEST_true(SSL_session_reused(clientssl2)))
1101 goto end;
1102
0afca811 1103 if (use_ext_cache) {
32305f88 1104 if (!TEST_int_eq(remove_called, 0))
0afca811
KY		 1105 goto end;
1106
1107 if (maxprot == TLS1_3_VERSION) {
32305f88
MC		 1108 /*
1109 * Every time we issue a NewSessionTicket we are creating a new
1110 * session for next time in TLSv1.3
1111 */
1112 if (!TEST_int_eq(new_called, 1)
1113 || !TEST_int_eq(get_called, 0))
0afca811
KY		 1114 goto end;
1115 } else {
32305f88
MC		 1116 if (!TEST_int_eq(new_called, 0)
1117 || !TEST_int_eq(get_called, 1))
0afca811
KY		 1118 goto end;
1119 }
1120 }
7a301f08 1121
2cb4b5f6 1122 testresult = 1;
eaa776da 1123
2cb4b5f6
MC		 1124 end:
1125 SSL_free(serverssl1);
1126 SSL_free(clientssl1);
1127 SSL_free(serverssl2);
1128 SSL_free(clientssl2);
bf208d95 1129# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 1130 SSL_free(serverssl3);
1131 SSL_free(clientssl3);
bf208d95 1132# endif
2cb4b5f6
MC		 1133 SSL_SESSION_free(sess1);
1134 SSL_SESSION_free(sess2);
1135 SSL_CTX_free(sctx);
1136 SSL_CTX_free(cctx);
1137
1138 return testresult;
1139}
bf208d95 1140#endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 1141
7fb4c820
MC		 1142static int test_session_with_only_int_cache(void)
1143{
7a301f08
MC		 1144#ifndef OPENSSL_NO_TLS1_3
1145 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1146 return 0;
1147#endif
1148
1149#ifndef OPENSSL_NO_TLS1_2
1150 return execute_test_session(TLS1_2_VERSION, 1, 0);
1151#else
1152 return 1;
1153#endif
eaa776da
MC		 1154}
1155
7fb4c820
MC		 1156static int test_session_with_only_ext_cache(void)
1157{
7a301f08
MC		 1158#ifndef OPENSSL_NO_TLS1_3
1159 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1160 return 0;
1161#endif
1162
1163#ifndef OPENSSL_NO_TLS1_2
1164 return execute_test_session(TLS1_2_VERSION, 0, 1);
1165#else
1166 return 1;
1167#endif
eaa776da
MC		 1168}
1169
7fb4c820
MC		 1170static int test_session_with_both_cache(void)
1171{
7a301f08
MC		 1172#ifndef OPENSSL_NO_TLS1_3
1173 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1174 return 0;
1175#endif
1176
1177#ifndef OPENSSL_NO_TLS1_2
1178 return execute_test_session(TLS1_2_VERSION, 1, 1);
1179#else
1180 return 1;
1181#endif
eaa776da
MC		 1182}
1183
7d4488bb
MC		 1184#define USE_NULL 0
1185#define USE_BIO_1 1
1186#define USE_BIO_2 2
1187#define USE_DEFAULT 3
1188
1189#define CONNTYPE_CONNECTION_SUCCESS 0
1190#define CONNTYPE_CONNECTION_FAIL 1
1191#define CONNTYPE_NO_CONNECTION 2
1192
1193#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1194#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1195#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1196# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1197#else
1198# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1199#endif
1200
7fb4c820 1201
7d4488bb
MC		 1202#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1203 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1204 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
7fb4c820
MC		 1205
1206static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1207{
1208 switch (type) {
1209 case USE_NULL:
1210 *res = NULL;
1211 break;
1212 case USE_BIO_1:
1213 *res = bio1;
1214 break;
1215 case USE_BIO_2:
1216 *res = bio2;
1217 break;
1218 }
1219}
1220
7d4488bb
MC		 1221
1222/*
1223 * Tests calls to SSL_set_bio() under various conditions.
1224 *
1225 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1226 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1227 * then do more tests where we create a successful connection first using our
1228 * standard connection setup functions, and then call SSL_set_bio() with
1229 * various combinations of valid BIOs or NULL. We then repeat these tests
1230 * following a failed connection. In this last case we are looking to check that
1231 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
1232 */
7fb4c820
MC		 1233static int test_ssl_set_bio(int idx)
1234{
7d4488bb 1235 SSL_CTX *sctx = NULL, *cctx = NULL;
7fb4c820
MC		 1236 BIO *bio1 = NULL;
1237 BIO *bio2 = NULL;
0fae8150 1238 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7d4488bb
MC		 1239 SSL *serverssl = NULL, *clientssl = NULL;
1240 int initrbio, initwbio, newrbio, newwbio, conntype;
7fb4c820
MC		 1241 int testresult = 0;
1242
7d4488bb
MC		 1243 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
1244 initrbio = idx % 3;
1245 idx /= 3;
1246 initwbio = idx % 3;
1247 idx /= 3;
1248 newrbio = idx % 3;
1249 idx /= 3;
1250 newwbio = idx % 3;
1251 conntype = CONNTYPE_NO_CONNECTION;
1252 } else {
1253 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
1254 initrbio = initwbio = USE_DEFAULT;
1255 newrbio = idx % 2;
1256 idx /= 2;
1257 newwbio = idx % 2;
1258 idx /= 2;
1259 conntype = idx % 2;
1260 }
710756a9 1261
7d4488bb
MC		 1262 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1263 TLS1_VERSION, TLS_MAX_VERSION,
1264 &sctx, &cctx, cert, privkey)))
1265 goto end;
1266
1267 if (conntype == CONNTYPE_CONNECTION_FAIL) {
1268 /*
1269 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
1270 * because we reduced the number of tests in the definition of
1271 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
1272 * mismatched protocol versions we will force a connection failure.
1273 */
1274 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
1275 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1276 }
1277
1278 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1279 NULL, NULL)))
710756a9 1280 goto end;
7fb4c820 1281
710756a9
RS		 1282 if (initrbio == USE_BIO_1
1283 || initwbio == USE_BIO_1
1284 || newrbio == USE_BIO_1
7fb4c820 1285 || newwbio == USE_BIO_1) {
710756a9 1286 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 1287 goto end;
7fb4c820
MC		 1288 }
1289
710756a9
RS		 1290 if (initrbio == USE_BIO_2
1291 || initwbio == USE_BIO_2
1292 || newrbio == USE_BIO_2
7fb4c820 1293 || newwbio == USE_BIO_2) {
710756a9 1294 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 1295 goto end;
7fb4c820
MC		 1296 }
1297
7d4488bb
MC		 1298 if (initrbio != USE_DEFAULT) {
1299 setupbio(&irbio, bio1, bio2, initrbio);
1300 setupbio(&iwbio, bio1, bio2, initwbio);
1301 SSL_set_bio(clientssl, irbio, iwbio);
7fb4c820 1302
7d4488bb
MC		 1303 /*
1304 * We want to maintain our own refs to these BIO, so do an up ref for
1305 * each BIO that will have ownership transferred in the SSL_set_bio()
1306 * call
1307 */
1308 if (irbio != NULL)
1309 BIO_up_ref(irbio);
1310 if (iwbio != NULL && iwbio != irbio)
1311 BIO_up_ref(iwbio);
1312 }
7fb4c820 1313
7d4488bb
MC		 1314 if (conntype != CONNTYPE_NO_CONNECTION
1315 && !TEST_true(create_ssl_connection(serverssl, clientssl,
1316 SSL_ERROR_NONE)
1317 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
1318 goto end;
7fb4c820
MC		 1319
1320 setupbio(&nrbio, bio1, bio2, newrbio);
1321 setupbio(&nwbio, bio1, bio2, newwbio);
1322
1323 /*
1324 * We will (maybe) transfer ownership again so do more up refs.
1325 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1326 * already been set!
1327 */
710756a9
RS		 1328 if (nrbio != NULL
1329 && nrbio != irbio
1330 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 1331 BIO_up_ref(nrbio);
710756a9
RS		 1332 if (nwbio != NULL
1333 && nwbio != nrbio
1334 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 1335 BIO_up_ref(nwbio);
1336
7d4488bb 1337 SSL_set_bio(clientssl, nrbio, nwbio);
7fb4c820
MC		 1338
1339 testresult = 1;
1340
1341 end:
7fb4c820
MC		 1342 BIO_free(bio1);
1343 BIO_free(bio2);
710756a9 1344
7fb4c820
MC		 1345 /*
1346 * This test is checking that the ref counting for SSL_set_bio is correct.
1347 * If we get here and we did too many frees then we will fail in the above
1348 * functions. If we haven't done enough then this will only be detected in
1349 * a crypto-mdebug build
1350 */
7d4488bb
MC		 1351 SSL_free(serverssl);
1352 SSL_free(clientssl);
1353 SSL_CTX_free(sctx);
1354 SSL_CTX_free(cctx);
7fb4c820
MC		 1355 return testresult;
1356}
1357
7e885b7b 1358typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 1359
7e885b7b 1360static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 1361{
1362 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 1363 SSL_CTX *ctx;
9a716987
MC		 1364 SSL *ssl = NULL;
1365 int testresult = 0;
1366
710756a9
RS		 1367 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1368 || !TEST_ptr(ssl = SSL_new(ctx))
1369 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1370 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 1371 goto end;
9a716987
MC		 1372
1373 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1374
1375 /*
1376 * If anything goes wrong here then we could leak memory, so this will
1377 * be caught in a crypto-mdebug build
1378 */
1379 BIO_push(sslbio, membio1);
1380
69687aa8 1381 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 1382 if (change_bio != NO_BIO_CHANGE) {
710756a9 1383 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
9a716987 1384 goto end;
7e885b7b 1385 if (change_bio == CHANGE_RBIO)
65e2d672 1386 SSL_set0_rbio(ssl, membio2);
9a716987 1387 else
65e2d672 1388 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 1389 }
1390 ssl = NULL;
1391
7e885b7b 1392 if (pop_ssl)
9a716987
MC		 1393 BIO_pop(sslbio);
1394 else
1395 BIO_pop(membio1);
1396
1397 testresult = 1;
1398 end:
1399 BIO_free(membio1);
1400 BIO_free(sslbio);
1401 SSL_free(ssl);
1402 SSL_CTX_free(ctx);
1403
1404 return testresult;
1405}
1406
1407static int test_ssl_bio_pop_next_bio(void)
1408{
7e885b7b 1409 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 1410}
1411
1412static int test_ssl_bio_pop_ssl_bio(void)
1413{
7e885b7b 1414 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 1415}
1416
1417static int test_ssl_bio_change_rbio(void)
1418{
7e885b7b 1419 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 1420}
1421
1422static int test_ssl_bio_change_wbio(void)
1423{
7e885b7b 1424 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 1425}
1426
c423ecaa 1427#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae
MC		 1428typedef struct {
1429 /* The list of sig algs */
1430 const int *list;
1431 /* The length of the list */
1432 size_t listlen;
1433 /* A sigalgs list in string format */
1434 const char *liststr;
1435 /* Whether setting the list should succeed */
1436 int valid;
1437 /* Whether creating a connection with the list should succeed */
1438 int connsuccess;
1439} sigalgs_list;
1440
1441static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 1442# ifndef OPENSSL_NO_EC
f1b25aae
MC		 1443static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1444static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 1445# endif
f1b25aae
MC		 1446static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1447static const int invalidlist2[] = {NID_sha256, NID_undef};
1448static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1449static const int invalidlist4[] = {NID_sha256};
1450static const sigalgs_list testsigalgs[] = {
1451 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 1452# ifndef OPENSSL_NO_EC
f1b25aae
MC		 1453 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1454 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 1455# endif
f1b25aae 1456 {NULL, 0, "RSA+SHA256", 1, 1},
c423ecaa 1457# ifndef OPENSSL_NO_EC
f1b25aae
MC		 1458 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1459 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 1460# endif
f1b25aae
MC		 1461 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1462 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1463 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1464 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1465 {NULL, 0, "RSA", 0, 0},
1466 {NULL, 0, "SHA256", 0, 0},
1467 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 1468 {NULL, 0, "Invalid", 0, 0}
1469};
f1b25aae
MC		 1470
1471static int test_set_sigalgs(int idx)
1472{
1473 SSL_CTX *cctx = NULL, *sctx = NULL;
1474 SSL *clientssl = NULL, *serverssl = NULL;
1475 int testresult = 0;
1476 const sigalgs_list *curr;
1477 int testctx;
1478
1479 /* Should never happen */
710756a9 1480 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 1481 return 0;
1482
1483 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1484 curr = testctx ? &testsigalgs[idx]
1485 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1486
7d7f6834
RL		 1487 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1488 TLS1_VERSION, TLS_MAX_VERSION,
1489 &sctx, &cctx, cert, privkey)))
f1b25aae 1490 return 0;
f1b25aae 1491
d2e491f2
MC		 1492 /*
1493 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1494 * for TLSv1.2 for now until we add a new API.
1495 */
1496 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1497
f1b25aae
MC		 1498 if (testctx) {
1499 int ret;
710756a9 1500
f1b25aae
MC		 1501 if (curr->list != NULL)
1502 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1503 else
1504 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1505
1506 if (!ret) {
1507 if (curr->valid)
710756a9 1508 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 1509 else
1510 testresult = 1;
1511 goto end;
1512 }
1513 if (!curr->valid) {
710756a9 1514 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 1515 goto end;
1516 }
1517 }
1518
710756a9
RS		 1519 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1520 &clientssl, NULL, NULL)))
f1b25aae 1521 goto end;
f1b25aae
MC		 1522
1523 if (!testctx) {
1524 int ret;
1525
1526 if (curr->list != NULL)
1527 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1528 else
1529 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1530 if (!ret) {
1531 if (curr->valid)
710756a9 1532 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 1533 else
1534 testresult = 1;
1535 goto end;
1536 }
710756a9 1537 if (!curr->valid)
f1b25aae 1538 goto end;
f1b25aae
MC		 1539 }
1540
710756a9
RS		 1541 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1542 SSL_ERROR_NONE),
1543 curr->connsuccess))
f1b25aae 1544 goto end;
f1b25aae
MC		 1545
1546 testresult = 1;
1547
1548 end:
1549 SSL_free(serverssl);
1550 SSL_free(clientssl);
1551 SSL_CTX_free(sctx);
1552 SSL_CTX_free(cctx);
1553
1554 return testresult;
1555}
c423ecaa 1556#endif
f1b25aae 1557
fff202e5
MC		 1558#ifndef OPENSSL_NO_TLS1_3
1559
57dee9bb
MC		 1560static SSL_SESSION *clientpsk = NULL;
1561static SSL_SESSION *serverpsk = NULL;
02a3ed5a
MC		 1562static const char *pskid = "Identity";
1563static const char *srvid;
1564
1565static int use_session_cb_cnt = 0;
1566static int find_session_cb_cnt = 0;
532f9578
MC		 1567static int psk_client_cb_cnt = 0;
1568static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 1569
1570static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
1571 size_t *idlen, SSL_SESSION **sess)
1572{
1573 switch (++use_session_cb_cnt) {
1574 case 1:
1575 /* The first call should always have a NULL md */
1576 if (md != NULL)
1577 return 0;
1578 break;
1579
1580 case 2:
1581 /* The second call should always have an md */
1582 if (md == NULL)
1583 return 0;
1584 break;
1585
1586 default:
1587 /* We should only be called a maximum of twice */
1588 return 0;
1589 }
1590
57dee9bb
MC		 1591 if (clientpsk != NULL)
1592 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 1593
57dee9bb 1594 *sess = clientpsk;
02a3ed5a
MC		 1595 *id = (const unsigned char *)pskid;
1596 *idlen = strlen(pskid);
1597
1598 return 1;
1599}
1600
c2b290c3 1601#ifndef OPENSSL_NO_PSK
532f9578
MC		 1602static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
1603 unsigned int max_id_len,
1604 unsigned char *psk,
1605 unsigned int max_psk_len)
1606{
1607 unsigned int psklen = 0;
1608
1609 psk_client_cb_cnt++;
1610
1611 if (strlen(pskid) + 1 > max_id_len)
1612 return 0;
1613
1614 /* We should only ever be called a maximum of twice per connection */
1615 if (psk_client_cb_cnt > 2)
1616 return 0;
1617
1618 if (clientpsk == NULL)
1619 return 0;
1620
1621 /* We'll reuse the PSK we set up for TLSv1.3 */
1622 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
1623 return 0;
1624 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
1625 strncpy(id, pskid, max_id_len);
1626
1627 return psklen;
1628}
c2b290c3 1629#endif /* OPENSSL_NO_PSK */
532f9578 1630
02a3ed5a
MC		 1631static int find_session_cb(SSL *ssl, const unsigned char *identity,
1632 size_t identity_len, SSL_SESSION **sess)
1633{
1634 find_session_cb_cnt++;
1635
1636 /* We should only ever be called a maximum of twice per connection */
1637 if (find_session_cb_cnt > 2)
1638 return 0;
1639
57dee9bb 1640 if (serverpsk == NULL)
02a3ed5a
MC		 1641 return 0;
1642
1643 /* Identity should match that set by the client */
1644 if (strlen(srvid) != identity_len
1645 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
1646 /* No PSK found, continue but without a PSK */
1647 *sess = NULL;
1648 return 1;
1649 }
1650
57dee9bb
MC		 1651 SSL_SESSION_up_ref(serverpsk);
1652 *sess = serverpsk;
02a3ed5a
MC		 1653
1654 return 1;
1655}
1656
c2b290c3 1657#ifndef OPENSSL_NO_PSK
532f9578
MC		 1658static unsigned int psk_server_cb(SSL *ssl, const char *identity,
1659 unsigned char *psk, unsigned int max_psk_len)
1660{
1661 unsigned int psklen = 0;
1662
1663 psk_server_cb_cnt++;
1664
1665 /* We should only ever be called a maximum of twice per connection */
1666 if (find_session_cb_cnt > 2)
1667 return 0;
1668
1669 if (serverpsk == NULL)
1670 return 0;
1671
1672 /* Identity should match that set by the client */
1673 if (strcmp(srvid, identity) != 0) {
1674 return 0;
1675 }
1676
1677 /* We'll reuse the PSK we set up for TLSv1.3 */
1678 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
1679 return 0;
1680 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
1681
1682 return psklen;
1683}
c2b290c3 1684#endif /* OPENSSL_NO_PSK */
532f9578 1685
5f982038
MC		 1686#define MSG1 "Hello"
1687#define MSG2 "World."
1688#define MSG3 "This"
1689#define MSG4 "is"
1690#define MSG5 "a"
90049cea
MC		 1691#define MSG6 "test"
1692#define MSG7 "message."
5f982038 1693
02a3ed5a 1694#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
532f9578 1695#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
02a3ed5a 1696
5f982038
MC		 1697/*
1698 * Helper method to setup objects for early data test. Caller frees objects on
1699 * error.
1700 */
1701static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3cb47b4e 1702 SSL **serverssl, SSL_SESSION **sess, int idx)
5f982038 1703{
7d7f6834
RL		 1704 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1705 TLS1_VERSION, TLS_MAX_VERSION,
1706 sctx, cctx, cert, privkey))
c39e4048 1707 || !TEST_true(SSL_CTX_set_max_early_data(*sctx,
c39e4048 1708 SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 1709 return 0;
5f982038 1710
02a3ed5a
MC		 1711 if (idx == 1) {
1712 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 1713 SSL_CTX_set_read_ahead(*cctx, 1);
1714 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 1715 } else if (idx == 2) {
1716 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
1717 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
1718 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
1719 use_session_cb_cnt = 0;
1720 find_session_cb_cnt = 0;
1721 srvid = pskid;
3cb47b4e
MC		 1722 }
1723
710756a9 1724 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 1725 NULL, NULL)))
1726 return 0;
1727
141e4709
MC		 1728 /*
1729 * For one of the run throughs (doesn't matter which one), we'll try sending
1730 * some SNI data in the initial ClientHello. This will be ignored (because
1731 * there is no SNI cb set up by the server), so it should not impact
1732 * early_data.
1733 */
1734 if (idx == 1
1735 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
1736 return 0;
1737
02a3ed5a
MC		 1738 if (idx == 2) {
1739 /* Create the PSK */
1740 const SSL_CIPHER *cipher = NULL;
1741 const unsigned char key[] = {
1742 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
1743 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
1744 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
1745 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
1746 0x2c, 0x2d, 0x2e, 0x2f
1747 };
1748
1749 cipher = SSL_CIPHER_find(*clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
57dee9bb
MC		 1750 clientpsk = SSL_SESSION_new();
1751 if (!TEST_ptr(clientpsk)
02a3ed5a 1752 || !TEST_ptr(cipher)
57dee9bb 1753 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
02a3ed5a 1754 sizeof(key)))
57dee9bb 1755 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
02a3ed5a 1756 || !TEST_true(
57dee9bb 1757 SSL_SESSION_set_protocol_version(clientpsk,
02a3ed5a
MC		 1758 TLS1_3_VERSION))
1759 /*
1760 * We just choose an arbitrary value for max_early_data which
1761 * should be big enough for testing purposes.
1762 */
57dee9bb
MC		 1763 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
1764 0x100))
1765 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1766 SSL_SESSION_free(clientpsk);
1767 clientpsk = NULL;
02a3ed5a
MC		 1768 return 0;
1769 }
57dee9bb 1770 serverpsk = clientpsk;
02a3ed5a 1771
c20e3b28
MC		 1772 if (sess != NULL) {
1773 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1774 SSL_SESSION_free(clientpsk);
1775 SSL_SESSION_free(serverpsk);
1776 clientpsk = serverpsk = NULL;
1777 return 0;
1778 }
57dee9bb 1779 *sess = clientpsk;
c20e3b28 1780 }
02a3ed5a
MC		 1781 return 1;
1782 }
1783
1784 if (sess == NULL)
1785 return 1;
1786
1787 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
1788 SSL_ERROR_NONE)))
5f982038 1789 return 0;
5f982038
MC		 1790
1791 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 1792 SSL_shutdown(*clientssl);
1793 SSL_shutdown(*serverssl);
5f982038
MC		 1794 SSL_free(*serverssl);
1795 SSL_free(*clientssl);
1796 *serverssl = *clientssl = NULL;
1797
710756a9
RS		 1798 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
1799 clientssl, NULL, NULL))
1800 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 1801 return 0;
5f982038
MC		 1802
1803 return 1;
1804}
1805
3cb47b4e 1806static int test_early_data_read_write(int idx)
5f982038
MC		 1807{
1808 SSL_CTX *cctx = NULL, *sctx = NULL;
1809 SSL *clientssl = NULL, *serverssl = NULL;
1810 int testresult = 0;
1811 SSL_SESSION *sess = NULL;
9b5c865d
MC		 1812 unsigned char buf[20], data[1024];
1813 size_t readbytes, written, eoedlen, rawread, rawwritten;
1814 BIO *rbio;
5f982038 1815
710756a9
RS		 1816 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1817 &serverssl, &sess, idx)))
5f982038
MC		 1818 goto end;
1819
1820 /* Write and read some early data */
710756a9
RS		 1821 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1822 &written))
1823 || !TEST_size_t_eq(written, strlen(MSG1))
1824 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
1825 sizeof(buf), &readbytes),
1826 SSL_READ_EARLY_DATA_SUCCESS)
1827 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
1828 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1829 SSL_EARLY_DATA_ACCEPTED))
5f982038 1830 goto end;
5f982038
MC		 1831
1832 /*
09f28874 1833 * Server should be able to write data, and client should be able to
5f982038
MC		 1834 * read it.
1835 */
710756a9
RS		 1836 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
1837 &written))
1838 || !TEST_size_t_eq(written, strlen(MSG2))
1839 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1840 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 1841 goto end;
5f982038
MC		 1842
1843 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 1844 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
1845 &written))
1846 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 1847 goto end;
5f982038 1848
09f28874 1849 /* Server should still be able read early data after writing data */
710756a9
RS		 1850 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1851 &readbytes),
1852 SSL_READ_EARLY_DATA_SUCCESS)
1853 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 1854 goto end;
5f982038 1855
09f28874 1856 /* Write more data from server and read it from client */
710756a9
RS		 1857 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
1858 &written))
1859 || !TEST_size_t_eq(written, strlen(MSG4))
1860 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1861 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 1862 goto end;
5f982038
MC		 1863
1864 /*
1865 * If client writes normal data it should mean writing early data is no
1866 * longer possible.
1867 */
710756a9
RS		 1868 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1869 || !TEST_size_t_eq(written, strlen(MSG5))
1870 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1871 SSL_EARLY_DATA_ACCEPTED))
5f982038 1872 goto end;
5f982038 1873
9b5c865d
MC		 1874 /*
1875 * At this point the client has written EndOfEarlyData, ClientFinished and
1876 * normal (fully protected) data. We are going to cause a delay between the
1877 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
1878 * in the read BIO, and then just put back the EndOfEarlyData message.
1879 */
1880 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 1881 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
1882 || !TEST_size_t_lt(rawread, sizeof(data))
1883 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 1884 goto end;
710756a9 1885
9b5c865d
MC		 1886 /* Record length is in the 4th and 5th bytes of the record header */
1887 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 1888 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
1889 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 1890 goto end;
9b5c865d 1891
5f982038 1892 /* Server should be told that there is no more early data */
710756a9
RS		 1893 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1894 &readbytes),
1895 SSL_READ_EARLY_DATA_FINISH)
1896 || !TEST_size_t_eq(readbytes, 0))
5f982038 1897 goto end;
5f982038 1898
9b5c865d
MC		 1899 /*
1900 * Server has not finished init yet, so should still be able to write early
1901 * data.
1902 */
710756a9
RS		 1903 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
1904 &written))
1905 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 1906 goto end;
9b5c865d 1907
f8a303fa 1908 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 1909 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
1910 &rawwritten))
1911 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 1912 goto end;
f8a303fa 1913
5f982038 1914 /* Server should be able to read normal data */
710756a9
RS		 1915 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1916 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 1917 goto end;
5f982038 1918
09f28874 1919 /* Client and server should not be able to write/read early data now */
710756a9
RS		 1920 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1921 &written)))
5f982038 1922 goto end;
5f982038 1923 ERR_clear_error();
710756a9
RS		 1924 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1925 &readbytes),
1926 SSL_READ_EARLY_DATA_ERROR))
5f982038 1927 goto end;
5f982038
MC		 1928 ERR_clear_error();
1929
9b5c865d 1930 /* Client should be able to read the data sent by the server */
710756a9
RS		 1931 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1932 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 1933 goto end;
710756a9 1934
f8a303fa
MC		 1935 /*
1936 * Make sure we process the NewSessionTicket. This arrives post-handshake.
1937 * We attempt a read which we do not expect to return any data.
1938 */
710756a9 1939 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
f8a303fa 1940 goto end;
5f982038 1941
90049cea 1942 /* Server should be able to write normal data */
710756a9
RS		 1943 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
1944 || !TEST_size_t_eq(written, strlen(MSG7))
1945 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1946 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 1947 goto end;
90049cea 1948
c20e3b28 1949 SSL_SESSION_free(sess);
5f982038 1950 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 1951 use_session_cb_cnt = 0;
1952 find_session_cb_cnt = 0;
5f982038
MC		 1953
1954 SSL_shutdown(clientssl);
1955 SSL_shutdown(serverssl);
5f982038
MC		 1956 SSL_free(serverssl);
1957 SSL_free(clientssl);
1958 serverssl = clientssl = NULL;
710756a9
RS		 1959 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1960 &clientssl, NULL, NULL))
1961 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 1962 goto end;
5f982038
MC		 1963
1964 /* Write and read some early data */
710756a9
RS		 1965 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1966 &written))
1967 || !TEST_size_t_eq(written, strlen(MSG1))
1968 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1969 &readbytes),
1970 SSL_READ_EARLY_DATA_SUCCESS)
1971 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 1972 goto end;
5f982038 1973
710756a9
RS		 1974 if (!TEST_int_gt(SSL_connect(clientssl), 0)
1975 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 1976 goto end;
5f982038 1977
09f28874 1978 /* Client and server should not be able to write/read early data now */
710756a9
RS		 1979 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1980 &written)))
5f982038 1981 goto end;
5f982038 1982 ERR_clear_error();
710756a9
RS		 1983 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1984 &readbytes),
1985 SSL_READ_EARLY_DATA_ERROR))
5f982038 1986 goto end;
5f982038
MC		 1987 ERR_clear_error();
1988
1989 /* Client and server should be able to write/read normal data */
710756a9
RS		 1990 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1991 || !TEST_size_t_eq(written, strlen(MSG5))
1992 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1993 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 1994 goto end;
5f982038
MC		 1995
1996 testresult = 1;
1997
1998 end:
c20e3b28 1999 SSL_SESSION_free(sess);
57dee9bb
MC		 2000 SSL_SESSION_free(clientpsk);
2001 SSL_SESSION_free(serverpsk);
2002 clientpsk = serverpsk = NULL;
5f982038
MC		 2003 SSL_free(serverssl);
2004 SSL_free(clientssl);
2005 SSL_CTX_free(sctx);
2006 SSL_CTX_free(cctx);
5f982038
MC		 2007 return testresult;
2008}
2009
78fb5374
MC		 2010static int test_early_data_replay(int idx)
2011{
2012 SSL_CTX *cctx = NULL, *sctx = NULL;
2013 SSL *clientssl = NULL, *serverssl = NULL;
2014 int testresult = 0;
2015 SSL_SESSION *sess = NULL;
2016
2017 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2018 &serverssl, &sess, idx)))
2019 goto end;
2020
2021 /*
2022 * The server is configured to accept early data. Create a connection to
2023 * "use up" the ticket
2024 */
2025 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2026 || !TEST_true(SSL_session_reused(clientssl)))
2027 goto end;
2028
2029 SSL_shutdown(clientssl);
2030 SSL_shutdown(serverssl);
2031 SSL_free(serverssl);
2032 SSL_free(clientssl);
2033 serverssl = clientssl = NULL;
2034
2035 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2036 &clientssl, NULL, NULL))
2037 || !TEST_true(SSL_set_session(clientssl, sess))
2038 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2039 SSL_ERROR_NONE))
2040 /*
2041 * This time we should not have resumed the session because we
2042 * already used it once.
2043 */
2044 || !TEST_false(SSL_session_reused(clientssl)))
2045 goto end;
2046
2047 testresult = 1;
2048
2049 end:
c20e3b28 2050 SSL_SESSION_free(sess);
78fb5374
MC		 2051 SSL_SESSION_free(clientpsk);
2052 SSL_SESSION_free(serverpsk);
2053 clientpsk = serverpsk = NULL;
2054 SSL_free(serverssl);
2055 SSL_free(clientssl);
2056 SSL_CTX_free(sctx);
2057 SSL_CTX_free(cctx);
2058 return testresult;
2059}
2060
710756a9 2061/*
6b84e6bf
MC		 2062 * Helper function to test that a server attempting to read early data can
2063 * handle a connection from a client where the early data should be skipped.
710756a9 2064 */
6b84e6bf 2065static int early_data_skip_helper(int hrr, int idx)
5f982038
MC		 2066{
2067 SSL_CTX *cctx = NULL, *sctx = NULL;
2068 SSL *clientssl = NULL, *serverssl = NULL;
2069 int testresult = 0;
018fcbec 2070 SSL_SESSION *sess = NULL;
5f982038
MC		 2071 unsigned char buf[20];
2072 size_t readbytes, written;
2073
710756a9
RS		 2074 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2075 &serverssl, &sess, idx)))
5f982038
MC		 2076 goto end;
2077
6b84e6bf
MC		 2078 if (hrr) {
2079 /* Force an HRR to occur */
2080 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2081 goto end;
02a3ed5a
MC		 2082 } else if (idx == 2) {
2083 /*
2084 * We force early_data rejection by ensuring the PSK identity is
2085 * unrecognised
2086 */
2087 srvid = "Dummy Identity";
6b84e6bf
MC		 2088 } else {
2089 /*
2090 * Deliberately corrupt the creation time. We take 20 seconds off the
2091 * time. It could be any value as long as it is not within tolerance.
2092 * This should mean the ticket is rejected.
2093 */
5d99881e 2094 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 2095 goto end;
2096 }
5f982038
MC		 2097
2098 /* Write some early data */
710756a9
RS		 2099 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2100 &written))
2101 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 2102 goto end;
5f982038
MC		 2103
2104 /* Server should reject the early data and skip over it */
710756a9
RS		 2105 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2106 &readbytes),
2107 SSL_READ_EARLY_DATA_FINISH)
2108 || !TEST_size_t_eq(readbytes, 0)
2109 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2110 SSL_EARLY_DATA_REJECTED))
5f982038 2111 goto end;
5f982038 2112
6b84e6bf
MC		 2113 if (hrr) {
2114 /*
2115 * Finish off the handshake. We perform the same writes and reads as
2116 * further down but we expect them to fail due to the incomplete
2117 * handshake.
2118 */
2119 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2120 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
2121 &readbytes)))
2122 goto end;
2123 }
2124
710756a9
RS		 2125 /* Should be able to send normal data despite rejection of early data */
2126 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2127 || !TEST_size_t_eq(written, strlen(MSG2))
2128 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2129 SSL_EARLY_DATA_REJECTED)
2130 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2131 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2132 goto end;
5f982038
MC		 2133
2134 testresult = 1;
2135
2136 end:
c20e3b28 2137 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 2138 SSL_SESSION_free(serverpsk);
2139 clientpsk = serverpsk = NULL;
5f982038
MC		 2140 SSL_SESSION_free(sess);
2141 SSL_free(serverssl);
2142 SSL_free(clientssl);
2143 SSL_CTX_free(sctx);
2144 SSL_CTX_free(cctx);
5f982038
MC		 2145 return testresult;
2146}
2147
6b84e6bf
MC		 2148/*
2149 * Test that a server attempting to read early data can handle a connection
2150 * from a client where the early data is not acceptable.
2151 */
2152static int test_early_data_skip(int idx)
2153{
2154 return early_data_skip_helper(0, idx);
2155}
2156
2157/*
2158 * Test that a server attempting to read early data can handle a connection
2159 * from a client where an HRR occurs.
2160 */
2161static int test_early_data_skip_hrr(int idx)
2162{
2163 return early_data_skip_helper(1, idx);
2164}
2165
710756a9
RS		 2166/*
2167 * Test that a server attempting to read early data can handle a connection
2168 * from a client that doesn't send any.
2169 */
3cb47b4e 2170static int test_early_data_not_sent(int idx)
5f982038
MC		 2171{
2172 SSL_CTX *cctx = NULL, *sctx = NULL;
2173 SSL *clientssl = NULL, *serverssl = NULL;
2174 int testresult = 0;
018fcbec 2175 SSL_SESSION *sess = NULL;
5f982038
MC		 2176 unsigned char buf[20];
2177 size_t readbytes, written;
2178
710756a9
RS		 2179 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2180 &serverssl, &sess, idx)))
5f982038
MC		 2181 goto end;
2182
2183 /* Write some data - should block due to handshake with server */
2184 SSL_set_connect_state(clientssl);
710756a9 2185 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 2186 goto end;
5f982038
MC		 2187
2188 /* Server should detect that early data has not been sent */
710756a9
RS		 2189 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2190 &readbytes),
2191 SSL_READ_EARLY_DATA_FINISH)
2192 || !TEST_size_t_eq(readbytes, 0)
2193 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2194 SSL_EARLY_DATA_NOT_SENT)
2195 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2196 SSL_EARLY_DATA_NOT_SENT))
5f982038 2197 goto end;
5f982038
MC		 2198
2199 /* Continue writing the message we started earlier */
710756a9
RS		 2200 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2201 || !TEST_size_t_eq(written, strlen(MSG1))
2202 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2203 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2204 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
2205 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 2206 goto end;
5f982038 2207
3cb47b4e
MC		 2208 /*
2209 * Should block due to the NewSessionTicket arrival unless we're using
c0638ade 2210 * read_ahead, or PSKs
3cb47b4e 2211 */
c0638ade 2212 if (idx != 1 && idx != 2) {
710756a9 2213 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
3cb47b4e 2214 goto end;
5f982038
MC		 2215 }
2216
710756a9
RS		 2217 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2218 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2219 goto end;
5f982038
MC		 2220
2221 testresult = 1;
2222
2223 end:
5f982038 2224 SSL_SESSION_free(sess);
c20e3b28 2225 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 2226 SSL_SESSION_free(serverpsk);
2227 clientpsk = serverpsk = NULL;
5f982038
MC		 2228 SSL_free(serverssl);
2229 SSL_free(clientssl);
2230 SSL_CTX_free(sctx);
2231 SSL_CTX_free(cctx);
5f982038
MC		 2232 return testresult;
2233}
2234
976e5323
MC		 2235static int hostname_cb(SSL *s, int *al, void *arg)
2236{
2237 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2238
281bf233 2239 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
976e5323
MC		 2240 return SSL_TLSEXT_ERR_OK;
2241
2242 return SSL_TLSEXT_ERR_NOACK;
2243}
2244
2245static const char *servalpn;
2246
c7558d5b
PY		 2247static int alpn_select_cb(SSL *ssl, const unsigned char **out,
2248 unsigned char *outlen, const unsigned char *in,
2249 unsigned int inlen, void *arg)
976e5323 2250{
c7558d5b 2251 unsigned int protlen = 0;
976e5323
MC		 2252 const unsigned char *prot;
2253
c7558d5b
PY		 2254 for (prot = in; prot < in + inlen; prot += protlen) {
2255 protlen = *prot++;
5d99881e 2256 if (in + inlen < prot + protlen)
976e5323
MC		 2257 return SSL_TLSEXT_ERR_NOACK;
2258
2259 if (protlen == strlen(servalpn)
0bd42fde 2260 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 2261 *out = prot;
2262 *outlen = protlen;
2263 return SSL_TLSEXT_ERR_OK;
2264 }
2265 }
2266
2267 return SSL_TLSEXT_ERR_NOACK;
2268}
2269
57dee9bb 2270/* Test that a PSK can be used to send early_data */
976e5323
MC		 2271static int test_early_data_psk(int idx)
2272{
2273 SSL_CTX *cctx = NULL, *sctx = NULL;
2274 SSL *clientssl = NULL, *serverssl = NULL;
2275 int testresult = 0;
2276 SSL_SESSION *sess = NULL;
57dee9bb
MC		 2277 unsigned char alpnlist[] = {
2278 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2279 'l', 'p', 'n'
2280 };
2281#define GOODALPNLEN 9
2282#define BADALPNLEN 8
2283#define GOODALPN (alpnlist)
2284#define BADALPN (alpnlist + GOODALPNLEN)
2285 int err = 0;
976e5323
MC		 2286 unsigned char buf[20];
2287 size_t readbytes, written;
57dee9bb 2288 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 2289 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2290
2291 /* We always set this up with a final parameter of "2" for PSK */
2292 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2293 &serverssl, &sess, 2)))
2294 goto end;
2295
976e5323
MC		 2296 servalpn = "goodalpn";
2297
57dee9bb
MC		 2298 /*
2299 * Note: There is no test for inconsistent SNI with late client detection.
2300 * This is because servers do not acknowledge SNI even if they are using
2301 * it in a resumption handshake - so it is not actually possible for a
2302 * client to detect a problem.
2303 */
976e5323
MC		 2304 switch (idx) {
2305 case 0:
57dee9bb 2306 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 2307 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2308 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2309 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2310 goto end;
2311 break;
2312
2313 case 1:
57dee9bb 2314 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 2315 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
2316 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 2317 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
2318 GOODALPNLEN))
2319 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
2320 BADALPNLEN)))
976e5323
MC		 2321 goto end;
2322 break;
2323
2324 case 2:
2325 /*
2326 * Set invalid protocol version. Technically this affects PSKs without
2327 * early_data too, but we test it here because it is similar to the
2328 * SNI/ALPN consistency tests.
2329 */
2330 err = SSL_R_BAD_PSK;
2331 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
2332 goto end;
2333 break;
2334
2335 case 3:
2336 /*
2337 * Set inconsistent SNI (server detected). In this case the connection
2338 * will succeed but reject early_data.
2339 */
281bf233
MC		 2340 SSL_SESSION_free(serverpsk);
2341 serverpsk = SSL_SESSION_dup(clientpsk);
2342 if (!TEST_ptr(serverpsk)
2343 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
2344 goto end;
976e5323
MC		 2345 edstatus = SSL_EARLY_DATA_REJECTED;
2346 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2347 /* Fall through */
2348 case 4:
2349 /* Set consistent SNI */
976e5323
MC		 2350 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2351 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
2352 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
2353 hostname_cb)))
2354 goto end;
2355 break;
2356
2357 case 5:
2358 /*
2359 * Set inconsistent ALPN (server detected). In this case the connection
2360 * will succeed but reject early_data.
2361 */
2362 servalpn = "badalpn";
2363 edstatus = SSL_EARLY_DATA_REJECTED;
2364 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2365 /* Fall through */
2366 case 6:
976e5323 2367 /*
57dee9bb 2368 * Set consistent ALPN.
976e5323
MC		 2369 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2370 * accepts a list of protos (each one length prefixed).
2371 * SSL_set1_alpn_selected accepts a single protocol (not length
2372 * prefixed)
2373 */
57dee9bb
MC		 2374 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
2375 GOODALPNLEN - 1))
2376 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
2377 GOODALPNLEN)))
976e5323
MC		 2378 goto end;
2379
2380 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2381 break;
2382
57dee9bb
MC		 2383 case 7:
2384 /* Set inconsistent ALPN (late client detection) */
2385 SSL_SESSION_free(serverpsk);
2386 serverpsk = SSL_SESSION_dup(clientpsk);
2387 if (!TEST_ptr(serverpsk)
2388 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
2389 BADALPN + 1,
2390 BADALPNLEN - 1))
2391 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
2392 GOODALPN + 1,
2393 GOODALPNLEN - 1))
2394 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
2395 sizeof(alpnlist))))
2396 goto end;
2397 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2398 edstatus = SSL_EARLY_DATA_ACCEPTED;
2399 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
2400 /* SSL_connect() call should fail */
2401 connectres = -1;
2402 break;
2403
976e5323
MC		 2404 default:
2405 TEST_error("Bad test index");
2406 goto end;
2407 }
2408
2409 SSL_set_connect_state(clientssl);
2410 if (err != 0) {
2411 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2412 &written))
2413 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
2414 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
2415 goto end;
2416 } else {
2417 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 2418 &written)))
2419 goto end;
2420
2421 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2422 &readbytes), readearlyres)
976e5323
MC		 2423 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
2424 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 2425 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
2426 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 2427 goto end;
2428 }
2429
2430 testresult = 1;
2431
2432 end:
c20e3b28 2433 SSL_SESSION_free(sess);
57dee9bb
MC		 2434 SSL_SESSION_free(clientpsk);
2435 SSL_SESSION_free(serverpsk);
2436 clientpsk = serverpsk = NULL;
976e5323
MC		 2437 SSL_free(serverssl);
2438 SSL_free(clientssl);
2439 SSL_CTX_free(sctx);
2440 SSL_CTX_free(cctx);
2441 return testresult;
2442}
2443
710756a9
RS		 2444/*
2445 * Test that a server that doesn't try to read early data can handle a
2446 * client sending some.
2447 */
3cb47b4e 2448static int test_early_data_not_expected(int idx)
5f982038
MC		 2449{
2450 SSL_CTX *cctx = NULL, *sctx = NULL;
2451 SSL *clientssl = NULL, *serverssl = NULL;
2452 int testresult = 0;
018fcbec 2453 SSL_SESSION *sess = NULL;
5f982038
MC		 2454 unsigned char buf[20];
2455 size_t readbytes, written;
2456
710756a9
RS		 2457 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2458 &serverssl, &sess, idx)))
5f982038
MC		 2459 goto end;
2460
2461 /* Write some early data */
710756a9
RS		 2462 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2463 &written)))
5f982038 2464 goto end;
5f982038
MC		 2465
2466 /*
2467 * Server should skip over early data and then block waiting for client to
2468 * continue handshake
2469 */
710756a9
RS		 2470 if (!TEST_int_le(SSL_accept(serverssl), 0)
2471 || !TEST_int_gt(SSL_connect(clientssl), 0)
2472 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2473 SSL_EARLY_DATA_REJECTED)
2474 || !TEST_int_gt(SSL_accept(serverssl), 0)
2475 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2476 SSL_EARLY_DATA_REJECTED))
5f982038 2477 goto end;
5f982038
MC		 2478
2479 /* Send some normal data from client to server */
710756a9
RS		 2480 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2481 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 2482 goto end;
5f982038 2483
710756a9
RS		 2484 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2485 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2486 goto end;
5f982038
MC		 2487
2488 testresult = 1;
2489
2490 end:
5f982038 2491 SSL_SESSION_free(sess);
c20e3b28 2492 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 2493 SSL_SESSION_free(serverpsk);
2494 clientpsk = serverpsk = NULL;
5f982038
MC		 2495 SSL_free(serverssl);
2496 SSL_free(clientssl);
2497 SSL_CTX_free(sctx);
2498 SSL_CTX_free(cctx);
5f982038
MC		 2499 return testresult;
2500}
2501
2502
2503# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 2504/*
2505 * Test that a server attempting to read early data can handle a connection
2506 * from a TLSv1.2 client.
2507 */
3cb47b4e 2508static int test_early_data_tls1_2(int idx)
5f982038
MC		 2509{
2510 SSL_CTX *cctx = NULL, *sctx = NULL;
2511 SSL *clientssl = NULL, *serverssl = NULL;
2512 int testresult = 0;
2513 unsigned char buf[20];
2514 size_t readbytes, written;
2515
02a3ed5a
MC		 2516 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2517 &serverssl, NULL, idx)))
5f982038 2518 goto end;
5f982038
MC		 2519
2520 /* Write some data - should block due to handshake with server */
2521 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
2522 SSL_set_connect_state(clientssl);
710756a9 2523 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 2524 goto end;
5f982038
MC		 2525
2526 /*
2527 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 2528 * messages from client after ServerDone. Then SSL_read_early_data should
2529 * finish and detect that early data has not been sent
5f982038 2530 */
710756a9
RS		 2531 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2532 &readbytes),
2533 SSL_READ_EARLY_DATA_ERROR))
5f982038 2534 goto end;
5f982038
MC		 2535
2536 /*
2537 * Continue writing the message we started earlier. Will still block waiting
2538 * for the CCS/Finished from server
2539 */
710756a9
RS		 2540 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2541 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2542 &readbytes),
2543 SSL_READ_EARLY_DATA_FINISH)
2544 || !TEST_size_t_eq(readbytes, 0)
2545 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2546 SSL_EARLY_DATA_NOT_SENT))
5f982038 2547 goto end;
5f982038
MC		 2548
2549 /* Continue writing the message we started earlier */
710756a9
RS		 2550 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2551 || !TEST_size_t_eq(written, strlen(MSG1))
2552 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2553 SSL_EARLY_DATA_NOT_SENT)
2554 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2555 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2556 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
2557 || !TEST_size_t_eq(written, strlen(MSG2))
2558 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
2559 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2560 goto end;
5f982038
MC		 2561
2562 testresult = 1;
2563
2564 end:
57dee9bb
MC		 2565 SSL_SESSION_free(clientpsk);
2566 SSL_SESSION_free(serverpsk);
2567 clientpsk = serverpsk = NULL;
5f982038
MC		 2568 SSL_free(serverssl);
2569 SSL_free(clientssl);
2570 SSL_CTX_free(sctx);
2571 SSL_CTX_free(cctx);
2572
2573 return testresult;
2574}
ca0413ae
MC		 2575# endif /* OPENSSL_NO_TLS1_2 */
2576
034cb87b
MC		 2577/*
2578 * Test configuring the TLSv1.3 ciphersuites
2579 *
2580 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
2581 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
2582 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
2583 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
2584 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
2585 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
2586 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
2587 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
2588 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
2589 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
2590 */
2591static int test_set_ciphersuite(int idx)
2592{
2593 SSL_CTX *cctx = NULL, *sctx = NULL;
2594 SSL *clientssl = NULL, *serverssl = NULL;
2595 int testresult = 0;
2596
2597 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2598 TLS1_VERSION, TLS_MAX_VERSION,
2599 &sctx, &cctx, cert, privkey))
2600 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
2601 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
2602 goto end;
2603
2604 if (idx >=4 && idx <= 7) {
2605 /* SSL_CTX explicit cipher list */
2606 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
2607 goto end;
2608 }
2609
2610 if (idx == 0 || idx == 4) {
2611 /* Default ciphersuite */
2612 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2613 "TLS_AES_128_GCM_SHA256")))
2614 goto end;
2615 } else if (idx == 1 || idx == 5) {
2616 /* Non default ciphersuite */
2617 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2618 "TLS_AES_128_CCM_SHA256")))
2619 goto end;
2620 }
2621
2622 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2623 &clientssl, NULL, NULL)))
2624 goto end;
2625
2626 if (idx == 8 || idx == 9) {
2627 /* SSL explicit cipher list */
2628 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
2629 goto end;
2630 }
2631
2632 if (idx == 2 || idx == 6 || idx == 8) {
2633 /* Default ciphersuite */
2634 if (!TEST_true(SSL_set_ciphersuites(clientssl,
2635 "TLS_AES_128_GCM_SHA256")))
2636 goto end;
2637 } else if (idx == 3 || idx == 7 || idx == 9) {
2638 /* Non default ciphersuite */
2639 if (!TEST_true(SSL_set_ciphersuites(clientssl,
2640 "TLS_AES_128_CCM_SHA256")))
2641 goto end;
2642 }
2643
2644 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
2645 goto end;
2646
2647 testresult = 1;
2648
2649 end:
2650 SSL_free(serverssl);
2651 SSL_free(clientssl);
2652 SSL_CTX_free(sctx);
2653 SSL_CTX_free(cctx);
2654
2655 return testresult;
2656}
2657
ca0413ae
MC		 2658static int test_ciphersuite_change(void)
2659{
2660 SSL_CTX *cctx = NULL, *sctx = NULL;
2661 SSL *clientssl = NULL, *serverssl = NULL;
2662 SSL_SESSION *clntsess = NULL;
2663 int testresult = 0;
2664 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
2665
2666 /* Create a session based on SHA-256 */
7d7f6834
RL		 2667 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2668 TLS1_VERSION, TLS_MAX_VERSION,
2669 &sctx, &cctx, cert, privkey))
f865b081
MC		 2670 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
2671 "TLS_AES_128_GCM_SHA256"))
ca0413ae
MC		 2672 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2673 &clientssl, NULL, NULL))
2674 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2675 SSL_ERROR_NONE)))
2676 goto end;
2677
2678 clntsess = SSL_get1_session(clientssl);
2679 /* Save for later */
2680 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
2681 SSL_shutdown(clientssl);
2682 SSL_shutdown(serverssl);
2683 SSL_free(serverssl);
2684 SSL_free(clientssl);
2685 serverssl = clientssl = NULL;
2686
71cff963 2687# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
ca0413ae 2688 /* Check we can resume a session with a different SHA-256 ciphersuite */
f865b081
MC		 2689 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2690 "TLS_CHACHA20_POLY1305_SHA256"))
ca0413ae
MC		 2691 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2692 NULL, NULL))
2693 || !TEST_true(SSL_set_session(clientssl, clntsess))
2694 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2695 SSL_ERROR_NONE))
2696 || !TEST_true(SSL_session_reused(clientssl)))
2697 goto end;
2698
2699 SSL_SESSION_free(clntsess);
2700 clntsess = SSL_get1_session(clientssl);
2701 SSL_shutdown(clientssl);
2702 SSL_shutdown(serverssl);
2703 SSL_free(serverssl);
2704 SSL_free(clientssl);
2705 serverssl = clientssl = NULL;
71cff963 2706# endif
ca0413ae
MC		 2707
2708 /*
2709 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 2710 * succeeds but does not resume.
ca0413ae 2711 */
f865b081 2712 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 2713 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2714 NULL, NULL))
2715 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 2716 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 2717 SSL_ERROR_SSL))
0de6d66d 2718 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 2719 goto end;
2720
2721 SSL_SESSION_free(clntsess);
2722 clntsess = NULL;
2723 SSL_shutdown(clientssl);
2724 SSL_shutdown(serverssl);
2725 SSL_free(serverssl);
2726 SSL_free(clientssl);
2727 serverssl = clientssl = NULL;
2728
2729 /* Create a session based on SHA384 */
f865b081 2730 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 2731 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2732 &clientssl, NULL, NULL))
2733 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2734 SSL_ERROR_NONE)))
2735 goto end;
2736
2737 clntsess = SSL_get1_session(clientssl);
2738 SSL_shutdown(clientssl);
2739 SSL_shutdown(serverssl);
2740 SSL_free(serverssl);
2741 SSL_free(clientssl);
2742 serverssl = clientssl = NULL;
2743
f865b081
MC		 2744 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2745 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
2746 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
2747 "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 2748 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2749 NULL, NULL))
2750 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 2751 /*
2752 * We use SSL_ERROR_WANT_READ below so that we can pause the
2753 * connection after the initial ClientHello has been sent to
2754 * enable us to make some session changes.
2755 */
ca0413ae
MC		 2756 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2757 SSL_ERROR_WANT_READ)))
2758 goto end;
2759
2760 /* Trick the client into thinking this session is for a different digest */
2761 clntsess->cipher = aes_128_gcm_sha256;
2762 clntsess->cipher_id = clntsess->cipher->id;
2763
2764 /*
3b0e88d3
MC		 2765 * Continue the previously started connection. Server has selected a SHA-384
2766 * ciphersuite, but client thinks the session is for SHA-256, so it should
2767 * bail out.
ca0413ae
MC		 2768 */
2769 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
2770 SSL_ERROR_SSL))
2771 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
2772 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
2773 goto end;
2774
2775 testresult = 1;
2776
2777 end:
2778 SSL_SESSION_free(clntsess);
2779 SSL_free(serverssl);
2780 SSL_free(clientssl);
2781 SSL_CTX_free(sctx);
2782 SSL_CTX_free(cctx);
2783
2784 return testresult;
2785}
2786
0d8da779
MC		 2787/*
2788 * Test TLSv1.3 PSKs
2789 * Test 0 = Test new style callbacks
2790 * Test 1 = Test both new and old style callbacks
2791 * Test 2 = Test old style callbacks
2792 * Test 3 = Test old style callbacks with no certificate
2793 */
532f9578 2794static int test_tls13_psk(int idx)
ca8c71ba
MC		 2795{
2796 SSL_CTX *sctx = NULL, *cctx = NULL;
2797 SSL *serverssl = NULL, *clientssl = NULL;
2798 const SSL_CIPHER *cipher = NULL;
2799 const unsigned char key[] = {
2800 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
2801 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 2802 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2803 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 2804 };
2805 int testresult = 0;
2806
7d7f6834
RL		 2807 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2808 TLS1_VERSION, TLS_MAX_VERSION,
0d8da779
MC		 2809 &sctx, &cctx, idx == 3 ? NULL : cert,
2810 idx == 3 ? NULL : privkey)))
ca8c71ba
MC		 2811 goto end;
2812
0d8da779
MC		 2813 if (idx != 3) {
2814 /*
2815 * We use a ciphersuite with SHA256 to ease testing old style PSK
2816 * callbacks which will always default to SHA256. This should not be
2817 * necessary if we have no cert/priv key. In that case the server should
2818 * prefer SHA256 automatically.
2819 */
2820 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2821 "TLS_AES_128_GCM_SHA256")))
2822 goto end;
2823 }
532f9578
MC		 2824
2825 /*
2826 * Test 0: New style callbacks only
2827 * Test 1: New and old style callbacks (only the new ones should be used)
2828 * Test 2: Old style callbacks only
2829 */
2830 if (idx == 0 || idx == 1) {
2831 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2832 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2833 }
c2b290c3 2834#ifndef OPENSSL_NO_PSK
0d8da779 2835 if (idx >= 1) {
532f9578
MC		 2836 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
2837 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
2838 }
c2b290c3 2839#endif
ca8c71ba 2840 srvid = pskid;
02a3ed5a
MC		 2841 use_session_cb_cnt = 0;
2842 find_session_cb_cnt = 0;
532f9578
MC		 2843 psk_client_cb_cnt = 0;
2844 psk_server_cb_cnt = 0;
ca8c71ba 2845
0d8da779
MC		 2846 if (idx != 3) {
2847 /*
2848 * Check we can create a connection if callback decides not to send a
2849 * PSK
2850 */
2851 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2852 NULL, NULL))
2853 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2854 SSL_ERROR_NONE))
2855 || !TEST_false(SSL_session_reused(clientssl))
2856 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 2857 goto end;
532f9578 2858
0d8da779
MC		 2859 if (idx == 0 || idx == 1) {
2860 if (!TEST_true(use_session_cb_cnt == 1)
2861 || !TEST_true(find_session_cb_cnt == 0)
2862 /*
2863 * If no old style callback then below should be 0
2864 * otherwise 1
2865 */
2866 || !TEST_true(psk_client_cb_cnt == idx)
2867 || !TEST_true(psk_server_cb_cnt == 0))
2868 goto end;
2869 } else {
2870 if (!TEST_true(use_session_cb_cnt == 0)
2871 || !TEST_true(find_session_cb_cnt == 0)
2872 || !TEST_true(psk_client_cb_cnt == 1)
2873 || !TEST_true(psk_server_cb_cnt == 0))
2874 goto end;
2875 }
2876
2877 shutdown_ssl_connection(serverssl, clientssl);
2878 serverssl = clientssl = NULL;
2879 use_session_cb_cnt = psk_client_cb_cnt = 0;
2880 }
ca8c71ba
MC		 2881
2882 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2883 NULL, NULL)))
2884 goto end;
2885
2886 /* Create the PSK */
532f9578 2887 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 2888 clientpsk = SSL_SESSION_new();
2889 if (!TEST_ptr(clientpsk)
ca8c71ba 2890 || !TEST_ptr(cipher)
57dee9bb
MC		 2891 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
2892 sizeof(key)))
2893 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
2894 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
2895 TLS1_3_VERSION))
2896 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 2897 goto end;
57dee9bb 2898 serverpsk = clientpsk;
ca8c71ba
MC		 2899
2900 /* Check we can create a connection and the PSK is used */
2901 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2902 || !TEST_true(SSL_session_reused(clientssl))
532f9578 2903 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 2904 goto end;
2905
532f9578
MC		 2906 if (idx == 0 || idx == 1) {
2907 if (!TEST_true(use_session_cb_cnt == 1)
2908 || !TEST_true(find_session_cb_cnt == 1)
2909 || !TEST_true(psk_client_cb_cnt == 0)
2910 || !TEST_true(psk_server_cb_cnt == 0))
2911 goto end;
2912 } else {
2913 if (!TEST_true(use_session_cb_cnt == 0)
2914 || !TEST_true(find_session_cb_cnt == 0)
2915 || !TEST_true(psk_client_cb_cnt == 1)
2916 || !TEST_true(psk_server_cb_cnt == 1))
2917 goto end;
2918 }
2919
ca8c71ba
MC		 2920 shutdown_ssl_connection(serverssl, clientssl);
2921 serverssl = clientssl = NULL;
2922 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 2923 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 2924
2925 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2926 NULL, NULL)))
2927 goto end;
2928
2929 /* Force an HRR */
2930 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2931 goto end;
2932
2933 /*
2934 * Check we can create a connection, the PSK is used and the callbacks are
2935 * called twice.
2936 */
2937 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2938 || !TEST_true(SSL_session_reused(clientssl))
532f9578 2939 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 2940 goto end;
2941
532f9578
MC		 2942 if (idx == 0 || idx == 1) {
2943 if (!TEST_true(use_session_cb_cnt == 2)
2944 || !TEST_true(find_session_cb_cnt == 2)
2945 || !TEST_true(psk_client_cb_cnt == 0)
2946 || !TEST_true(psk_server_cb_cnt == 0))
2947 goto end;
2948 } else {
2949 if (!TEST_true(use_session_cb_cnt == 0)
2950 || !TEST_true(find_session_cb_cnt == 0)
2951 || !TEST_true(psk_client_cb_cnt == 2)
2952 || !TEST_true(psk_server_cb_cnt == 2))
2953 goto end;
2954 }
2955
ca8c71ba
MC		 2956 shutdown_ssl_connection(serverssl, clientssl);
2957 serverssl = clientssl = NULL;
2958 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 2959 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba 2960
0d8da779
MC		 2961 if (idx != 3) {
2962 /*
2963 * Check that if the server rejects the PSK we can still connect, but with
2964 * a full handshake
2965 */
2966 srvid = "Dummy Identity";
2967 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2968 NULL, NULL))
2969 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2970 SSL_ERROR_NONE))
2971 || !TEST_false(SSL_session_reused(clientssl))
2972 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 2973 goto end;
532f9578 2974
0d8da779
MC		 2975 if (idx == 0 || idx == 1) {
2976 if (!TEST_true(use_session_cb_cnt == 1)
2977 || !TEST_true(find_session_cb_cnt == 1)
2978 || !TEST_true(psk_client_cb_cnt == 0)
2979 /*
2980 * If no old style callback then below should be 0
2981 * otherwise 1
2982 */
2983 || !TEST_true(psk_server_cb_cnt == idx))
2984 goto end;
2985 } else {
2986 if (!TEST_true(use_session_cb_cnt == 0)
2987 || !TEST_true(find_session_cb_cnt == 0)
2988 || !TEST_true(psk_client_cb_cnt == 1)
2989 || !TEST_true(psk_server_cb_cnt == 1))
2990 goto end;
2991 }
2992
2993 shutdown_ssl_connection(serverssl, clientssl);
2994 serverssl = clientssl = NULL;
2995 }
ca8c71ba
MC		 2996 testresult = 1;
2997
2998 end:
57dee9bb
MC		 2999 SSL_SESSION_free(clientpsk);
3000 SSL_SESSION_free(serverpsk);
3001 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 3002 SSL_free(serverssl);
3003 SSL_free(clientssl);
3004 SSL_CTX_free(sctx);
3005 SSL_CTX_free(cctx);
3006 return testresult;
3007}
3008
c7b8ff25
MC		 3009static unsigned char cookie_magic_value[] = "cookie magic";
3010
3011static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
3012 unsigned int *cookie_len)
3013{
3014 /*
3015 * Not suitable as a real cookie generation function but good enough for
3016 * testing!
3017 */
97ea1e7f
MC		 3018 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
3019 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 3020
3021 return 1;
3022}
3023
3024static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
3025 unsigned int cookie_len)
3026{
97ea1e7f 3027 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 3028 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
3029 return 1;
3030
3031 return 0;
3032}
3033
3fa2812f
BS		 3034static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
3035 size_t *cookie_len)
3036{
3037 unsigned int temp;
3038 int res = generate_cookie_callback(ssl, cookie, &temp);
3039 *cookie_len = temp;
3040 return res;
3041}
3042
3043static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
3044 size_t cookie_len)
3045{
3046 return verify_cookie_callback(ssl, cookie, cookie_len);
3047}
3048
c7b8ff25
MC		 3049static int test_stateless(void)
3050{
3051 SSL_CTX *sctx = NULL, *cctx = NULL;
3052 SSL *serverssl = NULL, *clientssl = NULL;
3053 int testresult = 0;
3054
7d7f6834
RL		 3055 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3056 TLS1_VERSION, TLS_MAX_VERSION,
3057 &sctx, &cctx, cert, privkey)))
c7b8ff25
MC		 3058 goto end;
3059
e440f513
MC		 3060 /* The arrival of CCS messages can confuse the test */
3061 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
3062
3063 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3064 NULL, NULL))
3065 /* Send the first ClientHello */
3066 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3067 SSL_ERROR_WANT_READ))
3068 /*
3069 * This should fail with a -1 return because we have no callbacks
3070 * set up
3071 */
3072 || !TEST_int_eq(SSL_stateless(serverssl), -1))
3073 goto end;
3074
3075 /* Fatal error so abandon the connection from this client */
3076 SSL_free(clientssl);
3077 clientssl = NULL;
3078
c7b8ff25 3079 /* Set up the cookie generation and verification callbacks */
3fa2812f
BS		 3080 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
3081 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
c7b8ff25 3082
e440f513
MC		 3083 /*
3084 * Create a new connection from the client (we can reuse the server SSL
3085 * object).
3086 */
c7b8ff25
MC		 3087 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3088 NULL, NULL))
3089 /* Send the first ClientHello */
3090 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3091 SSL_ERROR_WANT_READ))
3092 /* This should fail because there is no cookie */
e440f513 3093 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 3094 goto end;
3095
3096 /* Abandon the connection from this client */
3097 SSL_free(clientssl);
3098 clientssl = NULL;
3099
3100 /*
3101 * Now create a connection from a new client but with the same server SSL
3102 * object
3103 */
3104 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3105 NULL, NULL))
3106 /* Send the first ClientHello */
3107 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3108 SSL_ERROR_WANT_READ))
3109 /* This should fail because there is no cookie */
e440f513 3110 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 3111 /* Send the second ClientHello */
3112 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3113 SSL_ERROR_WANT_READ))
3114 /* This should succeed because a cookie is now present */
e440f513 3115 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 3116 /* Complete the connection */
3117 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3118 SSL_ERROR_NONE)))
3119 goto end;
3120
3121 shutdown_ssl_connection(serverssl, clientssl);
3122 serverssl = clientssl = NULL;
3123 testresult = 1;
3124
3125 end:
3126 SSL_free(serverssl);
3127 SSL_free(clientssl);
3128 SSL_CTX_free(sctx);
3129 SSL_CTX_free(cctx);
3130 return testresult;
3131
3132}
ca0413ae 3133#endif /* OPENSSL_NO_TLS1_3 */
5f982038 3134
a37008d9
MC		 3135static int clntaddoldcb = 0;
3136static int clntparseoldcb = 0;
3137static int srvaddoldcb = 0;
3138static int srvparseoldcb = 0;
3139static int clntaddnewcb = 0;
3140static int clntparsenewcb = 0;
3141static int srvaddnewcb = 0;
3142static int srvparsenewcb = 0;
bb01ef3f 3143static int snicb = 0;
a37008d9
MC		 3144
3145#define TEST_EXT_TYPE1 0xff00
3146
3147static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
3148 size_t *outlen, int *al, void *add_arg)
3149{
3150 int *server = (int *)add_arg;
3151 unsigned char *data;
3152
3153 if (SSL_is_server(s))
3154 srvaddoldcb++;
3155 else
3156 clntaddoldcb++;
3157
710756a9
RS		 3158 if (*server != SSL_is_server(s)
3159 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 3160 return -1;
3161
3162 *data = 1;
3163 *out = data;
3164 *outlen = sizeof(char);
a37008d9
MC		 3165 return 1;
3166}
3167
3168static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
3169 void *add_arg)
3170{
3171 OPENSSL_free((unsigned char *)out);
3172}
3173
3174static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
3175 size_t inlen, int *al, void *parse_arg)
3176{
3177 int *server = (int *)parse_arg;
3178
3179 if (SSL_is_server(s))
3180 srvparseoldcb++;
3181 else
3182 clntparseoldcb++;
3183
710756a9
RS		 3184 if (*server != SSL_is_server(s)
3185 || inlen != sizeof(char)
3186 || *in != 1)
a37008d9
MC		 3187 return -1;
3188
3189 return 1;
3190}
3191
3192static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
3193 const unsigned char **out, size_t *outlen, X509 *x,
3194 size_t chainidx, int *al, void *add_arg)
3195{
3196 int *server = (int *)add_arg;
3197 unsigned char *data;
3198
3199 if (SSL_is_server(s))
3200 srvaddnewcb++;
3201 else
3202 clntaddnewcb++;
3203
710756a9
RS		 3204 if (*server != SSL_is_server(s)
3205 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 3206 return -1;
3207
3208 *data = 1;
3209 *out = data;
710756a9 3210 *outlen = sizeof(*data);
a37008d9
MC		 3211 return 1;
3212}
3213
3214static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
3215 const unsigned char *out, void *add_arg)
3216{
3217 OPENSSL_free((unsigned char *)out);
3218}
3219
3220static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
3221 const unsigned char *in, size_t inlen, X509 *x,
3222 size_t chainidx, int *al, void *parse_arg)
3223{
3224 int *server = (int *)parse_arg;
3225
3226 if (SSL_is_server(s))
3227 srvparsenewcb++;
3228 else
3229 clntparsenewcb++;
3230
710756a9
RS		 3231 if (*server != SSL_is_server(s)
3232 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 3233 return -1;
3234
3235 return 1;
3236}
bb01ef3f
MC		 3237
3238static int sni_cb(SSL *s, int *al, void *arg)
3239{
3240 SSL_CTX *ctx = (SSL_CTX *)arg;
3241
3242 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
3243 *al = SSL_AD_INTERNAL_ERROR;
3244 return SSL_TLSEXT_ERR_ALERT_FATAL;
3245 }
3246 snicb++;
3247 return SSL_TLSEXT_ERR_OK;
3248}
3249
a37008d9
MC		 3250/*
3251 * Custom call back tests.
3252 * Test 0: Old style callbacks in TLSv1.2
3253 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 3254 * Test 2: New style callbacks in TLSv1.2 with SNI
3255 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
3256 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
a37008d9 3257 */
710756a9
RS		 3258static int test_custom_exts(int tst)
3259{
bb01ef3f 3260 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 3261 SSL *clientssl = NULL, *serverssl = NULL;
3262 int testresult = 0;
3263 static int server = 1;
3264 static int client = 0;
3265 SSL_SESSION *sess = NULL;
3266 unsigned int context;
3267
c423ecaa
MC		 3268#if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
3269 /* Skip tests for TLSv1.2 and below in this case */
3270 if (tst < 3)
3271 return 1;
3272#endif
3273
a37008d9
MC		 3274 /* Reset callback counters */
3275 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
3276 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 3277 snicb = 0;
a37008d9 3278
7d7f6834
RL		 3279 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3280 TLS1_VERSION, TLS_MAX_VERSION,
3281 &sctx, &cctx, cert, privkey)))
710756a9 3282 goto end;
a37008d9 3283
bb01ef3f 3284 if (tst == 2
7d7f6834
RL		 3285 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
3286 TLS1_VERSION, TLS_MAX_VERSION,
3287 &sctx2, NULL, cert, privkey)))
bb01ef3f
MC		 3288 goto end;
3289
3290
3291 if (tst < 3) {
a37008d9
MC		 3292 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
3293 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 3294 if (sctx2 != NULL)
3295 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 3296 }
3297
bb01ef3f 3298 if (tst == 4) {
710756a9
RS		 3299 context = SSL_EXT_CLIENT_HELLO
3300 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 3301 | SSL_EXT_TLS1_3_SERVER_HELLO
3302 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
3303 | SSL_EXT_TLS1_3_CERTIFICATE
3304 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
3305 } else {
710756a9
RS		 3306 context = SSL_EXT_CLIENT_HELLO
3307 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 3308 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
3309 }
3310
3311 /* Create a client side custom extension */
3312 if (tst == 0) {
710756a9
RS		 3313 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3314 old_add_cb, old_free_cb,
3315 &client, old_parse_cb,
3316 &client)))
3317 goto end;
a37008d9 3318 } else {
710756a9
RS		 3319 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
3320 new_add_cb, new_free_cb,
3321 &client, new_parse_cb, &client)))
3322 goto end;
a37008d9
MC		 3323 }
3324
3325 /* Should not be able to add duplicates */
710756a9
RS		 3326 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3327 old_add_cb, old_free_cb,
3328 &client, old_parse_cb,
3329 &client))
3330 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
3331 context, new_add_cb,
3332 new_free_cb, &client,
3333 new_parse_cb, &client)))
3334 goto end;
a37008d9
MC		 3335
3336 /* Create a server side custom extension */
3337 if (tst == 0) {
710756a9
RS		 3338 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3339 old_add_cb, old_free_cb,
3340 &server, old_parse_cb,
3341 &server)))
3342 goto end;
a37008d9 3343 } else {
710756a9
RS		 3344 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
3345 new_add_cb, new_free_cb,
3346 &server, new_parse_cb, &server)))
3347 goto end;
bb01ef3f
MC		 3348 if (sctx2 != NULL
3349 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
3350 context, new_add_cb,
3351 new_free_cb, &server,
3352 new_parse_cb, &server)))
3353 goto end;
a37008d9
MC		 3354 }
3355
3356 /* Should not be able to add duplicates */
710756a9
RS		 3357 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3358 old_add_cb, old_free_cb,
3359 &server, old_parse_cb,
3360 &server))
3361 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
3362 context, new_add_cb,
3363 new_free_cb, &server,
3364 new_parse_cb, &server)))
a37008d9 3365 goto end;
a37008d9 3366
bb01ef3f
MC		 3367 if (tst == 2) {
3368 /* Set up SNI */
3369 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
3370 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
3371 goto end;
3372 }
3373
710756a9
RS		 3374 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3375 &clientssl, NULL, NULL))
3376 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3377 SSL_ERROR_NONE)))
a37008d9 3378 goto end;
a37008d9
MC		 3379
3380 if (tst == 0) {
710756a9
RS		 3381 if (clntaddoldcb != 1
3382 || clntparseoldcb != 1
3383 || srvaddoldcb != 1
3384 || srvparseoldcb != 1)
a37008d9 3385 goto end;
bb01ef3f 3386 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 3387 if (clntaddnewcb != 1
3388 || clntparsenewcb != 1
3389 || srvaddnewcb != 1
bb01ef3f
MC		 3390 || srvparsenewcb != 1
3391 || (tst != 2 && snicb != 0)
3392 || (tst == 2 && snicb != 1))
a37008d9 3393 goto end;
a37008d9 3394 } else {
710756a9
RS		 3395 if (clntaddnewcb != 1
3396 || clntparsenewcb != 4
3397 || srvaddnewcb != 4
3398 || srvparsenewcb != 1)
a37008d9 3399 goto end;
a37008d9
MC		 3400 }
3401
3402 sess = SSL_get1_session(clientssl);
a37008d9
MC		 3403 SSL_shutdown(clientssl);
3404 SSL_shutdown(serverssl);
a37008d9
MC		 3405 SSL_free(serverssl);
3406 SSL_free(clientssl);
3407 serverssl = clientssl = NULL;
3408
bb01ef3f
MC		 3409 if (tst == 3) {
3410 /* We don't bother with the resumption aspects for this test */
3411 testresult = 1;
3412 goto end;
3413 }
3414
710756a9
RS		 3415 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3416 NULL, NULL))
3417 || !TEST_true(SSL_set_session(clientssl, sess))
3418 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3419 SSL_ERROR_NONE)))
a37008d9 3420 goto end;
a37008d9
MC		 3421
3422 /*
3423 * For a resumed session we expect to add the ClientHello extension. For the
3424 * old style callbacks we ignore it on the server side because they set
3425 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
3426 * them.
3427 */
3428 if (tst == 0) {
710756a9
RS		 3429 if (clntaddoldcb != 2
3430 || clntparseoldcb != 1
3431 || srvaddoldcb != 1
3432 || srvparseoldcb != 1)
a37008d9 3433 goto end;
bb01ef3f 3434 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 3435 if (clntaddnewcb != 2
3436 || clntparsenewcb != 2
3437 || srvaddnewcb != 2
3438 || srvparsenewcb != 2)
a37008d9 3439 goto end;
a37008d9
MC		 3440 } else {
3441 /* No Certificate message extensions in the resumption handshake */
710756a9
RS		 3442 if (clntaddnewcb != 2
3443 || clntparsenewcb != 7
3444 || srvaddnewcb != 7
3445 || srvparsenewcb != 2)
a37008d9 3446 goto end;
a37008d9
MC		 3447 }
3448
3449 testresult = 1;
3450
3451end:
3452 SSL_SESSION_free(sess);
3453 SSL_free(serverssl);
3454 SSL_free(clientssl);
bb01ef3f 3455 SSL_CTX_free(sctx2);
a37008d9
MC		 3456 SSL_CTX_free(sctx);
3457 SSL_CTX_free(cctx);
a37008d9
MC		 3458 return testresult;
3459}
3460
16afd71c
MC		 3461/*
3462 * Test loading of serverinfo data in various formats. test_sslmessages actually
3463 * tests to make sure the extensions appear in the handshake
3464 */
3465static int test_serverinfo(int tst)
3466{
3467 unsigned int version;
3468 unsigned char *sibuf;
3469 size_t sibuflen;
3470 int ret, expected, testresult = 0;
3471 SSL_CTX *ctx;
3472
3473 ctx = SSL_CTX_new(TLS_method());
3474 if (!TEST_ptr(ctx))
3475 goto end;
3476
3477 if ((tst & 0x01) == 0x01)
3478 version = SSL_SERVERINFOV2;
3479 else
3480 version = SSL_SERVERINFOV1;
3481
3482 if ((tst & 0x02) == 0x02) {
3483 sibuf = serverinfov2;
3484 sibuflen = sizeof(serverinfov2);
3485 expected = (version == SSL_SERVERINFOV2);
3486 } else {
3487 sibuf = serverinfov1;
3488 sibuflen = sizeof(serverinfov1);
3489 expected = (version == SSL_SERVERINFOV1);
3490 }
3491
3492 if ((tst & 0x04) == 0x04) {
3493 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
3494 } else {
3495 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
3496
3497 /*
3498 * The version variable is irrelevant in this case - it's what is in the
3499 * buffer that matters
3500 */
3501 if ((tst & 0x02) == 0x02)
3502 expected = 0;
3503 else
3504 expected = 1;
3505 }
3506
3507 if (!TEST_true(ret == expected))
3508 goto end;
3509
3510 testresult = 1;
3511
3512 end:
3513 SSL_CTX_free(ctx);
3514
3515 return testresult;
3516}
3517
2197d1df
MC		 3518/*
3519 * Test that SSL_export_keying_material() produces expected results. There are
3520 * no test vectors so all we do is test that both sides of the communication
3521 * produce the same results for different protocol versions.
3522 */
3523static int test_export_key_mat(int tst)
3524{
a599574b 3525 int testresult = 0;
2197d1df
MC		 3526 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3527 SSL *clientssl = NULL, *serverssl = NULL;
3528 const char label[] = "test label";
3529 const unsigned char context[] = "context";
3530 const unsigned char *emptycontext = NULL;
3531 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
3532 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
a599574b
MC		 3533 const int protocols[] = {
3534 TLS1_VERSION,
3535 TLS1_1_VERSION,
3536 TLS1_2_VERSION,
3537 TLS1_3_VERSION
3538 };
2197d1df
MC		 3539
3540#ifdef OPENSSL_NO_TLS1
3541 if (tst == 0)
3542 return 1;
3543#endif
3544#ifdef OPENSSL_NO_TLS1_1
3545 if (tst == 1)
3546 return 1;
3547#endif
3548#ifdef OPENSSL_NO_TLS1_2
3549 if (tst == 2)
3550 return 1;
3551#endif
3552#ifdef OPENSSL_NO_TLS1_3
3553 if (tst == 3)
3554 return 1;
3555#endif
7d7f6834
RL		 3556 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3557 TLS1_VERSION, TLS_MAX_VERSION,
3558 &sctx, &cctx, cert, privkey)))
2197d1df
MC		 3559 goto end;
3560
a599574b
MC		 3561 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
3562 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
3563 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
2197d1df
MC		 3564
3565 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
3566 NULL))
3567 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3568 SSL_ERROR_NONE)))
3569 goto end;
3570
3571 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
3572 sizeof(ckeymat1), label,
3573 sizeof(label) - 1, context,
3574 sizeof(context) - 1, 1), 1)
3575 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
3576 sizeof(ckeymat2), label,
3577 sizeof(label) - 1,
3578 emptycontext,
3579 0, 1), 1)
3580 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
3581 sizeof(ckeymat3), label,
3582 sizeof(label) - 1,
3583 NULL, 0, 0), 1)
3584 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
3585 sizeof(skeymat1), label,
3586 sizeof(label) - 1,
3587 context,
3588 sizeof(context) -1, 1),
3589 1)
3590 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
3591 sizeof(skeymat2), label,
3592 sizeof(label) - 1,
3593 emptycontext,
3594 0, 1), 1)
3595 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
3596 sizeof(skeymat3), label,
3597 sizeof(label) - 1,
3598 NULL, 0, 0), 1)
3599 /*
3600 * Check that both sides created the same key material with the
3601 * same context.
3602 */
3603 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3604 sizeof(skeymat1))
3605 /*
3606 * Check that both sides created the same key material with an
3607 * empty context.
3608 */
3609 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3610 sizeof(skeymat2))
3611 /*
3612 * Check that both sides created the same key material without a
3613 * context.
3614 */
3615 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
3616 sizeof(skeymat3))
3617 /* Different contexts should produce different results */
3618 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3619 sizeof(ckeymat2)))
3620 goto end;
3621
3622 /*
3623 * Check that an empty context and no context produce different results in
3624 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
3625 */
3626 if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
3627 sizeof(ckeymat3)))
3628 || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
3629 sizeof(ckeymat3))))
3630 goto end;
3631
3632 testresult = 1;
3633
3634 end:
3635 SSL_free(serverssl);
3636 SSL_free(clientssl);
3637 SSL_CTX_free(sctx2);
3638 SSL_CTX_free(sctx);
3639 SSL_CTX_free(cctx);
3640
3641 return testresult;
3642}
3643
b38ede80
TT		 3644#ifndef OPENSSL_NO_TLS1_3
3645/*
3646 * Test that SSL_export_keying_material_early() produces expected
3647 * results. There are no test vectors so all we do is test that both
3648 * sides of the communication produce the same results for different
3649 * protocol versions.
3650 */
3651static int test_export_key_mat_early(int idx)
3652{
3653 static const char label[] = "test label";
3654 static const unsigned char context[] = "context";
3655 int testresult = 0;
3656 SSL_CTX *cctx = NULL, *sctx = NULL;
3657 SSL *clientssl = NULL, *serverssl = NULL;
3658 SSL_SESSION *sess = NULL;
3659 const unsigned char *emptycontext = NULL;
3660 unsigned char ckeymat1[80], ckeymat2[80];
3661 unsigned char skeymat1[80], skeymat2[80];
3662 unsigned char buf[1];
3663 size_t readbytes, written;
3664
3665 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
3666 &sess, idx)))
3667 goto end;
3668
3669 /* Here writing 0 length early data is enough. */
3670 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
3671 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3672 &readbytes),
3673 SSL_READ_EARLY_DATA_ERROR)
3674 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3675 SSL_EARLY_DATA_ACCEPTED))
3676 goto end;
3677
3678 if (!TEST_int_eq(SSL_export_keying_material_early(
3679 clientssl, ckeymat1, sizeof(ckeymat1), label,
3680 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3681 || !TEST_int_eq(SSL_export_keying_material_early(
3682 clientssl, ckeymat2, sizeof(ckeymat2), label,
3683 sizeof(label) - 1, emptycontext, 0), 1)
3684 || !TEST_int_eq(SSL_export_keying_material_early(
3685 serverssl, skeymat1, sizeof(skeymat1), label,
3686 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3687 || !TEST_int_eq(SSL_export_keying_material_early(
3688 serverssl, skeymat2, sizeof(skeymat2), label,
3689 sizeof(label) - 1, emptycontext, 0), 1)
3690 /*
3691 * Check that both sides created the same key material with the
3692 * same context.
3693 */
3694 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3695 sizeof(skeymat1))
3696 /*
3697 * Check that both sides created the same key material with an
3698 * empty context.
3699 */
3700 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3701 sizeof(skeymat2))
3702 /* Different contexts should produce different results */
3703 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3704 sizeof(ckeymat2)))
3705 goto end;
3706
3707 testresult = 1;
3708
3709 end:
c20e3b28 3710 SSL_SESSION_free(sess);
b38ede80
TT		 3711 SSL_SESSION_free(clientpsk);
3712 SSL_SESSION_free(serverpsk);
34ff74eb 3713 clientpsk = serverpsk = NULL;
b38ede80
TT		 3714 SSL_free(serverssl);
3715 SSL_free(clientssl);
3716 SSL_CTX_free(sctx);
3717 SSL_CTX_free(cctx);
3718
3719 return testresult;
3720}
3721#endif /* OPENSSL_NO_TLS1_3 */
3722
e11b6aa4
MC		 3723static int test_ssl_clear(int idx)
3724{
3725 SSL_CTX *cctx = NULL, *sctx = NULL;
3726 SSL *clientssl = NULL, *serverssl = NULL;
3727 int testresult = 0;
3728
3729#ifdef OPENSSL_NO_TLS1_2
3730 if (idx == 1)
3731 return 1;
3732#endif
3733
3734 /* Create an initial connection */
7d7f6834
RL		 3735 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3736 TLS1_VERSION, TLS_MAX_VERSION,
3737 &sctx, &cctx, cert, privkey))
e11b6aa4
MC		 3738 || (idx == 1
3739 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
3740 TLS1_2_VERSION)))
3741 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3742 &clientssl, NULL, NULL))
3743 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3744 SSL_ERROR_NONE)))
3745 goto end;
3746
3747 SSL_shutdown(clientssl);
3748 SSL_shutdown(serverssl);
3749 SSL_free(serverssl);
3750 serverssl = NULL;
3751
3752 /* Clear clientssl - we're going to reuse the object */
3753 if (!TEST_true(SSL_clear(clientssl)))
3754 goto end;
3755
3756 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3757 NULL, NULL))
3758 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3759 SSL_ERROR_NONE))
3760 || !TEST_true(SSL_session_reused(clientssl)))
3761 goto end;
3762
3763 SSL_shutdown(clientssl);
3764 SSL_shutdown(serverssl);
3765
3766 testresult = 1;
3767
3768 end:
3769 SSL_free(serverssl);
3770 SSL_free(clientssl);
3771 SSL_CTX_free(sctx);
3772 SSL_CTX_free(cctx);
3773
3774 return testresult;
3775}
3776
cf72c757
F		 3777/* Parse CH and retrieve any MFL extension value if present */
3778static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
3779{
3780 long len;
3781 unsigned char *data;
3782 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
3783 unsigned int MFL_code = 0, type = 0;
3784
3785 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
3786 goto end;
3787
3788 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
3789 /* Skip the record header */
3790 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
3791 /* Skip the handshake message header */
3792 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
3793 /* Skip client version and random */
3794 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
3795 + SSL3_RANDOM_SIZE))
3796 /* Skip session id */
3797 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3798 /* Skip ciphers */
3799 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
3800 /* Skip compression */
3801 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3802 /* Extensions len */
3803 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
3804 goto end;
3805
3806 /* Loop through all extensions */
3807 while (PACKET_remaining(&pkt2)) {
3808 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
3809 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
3810 goto end;
3811
3812 if (type == TLSEXT_TYPE_max_fragment_length) {
3813 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
3814 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
3815 goto end;
3816
3817 *mfl_codemfl_code = MFL_code;
3818 return 1;
3819 }
3820 }
3821
3822 end:
3823 return 0;
3824}
3825
3826/* Maximum-Fragment-Length TLS extension mode to test */
3827static const unsigned char max_fragment_len_test[] = {
3828 TLSEXT_max_fragment_length_512,
3829 TLSEXT_max_fragment_length_1024,
3830 TLSEXT_max_fragment_length_2048,
3831 TLSEXT_max_fragment_length_4096
3832};
3833
3834static int test_max_fragment_len_ext(int idx_tst)
3835{
3836 SSL_CTX *ctx;
3837 SSL *con = NULL;
3838 int testresult = 0, MFL_mode = 0;
3839 BIO *rbio, *wbio;
3840
3841 ctx = SSL_CTX_new(TLS_method());
3842 if (!TEST_ptr(ctx))
3843 goto end;
3844
3845 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
3846 ctx, max_fragment_len_test[idx_tst])))
3847 goto end;
3848
3849 con = SSL_new(ctx);
3850 if (!TEST_ptr(con))
3851 goto end;
3852
3853 rbio = BIO_new(BIO_s_mem());
3854 wbio = BIO_new(BIO_s_mem());
3855 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
3856 BIO_free(rbio);
3857 BIO_free(wbio);
3858 goto end;
3859 }
3860
3861 SSL_set_bio(con, rbio, wbio);
3862 SSL_set_connect_state(con);
3863
3864 if (!TEST_int_le(SSL_connect(con), 0)) {
3865 /* This shouldn't succeed because we don't have a server! */
3866 goto end;
3867 }
3868
3869 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
3870 /* no MFL in client hello */
3871 goto end;
3872 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
3873 goto end;
3874
3875 testresult = 1;
3876
3877end:
3878 SSL_free(con);
3879 SSL_CTX_free(ctx);
3880
3881 return testresult;
3882}
3883
9d75dce3
TS		 3884#ifndef OPENSSL_NO_TLS1_3
3885static int test_pha_key_update(void)
3886{
3887 SSL_CTX *cctx = NULL, *sctx = NULL;
3888 SSL *clientssl = NULL, *serverssl = NULL;
3889 int testresult = 0;
3890
7d7f6834
RL		 3891 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3892 TLS1_VERSION, TLS_MAX_VERSION,
9d75dce3
TS		 3893 &sctx, &cctx, cert, privkey)))
3894 return 0;
3895
3896 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
3897 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
3898 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
3899 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
3900 goto end;
3901
3902
3903 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3904 NULL, NULL)))
3905 goto end;
3906
3907 SSL_force_post_handshake_auth(clientssl);
3908
3909 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3910 SSL_ERROR_NONE)))
3911 goto end;
3912
3913 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
3914 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
3915 goto end;
3916
3917 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
3918 goto end;
3919
3920 /* Start handshake on the server */
3921 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
3922 goto end;
3923
3924 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
3925 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3926 SSL_ERROR_NONE)))
3927 goto end;
3928
3929 SSL_shutdown(clientssl);
3930 SSL_shutdown(serverssl);
3931
3932 testresult = 1;
3933
3934 end:
3935 SSL_free(serverssl);
3936 SSL_free(clientssl);
3937 SSL_CTX_free(sctx);
3938 SSL_CTX_free(cctx);
3939 return testresult;
3940}
3941#endif
3942
76fd7a1d
MC		 3943#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
3944
3945static SRP_VBASE *vbase = NULL;
3946
3947static int ssl_srp_cb(SSL *s, int *ad, void *arg)
3948{
3949 int ret = SSL3_AL_FATAL;
3950 char *username;
3951 SRP_user_pwd *user = NULL;
3952
3953 username = SSL_get_srp_username(s);
3954 if (username == NULL) {
3955 *ad = SSL_AD_INTERNAL_ERROR;
3956 goto err;
3957 }
3958
3959 user = SRP_VBASE_get1_by_user(vbase, username);
3960 if (user == NULL) {
3961 *ad = SSL_AD_INTERNAL_ERROR;
3962 goto err;
3963 }
3964
3965 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
3966 user->info) <= 0) {
3967 *ad = SSL_AD_INTERNAL_ERROR;
3968 goto err;
3969 }
3970
3971 ret = 0;
3972
3973 err:
3974 SRP_user_pwd_free(user);
3975 return ret;
3976}
3977
3978static int create_new_vfile(char *userid, char *password, const char *filename)
3979{
3980 char *gNid = NULL;
3981 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
3982 TXT_DB *db = NULL;
3983 int ret = 0;
3984 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
3985 size_t i;
3986
3987 if (!TEST_ptr(dummy) || !TEST_ptr(row))
3988 goto end;
3989
3990 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
3991 &row[DB_srpverifier], NULL, NULL);
3992 if (!TEST_ptr(gNid))
3993 goto end;
3994
3995 /*
3996 * The only way to create an empty TXT_DB is to provide a BIO with no data
3997 * in it!
3998 */
3999 db = TXT_DB_read(dummy, DB_NUMBER);
4000 if (!TEST_ptr(db))
4001 goto end;
4002
4003 out = BIO_new_file(filename, "w");
4004 if (!TEST_ptr(out))
4005 goto end;
4006
4007 row[DB_srpid] = OPENSSL_strdup(userid);
4008 row[DB_srptype] = OPENSSL_strdup("V");
4009 row[DB_srpgN] = OPENSSL_strdup(gNid);
4010
4011 if (!TEST_ptr(row[DB_srpid])
4012 || !TEST_ptr(row[DB_srptype])
4013 || !TEST_ptr(row[DB_srpgN])
4014 || !TEST_true(TXT_DB_insert(db, row)))
4015 goto end;
4016
4017 row = NULL;
4018
4019 if (!TXT_DB_write(out, db))
4020 goto end;
4021
4022 ret = 1;
4023 end:
4024 if (row != NULL) {
4025 for (i = 0; i < DB_NUMBER; i++)
4026 OPENSSL_free(row[i]);
4027 }
4028 OPENSSL_free(row);
4029 BIO_free(dummy);
4030 BIO_free(out);
4031 TXT_DB_free(db);
4032
4033 return ret;
4034}
4035
4036static int create_new_vbase(char *userid, char *password)
4037{
4038 BIGNUM *verifier = NULL, *salt = NULL;
4039 const SRP_gN *lgN = NULL;
4040 SRP_user_pwd *user_pwd = NULL;
4041 int ret = 0;
4042
4043 lgN = SRP_get_default_gN(NULL);
4044 if (!TEST_ptr(lgN))
4045 goto end;
4046
4047 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
4048 lgN->N, lgN->g)))
4049 goto end;
4050
4051 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
4052 if (!TEST_ptr(user_pwd))
4053 goto end;
4054
4055 user_pwd->N = lgN->N;
4056 user_pwd->g = lgN->g;
4057 user_pwd->id = OPENSSL_strdup(userid);
4058 if (!TEST_ptr(user_pwd->id))
4059 goto end;
4060
4061 user_pwd->v = verifier;
4062 user_pwd->s = salt;
4063 verifier = salt = NULL;
4064
4065 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
4066 goto end;
4067 user_pwd = NULL;
4068
4069 ret = 1;
4070end:
4071 SRP_user_pwd_free(user_pwd);
4072 BN_free(salt);
4073 BN_free(verifier);
4074
4075 return ret;
4076}
4077
4078/*
4079 * SRP tests
4080 *
4081 * Test 0: Simple successful SRP connection, new vbase
4082 * Test 1: Connection failure due to bad password, new vbase
4083 * Test 2: Simple successful SRP connection, vbase loaded from existing file
4084 * Test 3: Connection failure due to bad password, vbase loaded from existing
4085 * file
4086 * Test 4: Simple successful SRP connection, vbase loaded from new file
4087 * Test 5: Connection failure due to bad password, vbase loaded from new file
4088 */
4089static int test_srp(int tst)
4090{
4091 char *userid = "test", *password = "password", *tstsrpfile;
4092 SSL_CTX *cctx = NULL, *sctx = NULL;
4093 SSL *clientssl = NULL, *serverssl = NULL;
4094 int ret, testresult = 0;
4095
4096 vbase = SRP_VBASE_new(NULL);
4097 if (!TEST_ptr(vbase))
4098 goto end;
4099
4100 if (tst == 0 || tst == 1) {
4101 if (!TEST_true(create_new_vbase(userid, password)))
4102 goto end;
4103 } else {
4104 if (tst == 4 || tst == 5) {
4105 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
4106 goto end;
4107 tstsrpfile = tmpfilename;
4108 } else {
4109 tstsrpfile = srpvfile;
4110 }
4111 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
4112 goto end;
4113 }
4114
4115 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4116 TLS1_VERSION, TLS_MAX_VERSION,
4117 &sctx, &cctx, cert, privkey)))
4118 goto end;
4119
4120 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
4121 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
4122 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
4123 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
4124 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
4125 goto end;
4126
4127 if (tst % 2 == 1) {
4128 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
4129 goto end;
4130 } else {
4131 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
4132 goto end;
4133 }
4134
4135 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4136 NULL, NULL)))
4137 goto end;
4138
4139 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
4140 if (ret) {
4141 if (!TEST_true(tst % 2 == 0))
4142 goto end;
4143 } else {
4144 if (!TEST_true(tst % 2 == 1))
4145 goto end;
4146 }
4147
4148 testresult = 1;
4149
4150 end:
4151 SRP_VBASE_free(vbase);
4152 vbase = NULL;
4153 SSL_free(serverssl);
4154 SSL_free(clientssl);
4155 SSL_CTX_free(sctx);
4156 SSL_CTX_free(cctx);
4157
4158 return testresult;
4159}
4160#endif
4161
5718fe45
MC		 4162static int info_cb_failed = 0;
4163static int info_cb_offset = 0;
4164static int info_cb_this_state = -1;
4165
4166static struct info_cb_states_st {
4167 int where;
4168 const char *statestr;
4169} info_cb_states[][60] = {
4170 {
4171 /* TLSv1.2 server followed by resumption */
4172 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4173 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4174 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
4175 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
4176 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
4177 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4178 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4179 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4180 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4181 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4182 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
4183 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4184 {SSL_CB_EXIT, NULL}, {0, NULL},
4185 }, {
4186 /* TLSv1.2 client followed by resumption */
4187 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4188 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4189 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
4190 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
4191 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
4192 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4193 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
4194 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4195 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4196 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4197 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4198 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4199 }, {
4200 /* TLSv1.3 server followed by resumption */
4201 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4202 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4203 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
4204 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
4205 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4206 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4207 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4208 {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
4209 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4210 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4211 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
4212 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
4213 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4214 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TWST"},
4215 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4216 }, {
4217 /* TLSv1.3 client followed by resumption */
4218 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4219 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4220 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
4221 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
4222 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4223 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4224 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4225 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4226 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4227 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
4228 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4229 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4230 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4231 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "},
4232 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4233 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4234 }, {
4235 /* TLSv1.3 server, early_data */
4236 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4237 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4238 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
4239 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4240 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4241 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4242 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4243 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4244 {SSL_CB_EXIT, NULL}, {0, NULL},
4245 }, {
4246 /* TLSv1.3 client, early_data */
4247 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4248 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
4249 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4250 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4251 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4252 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
4253 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4254 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4255 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4256 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4257 }, {
4258 {0, NULL},
4259 }
4260};
4261
4262static void sslapi_info_callback(const SSL *s, int where, int ret)
4263{
4264 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
4265
4266 /* We do not ever expect a connection to fail in this test */
4267 if (!TEST_false(ret == 0)) {
4268 info_cb_failed = 1;
4269 return;
4270 }
4271
4272 /*
4273 * Do some sanity checks. We never expect these things to happen in this
4274 * test
4275 */
4276 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
4277 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
4278 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
4279 info_cb_failed = 1;
4280 return;
4281 }
4282
4283 /* Now check we're in the right state */
4284 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
4285 info_cb_failed = 1;
4286 return;
4287 }
4288 if ((where & SSL_CB_LOOP) != 0
4289 && !TEST_int_eq(strcmp(SSL_state_string(s),
4290 state[info_cb_this_state].statestr), 0)) {
4291 info_cb_failed = 1;
4292 return;
4293 }
033c181b
MC		 4294
4295 /* Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init */
4296 if ((where & SSL_CB_HANDSHAKE_DONE) && SSL_in_init((SSL *)s) != 0) {
4297 info_cb_failed = 1;
4298 return;
4299 }
5718fe45
MC		 4300}
4301
4302/*
4303 * Test the info callback gets called when we expect it to.
4304 *
4305 * Test 0: TLSv1.2, server
4306 * Test 1: TLSv1.2, client
4307 * Test 2: TLSv1.3, server
4308 * Test 3: TLSv1.3, client
4309 * Test 4: TLSv1.3, server, early_data
4310 * Test 5: TLSv1.3, client, early_data
4311 */
4312static int test_info_callback(int tst)
4313{
4314 SSL_CTX *cctx = NULL, *sctx = NULL;
4315 SSL *clientssl = NULL, *serverssl = NULL;
4316 SSL_SESSION *clntsess = NULL;
4317 int testresult = 0;
4318 int tlsvers;
4319
4320 if (tst < 2) {
4321#ifndef OPENSSL_NO_TLS1_2
4322 tlsvers = TLS1_2_VERSION;
4323#else
4324 return 1;
4325#endif
4326 } else {
4327#ifndef OPENSSL_NO_TLS1_3
4328 tlsvers = TLS1_3_VERSION;
4329#else
4330 return 1;
4331#endif
4332 }
4333
4334 /* Reset globals */
4335 info_cb_failed = 0;
4336 info_cb_this_state = -1;
4337 info_cb_offset = tst;
4338
6e07834c 4339#ifndef OPENSSL_NO_TLS1_3
5718fe45
MC		 4340 if (tst >= 4) {
4341 SSL_SESSION *sess = NULL;
4342 size_t written, readbytes;
4343 unsigned char buf[80];
4344
4345 /* early_data tests */
4346 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4347 &serverssl, &sess, 0)))
4348 goto end;
4349
4350 /* We don't actually need this reference */
4351 SSL_SESSION_free(sess);
4352
4353 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
4354 sslapi_info_callback);
4355
4356 /* Write and read some early data and then complete the connection */
4357 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4358 &written))
4359 || !TEST_size_t_eq(written, strlen(MSG1))
4360 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
4361 sizeof(buf), &readbytes),
4362 SSL_READ_EARLY_DATA_SUCCESS)
4363 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
4364 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4365 SSL_EARLY_DATA_ACCEPTED)
4366 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4367 SSL_ERROR_NONE))
4368 || !TEST_false(info_cb_failed))
4369 goto end;
4370
4371 testresult = 1;
4372 goto end;
4373 }
6e07834c 4374#endif
5718fe45
MC		 4375
4376 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4377 TLS_client_method(),
4378 tlsvers, tlsvers, &sctx, &cctx, cert,
4379 privkey)))
4380 goto end;
4381
4382 /*
4383 * For even numbered tests we check the server callbacks. For odd numbers we
4384 * check the client.
4385 */
4386 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
4387 sslapi_info_callback);
4388
4389 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4390 &clientssl, NULL, NULL))
4391 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4392 SSL_ERROR_NONE))
4393 || !TEST_false(info_cb_failed))
4394 goto end;
4395
4396
4397
4398 clntsess = SSL_get1_session(clientssl);
4399 SSL_shutdown(clientssl);
4400 SSL_shutdown(serverssl);
4401 SSL_free(serverssl);
4402 SSL_free(clientssl);
4403 serverssl = clientssl = NULL;
4404
4405 /* Now do a resumption */
4406 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4407 NULL))
4408 || !TEST_true(SSL_set_session(clientssl, clntsess))
4409 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4410 SSL_ERROR_NONE))
4411 || !TEST_true(SSL_session_reused(clientssl))
4412 || !TEST_false(info_cb_failed))
4413 goto end;
4414
4415 testresult = 1;
4416
4417 end:
4418 SSL_free(serverssl);
4419 SSL_free(clientssl);
4420 SSL_SESSION_free(clntsess);
4421 SSL_CTX_free(sctx);
4422 SSL_CTX_free(cctx);
4423 return testresult;
4424}
4425
4a432af8
MC		 4426static int test_ssl_pending(int tst)
4427{
4428 SSL_CTX *cctx = NULL, *sctx = NULL;
4429 SSL *clientssl = NULL, *serverssl = NULL;
4430 int testresult = 0;
4431 char msg[] = "A test message";
4432 char buf[5];
4433 size_t written, readbytes;
4434
4435 if (tst == 0) {
4436 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4437 TLS_client_method(),
4438 TLS1_VERSION, TLS_MAX_VERSION,
4439 &sctx, &cctx, cert, privkey)))
4440 goto end;
4441 } else {
4442#ifndef OPENSSL_NO_DTLS
4443 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
4444 DTLS_client_method(),
4445 DTLS1_VERSION, DTLS_MAX_VERSION,
4446 &sctx, &cctx, cert, privkey)))
4447 goto end;
4448#else
4449 return 1;
4450#endif
4451 }
4452
4453 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4454 NULL, NULL))
4455 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4456 SSL_ERROR_NONE)))
4457 goto end;
4458
e8251092
MC		 4459 if (!TEST_int_eq(SSL_pending(clientssl), 0)
4460 || !TEST_false(SSL_has_pending(clientssl))
4461 || !TEST_int_eq(SSL_pending(serverssl), 0)
4462 || !TEST_false(SSL_has_pending(serverssl))
4463 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4a432af8
MC		 4464 || !TEST_size_t_eq(written, sizeof(msg))
4465 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4466 || !TEST_size_t_eq(readbytes, sizeof(buf))
e8251092
MC		 4467 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
4468 || !TEST_true(SSL_has_pending(clientssl)))
4a432af8
MC		 4469 goto end;
4470
4471 testresult = 1;
4472
4473 end:
4474 SSL_free(serverssl);
4475 SSL_free(clientssl);
4476 SSL_CTX_free(sctx);
4477 SSL_CTX_free(cctx);
4478
4479 return testresult;
4480}
4481
e401389a
MC		 4482static struct {
4483 unsigned int maxprot;
4484 const char *clntciphers;
4485 const char *clnttls13ciphers;
4486 const char *srvrciphers;
4487 const char *srvrtls13ciphers;
4488 const char *shared;
4489} shared_ciphers_data[] = {
60155b9a
MC		 4490/*
4491 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
4492 * TLSv1.3 is enabled but TLSv1.2 is disabled.
4493 */
4494#if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
e401389a
MC		 4495 {
4496 TLS1_2_VERSION,
4497 "AES128-SHA:AES256-SHA",
4498 NULL,
4499 "AES256-SHA:DHE-RSA-AES128-SHA",
4500 NULL,
4501 "AES256-SHA"
4502 },
4503 {
4504 TLS1_2_VERSION,
4505 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
4506 NULL,
4507 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
4508 NULL,
4509 "AES128-SHA:AES256-SHA"
4510 },
4511 {
4512 TLS1_2_VERSION,
4513 "AES128-SHA:AES256-SHA",
4514 NULL,
4515 "AES128-SHA:DHE-RSA-AES128-SHA",
4516 NULL,
4517 "AES128-SHA"
4518 },
60155b9a
MC		 4519#endif
4520/*
4521 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
4522 * enabled.
4523 */
4524#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
4525 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e401389a
MC		 4526 {
4527 TLS1_3_VERSION,
4528 "AES128-SHA:AES256-SHA",
4529 NULL,
4530 "AES256-SHA:AES128-SHA256",
4531 NULL,
4532 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
4533 "TLS_AES_128_GCM_SHA256:AES256-SHA"
4534 },
60155b9a
MC		 4535#endif
4536#ifndef OPENSSL_NO_TLS1_3
e401389a
MC		 4537 {
4538 TLS1_3_VERSION,
4539 "AES128-SHA",
4540 "TLS_AES_256_GCM_SHA384",
4541 "AES256-SHA",
4542 "TLS_AES_256_GCM_SHA384",
4543 "TLS_AES_256_GCM_SHA384"
4544 },
4545#endif
4546};
4547
4548static int test_ssl_get_shared_ciphers(int tst)
4549{
4550 SSL_CTX *cctx = NULL, *sctx = NULL;
4551 SSL *clientssl = NULL, *serverssl = NULL;
4552 int testresult = 0;
4553 char buf[1024];
4554
4555 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4556 TLS_client_method(),
4557 TLS1_VERSION,
4558 shared_ciphers_data[tst].maxprot,
4559 &sctx, &cctx, cert, privkey)))
4560 goto end;
4561
4562 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4563 shared_ciphers_data[tst].clntciphers))
4564 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
4565 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4566 shared_ciphers_data[tst].clnttls13ciphers)))
4567 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
4568 shared_ciphers_data[tst].srvrciphers))
4569 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
4570 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4571 shared_ciphers_data[tst].srvrtls13ciphers))))
4572 goto end;
4573
4574
4575 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4576 NULL, NULL))
4577 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4578 SSL_ERROR_NONE)))
4579 goto end;
4580
4581 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
4582 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
4583 TEST_info("Shared ciphers are: %s\n", buf);
4584 goto end;
4585 }
4586
4587 testresult = 1;
4588
4589 end:
4590 SSL_free(serverssl);
4591 SSL_free(clientssl);
4592 SSL_CTX_free(sctx);
4593 SSL_CTX_free(cctx);
4594
4595 return testresult;
4596}
4597
d0191fe0 4598static const char *appdata = "Hello World";
61fb5923
MC		 4599static int gen_tick_called, dec_tick_called, tick_key_cb_called;
4600static int tick_key_renew = 0;
4601static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
d0191fe0
MC		 4602
4603static int gen_tick_cb(SSL *s, void *arg)
4604{
4605 gen_tick_called = 1;
4606
4607 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
4608 strlen(appdata));
4609}
4610
4611static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
4612 const unsigned char *keyname,
4613 size_t keyname_length,
61fb5923
MC		 4614 SSL_TICKET_STATUS status,
4615 void *arg)
d0191fe0
MC		 4616{
4617 void *tickdata;
4618 size_t tickdlen;
4619
4620 dec_tick_called = 1;
4621
61fb5923
MC		 4622 if (status == SSL_TICKET_EMPTY)
4623 return SSL_TICKET_RETURN_IGNORE_RENEW;
d0191fe0 4624
61fb5923
MC		 4625 if (!TEST_true(status == SSL_TICKET_SUCCESS
4626 || status == SSL_TICKET_SUCCESS_RENEW))
4627 return SSL_TICKET_RETURN_ABORT;
4628
4629 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
4630 &tickdlen))
d0191fe0
MC		 4631 || !TEST_size_t_eq(tickdlen, strlen(appdata))
4632 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
61fb5923 4633 return SSL_TICKET_RETURN_ABORT;
d0191fe0 4634
61fb5923
MC		 4635 if (tick_key_cb_called) {
4636 /* Don't change what the ticket key callback wanted to do */
4637 switch (status) {
4638 case SSL_TICKET_NO_DECRYPT:
4639 return SSL_TICKET_RETURN_IGNORE_RENEW;
4640
4641 case SSL_TICKET_SUCCESS:
4642 return SSL_TICKET_RETURN_USE;
d0191fe0 4643
61fb5923
MC		 4644 case SSL_TICKET_SUCCESS_RENEW:
4645 return SSL_TICKET_RETURN_USE_RENEW;
4646
4647 default:
4648 return SSL_TICKET_RETURN_ABORT;
4649 }
4650 }
4651 return tick_dec_ret;
4652
4653}
d0191fe0
MC		 4654
4655static int tick_key_cb(SSL *s, unsigned char key_name[16],
4656 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
4657 HMAC_CTX *hctx, int enc)
4658{
4659 const unsigned char tick_aes_key[16] = "0123456789abcdef";
4660 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
4661
61fb5923 4662 tick_key_cb_called = 1;
d0191fe0
MC		 4663 memset(iv, 0, AES_BLOCK_SIZE);
4664 memset(key_name, 0, 16);
4665 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
4666 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
4667 EVP_sha256(), NULL))
4668 return -1;
4669
61fb5923 4670 return tick_key_renew ? 2 : 1;
d0191fe0
MC		 4671}
4672
4673/*
4674 * Test the various ticket callbacks
61fb5923
MC		 4675 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
4676 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
4677 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
4678 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
4679 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
4680 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
4681 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
4682 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
4683 * Test 8: TLSv1.2, ticket key callback, ticket, no renewal
4684 * Test 9: TLSv1.3, ticket key callback, ticket, no renewal
4685 * Test 10: TLSv1.2, ticket key callback, ticket, renewal
4686 * Test 11: TLSv1.3, ticket key callback, ticket, renewal
d0191fe0
MC		 4687 */
4688static int test_ticket_callbacks(int tst)
4689{
4690 SSL_CTX *cctx = NULL, *sctx = NULL;
4691 SSL *clientssl = NULL, *serverssl = NULL;
4692 SSL_SESSION *clntsess = NULL;
4693 int testresult = 0;
4694
4695#ifdef OPENSSL_NO_TLS1_2
4696 if (tst % 2 == 0);
4697 return 1;
4698#endif
4699#ifdef OPENSSL_NO_TLS1_3
4700 if (tst % 2 == 1);
4701 return 1;
4702#endif
4703
61fb5923 4704 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
d0191fe0
MC		 4705
4706 /* Which tests the ticket key callback should request renewal for */
61fb5923
MC		 4707 if (tst == 10 || tst == 11)
4708 tick_key_renew = 1;
d0191fe0 4709 else
61fb5923
MC		 4710 tick_key_renew = 0;
4711
4712 /* Which tests the decrypt ticket callback should request renewal for */
4713 switch (tst) {
4714 case 0:
4715 case 1:
4716 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
4717 break;
4718
4719 case 2:
4720 case 3:
4721 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
4722 break;
4723
4724 case 4:
4725 case 5:
4726 tick_dec_ret = SSL_TICKET_RETURN_USE;
4727 break;
4728
4729 case 6:
4730 case 7:
4731 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
4732 break;
4733
4734 default:
4735 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
4736 }
d0191fe0
MC		 4737
4738 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4739 TLS_client_method(),
4740 TLS1_VERSION,
61fb5923
MC		 4741 ((tst % 2) == 0) ? TLS1_2_VERSION
4742 : TLS1_3_VERSION,
d0191fe0
MC		 4743 &sctx, &cctx, cert, privkey)))
4744 goto end;
4745
61fb5923
MC		 4746 /*
4747 * We only want sessions to resume from tickets - not the session cache. So
4748 * switch the cache off.
4749 */
4750 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
4751 goto end;
4752
d0191fe0
MC		 4753 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
4754 NULL)))
4755 goto end;
4756
61fb5923 4757 if (tst >= 8
d0191fe0
MC		 4758 && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
4759 goto end;
4760
4761 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4762 NULL, NULL))
4763 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4764 SSL_ERROR_NONE)))
4765 goto end;
4766
61fb5923
MC		 4767 /*
4768 * The decrypt ticket key callback in TLSv1.2 should be called even though
4769 * we have no ticket yet, because it gets called with a status of
4770 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
4771 * actually send any ticket data). This does not happen in TLSv1.3 because
4772 * it is not valid to send empty ticket data in TLSv1.3.
4773 */
d0191fe0 4774 if (!TEST_int_eq(gen_tick_called, 1)
61fb5923 4775 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
d0191fe0
MC		 4776 goto end;
4777
4778 gen_tick_called = dec_tick_called = 0;
4779
4780 clntsess = SSL_get1_session(clientssl);
4781 SSL_shutdown(clientssl);
4782 SSL_shutdown(serverssl);
4783 SSL_free(serverssl);
4784 SSL_free(clientssl);
4785 serverssl = clientssl = NULL;
4786
4787 /* Now do a resumption */
4788 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4789 NULL))
4790 || !TEST_true(SSL_set_session(clientssl, clntsess))
4791 || !TEST_true(create_ssl_connection(serverssl, clientssl,
61fb5923 4792 SSL_ERROR_NONE)))
d0191fe0
MC		 4793 goto end;
4794
61fb5923
MC		 4795 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
4796 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
4797 if (!TEST_false(SSL_session_reused(clientssl)))
4798 goto end;
4799 } else {
4800 if (!TEST_true(SSL_session_reused(clientssl)))
4801 goto end;
4802 }
4803
d0191fe0 4804 if (!TEST_int_eq(gen_tick_called,
61fb5923
MC		 4805 (tick_key_renew
4806 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
4807 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
4808 ? 1 : 0)
d0191fe0
MC		 4809 || !TEST_int_eq(dec_tick_called, 1))
4810 goto end;
4811
4812 testresult = 1;
4813
4814 end:
4815 SSL_SESSION_free(clntsess);
4816 SSL_free(serverssl);
4817 SSL_free(clientssl);
4818 SSL_CTX_free(sctx);
4819 SSL_CTX_free(cctx);
4820
4821 return testresult;
4822}
4823
ad887416 4824int setup_tests(void)
2cb4b5f6 4825{
ad887416 4826 if (!TEST_ptr(cert = test_get_argument(0))
76fd7a1d
MC		 4827 || !TEST_ptr(privkey = test_get_argument(1))
4828 || !TEST_ptr(srpvfile = test_get_argument(2))
4829 || !TEST_ptr(tmpfilename = test_get_argument(3)))
710756a9 4830 return 0;
2cb4b5f6 4831
f297e4ec
RS		 4832 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
4833#ifdef OPENSSL_NO_CRYPTO_MDEBUG
4834 TEST_error("not supported in this build");
4835 return 0;
4836#else
4837 int i, mcount, rcount, fcount;
4838
4839 for (i = 0; i < 4; i++)
4840 test_export_key_mat(i);
4841 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
4842 test_printf_stdout("malloc %d realloc %d free %d\n",
4843 mcount, rcount, fcount);
4844 return 1;
4845#endif
4846 }
4847
84d5549e 4848 ADD_TEST(test_large_message_tls);
7856332e 4849 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 4850#ifndef OPENSSL_NO_DTLS
84d5549e 4851 ADD_TEST(test_large_message_dtls);
55386bef 4852#endif
8f8c11d8 4853#ifndef OPENSSL_NO_OCSP
c887104f 4854 ADD_TEST(test_tlsext_status_type);
8f8c11d8 4855#endif
eaa776da
MC		 4856 ADD_TEST(test_session_with_only_int_cache);
4857 ADD_TEST(test_session_with_only_ext_cache);
4858 ADD_TEST(test_session_with_both_cache);
7fb4c820 4859 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 4860 ADD_TEST(test_ssl_bio_pop_next_bio);
4861 ADD_TEST(test_ssl_bio_pop_ssl_bio);
4862 ADD_TEST(test_ssl_bio_change_rbio);
4863 ADD_TEST(test_ssl_bio_change_wbio);
c423ecaa 4864#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae 4865 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 4866 ADD_TEST(test_keylog);
c423ecaa 4867#endif
6acdd3e5
CB		 4868#ifndef OPENSSL_NO_TLS1_3
4869 ADD_TEST(test_keylog_no_master_key);
4870#endif
e9ee6536 4871#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 4872 ADD_TEST(test_client_hello_cb);
5f982038
MC		 4873#endif
4874#ifndef OPENSSL_NO_TLS1_3
02a3ed5a 4875 ADD_ALL_TESTS(test_early_data_read_write, 3);
78fb5374
MC		 4876 /*
4877 * We don't do replay tests for external PSK. Replay protection isn't used
4878 * in that scenario.
4879 */
4880 ADD_ALL_TESTS(test_early_data_replay, 2);
02a3ed5a
MC		 4881 ADD_ALL_TESTS(test_early_data_skip, 3);
4882 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
4883 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 4884 ADD_ALL_TESTS(test_early_data_psk, 8);
02a3ed5a 4885 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 4886# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 4887 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 4888# endif
e9ee6536 4889#endif
a273157a 4890#ifndef OPENSSL_NO_TLS1_3
034cb87b 4891 ADD_ALL_TESTS(test_set_ciphersuite, 10);
ca0413ae 4892 ADD_TEST(test_ciphersuite_change);
c2b290c3
MC		 4893#ifdef OPENSSL_NO_PSK
4894 ADD_ALL_TESTS(test_tls13_psk, 1);
4895#else
0d8da779 4896 ADD_ALL_TESTS(test_tls13_psk, 4);
c2b290c3 4897#endif /* OPENSSL_NO_PSK */
bb01ef3f 4898 ADD_ALL_TESTS(test_custom_exts, 5);
c7b8ff25 4899 ADD_TEST(test_stateless);
9d75dce3 4900 ADD_TEST(test_pha_key_update);
a273157a 4901#else
bb01ef3f 4902 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 4903#endif
16afd71c 4904 ADD_ALL_TESTS(test_serverinfo, 8);
2197d1df 4905 ADD_ALL_TESTS(test_export_key_mat, 4);
b38ede80
TT		 4906#ifndef OPENSSL_NO_TLS1_3
4907 ADD_ALL_TESTS(test_export_key_mat_early, 3);
4908#endif
e11b6aa4 4909 ADD_ALL_TESTS(test_ssl_clear, 2);
cf72c757 4910 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
76fd7a1d
MC		 4911#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
4912 ADD_ALL_TESTS(test_srp, 6);
4913#endif
5718fe45 4914 ADD_ALL_TESTS(test_info_callback, 6);
4a432af8 4915 ADD_ALL_TESTS(test_ssl_pending, 2);
e401389a 4916 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
61fb5923 4917 ADD_ALL_TESTS(test_ticket_callbacks, 12);
ad887416
P		 4918 return 1;
4919}
2cb4b5f6 4920
ad887416
P		 4921void cleanup_tests(void)
4922{
fa454945 4923 bio_s_mempacket_test_free();
2cb4b5f6 4924}
A mirror of the official openssl repository