]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Add SSL_get0_group_name() to get name of the group used for KEX
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
fecb3aae 2 * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6 3 *
909f1a2e 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
2cb4b5f6
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
a76ce286
P		 10/*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14#ifndef OPENSSL_NO_DEPRECATED_3_0
15# define OPENSSL_SUPPRESS_DEPRECATED
16#endif
17
7c3a7561 18#include <stdio.h>
ba881d3b
MC		 19#include <string.h>
20
2cb4b5f6
MC		 21#include <openssl/opensslconf.h>
22#include <openssl/bio.h>
23#include <openssl/crypto.h>
24#include <openssl/ssl.h>
ba881d3b 25#include <openssl/ocsp.h>
76fd7a1d
MC		 26#include <openssl/srp.h>
27#include <openssl/txt_db.h>
d0191fe0 28#include <openssl/aes.h>
7c3a7561 29#include <openssl/rand.h>
a76ce286 30#include <openssl/core_names.h>
23c48d94 31#include <openssl/core_dispatch.h>
5e30f2fd 32#include <openssl/provider.h>
33c39a06 33#include <openssl/param_build.h>
dfccfde0 34#include <openssl/x509v3.h>
92d7120c 35#include <openssl/dh.h>
b718f6fc 36#include <openssl/engine.h>
2cb4b5f6 37
20f8bc72 38#include "helpers/ssltestlib.h"
c887104f 39#include "testutil.h"
f297e4ec 40#include "testutil/output.h"
176db6dc 41#include "internal/nelem.h"
fe5d9450 42#include "internal/ktls.h"
706457b7 43#include "../ssl/ssl_local.h"
0755722c 44#include "../ssl/record/methods/recmethod_local.h"
b0001d0c 45#include "filterprov.h"
2cb4b5f6 46
a763ca11
MC		 47#undef OSSL_NO_USABLE_TLS1_3
48#if defined(OPENSSL_NO_TLS1_3) \
49 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
50/*
51 * If we don't have ec or dh then there are no built-in groups that are usable
52 * with TLSv1.3
53 */
54# define OSSL_NO_USABLE_TLS1_3
55#endif
56
0c13cdf8
MC		 57/* Defined in tls-provider.c */
58int tls_provider_init(const OSSL_CORE_HANDLE *handle,
59 const OSSL_DISPATCH *in,
60 const OSSL_DISPATCH **out,
61 void **provctx);
852c2ed2 62
b4250010 63static OSSL_LIB_CTX *libctx = NULL;
5e30f2fd
MC		 64static OSSL_PROVIDER *defctxnull = NULL;
65
a763ca11 66#ifndef OSSL_NO_USABLE_TLS1_3
8614a4eb
MC		 67
68static SSL_SESSION *clientpsk = NULL;
69static SSL_SESSION *serverpsk = NULL;
70static const char *pskid = "Identity";
71static const char *srvid;
72
73static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
74 size_t *idlen, SSL_SESSION **sess);
75static int find_session_cb(SSL *ssl, const unsigned char *identity,
76 size_t identity_len, SSL_SESSION **sess);
77
78static int use_session_cb_cnt = 0;
79static int find_session_cb_cnt = 0;
80
10836921 81static SSL_SESSION *create_a_psk(SSL *ssl, size_t mdsize);
8614a4eb
MC		 82#endif
83
1a2a3a42 84static char *certsdir = NULL;
2cb4b5f6
MC		 85static char *cert = NULL;
86static char *privkey = NULL;
b3842539
MC		 87static char *cert2 = NULL;
88static char *privkey2 = NULL;
3105d846
MC		 89static char *cert1024 = NULL;
90static char *privkey1024 = NULL;
91static char *cert3072 = NULL;
92static char *privkey3072 = NULL;
93static char *cert4096 = NULL;
94static char *privkey4096 = NULL;
95static char *cert8192 = NULL;
96static char *privkey8192 = NULL;
76fd7a1d
MC		 97static char *srpvfile = NULL;
98static char *tmpfilename = NULL;
b2b8d188 99static char *dhfile = NULL;
2cb4b5f6 100
4f6c7044 101static int is_fips = 0;
50ea5cdc 102static int fips_ems_check = 0;
4f6c7044 103
cffe973c 104#define LOG_BUFFER_SIZE 2048
6acdd3e5 105static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 106static size_t server_log_buffer_index = 0;
6acdd3e5 107static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 108static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 109static int error_writing_log = 0;
110
8f8c11d8 111#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 112static const unsigned char orespder[] = "Dummy OCSP Response";
113static int ocsp_server_called = 0;
114static int ocsp_client_called = 0;
115
116static int cdummyarg = 1;
117static X509 *ocspcert = NULL;
8f8c11d8 118#endif
ba881d3b 119
84d5549e 120#define NUM_EXTRA_CERTS 40
cf72c757 121#define CLIENT_VERSION_LEN 2
84d5549e 122
f1a5939f
CB		 123/*
124 * This structure is used to validate that the correct number of log messages
125 * of various types are emitted when emitting secret logs.
126 */
127struct sslapitest_log_counts {
128 unsigned int rsa_key_exchange_count;
129 unsigned int master_secret_count;
cffe973c 130 unsigned int client_early_secret_count;
f1a5939f
CB		 131 unsigned int client_handshake_secret_count;
132 unsigned int server_handshake_secret_count;
133 unsigned int client_application_secret_count;
134 unsigned int server_application_secret_count;
01a2a654 135 unsigned int early_exporter_secret_count;
6329ce8f 136 unsigned int exporter_secret_count;
f1a5939f
CB		 137};
138
16afd71c 139
104a733d
MC		 140static int hostname_cb(SSL *s, int *al, void *arg)
141{
142 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
143
144 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
145 || strcmp(hostname, "altgoodhost") == 0))
146 return SSL_TLSEXT_ERR_OK;
147
148 return SSL_TLSEXT_ERR_NOACK;
149}
150
710756a9
RS		 151static void client_keylog_callback(const SSL *ssl, const char *line)
152{
6acdd3e5
CB		 153 int line_length = strlen(line);
154
155 /* If the log doesn't fit, error out. */
710756a9
RS		 156 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
157 TEST_info("Client log too full");
6acdd3e5
CB		 158 error_writing_log = 1;
159 return;
160 }
161
162 strcat(client_log_buffer, line);
163 client_log_buffer_index += line_length;
710756a9 164 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 165}
166
710756a9
RS		 167static void server_keylog_callback(const SSL *ssl, const char *line)
168{
6acdd3e5
CB		 169 int line_length = strlen(line);
170
171 /* If the log doesn't fit, error out. */
710756a9 172 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 173 TEST_info("Server log too full");
6acdd3e5
CB		 174 error_writing_log = 1;
175 return;
176 }
177
178 strcat(server_log_buffer, line);
179 server_log_buffer_index += line_length;
710756a9 180 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 181}
182
183static int compare_hex_encoded_buffer(const char *hex_encoded,
184 size_t hex_length,
185 const uint8_t *raw,
710756a9
RS		 186 size_t raw_length)
187{
188 size_t i, j;
189 char hexed[3];
6acdd3e5 190
710756a9 191 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 192 return 1;
6acdd3e5 193
710756a9 194 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 195 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 196 if (!TEST_int_eq(hexed[0], hex_encoded[j])
197 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 198 return 1;
6acdd3e5
CB		 199 }
200
201 return 0;
202}
203
204static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 205 const SSL_SESSION *session,
710756a9
RS		 206 struct sslapitest_log_counts *expected)
207{
6acdd3e5
CB		 208 char *token = NULL;
209 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
210 size_t client_random_size = SSL3_RANDOM_SIZE;
211 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
212 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 213 unsigned int rsa_key_exchange_count = 0;
214 unsigned int master_secret_count = 0;
cffe973c 215 unsigned int client_early_secret_count = 0;
f1a5939f
CB		 216 unsigned int client_handshake_secret_count = 0;
217 unsigned int server_handshake_secret_count = 0;
218 unsigned int client_application_secret_count = 0;
219 unsigned int server_application_secret_count = 0;
01a2a654 220 unsigned int early_exporter_secret_count = 0;
6329ce8f 221 unsigned int exporter_secret_count = 0;
6acdd3e5 222
710756a9
RS		 223 for (token = strtok(buffer, " \n"); token != NULL;
224 token = strtok(NULL, " \n")) {
6acdd3e5 225 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 226 /*
227 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 228 * hex-encoded encrypted secret, then the hex-encoded pre-master
229 * secret.
230 */
710756a9 231 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 232 return 0;
710756a9 233 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 234 return 0;
710756a9 235 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 236 return 0;
f1a5939f
CB		 237 /*
238 * We can't sensibly check the log because the premaster secret is
239 * transient, and OpenSSL doesn't keep hold of it once the master
240 * secret is generated.
241 */
242 rsa_key_exchange_count++;
6acdd3e5 243 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 244 /*
245 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 246 * client random, then the hex-encoded master secret.
247 */
248 client_random_size = SSL_get_client_random(ssl,
249 actual_client_random,
250 SSL3_RANDOM_SIZE);
710756a9 251 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 252 return 0;
6acdd3e5 253
710756a9 254 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 255 return 0;
710756a9 256 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 257 return 0;
710756a9
RS		 258 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
259 actual_client_random,
260 client_random_size)))
f1a5939f 261 return 0;
6acdd3e5 262
710756a9 263 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 264 return 0;
6acdd3e5
CB		 265 master_key_size = SSL_SESSION_get_master_key(session,
266 actual_master_key,
267 master_key_size);
710756a9 268 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 269 return 0;
710756a9
RS		 270 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
271 actual_master_key,
272 master_key_size)))
f1a5939f 273 return 0;
f1a5939f 274 master_secret_count++;
cffe973c
PW		 275 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
276 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
710756a9
RS		 277 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
278 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
6329ce8f 279 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
01a2a654 280 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
6329ce8f 281 || strcmp(token, "EXPORTER_SECRET") == 0) {
f1a5939f
CB		 282 /*
283 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
284 * client random, and then the hex-encoded secret. In this case,
285 * we treat all of these secrets identically and then just
286 * distinguish between them when counting what we saw.
287 */
cffe973c
PW		 288 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
289 client_early_secret_count++;
290 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
f1a5939f
CB		 291 client_handshake_secret_count++;
292 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
293 server_handshake_secret_count++;
294 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
295 client_application_secret_count++;
296 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
297 server_application_secret_count++;
01a2a654
PW		 298 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
299 early_exporter_secret_count++;
6329ce8f
PW		 300 else if (strcmp(token, "EXPORTER_SECRET") == 0)
301 exporter_secret_count++;
f1a5939f
CB		 302
303 client_random_size = SSL_get_client_random(ssl,
304 actual_client_random,
305 SSL3_RANDOM_SIZE);
710756a9 306 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 307 return 0;
f1a5939f 308
710756a9 309 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 310 return 0;
710756a9 311 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 312 return 0;
710756a9
RS		 313 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
314 actual_client_random,
315 client_random_size)))
f1a5939f 316 return 0;
6acdd3e5 317
710756a9 318 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 319 return 0;
6acdd3e5 320 } else {
710756a9 321 TEST_info("Unexpected token %s\n", token);
f1a5939f 322 return 0;
6acdd3e5 323 }
6acdd3e5
CB		 324 }
325
710756a9
RS		 326 /* Got what we expected? */
327 if (!TEST_size_t_eq(rsa_key_exchange_count,
328 expected->rsa_key_exchange_count)
329 || !TEST_size_t_eq(master_secret_count,
330 expected->master_secret_count)
cffe973c
PW		 331 || !TEST_size_t_eq(client_early_secret_count,
332 expected->client_early_secret_count)
710756a9
RS		 333 || !TEST_size_t_eq(client_handshake_secret_count,
334 expected->client_handshake_secret_count)
335 || !TEST_size_t_eq(server_handshake_secret_count,
336 expected->server_handshake_secret_count)
337 || !TEST_size_t_eq(client_application_secret_count,
338 expected->client_application_secret_count)
339 || !TEST_size_t_eq(server_application_secret_count,
6329ce8f 340 expected->server_application_secret_count)
01a2a654
PW		 341 || !TEST_size_t_eq(early_exporter_secret_count,
342 expected->early_exporter_secret_count)
6329ce8f
PW		 343 || !TEST_size_t_eq(exporter_secret_count,
344 expected->exporter_secret_count))
710756a9
RS		 345 return 0;
346 return 1;
6acdd3e5
CB		 347}
348
a763ca11 349#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
710756a9
RS		 350static int test_keylog(void)
351{
6acdd3e5
CB		 352 SSL_CTX *cctx = NULL, *sctx = NULL;
353 SSL *clientssl = NULL, *serverssl = NULL;
354 int testresult = 0;
6fc1e624 355 struct sslapitest_log_counts expected;
6acdd3e5
CB		 356
357 /* Clean up logging space */
6fc1e624 358 memset(&expected, 0, sizeof(expected));
710756a9
RS		 359 memset(client_log_buffer, 0, sizeof(client_log_buffer));
360 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 361 client_log_buffer_index = 0;
362 server_log_buffer_index = 0;
363 error_writing_log = 0;
364
5e30f2fd 365 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
710756a9 366 TLS_client_method(),
5c587fb6 367 TLS1_VERSION, 0,
710756a9 368 &sctx, &cctx, cert, privkey)))
6acdd3e5 369 return 0;
6acdd3e5
CB		 370
371 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
372 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
373 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
374
f0deb4d3 375 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 376 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 377 goto end;
f0deb4d3 378
cf10df81
RS		 379 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
380 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 381 goto end;
6acdd3e5 382 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 383 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
384 == client_keylog_callback))
6acdd3e5 385 goto end;
710756a9 386 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 387 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
388 == server_keylog_callback))
6acdd3e5 389 goto end;
6acdd3e5 390
710756a9
RS		 391 /* Now do a handshake and check that the logs have been written to. */
392 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
393 &clientssl, NULL, NULL))
394 || !TEST_true(create_ssl_connection(serverssl, clientssl,
395 SSL_ERROR_NONE))
396 || !TEST_false(error_writing_log)
397 || !TEST_int_gt(client_log_buffer_index, 0)
398 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 399 goto end;
6acdd3e5 400
f1a5939f
CB		 401 /*
402 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 403 * do that by using strtok and confirming that we have more or less the
f1a5939f 404 * data we expect. For both client and server, we expect to see one master
a63fa5f7 405 * secret. The client should also see an RSA key exchange.
6acdd3e5 406 */
f1a5939f
CB		 407 expected.rsa_key_exchange_count = 1;
408 expected.master_secret_count = 1;
710756a9
RS		 409 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
410 SSL_get_session(clientssl), &expected)))
6acdd3e5 411 goto end;
f1a5939f
CB		 412
413 expected.rsa_key_exchange_count = 0;
710756a9
RS		 414 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
415 SSL_get_session(serverssl), &expected)))
6acdd3e5 416 goto end;
6acdd3e5
CB		 417
418 testresult = 1;
419
420end:
421 SSL_free(serverssl);
422 SSL_free(clientssl);
423 SSL_CTX_free(sctx);
424 SSL_CTX_free(cctx);
425
426 return testresult;
427}
c423ecaa 428#endif
6acdd3e5 429
a763ca11 430#ifndef OSSL_NO_USABLE_TLS1_3
710756a9
RS		 431static int test_keylog_no_master_key(void)
432{
6acdd3e5
CB		 433 SSL_CTX *cctx = NULL, *sctx = NULL;
434 SSL *clientssl = NULL, *serverssl = NULL;
cffe973c 435 SSL_SESSION *sess = NULL;
6acdd3e5 436 int testresult = 0;
6fc1e624 437 struct sslapitest_log_counts expected;
cffe973c
PW		 438 unsigned char buf[1];
439 size_t readbytes, written;
6acdd3e5
CB		 440
441 /* Clean up logging space */
6fc1e624 442 memset(&expected, 0, sizeof(expected));
710756a9
RS		 443 memset(client_log_buffer, 0, sizeof(client_log_buffer));
444 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 445 client_log_buffer_index = 0;
446 server_log_buffer_index = 0;
447 error_writing_log = 0;
448
5e30f2fd
MC		 449 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
450 TLS_client_method(), TLS1_VERSION, 0,
cffe973c
PW		 451 &sctx, &cctx, cert, privkey))
452 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
cffe973c 453 SSL3_RT_MAX_PLAIN_LENGTH)))
6acdd3e5 454 return 0;
6acdd3e5 455
cf10df81
RS		 456 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
457 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 458 goto end;
6acdd3e5
CB		 459
460 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 461 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
462 == client_keylog_callback))
6acdd3e5 463 goto end;
6acdd3e5 464
710756a9 465 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 466 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
467 == server_keylog_callback))
6acdd3e5 468 goto end;
6acdd3e5 469
710756a9
RS		 470 /* Now do a handshake and check that the logs have been written to. */
471 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
472 &clientssl, NULL, NULL))
473 || !TEST_true(create_ssl_connection(serverssl, clientssl,
474 SSL_ERROR_NONE))
475 || !TEST_false(error_writing_log))
6acdd3e5 476 goto end;
6acdd3e5 477
f1a5939f
CB		 478 /*
479 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 480 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 481 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 482 */
f1a5939f
CB		 483 expected.client_handshake_secret_count = 1;
484 expected.server_handshake_secret_count = 1;
485 expected.client_application_secret_count = 1;
486 expected.server_application_secret_count = 1;
6329ce8f 487 expected.exporter_secret_count = 1;
710756a9
RS		 488 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
489 SSL_get_session(clientssl), &expected))
490 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
491 SSL_get_session(serverssl),
492 &expected)))
6acdd3e5 493 goto end;
6acdd3e5 494
cffe973c
PW		 495 /* Terminate old session and resume with early data. */
496 sess = SSL_get1_session(clientssl);
497 SSL_shutdown(clientssl);
498 SSL_shutdown(serverssl);
499 SSL_free(serverssl);
500 SSL_free(clientssl);
501 serverssl = clientssl = NULL;
502
503 /* Reset key log */
504 memset(client_log_buffer, 0, sizeof(client_log_buffer));
505 memset(server_log_buffer, 0, sizeof(server_log_buffer));
506 client_log_buffer_index = 0;
507 server_log_buffer_index = 0;
508
509 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
510 &clientssl, NULL, NULL))
511 || !TEST_true(SSL_set_session(clientssl, sess))
512 /* Here writing 0 length early data is enough. */
513 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
514 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
515 &readbytes),
516 SSL_READ_EARLY_DATA_ERROR)
517 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
518 SSL_EARLY_DATA_ACCEPTED)
519 || !TEST_true(create_ssl_connection(serverssl, clientssl,
520 SSL_ERROR_NONE))
521 || !TEST_true(SSL_session_reused(clientssl)))
522 goto end;
523
524 /* In addition to the previous entries, expect early secrets. */
525 expected.client_early_secret_count = 1;
01a2a654 526 expected.early_exporter_secret_count = 1;
cffe973c
PW		 527 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
528 SSL_get_session(clientssl), &expected))
529 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
530 SSL_get_session(serverssl),
531 &expected)))
532 goto end;
533
6acdd3e5
CB		 534 testresult = 1;
535
536end:
cffe973c 537 SSL_SESSION_free(sess);
6acdd3e5
CB		 538 SSL_free(serverssl);
539 SSL_free(clientssl);
540 SSL_CTX_free(sctx);
541 SSL_CTX_free(cctx);
542
543 return testresult;
544}
545#endif
546
0c3eb279
DDO		 547static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
548{
549 int res = X509_verify_cert(ctx);
dfb39f73
TM		 550 int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
551 SSL *ssl;
552
553 /* this should not happen but check anyway */
554 if (idx < 0
555 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
556 return 0;
0c3eb279
DDO		 557
558 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
559 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
dfb39f73
TM		 560 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
561 return SSL_set_retry_verify(ssl);
562
0c3eb279
DDO		 563 return res;
564}
565
566static int test_client_cert_verify_cb(void)
567{
568 /* server key, cert, chain, and root */
569 char *skey = test_mk_file_path(certsdir, "leaf.key");
570 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
571 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
572 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
573 char *root = test_mk_file_path(certsdir, "rootCA.pem");
574 X509 *crt1 = NULL, *crt2 = NULL;
575 STACK_OF(X509) *server_chain;
576 SSL_CTX *cctx = NULL, *sctx = NULL;
577 SSL *clientssl = NULL, *serverssl = NULL;
578 int testresult = 0;
579
580 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
581 TLS_client_method(), TLS1_VERSION, 0,
582 &sctx, &cctx, NULL, NULL)))
583 goto end;
584 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
585 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
586 SSL_FILETYPE_PEM), 1)
587 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
588 goto end;
589 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
590 goto end;
591 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
592 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
593 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
594 &clientssl, NULL, NULL)))
595 goto end;
596
597 /* attempt SSL_connect() with incomplete server chain */
598 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
599 SSL_ERROR_WANT_RETRY_VERIFY)))
600 goto end;
601
602 /* application provides intermediate certs needed to verify server cert */
603 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
604 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
605 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
606 goto end;
607 /* add certs in reverse order to demonstrate real chain building */
608 if (!TEST_true(sk_X509_push(server_chain, crt1)))
609 goto end;
610 crt1 = NULL;
611 if (!TEST_true(sk_X509_push(server_chain, crt2)))
612 goto end;
613 crt2 = NULL;
614
615 /* continue SSL_connect(), must now succeed with completed server chain */
616 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
617 SSL_ERROR_NONE)))
618 goto end;
619
620 testresult = 1;
621
622end:
623 X509_free(crt1);
624 X509_free(crt2);
c38048e7
P		 625 if (clientssl != NULL) {
626 SSL_shutdown(clientssl);
627 SSL_free(clientssl);
628 }
629 if (serverssl != NULL) {
630 SSL_shutdown(serverssl);
631 SSL_free(serverssl);
632 }
0c3eb279
DDO		 633 SSL_CTX_free(sctx);
634 SSL_CTX_free(cctx);
635
636 OPENSSL_free(skey);
637 OPENSSL_free(leaf);
638 OPENSSL_free(int2);
639 OPENSSL_free(int1);
640 OPENSSL_free(root);
641
642 return testresult;
643}
644
4e4ae840
SL		 645static int test_ssl_build_cert_chain(void)
646{
647 int ret = 0;
648 SSL_CTX *ssl_ctx = NULL;
649 SSL *ssl = NULL;
650 char *skey = test_mk_file_path(certsdir, "leaf.key");
651 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
652
653 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
654 goto end;
655 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
656 goto end;
657 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
658 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
659 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
660 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
661 goto end;
662 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
663 | SSL_BUILD_CHAIN_FLAG_CHECK)))
664 goto end;
665 ret = 1;
666end:
667 SSL_free(ssl);
668 SSL_CTX_free(ssl_ctx);
669 OPENSSL_free(leaf_chain);
670 OPENSSL_free(skey);
671 return ret;
672}
673
c7debe81
TM		 674static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
675{
676 static const char pass[] = "testpass";
677
678 if (!TEST_int_eq(size, PEM_BUFSIZE))
679 return -1;
680
681 memcpy(buf, pass, sizeof(pass) - 1);
682 return sizeof(pass) - 1;
683}
684
4e4ae840
SL		 685static int test_ssl_ctx_build_cert_chain(void)
686{
687 int ret = 0;
688 SSL_CTX *ctx = NULL;
c7debe81 689 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
4e4ae840
SL		 690 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
691
692 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
693 goto end;
c7debe81 694 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
4e4ae840
SL		 695 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
696 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
697 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
698 SSL_FILETYPE_PEM), 1)
699 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
700 goto end;
701 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
702 | SSL_BUILD_CHAIN_FLAG_CHECK)))
703 goto end;
704 ret = 1;
705end:
706 SSL_CTX_free(ctx);
707 OPENSSL_free(leaf_chain);
708 OPENSSL_free(skey);
709 return ret;
710}
711
e9ee6536 712#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 713static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 714{
715 int *ctr = arg;
716 const unsigned char *p;
8ea404fb 717 int *exts;
2afaee51
BK		 718 /* We only configure two ciphers, but the SCSV is added automatically. */
719#ifdef OPENSSL_NO_EC
720 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
721#else
722 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
723 0x2c, 0x00, 0xff};
724#endif
8ea404fb
BK		 725 const int expected_extensions[] = {
726#ifndef OPENSSL_NO_EC
727 11, 10,
728#endif
10ed1b72 729 35, 22, 23, 13};
2afaee51
BK		 730 size_t len;
731
732 /* Make sure we can defer processing and get called back. */
733 if ((*ctr)++ == 0)
f1b97da1 734 return SSL_CLIENT_HELLO_RETRY;
2afaee51 735
a9c0d8be 736 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 737 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 738 || !TEST_size_t_eq(
739 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 740 || !TEST_int_eq(*p, 0))
f1b97da1 741 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 742 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 743 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 744 if (len != OSSL_NELEM(expected_extensions) ||
745 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 746 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 747 OPENSSL_free(exts);
f1b97da1 748 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 749 }
750 OPENSSL_free(exts);
f1b97da1 751 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 752}
753
a9c0d8be 754static int test_client_hello_cb(void)
710756a9 755{
2afaee51
BK		 756 SSL_CTX *cctx = NULL, *sctx = NULL;
757 SSL *clientssl = NULL, *serverssl = NULL;
758 int testctr = 0, testresult = 0;
759
5e30f2fd
MC		 760 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
761 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 762 &sctx, &cctx, cert, privkey)))
2afaee51 763 goto end;
a9c0d8be 764 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 765
2afaee51
BK		 766 /* The gimpy cipher list we configure can't do TLS 1.3. */
767 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 768
710756a9
RS		 769 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
770 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
771 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
772 &clientssl, NULL, NULL))
773 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 774 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 775 /*
776 * Passing a -1 literal is a hack since
777 * the real value was lost.
778 * */
a9c0d8be
DB		 779 || !TEST_int_eq(SSL_get_error(serverssl, -1),
780 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 781 || !TEST_true(create_ssl_connection(serverssl, clientssl,
782 SSL_ERROR_NONE)))
2afaee51 783 goto end;
2afaee51
BK		 784
785 testresult = 1;
786
088dfa13
TS		 787end:
788 SSL_free(serverssl);
789 SSL_free(clientssl);
790 SSL_CTX_free(sctx);
791 SSL_CTX_free(cctx);
792
793 return testresult;
794}
795
796static int test_no_ems(void)
797{
798 SSL_CTX *cctx = NULL, *sctx = NULL;
799 SSL *clientssl = NULL, *serverssl = NULL;
50ea5cdc 800 int testresult = 0, status;
088dfa13 801
5e30f2fd 802 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
088dfa13
TS		 803 TLS1_VERSION, TLS1_2_VERSION,
804 &sctx, &cctx, cert, privkey)) {
805 printf("Unable to create SSL_CTX pair\n");
806 goto end;
807 }
808
809 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
810
811 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
812 printf("Unable to create SSL objects\n");
813 goto end;
814 }
815
50ea5cdc 816 status = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
817 if (fips_ems_check) {
818 if (status == 1) {
819 printf("When FIPS uses the EMS check a connection that doesnt use EMS should fail\n");
820 goto end;
821 }
822 } else {
823 if (!status) {
824 printf("Creating SSL connection failed\n");
825 goto end;
826 }
827 if (SSL_get_extms_support(serverssl)) {
828 printf("Server reports Extended Master Secret support\n");
829 goto end;
830 }
831 if (SSL_get_extms_support(clientssl)) {
832 printf("Client reports Extended Master Secret support\n");
833 goto end;
834 }
088dfa13
TS		 835 }
836 testresult = 1;
837
2afaee51
BK		 838end:
839 SSL_free(serverssl);
840 SSL_free(clientssl);
841 SSL_CTX_free(sctx);
842 SSL_CTX_free(cctx);
843
844 return testresult;
845}
846
3cd14e5e
BK		 847/*
848 * Very focused test to exercise a single case in the server-side state
849 * machine, when the ChangeCipherState message needs to actually change
850 * from one cipher to a different cipher (i.e., not changing from null
b3e6d666 851 * encryption to real encryption).
3cd14e5e
BK		 852 */
853static int test_ccs_change_cipher(void)
854{
855 SSL_CTX *cctx = NULL, *sctx = NULL;
856 SSL *clientssl = NULL, *serverssl = NULL;
857 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
858 int testresult = 0;
859 int i;
860 unsigned char buf;
861 size_t readbytes;
862
863 /*
e304aa87 864 * Create a connection so we can resume and potentially (but not) use
3cd14e5e
BK		 865 * a different cipher in the second connection.
866 */
5e30f2fd 867 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3cd14e5e
BK		 868 TLS_client_method(),
869 TLS1_VERSION, TLS1_2_VERSION,
870 &sctx, &cctx, cert, privkey))
871 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
872 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
873 NULL, NULL))
874 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
875 || !TEST_true(create_ssl_connection(serverssl, clientssl,
876 SSL_ERROR_NONE))
877 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
878 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
879 goto end;
880
881 shutdown_ssl_connection(serverssl, clientssl);
882 serverssl = clientssl = NULL;
883
884 /* Resume, preferring a different cipher. Our server will force the
885 * same cipher to be used as the initial handshake. */
886 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
887 NULL, NULL))
888 || !TEST_true(SSL_set_session(clientssl, sess))
889 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
890 || !TEST_true(create_ssl_connection(serverssl, clientssl,
891 SSL_ERROR_NONE))
892 || !TEST_true(SSL_session_reused(clientssl))
893 || !TEST_true(SSL_session_reused(serverssl))
894 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
895 || !TEST_ptr_eq(sesspre, sesspost)
896 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
897 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
898 goto end;
899 shutdown_ssl_connection(serverssl, clientssl);
900 serverssl = clientssl = NULL;
901
902 /*
903 * Now create a fresh connection and try to renegotiate a different
904 * cipher on it.
905 */
b3e6d666
BK		 906 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
907 NULL, NULL))
3cd14e5e
BK		 908 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
909 || !TEST_true(create_ssl_connection(serverssl, clientssl,
910 SSL_ERROR_NONE))
911 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
912 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
913 || !TEST_true(SSL_renegotiate(clientssl))
914 || !TEST_true(SSL_renegotiate_pending(clientssl)))
915 goto end;
916 /* Actually drive the renegotiation. */
917 for (i = 0; i < 3; i++) {
918 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
919 if (!TEST_ulong_eq(readbytes, 0))
920 goto end;
921 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
922 SSL_ERROR_WANT_READ)) {
923 goto end;
924 }
925 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
926 if (!TEST_ulong_eq(readbytes, 0))
927 goto end;
928 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
929 SSL_ERROR_WANT_READ)) {
930 goto end;
931 }
932 }
933 /* sesspre and sesspost should be different since the cipher changed. */
934 if (!TEST_false(SSL_renegotiate_pending(clientssl))
935 || !TEST_false(SSL_session_reused(clientssl))
936 || !TEST_false(SSL_session_reused(serverssl))
937 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
938 || !TEST_ptr_ne(sesspre, sesspost)
939 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
940 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
941 goto end;
942
943 shutdown_ssl_connection(serverssl, clientssl);
944 serverssl = clientssl = NULL;
945
946 testresult = 1;
947
948end:
949 SSL_free(serverssl);
950 SSL_free(clientssl);
951 SSL_CTX_free(sctx);
952 SSL_CTX_free(cctx);
953 SSL_SESSION_free(sess);
954
955 return testresult;
956}
fb121631 957#endif
3cd14e5e 958
84d5549e 959static int execute_test_large_message(const SSL_METHOD *smeth,
7d7f6834
RL		 960 const SSL_METHOD *cmeth,
961 int min_version, int max_version,
962 int read_ahead)
84d5549e
MC		 963{
964 SSL_CTX *cctx = NULL, *sctx = NULL;
965 SSL *clientssl = NULL, *serverssl = NULL;
966 int testresult = 0;
967 int i;
710756a9 968 BIO *certbio = NULL;
84d5549e
MC		 969 X509 *chaincert = NULL;
970 int certlen;
971
710756a9 972 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
84d5549e 973 goto end;
6725682d 974
d8652be0 975 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
6725682d
SL		 976 goto end;
977
978 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
979 goto end;
fa454945
MC		 980 BIO_free(certbio);
981 certbio = NULL;
84d5549e 982
5e30f2fd
MC		 983 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
984 max_version, &sctx, &cctx, cert,
985 privkey)))
84d5549e 986 goto end;
84d5549e 987
8ce390e1
MC		 988#ifdef OPENSSL_NO_DTLS1_2
989 if (smeth == DTLS_server_method()) {
990 /*
991 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
992 * level 0
993 */
994 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
995 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
996 "DEFAULT:@SECLEVEL=0")))
997 goto end;
998 }
999#endif
1000
710756a9 1001 if (read_ahead) {
7856332e
MC		 1002 /*
1003 * Test that read_ahead works correctly when dealing with large
1004 * records
1005 */
1006 SSL_CTX_set_read_ahead(cctx, 1);
1007 }
1008
84d5549e
MC		 1009 /*
1010 * We assume the supplied certificate is big enough so that if we add
1011 * NUM_EXTRA_CERTS it will make the overall message large enough. The
1012 * default buffer size is requested to be 16k, but due to the way BUF_MEM
710756a9
RS		 1013 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
1014 * test we need to have a message larger than that.
84d5549e
MC		 1015 */
1016 certlen = i2d_X509(chaincert, NULL);
710756a9
RS		 1017 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
1018 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
84d5549e 1019 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
710756a9 1020 if (!X509_up_ref(chaincert))
84d5549e 1021 goto end;
84d5549e 1022 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
84d5549e
MC		 1023 X509_free(chaincert);
1024 goto end;
1025 }
1026 }
1027
710756a9
RS		 1028 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1029 NULL, NULL))
1030 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1031 SSL_ERROR_NONE)))
84d5549e 1032 goto end;
84d5549e 1033
4bf08600
MC		 1034 /*
1035 * Calling SSL_clear() first is not required but this tests that SSL_clear()
742ccab3 1036 * doesn't leak.
4bf08600 1037 */
710756a9 1038 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 1039 goto end;
84d5549e 1040
4bf08600 1041 testresult = 1;
84d5549e 1042 end:
6725682d 1043 BIO_free(certbio);
84d5549e
MC		 1044 X509_free(chaincert);
1045 SSL_free(serverssl);
1046 SSL_free(clientssl);
1047 SSL_CTX_free(sctx);
1048 SSL_CTX_free(cctx);
1049
1050 return testresult;
1051}
1052
da4db160 1053#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
a763ca11 1054 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
fe5d9450
BP		 1055/* sock must be connected */
1056static int ktls_chk_platform(int sock)
1057{
1058 if (!ktls_enable(sock))
1059 return 0;
1060 return 1;
1061}
1062
e1fdd526 1063static int ping_pong_query(SSL *clientssl, SSL *serverssl)
fe5d9450
BP		 1064{
1065 static char count = 1;
1066 unsigned char cbuf[16000] = {0};
1067 unsigned char sbuf[16000];
1068 size_t err = 0;
e1fdd526
JB		 1069 char crec_wseq_before[SEQ_NUM_SIZE];
1070 char crec_wseq_after[SEQ_NUM_SIZE];
1071 char crec_rseq_before[SEQ_NUM_SIZE];
1072 char crec_rseq_after[SEQ_NUM_SIZE];
1073 char srec_wseq_before[SEQ_NUM_SIZE];
1074 char srec_wseq_after[SEQ_NUM_SIZE];
1075 char srec_rseq_before[SEQ_NUM_SIZE];
1076 char srec_rseq_after[SEQ_NUM_SIZE];
38b051a1
TM		 1077 SSL_CONNECTION *clientsc, *serversc;
1078
1079 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1080 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1081 goto end;
fe5d9450
BP		 1082
1083 cbuf[0] = count++;
2c50d7fb
MC		 1084 memcpy(crec_wseq_before, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1085 memcpy(srec_wseq_before, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
cffafb5f 1086 memcpy(crec_rseq_before, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
cffafb5f 1087 memcpy(srec_rseq_before, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
fe5d9450
BP		 1088
1089 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1090 goto end;
1091
1092 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1093 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1094 goto end;
1095 }
1096 }
1097
1098 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1099 goto end;
1100
1101 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1102 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1103 goto end;
1104 }
1105 }
1106
2c50d7fb
MC		 1107 memcpy(crec_wseq_after, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1108 memcpy(srec_wseq_after, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
cffafb5f 1109 memcpy(crec_rseq_after, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
cffafb5f 1110 memcpy(srec_rseq_after, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
fe5d9450
BP		 1111
1112 /* verify the payload */
1113 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1114 goto end;
1115
e1fdd526
JB		 1116 /*
1117 * If ktls is used then kernel sequences are used instead of
1118 * OpenSSL sequences
1119 */
38b051a1 1120 if (!BIO_get_ktls_send(clientsc->wbio)) {
e1fdd526
JB		 1121 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1122 crec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1123 goto end;
1124 } else {
e1fdd526
JB		 1125 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1126 crec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1127 goto end;
1128 }
1129
38b051a1 1130 if (!BIO_get_ktls_send(serversc->wbio)) {
e1fdd526
JB		 1131 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1132 srec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1133 goto end;
1134 } else {
e1fdd526
JB		 1135 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1136 srec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1137 goto end;
1138 }
1139
38b051a1 1140 if (!BIO_get_ktls_recv(clientsc->wbio)) {
e1fdd526
JB		 1141 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1142 crec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1143 goto end;
1144 } else {
e1fdd526
JB		 1145 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1146 crec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1147 goto end;
1148 }
1149
38b051a1 1150 if (!BIO_get_ktls_recv(serversc->wbio)) {
e1fdd526
JB		 1151 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1152 srec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1153 goto end;
1154 } else {
e1fdd526
JB		 1155 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1156 srec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1157 goto end;
1158 }
fe5d9450
BP		 1159
1160 return 1;
1161end:
1162 return 0;
1163}
1164
a3a54179 1165static int execute_test_ktls(int cis_ktls, int sis_ktls,
e1fdd526 1166 int tls_version, const char *cipher)
fe5d9450
BP		 1167{
1168 SSL_CTX *cctx = NULL, *sctx = NULL;
1169 SSL *clientssl = NULL, *serverssl = NULL;
e1fdd526
JB		 1170 int ktls_used = 0, testresult = 0;
1171 int cfd = -1, sfd = -1;
1172 int rx_supported;
38b051a1 1173 SSL_CONNECTION *clientsc, *serversc;
fe5d9450 1174
0c593328 1175 if (!TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
fe5d9450
BP		 1176 goto end;
1177
1178 /* Skip this test if the platform does not support ktls */
e1fdd526
JB		 1179 if (!ktls_chk_platform(cfd)) {
1180 testresult = TEST_skip("Kernel does not support KTLS");
1181 goto end;
1182 }
fe5d9450 1183
a5d8a2f8
DB		 1184 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1185 testresult = TEST_skip("CHACHA is not supported in FIPS");
1186 goto end;
1187 }
1188
fe5d9450 1189 /* Create a session based on SHA-256 */
5e30f2fd 1190 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fe5d9450 1191 TLS_client_method(),
da4db160 1192 tls_version, tls_version,
e1fdd526
JB		 1193 &sctx, &cctx, cert, privkey)))
1194 goto end;
1195
1196 if (tls_version == TLS1_3_VERSION) {
1197 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1198 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1199 goto end;
1200 } else {
1201 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1202 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1203 goto end;
1204 }
1205
1206 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1207 &clientssl, sfd, cfd)))
fe5d9450
BP		 1208 goto end;
1209
38b051a1
TM		 1210 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1211 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1212 goto end;
1213
a3a54179
MC		 1214 if (cis_ktls) {
1215 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
fe5d9450
BP		 1216 goto end;
1217 }
1218
a3a54179 1219 if (sis_ktls) {
e1fdd526 1220 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
2fab79af
BP		 1221 goto end;
1222 }
1223
e1fdd526 1224 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
fe5d9450
BP		 1225 goto end;
1226
e1fdd526
JB		 1227 /*
1228 * The running kernel may not support a given cipher suite
1229 * or direction, so just check that KTLS isn't used when it
1230 * isn't enabled.
1231 */
a3a54179 1232 if (!cis_ktls) {
38b051a1 1233 if (!TEST_false(BIO_get_ktls_send(clientsc->wbio)))
fe5d9450
BP		 1234 goto end;
1235 } else {
38b051a1 1236 if (BIO_get_ktls_send(clientsc->wbio))
e1fdd526 1237 ktls_used = 1;
fe5d9450
BP		 1238 }
1239
a3a54179 1240 if (!sis_ktls) {
38b051a1 1241 if (!TEST_false(BIO_get_ktls_send(serversc->wbio)))
fe5d9450
BP		 1242 goto end;
1243 } else {
38b051a1 1244 if (BIO_get_ktls_send(serversc->wbio))
e1fdd526 1245 ktls_used = 1;
fe5d9450
BP		 1246 }
1247
a3a54179 1248#if defined(OPENSSL_NO_KTLS_RX)
e1fdd526
JB		 1249 rx_supported = 0;
1250#else
7c78932b 1251 rx_supported = 1;
a3a54179 1252#endif
e1fdd526 1253 if (!cis_ktls || !rx_supported) {
38b051a1 1254 if (!TEST_false(BIO_get_ktls_recv(clientsc->rbio)))
2fab79af
BP		 1255 goto end;
1256 } else {
38b051a1 1257 if (BIO_get_ktls_send(clientsc->rbio))
e1fdd526 1258 ktls_used = 1;
2fab79af
BP		 1259 }
1260
e1fdd526 1261 if (!sis_ktls || !rx_supported) {
38b051a1 1262 if (!TEST_false(BIO_get_ktls_recv(serversc->rbio)))
2fab79af
BP		 1263 goto end;
1264 } else {
38b051a1 1265 if (BIO_get_ktls_send(serversc->rbio))
e1fdd526
JB		 1266 ktls_used = 1;
1267 }
1268
1269 if ((cis_ktls || sis_ktls) && !ktls_used) {
1270 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1271 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1272 "TLS 1.2", cipher);
1273 goto end;
2fab79af
BP		 1274 }
1275
e1fdd526 1276 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
fe5d9450
BP		 1277 goto end;
1278
1279 testresult = 1;
1280end:
1281 if (clientssl) {
1282 SSL_shutdown(clientssl);
1283 SSL_free(clientssl);
1284 }
1285 if (serverssl) {
1286 SSL_shutdown(serverssl);
1287 SSL_free(serverssl);
1288 }
1289 SSL_CTX_free(sctx);
1290 SSL_CTX_free(cctx);
1291 serverssl = clientssl = NULL;
e1fdd526
JB		 1292 if (cfd != -1)
1293 close(cfd);
1294 if (sfd != -1)
1295 close(sfd);
fe5d9450
BP		 1296 return testresult;
1297}
1298
7c3a7561
BP		 1299#define SENDFILE_SZ (16 * 4096)
1300#define SENDFILE_CHUNK (4 * 4096)
1301#define min(a,b) ((a) > (b) ? (b) : (a))
1302
cd715b7e
MM		 1303static int execute_test_ktls_sendfile(int tls_version, const char *cipher,
1304 int zerocopy)
7c3a7561
BP		 1305{
1306 SSL_CTX *cctx = NULL, *sctx = NULL;
1307 SSL *clientssl = NULL, *serverssl = NULL;
1308 unsigned char *buf, *buf_dst;
1309 BIO *out = NULL, *in = NULL;
e1fdd526 1310 int cfd = -1, sfd = -1, ffd, err;
7c3a7561
BP		 1311 ssize_t chunk_size = 0;
1312 off_t chunk_off = 0;
1313 int testresult = 0;
1314 FILE *ffdp;
38b051a1 1315 SSL_CONNECTION *serversc;
7c3a7561
BP		 1316
1317 buf = OPENSSL_zalloc(SENDFILE_SZ);
1318 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1319 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
0c593328 1320 || !TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
7c3a7561
BP		 1321 goto end;
1322
1323 /* Skip this test if the platform does not support ktls */
1324 if (!ktls_chk_platform(sfd)) {
e1fdd526 1325 testresult = TEST_skip("Kernel does not support KTLS");
7c3a7561
BP		 1326 goto end;
1327 }
1328
a5d8a2f8
DB		 1329 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1330 testresult = TEST_skip("CHACHA is not supported in FIPS");
1331 goto end;
1332 }
1333
7c3a7561 1334 /* Create a session based on SHA-256 */
5e30f2fd 1335 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7c3a7561 1336 TLS_client_method(),
da4db160 1337 tls_version, tls_version,
e1fdd526
JB		 1338 &sctx, &cctx, cert, privkey)))
1339 goto end;
1340
1341 if (tls_version == TLS1_3_VERSION) {
1342 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1343 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1344 goto end;
1345 } else {
1346 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1347 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1348 goto end;
1349 }
1350
1351 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1352 &clientssl, sfd, cfd)))
1353 goto end;
1354
38b051a1
TM		 1355 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1356 goto end;
1357
e1fdd526 1358 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
7c3a7561
BP		 1359 goto end;
1360
cd715b7e
MM		 1361 if (zerocopy) {
1362 if (!TEST_true(SSL_set_options(serverssl,
1363 SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE)))
1364 goto end;
1365 }
1366
7c3a7561 1367 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
e1fdd526 1368 SSL_ERROR_NONE)))
7c3a7561
BP		 1369 goto end;
1370
38b051a1 1371 if (!BIO_get_ktls_send(serversc->wbio)) {
e1fdd526
JB		 1372 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1373 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1374 "TLS 1.2", cipher);
1375 goto end;
1376 }
1377
c9007bda 1378 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
72c1e374
JB		 1379 goto end;
1380
7c3a7561
BP		 1381 out = BIO_new_file(tmpfilename, "wb");
1382 if (!TEST_ptr(out))
1383 goto end;
1384
1385 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1386 goto end;
1387
1388 BIO_free(out);
1389 out = NULL;
1390 in = BIO_new_file(tmpfilename, "rb");
1391 BIO_get_fp(in, &ffdp);
1392 ffd = fileno(ffdp);
1393
1394 while (chunk_off < SENDFILE_SZ) {
1395 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1396 while ((err = SSL_sendfile(serverssl,
1397 ffd,
1398 chunk_off,
1399 chunk_size,
1400 0)) != chunk_size) {
1401 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1402 goto end;
1403 }
1404 while ((err = SSL_read(clientssl,
1405 buf_dst + chunk_off,
1406 chunk_size)) != chunk_size) {
1407 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1408 goto end;
1409 }
1410
1411 /* verify the payload */
1412 if (!TEST_mem_eq(buf_dst + chunk_off,
1413 chunk_size,
1414 buf + chunk_off,
1415 chunk_size))
1416 goto end;
1417
1418 chunk_off += chunk_size;
1419 }
1420
1421 testresult = 1;
1422end:
1423 if (clientssl) {
1424 SSL_shutdown(clientssl);
1425 SSL_free(clientssl);
1426 }
1427 if (serverssl) {
1428 SSL_shutdown(serverssl);
1429 SSL_free(serverssl);
1430 }
1431 SSL_CTX_free(sctx);
1432 SSL_CTX_free(cctx);
1433 serverssl = clientssl = NULL;
1434 BIO_free(out);
1435 BIO_free(in);
e1fdd526
JB		 1436 if (cfd != -1)
1437 close(cfd);
1438 if (sfd != -1)
1439 close(sfd);
7c3a7561
BP		 1440 OPENSSL_free(buf);
1441 OPENSSL_free(buf_dst);
1442 return testresult;
1443}
1444
e1fdd526
JB		 1445static struct ktls_test_cipher {
1446 int tls_version;
1447 const char *cipher;
1448} ktls_test_ciphers[] = {
1449# if !defined(OPENSSL_NO_TLS1_2)
1450# ifdef OPENSSL_KTLS_AES_GCM_128
1451 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1452# endif
1453# ifdef OPENSSL_KTLS_AES_CCM_128
1454 { TLS1_2_VERSION, "AES128-CCM"},
1455# endif
1456# ifdef OPENSSL_KTLS_AES_GCM_256
1457 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1458# endif
11bac1b4 1459# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
2dded44a 1460# ifndef OPENSSL_NO_EC
11bac1b4 1461 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
2dded44a 1462# endif
11bac1b4 1463# endif
e1fdd526
JB		 1464# endif
1465# if !defined(OSSL_NO_USABLE_TLS1_3)
1466# ifdef OPENSSL_KTLS_AES_GCM_128
1467 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1468# endif
1469# ifdef OPENSSL_KTLS_AES_CCM_128
1470 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1471# endif
1472# ifdef OPENSSL_KTLS_AES_GCM_256
1473 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1474# endif
11bac1b4
JB		 1475# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1476 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1477# endif
e1fdd526
JB		 1478# endif
1479};
1480
1481#define NUM_KTLS_TEST_CIPHERS \
1482 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1483
da4db160
VF		 1484static int test_ktls(int test)
1485{
e1fdd526 1486 struct ktls_test_cipher *cipher;
a3a54179 1487 int cis_ktls, sis_ktls;
da4db160 1488
2cff17fd 1489 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
e1fdd526 1490 cipher = &ktls_test_ciphers[test / 4];
da4db160 1491
a3a54179
MC		 1492 cis_ktls = (test & 1) != 0;
1493 sis_ktls = (test & 2) != 0;
cd03b5dc 1494
e1fdd526
JB		 1495 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1496 cipher->cipher);
2fab79af
BP		 1497}
1498
cd715b7e 1499static int test_ktls_sendfile(int test)
fe5d9450 1500{
e1fdd526 1501 struct ktls_test_cipher *cipher;
cd715b7e 1502 int tst = test >> 1;
da4db160 1503
2cff17fd 1504 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
e1fdd526 1505 cipher = &ktls_test_ciphers[tst];
da4db160 1506
cd715b7e
MM		 1507 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher,
1508 test & 1);
fe5d9450 1509}
fe5d9450
BP		 1510#endif
1511
84d5549e
MC		 1512static int test_large_message_tls(void)
1513{
7856332e 1514 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1515 TLS1_VERSION, 0, 0);
7856332e
MC		 1516}
1517
1518static int test_large_message_tls_read_ahead(void)
1519{
1520 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1521 TLS1_VERSION, 0, 1);
84d5549e
MC		 1522}
1523
55386bef 1524#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 1525static int test_large_message_dtls(void)
1526{
8ce390e1
MC		 1527# ifdef OPENSSL_NO_DTLS1_2
1528 /* Not supported in the FIPS provider */
1529 if (is_fips)
1530 return 1;
1531# endif
7856332e
MC		 1532 /*
1533 * read_ahead is not relevant to DTLS because DTLS always acts as if
1534 * read_ahead is set.
1535 */
84d5549e 1536 return execute_test_large_message(DTLS_server_method(),
7d7f6834 1537 DTLS_client_method(),
5c587fb6 1538 DTLS1_VERSION, 0, 0);
84d5549e 1539}
55386bef 1540#endif
84d5549e 1541
3ff0a48a
MC		 1542/*
1543 * Test we can successfully send the maximum amount of application data. We
1544 * test each protocol version individually, each with and without EtM enabled.
1545 * TLSv1.3 doesn't use EtM so technically it is redundant to test both but it is
1546 * simpler this way. We also test all combinations with and without the
1547 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option which affects the size of the
1548 * underlying buffer.
1549 */
1550static int test_large_app_data(int tst)
1551{
1552 SSL_CTX *cctx = NULL, *sctx = NULL;
1553 SSL *clientssl = NULL, *serverssl = NULL;
1554 int testresult = 0, prot;
1555 unsigned char *msg, *buf = NULL;
1556 size_t written, readbytes;
2fda45d5
MC		 1557 const SSL_METHOD *smeth = TLS_server_method();
1558 const SSL_METHOD *cmeth = TLS_client_method();
3ff0a48a
MC		 1559
1560 switch (tst >> 2) {
1561 case 0:
1562#ifndef OSSL_NO_USABLE_TLS1_3
1563 prot = TLS1_3_VERSION;
1564 break;
1565#else
1566 return 1;
1567#endif
1568
1569 case 1:
1570#ifndef OPENSSL_NO_TLS1_2
1571 prot = TLS1_2_VERSION;
1572 break;
1573#else
1574 return 1;
1575#endif
1576
1577 case 2:
1578#ifndef OPENSSL_NO_TLS1_1
1579 prot = TLS1_1_VERSION;
1580 break;
1581#else
1582 return 1;
1583#endif
1584
1585 case 3:
1586#ifndef OPENSSL_NO_TLS1
1587 prot = TLS1_VERSION;
1588 break;
1589#else
1590 return 1;
1591#endif
1592
1593 case 4:
1594#ifndef OPENSSL_NO_SSL3
1595 prot = SSL3_VERSION;
1596 break;
1597#else
1598 return 1;
1599#endif
1600
2fda45d5
MC		 1601 case 5:
1602#ifndef OPENSSL_NO_DTLS1_2
1603 prot = DTLS1_2_VERSION;
1604 smeth = DTLS_server_method();
1605 cmeth = DTLS_client_method();
1606 break;
1607#else
1608 return 1;
1609#endif
1610
1611 case 6:
1612#ifndef OPENSSL_NO_DTLS1
1613 prot = DTLS1_VERSION;
1614 smeth = DTLS_server_method();
1615 cmeth = DTLS_client_method();
1616 break;
1617#else
1618 return 1;
1619#endif
1620
3ff0a48a
MC		 1621 default:
1622 /* Shouldn't happen */
1623 return 0;
1624 }
1625
2fda45d5 1626 if ((prot < TLS1_2_VERSION || prot == DTLS1_VERSION) && is_fips)
3ff0a48a
MC		 1627 return 1;
1628
1629 /* Maximal sized message of zeros */
1630 msg = OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH);
1631 if (!TEST_ptr(msg))
1632 goto end;
1633
1634 buf = OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH + 1);
1635 if (!TEST_ptr(buf))
1636 goto end;
1637 /* Set whole buffer to all bits set */
1638 memset(buf, 0xff, SSL3_RT_MAX_PLAIN_LENGTH + 1);
1639
2fda45d5 1640 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, prot, prot,
3ff0a48a
MC		 1641 &sctx, &cctx, cert, privkey)))
1642 goto end;
1643
2fda45d5 1644 if (prot < TLS1_2_VERSION || prot == DTLS1_VERSION) {
3ff0a48a
MC		 1645 /* Older protocol versions need SECLEVEL=0 due to SHA1 usage */
1646 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0"))
1647 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
1648 "DEFAULT:@SECLEVEL=0")))
1649 goto end;
1650 }
1651
1652 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1653 &clientssl, NULL, NULL)))
1654 goto end;
1655
1656 if ((tst & 1) != 0) {
1657 /* Setting this option gives us a minimally sized underlying buffer */
1658 if (!TEST_true(SSL_set_options(serverssl,
1659 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
1660 || !TEST_true(SSL_set_options(clientssl,
1661 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)))
1662 goto end;
1663 }
1664
1665 if ((tst & 2) != 0) {
1666 /*
1667 * Setting this option means the MAC is added before encryption
1668 * giving us a larger record for the encryption process
1669 */
1670 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC))
1671 || !TEST_true(SSL_set_options(clientssl,
1672 SSL_OP_NO_ENCRYPT_THEN_MAC)))
1673 goto end;
1674 }
1675
1676 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1677 goto end;
1678
1679 if (!TEST_true(SSL_write_ex(clientssl, msg, SSL3_RT_MAX_PLAIN_LENGTH,
1680 &written))
1681 || !TEST_size_t_eq(written, SSL3_RT_MAX_PLAIN_LENGTH))
1682 goto end;
1683
1684 /* We provide a buffer slightly larger than what we are actually expecting */
1685 if (!TEST_true(SSL_read_ex(serverssl, buf, SSL3_RT_MAX_PLAIN_LENGTH + 1,
1686 &readbytes)))
1687 goto end;
1688
1689 if (!TEST_mem_eq(msg, written, buf, readbytes))
1690 goto end;
1691
1692 testresult = 1;
1693end:
1694 OPENSSL_free(msg);
1695 OPENSSL_free(buf);
1696 SSL_free(serverssl);
1697 SSL_free(clientssl);
1698 SSL_CTX_free(sctx);
1699 SSL_CTX_free(cctx);
1700 return testresult;
1701}
1702
163b8016
ME		 1703static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1704 const SSL_METHOD *cmeth,
1705 int min_version, int max_version)
1706{
1707 size_t i;
1708 SSL_CTX *cctx = NULL, *sctx = NULL;
1709 SSL *clientssl = NULL, *serverssl = NULL;
1710 int testresult = 0;
2eb91b0e 1711 const unsigned char *zbuf;
38b051a1 1712 SSL_CONNECTION *serversc;
eddb067e 1713 TLS_RECORD *rr;
163b8016
ME		 1714
1715 static unsigned char cbuf[16000];
1716 static unsigned char sbuf[16000];
1717
1718 if (!TEST_true(create_ssl_ctx_pair(libctx,
1719 smeth, cmeth,
1720 min_version, max_version,
1721 &sctx, &cctx, cert,
1722 privkey)))
1723 goto end;
1724
8ce390e1
MC		 1725#ifdef OPENSSL_NO_DTLS1_2
1726 if (smeth == DTLS_server_method()) {
1727# ifdef OPENSSL_NO_DTLS1_2
1728 /* Not supported in the FIPS provider */
1729 if (is_fips) {
1730 testresult = 1;
1731 goto end;
1732 };
1733# endif
1734 /*
1735 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1736 * level 0
1737 */
1738 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1739 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1740 "DEFAULT:@SECLEVEL=0")))
1741 goto end;
1742 }
1743#endif
1744
163b8016
ME		 1745 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1746 NULL, NULL)))
1747 goto end;
1748
1749 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1750 goto end;
1751
1752 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1753 SSL_ERROR_NONE)))
1754 goto end;
1755
1756 for (i = 0; i < sizeof(cbuf); i++) {
1757 cbuf[i] = i & 0xff;
1758 }
1759
1760 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1761 goto end;
1762
1763 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1764 goto end;
1765
1766 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1767 goto end;
1768
1769 /*
1770 * Since we called SSL_peek(), we know the data in the record
1771 * layer is a plaintext record. We can gather the pointer to check
1772 * for zeroization after SSL_read().
1773 */
38b051a1
TM		 1774 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1775 goto end;
eddb067e 1776 rr = serversc->rlayer.tlsrecs;
4030869d 1777
eddb067e
MC		 1778 zbuf = &rr->data[rr->off];
1779 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1780 goto end;
163b8016
ME		 1781
1782 /*
1783 * After SSL_peek() the plaintext must still be stored in the
1784 * record.
1785 */
1786 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1787 goto end;
1788
1789 memset(sbuf, 0, sizeof(sbuf));
1790 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1791 goto end;
1792
1793 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1794 goto end;
1795
1796 /* Check if rbuf is cleansed */
1797 memset(cbuf, 0, sizeof(cbuf));
1798 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1799 goto end;
1800
1801 testresult = 1;
1802 end:
1803 SSL_free(serverssl);
1804 SSL_free(clientssl);
1805 SSL_CTX_free(sctx);
1806 SSL_CTX_free(cctx);
1807
1808 return testresult;
1809}
1810
1811static int test_cleanse_plaintext(void)
1812{
1813#if !defined(OPENSSL_NO_TLS1_2)
1814 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1815 TLS_client_method(),
1816 TLS1_2_VERSION,
1817 TLS1_2_VERSION)))
1818 return 0;
1819
1820#endif
1821
a763ca11 1822#if !defined(OSSL_NO_USABLE_TLS1_3)
163b8016
ME		 1823 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1824 TLS_client_method(),
1825 TLS1_3_VERSION,
1826 TLS1_3_VERSION)))
1827 return 0;
1828#endif
1829
1830#if !defined(OPENSSL_NO_DTLS)
8ce390e1 1831
163b8016
ME		 1832 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1833 DTLS_client_method(),
1834 DTLS1_VERSION,
1835 0)))
1836 return 0;
1837#endif
1838 return 1;
1839}
1840
8f8c11d8 1841#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 1842static int ocsp_server_cb(SSL *s, void *arg)
1843{
1844 int *argi = (int *)arg;
710756a9 1845 unsigned char *copy = NULL;
ba881d3b
MC		 1846 STACK_OF(OCSP_RESPID) *ids = NULL;
1847 OCSP_RESPID *id = NULL;
1848
1849 if (*argi == 2) {
1850 /* In this test we are expecting exactly 1 OCSP_RESPID */
1851 SSL_get_tlsext_status_ids(s, &ids);
1852 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1853 return SSL_TLSEXT_ERR_ALERT_FATAL;
1854
1855 id = sk_OCSP_RESPID_value(ids, 0);
5e30f2fd 1856 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
ba881d3b
MC		 1857 return SSL_TLSEXT_ERR_ALERT_FATAL;
1858 } else if (*argi != 1) {
1859 return SSL_TLSEXT_ERR_ALERT_FATAL;
1860 }
1861
710756a9 1862 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 1863 return SSL_TLSEXT_ERR_ALERT_FATAL;
1864
711d5a2f
P		 1865 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1866 sizeof(orespder)))) {
1867 OPENSSL_free(copy);
1868 return SSL_TLSEXT_ERR_ALERT_FATAL;
1869 }
ba881d3b 1870 ocsp_server_called = 1;
ba881d3b
MC		 1871 return SSL_TLSEXT_ERR_OK;
1872}
1873
1874static int ocsp_client_cb(SSL *s, void *arg)
1875{
1876 int *argi = (int *)arg;
1877 const unsigned char *respderin;
1878 size_t len;
1879
1880 if (*argi != 1 && *argi != 2)
1881 return 0;
1882
1883 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 1884 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 1885 return 0;
1886
1887 ocsp_client_called = 1;
ba881d3b
MC		 1888 return 1;
1889}
1890
2cb4b5f6
MC		 1891static int test_tlsext_status_type(void)
1892{
ba881d3b
MC		 1893 SSL_CTX *cctx = NULL, *sctx = NULL;
1894 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 1895 int testresult = 0;
ba881d3b
MC		 1896 STACK_OF(OCSP_RESPID) *ids = NULL;
1897 OCSP_RESPID *id = NULL;
1898 BIO *certbio = NULL;
2cb4b5f6 1899
5e30f2fd 1900 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
5c587fb6 1901 TLS1_VERSION, 0,
7d7f6834 1902 &sctx, &cctx, cert, privkey))
ba881d3b 1903 return 0;
2cb4b5f6 1904
710756a9 1905 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 1906 goto end;
2cb4b5f6 1907
ba881d3b 1908 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 1909
ba881d3b 1910 clientssl = SSL_new(cctx);
710756a9
RS		 1911 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1912 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1913 TLSEXT_STATUSTYPE_ocsp))
1914 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1915 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 1916 goto end;
2cb4b5f6 1917
ba881d3b
MC		 1918 SSL_free(clientssl);
1919 clientssl = NULL;
2cb4b5f6 1920
710756a9
RS		 1921 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1922 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1923 goto end;
2cb4b5f6 1924
ba881d3b 1925 clientssl = SSL_new(cctx);
710756a9 1926 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1927 goto end;
ba881d3b
MC		 1928 SSL_free(clientssl);
1929 clientssl = NULL;
1930
1931 /*
1932 * Now actually do a handshake and check OCSP information is exchanged and
1933 * the callbacks get called
1934 */
ba881d3b
MC		 1935 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1936 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1937 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1938 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 1939 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1940 &clientssl, NULL, NULL))
1941 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1942 SSL_ERROR_NONE))
1943 || !TEST_true(ocsp_client_called)
1944 || !TEST_true(ocsp_server_called))
ba881d3b 1945 goto end;
ba881d3b
MC		 1946 SSL_free(serverssl);
1947 SSL_free(clientssl);
1948 serverssl = NULL;
1949 clientssl = NULL;
1950
1951 /* Try again but this time force the server side callback to fail */
1952 ocsp_client_called = 0;
1953 ocsp_server_called = 0;
1954 cdummyarg = 0;
710756a9
RS		 1955 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1956 &clientssl, NULL, NULL))
1957 /* This should fail because the callback will fail */
1958 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1959 SSL_ERROR_NONE))
1960 || !TEST_false(ocsp_client_called)
1961 || !TEST_false(ocsp_server_called))
ba881d3b 1962 goto end;
ba881d3b
MC		 1963 SSL_free(serverssl);
1964 SSL_free(clientssl);
1965 serverssl = NULL;
1966 clientssl = NULL;
1967
1968 /*
1969 * This time we'll get the client to send an OCSP_RESPID that it will
1970 * accept.
1971 */
1972 ocsp_client_called = 0;
1973 ocsp_server_called = 0;
1974 cdummyarg = 2;
710756a9
RS		 1975 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1976 &clientssl, NULL, NULL)))
ba881d3b 1977 goto end;
ba881d3b
MC		 1978
1979 /*
1980 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 1981 * specific one. We'll use the server cert.
ba881d3b 1982 */
710756a9
RS		 1983 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1984 || !TEST_ptr(id = OCSP_RESPID_new())
1985 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
d8652be0 1986 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
6725682d 1987 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
5e30f2fd 1988 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
710756a9 1989 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 1990 goto end;
ba881d3b
MC		 1991 id = NULL;
1992 SSL_set_tlsext_status_ids(clientssl, ids);
1993 /* Control has been transferred */
1994 ids = NULL;
1995
1996 BIO_free(certbio);
1997 certbio = NULL;
1998
710756a9
RS		 1999 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2000 SSL_ERROR_NONE))
2001 || !TEST_true(ocsp_client_called)
2002 || !TEST_true(ocsp_server_called))
ba881d3b 2003 goto end;
ba881d3b 2004
2cb4b5f6
MC		 2005 testresult = 1;
2006
2007 end:
ba881d3b
MC		 2008 SSL_free(serverssl);
2009 SSL_free(clientssl);
2010 SSL_CTX_free(sctx);
2011 SSL_CTX_free(cctx);
2012 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
2013 OCSP_RESPID_free(id);
2014 BIO_free(certbio);
2015 X509_free(ocspcert);
2016 ocspcert = NULL;
2cb4b5f6
MC		 2017
2018 return testresult;
2019}
8f8c11d8 2020#endif
2cb4b5f6 2021
a763ca11 2022#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 2023static int new_called, remove_called, get_called;
eaa776da 2024
eaa776da
MC		 2025static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
2026{
2027 new_called++;
c0537ebd
MC		 2028 /*
2029 * sess has been up-refed for us, but we don't actually need it so free it
2030 * immediately.
2031 */
2032 SSL_SESSION_free(sess);
eaa776da
MC		 2033 return 1;
2034}
2035
2036static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
2037{
2038 remove_called++;
2039}
2040
7a301f08
MC		 2041static SSL_SESSION *get_sess_val = NULL;
2042
2043static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
2044 int *copy)
2045{
0afca811 2046 get_called++;
7a301f08
MC		 2047 *copy = 1;
2048 return get_sess_val;
2049}
2050
7a301f08 2051static int execute_test_session(int maxprot, int use_int_cache,
90fc2c26 2052 int use_ext_cache, long s_options)
2cb4b5f6
MC		 2053{
2054 SSL_CTX *sctx = NULL, *cctx = NULL;
2055 SSL *serverssl1 = NULL, *clientssl1 = NULL;
2056 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 2057# ifndef OPENSSL_NO_TLS1_1
eaa776da 2058 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 2059# endif
2cb4b5f6 2060 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
36ff232c 2061 int testresult = 0, numnewsesstick = 1;
2cb4b5f6 2062
7e885b7b
P		 2063 new_called = remove_called = 0;
2064
36ff232c
MC		 2065 /* TLSv1.3 sends 2 NewSessionTickets */
2066 if (maxprot == TLS1_3_VERSION)
2067 numnewsesstick = 2;
2068
5e30f2fd
MC		 2069 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2070 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 2071 &sctx, &cctx, cert, privkey)))
2cb4b5f6 2072 return 0;
2cb4b5f6 2073
7a301f08
MC		 2074 /*
2075 * Only allow the max protocol version so we can force a connection failure
2076 * later
2077 */
2078 SSL_CTX_set_min_proto_version(cctx, maxprot);
2079 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 2080
2081 /* Set up session cache */
7e885b7b 2082 if (use_ext_cache) {
eaa776da
MC		 2083 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2084 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
2085 }
7e885b7b 2086 if (use_int_cache) {
eaa776da
MC		 2087 /* Also covers instance where both are set */
2088 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
2089 } else {
2090 SSL_CTX_set_session_cache_mode(cctx,
2091 SSL_SESS_CACHE_CLIENT
2092 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2093 }
2cb4b5f6 2094
90fc2c26
NM		 2095 if (s_options) {
2096 SSL_CTX_set_options(sctx, s_options);
2097 }
2098
710756a9
RS		 2099 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2100 NULL, NULL))
2101 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2102 SSL_ERROR_NONE))
2103 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 2104 goto end;
2cb4b5f6 2105
710756a9 2106 /* Should fail because it should already be in the cache */
7e885b7b 2107 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 2108 goto end;
7a301f08 2109 if (use_ext_cache
36ff232c
MC		 2110 && (!TEST_int_eq(new_called, numnewsesstick)
2111
2112 || !TEST_int_eq(remove_called, 0)))
b4982125 2113 goto end;
b4982125 2114
c0537ebd
MC		 2115 new_called = remove_called = 0;
2116 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2117 &clientssl2, NULL, NULL))
2118 || !TEST_true(SSL_set_session(clientssl2, sess1))
2119 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2120 SSL_ERROR_NONE))
2121 || !TEST_true(SSL_session_reused(clientssl2)))
2122 goto end;
2123
7a301f08
MC		 2124 if (maxprot == TLS1_3_VERSION) {
2125 /*
2126 * In TLSv1.3 we should have created a new session even though we have
4cb00457
MC		 2127 * resumed. Since we attempted a resume we should also have removed the
2128 * old ticket from the cache so that we try to only use tickets once.
7a301f08
MC		 2129 */
2130 if (use_ext_cache
2131 && (!TEST_int_eq(new_called, 1)
4cb00457 2132 || !TEST_int_eq(remove_called, 1)))
7a301f08
MC		 2133 goto end;
2134 } else {
2135 /*
2136 * In TLSv1.2 we expect to have resumed so no sessions added or
2137 * removed.
2138 */
2139 if (use_ext_cache
2140 && (!TEST_int_eq(new_called, 0)
2141 || !TEST_int_eq(remove_called, 0)))
2142 goto end;
2143 }
c0537ebd
MC		 2144
2145 SSL_SESSION_free(sess1);
2146 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
2147 goto end;
2148 shutdown_ssl_connection(serverssl2, clientssl2);
2149 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 2150
2151 new_called = remove_called = 0;
710756a9
RS		 2152 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2153 &clientssl2, NULL, NULL))
2154 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2155 SSL_ERROR_NONE)))
2cb4b5f6 2156 goto end;
2cb4b5f6 2157
710756a9 2158 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 2159 goto end;
2cb4b5f6 2160
7a301f08 2161 if (use_ext_cache
36ff232c
MC		 2162 && (!TEST_int_eq(new_called, numnewsesstick)
2163 || !TEST_int_eq(remove_called, 0)))
eaa776da 2164 goto end;
eaa776da 2165
c0537ebd 2166 new_called = remove_called = 0;
2cb4b5f6 2167 /*
710756a9
RS		 2168 * This should clear sess2 from the cache because it is a "bad" session.
2169 * See SSL_set_session() documentation.
2cb4b5f6 2170 */
710756a9 2171 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 2172 goto end;
7a301f08
MC		 2173 if (use_ext_cache
2174 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 2175 goto end;
710756a9 2176 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 2177 goto end;
2cb4b5f6 2178
7e885b7b 2179 if (use_int_cache) {
710756a9
RS		 2180 /* Should succeeded because it should not already be in the cache */
2181 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
2182 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 2183 goto end;
eaa776da
MC		 2184 }
2185
c0537ebd 2186 new_called = remove_called = 0;
eaa776da 2187 /* This shouldn't be in the cache so should fail */
710756a9 2188 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 2189 goto end;
2cb4b5f6 2190
7a301f08
MC		 2191 if (use_ext_cache
2192 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 2193 goto end;
2cb4b5f6 2194
bf208d95 2195# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 2196 new_called = remove_called = 0;
eaa776da
MC		 2197 /* Force a connection failure */
2198 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 2199 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2200 &clientssl3, NULL, NULL))
2201 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 2202 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 2203 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2204 SSL_ERROR_NONE)))
eaa776da 2205 goto end;
b4982125 2206
eaa776da 2207 /* We should have automatically removed the session from the cache */
7a301f08
MC		 2208 if (use_ext_cache
2209 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 2210 goto end;
2cb4b5f6 2211
710756a9 2212 /* Should succeed because it should not already be in the cache */
7e885b7b 2213 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 2214 goto end;
bf208d95 2215# endif
eaa776da 2216
7a301f08
MC		 2217 /* Now do some tests for server side caching */
2218 if (use_ext_cache) {
2219 SSL_CTX_sess_set_new_cb(cctx, NULL);
2220 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2221 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2222 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2223 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2224 get_sess_val = NULL;
2225 }
2226
2227 SSL_CTX_set_session_cache_mode(cctx, 0);
2228 /* Internal caching is the default on the server side */
2229 if (!use_int_cache)
2230 SSL_CTX_set_session_cache_mode(sctx,
2231 SSL_SESS_CACHE_SERVER
2232 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2233
2234 SSL_free(serverssl1);
2235 SSL_free(clientssl1);
2236 serverssl1 = clientssl1 = NULL;
2237 SSL_free(serverssl2);
2238 SSL_free(clientssl2);
2239 serverssl2 = clientssl2 = NULL;
2240 SSL_SESSION_free(sess1);
2241 sess1 = NULL;
2242 SSL_SESSION_free(sess2);
2243 sess2 = NULL;
2244
2245 SSL_CTX_set_max_proto_version(sctx, maxprot);
6cc0b3c2
MC		 2246 if (maxprot == TLS1_2_VERSION)
2247 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 2248 new_called = remove_called = get_called = 0;
7a301f08
MC		 2249 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2250 NULL, NULL))
2251 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2252 SSL_ERROR_NONE))
2253 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2254 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2255 goto end;
2256
ee94ec2e
MC		 2257 if (use_int_cache) {
2258 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2259 /*
2260 * In TLSv1.3 it should not have been added to the internal cache,
2261 * except in the case where we also have an external cache (in that
2262 * case it gets added to the cache in order to generate remove
2263 * events after timeout).
2264 */
2265 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2266 goto end;
2267 } else {
2268 /* Should fail because it should already be in the cache */
2269 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2270 goto end;
2271 }
2272 }
7a301f08
MC		 2273
2274 if (use_ext_cache) {
2275 SSL_SESSION *tmp = sess2;
2276
36ff232c 2277 if (!TEST_int_eq(new_called, numnewsesstick)
0afca811
KY		 2278 || !TEST_int_eq(remove_called, 0)
2279 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 2280 goto end;
2281 /*
2282 * Delete the session from the internal cache to force a lookup from
2283 * the external cache. We take a copy first because
2284 * SSL_CTX_remove_session() also marks the session as non-resumable.
2285 */
ee94ec2e 2286 if (use_int_cache && maxprot != TLS1_3_VERSION) {
3cb6a4d6 2287 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
9fdf9a44
WL		 2288 || !TEST_true(sess2->owner != NULL)
2289 || !TEST_true(tmp->owner == NULL)
2290 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
3cb6a4d6
BK		 2291 goto end;
2292 SSL_SESSION_free(sess2);
2293 }
7a301f08
MC		 2294 sess2 = tmp;
2295 }
2296
0afca811 2297 new_called = remove_called = get_called = 0;
7a301f08
MC		 2298 get_sess_val = sess2;
2299 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2300 &clientssl2, NULL, NULL))
2301 || !TEST_true(SSL_set_session(clientssl2, sess1))
2302 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2303 SSL_ERROR_NONE))
2304 || !TEST_true(SSL_session_reused(clientssl2)))
2305 goto end;
2306
0afca811 2307 if (use_ext_cache) {
32305f88 2308 if (!TEST_int_eq(remove_called, 0))
0afca811
KY		 2309 goto end;
2310
2311 if (maxprot == TLS1_3_VERSION) {
32305f88
MC		 2312 if (!TEST_int_eq(new_called, 1)
2313 || !TEST_int_eq(get_called, 0))
0afca811
KY		 2314 goto end;
2315 } else {
32305f88
MC		 2316 if (!TEST_int_eq(new_called, 0)
2317 || !TEST_int_eq(get_called, 1))
0afca811
KY		 2318 goto end;
2319 }
2320 }
4842a27b
TS		 2321 /*
2322 * Make a small cache, force out all other sessions but
2323 * sess2, try to add sess1, which should succeed. Then
2324 * make sure it's there by checking the owners. Despite
2325 * the timeouts, sess1 should have kicked out sess2
2326 */
2327
2328 /* Make sess1 expire before sess2 */
2329 if (!TEST_long_gt(SSL_SESSION_set_time(sess1, 1000), 0)
2330 || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0)
2331 || !TEST_long_gt(SSL_SESSION_set_time(sess2, 2000), 0)
2332 || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0))
2333 goto end;
2334
2335 if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0))
2336 goto end;
2337
2338 /* Don't care about results - cache should only be sess2 at end */
2339 SSL_CTX_add_session(sctx, sess1);
2340 SSL_CTX_add_session(sctx, sess2);
2341
2342 /* Now add sess1, and make sure it remains, despite timeout */
2343 if (!TEST_true(SSL_CTX_add_session(sctx, sess1))
2344 || !TEST_ptr(sess1->owner)
2345 || !TEST_ptr_null(sess2->owner))
2346 goto end;
7a301f08 2347
2cb4b5f6 2348 testresult = 1;
eaa776da 2349
2cb4b5f6
MC		 2350 end:
2351 SSL_free(serverssl1);
2352 SSL_free(clientssl1);
2353 SSL_free(serverssl2);
2354 SSL_free(clientssl2);
bf208d95 2355# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 2356 SSL_free(serverssl3);
2357 SSL_free(clientssl3);
bf208d95 2358# endif
2cb4b5f6
MC		 2359 SSL_SESSION_free(sess1);
2360 SSL_SESSION_free(sess2);
2361 SSL_CTX_free(sctx);
2362 SSL_CTX_free(cctx);
2363
2364 return testresult;
2365}
a763ca11 2366#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 2367
7fb4c820
MC		 2368static int test_session_with_only_int_cache(void)
2369{
a763ca11 2370#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2371 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
7a301f08
MC		 2372 return 0;
2373#endif
2374
2375#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2376 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
7a301f08
MC		 2377#else
2378 return 1;
2379#endif
eaa776da
MC		 2380}
2381
7fb4c820
MC		 2382static int test_session_with_only_ext_cache(void)
2383{
a763ca11 2384#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2385 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
7a301f08
MC		 2386 return 0;
2387#endif
2388
2389#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2390 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
7a301f08
MC		 2391#else
2392 return 1;
2393#endif
eaa776da
MC		 2394}
2395
7fb4c820
MC		 2396static int test_session_with_both_cache(void)
2397{
a763ca11 2398#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26
NM		 2399 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2400 return 0;
2401#endif
2402
2403#ifndef OPENSSL_NO_TLS1_2
2404 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2405#else
2406 return 1;
2407#endif
2408}
2409
2410static int test_session_wo_ca_names(void)
2411{
a763ca11 2412#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2413 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
7a301f08
MC		 2414 return 0;
2415#endif
2416
2417#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2418 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
7a301f08
MC		 2419#else
2420 return 1;
2421#endif
eaa776da
MC		 2422}
2423
90fc2c26 2424
a763ca11 2425#ifndef OSSL_NO_USABLE_TLS1_3
c22365b3
MC		 2426static SSL_SESSION *sesscache[6];
2427static int do_cache;
36ff232c
MC		 2428
2429static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2430{
c22365b3
MC		 2431 if (do_cache) {
2432 sesscache[new_called] = sess;
2433 } else {
2434 /* We don't need the reference to the session, so free it */
2435 SSL_SESSION_free(sess);
2436 }
2437 new_called++;
2438
2439 return 1;
2440}
2441
2442static int post_handshake_verify(SSL *sssl, SSL *cssl)
2443{
2444 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2445 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2446 return 0;
2447
2448 /* Start handshake on the server and client */
2449 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2450 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2451 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2452 || !TEST_true(create_ssl_connection(sssl, cssl,
2453 SSL_ERROR_NONE)))
2454 return 0;
36ff232c
MC		 2455
2456 return 1;
2457}
2458
fbe9dafd 2459static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
03cdf559
MC		 2460 SSL_CTX **cctx)
2461{
2462 int sess_id_ctx = 1;
2463
5e30f2fd
MC		 2464 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2465 TLS_client_method(), TLS1_VERSION, 0,
2466 sctx, cctx, cert, privkey))
03cdf559
MC		 2467 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2468 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2469 (void *)&sess_id_ctx,
2470 sizeof(sess_id_ctx))))
2471 return 0;
2472
2473 if (stateful)
2474 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2475
2476 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2477 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2478 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2479
2480 return 1;
2481}
2482
2483static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2484{
2485 SSL *serverssl = NULL, *clientssl = NULL;
2486 int i;
2487
2488 /* Test that we can resume with all the tickets we got given */
2489 for (i = 0; i < idx * 2; i++) {
2490 new_called = 0;
2491 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2492 &clientssl, NULL, NULL))
2493 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2494 goto end;
2495
32097b33 2496 SSL_set_post_handshake_auth(clientssl, 1);
03cdf559
MC		 2497
2498 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2499 SSL_ERROR_NONE)))
2500 goto end;
2501
2502 /*
2503 * Following a successful resumption we only get 1 ticket. After a
2504 * failed one we should get idx tickets.
2505 */
2506 if (succ) {
2507 if (!TEST_true(SSL_session_reused(clientssl))
2508 || !TEST_int_eq(new_called, 1))
2509 goto end;
2510 } else {
2511 if (!TEST_false(SSL_session_reused(clientssl))
2512 || !TEST_int_eq(new_called, idx))
2513 goto end;
2514 }
2515
2516 new_called = 0;
2517 /* After a post-handshake authentication we should get 1 new ticket */
2518 if (succ
2519 && (!post_handshake_verify(serverssl, clientssl)
2520 || !TEST_int_eq(new_called, 1)))
2521 goto end;
2522
2523 SSL_shutdown(clientssl);
2524 SSL_shutdown(serverssl);
2525 SSL_free(serverssl);
2526 SSL_free(clientssl);
2527 serverssl = clientssl = NULL;
2528 SSL_SESSION_free(sesscache[i]);
2529 sesscache[i] = NULL;
2530 }
2531
2532 return 1;
2533
2534 end:
2535 SSL_free(clientssl);
2536 SSL_free(serverssl);
2537 return 0;
2538}
2539
04d7814a 2540static int test_tickets(int stateful, int idx)
36ff232c
MC		 2541{
2542 SSL_CTX *sctx = NULL, *cctx = NULL;
2543 SSL *serverssl = NULL, *clientssl = NULL;
03cdf559 2544 int testresult = 0;
36ff232c
MC		 2545 size_t j;
2546
2547 /* idx is the test number, but also the number of tickets we want */
2548
2549 new_called = 0;
c22365b3 2550 do_cache = 1;
36ff232c 2551
fbe9dafd 2552 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
36ff232c
MC		 2553 goto end;
2554
03cdf559
MC		 2555 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2556 &clientssl, NULL, NULL)))
2557 goto end;
2558
2559 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2560 SSL_ERROR_NONE))
2561 /* Check we got the number of tickets we were expecting */
2562 || !TEST_int_eq(idx, new_called))
2563 goto end;
04d7814a 2564
03cdf559
MC		 2565 SSL_shutdown(clientssl);
2566 SSL_shutdown(serverssl);
2567 SSL_free(serverssl);
2568 SSL_free(clientssl);
2569 SSL_CTX_free(sctx);
2570 SSL_CTX_free(cctx);
2571 clientssl = serverssl = NULL;
2572 sctx = cctx = NULL;
2573
2574 /*
2575 * Now we try to resume with the tickets we previously created. The
2576 * resumption attempt is expected to fail (because we're now using a new
2577 * SSL_CTX). We should see idx number of tickets issued again.
2578 */
2579
2580 /* Stop caching sessions - just count them */
2581 do_cache = 0;
2582
fbe9dafd 2583 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559
MC		 2584 goto end;
2585
2586 if (!check_resumption(idx, sctx, cctx, 0))
2587 goto end;
2588
2589 /* Start again with caching sessions */
2590 new_called = 0;
2591 do_cache = 1;
fbe9dafd
MC		 2592 SSL_CTX_free(sctx);
2593 SSL_CTX_free(cctx);
2594 sctx = cctx = NULL;
03cdf559 2595
fbe9dafd 2596 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559 2597 goto end;
36ff232c
MC		 2598
2599 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2600 &clientssl, NULL, NULL)))
2601 goto end;
2602
32097b33 2603 SSL_set_post_handshake_auth(clientssl, 1);
36ff232c
MC		 2604
2605 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2606 SSL_ERROR_NONE))
2607 /* Check we got the number of tickets we were expecting */
2608 || !TEST_int_eq(idx, new_called))
2609 goto end;
2610
2611 /* After a post-handshake authentication we should get new tickets issued */
c22365b3 2612 if (!post_handshake_verify(serverssl, clientssl)
36ff232c
MC		 2613 || !TEST_int_eq(idx * 2, new_called))
2614 goto end;
2615
36ff232c
MC		 2616 SSL_shutdown(clientssl);
2617 SSL_shutdown(serverssl);
2618 SSL_free(serverssl);
2619 SSL_free(clientssl);
2620 serverssl = clientssl = NULL;
2621
c22365b3
MC		 2622 /* Stop caching sessions - just count them */
2623 do_cache = 0;
2624
03cdf559
MC		 2625 /*
2626 * Check we can resume with all the tickets we created. This time around the
2627 * resumptions should all be successful.
2628 */
2629 if (!check_resumption(idx, sctx, cctx, 1))
2630 goto end;
36ff232c
MC		 2631
2632 testresult = 1;
2633
2634 end:
2635 SSL_free(serverssl);
2636 SSL_free(clientssl);
c22365b3 2637 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
36ff232c 2638 SSL_SESSION_free(sesscache[j]);
c22365b3
MC		 2639 sesscache[j] = NULL;
2640 }
36ff232c
MC		 2641 SSL_CTX_free(sctx);
2642 SSL_CTX_free(cctx);
2643
2644 return testresult;
2645}
04d7814a
MC		 2646
2647static int test_stateless_tickets(int idx)
2648{
2649 return test_tickets(0, idx);
2650}
2651
2652static int test_stateful_tickets(int idx)
2653{
2654 return test_tickets(1, idx);
2655}
8614a4eb
MC		 2656
2657static int test_psk_tickets(void)
2658{
2659 SSL_CTX *sctx = NULL, *cctx = NULL;
2660 SSL *serverssl = NULL, *clientssl = NULL;
2661 int testresult = 0;
2662 int sess_id_ctx = 1;
2663
5e30f2fd
MC		 2664 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2665 TLS_client_method(), TLS1_VERSION, 0,
2666 &sctx, &cctx, NULL, NULL))
8614a4eb
MC		 2667 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2668 (void *)&sess_id_ctx,
2669 sizeof(sess_id_ctx))))
2670 goto end;
2671
2672 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2673 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2674 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2675 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2676 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2677 use_session_cb_cnt = 0;
2678 find_session_cb_cnt = 0;
2679 srvid = pskid;
2680 new_called = 0;
2681
2682 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2683 NULL, NULL)))
2684 goto end;
10836921 2685 clientpsk = serverpsk = create_a_psk(clientssl, SHA384_DIGEST_LENGTH);
8614a4eb
MC		 2686 if (!TEST_ptr(clientpsk))
2687 goto end;
2688 SSL_SESSION_up_ref(clientpsk);
2689
2690 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2691 SSL_ERROR_NONE))
2692 || !TEST_int_eq(1, find_session_cb_cnt)
2693 || !TEST_int_eq(1, use_session_cb_cnt)
2694 /* We should always get 1 ticket when using external PSK */
2695 || !TEST_int_eq(1, new_called))
2696 goto end;
2697
2698 testresult = 1;
2699
2700 end:
2701 SSL_free(serverssl);
2702 SSL_free(clientssl);
2703 SSL_CTX_free(sctx);
2704 SSL_CTX_free(cctx);
2705 SSL_SESSION_free(clientpsk);
2706 SSL_SESSION_free(serverpsk);
2707 clientpsk = serverpsk = NULL;
2708
2709 return testresult;
2710}
f0049b86
BK		 2711
2712static int test_extra_tickets(int idx)
2713{
2714 SSL_CTX *sctx = NULL, *cctx = NULL;
2715 SSL *serverssl = NULL, *clientssl = NULL;
2716 BIO *bretry = BIO_new(bio_s_always_retry());
2717 BIO *tmp = NULL;
2718 int testresult = 0;
2719 int stateful = 0;
2720 size_t nbytes;
2721 unsigned char c, buf[1];
2722
2723 new_called = 0;
2724 do_cache = 1;
2725
2726 if (idx >= 3) {
2727 idx -= 3;
2728 stateful = 1;
2729 }
2730
2731 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2732 goto end;
2733 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2734 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2735 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2736
2737 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2738 &clientssl, NULL, NULL)))
2739 goto end;
2740
2741 /*
2742 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2743 * incremented by both client and server.
2744 */
2745 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2746 SSL_ERROR_NONE))
2747 /* Check we got the number of tickets we were expecting */
2748 || !TEST_int_eq(idx * 2, new_called)
2749 || !TEST_true(SSL_new_session_ticket(serverssl))
2750 || !TEST_true(SSL_new_session_ticket(serverssl))
2751 || !TEST_int_eq(idx * 2, new_called))
2752 goto end;
2753
2754 /* Now try a (real) write to actually send the tickets */
2755 c = '1';
2756 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2757 || !TEST_size_t_eq(1, nbytes)
2758 || !TEST_int_eq(idx * 2 + 2, new_called)
2759 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2760 || !TEST_int_eq(idx * 2 + 4, new_called)
2761 || !TEST_int_eq(sizeof(buf), nbytes)
2762 || !TEST_int_eq(c, buf[0])
2763 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2764 goto end;
2765
2766 /* Try with only requesting one new ticket, too */
2767 c = '2';
2768 new_called = 0;
2769 if (!TEST_true(SSL_new_session_ticket(serverssl))
2770 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2771 || !TEST_size_t_eq(sizeof(c), nbytes)
2772 || !TEST_int_eq(1, new_called)
2773 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2774 || !TEST_int_eq(2, new_called)
2775 || !TEST_size_t_eq(sizeof(buf), nbytes)
2776 || !TEST_int_eq(c, buf[0]))
2777 goto end;
2778
2779 /* Do it again but use dummy writes to drive the ticket generation */
2780 c = '3';
2781 new_called = 0;
2782 if (!TEST_true(SSL_new_session_ticket(serverssl))
2783 || !TEST_true(SSL_new_session_ticket(serverssl))
2784 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2785 || !TEST_size_t_eq(0, nbytes)
2786 || !TEST_int_eq(2, new_called)
2787 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2788 || !TEST_int_eq(4, new_called))
2789 goto end;
2790
a0bbcb42
BK		 2791 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2792 c = '4';
2793 new_called = 0;
2794 if (!TEST_true(SSL_new_session_ticket(serverssl))
2795 || !TEST_true(SSL_new_session_ticket(serverssl))
2796 || !TEST_true(SSL_do_handshake(serverssl))
2797 || !TEST_int_eq(2, new_called)
2798 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2799 || !TEST_int_eq(4, new_called))
2800 goto end;
2801
f0049b86
BK		 2802 /*
2803 * Use the always-retry BIO to exercise the logic that forces ticket
2804 * generation to wait until a record boundary.
2805 */
a0bbcb42 2806 c = '5';
f0049b86
BK		 2807 new_called = 0;
2808 tmp = SSL_get_wbio(serverssl);
2809 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2810 tmp = NULL;
2811 goto end;
2812 }
2813 SSL_set0_wbio(serverssl, bretry);
2814 bretry = NULL;
2815 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2816 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2817 || !TEST_size_t_eq(nbytes, 0))
2818 goto end;
2819 /* Restore a BIO that will let the write succeed */
2820 SSL_set0_wbio(serverssl, tmp);
2821 tmp = NULL;
a0bbcb42
BK		 2822 /*
2823 * These calls should just queue the request and not send anything
2824 * even if we explicitly try to hit the state machine.
2825 */
f0049b86
BK		 2826 if (!TEST_true(SSL_new_session_ticket(serverssl))
2827 || !TEST_true(SSL_new_session_ticket(serverssl))
a0bbcb42
BK		 2828 || !TEST_int_eq(0, new_called)
2829 || !TEST_true(SSL_do_handshake(serverssl))
f0049b86
BK		 2830 || !TEST_int_eq(0, new_called))
2831 goto end;
2832 /* Re-do the write; still no tickets sent */
2833 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2834 || !TEST_size_t_eq(1, nbytes)
2835 || !TEST_int_eq(0, new_called)
2836 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2837 || !TEST_int_eq(0, new_called)
2838 || !TEST_int_eq(sizeof(buf), nbytes)
2839 || !TEST_int_eq(c, buf[0])
2840 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2841 goto end;
a0bbcb42
BK		 2842 /* Even trying to hit the state machine now will still not send tickets */
2843 if (!TEST_true(SSL_do_handshake(serverssl))
2844 || !TEST_int_eq(0, new_called))
2845 goto end;
f0049b86 2846 /* Now the *next* write should send the tickets */
a0bbcb42 2847 c = '6';
f0049b86
BK		 2848 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2849 || !TEST_size_t_eq(1, nbytes)
2850 || !TEST_int_eq(2, new_called)
2851 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2852 || !TEST_int_eq(4, new_called)
2853 || !TEST_int_eq(sizeof(buf), nbytes)
2854 || !TEST_int_eq(c, buf[0])
2855 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2856 goto end;
2857
2858 SSL_shutdown(clientssl);
2859 SSL_shutdown(serverssl);
2860 testresult = 1;
2861
2862 end:
2863 BIO_free(bretry);
2864 BIO_free(tmp);
2865 SSL_free(serverssl);
2866 SSL_free(clientssl);
2867 SSL_CTX_free(sctx);
2868 SSL_CTX_free(cctx);
2869 clientssl = serverssl = NULL;
2870 sctx = cctx = NULL;
2871 return testresult;
2872}
04225915 2873#endif
36ff232c 2874
7d4488bb
MC		 2875#define USE_NULL 0
2876#define USE_BIO_1 1
2877#define USE_BIO_2 2
2878#define USE_DEFAULT 3
2879
2880#define CONNTYPE_CONNECTION_SUCCESS 0
2881#define CONNTYPE_CONNECTION_FAIL 1
2882#define CONNTYPE_NO_CONNECTION 2
2883
2884#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2885#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
a763ca11 2886#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
7d4488bb
MC		 2887# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2888#else
2889# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2890#endif
2891
7d4488bb
MC		 2892#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2893 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2894 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
7fb4c820
MC		 2895
2896static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2897{
2898 switch (type) {
2899 case USE_NULL:
2900 *res = NULL;
2901 break;
2902 case USE_BIO_1:
2903 *res = bio1;
2904 break;
2905 case USE_BIO_2:
2906 *res = bio2;
2907 break;
2908 }
2909}
2910
7d4488bb
MC		 2911
2912/*
2913 * Tests calls to SSL_set_bio() under various conditions.
2914 *
2915 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2916 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2917 * then do more tests where we create a successful connection first using our
2918 * standard connection setup functions, and then call SSL_set_bio() with
2919 * various combinations of valid BIOs or NULL. We then repeat these tests
2920 * following a failed connection. In this last case we are looking to check that
2921 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2922 */
7fb4c820
MC		 2923static int test_ssl_set_bio(int idx)
2924{
7d4488bb 2925 SSL_CTX *sctx = NULL, *cctx = NULL;
7fb4c820
MC		 2926 BIO *bio1 = NULL;
2927 BIO *bio2 = NULL;
0fae8150 2928 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7d4488bb
MC		 2929 SSL *serverssl = NULL, *clientssl = NULL;
2930 int initrbio, initwbio, newrbio, newwbio, conntype;
7fb4c820
MC		 2931 int testresult = 0;
2932
7d4488bb
MC		 2933 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2934 initrbio = idx % 3;
2935 idx /= 3;
2936 initwbio = idx % 3;
2937 idx /= 3;
2938 newrbio = idx % 3;
2939 idx /= 3;
2940 newwbio = idx % 3;
2941 conntype = CONNTYPE_NO_CONNECTION;
2942 } else {
2943 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2944 initrbio = initwbio = USE_DEFAULT;
2945 newrbio = idx % 2;
2946 idx /= 2;
2947 newwbio = idx % 2;
2948 idx /= 2;
2949 conntype = idx % 2;
2950 }
710756a9 2951
5e30f2fd
MC		 2952 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2953 TLS_client_method(), TLS1_VERSION, 0,
7d4488bb
MC		 2954 &sctx, &cctx, cert, privkey)))
2955 goto end;
2956
2957 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2958 /*
2959 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2960 * because we reduced the number of tests in the definition of
2961 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2962 * mismatched protocol versions we will force a connection failure.
2963 */
2964 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2965 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2966 }
2967
2968 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2969 NULL, NULL)))
710756a9 2970 goto end;
7fb4c820 2971
710756a9
RS		 2972 if (initrbio == USE_BIO_1
2973 || initwbio == USE_BIO_1
2974 || newrbio == USE_BIO_1
7fb4c820 2975 || newwbio == USE_BIO_1) {
710756a9 2976 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 2977 goto end;
7fb4c820
MC		 2978 }
2979
710756a9
RS		 2980 if (initrbio == USE_BIO_2
2981 || initwbio == USE_BIO_2
2982 || newrbio == USE_BIO_2
7fb4c820 2983 || newwbio == USE_BIO_2) {
710756a9 2984 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 2985 goto end;
7fb4c820
MC		 2986 }
2987
7d4488bb
MC		 2988 if (initrbio != USE_DEFAULT) {
2989 setupbio(&irbio, bio1, bio2, initrbio);
2990 setupbio(&iwbio, bio1, bio2, initwbio);
2991 SSL_set_bio(clientssl, irbio, iwbio);
7fb4c820 2992
7d4488bb
MC		 2993 /*
2994 * We want to maintain our own refs to these BIO, so do an up ref for
2995 * each BIO that will have ownership transferred in the SSL_set_bio()
2996 * call
2997 */
2998 if (irbio != NULL)
2999 BIO_up_ref(irbio);
3000 if (iwbio != NULL && iwbio != irbio)
3001 BIO_up_ref(iwbio);
3002 }
7fb4c820 3003
7d4488bb
MC		 3004 if (conntype != CONNTYPE_NO_CONNECTION
3005 && !TEST_true(create_ssl_connection(serverssl, clientssl,
3006 SSL_ERROR_NONE)
3007 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
3008 goto end;
7fb4c820
MC		 3009
3010 setupbio(&nrbio, bio1, bio2, newrbio);
3011 setupbio(&nwbio, bio1, bio2, newwbio);
3012
3013 /*
3014 * We will (maybe) transfer ownership again so do more up refs.
3015 * SSL_set_bio() has some really complicated ownership rules where BIOs have
3016 * already been set!
3017 */
710756a9
RS		 3018 if (nrbio != NULL
3019 && nrbio != irbio
3020 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 3021 BIO_up_ref(nrbio);
710756a9
RS		 3022 if (nwbio != NULL
3023 && nwbio != nrbio
3024 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 3025 BIO_up_ref(nwbio);
3026
7d4488bb 3027 SSL_set_bio(clientssl, nrbio, nwbio);
7fb4c820
MC		 3028
3029 testresult = 1;
3030
3031 end:
7fb4c820
MC		 3032 BIO_free(bio1);
3033 BIO_free(bio2);
710756a9 3034
7fb4c820
MC		 3035 /*
3036 * This test is checking that the ref counting for SSL_set_bio is correct.
3037 * If we get here and we did too many frees then we will fail in the above
742ccab3 3038 * functions.
7fb4c820 3039 */
7d4488bb
MC		 3040 SSL_free(serverssl);
3041 SSL_free(clientssl);
3042 SSL_CTX_free(sctx);
3043 SSL_CTX_free(cctx);
7fb4c820
MC		 3044 return testresult;
3045}
3046
7e885b7b 3047typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 3048
7e885b7b 3049static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 3050{
3051 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 3052 SSL_CTX *ctx;
9a716987
MC		 3053 SSL *ssl = NULL;
3054 int testresult = 0;
3055
d8652be0 3056 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
710756a9
RS		 3057 || !TEST_ptr(ssl = SSL_new(ctx))
3058 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
3059 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 3060 goto end;
9a716987
MC		 3061
3062 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
3063
3064 /*
742ccab3 3065 * If anything goes wrong here then we could leak memory.
9a716987
MC		 3066 */
3067 BIO_push(sslbio, membio1);
3068
69687aa8 3069 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 3070 if (change_bio != NO_BIO_CHANGE) {
493e7898
NX		 3071 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
3072 ssl = NULL;
9a716987 3073 goto end;
493e7898 3074 }
7e885b7b 3075 if (change_bio == CHANGE_RBIO)
65e2d672 3076 SSL_set0_rbio(ssl, membio2);
9a716987 3077 else
65e2d672 3078 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 3079 }
3080 ssl = NULL;
3081
7e885b7b 3082 if (pop_ssl)
9a716987
MC		 3083 BIO_pop(sslbio);
3084 else
3085 BIO_pop(membio1);
3086
3087 testresult = 1;
3088 end:
3089 BIO_free(membio1);
3090 BIO_free(sslbio);
3091 SSL_free(ssl);
3092 SSL_CTX_free(ctx);
3093
3094 return testresult;
3095}
3096
3097static int test_ssl_bio_pop_next_bio(void)
3098{
7e885b7b 3099 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 3100}
3101
3102static int test_ssl_bio_pop_ssl_bio(void)
3103{
7e885b7b 3104 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 3105}
3106
3107static int test_ssl_bio_change_rbio(void)
3108{
7e885b7b 3109 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 3110}
3111
3112static int test_ssl_bio_change_wbio(void)
3113{
7e885b7b 3114 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 3115}
3116
a763ca11 3117#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
f1b25aae
MC		 3118typedef struct {
3119 /* The list of sig algs */
3120 const int *list;
3121 /* The length of the list */
3122 size_t listlen;
3123 /* A sigalgs list in string format */
3124 const char *liststr;
3125 /* Whether setting the list should succeed */
3126 int valid;
3127 /* Whether creating a connection with the list should succeed */
3128 int connsuccess;
3129} sigalgs_list;
3130
3131static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 3132# ifndef OPENSSL_NO_EC
f1b25aae
MC		 3133static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
3134static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 3135# endif
f1b25aae
MC		 3136static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
3137static const int invalidlist2[] = {NID_sha256, NID_undef};
3138static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
3139static const int invalidlist4[] = {NID_sha256};
3140static const sigalgs_list testsigalgs[] = {
3141 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 3142# ifndef OPENSSL_NO_EC
f1b25aae
MC		 3143 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
3144 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 3145# endif
f1b25aae 3146 {NULL, 0, "RSA+SHA256", 1, 1},
c423ecaa 3147# ifndef OPENSSL_NO_EC
f1b25aae
MC		 3148 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
3149 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 3150# endif
f1b25aae
MC		 3151 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
3152 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
3153 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
3154 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
3155 {NULL, 0, "RSA", 0, 0},
3156 {NULL, 0, "SHA256", 0, 0},
3157 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 3158 {NULL, 0, "Invalid", 0, 0}
3159};
f1b25aae
MC		 3160
3161static int test_set_sigalgs(int idx)
3162{
3163 SSL_CTX *cctx = NULL, *sctx = NULL;
3164 SSL *clientssl = NULL, *serverssl = NULL;
3165 int testresult = 0;
3166 const sigalgs_list *curr;
3167 int testctx;
3168
3169 /* Should never happen */
710756a9 3170 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 3171 return 0;
3172
3173 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
3174 curr = testctx ? &testsigalgs[idx]
3175 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
3176
5e30f2fd
MC		 3177 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3178 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 3179 &sctx, &cctx, cert, privkey)))
f1b25aae 3180 return 0;
f1b25aae 3181
d2e491f2
MC		 3182 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
3183
f1b25aae
MC		 3184 if (testctx) {
3185 int ret;
710756a9 3186
f1b25aae
MC		 3187 if (curr->list != NULL)
3188 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
3189 else
3190 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
3191
3192 if (!ret) {
3193 if (curr->valid)
710756a9 3194 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 3195 else
3196 testresult = 1;
3197 goto end;
3198 }
3199 if (!curr->valid) {
710756a9 3200 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 3201 goto end;
3202 }
3203 }
3204
710756a9
RS		 3205 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3206 &clientssl, NULL, NULL)))
f1b25aae 3207 goto end;
f1b25aae
MC		 3208
3209 if (!testctx) {
3210 int ret;
3211
3212 if (curr->list != NULL)
3213 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3214 else
3215 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3216 if (!ret) {
3217 if (curr->valid)
710756a9 3218 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 3219 else
3220 testresult = 1;
3221 goto end;
3222 }
710756a9 3223 if (!curr->valid)
f1b25aae 3224 goto end;
f1b25aae
MC		 3225 }
3226
710756a9
RS		 3227 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3228 SSL_ERROR_NONE),
3229 curr->connsuccess))
f1b25aae 3230 goto end;
f1b25aae
MC		 3231
3232 testresult = 1;
3233
3234 end:
3235 SSL_free(serverssl);
3236 SSL_free(clientssl);
3237 SSL_CTX_free(sctx);
3238 SSL_CTX_free(cctx);
3239
3240 return testresult;
3241}
c423ecaa 3242#endif
f1b25aae 3243
a763ca11 3244#ifndef OSSL_NO_USABLE_TLS1_3
532f9578
MC		 3245static int psk_client_cb_cnt = 0;
3246static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 3247
3248static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3249 size_t *idlen, SSL_SESSION **sess)
3250{
3251 switch (++use_session_cb_cnt) {
3252 case 1:
3253 /* The first call should always have a NULL md */
3254 if (md != NULL)
3255 return 0;
3256 break;
3257
3258 case 2:
3259 /* The second call should always have an md */
3260 if (md == NULL)
3261 return 0;
3262 break;
3263
3264 default:
3265 /* We should only be called a maximum of twice */
3266 return 0;
3267 }
3268
57dee9bb
MC		 3269 if (clientpsk != NULL)
3270 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 3271
57dee9bb 3272 *sess = clientpsk;
02a3ed5a
MC		 3273 *id = (const unsigned char *)pskid;
3274 *idlen = strlen(pskid);
3275
3276 return 1;
3277}
3278
c2b290c3 3279#ifndef OPENSSL_NO_PSK
532f9578
MC		 3280static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3281 unsigned int max_id_len,
3282 unsigned char *psk,
3283 unsigned int max_psk_len)
3284{
3285 unsigned int psklen = 0;
3286
3287 psk_client_cb_cnt++;
3288
3289 if (strlen(pskid) + 1 > max_id_len)
3290 return 0;
3291
3292 /* We should only ever be called a maximum of twice per connection */
3293 if (psk_client_cb_cnt > 2)
3294 return 0;
3295
3296 if (clientpsk == NULL)
3297 return 0;
3298
3299 /* We'll reuse the PSK we set up for TLSv1.3 */
3300 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3301 return 0;
3302 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3303 strncpy(id, pskid, max_id_len);
3304
3305 return psklen;
3306}
c2b290c3 3307#endif /* OPENSSL_NO_PSK */
532f9578 3308
02a3ed5a
MC		 3309static int find_session_cb(SSL *ssl, const unsigned char *identity,
3310 size_t identity_len, SSL_SESSION **sess)
3311{
3312 find_session_cb_cnt++;
3313
3314 /* We should only ever be called a maximum of twice per connection */
3315 if (find_session_cb_cnt > 2)
3316 return 0;
3317
57dee9bb 3318 if (serverpsk == NULL)
02a3ed5a
MC		 3319 return 0;
3320
3321 /* Identity should match that set by the client */
3322 if (strlen(srvid) != identity_len
3323 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3324 /* No PSK found, continue but without a PSK */
3325 *sess = NULL;
3326 return 1;
3327 }
3328
57dee9bb
MC		 3329 SSL_SESSION_up_ref(serverpsk);
3330 *sess = serverpsk;
02a3ed5a
MC		 3331
3332 return 1;
3333}
3334
c2b290c3 3335#ifndef OPENSSL_NO_PSK
532f9578
MC		 3336static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3337 unsigned char *psk, unsigned int max_psk_len)
3338{
3339 unsigned int psklen = 0;
3340
3341 psk_server_cb_cnt++;
3342
3343 /* We should only ever be called a maximum of twice per connection */
3344 if (find_session_cb_cnt > 2)
3345 return 0;
3346
3347 if (serverpsk == NULL)
3348 return 0;
3349
3350 /* Identity should match that set by the client */
3351 if (strcmp(srvid, identity) != 0) {
3352 return 0;
3353 }
3354
3355 /* We'll reuse the PSK we set up for TLSv1.3 */
3356 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3357 return 0;
3358 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3359
3360 return psklen;
3361}
c2b290c3 3362#endif /* OPENSSL_NO_PSK */
532f9578 3363
5f982038
MC		 3364#define MSG1 "Hello"
3365#define MSG2 "World."
3366#define MSG3 "This"
3367#define MSG4 "is"
3368#define MSG5 "a"
90049cea
MC		 3369#define MSG6 "test"
3370#define MSG7 "message."
5f982038 3371
532f9578 3372#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
0b2b0be9 3373#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3374#define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3375#define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3376#define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
02a3ed5a 3377
8614a4eb 3378
10836921 3379static SSL_SESSION *create_a_psk(SSL *ssl, size_t mdsize)
8614a4eb
MC		 3380{
3381 const SSL_CIPHER *cipher = NULL;
3382 const unsigned char key[] = {
3383 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3384 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3385 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3386 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
10836921 3387 0x2c, 0x2d, 0x2e, 0x2f /* SHA384_DIGEST_LENGTH bytes */
8614a4eb
MC		 3388 };
3389 SSL_SESSION *sess = NULL;
3390
10836921
MC		 3391 if (mdsize == SHA384_DIGEST_LENGTH) {
3392 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3393 } else if (mdsize == SHA256_DIGEST_LENGTH) {
3394 /*
3395 * Any ciphersuite using SHA256 will do - it will be compatible with
3396 * the actual ciphersuite selected as long as it too is based on SHA256
3397 */
3398 cipher = SSL_CIPHER_find(ssl, TLS13_AES_128_GCM_SHA256_BYTES);
3399 } else {
3400 /* Should not happen */
3401 return NULL;
3402 }
8614a4eb
MC		 3403 sess = SSL_SESSION_new();
3404 if (!TEST_ptr(sess)
3405 || !TEST_ptr(cipher)
10836921 3406 || !TEST_true(SSL_SESSION_set1_master_key(sess, key, mdsize))
8614a4eb
MC		 3407 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3408 || !TEST_true(
3409 SSL_SESSION_set_protocol_version(sess,
3410 TLS1_3_VERSION))) {
3411 SSL_SESSION_free(sess);
3412 return NULL;
3413 }
3414 return sess;
3415}
3416
2be5065b
MC		 3417static int artificial_ticket_time = 0;
3418
3419static int ed_gen_cb(SSL *s, void *arg)
3420{
3421 SSL_SESSION *sess = SSL_get0_session(s);
3422
3423 if (sess == NULL)
3424 return 0;
3425
3426 /*
3427 * Artificially give the ticket some age. Just do it for the number of
3428 * tickets we've been told to do.
3429 */
3430 if (artificial_ticket_time == 0)
3431 return 1;
3432 artificial_ticket_time--;
3433
3434 if (SSL_SESSION_set_time(sess, SSL_SESSION_get_time(sess) - 10) == 0)
3435 return 0;
3436
3437 return 1;
3438}
3439
5f982038
MC		 3440/*
3441 * Helper method to setup objects for early data test. Caller frees objects on
3442 * error.
3443 */
3444static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
10836921
MC		 3445 SSL **serverssl, SSL_SESSION **sess, int idx,
3446 size_t mdsize)
5f982038 3447{
2be5065b
MC		 3448 int artificial = (artificial_ticket_time > 0);
3449
5a421415 3450 if (*sctx == NULL
5e30f2fd 3451 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5a421415 3452 TLS_client_method(),
5c587fb6 3453 TLS1_VERSION, 0,
5a421415
MC		 3454 sctx, cctx, cert, privkey)))
3455 return 0;
3456
2be5065b
MC		 3457 if (artificial)
3458 SSL_CTX_set_session_ticket_cb(*sctx, ed_gen_cb, NULL, NULL);
3459
5a421415 3460 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 3461 return 0;
5f982038 3462
02a3ed5a
MC		 3463 if (idx == 1) {
3464 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 3465 SSL_CTX_set_read_ahead(*cctx, 1);
3466 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 3467 } else if (idx == 2) {
3468 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3469 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3470 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3471 use_session_cb_cnt = 0;
3472 find_session_cb_cnt = 0;
3473 srvid = pskid;
3cb47b4e
MC		 3474 }
3475
710756a9 3476 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 3477 NULL, NULL)))
3478 return 0;
3479
141e4709
MC		 3480 /*
3481 * For one of the run throughs (doesn't matter which one), we'll try sending
3482 * some SNI data in the initial ClientHello. This will be ignored (because
3483 * there is no SNI cb set up by the server), so it should not impact
3484 * early_data.
3485 */
3486 if (idx == 1
3487 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3488 return 0;
3489
02a3ed5a 3490 if (idx == 2) {
10836921 3491 clientpsk = create_a_psk(*clientssl, mdsize);
57dee9bb 3492 if (!TEST_ptr(clientpsk)
02a3ed5a
MC		 3493 /*
3494 * We just choose an arbitrary value for max_early_data which
3495 * should be big enough for testing purposes.
3496 */
57dee9bb
MC		 3497 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3498 0x100))
3499 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3500 SSL_SESSION_free(clientpsk);
3501 clientpsk = NULL;
02a3ed5a
MC		 3502 return 0;
3503 }
57dee9bb 3504 serverpsk = clientpsk;
02a3ed5a 3505
c20e3b28
MC		 3506 if (sess != NULL) {
3507 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3508 SSL_SESSION_free(clientpsk);
3509 SSL_SESSION_free(serverpsk);
3510 clientpsk = serverpsk = NULL;
3511 return 0;
3512 }
57dee9bb 3513 *sess = clientpsk;
c20e3b28 3514 }
02a3ed5a
MC		 3515 return 1;
3516 }
3517
3518 if (sess == NULL)
3519 return 1;
3520
3521 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3522 SSL_ERROR_NONE)))
5f982038 3523 return 0;
5f982038
MC		 3524
3525 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 3526 SSL_shutdown(*clientssl);
3527 SSL_shutdown(*serverssl);
5f982038
MC		 3528 SSL_free(*serverssl);
3529 SSL_free(*clientssl);
3530 *serverssl = *clientssl = NULL;
3531
2be5065b
MC		 3532 /*
3533 * Artificially give the ticket some age to match the artificial age we
3534 * gave it on the server side
3535 */
3536 if (artificial
3537 && !TEST_long_gt(SSL_SESSION_set_time(*sess,
3538 SSL_SESSION_get_time(*sess) - 10), 0))
3539 return 0;
3540
710756a9
RS		 3541 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3542 clientssl, NULL, NULL))
3543 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 3544 return 0;
5f982038
MC		 3545
3546 return 1;
3547}
3548
3cb47b4e 3549static int test_early_data_read_write(int idx)
5f982038
MC		 3550{
3551 SSL_CTX *cctx = NULL, *sctx = NULL;
3552 SSL *clientssl = NULL, *serverssl = NULL;
3553 int testresult = 0;
3554 SSL_SESSION *sess = NULL;
9b5c865d
MC		 3555 unsigned char buf[20], data[1024];
3556 size_t readbytes, written, eoedlen, rawread, rawwritten;
3557 BIO *rbio;
5f982038 3558
2be5065b
MC		 3559 /* Artificially give the next 2 tickets some age for non PSK sessions */
3560 if (idx != 2)
3561 artificial_ticket_time = 2;
710756a9 3562 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 3563 &serverssl, &sess, idx,
3564 SHA384_DIGEST_LENGTH))) {
2be5065b 3565 artificial_ticket_time = 0;
5f982038 3566 goto end;
2be5065b
MC		 3567 }
3568 artificial_ticket_time = 0;
5f982038
MC		 3569
3570 /* Write and read some early data */
710756a9
RS		 3571 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3572 &written))
3573 || !TEST_size_t_eq(written, strlen(MSG1))
3574 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3575 sizeof(buf), &readbytes),
3576 SSL_READ_EARLY_DATA_SUCCESS)
3577 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3578 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3579 SSL_EARLY_DATA_ACCEPTED))
5f982038 3580 goto end;
5f982038
MC		 3581
3582 /*
09f28874 3583 * Server should be able to write data, and client should be able to
5f982038
MC		 3584 * read it.
3585 */
710756a9
RS		 3586 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3587 &written))
3588 || !TEST_size_t_eq(written, strlen(MSG2))
3589 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3590 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3591 goto end;
5f982038
MC		 3592
3593 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 3594 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3595 &written))
3596 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 3597 goto end;
5f982038 3598
09f28874 3599 /* Server should still be able read early data after writing data */
710756a9
RS		 3600 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3601 &readbytes),
3602 SSL_READ_EARLY_DATA_SUCCESS)
3603 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 3604 goto end;
5f982038 3605
09f28874 3606 /* Write more data from server and read it from client */
710756a9
RS		 3607 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3608 &written))
3609 || !TEST_size_t_eq(written, strlen(MSG4))
3610 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3611 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 3612 goto end;
5f982038
MC		 3613
3614 /*
3615 * If client writes normal data it should mean writing early data is no
3616 * longer possible.
3617 */
710756a9
RS		 3618 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3619 || !TEST_size_t_eq(written, strlen(MSG5))
3620 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3621 SSL_EARLY_DATA_ACCEPTED))
5f982038 3622 goto end;
5f982038 3623
9b5c865d
MC		 3624 /*
3625 * At this point the client has written EndOfEarlyData, ClientFinished and
3626 * normal (fully protected) data. We are going to cause a delay between the
3627 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3628 * in the read BIO, and then just put back the EndOfEarlyData message.
3629 */
3630 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 3631 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3632 || !TEST_size_t_lt(rawread, sizeof(data))
3633 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 3634 goto end;
710756a9 3635
9b5c865d
MC		 3636 /* Record length is in the 4th and 5th bytes of the record header */
3637 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 3638 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3639 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 3640 goto end;
9b5c865d 3641
5f982038 3642 /* Server should be told that there is no more early data */
710756a9
RS		 3643 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3644 &readbytes),
3645 SSL_READ_EARLY_DATA_FINISH)
3646 || !TEST_size_t_eq(readbytes, 0))
5f982038 3647 goto end;
5f982038 3648
9b5c865d
MC		 3649 /*
3650 * Server has not finished init yet, so should still be able to write early
3651 * data.
3652 */
710756a9
RS		 3653 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3654 &written))
3655 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 3656 goto end;
9b5c865d 3657
f8a303fa 3658 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 3659 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3660 &rawwritten))
3661 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 3662 goto end;
f8a303fa 3663
5f982038 3664 /* Server should be able to read normal data */
710756a9
RS		 3665 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3666 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3667 goto end;
5f982038 3668
09f28874 3669 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3670 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3671 &written)))
5f982038 3672 goto end;
5f982038 3673 ERR_clear_error();
710756a9
RS		 3674 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3675 &readbytes),
3676 SSL_READ_EARLY_DATA_ERROR))
5f982038 3677 goto end;
5f982038
MC		 3678 ERR_clear_error();
3679
9b5c865d 3680 /* Client should be able to read the data sent by the server */
710756a9
RS		 3681 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3682 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 3683 goto end;
710756a9 3684
f8a303fa 3685 /*
36ff232c
MC		 3686 * Make sure we process the two NewSessionTickets. These arrive
3687 * post-handshake. We attempt reads which we do not expect to return any
3688 * data.
f8a303fa 3689 */
36ff232c
MC		 3690 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3691 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3692 &readbytes)))
f8a303fa 3693 goto end;
5f982038 3694
90049cea 3695 /* Server should be able to write normal data */
710756a9
RS		 3696 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3697 || !TEST_size_t_eq(written, strlen(MSG7))
3698 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3699 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 3700 goto end;
90049cea 3701
c20e3b28 3702 SSL_SESSION_free(sess);
5f982038 3703 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 3704 use_session_cb_cnt = 0;
3705 find_session_cb_cnt = 0;
5f982038
MC		 3706
3707 SSL_shutdown(clientssl);
3708 SSL_shutdown(serverssl);
5f982038
MC		 3709 SSL_free(serverssl);
3710 SSL_free(clientssl);
3711 serverssl = clientssl = NULL;
710756a9
RS		 3712 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3713 &clientssl, NULL, NULL))
3714 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 3715 goto end;
5f982038
MC		 3716
3717 /* Write and read some early data */
710756a9
RS		 3718 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3719 &written))
3720 || !TEST_size_t_eq(written, strlen(MSG1))
3721 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3722 &readbytes),
3723 SSL_READ_EARLY_DATA_SUCCESS)
3724 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 3725 goto end;
5f982038 3726
710756a9
RS		 3727 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3728 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 3729 goto end;
5f982038 3730
09f28874 3731 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3732 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3733 &written)))
5f982038 3734 goto end;
5f982038 3735 ERR_clear_error();
710756a9
RS		 3736 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3737 &readbytes),
3738 SSL_READ_EARLY_DATA_ERROR))
5f982038 3739 goto end;
5f982038
MC		 3740 ERR_clear_error();
3741
3742 /* Client and server should be able to write/read normal data */
710756a9
RS		 3743 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3744 || !TEST_size_t_eq(written, strlen(MSG5))
3745 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3746 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3747 goto end;
5f982038
MC		 3748
3749 testresult = 1;
3750
3751 end:
c20e3b28 3752 SSL_SESSION_free(sess);
57dee9bb
MC		 3753 SSL_SESSION_free(clientpsk);
3754 SSL_SESSION_free(serverpsk);
3755 clientpsk = serverpsk = NULL;
5f982038
MC		 3756 SSL_free(serverssl);
3757 SSL_free(clientssl);
3758 SSL_CTX_free(sctx);
3759 SSL_CTX_free(cctx);
5f982038
MC		 3760 return testresult;
3761}
3762
5a421415
MC		 3763static int allow_ed_cb_called = 0;
3764
3765static int allow_early_data_cb(SSL *s, void *arg)
3766{
3767 int *usecb = (int *)arg;
3768
3769 allow_ed_cb_called++;
3770
3771 if (*usecb == 1)
3772 return 0;
3773
3774 return 1;
3775}
3776
3777/*
3778 * idx == 0: Standard early_data setup
3779 * idx == 1: early_data setup using read_ahead
3780 * usecb == 0: Don't use a custom early data callback
3781 * usecb == 1: Use a custom early data callback and reject the early data
3782 * usecb == 2: Use a custom early data callback and accept the early data
3bb5e5b0
MC		 3783 * confopt == 0: Configure anti-replay directly
3784 * confopt == 1: Configure anti-replay using SSL_CONF
5a421415 3785 */
3bb5e5b0 3786static int test_early_data_replay_int(int idx, int usecb, int confopt)
78fb5374
MC		 3787{
3788 SSL_CTX *cctx = NULL, *sctx = NULL;
3789 SSL *clientssl = NULL, *serverssl = NULL;
3790 int testresult = 0;
3791 SSL_SESSION *sess = NULL;
5a421415
MC		 3792 size_t readbytes, written;
3793 unsigned char buf[20];
3794
3795 allow_ed_cb_called = 0;
3796
5e30f2fd
MC		 3797 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3798 TLS_client_method(), TLS1_VERSION, 0,
3799 &sctx, &cctx, cert, privkey)))
5a421415
MC		 3800 return 0;
3801
3802 if (usecb > 0) {
3bb5e5b0
MC		 3803 if (confopt == 0) {
3804 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3805 } else {
3806 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3807
3808 if (!TEST_ptr(confctx))
3809 goto end;
3810 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3811 | SSL_CONF_FLAG_SERVER);
3812 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3813 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3814 2)) {
3815 SSL_CONF_CTX_free(confctx);
3816 goto end;
3817 }
3818 SSL_CONF_CTX_free(confctx);
3819 }
5a421415
MC		 3820 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3821 }
78fb5374
MC		 3822
3823 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 3824 &serverssl, &sess, idx,
3825 SHA384_DIGEST_LENGTH)))
78fb5374
MC		 3826 goto end;
3827
3828 /*
3829 * The server is configured to accept early data. Create a connection to
3830 * "use up" the ticket
3831 */
3832 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3833 || !TEST_true(SSL_session_reused(clientssl)))
3834 goto end;
3835
3836 SSL_shutdown(clientssl);
3837 SSL_shutdown(serverssl);
3838 SSL_free(serverssl);
3839 SSL_free(clientssl);
3840 serverssl = clientssl = NULL;
3841
3842 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3843 &clientssl, NULL, NULL))
5a421415
MC		 3844 || !TEST_true(SSL_set_session(clientssl, sess)))
3845 goto end;
3846
3847 /* Write and read some early data */
3848 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3849 &written))
3850 || !TEST_size_t_eq(written, strlen(MSG1)))
3851 goto end;
3852
3853 if (usecb <= 1) {
3854 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3855 &readbytes),
3856 SSL_READ_EARLY_DATA_FINISH)
3857 /*
3858 * The ticket was reused, so the we should have rejected the
3859 * early data
3860 */
3861 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3862 SSL_EARLY_DATA_REJECTED))
3863 goto end;
3864 } else {
3865 /* In this case the callback decides to accept the early data */
3866 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3867 &readbytes),
3868 SSL_READ_EARLY_DATA_SUCCESS)
3869 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3870 /*
3871 * Server will have sent its flight so client can now send
3872 * end of early data and complete its half of the handshake
3873 */
3874 || !TEST_int_gt(SSL_connect(clientssl), 0)
3875 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3876 &readbytes),
3877 SSL_READ_EARLY_DATA_FINISH)
3878 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3879 SSL_EARLY_DATA_ACCEPTED))
3880 goto end;
3881 }
3882
3883 /* Complete the connection */
3884 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3885 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3886 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
78fb5374
MC		 3887 goto end;
3888
3889 testresult = 1;
3890
3891 end:
c20e3b28 3892 SSL_SESSION_free(sess);
78fb5374
MC		 3893 SSL_SESSION_free(clientpsk);
3894 SSL_SESSION_free(serverpsk);
3895 clientpsk = serverpsk = NULL;
3896 SSL_free(serverssl);
3897 SSL_free(clientssl);
3898 SSL_CTX_free(sctx);
3899 SSL_CTX_free(cctx);
3900 return testresult;
3901}
3902
5a421415
MC		 3903static int test_early_data_replay(int idx)
3904{
3bb5e5b0 3905 int ret = 1, usecb, confopt;
5a421415 3906
3bb5e5b0
MC		 3907 for (usecb = 0; usecb < 3; usecb++) {
3908 for (confopt = 0; confopt < 2; confopt++)
3909 ret &= test_early_data_replay_int(idx, usecb, confopt);
3910 }
5a421415
MC		 3911
3912 return ret;
3913}
3914
10836921
MC		 3915static const char *ciphersuites[] = {
3916 "TLS_AES_128_CCM_8_SHA256",
3917 "TLS_AES_128_GCM_SHA256",
3918 "TLS_AES_256_GCM_SHA384",
3919 "TLS_AES_128_CCM_SHA256",
3920#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3921 "TLS_CHACHA20_POLY1305_SHA256"
3922#endif
3923};
3924
710756a9 3925/*
6b84e6bf
MC		 3926 * Helper function to test that a server attempting to read early data can
3927 * handle a connection from a client where the early data should be skipped.
0d1b7789
MC		 3928 * testtype: 0 == No HRR
3929 * testtype: 1 == HRR
0efa0ba4
MC		 3930 * testtype: 2 == HRR, invalid early_data sent after HRR
3931 * testtype: 3 == recv_max_early_data set to 0
710756a9 3932 */
10836921 3933static int early_data_skip_helper(int testtype, int cipher, int idx)
5f982038
MC		 3934{
3935 SSL_CTX *cctx = NULL, *sctx = NULL;
3936 SSL *clientssl = NULL, *serverssl = NULL;
3937 int testresult = 0;
018fcbec 3938 SSL_SESSION *sess = NULL;
5f982038
MC		 3939 unsigned char buf[20];
3940 size_t readbytes, written;
3941
10836921
MC		 3942 if (is_fips && cipher == 4)
3943 return 1;
3944
3945 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3946 TLS_client_method(),
3947 TLS1_VERSION, 0,
3948 &sctx, &cctx, cert, privkey)))
3949 goto end;
3950
3951 if (cipher == 0) {
3952 SSL_CTX_set_security_level(sctx, 0);
3953 SSL_CTX_set_security_level(cctx, 0);
3954 }
3955
3956 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, ciphersuites[cipher]))
3957 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, ciphersuites[cipher])))
3958 goto end;
3959
710756a9 3960 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 3961 &serverssl, &sess, idx,
3962 cipher == 2 ? SHA384_DIGEST_LENGTH
3963 : SHA256_DIGEST_LENGTH)))
5f982038
MC		 3964 goto end;
3965
0efa0ba4 3966 if (testtype == 1 || testtype == 2) {
6b84e6bf 3967 /* Force an HRR to occur */
dbc6268f
MC		 3968#if defined(OPENSSL_NO_EC)
3969 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3970 goto end;
3971#else
6b84e6bf
MC		 3972 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3973 goto end;
dbc6268f 3974#endif
02a3ed5a
MC		 3975 } else if (idx == 2) {
3976 /*
3977 * We force early_data rejection by ensuring the PSK identity is
3978 * unrecognised
3979 */
3980 srvid = "Dummy Identity";
6b84e6bf
MC		 3981 } else {
3982 /*
3983 * Deliberately corrupt the creation time. We take 20 seconds off the
3984 * time. It could be any value as long as it is not within tolerance.
3985 * This should mean the ticket is rejected.
3986 */
5d99881e 3987 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 3988 goto end;
3989 }
5f982038 3990
0efa0ba4 3991 if (testtype == 3
0d1b7789
MC		 3992 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3993 goto end;
3994
5f982038 3995 /* Write some early data */
710756a9
RS		 3996 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3997 &written))
3998 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 3999 goto end;
5f982038 4000
0d1b7789 4001 /* Server should reject the early data */
710756a9
RS		 4002 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4003 &readbytes),
4004 SSL_READ_EARLY_DATA_FINISH)
4005 || !TEST_size_t_eq(readbytes, 0)
4006 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4007 SSL_EARLY_DATA_REJECTED))
5f982038 4008 goto end;
5f982038 4009
0efa0ba4
MC		 4010 switch (testtype) {
4011 case 0:
4012 /* Nothing to do */
4013 break;
4014
4015 case 1:
6b84e6bf
MC		 4016 /*
4017 * Finish off the handshake. We perform the same writes and reads as
4018 * further down but we expect them to fail due to the incomplete
4019 * handshake.
4020 */
4021 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4022 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
4023 &readbytes)))
4024 goto end;
0efa0ba4
MC		 4025 break;
4026
4027 case 2:
4028 {
4029 BIO *wbio = SSL_get_wbio(clientssl);
4030 /* A record that will appear as bad early_data */
4031 const unsigned char bad_early_data[] = {
4032 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
4033 };
4034
4035 /*
4036 * We force the client to attempt a write. This will fail because
4037 * we're still in the handshake. It will cause the second
4038 * ClientHello to be sent.
4039 */
4040 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
4041 &written)))
4042 goto end;
4043
4044 /*
4045 * Inject some early_data after the second ClientHello. This should
4046 * cause the server to fail
4047 */
4048 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
4049 sizeof(bad_early_data), &written)))
4050 goto end;
4051 }
4052 /* fallthrough */
4053
4054 case 3:
0d1b7789 4055 /*
0efa0ba4
MC		 4056 * This client has sent more early_data than we are willing to skip
4057 * (case 3) or sent invalid early_data (case 2) so the connection should
4058 * abort.
0d1b7789
MC		 4059 */
4060 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4061 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
4062 goto end;
4063
4064 /* Connection has failed - nothing more to do */
4065 testresult = 1;
4066 goto end;
0efa0ba4
MC		 4067
4068 default:
4069 TEST_error("Invalid test type");
4070 goto end;
6b84e6bf
MC		 4071 }
4072
10836921 4073 ERR_clear_error();
0d1b7789
MC		 4074 /*
4075 * Should be able to send normal data despite rejection of early data. The
4076 * early_data should be skipped.
4077 */
710756a9
RS		 4078 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4079 || !TEST_size_t_eq(written, strlen(MSG2))
4080 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4081 SSL_EARLY_DATA_REJECTED)
4082 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4083 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4084 goto end;
5f982038 4085
10836921
MC		 4086 /*
4087 * Failure to decrypt early data records should not leave spurious errors
4088 * on the error stack
4089 */
4090 if (!TEST_long_eq(ERR_peek_error(), 0))
4091 goto end;
4092
5f982038
MC		 4093 testresult = 1;
4094
4095 end:
c20e3b28 4096 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 4097 SSL_SESSION_free(serverpsk);
4098 clientpsk = serverpsk = NULL;
5f982038
MC		 4099 SSL_SESSION_free(sess);
4100 SSL_free(serverssl);
4101 SSL_free(clientssl);
4102 SSL_CTX_free(sctx);
4103 SSL_CTX_free(cctx);
5f982038
MC		 4104 return testresult;
4105}
4106
6b84e6bf
MC		 4107/*
4108 * Test that a server attempting to read early data can handle a connection
4109 * from a client where the early data is not acceptable.
4110 */
4111static int test_early_data_skip(int idx)
4112{
10836921
MC		 4113 return early_data_skip_helper(0,
4114 idx % OSSL_NELEM(ciphersuites),
4115 idx / OSSL_NELEM(ciphersuites));
6b84e6bf
MC		 4116}
4117
4118/*
4119 * Test that a server attempting to read early data can handle a connection
4120 * from a client where an HRR occurs.
4121 */
4122static int test_early_data_skip_hrr(int idx)
4123{
10836921
MC		 4124 return early_data_skip_helper(1,
4125 idx % OSSL_NELEM(ciphersuites),
4126 idx / OSSL_NELEM(ciphersuites));
6b84e6bf
MC		 4127}
4128
0efa0ba4
MC		 4129/*
4130 * Test that a server attempting to read early data can handle a connection
4131 * from a client where an HRR occurs and correctly fails if early_data is sent
4132 * after the HRR
4133 */
4134static int test_early_data_skip_hrr_fail(int idx)
4135{
10836921
MC		 4136 return early_data_skip_helper(2,
4137 idx % OSSL_NELEM(ciphersuites),
4138 idx / OSSL_NELEM(ciphersuites));
0efa0ba4
MC		 4139}
4140
0d1b7789
MC		 4141/*
4142 * Test that a server attempting to read early data will abort if it tries to
4143 * skip over too much.
4144 */
4145static int test_early_data_skip_abort(int idx)
4146{
10836921
MC		 4147 return early_data_skip_helper(3,
4148 idx % OSSL_NELEM(ciphersuites),
4149 idx / OSSL_NELEM(ciphersuites));
0d1b7789
MC		 4150}
4151
710756a9
RS		 4152/*
4153 * Test that a server attempting to read early data can handle a connection
4154 * from a client that doesn't send any.
4155 */
3cb47b4e 4156static int test_early_data_not_sent(int idx)
5f982038
MC		 4157{
4158 SSL_CTX *cctx = NULL, *sctx = NULL;
4159 SSL *clientssl = NULL, *serverssl = NULL;
4160 int testresult = 0;
018fcbec 4161 SSL_SESSION *sess = NULL;
5f982038
MC		 4162 unsigned char buf[20];
4163 size_t readbytes, written;
4164
710756a9 4165 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 4166 &serverssl, &sess, idx,
4167 SHA384_DIGEST_LENGTH)))
5f982038
MC		 4168 goto end;
4169
4170 /* Write some data - should block due to handshake with server */
4171 SSL_set_connect_state(clientssl);
710756a9 4172 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 4173 goto end;
5f982038
MC		 4174
4175 /* Server should detect that early data has not been sent */
710756a9
RS		 4176 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4177 &readbytes),
4178 SSL_READ_EARLY_DATA_FINISH)
4179 || !TEST_size_t_eq(readbytes, 0)
4180 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4181 SSL_EARLY_DATA_NOT_SENT)
4182 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4183 SSL_EARLY_DATA_NOT_SENT))
5f982038 4184 goto end;
5f982038
MC		 4185
4186 /* Continue writing the message we started earlier */
710756a9
RS		 4187 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4188 || !TEST_size_t_eq(written, strlen(MSG1))
4189 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4190 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4191 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
4192 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 4193 goto end;
5f982038 4194
710756a9
RS		 4195 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4196 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4197 goto end;
5f982038
MC		 4198
4199 testresult = 1;
4200
4201 end:
5f982038 4202 SSL_SESSION_free(sess);
c20e3b28 4203 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 4204 SSL_SESSION_free(serverpsk);
4205 clientpsk = serverpsk = NULL;
5f982038
MC		 4206 SSL_free(serverssl);
4207 SSL_free(clientssl);
4208 SSL_CTX_free(sctx);
4209 SSL_CTX_free(cctx);
5f982038
MC		 4210 return testresult;
4211}
4212
976e5323
MC		 4213static const char *servalpn;
4214
c7558d5b
PY		 4215static int alpn_select_cb(SSL *ssl, const unsigned char **out,
4216 unsigned char *outlen, const unsigned char *in,
4217 unsigned int inlen, void *arg)
976e5323 4218{
c7558d5b 4219 unsigned int protlen = 0;
976e5323
MC		 4220 const unsigned char *prot;
4221
c7558d5b
PY		 4222 for (prot = in; prot < in + inlen; prot += protlen) {
4223 protlen = *prot++;
5d99881e 4224 if (in + inlen < prot + protlen)
976e5323
MC		 4225 return SSL_TLSEXT_ERR_NOACK;
4226
4227 if (protlen == strlen(servalpn)
0bd42fde 4228 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 4229 *out = prot;
4230 *outlen = protlen;
4231 return SSL_TLSEXT_ERR_OK;
4232 }
4233 }
4234
4235 return SSL_TLSEXT_ERR_NOACK;
4236}
4237
57dee9bb 4238/* Test that a PSK can be used to send early_data */
976e5323
MC		 4239static int test_early_data_psk(int idx)
4240{
4241 SSL_CTX *cctx = NULL, *sctx = NULL;
4242 SSL *clientssl = NULL, *serverssl = NULL;
4243 int testresult = 0;
4244 SSL_SESSION *sess = NULL;
57dee9bb
MC		 4245 unsigned char alpnlist[] = {
4246 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
4247 'l', 'p', 'n'
4248 };
4249#define GOODALPNLEN 9
4250#define BADALPNLEN 8
4251#define GOODALPN (alpnlist)
4252#define BADALPN (alpnlist + GOODALPNLEN)
4253 int err = 0;
976e5323
MC		 4254 unsigned char buf[20];
4255 size_t readbytes, written;
57dee9bb 4256 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 4257 int edstatus = SSL_EARLY_DATA_ACCEPTED;
4258
4259 /* We always set this up with a final parameter of "2" for PSK */
4260 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 4261 &serverssl, &sess, 2,
4262 SHA384_DIGEST_LENGTH)))
976e5323
MC		 4263 goto end;
4264
976e5323
MC		 4265 servalpn = "goodalpn";
4266
57dee9bb
MC		 4267 /*
4268 * Note: There is no test for inconsistent SNI with late client detection.
4269 * This is because servers do not acknowledge SNI even if they are using
4270 * it in a resumption handshake - so it is not actually possible for a
4271 * client to detect a problem.
4272 */
976e5323
MC		 4273 switch (idx) {
4274 case 0:
57dee9bb 4275 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 4276 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
4277 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4278 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
4279 goto end;
4280 break;
4281
4282 case 1:
57dee9bb 4283 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 4284 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
4285 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 4286 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
4287 GOODALPNLEN))
4288 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
4289 BADALPNLEN)))
976e5323
MC		 4290 goto end;
4291 break;
4292
4293 case 2:
4294 /*
4295 * Set invalid protocol version. Technically this affects PSKs without
4296 * early_data too, but we test it here because it is similar to the
4297 * SNI/ALPN consistency tests.
4298 */
4299 err = SSL_R_BAD_PSK;
4300 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
4301 goto end;
4302 break;
4303
4304 case 3:
4305 /*
49ef3d07
MC		 4306 * Set inconsistent SNI (server side). In this case the connection
4307 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
4308 * is associated with each handshake - not the session. Therefore it
4309 * should not matter that we used a different server name last time.
976e5323 4310 */
281bf233
MC		 4311 SSL_SESSION_free(serverpsk);
4312 serverpsk = SSL_SESSION_dup(clientpsk);
4313 if (!TEST_ptr(serverpsk)
4314 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
4315 goto end;
976e5323
MC		 4316 /* Fall through */
4317 case 4:
4318 /* Set consistent SNI */
976e5323
MC		 4319 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4320 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4321 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4322 hostname_cb)))
4323 goto end;
4324 break;
4325
4326 case 5:
4327 /*
4328 * Set inconsistent ALPN (server detected). In this case the connection
4329 * will succeed but reject early_data.
4330 */
4331 servalpn = "badalpn";
4332 edstatus = SSL_EARLY_DATA_REJECTED;
4333 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4334 /* Fall through */
4335 case 6:
976e5323 4336 /*
57dee9bb 4337 * Set consistent ALPN.
976e5323
MC		 4338 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4339 * accepts a list of protos (each one length prefixed).
4340 * SSL_set1_alpn_selected accepts a single protocol (not length
4341 * prefixed)
4342 */
57dee9bb
MC		 4343 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4344 GOODALPNLEN - 1))
4345 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4346 GOODALPNLEN)))
976e5323
MC		 4347 goto end;
4348
4349 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4350 break;
4351
57dee9bb
MC		 4352 case 7:
4353 /* Set inconsistent ALPN (late client detection) */
4354 SSL_SESSION_free(serverpsk);
4355 serverpsk = SSL_SESSION_dup(clientpsk);
4356 if (!TEST_ptr(serverpsk)
4357 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4358 BADALPN + 1,
4359 BADALPNLEN - 1))
4360 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4361 GOODALPN + 1,
4362 GOODALPNLEN - 1))
4363 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4364 sizeof(alpnlist))))
4365 goto end;
4366 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4367 edstatus = SSL_EARLY_DATA_ACCEPTED;
4368 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4369 /* SSL_connect() call should fail */
4370 connectres = -1;
4371 break;
4372
976e5323
MC		 4373 default:
4374 TEST_error("Bad test index");
4375 goto end;
4376 }
4377
4378 SSL_set_connect_state(clientssl);
4379 if (err != 0) {
4380 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4381 &written))
4382 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4383 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4384 goto end;
4385 } else {
4386 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 4387 &written)))
4388 goto end;
4389
4390 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4391 &readbytes), readearlyres)
976e5323
MC		 4392 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4393 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 4394 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4395 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 4396 goto end;
4397 }
4398
4399 testresult = 1;
4400
4401 end:
c20e3b28 4402 SSL_SESSION_free(sess);
57dee9bb
MC		 4403 SSL_SESSION_free(clientpsk);
4404 SSL_SESSION_free(serverpsk);
4405 clientpsk = serverpsk = NULL;
976e5323
MC		 4406 SSL_free(serverssl);
4407 SSL_free(clientssl);
4408 SSL_CTX_free(sctx);
4409 SSL_CTX_free(cctx);
4410 return testresult;
4411}
4412
0b2b0be9 4413/*
4414 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4415 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4416 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4417 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4418 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4419 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4420 */
4421static int test_early_data_psk_with_all_ciphers(int idx)
4422{
4423 SSL_CTX *cctx = NULL, *sctx = NULL;
4424 SSL *clientssl = NULL, *serverssl = NULL;
4425 int testresult = 0;
4426 SSL_SESSION *sess = NULL;
4427 unsigned char buf[20];
4428 size_t readbytes, written;
4429 const SSL_CIPHER *cipher;
4430 const char *cipher_str[] = {
4431 TLS1_3_RFC_AES_128_GCM_SHA256,
4432 TLS1_3_RFC_AES_256_GCM_SHA384,
4433# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4434 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4435# else
4436 NULL,
4437# endif
4438 TLS1_3_RFC_AES_128_CCM_SHA256,
4439 TLS1_3_RFC_AES_128_CCM_8_SHA256
4440 };
4441 const unsigned char *cipher_bytes[] = {
4442 TLS13_AES_128_GCM_SHA256_BYTES,
4443 TLS13_AES_256_GCM_SHA384_BYTES,
4444# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4445 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4446# else
4447 NULL,
4448# endif
4449 TLS13_AES_128_CCM_SHA256_BYTES,
4450 TLS13_AES_128_CCM_8_SHA256_BYTES
4451 };
4452
4453 if (cipher_str[idx] == NULL)
4454 return 1;
4455 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4456 if (idx == 2 && is_fips == 1)
4457 return 1;
4458
4459 /* We always set this up with a final parameter of "2" for PSK */
4460 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 4461 &serverssl, &sess, 2,
4462 SHA384_DIGEST_LENGTH)))
0b2b0be9 4463 goto end;
4464
e0710222
P		 4465 if (idx == 4) {
4466 /* CCM8 ciphers are considered low security due to their short tag */
4467 SSL_set_security_level(clientssl, 0);
4468 SSL_set_security_level(serverssl, 0);
4469 }
4470
0b2b0be9 4471 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4472 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4473 goto end;
4474
4475 /*
4476 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4477 * and assigns to both client and server with incremented reference
4478 * and the same instance is updated in 'sess'.
4479 * So updating ciphersuite in 'sess' which will get reflected in
4480 * PSK handshake using psk use sess and find sess cb.
4481 */
4482 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4483 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4484 goto end;
4485
4486 SSL_set_connect_state(clientssl);
4487 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4488 &written)))
4489 goto end;
4490
4491 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4492 &readbytes),
4493 SSL_READ_EARLY_DATA_SUCCESS)
4494 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4495 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4496 SSL_EARLY_DATA_ACCEPTED)
4497 || !TEST_int_eq(SSL_connect(clientssl), 1)
4498 || !TEST_int_eq(SSL_accept(serverssl), 1))
4499 goto end;
4500
4501 /* Send some normal data from client to server */
4502 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4503 || !TEST_size_t_eq(written, strlen(MSG2)))
4504 goto end;
4505
4506 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4507 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4508 goto end;
4509
4510 testresult = 1;
4511 end:
4512 SSL_SESSION_free(sess);
4513 SSL_SESSION_free(clientpsk);
4514 SSL_SESSION_free(serverpsk);
4515 clientpsk = serverpsk = NULL;
4516 if (clientssl != NULL)
4517 SSL_shutdown(clientssl);
4518 if (serverssl != NULL)
4519 SSL_shutdown(serverssl);
4520 SSL_free(serverssl);
4521 SSL_free(clientssl);
4522 SSL_CTX_free(sctx);
4523 SSL_CTX_free(cctx);
4524 return testresult;
4525}
4526
710756a9
RS		 4527/*
4528 * Test that a server that doesn't try to read early data can handle a
4529 * client sending some.
4530 */
3cb47b4e 4531static int test_early_data_not_expected(int idx)
5f982038
MC		 4532{
4533 SSL_CTX *cctx = NULL, *sctx = NULL;
4534 SSL *clientssl = NULL, *serverssl = NULL;
4535 int testresult = 0;
018fcbec 4536 SSL_SESSION *sess = NULL;
5f982038
MC		 4537 unsigned char buf[20];
4538 size_t readbytes, written;
4539
710756a9 4540 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 4541 &serverssl, &sess, idx,
4542 SHA384_DIGEST_LENGTH)))
5f982038
MC		 4543 goto end;
4544
4545 /* Write some early data */
710756a9
RS		 4546 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4547 &written)))
5f982038 4548 goto end;
5f982038
MC		 4549
4550 /*
4551 * Server should skip over early data and then block waiting for client to
4552 * continue handshake
4553 */
710756a9
RS		 4554 if (!TEST_int_le(SSL_accept(serverssl), 0)
4555 || !TEST_int_gt(SSL_connect(clientssl), 0)
4556 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4557 SSL_EARLY_DATA_REJECTED)
4558 || !TEST_int_gt(SSL_accept(serverssl), 0)
4559 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4560 SSL_EARLY_DATA_REJECTED))
5f982038 4561 goto end;
5f982038
MC		 4562
4563 /* Send some normal data from client to server */
710756a9
RS		 4564 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4565 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 4566 goto end;
5f982038 4567
710756a9
RS		 4568 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4569 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4570 goto end;
5f982038
MC		 4571
4572 testresult = 1;
4573
4574 end:
5f982038 4575 SSL_SESSION_free(sess);
c20e3b28 4576 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 4577 SSL_SESSION_free(serverpsk);
4578 clientpsk = serverpsk = NULL;
5f982038
MC		 4579 SSL_free(serverssl);
4580 SSL_free(clientssl);
4581 SSL_CTX_free(sctx);
4582 SSL_CTX_free(cctx);
5f982038
MC		 4583 return testresult;
4584}
4585
4586
4587# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 4588/*
4589 * Test that a server attempting to read early data can handle a connection
4590 * from a TLSv1.2 client.
4591 */
3cb47b4e 4592static int test_early_data_tls1_2(int idx)
5f982038
MC		 4593{
4594 SSL_CTX *cctx = NULL, *sctx = NULL;
4595 SSL *clientssl = NULL, *serverssl = NULL;
4596 int testresult = 0;
4597 unsigned char buf[20];
4598 size_t readbytes, written;
4599
02a3ed5a 4600 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 4601 &serverssl, NULL, idx,
4602 SHA384_DIGEST_LENGTH)))
5f982038 4603 goto end;
5f982038
MC		 4604
4605 /* Write some data - should block due to handshake with server */
4606 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4607 SSL_set_connect_state(clientssl);
710756a9 4608 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 4609 goto end;
5f982038
MC		 4610
4611 /*
4612 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 4613 * messages from client after ServerDone. Then SSL_read_early_data should
4614 * finish and detect that early data has not been sent
5f982038 4615 */
710756a9
RS		 4616 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4617 &readbytes),
4618 SSL_READ_EARLY_DATA_ERROR))
5f982038 4619 goto end;
5f982038
MC		 4620
4621 /*
4622 * Continue writing the message we started earlier. Will still block waiting
4623 * for the CCS/Finished from server
4624 */
710756a9
RS		 4625 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4626 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4627 &readbytes),
4628 SSL_READ_EARLY_DATA_FINISH)
4629 || !TEST_size_t_eq(readbytes, 0)
4630 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4631 SSL_EARLY_DATA_NOT_SENT))
5f982038 4632 goto end;
5f982038
MC		 4633
4634 /* Continue writing the message we started earlier */
710756a9
RS		 4635 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4636 || !TEST_size_t_eq(written, strlen(MSG1))
4637 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4638 SSL_EARLY_DATA_NOT_SENT)
4639 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4640 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4641 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4642 || !TEST_size_t_eq(written, strlen(MSG2))
4643 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4644 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4645 goto end;
5f982038
MC		 4646
4647 testresult = 1;
4648
4649 end:
57dee9bb
MC		 4650 SSL_SESSION_free(clientpsk);
4651 SSL_SESSION_free(serverpsk);
4652 clientpsk = serverpsk = NULL;
5f982038
MC		 4653 SSL_free(serverssl);
4654 SSL_free(clientssl);
4655 SSL_CTX_free(sctx);
4656 SSL_CTX_free(cctx);
4657
4658 return testresult;
4659}
ca0413ae
MC		 4660# endif /* OPENSSL_NO_TLS1_2 */
4661
034cb87b
MC		 4662/*
4663 * Test configuring the TLSv1.3 ciphersuites
4664 *
4665 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4666 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4667 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4668 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4669 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4670 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4671 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4672 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4673 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4674 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4675 */
4676static int test_set_ciphersuite(int idx)
4677{
4678 SSL_CTX *cctx = NULL, *sctx = NULL;
4679 SSL *clientssl = NULL, *serverssl = NULL;
4680 int testresult = 0;
4681
5e30f2fd
MC		 4682 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4683 TLS_client_method(), TLS1_VERSION, 0,
034cb87b
MC		 4684 &sctx, &cctx, cert, privkey))
4685 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4686 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4687 goto end;
4688
4689 if (idx >=4 && idx <= 7) {
4690 /* SSL_CTX explicit cipher list */
4691 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4692 goto end;
4693 }
4694
4695 if (idx == 0 || idx == 4) {
4696 /* Default ciphersuite */
4697 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4698 "TLS_AES_128_GCM_SHA256")))
4699 goto end;
4700 } else if (idx == 1 || idx == 5) {
4701 /* Non default ciphersuite */
4702 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4703 "TLS_AES_128_CCM_SHA256")))
4704 goto end;
4705 }
4706
4707 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4708 &clientssl, NULL, NULL)))
4709 goto end;
4710
4711 if (idx == 8 || idx == 9) {
4712 /* SSL explicit cipher list */
4713 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4714 goto end;
4715 }
4716
4717 if (idx == 2 || idx == 6 || idx == 8) {
4718 /* Default ciphersuite */
4719 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4720 "TLS_AES_128_GCM_SHA256")))
4721 goto end;
4722 } else if (idx == 3 || idx == 7 || idx == 9) {
4723 /* Non default ciphersuite */
4724 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4725 "TLS_AES_128_CCM_SHA256")))
4726 goto end;
4727 }
4728
4729 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4730 goto end;
4731
4732 testresult = 1;
4733
4734 end:
4735 SSL_free(serverssl);
4736 SSL_free(clientssl);
4737 SSL_CTX_free(sctx);
4738 SSL_CTX_free(cctx);
4739
4740 return testresult;
4741}
4742
ca0413ae
MC		 4743static int test_ciphersuite_change(void)
4744{
4745 SSL_CTX *cctx = NULL, *sctx = NULL;
4746 SSL *clientssl = NULL, *serverssl = NULL;
4747 SSL_SESSION *clntsess = NULL;
4748 int testresult = 0;
4749 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4750
4751 /* Create a session based on SHA-256 */
5e30f2fd
MC		 4752 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4753 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 4754 &sctx, &cctx, cert, privkey))
4f6c7044
MC		 4755 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4756 "TLS_AES_128_GCM_SHA256:"
4757 "TLS_AES_256_GCM_SHA384:"
4758 "TLS_AES_128_CCM_SHA256"))
f865b081 4759 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
e0710222
P		 4760 "TLS_AES_128_GCM_SHA256")))
4761 goto end;
4762
4763 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4764 NULL, NULL))
ca0413ae
MC		 4765 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4766 SSL_ERROR_NONE)))
4767 goto end;
4768
4769 clntsess = SSL_get1_session(clientssl);
4770 /* Save for later */
4771 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4772 SSL_shutdown(clientssl);
4773 SSL_shutdown(serverssl);
4774 SSL_free(serverssl);
4775 SSL_free(clientssl);
4776 serverssl = clientssl = NULL;
4777
4778 /* Check we can resume a session with a different SHA-256 ciphersuite */
f865b081 4779 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4f6c7044
MC		 4780 "TLS_AES_128_CCM_SHA256"))
4781 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4782 &clientssl, NULL, NULL))
ca0413ae
MC		 4783 || !TEST_true(SSL_set_session(clientssl, clntsess))
4784 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4785 SSL_ERROR_NONE))
4786 || !TEST_true(SSL_session_reused(clientssl)))
4787 goto end;
4788
4789 SSL_SESSION_free(clntsess);
4790 clntsess = SSL_get1_session(clientssl);
4791 SSL_shutdown(clientssl);
4792 SSL_shutdown(serverssl);
4793 SSL_free(serverssl);
4794 SSL_free(clientssl);
4795 serverssl = clientssl = NULL;
4796
4797 /*
4798 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 4799 * succeeds but does not resume.
ca0413ae 4800 */
f865b081 4801 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4802 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4803 NULL, NULL))
4804 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 4805 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 4806 SSL_ERROR_SSL))
0de6d66d 4807 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 4808 goto end;
4809
4810 SSL_SESSION_free(clntsess);
4811 clntsess = NULL;
4812 SSL_shutdown(clientssl);
4813 SSL_shutdown(serverssl);
4814 SSL_free(serverssl);
4815 SSL_free(clientssl);
4816 serverssl = clientssl = NULL;
4817
4818 /* Create a session based on SHA384 */
f865b081 4819 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4820 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4821 &clientssl, NULL, NULL))
4822 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4823 SSL_ERROR_NONE)))
4824 goto end;
4825
4826 clntsess = SSL_get1_session(clientssl);
4827 SSL_shutdown(clientssl);
4828 SSL_shutdown(serverssl);
4829 SSL_free(serverssl);
4830 SSL_free(clientssl);
4831 serverssl = clientssl = NULL;
4832
f865b081
MC		 4833 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4834 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4835 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4836 "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4837 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4838 NULL, NULL))
4839 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 4840 /*
4841 * We use SSL_ERROR_WANT_READ below so that we can pause the
4842 * connection after the initial ClientHello has been sent to
4843 * enable us to make some session changes.
4844 */
ca0413ae
MC		 4845 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4846 SSL_ERROR_WANT_READ)))
4847 goto end;
4848
4849 /* Trick the client into thinking this session is for a different digest */
4850 clntsess->cipher = aes_128_gcm_sha256;
4851 clntsess->cipher_id = clntsess->cipher->id;
4852
4853 /*
3b0e88d3
MC		 4854 * Continue the previously started connection. Server has selected a SHA-384
4855 * ciphersuite, but client thinks the session is for SHA-256, so it should
4856 * bail out.
ca0413ae
MC		 4857 */
4858 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4859 SSL_ERROR_SSL))
4860 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4861 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4862 goto end;
4863
4864 testresult = 1;
4865
4866 end:
4867 SSL_SESSION_free(clntsess);
4868 SSL_free(serverssl);
4869 SSL_free(clientssl);
4870 SSL_CTX_free(sctx);
4871 SSL_CTX_free(cctx);
4872
4873 return testresult;
4874}
4875
8e63900a 4876/*
5bf2eade 4877 * Test TLSv1.3 Key exchange
4878 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4879 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4880 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4881 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4882 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4883 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4884 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4885 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4886 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4887 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4888 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4889 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4890 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4891 * Test 13 = Test all FFDHE with TLSv1.2 client and server
8e63900a 4892 */
f89d3d69
BK		 4893# ifndef OPENSSL_NO_EC
4894static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4895 NID_secp521r1, NID_X25519, NID_X448};
4896# endif
4897# ifndef OPENSSL_NO_DH
4898static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4899 NID_ffdhe6144, NID_ffdhe8192};
4900# endif
db26ec80 4901static int test_key_exchange(int idx)
8e63900a 4902{
4903 SSL_CTX *sctx = NULL, *cctx = NULL;
4904 SSL *serverssl = NULL, *clientssl = NULL;
4905 int testresult = 0;
fb8c6db4 4906 int kexch_alg;
4907 int *kexch_groups = &kexch_alg;
4908 int kexch_groups_size = 1;
8e63900a 4909 int max_version = TLS1_3_VERSION;
becbacd7 4910 char *kexch_name0 = NULL;
8e63900a 4911
4912 switch (idx) {
5bf2eade 4913# ifndef OPENSSL_NO_EC
db26ec80 4914# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4915 case 12:
fb8c6db4 4916 max_version = TLS1_2_VERSION;
db26ec80 4917# endif
fb8c6db4 4918 /* Fall through */
4919 case 0:
4920 kexch_groups = ecdhe_kexch_groups;
4921 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
becbacd7 4922 kexch_name0 = "secp256r1";
fb8c6db4 4923 break;
5bf2eade 4924 case 1:
fb8c6db4 4925 kexch_alg = NID_X9_62_prime256v1;
becbacd7 4926 kexch_name0 = "secp256r1";
fb8c6db4 4927 break;
5bf2eade 4928 case 2:
fb8c6db4 4929 kexch_alg = NID_secp384r1;
becbacd7 4930 kexch_name0 = "secp384r1";
fb8c6db4 4931 break;
5bf2eade 4932 case 3:
fb8c6db4 4933 kexch_alg = NID_secp521r1;
becbacd7 4934 kexch_name0 = "secp521r1";
fb8c6db4 4935 break;
5bf2eade 4936 case 4:
fb8c6db4 4937 kexch_alg = NID_X25519;
becbacd7 4938 kexch_name0 = "x25519";
fb8c6db4 4939 break;
5bf2eade 4940 case 5:
fb8c6db4 4941 kexch_alg = NID_X448;
becbacd7 4942 kexch_name0 = "x448";
fb8c6db4 4943 break;
5bf2eade 4944# endif
4945# ifndef OPENSSL_NO_DH
db26ec80 4946# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4947 case 13:
dbc6268f 4948 max_version = TLS1_2_VERSION;
becbacd7 4949 kexch_name0 = "ffdhe2048";
db26ec80 4950# endif
dbc6268f 4951 /* Fall through */
5bf2eade 4952 case 6:
8e63900a 4953 kexch_groups = ffdhe_kexch_groups;
4954 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
becbacd7 4955 kexch_name0 = "ffdhe2048";
8e63900a 4956 break;
5bf2eade 4957 case 7:
fb8c6db4 4958 kexch_alg = NID_ffdhe2048;
becbacd7 4959 kexch_name0 = "ffdhe2048";
fb8c6db4 4960 break;
5bf2eade 4961 case 8:
fb8c6db4 4962 kexch_alg = NID_ffdhe3072;
becbacd7 4963 kexch_name0 = "ffdhe3072";
fb8c6db4 4964 break;
5bf2eade 4965 case 9:
fb8c6db4 4966 kexch_alg = NID_ffdhe4096;
becbacd7 4967 kexch_name0 = "ffdhe4096";
fb8c6db4 4968 break;
5bf2eade 4969 case 10:
fb8c6db4 4970 kexch_alg = NID_ffdhe6144;
becbacd7 4971 kexch_name0 = "ffdhe6144";
fb8c6db4 4972 break;
5bf2eade 4973 case 11:
fb8c6db4 4974 kexch_alg = NID_ffdhe8192;
becbacd7 4975 kexch_name0 = "ffdhe8192";
8e63900a 4976 break;
5bf2eade 4977# endif
6597d62b
MC		 4978 default:
4979 /* We're skipping this test */
4980 return 1;
8e63900a 4981 }
4982
5e30f2fd
MC		 4983 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4984 TLS_client_method(), TLS1_VERSION,
4985 max_version, &sctx, &cctx, cert,
4986 privkey)))
8e63900a 4987 goto end;
4988
5bf2eade 4989 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4990 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4991 goto end;
4992
5bf2eade 4993 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4994 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4995 goto end;
4996
5bf2eade 4997 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
75d48520
BK		 4998 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4999 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5000 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
8e63900a 5001 goto end;
5002
dbc6268f
MC		 5003 /*
5004 * Must include an EC ciphersuite so that we send supported groups in
5005 * TLSv1.2
5006 */
5bf2eade 5007# ifndef OPENSSL_NO_TLS1_2
dbc6268f 5008 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
75d48520
BK		 5009 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5010 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
8e63900a 5011 goto end;
5bf2eade 5012# endif
8e63900a 5013
5014 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5015 NULL, NULL)))
5016 goto end;
5017
5018 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
5019 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
5020 goto end;
5021
5bf2eade 5022 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8e63900a 5023 goto end;
8e63900a 5024
dbc6268f 5025 /*
5bf2eade 5026 * If Handshake succeeds the negotiated kexch alg should be the first one in
5027 * configured, except in the case of FFDHE groups (idx 13), which are
5028 * TLSv1.3 only so we expect no shared group to exist.
dbc6268f
MC		 5029 */
5030 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
5bf2eade 5031 idx == 13 ? 0 : kexch_groups[0]))
8e63900a 5032 goto end;
becbacd7
MB		 5033
5034 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
5035 kexch_name0))
5036 goto end;
5037
75d48520
BK		 5038 /* We don't implement RFC 7919 named groups for TLS 1.2. */
5039 if (idx != 13) {
68668243
AB		 5040 if (!TEST_str_eq(SSL_get0_group_name(serverssl), kexch_name0)
5041 || !TEST_str_eq(SSL_get0_group_name(clientssl), kexch_name0))
5042 goto end;
fb8c6db4 5043 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
5044 goto end;
5045 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
5046 goto end;
5047 }
8e63900a 5048
5049 testresult = 1;
5050 end:
5051 SSL_free(serverssl);
5052 SSL_free(clientssl);
5053 SSL_CTX_free(sctx);
5054 SSL_CTX_free(cctx);
5055 return testresult;
5056}
5057
c9cddf05
P		 5058# if !defined(OPENSSL_NO_TLS1_2) \
5059 && !defined(OPENSSL_NO_EC) \
5060 && !defined(OPENSSL_NO_DH)
6dc56df2
BK		 5061static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
5062 int isecdhe, int idx)
5063{
5064 int kexch_alg;
5065 int *kexch_groups = &kexch_alg;
5066 int numec, numff;
5067
5068 numec = OSSL_NELEM(ecdhe_kexch_groups);
5069 numff = OSSL_NELEM(ffdhe_kexch_groups);
5070 if (isecdhe)
5071 kexch_alg = ecdhe_kexch_groups[idx];
5072 else
5073 kexch_alg = ffdhe_kexch_groups[idx];
5074
5075 if (clientmulti) {
5076 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
5077 return 0;
5078 if (isecdhe) {
5079 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
5080 numec)))
5081 return 0;
5082 } else {
5083 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
5084 numff)))
5085 return 0;
5086 }
5087 } else {
5088 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
5089 return 0;
5090 if (isecdhe) {
5091 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
5092 numec)))
5093 return 0;
5094 } else {
5095 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
5096 numff)))
5097 return 0;
5098 }
5099 }
5100 return 1;
5101}
5102
5103/*-
5104 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
5105 * Run through both the ECDHE and FFDHE group lists used in the previous
5106 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
5107 * confirming the expected result; then perform a resumption handshake
5108 * while offering the same group list, and another resumption handshake
5109 * offering a different group list. The returned value should be the
5110 * negotiated group for the initial handshake; for TLS 1.3 resumption
5111 * handshakes the returned value will be negotiated on the resumption
5112 * handshake itself, but for TLS 1.2 resumption handshakes the value will
5113 * be cached in the session from the original handshake, regardless of what
5114 * was offered in the resumption ClientHello.
5115 *
5116 * Using E for the number of EC groups and F for the number of FF groups:
6dc56df2
BK		 5117 * E tests of ECDHE with TLS 1.3, server only has one group
5118 * F tests of FFDHE with TLS 1.3, server only has one group
5119 * E tests of ECDHE with TLS 1.2, server only has one group
5120 * F tests of FFDHE with TLS 1.2, server only has one group
3bd5319b
BK		 5121 * E tests of ECDHE with TLS 1.3, client sends only one group
5122 * F tests of FFDHE with TLS 1.3, client sends only one group
5123 * E tests of ECDHE with TLS 1.2, client sends only one group
5124 * F tests of FFDHE with TLS 1.2, client sends only one group
6dc56df2
BK		 5125 */
5126static int test_negotiated_group(int idx)
5127{
5128 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
5129 int expectednid;
5130 SSL_CTX *sctx = NULL, *cctx = NULL;
5131 SSL *serverssl = NULL, *clientssl = NULL;
5132 SSL_SESSION *origsess = NULL;
5133 int testresult = 0;
5134 int kexch_alg;
5135 int max_version = TLS1_3_VERSION;
5136
5137 numec = OSSL_NELEM(ecdhe_kexch_groups);
5138 numff = OSSL_NELEM(ffdhe_kexch_groups);
5139 numgroups = numec + numff;
5140 clientmulti = (idx < 2 * numgroups);
5141 idx = idx % (2 * numgroups);
5142 istls13 = (idx < numgroups);
5143 idx = idx % numgroups;
5144 isecdhe = (idx < numec);
5145 if (!isecdhe)
5146 idx -= numec;
5147 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
5148 if (isecdhe)
5149 kexch_alg = ecdhe_kexch_groups[idx];
5150 else
5151 kexch_alg = ffdhe_kexch_groups[idx];
5152 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
5153 if (!istls13 && !isecdhe)
5154 expectednid = NID_undef;
5155 else
5156 expectednid = kexch_alg;
5157
5158 if (!istls13)
5159 max_version = TLS1_2_VERSION;
5160
5161 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5162 TLS_client_method(), TLS1_VERSION,
5163 max_version, &sctx, &cctx, cert,
5164 privkey)))
5165 goto end;
5166
5167 /*
5168 * Force (EC)DHE ciphers for TLS 1.2.
5169 * Be sure to enable auto tmp DH so that FFDHE can succeed.
5170 */
5171 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5172 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5173 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5174 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5175 goto end;
5176 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5177 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5178 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5179 goto end;
5180
5181 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5182 NULL, NULL)))
5183 goto end;
5184
5185 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
5186 idx)))
5187 goto end;
5188
5189 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5190 goto end;
5191
5192 /* Initial handshake; always the configured one */
5193 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5194 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5195 goto end;
5196
5197 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
5198 goto end;
5199
5200 SSL_shutdown(clientssl);
5201 SSL_shutdown(serverssl);
5202 SSL_free(serverssl);
5203 SSL_free(clientssl);
5204 serverssl = clientssl = NULL;
5205
5206 /* First resumption attempt; use the same config as initial handshake */
5207 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5208 NULL, NULL))
5209 || !TEST_true(SSL_set_session(clientssl, origsess))
5210 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5211 isecdhe, idx)))
5212 goto end;
5213
5214 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5215 || !TEST_true(SSL_session_reused(clientssl)))
5216 goto end;
5217
5218 /* Still had better agree, since nothing changed... */
5219 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5220 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5221 goto end;
5222
5223 SSL_shutdown(clientssl);
5224 SSL_shutdown(serverssl);
5225 SSL_free(serverssl);
5226 SSL_free(clientssl);
5227 serverssl = clientssl = NULL;
5228
5229 /*-
5230 * Second resumption attempt
5231 * The party that picks one group changes it, which we effectuate by
5232 * changing 'idx' and updating what we expect.
5233 */
5234 if (idx == 0)
5235 idx = 1;
5236 else
5237 idx--;
5238 if (istls13) {
5239 if (isecdhe)
5240 expectednid = ecdhe_kexch_groups[idx];
5241 else
5242 expectednid = ffdhe_kexch_groups[idx];
5243 /* Verify that we are changing what we expect. */
5244 if (!TEST_int_ne(expectednid, kexch_alg))
5245 goto end;
5246 } else {
5247 /* TLS 1.2 only supports named groups for ECDHE. */
5248 if (isecdhe)
5249 expectednid = kexch_alg;
5250 else
5251 expectednid = 0;
5252 }
5253 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5254 NULL, NULL))
5255 || !TEST_true(SSL_set_session(clientssl, origsess))
5256 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5257 isecdhe, idx)))
5258 goto end;
5259
5260 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5261 || !TEST_true(SSL_session_reused(clientssl)))
5262 goto end;
5263
5264 /* Check that we get what we expected */
5265 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5266 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5267 goto end;
5268
5269 testresult = 1;
5270 end:
5271 SSL_free(serverssl);
5272 SSL_free(clientssl);
5273 SSL_CTX_free(sctx);
5274 SSL_CTX_free(cctx);
5275 SSL_SESSION_free(origsess);
5276 return testresult;
5277}
5278# endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
5279
5bf2eade 5280/*
5281 * Test TLSv1.3 Cipher Suite
5282 * Test 0 = Set TLS1.3 cipher on context
5283 * Test 1 = Set TLS1.3 cipher on SSL
5284 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
5285 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
5286 */
5287static int test_tls13_ciphersuite(int idx)
5288{
5289 SSL_CTX *sctx = NULL, *cctx = NULL;
5290 SSL *serverssl = NULL, *clientssl = NULL;
4f6c7044
MC		 5291 static const struct {
5292 const char *ciphername;
5293 int fipscapable;
e0710222 5294 int low_security;
4f6c7044 5295 } t13_ciphers[] = {
e0710222
P		 5296 { TLS1_3_RFC_AES_128_GCM_SHA256, 1, 0 },
5297 { TLS1_3_RFC_AES_256_GCM_SHA384, 1, 0 },
5298 { TLS1_3_RFC_AES_128_CCM_SHA256, 1, 0 },
5bf2eade 5299# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e0710222 5300 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
4f6c7044 5301 { TLS1_3_RFC_AES_256_GCM_SHA384
e0710222 5302 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5bf2eade 5303# endif
e0710222
P		 5304 /* CCM8 ciphers are considered low security due to their short tag */
5305 { TLS1_3_RFC_AES_128_CCM_8_SHA256
5306 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1, 1 }
5bf2eade 5307 };
5308 const char *t13_cipher = NULL;
5309 const char *t12_cipher = NULL;
5310 const char *negotiated_scipher;
5311 const char *negotiated_ccipher;
5312 int set_at_ctx = 0;
5313 int set_at_ssl = 0;
5314 int testresult = 0;
5315 int max_ver;
5316 size_t i;
5317
5318 switch (idx) {
5319 case 0:
5320 set_at_ctx = 1;
5321 break;
5322 case 1:
5323 set_at_ssl = 1;
5324 break;
5325 case 2:
5326 set_at_ctx = 1;
2d900758 5327 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 5328 break;
5329 case 3:
5330 set_at_ssl = 1;
2d900758 5331 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 5332 break;
5333 }
5334
5335 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5336# ifdef OPENSSL_NO_TLS1_2
5337 if (max_ver == TLS1_2_VERSION)
5338 continue;
5339# endif
5340 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4f6c7044
MC		 5341 if (is_fips && !t13_ciphers[i].fipscapable)
5342 continue;
5343 t13_cipher = t13_ciphers[i].ciphername;
5e30f2fd 5344 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5bf2eade 5345 TLS_client_method(),
5346 TLS1_VERSION, max_ver,
5347 &sctx, &cctx, cert, privkey)))
5348 goto end;
5349
e0710222
P		 5350 if (t13_ciphers[i].low_security) {
5351 SSL_CTX_set_security_level(sctx, 0);
5352 SSL_CTX_set_security_level(cctx, 0);
5353 }
5354
5bf2eade 5355 if (set_at_ctx) {
5356 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5357 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5358 goto end;
5359 if (t12_cipher != NULL) {
5360 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5361 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5362 t12_cipher)))
5363 goto end;
5364 }
5365 }
5366
5367 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5368 &clientssl, NULL, NULL)))
5369 goto end;
5370
5371 if (set_at_ssl) {
5372 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5373 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5374 goto end;
5375 if (t12_cipher != NULL) {
5376 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5377 || !TEST_true(SSL_set_cipher_list(clientssl,
5378 t12_cipher)))
5379 goto end;
5380 }
5381 }
5382
5383 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5384 SSL_ERROR_NONE)))
5385 goto end;
5386
5387 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5388 serverssl));
5389 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5390 clientssl));
5391 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5392 goto end;
5393
5394 /*
5395 * TEST_strn_eq is used below because t13_cipher can contain
5396 * multiple ciphersuites
5397 */
5398 if (max_ver == TLS1_3_VERSION
5399 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5400 strlen(negotiated_scipher)))
5401 goto end;
5402
5403# ifndef OPENSSL_NO_TLS1_2
5404 /* Below validation is not done when t12_cipher is NULL */
5405 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5406 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5407 goto end;
5408# endif
5409
5410 SSL_free(serverssl);
5411 serverssl = NULL;
5412 SSL_free(clientssl);
5413 clientssl = NULL;
5414 SSL_CTX_free(sctx);
5415 sctx = NULL;
5416 SSL_CTX_free(cctx);
5417 cctx = NULL;
5418 }
5419 }
5420
5421 testresult = 1;
5422 end:
5423 SSL_free(serverssl);
5424 SSL_free(clientssl);
5425 SSL_CTX_free(sctx);
5426 SSL_CTX_free(cctx);
5427 return testresult;
5428}
5429
0d8da779
MC		 5430/*
5431 * Test TLSv1.3 PSKs
5432 * Test 0 = Test new style callbacks
5433 * Test 1 = Test both new and old style callbacks
5434 * Test 2 = Test old style callbacks
5435 * Test 3 = Test old style callbacks with no certificate
5436 */
532f9578 5437static int test_tls13_psk(int idx)
ca8c71ba
MC		 5438{
5439 SSL_CTX *sctx = NULL, *cctx = NULL;
5440 SSL *serverssl = NULL, *clientssl = NULL;
5441 const SSL_CIPHER *cipher = NULL;
5442 const unsigned char key[] = {
5443 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5444 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 5445 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5446 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 5447 };
5448 int testresult = 0;
5449
5e30f2fd
MC		 5450 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5451 TLS_client_method(), TLS1_VERSION, 0,
0d8da779
MC		 5452 &sctx, &cctx, idx == 3 ? NULL : cert,
5453 idx == 3 ? NULL : privkey)))
ca8c71ba
MC		 5454 goto end;
5455
0d8da779
MC		 5456 if (idx != 3) {
5457 /*
5458 * We use a ciphersuite with SHA256 to ease testing old style PSK
5459 * callbacks which will always default to SHA256. This should not be
5460 * necessary if we have no cert/priv key. In that case the server should
5461 * prefer SHA256 automatically.
5462 */
5463 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5464 "TLS_AES_128_GCM_SHA256")))
5465 goto end;
4f6c7044
MC		 5466 } else {
5467 /*
5468 * As noted above the server should prefer SHA256 automatically. However
5469 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5470 * code works even if we are testing with only the FIPS provider loaded.
5471 */
5472 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5473 "TLS_AES_256_GCM_SHA384:"
5474 "TLS_AES_128_GCM_SHA256")))
5475 goto end;
0d8da779 5476 }
532f9578
MC		 5477
5478 /*
5479 * Test 0: New style callbacks only
5480 * Test 1: New and old style callbacks (only the new ones should be used)
5481 * Test 2: Old style callbacks only
5482 */
5483 if (idx == 0 || idx == 1) {
5484 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5485 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5486 }
c2b290c3 5487#ifndef OPENSSL_NO_PSK
0d8da779 5488 if (idx >= 1) {
532f9578
MC		 5489 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5490 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5491 }
c2b290c3 5492#endif
ca8c71ba 5493 srvid = pskid;
02a3ed5a
MC		 5494 use_session_cb_cnt = 0;
5495 find_session_cb_cnt = 0;
532f9578
MC		 5496 psk_client_cb_cnt = 0;
5497 psk_server_cb_cnt = 0;
ca8c71ba 5498
0d8da779
MC		 5499 if (idx != 3) {
5500 /*
5501 * Check we can create a connection if callback decides not to send a
5502 * PSK
5503 */
5504 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5505 NULL, NULL))
5506 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5507 SSL_ERROR_NONE))
5508 || !TEST_false(SSL_session_reused(clientssl))
5509 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 5510 goto end;
532f9578 5511
0d8da779
MC		 5512 if (idx == 0 || idx == 1) {
5513 if (!TEST_true(use_session_cb_cnt == 1)
5514 || !TEST_true(find_session_cb_cnt == 0)
5515 /*
5516 * If no old style callback then below should be 0
5517 * otherwise 1
5518 */
5519 || !TEST_true(psk_client_cb_cnt == idx)
5520 || !TEST_true(psk_server_cb_cnt == 0))
5521 goto end;
5522 } else {
5523 if (!TEST_true(use_session_cb_cnt == 0)
5524 || !TEST_true(find_session_cb_cnt == 0)
5525 || !TEST_true(psk_client_cb_cnt == 1)
5526 || !TEST_true(psk_server_cb_cnt == 0))
5527 goto end;
5528 }
5529
5530 shutdown_ssl_connection(serverssl, clientssl);
5531 serverssl = clientssl = NULL;
5532 use_session_cb_cnt = psk_client_cb_cnt = 0;
5533 }
ca8c71ba
MC		 5534
5535 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5536 NULL, NULL)))
5537 goto end;
5538
5539 /* Create the PSK */
532f9578 5540 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 5541 clientpsk = SSL_SESSION_new();
5542 if (!TEST_ptr(clientpsk)
ca8c71ba 5543 || !TEST_ptr(cipher)
57dee9bb
MC		 5544 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5545 sizeof(key)))
5546 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5547 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5548 TLS1_3_VERSION))
5549 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 5550 goto end;
57dee9bb 5551 serverpsk = clientpsk;
ca8c71ba
MC		 5552
5553 /* Check we can create a connection and the PSK is used */
5554 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5555 || !TEST_true(SSL_session_reused(clientssl))
532f9578 5556 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 5557 goto end;
5558
532f9578
MC		 5559 if (idx == 0 || idx == 1) {
5560 if (!TEST_true(use_session_cb_cnt == 1)
5561 || !TEST_true(find_session_cb_cnt == 1)
5562 || !TEST_true(psk_client_cb_cnt == 0)
5563 || !TEST_true(psk_server_cb_cnt == 0))
5564 goto end;
5565 } else {
5566 if (!TEST_true(use_session_cb_cnt == 0)
5567 || !TEST_true(find_session_cb_cnt == 0)
5568 || !TEST_true(psk_client_cb_cnt == 1)
5569 || !TEST_true(psk_server_cb_cnt == 1))
5570 goto end;
5571 }
5572
ca8c71ba
MC		 5573 shutdown_ssl_connection(serverssl, clientssl);
5574 serverssl = clientssl = NULL;
5575 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 5576 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 5577
5578 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5579 NULL, NULL)))
5580 goto end;
5581
5582 /* Force an HRR */
dbc6268f
MC		 5583#if defined(OPENSSL_NO_EC)
5584 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5585 goto end;
5586#else
ca8c71ba
MC		 5587 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
5588 goto end;
dbc6268f 5589#endif
ca8c71ba
MC		 5590
5591 /*
5592 * Check we can create a connection, the PSK is used and the callbacks are
5593 * called twice.
5594 */
5595 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5596 || !TEST_true(SSL_session_reused(clientssl))
532f9578 5597 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 5598 goto end;
5599
532f9578
MC		 5600 if (idx == 0 || idx == 1) {
5601 if (!TEST_true(use_session_cb_cnt == 2)
5602 || !TEST_true(find_session_cb_cnt == 2)
5603 || !TEST_true(psk_client_cb_cnt == 0)
5604 || !TEST_true(psk_server_cb_cnt == 0))
5605 goto end;
5606 } else {
5607 if (!TEST_true(use_session_cb_cnt == 0)
5608 || !TEST_true(find_session_cb_cnt == 0)
5609 || !TEST_true(psk_client_cb_cnt == 2)
5610 || !TEST_true(psk_server_cb_cnt == 2))
5611 goto end;
5612 }
5613
ca8c71ba
MC		 5614 shutdown_ssl_connection(serverssl, clientssl);
5615 serverssl = clientssl = NULL;
5616 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 5617 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba 5618
0d8da779
MC		 5619 if (idx != 3) {
5620 /*
5621 * Check that if the server rejects the PSK we can still connect, but with
5622 * a full handshake
5623 */
5624 srvid = "Dummy Identity";
5625 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5626 NULL, NULL))
5627 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5628 SSL_ERROR_NONE))
5629 || !TEST_false(SSL_session_reused(clientssl))
5630 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 5631 goto end;
532f9578 5632
0d8da779
MC		 5633 if (idx == 0 || idx == 1) {
5634 if (!TEST_true(use_session_cb_cnt == 1)
5635 || !TEST_true(find_session_cb_cnt == 1)
5636 || !TEST_true(psk_client_cb_cnt == 0)
5637 /*
5638 * If no old style callback then below should be 0
5639 * otherwise 1
5640 */
5641 || !TEST_true(psk_server_cb_cnt == idx))
5642 goto end;
5643 } else {
5644 if (!TEST_true(use_session_cb_cnt == 0)
5645 || !TEST_true(find_session_cb_cnt == 0)
5646 || !TEST_true(psk_client_cb_cnt == 1)
5647 || !TEST_true(psk_server_cb_cnt == 1))
5648 goto end;
5649 }
5650
5651 shutdown_ssl_connection(serverssl, clientssl);
5652 serverssl = clientssl = NULL;
5653 }
ca8c71ba
MC		 5654 testresult = 1;
5655
5656 end:
57dee9bb
MC		 5657 SSL_SESSION_free(clientpsk);
5658 SSL_SESSION_free(serverpsk);
5659 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 5660 SSL_free(serverssl);
5661 SSL_free(clientssl);
5662 SSL_CTX_free(sctx);
5663 SSL_CTX_free(cctx);
5664 return testresult;
5665}
5666
c7b8ff25
MC		 5667static unsigned char cookie_magic_value[] = "cookie magic";
5668
5669static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5670 unsigned int *cookie_len)
5671{
5672 /*
5673 * Not suitable as a real cookie generation function but good enough for
5674 * testing!
5675 */
97ea1e7f
MC		 5676 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5677 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 5678
5679 return 1;
5680}
5681
5682static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5683 unsigned int cookie_len)
5684{
97ea1e7f 5685 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 5686 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5687 return 1;
5688
5689 return 0;
5690}
5691
3fa2812f
BS		 5692static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5693 size_t *cookie_len)
5694{
5695 unsigned int temp;
5696 int res = generate_cookie_callback(ssl, cookie, &temp);
5697 *cookie_len = temp;
5698 return res;
5699}
5700
5701static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5702 size_t cookie_len)
5703{
5704 return verify_cookie_callback(ssl, cookie, cookie_len);
5705}
5706
c7b8ff25
MC		 5707static int test_stateless(void)
5708{
5709 SSL_CTX *sctx = NULL, *cctx = NULL;
5710 SSL *serverssl = NULL, *clientssl = NULL;
5711 int testresult = 0;
5712
5e30f2fd
MC		 5713 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5714 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5715 &sctx, &cctx, cert, privkey)))
c7b8ff25
MC		 5716 goto end;
5717
e440f513
MC		 5718 /* The arrival of CCS messages can confuse the test */
5719 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5720
5721 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5722 NULL, NULL))
5723 /* Send the first ClientHello */
5724 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5725 SSL_ERROR_WANT_READ))
5726 /*
5727 * This should fail with a -1 return because we have no callbacks
5728 * set up
5729 */
5730 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5731 goto end;
5732
5733 /* Fatal error so abandon the connection from this client */
5734 SSL_free(clientssl);
5735 clientssl = NULL;
5736
c7b8ff25 5737 /* Set up the cookie generation and verification callbacks */
3fa2812f
BS		 5738 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5739 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
c7b8ff25 5740
e440f513
MC		 5741 /*
5742 * Create a new connection from the client (we can reuse the server SSL
5743 * object).
5744 */
c7b8ff25
MC		 5745 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5746 NULL, NULL))
5747 /* Send the first ClientHello */
5748 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5749 SSL_ERROR_WANT_READ))
5750 /* This should fail because there is no cookie */
e440f513 5751 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 5752 goto end;
5753
5754 /* Abandon the connection from this client */
5755 SSL_free(clientssl);
5756 clientssl = NULL;
5757
5758 /*
5759 * Now create a connection from a new client but with the same server SSL
5760 * object
5761 */
5762 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5763 NULL, NULL))
5764 /* Send the first ClientHello */
5765 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5766 SSL_ERROR_WANT_READ))
5767 /* This should fail because there is no cookie */
e440f513 5768 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 5769 /* Send the second ClientHello */
5770 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5771 SSL_ERROR_WANT_READ))
5772 /* This should succeed because a cookie is now present */
e440f513 5773 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 5774 /* Complete the connection */
5775 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5776 SSL_ERROR_NONE)))
5777 goto end;
5778
5779 shutdown_ssl_connection(serverssl, clientssl);
5780 serverssl = clientssl = NULL;
5781 testresult = 1;
5782
5783 end:
5784 SSL_free(serverssl);
5785 SSL_free(clientssl);
5786 SSL_CTX_free(sctx);
5787 SSL_CTX_free(cctx);
5788 return testresult;
5789
5790}
a763ca11 5791#endif /* OSSL_NO_USABLE_TLS1_3 */
5f982038 5792
a37008d9
MC		 5793static int clntaddoldcb = 0;
5794static int clntparseoldcb = 0;
5795static int srvaddoldcb = 0;
5796static int srvparseoldcb = 0;
5797static int clntaddnewcb = 0;
5798static int clntparsenewcb = 0;
5799static int srvaddnewcb = 0;
5800static int srvparsenewcb = 0;
bb01ef3f 5801static int snicb = 0;
a37008d9
MC		 5802
5803#define TEST_EXT_TYPE1 0xff00
5804
5805static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5806 size_t *outlen, int *al, void *add_arg)
5807{
5808 int *server = (int *)add_arg;
5809 unsigned char *data;
5810
5811 if (SSL_is_server(s))
5812 srvaddoldcb++;
5813 else
5814 clntaddoldcb++;
5815
710756a9
RS		 5816 if (*server != SSL_is_server(s)
5817 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5818 return -1;
5819
5820 *data = 1;
5821 *out = data;
5822 *outlen = sizeof(char);
a37008d9
MC		 5823 return 1;
5824}
5825
5826static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5827 void *add_arg)
5828{
5829 OPENSSL_free((unsigned char *)out);
5830}
5831
5832static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5833 size_t inlen, int *al, void *parse_arg)
5834{
5835 int *server = (int *)parse_arg;
5836
5837 if (SSL_is_server(s))
5838 srvparseoldcb++;
5839 else
5840 clntparseoldcb++;
5841
710756a9
RS		 5842 if (*server != SSL_is_server(s)
5843 || inlen != sizeof(char)
5844 || *in != 1)
a37008d9
MC		 5845 return -1;
5846
5847 return 1;
5848}
5849
5850static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5851 const unsigned char **out, size_t *outlen, X509 *x,
5852 size_t chainidx, int *al, void *add_arg)
5853{
5854 int *server = (int *)add_arg;
5855 unsigned char *data;
5856
5857 if (SSL_is_server(s))
5858 srvaddnewcb++;
5859 else
5860 clntaddnewcb++;
5861
710756a9
RS		 5862 if (*server != SSL_is_server(s)
5863 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5864 return -1;
5865
5866 *data = 1;
5867 *out = data;
710756a9 5868 *outlen = sizeof(*data);
a37008d9
MC		 5869 return 1;
5870}
5871
5872static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5873 const unsigned char *out, void *add_arg)
5874{
5875 OPENSSL_free((unsigned char *)out);
5876}
5877
5878static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5879 const unsigned char *in, size_t inlen, X509 *x,
5880 size_t chainidx, int *al, void *parse_arg)
5881{
5882 int *server = (int *)parse_arg;
5883
5884 if (SSL_is_server(s))
5885 srvparsenewcb++;
5886 else
5887 clntparsenewcb++;
5888
710756a9
RS		 5889 if (*server != SSL_is_server(s)
5890 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 5891 return -1;
5892
5893 return 1;
5894}
bb01ef3f
MC		 5895
5896static int sni_cb(SSL *s, int *al, void *arg)
5897{
5898 SSL_CTX *ctx = (SSL_CTX *)arg;
5899
5900 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5901 *al = SSL_AD_INTERNAL_ERROR;
5902 return SSL_TLSEXT_ERR_ALERT_FATAL;
5903 }
5904 snicb++;
5905 return SSL_TLSEXT_ERR_OK;
5906}
5907
0db3a990
MC		 5908static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5909{
5910 return 1;
5911}
5912
a37008d9
MC		 5913/*
5914 * Custom call back tests.
5915 * Test 0: Old style callbacks in TLSv1.2
5916 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 5917 * Test 2: New style callbacks in TLSv1.2 with SNI
5918 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5919 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
0db3a990 5920 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
a37008d9 5921 */
710756a9
RS		 5922static int test_custom_exts(int tst)
5923{
bb01ef3f 5924 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 5925 SSL *clientssl = NULL, *serverssl = NULL;
5926 int testresult = 0;
5927 static int server = 1;
5928 static int client = 0;
5929 SSL_SESSION *sess = NULL;
5930 unsigned int context;
5931
a763ca11 5932#if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
c423ecaa
MC		 5933 /* Skip tests for TLSv1.2 and below in this case */
5934 if (tst < 3)
5935 return 1;
5936#endif
5937
a37008d9
MC		 5938 /* Reset callback counters */
5939 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5940 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 5941 snicb = 0;
a37008d9 5942
5e30f2fd
MC		 5943 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5944 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5945 &sctx, &cctx, cert, privkey)))
710756a9 5946 goto end;
a37008d9 5947
bb01ef3f 5948 if (tst == 2
5e30f2fd 5949 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5c587fb6 5950 TLS1_VERSION, 0,
7d7f6834 5951 &sctx2, NULL, cert, privkey)))
bb01ef3f
MC		 5952 goto end;
5953
5954
5955 if (tst < 3) {
a37008d9
MC		 5956 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5957 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 5958 if (sctx2 != NULL)
5959 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 5960 }
5961
0db3a990
MC		 5962 if (tst == 5) {
5963 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
5964 | SSL_EXT_TLS1_3_CERTIFICATE;
5965 SSL_CTX_set_verify(sctx,
5966 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
5967 verify_cb);
5968 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
5969 SSL_FILETYPE_PEM), 1)
5970 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
5971 SSL_FILETYPE_PEM), 1)
5972 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
5973 goto end;
5974 } else if (tst == 4) {
710756a9
RS		 5975 context = SSL_EXT_CLIENT_HELLO
5976 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 5977 | SSL_EXT_TLS1_3_SERVER_HELLO
5978 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5979 | SSL_EXT_TLS1_3_CERTIFICATE
5980 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5981 } else {
710756a9
RS		 5982 context = SSL_EXT_CLIENT_HELLO
5983 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 5984 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5985 }
5986
5987 /* Create a client side custom extension */
5988 if (tst == 0) {
710756a9
RS		 5989 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5990 old_add_cb, old_free_cb,
5991 &client, old_parse_cb,
5992 &client)))
5993 goto end;
a37008d9 5994 } else {
710756a9
RS		 5995 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5996 new_add_cb, new_free_cb,
5997 &client, new_parse_cb, &client)))
5998 goto end;
a37008d9
MC		 5999 }
6000
6001 /* Should not be able to add duplicates */
710756a9
RS		 6002 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
6003 old_add_cb, old_free_cb,
6004 &client, old_parse_cb,
6005 &client))
6006 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
6007 context, new_add_cb,
6008 new_free_cb, &client,
6009 new_parse_cb, &client)))
6010 goto end;
a37008d9
MC		 6011
6012 /* Create a server side custom extension */
6013 if (tst == 0) {
710756a9
RS		 6014 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
6015 old_add_cb, old_free_cb,
6016 &server, old_parse_cb,
6017 &server)))
6018 goto end;
a37008d9 6019 } else {
710756a9
RS		 6020 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
6021 new_add_cb, new_free_cb,
6022 &server, new_parse_cb, &server)))
6023 goto end;
bb01ef3f
MC		 6024 if (sctx2 != NULL
6025 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
6026 context, new_add_cb,
6027 new_free_cb, &server,
6028 new_parse_cb, &server)))
6029 goto end;
a37008d9
MC		 6030 }
6031
6032 /* Should not be able to add duplicates */
710756a9
RS		 6033 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
6034 old_add_cb, old_free_cb,
6035 &server, old_parse_cb,
6036 &server))
6037 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
6038 context, new_add_cb,
6039 new_free_cb, &server,
6040 new_parse_cb, &server)))
a37008d9 6041 goto end;
a37008d9 6042
bb01ef3f
MC		 6043 if (tst == 2) {
6044 /* Set up SNI */
6045 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
6046 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
6047 goto end;
6048 }
6049
710756a9
RS		 6050 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6051 &clientssl, NULL, NULL))
6052 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6053 SSL_ERROR_NONE)))
a37008d9 6054 goto end;
a37008d9
MC		 6055
6056 if (tst == 0) {
710756a9
RS		 6057 if (clntaddoldcb != 1
6058 || clntparseoldcb != 1
6059 || srvaddoldcb != 1
6060 || srvparseoldcb != 1)
a37008d9 6061 goto end;
bb01ef3f 6062 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 6063 if (clntaddnewcb != 1
6064 || clntparsenewcb != 1
6065 || srvaddnewcb != 1
bb01ef3f
MC		 6066 || srvparsenewcb != 1
6067 || (tst != 2 && snicb != 0)
6068 || (tst == 2 && snicb != 1))
a37008d9 6069 goto end;
0db3a990
MC		 6070 } else if (tst == 5) {
6071 if (clntaddnewcb != 1
6072 || clntparsenewcb != 1
6073 || srvaddnewcb != 1
6074 || srvparsenewcb != 1)
6075 goto end;
a37008d9 6076 } else {
36ff232c 6077 /* In this case there 2 NewSessionTicket messages created */
710756a9 6078 if (clntaddnewcb != 1
36ff232c
MC		 6079 || clntparsenewcb != 5
6080 || srvaddnewcb != 5
710756a9 6081 || srvparsenewcb != 1)
a37008d9 6082 goto end;
a37008d9
MC		 6083 }
6084
6085 sess = SSL_get1_session(clientssl);
a37008d9
MC		 6086 SSL_shutdown(clientssl);
6087 SSL_shutdown(serverssl);
a37008d9
MC		 6088 SSL_free(serverssl);
6089 SSL_free(clientssl);
6090 serverssl = clientssl = NULL;
6091
0db3a990
MC		 6092 if (tst == 3 || tst == 5) {
6093 /* We don't bother with the resumption aspects for these tests */
bb01ef3f
MC		 6094 testresult = 1;
6095 goto end;
6096 }
6097
710756a9
RS		 6098 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6099 NULL, NULL))
6100 || !TEST_true(SSL_set_session(clientssl, sess))
6101 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6102 SSL_ERROR_NONE)))
a37008d9 6103 goto end;
a37008d9
MC		 6104
6105 /*
6106 * For a resumed session we expect to add the ClientHello extension. For the
6107 * old style callbacks we ignore it on the server side because they set
6108 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
6109 * them.
6110 */
6111 if (tst == 0) {
710756a9
RS		 6112 if (clntaddoldcb != 2
6113 || clntparseoldcb != 1
6114 || srvaddoldcb != 1
6115 || srvparseoldcb != 1)
a37008d9 6116 goto end;
bb01ef3f 6117 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 6118 if (clntaddnewcb != 2
6119 || clntparsenewcb != 2
6120 || srvaddnewcb != 2
6121 || srvparsenewcb != 2)
a37008d9 6122 goto end;
a37008d9 6123 } else {
36ff232c
MC		 6124 /*
6125 * No Certificate message extensions in the resumption handshake,
6126 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
6127 */
710756a9 6128 if (clntaddnewcb != 2
36ff232c
MC		 6129 || clntparsenewcb != 8
6130 || srvaddnewcb != 8
710756a9 6131 || srvparsenewcb != 2)
a37008d9 6132 goto end;
a37008d9
MC		 6133 }
6134
6135 testresult = 1;
6136
6137end:
6138 SSL_SESSION_free(sess);
6139 SSL_free(serverssl);
6140 SSL_free(clientssl);
bb01ef3f 6141 SSL_CTX_free(sctx2);
a37008d9
MC		 6142 SSL_CTX_free(sctx);
6143 SSL_CTX_free(cctx);
a37008d9
MC		 6144 return testresult;
6145}
6146
555dd939 6147#if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
16afd71c 6148
555dd939
DF		 6149#define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
6150 | SSL_EXT_CLIENT_HELLO \
6151 | SSL_EXT_TLS1_2_SERVER_HELLO \
6152 | SSL_EXT_IGNORE_ON_RESUMPTION)
16afd71c 6153
555dd939
DF		 6154#define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
6155 | SSL_EXT_TLS1_2_SERVER_HELLO \
6156 | SSL_EXT_CLIENT_HELLO)
16afd71c 6157
555dd939
DF		 6158#define SERVERINFO_CUSTOM \
6159 0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
6160 0x00, 0x03, \
6161 0x04, 0x05, 0x06 \
6162
6163static const unsigned char serverinfo_custom_tls13[] = {
6164 0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff,
6165 SERVERINFO_CUSTOM
6166};
6167static const unsigned char serverinfo_custom_v2[] = {
6168 0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff,
6169 SERVERINFO_CUSTOM
6170};
6171static const unsigned char serverinfo_custom_v1[] = {
6172 SERVERINFO_CUSTOM
6173};
6174static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13);
6175static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2);
6176static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1);
6177
6178static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type,
6179 unsigned int context,
6180 const unsigned char *in,
6181 size_t inlen, X509 *x,
6182 size_t chainidx, int *al,
6183 void *parse_arg)
6184{
6185 const size_t len = serverinfo_custom_v1_len;
6186 const unsigned char *si = &serverinfo_custom_v1[len - 3];
6187 int *p_cb_result = (int*)parse_arg;
6188 *p_cb_result = TEST_mem_eq(in, inlen, si, 3);
6189 return 1;
6190}
6191
6192static int test_serverinfo_custom(const int idx)
6193{
6194 SSL_CTX *sctx = NULL, *cctx = NULL;
6195 SSL *clientssl = NULL, *serverssl = NULL;
6196 int testresult = 0;
6197 int cb_result = 0;
6198
6199 /*
6200 * Following variables are set in the switch statement
6201 * according to the test iteration.
6202 * Default values do not make much sense: test would fail with them.
6203 */
6204 int serverinfo_version = 0;
6205 int protocol_version = 0;
6206 unsigned int extension_context = 0;
6207 const unsigned char *si = NULL;
6208 size_t si_len = 0;
6209
6210 const int call_use_serverinfo_ex = idx > 0;
6211 switch (idx) {
6212 case 0: /* FALLTHROUGH */
6213 case 1:
6214 serverinfo_version = SSL_SERVERINFOV1;
6215 protocol_version = TLS1_2_VERSION;
6216 extension_context = SYNTHV1CONTEXT;
6217 si = serverinfo_custom_v1;
6218 si_len = serverinfo_custom_v1_len;
6219 break;
6220 case 2:
6221 serverinfo_version = SSL_SERVERINFOV2;
6222 protocol_version = TLS1_2_VERSION;
6223 extension_context = SYNTHV1CONTEXT;
6224 si = serverinfo_custom_v2;
6225 si_len = serverinfo_custom_v2_len;
6226 break;
6227 case 3:
6228 serverinfo_version = SSL_SERVERINFOV2;
6229 protocol_version = TLS1_3_VERSION;
6230 extension_context = TLS13CONTEXT;
6231 si = serverinfo_custom_tls13;
6232 si_len = serverinfo_custom_tls13_len;
6233 break;
16afd71c
MC		 6234 }
6235
555dd939
DF		 6236 if (!TEST_true(create_ssl_ctx_pair(libctx,
6237 TLS_method(),
6238 TLS_method(),
6239 protocol_version,
6240 protocol_version,
6241 &sctx, &cctx, cert, privkey)))
6242 goto end;
16afd71c 6243
555dd939
DF		 6244 if (call_use_serverinfo_ex) {
6245 if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version,
6246 si, si_len)))
6247 goto end;
6248 } else {
6249 if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len)))
6250 goto end;
16afd71c
MC		 6251 }
6252
555dd939
DF		 6253 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp,
6254 extension_context,
6255 NULL, NULL, NULL,
6256 serverinfo_custom_parse_cb,
6257 &cb_result))
6258 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6259 NULL, NULL))
6260 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6261 SSL_ERROR_NONE))
6262 || !TEST_int_eq(SSL_do_handshake(clientssl), 1))
6263 goto end;
6264
6265 if (!TEST_true(cb_result))
16afd71c
MC		 6266 goto end;
6267
6268 testresult = 1;
6269
6270 end:
555dd939
DF		 6271 SSL_free(serverssl);
6272 SSL_free(clientssl);
6273 SSL_CTX_free(sctx);
6274 SSL_CTX_free(cctx);
16afd71c
MC		 6275
6276 return testresult;
6277}
555dd939 6278#endif
16afd71c 6279
2197d1df
MC		 6280/*
6281 * Test that SSL_export_keying_material() produces expected results. There are
6282 * no test vectors so all we do is test that both sides of the communication
6283 * produce the same results for different protocol versions.
6284 */
0fb2815b
MC		 6285#define SMALL_LABEL_LEN 10
6286#define LONG_LABEL_LEN 249
2197d1df
MC		 6287static int test_export_key_mat(int tst)
6288{
a599574b 6289 int testresult = 0;
2197d1df
MC		 6290 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6291 SSL *clientssl = NULL, *serverssl = NULL;
0fb2815b 6292 const char label[LONG_LABEL_LEN + 1] = "test label";
2197d1df
MC		 6293 const unsigned char context[] = "context";
6294 const unsigned char *emptycontext = NULL;
6295 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
6296 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
0fb2815b 6297 size_t labellen;
a599574b
MC		 6298 const int protocols[] = {
6299 TLS1_VERSION,
6300 TLS1_1_VERSION,
6301 TLS1_2_VERSION,
0fb2815b
MC		 6302 TLS1_3_VERSION,
6303 TLS1_3_VERSION,
a599574b
MC		 6304 TLS1_3_VERSION
6305 };
2197d1df
MC		 6306
6307#ifdef OPENSSL_NO_TLS1
6308 if (tst == 0)
6309 return 1;
6310#endif
6311#ifdef OPENSSL_NO_TLS1_1
6312 if (tst == 1)
6313 return 1;
6314#endif
4f6c7044
MC		 6315 if (is_fips && (tst == 0 || tst == 1))
6316 return 1;
2197d1df
MC		 6317#ifdef OPENSSL_NO_TLS1_2
6318 if (tst == 2)
6319 return 1;
6320#endif
a763ca11 6321#ifdef OSSL_NO_USABLE_TLS1_3
0fb2815b 6322 if (tst >= 3)
2197d1df
MC		 6323 return 1;
6324#endif
5e30f2fd
MC		 6325 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6326 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 6327 &sctx, &cctx, cert, privkey)))
2197d1df
MC		 6328 goto end;
6329
a599574b
MC		 6330 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
6331 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
6332 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
aba03ae5
KR		 6333 if ((protocols[tst] < TLS1_2_VERSION) &&
6334 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
6335 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
6336 goto end;
2197d1df
MC		 6337
6338 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
ea9f6890
TM		 6339 NULL)))
6340 goto end;
6341
6342 /*
6343 * Premature call of SSL_export_keying_material should just fail.
6344 */
6345 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6346 sizeof(ckeymat1), label,
6347 SMALL_LABEL_LEN + 1, context,
6348 sizeof(context) - 1, 1), 0))
6349 goto end;
6350
6351 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6352 SSL_ERROR_NONE)))
2197d1df
MC		 6353 goto end;
6354
0fb2815b
MC		 6355 if (tst == 5) {
6356 /*
6357 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
6358 * go over that.
6359 */
6360 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6361 sizeof(ckeymat1), label,
6362 LONG_LABEL_LEN + 1, context,
6363 sizeof(context) - 1, 1), 0))
6364 goto end;
6365
6366 testresult = 1;
6367 goto end;
6368 } else if (tst == 4) {
6369 labellen = LONG_LABEL_LEN;
6370 } else {
6371 labellen = SMALL_LABEL_LEN;
6372 }
6373
2197d1df
MC		 6374 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
6375 sizeof(ckeymat1), label,
0fb2815b 6376 labellen, context,
2197d1df
MC		 6377 sizeof(context) - 1, 1), 1)
6378 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
6379 sizeof(ckeymat2), label,
0fb2815b 6380 labellen,
2197d1df
MC		 6381 emptycontext,
6382 0, 1), 1)
6383 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
6384 sizeof(ckeymat3), label,
0fb2815b 6385 labellen,
2197d1df
MC		 6386 NULL, 0, 0), 1)
6387 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
6388 sizeof(skeymat1), label,
0fb2815b 6389 labellen,
2197d1df
MC		 6390 context,
6391 sizeof(context) -1, 1),
6392 1)
6393 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
6394 sizeof(skeymat2), label,
0fb2815b 6395 labellen,
2197d1df
MC		 6396 emptycontext,
6397 0, 1), 1)
6398 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
6399 sizeof(skeymat3), label,
0fb2815b 6400 labellen,
2197d1df
MC		 6401 NULL, 0, 0), 1)
6402 /*
6403 * Check that both sides created the same key material with the
6404 * same context.
6405 */
6406 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6407 sizeof(skeymat1))
6408 /*
6409 * Check that both sides created the same key material with an
6410 * empty context.
6411 */
6412 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6413 sizeof(skeymat2))
6414 /*
6415 * Check that both sides created the same key material without a
6416 * context.
6417 */
6418 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6419 sizeof(skeymat3))
6420 /* Different contexts should produce different results */
6421 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6422 sizeof(ckeymat2)))
6423 goto end;
6424
6425 /*
6426 * Check that an empty context and no context produce different results in
6427 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6428 */
0fb2815b 6429 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
2197d1df 6430 sizeof(ckeymat3)))
0fb2815b
MC		 6431 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6432 sizeof(ckeymat3))))
2197d1df
MC		 6433 goto end;
6434
6435 testresult = 1;
6436
6437 end:
6438 SSL_free(serverssl);
6439 SSL_free(clientssl);
6440 SSL_CTX_free(sctx2);
6441 SSL_CTX_free(sctx);
6442 SSL_CTX_free(cctx);
6443
6444 return testresult;
6445}
6446
a763ca11 6447#ifndef OSSL_NO_USABLE_TLS1_3
b38ede80
TT		 6448/*
6449 * Test that SSL_export_keying_material_early() produces expected
6450 * results. There are no test vectors so all we do is test that both
6451 * sides of the communication produce the same results for different
6452 * protocol versions.
6453 */
6454static int test_export_key_mat_early(int idx)
6455{
6456 static const char label[] = "test label";
6457 static const unsigned char context[] = "context";
6458 int testresult = 0;
6459 SSL_CTX *cctx = NULL, *sctx = NULL;
6460 SSL *clientssl = NULL, *serverssl = NULL;
6461 SSL_SESSION *sess = NULL;
6462 const unsigned char *emptycontext = NULL;
6463 unsigned char ckeymat1[80], ckeymat2[80];
6464 unsigned char skeymat1[80], skeymat2[80];
6465 unsigned char buf[1];
6466 size_t readbytes, written;
6467
6468 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
10836921 6469 &sess, idx, SHA384_DIGEST_LENGTH)))
b38ede80
TT		 6470 goto end;
6471
6472 /* Here writing 0 length early data is enough. */
6473 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6474 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6475 &readbytes),
6476 SSL_READ_EARLY_DATA_ERROR)
6477 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6478 SSL_EARLY_DATA_ACCEPTED))
6479 goto end;
6480
6481 if (!TEST_int_eq(SSL_export_keying_material_early(
6482 clientssl, ckeymat1, sizeof(ckeymat1), label,
6483 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6484 || !TEST_int_eq(SSL_export_keying_material_early(
6485 clientssl, ckeymat2, sizeof(ckeymat2), label,
6486 sizeof(label) - 1, emptycontext, 0), 1)
6487 || !TEST_int_eq(SSL_export_keying_material_early(
6488 serverssl, skeymat1, sizeof(skeymat1), label,
6489 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6490 || !TEST_int_eq(SSL_export_keying_material_early(
6491 serverssl, skeymat2, sizeof(skeymat2), label,
6492 sizeof(label) - 1, emptycontext, 0), 1)
6493 /*
6494 * Check that both sides created the same key material with the
6495 * same context.
6496 */
6497 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6498 sizeof(skeymat1))
6499 /*
6500 * Check that both sides created the same key material with an
6501 * empty context.
6502 */
6503 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6504 sizeof(skeymat2))
6505 /* Different contexts should produce different results */
6506 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6507 sizeof(ckeymat2)))
6508 goto end;
6509
6510 testresult = 1;
6511
6512 end:
c20e3b28 6513 SSL_SESSION_free(sess);
b38ede80
TT		 6514 SSL_SESSION_free(clientpsk);
6515 SSL_SESSION_free(serverpsk);
34ff74eb 6516 clientpsk = serverpsk = NULL;
b38ede80
TT		 6517 SSL_free(serverssl);
6518 SSL_free(clientssl);
6519 SSL_CTX_free(sctx);
6520 SSL_CTX_free(cctx);
6521
6522 return testresult;
6523}
3409a5ff
MC		 6524
6525#define NUM_KEY_UPDATE_MESSAGES 40
6526/*
6527 * Test KeyUpdate.
6528 */
6529static int test_key_update(void)
6530{
6531 SSL_CTX *cctx = NULL, *sctx = NULL;
6532 SSL *clientssl = NULL, *serverssl = NULL;
6533 int testresult = 0, i, j;
6534 char buf[20];
6535 static char *mess = "A test message";
6536
5e30f2fd 6537 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3409a5ff
MC		 6538 TLS_client_method(),
6539 TLS1_3_VERSION,
6540 0,
6541 &sctx, &cctx, cert, privkey))
6542 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6543 NULL, NULL))
6544 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6545 SSL_ERROR_NONE)))
6546 goto end;
6547
6548 for (j = 0; j < 2; j++) {
6549 /* Send lots of KeyUpdate messages */
6550 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6551 if (!TEST_true(SSL_key_update(clientssl,
6552 (j == 0)
6553 ? SSL_KEY_UPDATE_NOT_REQUESTED
6554 : SSL_KEY_UPDATE_REQUESTED))
6555 || !TEST_true(SSL_do_handshake(clientssl)))
6556 goto end;
6557 }
6558
6559 /* Check that sending and receiving app data is ok */
6560 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6561 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6562 strlen(mess)))
6563 goto end;
a77b4dba
MC		 6564
6565 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6566 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6567 strlen(mess)))
6568 goto end;
3409a5ff
MC		 6569 }
6570
6571 testresult = 1;
6572
6573 end:
6574 SSL_free(serverssl);
6575 SSL_free(clientssl);
6576 SSL_CTX_free(sctx);
6577 SSL_CTX_free(cctx);
6578
6579 return testresult;
6580}
a77b4dba
MC		 6581
6582/*
0c48fda8 6583 * Test we can handle a KeyUpdate (update requested) message while
6584 * write data is pending in peer.
a77b4dba
MC		 6585 * Test 0: Client sends KeyUpdate while Server is writing
6586 * Test 1: Server sends KeyUpdate while Client is writing
6587 */
0c48fda8 6588static int test_key_update_peer_in_write(int tst)
a77b4dba
MC		 6589{
6590 SSL_CTX *cctx = NULL, *sctx = NULL;
6591 SSL *clientssl = NULL, *serverssl = NULL;
6592 int testresult = 0;
6593 char buf[20];
6594 static char *mess = "A test message";
6595 BIO *bretry = BIO_new(bio_s_always_retry());
6596 BIO *tmp = NULL;
6597 SSL *peerupdate = NULL, *peerwrite = NULL;
6598
6599 if (!TEST_ptr(bretry)
5e30f2fd 6600 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
a77b4dba
MC		 6601 TLS_client_method(),
6602 TLS1_3_VERSION,
6603 0,
6604 &sctx, &cctx, cert, privkey))
6605 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6606 NULL, NULL))
6607 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6608 SSL_ERROR_NONE)))
6609 goto end;
6610
6611 peerupdate = tst == 0 ? clientssl : serverssl;
6612 peerwrite = tst == 0 ? serverssl : clientssl;
6613
6614 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
0c48fda8 6615 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
a77b4dba
MC		 6616 goto end;
6617
6618 /* Swap the writing endpoint's write BIO to force a retry */
6619 tmp = SSL_get_wbio(peerwrite);
6620 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6621 tmp = NULL;
6622 goto end;
6623 }
6624 SSL_set0_wbio(peerwrite, bretry);
6625 bretry = NULL;
6626
6627 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6628 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6629 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
6630 goto end;
6631
6632 /* Reinstate the original writing endpoint's write BIO */
6633 SSL_set0_wbio(peerwrite, tmp);
6634 tmp = NULL;
6635
6636 /* Now read some data - we will read the key update */
6637 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6638 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
6639 goto end;
6640
6641 /*
6642 * Complete the write we started previously and read it from the other
6643 * endpoint
6644 */
6645 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6646 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6647 goto end;
6648
6649 /* Write more data to ensure we send the KeyUpdate message back */
6650 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6651 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6652 goto end;
6653
6654 testresult = 1;
6655
6656 end:
6657 SSL_free(serverssl);
6658 SSL_free(clientssl);
6659 SSL_CTX_free(sctx);
6660 SSL_CTX_free(cctx);
6661 BIO_free(bretry);
6662 BIO_free(tmp);
6663
6664 return testresult;
6665}
0c48fda8 6666
6667/*
6668 * Test we can handle a KeyUpdate (update requested) message while
6669 * peer read data is pending after peer accepted keyupdate(the msg header
6670 * had been read 5 bytes).
6671 * Test 0: Client sends KeyUpdate while Server is reading
6672 * Test 1: Server sends KeyUpdate while Client is reading
6673 */
6674static int test_key_update_peer_in_read(int tst)
6675{
6676 SSL_CTX *cctx = NULL, *sctx = NULL;
6677 SSL *clientssl = NULL, *serverssl = NULL;
6678 int testresult = 0;
6679 char prbuf[515], lwbuf[515] = {0};
6680 static char *mess = "A test message";
6681 BIO *lbio = NULL, *pbio = NULL;
6682 SSL *local = NULL, *peer = NULL;
6683
6684 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6685 TLS_client_method(),
6686 TLS1_3_VERSION,
6687 0,
6688 &sctx, &cctx, cert, privkey))
6689 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6690 NULL, NULL))
6691 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6692 SSL_ERROR_NONE)))
6693 goto end;
6694
6695 local = tst == 0 ? clientssl : serverssl;
6696 peer = tst == 0 ? serverssl : clientssl;
6697
6698 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6699 goto end;
6700
6701 SSL_set_bio(local, lbio, lbio);
6702 SSL_set_bio(peer, pbio, pbio);
6703
6704 /*
6705 * we first write keyupdate msg then appdata in local
6706 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6707 * lwbuf app data msg size + key updata msg size > 512(the size of
6708 * the bio pair buffer)
6709 */
6710 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6711 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6712 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6713 goto end;
6714
6715 /*
6716 * first read keyupdate msg in peer in peer
6717 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6718 */
6719 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6720 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6721 goto end;
6722
6723 /* Now write some data in peer - we will write the key update */
6724 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6725 goto end;
6726
6727 /*
6728 * write data in local previously that we will complete
6729 * read data in peer previously that we will complete
6730 */
6731 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6732 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6733 goto end;
6734
6735 /* check that sending and receiving appdata ok */
6736 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6737 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6738 goto end;
6739
6740 testresult = 1;
6741
6742 end:
6743 SSL_free(serverssl);
6744 SSL_free(clientssl);
6745 SSL_CTX_free(sctx);
6746 SSL_CTX_free(cctx);
6747
6748 return testresult;
6749}
6750
6751/*
6752 * Test we can't send a KeyUpdate (update requested) message while
6753 * local write data is pending.
6754 * Test 0: Client sends KeyUpdate while Client is writing
6755 * Test 1: Server sends KeyUpdate while Server is writing
6756 */
6757static int test_key_update_local_in_write(int tst)
6758{
6759 SSL_CTX *cctx = NULL, *sctx = NULL;
6760 SSL *clientssl = NULL, *serverssl = NULL;
6761 int testresult = 0;
6762 char buf[20];
6763 static char *mess = "A test message";
6764 BIO *bretry = BIO_new(bio_s_always_retry());
6765 BIO *tmp = NULL;
6766 SSL *local = NULL, *peer = NULL;
6767
6768 if (!TEST_ptr(bretry)
6769 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6770 TLS_client_method(),
6771 TLS1_3_VERSION,
6772 0,
6773 &sctx, &cctx, cert, privkey))
6774 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6775 NULL, NULL))
6776 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6777 SSL_ERROR_NONE)))
6778 goto end;
6779
6780 local = tst == 0 ? clientssl : serverssl;
6781 peer = tst == 0 ? serverssl : clientssl;
6782
6783 /* Swap the writing endpoint's write BIO to force a retry */
6784 tmp = SSL_get_wbio(local);
6785 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6786 tmp = NULL;
6787 goto end;
6788 }
6789 SSL_set0_wbio(local, bretry);
6790 bretry = NULL;
6791
6792 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6793 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6794 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6795 goto end;
6796
6797 /* Reinstate the original writing endpoint's write BIO */
6798 SSL_set0_wbio(local, tmp);
6799 tmp = NULL;
6800
6801 /* SSL_key_update will fail, because writing in local*/
6802 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6803 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
6804 goto end;
6805
6806 ERR_clear_error();
6807 /* write data in local previously that we will complete */
6808 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
6809 goto end;
6810
6811 /* SSL_key_update will succeed because there is no pending write data */
6812 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6813 || !TEST_int_eq(SSL_do_handshake(local), 1))
6814 goto end;
6815
6816 /*
6817 * we write some appdata in local
6818 * read data in peer - we will read the keyupdate msg
6819 */
6820 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6821 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
6822 goto end;
6823
6824 /* Write more peer more data to ensure we send the keyupdate message back */
6825 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6826 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
6827 goto end;
6828
6829 testresult = 1;
6830
6831 end:
6832 SSL_free(serverssl);
6833 SSL_free(clientssl);
6834 SSL_CTX_free(sctx);
6835 SSL_CTX_free(cctx);
6836 BIO_free(bretry);
6837 BIO_free(tmp);
6838
6839 return testresult;
6840}
6841
6842/*
6843 * Test we can handle a KeyUpdate (update requested) message while
6844 * local read data is pending(the msg header had been read 5 bytes).
6845 * Test 0: Client sends KeyUpdate while Client is reading
6846 * Test 1: Server sends KeyUpdate while Server is reading
6847 */
6848static int test_key_update_local_in_read(int tst)
6849{
6850 SSL_CTX *cctx = NULL, *sctx = NULL;
6851 SSL *clientssl = NULL, *serverssl = NULL;
6852 int testresult = 0;
6853 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
6854 static char *mess = "A test message";
6855 BIO *lbio = NULL, *pbio = NULL;
6856 SSL *local = NULL, *peer = NULL;
6857
6858 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6859 TLS_client_method(),
6860 TLS1_3_VERSION,
6861 0,
6862 &sctx, &cctx, cert, privkey))
6863 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6864 NULL, NULL))
6865 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6866 SSL_ERROR_NONE)))
6867 goto end;
6868
6869 local = tst == 0 ? clientssl : serverssl;
6870 peer = tst == 0 ? serverssl : clientssl;
6871
6872 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6873 goto end;
6874
6875 SSL_set_bio(local, lbio, lbio);
6876 SSL_set_bio(peer, pbio, pbio);
6877
6878 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6879 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
6880 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
6881 goto end;
6882
6883 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6884 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
6885 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
6886 goto end;
6887
6888 /* SSL_do_handshake will send keyupdate msg */
6889 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6890 || !TEST_int_eq(SSL_do_handshake(local), 1))
6891 goto end;
6892
6893 /*
6894 * write data in peer previously that we will complete
6895 * read data in local previously that we will complete
6896 */
6897 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
6898 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
6899 goto end;
6900
6901 /*
6902 * write data in local
6903 * read data in peer - we will read the key update
6904 */
6905 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6906 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6907 goto end;
6908
6909 /* Write more peer data to ensure we send the keyupdate message back */
6910 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6911 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
6912 goto end;
6913
6914 testresult = 1;
6915
6916 end:
6917 SSL_free(serverssl);
6918 SSL_free(clientssl);
6919 SSL_CTX_free(sctx);
6920 SSL_CTX_free(cctx);
6921
6922 return testresult;
6923}
a763ca11 6924#endif /* OSSL_NO_USABLE_TLS1_3 */
b38ede80 6925
e11b6aa4
MC		 6926static int test_ssl_clear(int idx)
6927{
6928 SSL_CTX *cctx = NULL, *sctx = NULL;
6929 SSL *clientssl = NULL, *serverssl = NULL;
6930 int testresult = 0;
6931
6932#ifdef OPENSSL_NO_TLS1_2
6933 if (idx == 1)
6934 return 1;
6935#endif
6936
6937 /* Create an initial connection */
5e30f2fd
MC		 6938 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6939 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 6940 &sctx, &cctx, cert, privkey))
e11b6aa4
MC		 6941 || (idx == 1
6942 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
6943 TLS1_2_VERSION)))
6944 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6945 &clientssl, NULL, NULL))
6946 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6947 SSL_ERROR_NONE)))
6948 goto end;
6949
6950 SSL_shutdown(clientssl);
6951 SSL_shutdown(serverssl);
6952 SSL_free(serverssl);
6953 serverssl = NULL;
6954
6955 /* Clear clientssl - we're going to reuse the object */
6956 if (!TEST_true(SSL_clear(clientssl)))
6957 goto end;
6958
6959 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6960 NULL, NULL))
6961 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6962 SSL_ERROR_NONE))
6963 || !TEST_true(SSL_session_reused(clientssl)))
6964 goto end;
6965
6966 SSL_shutdown(clientssl);
6967 SSL_shutdown(serverssl);
6968
6969 testresult = 1;
6970
6971 end:
6972 SSL_free(serverssl);
6973 SSL_free(clientssl);
6974 SSL_CTX_free(sctx);
6975 SSL_CTX_free(cctx);
6976
6977 return testresult;
6978}
6979
cf72c757
F		 6980/* Parse CH and retrieve any MFL extension value if present */
6981static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
6982{
6983 long len;
6984 unsigned char *data;
72962d02 6985 PACKET pkt, pkt2, pkt3;
cf72c757
F		 6986 unsigned int MFL_code = 0, type = 0;
6987
1287dabd 6988 if (!TEST_uint_gt(len = BIO_get_mem_data(bio, (char **) &data), 0))
cf72c757
F		 6989 goto end;
6990
72962d02
P		 6991 memset(&pkt, 0, sizeof(pkt));
6992 memset(&pkt2, 0, sizeof(pkt2));
6993 memset(&pkt3, 0, sizeof(pkt3));
6994
9ba18520 6995 if (!TEST_long_gt(len, 0)
1287dabd 6996 || !TEST_true(PACKET_buf_init(&pkt, data, len))
cf72c757
F		 6997 /* Skip the record header */
6998 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
6999 /* Skip the handshake message header */
7000 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
7001 /* Skip client version and random */
7002 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
7003 + SSL3_RANDOM_SIZE))
7004 /* Skip session id */
7005 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
7006 /* Skip ciphers */
7007 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
7008 /* Skip compression */
7009 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
7010 /* Extensions len */
7011 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
7012 goto end;
7013
7014 /* Loop through all extensions */
7015 while (PACKET_remaining(&pkt2)) {
7016 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
7017 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
7018 goto end;
7019
7020 if (type == TLSEXT_TYPE_max_fragment_length) {
7021 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
7022 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
7023 goto end;
7024
7025 *mfl_codemfl_code = MFL_code;
7026 return 1;
7027 }
7028 }
7029
7030 end:
7031 return 0;
7032}
7033
7034/* Maximum-Fragment-Length TLS extension mode to test */
7035static const unsigned char max_fragment_len_test[] = {
7036 TLSEXT_max_fragment_length_512,
7037 TLSEXT_max_fragment_length_1024,
7038 TLSEXT_max_fragment_length_2048,
7039 TLSEXT_max_fragment_length_4096
7040};
7041
7042static int test_max_fragment_len_ext(int idx_tst)
7043{
a763ca11 7044 SSL_CTX *ctx = NULL;
cf72c757
F		 7045 SSL *con = NULL;
7046 int testresult = 0, MFL_mode = 0;
7047 BIO *rbio, *wbio;
7048
a763ca11
MC		 7049 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
7050 TLS1_VERSION, 0, NULL, &ctx, NULL,
7051 NULL)))
7052 return 0;
cf72c757
F		 7053
7054 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
7055 ctx, max_fragment_len_test[idx_tst])))
7056 goto end;
7057
7058 con = SSL_new(ctx);
7059 if (!TEST_ptr(con))
7060 goto end;
7061
7062 rbio = BIO_new(BIO_s_mem());
7063 wbio = BIO_new(BIO_s_mem());
7064 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
7065 BIO_free(rbio);
7066 BIO_free(wbio);
7067 goto end;
7068 }
7069
7070 SSL_set_bio(con, rbio, wbio);
cf72c757
F		 7071
7072 if (!TEST_int_le(SSL_connect(con), 0)) {
7073 /* This shouldn't succeed because we don't have a server! */
7074 goto end;
7075 }
7076
7077 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
7078 /* no MFL in client hello */
7079 goto end;
7080 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
7081 goto end;
7082
7083 testresult = 1;
7084
7085end:
7086 SSL_free(con);
7087 SSL_CTX_free(ctx);
7088
7089 return testresult;
7090}
7091
a763ca11 7092#ifndef OSSL_NO_USABLE_TLS1_3
9d75dce3
TS		 7093static int test_pha_key_update(void)
7094{
7095 SSL_CTX *cctx = NULL, *sctx = NULL;
7096 SSL *clientssl = NULL, *serverssl = NULL;
7097 int testresult = 0;
7098
5e30f2fd
MC		 7099 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7100 TLS_client_method(), TLS1_VERSION, 0,
9d75dce3
TS		 7101 &sctx, &cctx, cert, privkey)))
7102 return 0;
7103
7104 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
7105 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
7106 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
7107 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
7108 goto end;
7109
e97be718 7110 SSL_CTX_set_post_handshake_auth(cctx, 1);
9d75dce3
TS		 7111
7112 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7113 NULL, NULL)))
7114 goto end;
7115
9d75dce3
TS		 7116 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7117 SSL_ERROR_NONE)))
7118 goto end;
7119
7120 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7121 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7122 goto end;
7123
7124 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
7125 goto end;
7126
7127 /* Start handshake on the server */
7128 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
7129 goto end;
7130
7131 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
7132 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7133 SSL_ERROR_NONE)))
7134 goto end;
7135
7136 SSL_shutdown(clientssl);
7137 SSL_shutdown(serverssl);
7138
7139 testresult = 1;
7140
7141 end:
7142 SSL_free(serverssl);
7143 SSL_free(clientssl);
7144 SSL_CTX_free(sctx);
7145 SSL_CTX_free(cctx);
7146 return testresult;
7147}
7148#endif
7149
76fd7a1d
MC		 7150#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7151
7152static SRP_VBASE *vbase = NULL;
7153
7154static int ssl_srp_cb(SSL *s, int *ad, void *arg)
7155{
7156 int ret = SSL3_AL_FATAL;
7157 char *username;
7158 SRP_user_pwd *user = NULL;
7159
7160 username = SSL_get_srp_username(s);
7161 if (username == NULL) {
7162 *ad = SSL_AD_INTERNAL_ERROR;
7163 goto err;
7164 }
7165
7166 user = SRP_VBASE_get1_by_user(vbase, username);
7167 if (user == NULL) {
7168 *ad = SSL_AD_INTERNAL_ERROR;
7169 goto err;
7170 }
7171
7172 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
7173 user->info) <= 0) {
7174 *ad = SSL_AD_INTERNAL_ERROR;
7175 goto err;
7176 }
7177
7178 ret = 0;
7179
7180 err:
7181 SRP_user_pwd_free(user);
7182 return ret;
7183}
7184
7185static int create_new_vfile(char *userid, char *password, const char *filename)
7186{
7187 char *gNid = NULL;
7188 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
7189 TXT_DB *db = NULL;
7190 int ret = 0;
7191 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
7192 size_t i;
7193
7194 if (!TEST_ptr(dummy) || !TEST_ptr(row))
7195 goto end;
7196
20c00d0a 7197 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
5e30f2fd 7198 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
76fd7a1d
MC		 7199 if (!TEST_ptr(gNid))
7200 goto end;
7201
7202 /*
7203 * The only way to create an empty TXT_DB is to provide a BIO with no data
7204 * in it!
7205 */
7206 db = TXT_DB_read(dummy, DB_NUMBER);
7207 if (!TEST_ptr(db))
7208 goto end;
7209
7210 out = BIO_new_file(filename, "w");
7211 if (!TEST_ptr(out))
7212 goto end;
7213
7214 row[DB_srpid] = OPENSSL_strdup(userid);
7215 row[DB_srptype] = OPENSSL_strdup("V");
7216 row[DB_srpgN] = OPENSSL_strdup(gNid);
7217
7218 if (!TEST_ptr(row[DB_srpid])
7219 || !TEST_ptr(row[DB_srptype])
7220 || !TEST_ptr(row[DB_srpgN])
7221 || !TEST_true(TXT_DB_insert(db, row)))
7222 goto end;
7223
7224 row = NULL;
7225
aba9943f 7226 if (TXT_DB_write(out, db) <= 0)
76fd7a1d
MC		 7227 goto end;
7228
7229 ret = 1;
7230 end:
7231 if (row != NULL) {
7232 for (i = 0; i < DB_NUMBER; i++)
7233 OPENSSL_free(row[i]);
7234 }
7235 OPENSSL_free(row);
7236 BIO_free(dummy);
7237 BIO_free(out);
7238 TXT_DB_free(db);
7239
7240 return ret;
7241}
7242
7243static int create_new_vbase(char *userid, char *password)
7244{
7245 BIGNUM *verifier = NULL, *salt = NULL;
7246 const SRP_gN *lgN = NULL;
7247 SRP_user_pwd *user_pwd = NULL;
7248 int ret = 0;
7249
7250 lgN = SRP_get_default_gN(NULL);
7251 if (!TEST_ptr(lgN))
7252 goto end;
7253
20c00d0a 7254 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
5e30f2fd 7255 lgN->N, lgN->g, libctx, NULL)))
76fd7a1d
MC		 7256 goto end;
7257
7258 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
7259 if (!TEST_ptr(user_pwd))
7260 goto end;
7261
7262 user_pwd->N = lgN->N;
7263 user_pwd->g = lgN->g;
7264 user_pwd->id = OPENSSL_strdup(userid);
7265 if (!TEST_ptr(user_pwd->id))
7266 goto end;
7267
7268 user_pwd->v = verifier;
7269 user_pwd->s = salt;
7270 verifier = salt = NULL;
7271
7272 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
7273 goto end;
7274 user_pwd = NULL;
7275
7276 ret = 1;
7277end:
7278 SRP_user_pwd_free(user_pwd);
7279 BN_free(salt);
7280 BN_free(verifier);
7281
7282 return ret;
7283}
7284
7285/*
7286 * SRP tests
7287 *
7288 * Test 0: Simple successful SRP connection, new vbase
7289 * Test 1: Connection failure due to bad password, new vbase
7290 * Test 2: Simple successful SRP connection, vbase loaded from existing file
7291 * Test 3: Connection failure due to bad password, vbase loaded from existing
7292 * file
7293 * Test 4: Simple successful SRP connection, vbase loaded from new file
7294 * Test 5: Connection failure due to bad password, vbase loaded from new file
7295 */
7296static int test_srp(int tst)
7297{
7298 char *userid = "test", *password = "password", *tstsrpfile;
7299 SSL_CTX *cctx = NULL, *sctx = NULL;
7300 SSL *clientssl = NULL, *serverssl = NULL;
7301 int ret, testresult = 0;
7302
7303 vbase = SRP_VBASE_new(NULL);
7304 if (!TEST_ptr(vbase))
7305 goto end;
7306
7307 if (tst == 0 || tst == 1) {
7308 if (!TEST_true(create_new_vbase(userid, password)))
7309 goto end;
7310 } else {
7311 if (tst == 4 || tst == 5) {
7312 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
7313 goto end;
7314 tstsrpfile = tmpfilename;
7315 } else {
7316 tstsrpfile = srpvfile;
7317 }
7318 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
7319 goto end;
7320 }
7321
5e30f2fd
MC		 7322 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7323 TLS_client_method(), TLS1_VERSION, 0,
76fd7a1d
MC		 7324 &sctx, &cctx, cert, privkey)))
7325 goto end;
7326
7327 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
7328 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
7329 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
7330 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
7331 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
7332 goto end;
7333
7334 if (tst % 2 == 1) {
7335 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
7336 goto end;
7337 } else {
7338 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
7339 goto end;
7340 }
7341
7342 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7343 NULL, NULL)))
7344 goto end;
7345
7346 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7347 if (ret) {
7348 if (!TEST_true(tst % 2 == 0))
7349 goto end;
7350 } else {
7351 if (!TEST_true(tst % 2 == 1))
7352 goto end;
7353 }
7354
7355 testresult = 1;
7356
7357 end:
7358 SRP_VBASE_free(vbase);
7359 vbase = NULL;
7360 SSL_free(serverssl);
7361 SSL_free(clientssl);
7362 SSL_CTX_free(sctx);
7363 SSL_CTX_free(cctx);
7364
7365 return testresult;
7366}
7367#endif
7368
5718fe45
MC		 7369static int info_cb_failed = 0;
7370static int info_cb_offset = 0;
7371static int info_cb_this_state = -1;
7372
7373static struct info_cb_states_st {
7374 int where;
7375 const char *statestr;
7376} info_cb_states[][60] = {
7377 {
7378 /* TLSv1.2 server followed by resumption */
e0f69c35
TS		 7379 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7380 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5718fe45
MC		 7381 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
7382 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
7383 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
7384 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7385 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7386 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
e0f69c35 7387 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
5718fe45
MC		 7388 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7389 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
7390 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7391 {SSL_CB_EXIT, NULL}, {0, NULL},
7392 }, {
7393 /* TLSv1.2 client followed by resumption */
e0f69c35 7394 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7395 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7396 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
7397 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
7398 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
7399 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7400 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
e0f69c35 7401 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7402 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7403 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7404 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7405 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
7406 }, {
7407 /* TLSv1.3 server followed by resumption */
e0f69c35
TS		 7408 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7409 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5718fe45 7410 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
e0f69c35 7411 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5718fe45 7412 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b
MC		 7413 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7414 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
e0f69c35
TS		 7415 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7416 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4af5836b
MC		 7417 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7418 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7419 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7420 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 7421 }, {
7422 /* TLSv1.3 client followed by resumption */
e0f69c35 7423 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7424 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7425 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7426 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7427 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
e0f69c35
TS		 7428 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7429 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7430 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5718fe45 7431 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
e0f69c35 7432 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5718fe45
MC		 7433 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7434 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7435 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
e0f69c35 7436 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
4af5836b 7437 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 7438 }, {
7439 /* TLSv1.3 server, early_data */
e0f69c35
TS		 7440 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7441 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5718fe45
MC		 7442 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7443 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7444 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7445 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b 7446 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5718fe45
MC		 7447 {SSL_CB_EXIT, NULL}, {0, NULL},
7448 }, {
7449 /* TLSv1.3 client, early_data */
e0f69c35 7450 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7451 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7452 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7453 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7454 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7455 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7456 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
e0f69c35 7457 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
4af5836b 7458 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
b67cb09f
TS		 7459 }, {
7460 /* TLSv1.3 server, certificate compression, followed by resumption */
7461 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7462 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7463 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSCC"},
7464 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7465 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7466 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7467 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7468 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7469 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7470 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7471 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7472 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7473 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7474 }, {
7475 /* TLSv1.3 client, certificate compression, followed by resumption */
7476 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7477 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7478 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSCC"},
7479 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7480 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7481 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7482 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7483 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7484 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7485 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7486 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7487 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7488 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7489 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7490 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 7491 }, {
7492 {0, NULL},
7493 }
7494};
7495
7496static void sslapi_info_callback(const SSL *s, int where, int ret)
7497{
7498 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7499
7500 /* We do not ever expect a connection to fail in this test */
7501 if (!TEST_false(ret == 0)) {
7502 info_cb_failed = 1;
7503 return;
7504 }
7505
7506 /*
7507 * Do some sanity checks. We never expect these things to happen in this
7508 * test
7509 */
7510 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7511 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7512 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7513 info_cb_failed = 1;
7514 return;
7515 }
7516
7517 /* Now check we're in the right state */
7518 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7519 info_cb_failed = 1;
7520 return;
7521 }
7522 if ((where & SSL_CB_LOOP) != 0
7523 && !TEST_int_eq(strcmp(SSL_state_string(s),
7524 state[info_cb_this_state].statestr), 0)) {
7525 info_cb_failed = 1;
7526 return;
7527 }
033c181b 7528
4af5836b
MC		 7529 /*
7530 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7531 */
7532 if ((where & SSL_CB_HANDSHAKE_DONE)
7533 && SSL_in_init((SSL *)s) != 0) {
033c181b
MC		 7534 info_cb_failed = 1;
7535 return;
7536 }
5718fe45
MC		 7537}
7538
7539/*
7540 * Test the info callback gets called when we expect it to.
7541 *
7542 * Test 0: TLSv1.2, server
7543 * Test 1: TLSv1.2, client
7544 * Test 2: TLSv1.3, server
7545 * Test 3: TLSv1.3, client
7546 * Test 4: TLSv1.3, server, early_data
7547 * Test 5: TLSv1.3, client, early_data
b67cb09f
TS		 7548 * Test 6: TLSv1.3, server, compressed certificate
7549 * Test 7: TLSv1.3, client, compressed certificate
5718fe45
MC		 7550 */
7551static int test_info_callback(int tst)
7552{
7553 SSL_CTX *cctx = NULL, *sctx = NULL;
7554 SSL *clientssl = NULL, *serverssl = NULL;
7555 SSL_SESSION *clntsess = NULL;
7556 int testresult = 0;
7557 int tlsvers;
7558
7559 if (tst < 2) {
1aac20f5
MC		 7560/* We need either ECDHE or DHE for the TLSv1.2 test to work */
7561#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7562 || !defined(OPENSSL_NO_DH))
5718fe45
MC		 7563 tlsvers = TLS1_2_VERSION;
7564#else
7565 return 1;
7566#endif
7567 } else {
a763ca11 7568#ifndef OSSL_NO_USABLE_TLS1_3
5718fe45
MC		 7569 tlsvers = TLS1_3_VERSION;
7570#else
7571 return 1;
7572#endif
7573 }
7574
7575 /* Reset globals */
7576 info_cb_failed = 0;
7577 info_cb_this_state = -1;
7578 info_cb_offset = tst;
7579
a763ca11 7580#ifndef OSSL_NO_USABLE_TLS1_3
b67cb09f 7581 if (tst >= 4 && tst < 6) {
5718fe45
MC		 7582 SSL_SESSION *sess = NULL;
7583 size_t written, readbytes;
7584 unsigned char buf[80];
7585
7586 /* early_data tests */
7587 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 7588 &serverssl, &sess, 0,
7589 SHA384_DIGEST_LENGTH)))
5718fe45
MC		 7590 goto end;
7591
7592 /* We don't actually need this reference */
7593 SSL_SESSION_free(sess);
7594
7595 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7596 sslapi_info_callback);
7597
7598 /* Write and read some early data and then complete the connection */
7599 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7600 &written))
7601 || !TEST_size_t_eq(written, strlen(MSG1))
7602 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
7603 sizeof(buf), &readbytes),
7604 SSL_READ_EARLY_DATA_SUCCESS)
7605 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7606 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7607 SSL_EARLY_DATA_ACCEPTED)
7608 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7609 SSL_ERROR_NONE))
7610 || !TEST_false(info_cb_failed))
7611 goto end;
7612
7613 testresult = 1;
7614 goto end;
7615 }
6e07834c 7616#endif
5718fe45 7617
5e30f2fd 7618 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5718fe45
MC		 7619 TLS_client_method(),
7620 tlsvers, tlsvers, &sctx, &cctx, cert,
7621 privkey)))
7622 goto end;
7623
33c39a06
MC		 7624 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7625 goto end;
7626
5718fe45
MC		 7627 /*
7628 * For even numbered tests we check the server callbacks. For odd numbers we
7629 * check the client.
7630 */
7631 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7632 sslapi_info_callback);
b67cb09f
TS		 7633 if (tst >= 6) {
7634 if (!SSL_CTX_compress_certs(sctx, 0))
7635 goto end;
7636 }
5718fe45
MC		 7637
7638 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7639 &clientssl, NULL, NULL))
7640 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7641 SSL_ERROR_NONE))
7642 || !TEST_false(info_cb_failed))
7643 goto end;
7644
7645
7646
7647 clntsess = SSL_get1_session(clientssl);
7648 SSL_shutdown(clientssl);
7649 SSL_shutdown(serverssl);
7650 SSL_free(serverssl);
7651 SSL_free(clientssl);
7652 serverssl = clientssl = NULL;
7653
7654 /* Now do a resumption */
7655 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7656 NULL))
7657 || !TEST_true(SSL_set_session(clientssl, clntsess))
7658 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7659 SSL_ERROR_NONE))
7660 || !TEST_true(SSL_session_reused(clientssl))
7661 || !TEST_false(info_cb_failed))
7662 goto end;
7663
7664 testresult = 1;
7665
7666 end:
7667 SSL_free(serverssl);
7668 SSL_free(clientssl);
7669 SSL_SESSION_free(clntsess);
7670 SSL_CTX_free(sctx);
7671 SSL_CTX_free(cctx);
7672 return testresult;
7673}
7674
4a432af8
MC		 7675static int test_ssl_pending(int tst)
7676{
7677 SSL_CTX *cctx = NULL, *sctx = NULL;
7678 SSL *clientssl = NULL, *serverssl = NULL;
7679 int testresult = 0;
7680 char msg[] = "A test message";
7681 char buf[5];
7682 size_t written, readbytes;
7683
7684 if (tst == 0) {
5e30f2fd 7685 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4a432af8 7686 TLS_client_method(),
5c587fb6 7687 TLS1_VERSION, 0,
4a432af8
MC		 7688 &sctx, &cctx, cert, privkey)))
7689 goto end;
7690 } else {
7691#ifndef OPENSSL_NO_DTLS
5e30f2fd 7692 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
4a432af8 7693 DTLS_client_method(),
5c587fb6 7694 DTLS1_VERSION, 0,
4a432af8
MC		 7695 &sctx, &cctx, cert, privkey)))
7696 goto end;
8ce390e1
MC		 7697
7698# ifdef OPENSSL_NO_DTLS1_2
7699 /* Not supported in the FIPS provider */
7700 if (is_fips) {
7701 testresult = 1;
7702 goto end;
7703 };
7704 /*
7705 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7706 * level 0
7707 */
7708 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7709 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7710 "DEFAULT:@SECLEVEL=0")))
7711 goto end;
7712# endif
4a432af8
MC		 7713#else
7714 return 1;
7715#endif
7716 }
7717
7718 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7719 NULL, NULL))
7720 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7721 SSL_ERROR_NONE)))
7722 goto end;
7723
e8251092
MC		 7724 if (!TEST_int_eq(SSL_pending(clientssl), 0)
7725 || !TEST_false(SSL_has_pending(clientssl))
7726 || !TEST_int_eq(SSL_pending(serverssl), 0)
7727 || !TEST_false(SSL_has_pending(serverssl))
7728 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4a432af8
MC		 7729 || !TEST_size_t_eq(written, sizeof(msg))
7730 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
7731 || !TEST_size_t_eq(readbytes, sizeof(buf))
e8251092
MC		 7732 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
7733 || !TEST_true(SSL_has_pending(clientssl)))
4a432af8
MC		 7734 goto end;
7735
7736 testresult = 1;
7737
7738 end:
7739 SSL_free(serverssl);
7740 SSL_free(clientssl);
7741 SSL_CTX_free(sctx);
7742 SSL_CTX_free(cctx);
7743
7744 return testresult;
7745}
7746
e401389a
MC		 7747static struct {
7748 unsigned int maxprot;
7749 const char *clntciphers;
7750 const char *clnttls13ciphers;
7751 const char *srvrciphers;
7752 const char *srvrtls13ciphers;
7753 const char *shared;
a96e6c34 7754 const char *fipsshared;
e401389a 7755} shared_ciphers_data[] = {
60155b9a
MC		 7756/*
7757 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7758 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7759 */
a763ca11 7760#if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
e401389a
MC		 7761 {
7762 TLS1_2_VERSION,
7763 "AES128-SHA:AES256-SHA",
7764 NULL,
7765 "AES256-SHA:DHE-RSA-AES128-SHA",
7766 NULL,
a96e6c34 7767 "AES256-SHA",
e401389a
MC		 7768 "AES256-SHA"
7769 },
a96e6c34
MC		 7770# if !defined(OPENSSL_NO_CHACHA) \
7771 && !defined(OPENSSL_NO_POLY1305) \
7772 && !defined(OPENSSL_NO_EC)
7773 {
7774 TLS1_2_VERSION,
7775 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7776 NULL,
7777 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7778 NULL,
7779 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7780 "AES128-SHA"
7781 },
7782# endif
e401389a
MC		 7783 {
7784 TLS1_2_VERSION,
7785 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7786 NULL,
7787 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7788 NULL,
a96e6c34 7789 "AES128-SHA:AES256-SHA",
e401389a
MC		 7790 "AES128-SHA:AES256-SHA"
7791 },
7792 {
7793 TLS1_2_VERSION,
7794 "AES128-SHA:AES256-SHA",
7795 NULL,
7796 "AES128-SHA:DHE-RSA-AES128-SHA",
7797 NULL,
a96e6c34 7798 "AES128-SHA",
e401389a
MC		 7799 "AES128-SHA"
7800 },
60155b9a
MC		 7801#endif
7802/*
7803 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7804 * enabled.
7805 */
a763ca11 7806#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
60155b9a 7807 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e401389a
MC		 7808 {
7809 TLS1_3_VERSION,
7810 "AES128-SHA:AES256-SHA",
7811 NULL,
7812 "AES256-SHA:AES128-SHA256",
7813 NULL,
7814 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
a96e6c34
MC		 7815 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7816 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
e401389a 7817 },
60155b9a 7818#endif
a763ca11 7819#ifndef OSSL_NO_USABLE_TLS1_3
e401389a
MC		 7820 {
7821 TLS1_3_VERSION,
7822 "AES128-SHA",
7823 "TLS_AES_256_GCM_SHA384",
7824 "AES256-SHA",
7825 "TLS_AES_256_GCM_SHA384",
a96e6c34 7826 "TLS_AES_256_GCM_SHA384",
e401389a
MC		 7827 "TLS_AES_256_GCM_SHA384"
7828 },
7829#endif
7830};
7831
a96e6c34 7832static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
e401389a
MC		 7833{
7834 SSL_CTX *cctx = NULL, *sctx = NULL;
7835 SSL *clientssl = NULL, *serverssl = NULL;
7836 int testresult = 0;
7837 char buf[1024];
b4250010 7838 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
a96e6c34
MC		 7839
7840 if (!TEST_ptr(tmplibctx))
7841 goto end;
7842
7843 /*
7844 * Regardless of whether we're testing with the FIPS provider loaded into
7845 * libctx, we want one peer to always use the full set of ciphersuites
7846 * available. Therefore we use a separate libctx with the default provider
7847 * loaded into it. We run the same tests twice - once with the client side
7848 * having the full set of ciphersuites and once with the server side.
7849 */
7850 if (clnt) {
d8652be0 7851 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
a96e6c34
MC		 7852 if (!TEST_ptr(cctx))
7853 goto end;
7854 } else {
d8652be0 7855 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
a96e6c34
MC		 7856 if (!TEST_ptr(sctx))
7857 goto end;
7858 }
e401389a 7859
5e30f2fd 7860 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
e401389a
MC		 7861 TLS_client_method(),
7862 TLS1_VERSION,
7863 shared_ciphers_data[tst].maxprot,
7864 &sctx, &cctx, cert, privkey)))
7865 goto end;
7866
7867 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7868 shared_ciphers_data[tst].clntciphers))
7869 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
7870 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
7871 shared_ciphers_data[tst].clnttls13ciphers)))
7872 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
7873 shared_ciphers_data[tst].srvrciphers))
7874 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
7875 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
7876 shared_ciphers_data[tst].srvrtls13ciphers))))
7877 goto end;
7878
7879
7880 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7881 NULL, NULL))
7882 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7883 SSL_ERROR_NONE)))
7884 goto end;
7885
7886 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
a96e6c34
MC		 7887 || !TEST_int_eq(strcmp(buf,
7888 is_fips
7889 ? shared_ciphers_data[tst].fipsshared
7890 : shared_ciphers_data[tst].shared),
7891 0)) {
e401389a
MC		 7892 TEST_info("Shared ciphers are: %s\n", buf);
7893 goto end;
7894 }
7895
7896 testresult = 1;
7897
7898 end:
7899 SSL_free(serverssl);
7900 SSL_free(clientssl);
7901 SSL_CTX_free(sctx);
7902 SSL_CTX_free(cctx);
b4250010 7903 OSSL_LIB_CTX_free(tmplibctx);
e401389a
MC		 7904
7905 return testresult;
7906}
7907
a96e6c34
MC		 7908static int test_ssl_get_shared_ciphers(int tst)
7909{
7910 return int_test_ssl_get_shared_ciphers(tst, 0)
7911 && int_test_ssl_get_shared_ciphers(tst, 1);
7912}
7913
7914
d0191fe0 7915static const char *appdata = "Hello World";
61fb5923
MC		 7916static int gen_tick_called, dec_tick_called, tick_key_cb_called;
7917static int tick_key_renew = 0;
7918static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
d0191fe0
MC		 7919
7920static int gen_tick_cb(SSL *s, void *arg)
7921{
7922 gen_tick_called = 1;
7923
7924 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
7925 strlen(appdata));
7926}
7927
7928static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
7929 const unsigned char *keyname,
7930 size_t keyname_length,
61fb5923
MC		 7931 SSL_TICKET_STATUS status,
7932 void *arg)
d0191fe0
MC		 7933{
7934 void *tickdata;
7935 size_t tickdlen;
7936
7937 dec_tick_called = 1;
7938
61fb5923
MC		 7939 if (status == SSL_TICKET_EMPTY)
7940 return SSL_TICKET_RETURN_IGNORE_RENEW;
d0191fe0 7941
61fb5923
MC		 7942 if (!TEST_true(status == SSL_TICKET_SUCCESS
7943 || status == SSL_TICKET_SUCCESS_RENEW))
7944 return SSL_TICKET_RETURN_ABORT;
7945
7946 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
7947 &tickdlen))
d0191fe0
MC		 7948 || !TEST_size_t_eq(tickdlen, strlen(appdata))
7949 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
61fb5923 7950 return SSL_TICKET_RETURN_ABORT;
d0191fe0 7951
61fb5923
MC		 7952 if (tick_key_cb_called) {
7953 /* Don't change what the ticket key callback wanted to do */
7954 switch (status) {
7955 case SSL_TICKET_NO_DECRYPT:
7956 return SSL_TICKET_RETURN_IGNORE_RENEW;
7957
7958 case SSL_TICKET_SUCCESS:
7959 return SSL_TICKET_RETURN_USE;
d0191fe0 7960
61fb5923
MC		 7961 case SSL_TICKET_SUCCESS_RENEW:
7962 return SSL_TICKET_RETURN_USE_RENEW;
7963
7964 default:
7965 return SSL_TICKET_RETURN_ABORT;
7966 }
7967 }
7968 return tick_dec_ret;
7969
7970}
d0191fe0 7971
a76ce286 7972#ifndef OPENSSL_NO_DEPRECATED_3_0
d0191fe0
MC		 7973static int tick_key_cb(SSL *s, unsigned char key_name[16],
7974 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
7975 HMAC_CTX *hctx, int enc)
7976{
7977 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7978 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
3b7a3241
MC		 7979 EVP_CIPHER *aes128cbc;
7980 EVP_MD *sha256;
5e30f2fd 7981 int ret;
d0191fe0 7982
61fb5923 7983 tick_key_cb_called = 1;
3b7a3241
MC		 7984
7985 if (tick_key_renew == -1)
7986 return 0;
7987
7988 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7989 if (!TEST_ptr(aes128cbc))
7990 return 0;
7991 sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
7992 if (!TEST_ptr(sha256)) {
7993 EVP_CIPHER_free(aes128cbc);
7994 return 0;
7995 }
7996
d0191fe0
MC		 7997 memset(iv, 0, AES_BLOCK_SIZE);
7998 memset(key_name, 0, 16);
5e30f2fd
MC		 7999 if (aes128cbc == NULL
8000 || sha256 == NULL
8001 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
8002 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
8003 NULL))
8004 ret = -1;
8005 else
8006 ret = tick_key_renew ? 2 : 1;
d0191fe0 8007
5e30f2fd
MC		 8008 EVP_CIPHER_free(aes128cbc);
8009 EVP_MD_free(sha256);
8010
8011 return ret;
d0191fe0 8012}
a76ce286
P		 8013#endif
8014
8015static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
8016 unsigned char iv[EVP_MAX_IV_LENGTH],
8017 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
8018{
8019 const unsigned char tick_aes_key[16] = "0123456789abcdef";
8020 unsigned char tick_hmac_key[16] = "0123456789abcdef";
77e4ae58 8021 OSSL_PARAM params[2];
3b7a3241 8022 EVP_CIPHER *aes128cbc;
5e30f2fd 8023 int ret;
a76ce286
P		 8024
8025 tick_key_cb_called = 1;
3b7a3241
MC		 8026
8027 if (tick_key_renew == -1)
8028 return 0;
8029
8030 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
8031 if (!TEST_ptr(aes128cbc))
8032 return 0;
8033
a76ce286
P		 8034 memset(iv, 0, AES_BLOCK_SIZE);
8035 memset(key_name, 0, 16);
8036 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
8037 "SHA256", 0);
77e4ae58 8038 params[1] = OSSL_PARAM_construct_end();
5e30f2fd
MC		 8039 if (aes128cbc == NULL
8040 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
77e4ae58
P		 8041 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
8042 params))
5e30f2fd
MC		 8043 ret = -1;
8044 else
8045 ret = tick_key_renew ? 2 : 1;
8046
8047 EVP_CIPHER_free(aes128cbc);
a76ce286 8048
5e30f2fd 8049 return ret;
a76ce286 8050}
d0191fe0
MC		 8051
8052/*
8053 * Test the various ticket callbacks
61fb5923
MC		 8054 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
8055 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
8056 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
8057 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
8058 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
8059 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
8060 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
8061 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
a76ce286
P		 8062 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
8063 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
8064 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
8065 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
3b7a3241
MC		 8066 * Test 12: TLSv1.2, old ticket key callback, no ticket
8067 * Test 13: TLSv1.3, old ticket key callback, no ticket
8068 * Test 14: TLSv1.2, ticket key callback, ticket, no renewal
8069 * Test 15: TLSv1.3, ticket key callback, ticket, no renewal
8070 * Test 16: TLSv1.2, ticket key callback, ticket, renewal
8071 * Test 17: TLSv1.3, ticket key callback, ticket, renewal
8072 * Test 18: TLSv1.2, ticket key callback, no ticket
8073 * Test 19: TLSv1.3, ticket key callback, no ticket
d0191fe0
MC		 8074 */
8075static int test_ticket_callbacks(int tst)
8076{
8077 SSL_CTX *cctx = NULL, *sctx = NULL;
8078 SSL *clientssl = NULL, *serverssl = NULL;
8079 SSL_SESSION *clntsess = NULL;
8080 int testresult = 0;
8081
8082#ifdef OPENSSL_NO_TLS1_2
ba8b48e9 8083 if (tst % 2 == 0)
d0191fe0
MC		 8084 return 1;
8085#endif
a763ca11 8086#ifdef OSSL_NO_USABLE_TLS1_3
ba8b48e9 8087 if (tst % 2 == 1)
d0191fe0
MC		 8088 return 1;
8089#endif
a76ce286 8090#ifdef OPENSSL_NO_DEPRECATED_3_0
3b7a3241 8091 if (tst >= 8 && tst <= 13)
a76ce286
P		 8092 return 1;
8093#endif
d0191fe0 8094
61fb5923 8095 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
d0191fe0
MC		 8096
8097 /* Which tests the ticket key callback should request renewal for */
3c95ef22 8098
3b7a3241 8099 if (tst == 10 || tst == 11 || tst == 16 || tst == 17)
61fb5923 8100 tick_key_renew = 1;
3b7a3241
MC		 8101 else if (tst == 12 || tst == 13 || tst == 18 || tst == 19)
8102 tick_key_renew = -1; /* abort sending the ticket/0-length ticket */
d0191fe0 8103 else
61fb5923
MC		 8104 tick_key_renew = 0;
8105
8106 /* Which tests the decrypt ticket callback should request renewal for */
8107 switch (tst) {
8108 case 0:
8109 case 1:
8110 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
8111 break;
8112
8113 case 2:
8114 case 3:
8115 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
8116 break;
8117
8118 case 4:
8119 case 5:
8120 tick_dec_ret = SSL_TICKET_RETURN_USE;
8121 break;
8122
8123 case 6:
8124 case 7:
8125 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
8126 break;
8127
8128 default:
8129 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
8130 }
d0191fe0 8131
5e30f2fd 8132 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
d0191fe0
MC		 8133 TLS_client_method(),
8134 TLS1_VERSION,
61fb5923
MC		 8135 ((tst % 2) == 0) ? TLS1_2_VERSION
8136 : TLS1_3_VERSION,
d0191fe0
MC		 8137 &sctx, &cctx, cert, privkey)))
8138 goto end;
8139
61fb5923
MC		 8140 /*
8141 * We only want sessions to resume from tickets - not the session cache. So
8142 * switch the cache off.
8143 */
8144 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
8145 goto end;
8146
d0191fe0
MC		 8147 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
8148 NULL)))
8149 goto end;
8150
3b7a3241 8151 if (tst >= 14) {
a76ce286
P		 8152 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
8153 goto end;
8154#ifndef OPENSSL_NO_DEPRECATED_3_0
8155 } else if (tst >= 8) {
8156 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
8157 goto end;
8158#endif
8159 }
d0191fe0
MC		 8160
8161 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8162 NULL, NULL))
8163 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8164 SSL_ERROR_NONE)))
8165 goto end;
8166
61fb5923
MC		 8167 /*
8168 * The decrypt ticket key callback in TLSv1.2 should be called even though
8169 * we have no ticket yet, because it gets called with a status of
8170 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
8171 * actually send any ticket data). This does not happen in TLSv1.3 because
8172 * it is not valid to send empty ticket data in TLSv1.3.
8173 */
d0191fe0 8174 if (!TEST_int_eq(gen_tick_called, 1)
61fb5923 8175 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
d0191fe0
MC		 8176 goto end;
8177
8178 gen_tick_called = dec_tick_called = 0;
8179
8180 clntsess = SSL_get1_session(clientssl);
8181 SSL_shutdown(clientssl);
8182 SSL_shutdown(serverssl);
8183 SSL_free(serverssl);
8184 SSL_free(clientssl);
8185 serverssl = clientssl = NULL;
8186
8187 /* Now do a resumption */
8188 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8189 NULL))
8190 || !TEST_true(SSL_set_session(clientssl, clntsess))
8191 || !TEST_true(create_ssl_connection(serverssl, clientssl,
61fb5923 8192 SSL_ERROR_NONE)))
d0191fe0
MC		 8193 goto end;
8194
61fb5923 8195 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
3b7a3241
MC		 8196 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8197 || tick_key_renew == -1) {
61fb5923
MC		 8198 if (!TEST_false(SSL_session_reused(clientssl)))
8199 goto end;
8200 } else {
8201 if (!TEST_true(SSL_session_reused(clientssl)))
8202 goto end;
8203 }
8204
d0191fe0 8205 if (!TEST_int_eq(gen_tick_called,
61fb5923
MC		 8206 (tick_key_renew
8207 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8208 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
8209 ? 1 : 0)
3b7a3241
MC		 8210 /* There is no ticket to decrypt in tests 13 and 19 */
8211 || !TEST_int_eq(dec_tick_called, (tst == 13 || tst == 19) ? 0 : 1))
d0191fe0
MC		 8212 goto end;
8213
8214 testresult = 1;
8215
8216 end:
8217 SSL_SESSION_free(clntsess);
8218 SSL_free(serverssl);
8219 SSL_free(clientssl);
8220 SSL_CTX_free(sctx);
8221 SSL_CTX_free(cctx);
8222
8223 return testresult;
8224}
8225
e638112e
DB		 8226/*
8227 * Test incorrect shutdown.
8228 * Test 0: client does not shutdown properly,
8229 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
8230 * server should get SSL_ERROR_SSL
8231 * Test 1: client does not shutdown properly,
8232 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
8233 * server should get SSL_ERROR_ZERO_RETURN
8234 */
8235static int test_incorrect_shutdown(int tst)
8236{
8237 SSL_CTX *cctx = NULL, *sctx = NULL;
8238 SSL *clientssl = NULL, *serverssl = NULL;
8239 int testresult = 0;
8240 char buf[80];
8241 BIO *c2s;
8242
8243 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8244 TLS_client_method(), 0, 0,
8245 &sctx, &cctx, cert, privkey)))
8246 goto end;
8247
8248 if (tst == 1)
8249 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
8250
8251 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8252 NULL, NULL)))
8253 goto end;
8254
8255 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8256 SSL_ERROR_NONE)))
8257 goto end;
8258
8259 c2s = SSL_get_rbio(serverssl);
8260 BIO_set_mem_eof_return(c2s, 0);
8261
8262 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
8263 goto end;
8264
8265 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
8266 goto end;
8267 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
8268 goto end;
8269
8270 testresult = 1;
8271
8272 end:
8273 SSL_free(serverssl);
8274 SSL_free(clientssl);
8275 SSL_CTX_free(sctx);
8276 SSL_CTX_free(cctx);
8277
8278 return testresult;
8279}
8280
c748834f
MC		 8281/*
8282 * Test bi-directional shutdown.
8283 * Test 0: TLSv1.2
8284 * Test 1: TLSv1.2, server continues to read/write after client shutdown
8285 * Test 2: TLSv1.3, no pending NewSessionTicket messages
8286 * Test 3: TLSv1.3, pending NewSessionTicket messages
80eff008
KR		 8287 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
8288 * sends key update, client reads it
57d7b988
MC		 8289 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
8290 * sends CertificateRequest, client reads and ignores it
8291 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
c748834f
MC		 8292 * doesn't read it
8293 */
8294static int test_shutdown(int tst)
8295{
8296 SSL_CTX *cctx = NULL, *sctx = NULL;
8297 SSL *clientssl = NULL, *serverssl = NULL;
8298 int testresult = 0;
8299 char msg[] = "A test message";
8300 char buf[80];
8301 size_t written, readbytes;
80eff008 8302 SSL_SESSION *sess;
c748834f
MC		 8303
8304#ifdef OPENSSL_NO_TLS1_2
a97d19f7 8305 if (tst <= 1)
c748834f
MC		 8306 return 1;
8307#endif
a763ca11 8308#ifdef OSSL_NO_USABLE_TLS1_3
a97d19f7 8309 if (tst >= 2)
c748834f
MC		 8310 return 1;
8311#endif
8312
5e30f2fd 8313 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
c748834f
MC		 8314 TLS_client_method(),
8315 TLS1_VERSION,
8316 (tst <= 1) ? TLS1_2_VERSION
8317 : TLS1_3_VERSION,
57d7b988
MC		 8318 &sctx, &cctx, cert, privkey)))
8319 goto end;
8320
8321 if (tst == 5)
8322 SSL_CTX_set_post_handshake_auth(cctx, 1);
8323
8324 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
c748834f
MC		 8325 NULL, NULL)))
8326 goto end;
8327
8328 if (tst == 3) {
8329 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
26dad42e 8330 SSL_ERROR_NONE, 1, 0))
80eff008
KR		 8331 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8332 || !TEST_false(SSL_SESSION_is_resumable(sess)))
c748834f
MC		 8333 goto end;
8334 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
80eff008
KR		 8335 SSL_ERROR_NONE))
8336 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8337 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
c748834f
MC		 8338 goto end;
8339 }
8340
8341 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8342 goto end;
8343
8344 if (tst >= 4) {
8345 /*
8346 * Reading on the server after the client has sent close_notify should
8347 * fail and provide SSL_ERROR_ZERO_RETURN
8348 */
8349 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
8350 || !TEST_int_eq(SSL_get_error(serverssl, 0),
8351 SSL_ERROR_ZERO_RETURN)
8352 || !TEST_int_eq(SSL_get_shutdown(serverssl),
8353 SSL_RECEIVED_SHUTDOWN)
8354 /*
8355 * Even though we're shutdown on receive we should still be
8356 * able to write.
8357 */
80eff008
KR		 8358 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8359 goto end;
57d7b988
MC		 8360 if (tst == 4
8361 && !TEST_true(SSL_key_update(serverssl,
8362 SSL_KEY_UPDATE_REQUESTED)))
8363 goto end;
8364 if (tst == 5) {
8365 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
8366 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
8367 goto end;
8368 }
8369 if ((tst == 4 || tst == 5)
8370 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
80eff008
KR		 8371 goto end;
8372 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
c748834f 8373 goto end;
57d7b988 8374 if (tst == 4 || tst == 5) {
80eff008 8375 /* Should still be able to read data from server */
c748834f 8376 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
80eff008
KR		 8377 &readbytes))
8378 || !TEST_size_t_eq(readbytes, sizeof(msg))
8379 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
8380 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8381 &readbytes))
c748834f
MC		 8382 || !TEST_size_t_eq(readbytes, sizeof(msg))
8383 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
8384 goto end;
8385 }
8386 }
8387
8388 /* Writing on the client after sending close_notify shouldn't be possible */
ba709049 8389 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
c748834f
MC		 8390 goto end;
8391
8392 if (tst < 4) {
8393 /*
8394 * For these tests the client has sent close_notify but it has not yet
8395 * been received by the server. The server has not sent close_notify
8396 * yet.
8397 */
8398 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
ba709049
MC		 8399 /*
8400 * Writing on the server after sending close_notify shouldn't
8401 * be possible.
8402 */
8403 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
c748834f 8404 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
80eff008
KR		 8405 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8406 || !TEST_true(SSL_SESSION_is_resumable(sess))
c748834f
MC		 8407 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
8408 goto end;
57d7b988 8409 } else if (tst == 4 || tst == 5) {
c748834f
MC		 8410 /*
8411 * In this test the client has sent close_notify and it has been
8412 * received by the server which has responded with a close_notify. The
358ffa05 8413 * client needs to read the close_notify sent by the server.
c748834f 8414 */
80eff008
KR		 8415 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
8416 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8417 || !TEST_true(SSL_SESSION_is_resumable(sess)))
c748834f 8418 goto end;
358ffa05
MC		 8419 } else {
8420 /*
57d7b988 8421 * tst == 6
358ffa05
MC		 8422 *
8423 * The client has sent close_notify and is expecting a close_notify
8424 * back, but instead there is application data first. The shutdown
8425 * should fail with a fatal error.
8426 */
8427 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
8428 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
8429 goto end;
c748834f
MC		 8430 }
8431
8432 testresult = 1;
8433
8434 end:
8435 SSL_free(serverssl);
8436 SSL_free(clientssl);
8437 SSL_CTX_free(sctx);
8438 SSL_CTX_free(cctx);
8439
8440 return testresult;
8441}
8442
cbf965b4
MC		 8443/*
8444 * Test that sending close_notify alerts works correctly in the case of a
8445 * retryable write failure.
8446 */
8447static int test_async_shutdown(void)
8448{
8449 SSL_CTX *cctx = NULL, *sctx = NULL;
8450 SSL *clientssl = NULL, *serverssl = NULL;
8451 int testresult = 0;
8452 BIO *bretry = BIO_new(bio_s_always_retry()), *tmp = NULL;
8453
8454 if (!TEST_ptr(bretry))
8455 goto end;
8456
8457 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8458 TLS_client_method(),
8459 0, 0,
8460 &sctx, &cctx, cert, privkey)))
8461 goto end;
8462
8463 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8464 NULL)))
8465 goto end;
8466
8467 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8468 goto end;
8469
8470 /* Close write side of clientssl */
8471 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8472 goto end;
8473
8474 tmp = SSL_get_wbio(serverssl);
8475 if (!TEST_true(BIO_up_ref(tmp))) {
8476 tmp = NULL;
8477 goto end;
8478 }
8479 SSL_set0_wbio(serverssl, bretry);
8480 bretry = NULL;
8481
8482 /* First server shutdown should fail because of a retrable write failure */
8483 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8484 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8485 goto end;
8486
8487 /* Second server shutdown should fail for the same reason */
8488 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8489 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8490 goto end;
8491
8492 SSL_set0_wbio(serverssl, tmp);
8493 tmp = NULL;
8494
8495 /* Third server shutdown should send close_notify */
8496 if (!TEST_int_eq(SSL_shutdown(serverssl), 0))
8497 goto end;
8498
8499 /* Fourth server shutdown should read close_notify from client and finish */
8500 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8501 goto end;
8502
8503 /* Client should also successfully fully shutdown */
8504 if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
8505 goto end;
8506
8507 testresult = 1;
8508 end:
8509 SSL_free(serverssl);
8510 SSL_free(clientssl);
8511 SSL_CTX_free(sctx);
8512 SSL_CTX_free(cctx);
8513 BIO_free(bretry);
8514 BIO_free(tmp);
8515
8516 return testresult;
8517}
8518
a763ca11 8519#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
cd6fe29f
MC		 8520static int cert_cb_cnt;
8521
8522static int cert_cb(SSL *s, void *arg)
8523{
8524 SSL_CTX *ctx = (SSL_CTX *)arg;
7cb8fb07
BK		 8525 BIO *in = NULL;
8526 EVP_PKEY *pkey = NULL;
1a2a3a42
MC		 8527 X509 *x509 = NULL, *rootx = NULL;
8528 STACK_OF(X509) *chain = NULL;
8529 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
8530 int ret = 0;
cd6fe29f
MC		 8531
8532 if (cert_cb_cnt == 0) {
8533 /* Suspend the handshake */
8534 cert_cb_cnt++;
8535 return -1;
8536 } else if (cert_cb_cnt == 1) {
8537 /*
8538 * Update the SSL_CTX, set the certificate and private key and then
8539 * continue the handshake normally.
8540 */
8541 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
8542 return 0;
8543
8544 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
8545 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
8546 SSL_FILETYPE_PEM))
8547 || !TEST_true(SSL_check_private_key(s)))
8548 return 0;
8549 cert_cb_cnt++;
8550 return 1;
7cb8fb07
BK		 8551 } else if (cert_cb_cnt == 3) {
8552 int rv;
1a2a3a42
MC		 8553
8554 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
8555 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8556 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8557 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
8558 goto out;
8559 chain = sk_X509_new_null();
8560 if (!TEST_ptr(chain))
8561 goto out;
7cb8fb07 8562 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
e3f03624 8563 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
d8652be0 8564 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
6725682d 8565 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
1a2a3a42
MC		 8566 || !TEST_true(sk_X509_push(chain, rootx)))
8567 goto out;
8568 rootx = NULL;
8569 BIO_free(in);
8570 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
e3f03624 8571 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
d8652be0 8572 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
6725682d 8573 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
7cb8fb07
BK		 8574 goto out;
8575 BIO_free(in);
8576 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
e3f03624 8577 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
5f2b7db0
RL		 8578 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8579 NULL, NULL,
8580 libctx, NULL)))
7cb8fb07 8581 goto out;
1a2a3a42 8582 rv = SSL_check_chain(s, x509, pkey, chain);
7cb8fb07
BK		 8583 /*
8584 * If the cert doesn't show as valid here (e.g., because we don't
8585 * have any shared sigalgs), then we will not set it, and there will
8586 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8587 * will cause tls_choose_sigalgs() to fail the connection.
8588 */
1a2a3a42
MC		 8589 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8590 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7cb8fb07
BK		 8591 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8592 goto out;
8593 }
1a2a3a42
MC		 8594
8595 ret = 1;
cd6fe29f
MC		 8596 }
8597
8598 /* Abort the handshake */
7cb8fb07 8599 out:
1a2a3a42
MC		 8600 OPENSSL_free(ecdsacert);
8601 OPENSSL_free(ecdsakey);
8602 OPENSSL_free(rootfile);
7cb8fb07
BK		 8603 BIO_free(in);
8604 EVP_PKEY_free(pkey);
8605 X509_free(x509);
1a2a3a42 8606 X509_free(rootx);
79b2a2f2 8607 OSSL_STACK_OF_X509_free(chain);
1a2a3a42 8608 return ret;
cd6fe29f
MC		 8609}
8610
8611/*
8612 * Test the certificate callback.
8613 * Test 0: Callback fails
8614 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8615 * Test 2: Success - SSL_set_SSL_CTX() in the callback
1a2a3a42
MC		 8616 * Test 3: Success - Call SSL_check_chain from the callback
8617 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8618 * chain
8619 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
cd6fe29f
MC		 8620 */
8621static int test_cert_cb_int(int prot, int tst)
8622{
8623 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8624 SSL *clientssl = NULL, *serverssl = NULL;
8625 int testresult = 0, ret;
8626
1a2a3a42
MC		 8627#ifdef OPENSSL_NO_EC
8628 /* We use an EC cert in these tests, so we skip in a no-ec build */
8629 if (tst >= 3)
8630 return 1;
8631#endif
8632
5e30f2fd 8633 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
cd6fe29f
MC		 8634 TLS_client_method(),
8635 TLS1_VERSION,
8636 prot,
8637 &sctx, &cctx, NULL, NULL)))
8638 goto end;
8639
8640 if (tst == 0)
8641 cert_cb_cnt = -1;
1a2a3a42 8642 else if (tst >= 3)
7cb8fb07 8643 cert_cb_cnt = 3;
cd6fe29f
MC		 8644 else
8645 cert_cb_cnt = 0;
1a2a3a42 8646
b0317df2 8647 if (tst == 2) {
7e1eda48 8648 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
b0317df2
JJ		 8649 if (!TEST_ptr(snictx))
8650 goto end;
8651 }
8652
cd6fe29f
MC		 8653 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8654
8655 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8656 NULL, NULL)))
8657 goto end;
8658
1a2a3a42
MC		 8659 if (tst == 4) {
8660 /*
8661 * We cause SSL_check_chain() to fail by specifying sig_algs that
8662 * the chain doesn't meet (the root uses an RSA cert)
8663 */
8664 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8665 "ecdsa_secp256r1_sha256")))
8666 goto end;
8667 } else if (tst == 5) {
8668 /*
8669 * We cause SSL_check_chain() to fail by specifying sig_algs that
8670 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8671 */
8672 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8673 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8674 goto end;
8675 }
8676
cd6fe29f 8677 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
1a2a3a42 8678 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7cb8fb07
BK		 8679 || (tst > 0
8680 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
cd6fe29f
MC		 8681 goto end;
8682 }
8683
8684 testresult = 1;
8685
8686 end:
8687 SSL_free(serverssl);
8688 SSL_free(clientssl);
8689 SSL_CTX_free(sctx);
8690 SSL_CTX_free(cctx);
8691 SSL_CTX_free(snictx);
8692
8693 return testresult;
8694}
7f1d923a 8695#endif
cd6fe29f
MC		 8696
8697static int test_cert_cb(int tst)
8698{
8699 int testresult = 1;
8700
8701#ifndef OPENSSL_NO_TLS1_2
8702 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8703#endif
a763ca11 8704#ifndef OSSL_NO_USABLE_TLS1_3
cd6fe29f
MC		 8705 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8706#endif
8707
8708 return testresult;
8709}
8710
6e46c065
MC		 8711static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8712{
8c2bfd25 8713 X509 *xcert;
6e46c065
MC		 8714 EVP_PKEY *privpkey;
8715 BIO *in = NULL;
6725682d 8716 BIO *priv_in = NULL;
6e46c065 8717
8c2bfd25
TS		 8718 /* Check that SSL_get0_peer_certificate() returns something sensible */
8719 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
6e46c065 8720 return 0;
6e46c065
MC		 8721
8722 in = BIO_new_file(cert, "r");
8723 if (!TEST_ptr(in))
8724 return 0;
8725
d8652be0 8726 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
6725682d
SL		 8727 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
8728 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
5f2b7db0
RL		 8729 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
8730 NULL, NULL,
8731 libctx, NULL)))
6725682d 8732 goto err;
6e46c065
MC		 8733
8734 *x509 = xcert;
8735 *pkey = privpkey;
8736
6725682d
SL		 8737 BIO_free(in);
8738 BIO_free(priv_in);
6e46c065 8739 return 1;
6725682d
SL		 8740err:
8741 X509_free(xcert);
8742 BIO_free(in);
8743 BIO_free(priv_in);
8744 return 0;
6e46c065
MC		 8745}
8746
6e46c065
MC		 8747static int test_client_cert_cb(int tst)
8748{
8749 SSL_CTX *cctx = NULL, *sctx = NULL;
8750 SSL *clientssl = NULL, *serverssl = NULL;
8751 int testresult = 0;
8752
8753#ifdef OPENSSL_NO_TLS1_2
8754 if (tst == 0)
8755 return 1;
8756#endif
a763ca11 8757#ifdef OSSL_NO_USABLE_TLS1_3
6e46c065
MC		 8758 if (tst == 1)
8759 return 1;
8760#endif
8761
5e30f2fd 8762 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6e46c065
MC		 8763 TLS_client_method(),
8764 TLS1_VERSION,
8765 tst == 0 ? TLS1_2_VERSION
8766 : TLS1_3_VERSION,
8767 &sctx, &cctx, cert, privkey)))
8768 goto end;
8769
8770 /*
8771 * Test that setting a client_cert_cb results in a client certificate being
8772 * sent.
8773 */
8774 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
8775 SSL_CTX_set_verify(sctx,
8776 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8777 verify_cb);
fb8c8359
MC		 8778
8779 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8780 NULL, NULL))
8781 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8782 SSL_ERROR_NONE)))
8783 goto end;
8784
8785 testresult = 1;
8786
8787 end:
8788 SSL_free(serverssl);
8789 SSL_free(clientssl);
8790 SSL_CTX_free(sctx);
8791 SSL_CTX_free(cctx);
8792
8793 return testresult;
8794}
8795
a763ca11 8796#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
fb8c8359
MC		 8797/*
8798 * Test setting certificate authorities on both client and server.
8799 *
8800 * Test 0: SSL_CTX_set0_CA_list() only
8801 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8802 * Test 2: Only SSL_CTX_set_client_CA_list()
8803 */
8804static int test_ca_names_int(int prot, int tst)
8805{
8806 SSL_CTX *cctx = NULL, *sctx = NULL;
8807 SSL *clientssl = NULL, *serverssl = NULL;
8808 int testresult = 0;
8809 size_t i;
8810 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
8811 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
8812 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
8813 const STACK_OF(X509_NAME) *sktmp = NULL;
8814
8815 for (i = 0; i < OSSL_NELEM(name); i++) {
8816 name[i] = X509_NAME_new();
8817 if (!TEST_ptr(name[i])
8818 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
8819 MBSTRING_ASC,
8820 (unsigned char *)
8821 strnames[i],
8822 -1, -1, 0)))
8823 goto end;
8824 }
8825
5e30f2fd 8826 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fb8c8359
MC		 8827 TLS_client_method(),
8828 TLS1_VERSION,
8829 prot,
8830 &sctx, &cctx, cert, privkey)))
8831 goto end;
8832
8833 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
8834
8835 if (tst == 0 || tst == 1) {
8836 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8837 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
8838 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
8839 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8840 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
8841 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
8842 goto end;
8843
8844 SSL_CTX_set0_CA_list(sctx, sk1);
8845 SSL_CTX_set0_CA_list(cctx, sk2);
8846 sk1 = sk2 = NULL;
8847 }
8848 if (tst == 1 || tst == 2) {
8849 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8850 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
8851 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
8852 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8853 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
8854 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
8855 goto end;
8856
8857 SSL_CTX_set_client_CA_list(sctx, sk1);
8858 SSL_CTX_set_client_CA_list(cctx, sk2);
8859 sk1 = sk2 = NULL;
8860 }
8861
6e46c065
MC		 8862 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8863 NULL, NULL))
8864 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8865 SSL_ERROR_NONE)))
8866 goto end;
8867
fb8c8359
MC		 8868 /*
8869 * We only expect certificate authorities to have been sent to the server
8870 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
8871 */
8872 sktmp = SSL_get0_peer_CA_list(serverssl);
8873 if (prot == TLS1_3_VERSION
8874 && (tst == 0 || tst == 1)) {
8875 if (!TEST_ptr(sktmp)
8876 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8877 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8878 name[0]), 0)
8879 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8880 name[1]), 0))
8881 goto end;
8882 } else if (!TEST_ptr_null(sktmp)) {
8883 goto end;
8884 }
8885
8886 /*
8887 * In all tests we expect certificate authorities to have been sent to the
8888 * client. However, SSL_set_client_CA_list() should override
8889 * SSL_set0_CA_list()
8890 */
8891 sktmp = SSL_get0_peer_CA_list(clientssl);
8892 if (!TEST_ptr(sktmp)
8893 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8894 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8895 name[tst == 0 ? 0 : 2]), 0)
8896 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8897 name[tst == 0 ? 1 : 3]), 0))
8898 goto end;
8899
6e46c065
MC		 8900 testresult = 1;
8901
8902 end:
8903 SSL_free(serverssl);
8904 SSL_free(clientssl);
8905 SSL_CTX_free(sctx);
8906 SSL_CTX_free(cctx);
fb8c8359
MC		 8907 for (i = 0; i < OSSL_NELEM(name); i++)
8908 X509_NAME_free(name[i]);
8909 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
8910 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
8911
8912 return testresult;
8913}
8914#endif
8915
8916static int test_ca_names(int tst)
8917{
8918 int testresult = 1;
8919
8920#ifndef OPENSSL_NO_TLS1_2
8921 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
8922#endif
a763ca11 8923#ifndef OSSL_NO_USABLE_TLS1_3
fb8c8359
MC		 8924 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
8925#endif
6e46c065
MC		 8926
8927 return testresult;
8928}
8929
0d2bfe52
SL		 8930#ifndef OPENSSL_NO_TLS1_2
8931static const char *multiblock_cipherlist_data[]=
8932{
8933 "AES128-SHA",
8934 "AES128-SHA256",
8935 "AES256-SHA",
8936 "AES256-SHA256",
8937};
8938
8939/* Reduce the fragment size - so the multiblock test buffer can be small */
8940# define MULTIBLOCK_FRAGSIZE 512
8941
8942static int test_multiblock_write(int test_index)
8943{
8944 static const char *fetchable_ciphers[]=
8945 {
8946 "AES-128-CBC-HMAC-SHA1",
8947 "AES-128-CBC-HMAC-SHA256",
8948 "AES-256-CBC-HMAC-SHA1",
8949 "AES-256-CBC-HMAC-SHA256"
8950 };
8951 const char *cipherlist = multiblock_cipherlist_data[test_index];
8952 const SSL_METHOD *smeth = TLS_server_method();
8953 const SSL_METHOD *cmeth = TLS_client_method();
8954 int min_version = TLS1_VERSION;
8955 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
8956 SSL_CTX *cctx = NULL, *sctx = NULL;
8957 SSL *clientssl = NULL, *serverssl = NULL;
8958 int testresult = 0;
8959
8960 /*
8961 * Choose a buffer large enough to perform a multi-block operation
8962 * i.e: write_len >= 4 * frag_size
8963 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8964 */
8965 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
8966 unsigned char buf[sizeof(msg)], *p = buf;
8967 size_t readbytes, written, len;
8968 EVP_CIPHER *ciph = NULL;
8969
8970 /*
8971 * Check if the cipher exists before attempting to use it since it only has
8972 * a hardware specific implementation.
8973 */
7c82a7a8 8974 ciph = EVP_CIPHER_fetch(libctx, fetchable_ciphers[test_index], "");
0d2bfe52
SL		 8975 if (ciph == NULL) {
8976 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
8977 return 1;
8978 }
8979 EVP_CIPHER_free(ciph);
8980
8981 /* Set up a buffer with some data that will be sent to the client */
8982 RAND_bytes(msg, sizeof(msg));
8983
5e30f2fd
MC		 8984 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
8985 max_version, &sctx, &cctx, cert,
8986 privkey)))
0d2bfe52
SL		 8987 goto end;
8988
8989 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
8990 goto end;
8991
8992 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8993 NULL, NULL)))
8994 goto end;
8995
8996 /* settings to force it to use AES-CBC-HMAC_SHA */
8997 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
8998 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
8999 goto end;
9000
9001 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9002 goto end;
9003
9004 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
9005 || !TEST_size_t_eq(written, sizeof(msg)))
9006 goto end;
9007
9008 len = written;
9009 while (len > 0) {
9010 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
9011 goto end;
9012 p += readbytes;
9013 len -= readbytes;
9014 }
9015 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
9016 goto end;
9017
9018 testresult = 1;
9019end:
9020 SSL_free(serverssl);
9021 SSL_free(clientssl);
9022 SSL_CTX_free(sctx);
9023 SSL_CTX_free(cctx);
9024
9025 return testresult;
9026}
9027#endif /* OPENSSL_NO_TLS1_2 */
a43ce58f 9028
25959e04
TS		 9029static int test_session_timeout(int test)
9030{
9031 /*
9032 * Test session ordering and timeout
9033 * Can't explicitly test performance of the new code,
9034 * but can test to see if the ordering of the sessions
9035 * are correct, and they they are removed as expected
9036 */
9037 SSL_SESSION *early = NULL;
9038 SSL_SESSION *middle = NULL;
9039 SSL_SESSION *late = NULL;
9040 SSL_CTX *ctx;
9041 int testresult = 0;
9042 long now = (long)time(NULL);
9043#define TIMEOUT 10
9044
9045 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
9046 || !TEST_ptr(early = SSL_SESSION_new())
9047 || !TEST_ptr(middle = SSL_SESSION_new())
9048 || !TEST_ptr(late = SSL_SESSION_new()))
9049 goto end;
9050
9051 /* assign unique session ids */
9052 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9053 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
9054 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9055 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
9056 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9057 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
9058
9059 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9060 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
9061 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
9062 goto end;
9063
9064 /* Make sure they are all added */
9065 if (!TEST_ptr(early->prev)
9066 || !TEST_ptr(middle->prev)
9067 || !TEST_ptr(late->prev))
9068 goto end;
9069
9070 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
9071 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
9072 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
9073 goto end;
9074
9075 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
9076 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
9077 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
9078 goto end;
9079
9080 /* Make sure they are all still there */
9081 if (!TEST_ptr(early->prev)
9082 || !TEST_ptr(middle->prev)
9083 || !TEST_ptr(late->prev))
9084 goto end;
9085
9086 /* Make sure they are in the expected order */
9087 if (!TEST_ptr_eq(late->next, middle)
9088 || !TEST_ptr_eq(middle->next, early)
9089 || !TEST_ptr_eq(early->prev, middle)
9090 || !TEST_ptr_eq(middle->prev, late))
9091 goto end;
9092
9093 /* This should remove "early" */
9094 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
9095 if (!TEST_ptr_null(early->prev)
9096 || !TEST_ptr(middle->prev)
9097 || !TEST_ptr(late->prev))
9098 goto end;
9099
9100 /* This should remove "middle" */
9101 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
9102 if (!TEST_ptr_null(early->prev)
9103 || !TEST_ptr_null(middle->prev)
9104 || !TEST_ptr(late->prev))
9105 goto end;
9106
9107 /* This should remove "late" */
9108 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
9109 if (!TEST_ptr_null(early->prev)
9110 || !TEST_ptr_null(middle->prev)
9111 || !TEST_ptr_null(late->prev))
9112 goto end;
9113
9114 /* Add them back in again */
9115 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9116 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
9117 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
9118 goto end;
9119
9120 /* Make sure they are all added */
9121 if (!TEST_ptr(early->prev)
9122 || !TEST_ptr(middle->prev)
9123 || !TEST_ptr(late->prev))
9124 goto end;
9125
9126 /* This should remove all of them */
9127 SSL_CTX_flush_sessions(ctx, 0);
9128 if (!TEST_ptr_null(early->prev)
9129 || !TEST_ptr_null(middle->prev)
9130 || !TEST_ptr_null(late->prev))
9131 goto end;
9132
9133 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
9134 | SSL_CTX_get_session_cache_mode(ctx));
9135
9136 /* make sure |now| is NOT equal to the current time */
9137 now -= 10;
9138 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
9139 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9140 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
9141 goto end;
9142
9143 testresult = 1;
9144 end:
9145 SSL_CTX_free(ctx);
9146 SSL_SESSION_free(early);
9147 SSL_SESSION_free(middle);
9148 SSL_SESSION_free(late);
9149 return testresult;
9150}
9151
49ef3d07
MC		 9152/*
9153 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
9154 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
9155 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
9156 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
9157 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
9158 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
9159 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
9160 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
9161 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
9162 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
9163 */
9164static int test_servername(int tst)
9165{
9166 SSL_CTX *cctx = NULL, *sctx = NULL;
9167 SSL *clientssl = NULL, *serverssl = NULL;
9168 int testresult = 0;
9169 SSL_SESSION *sess = NULL;
9170 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
9171
9172#ifdef OPENSSL_NO_TLS1_2
9173 if (tst <= 4)
9174 return 1;
9175#endif
a763ca11 9176#ifdef OSSL_NO_USABLE_TLS1_3
49ef3d07
MC		 9177 if (tst >= 5)
9178 return 1;
9179#endif
9180
5e30f2fd 9181 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
49ef3d07
MC		 9182 TLS_client_method(),
9183 TLS1_VERSION,
9184 (tst <= 4) ? TLS1_2_VERSION
9185 : TLS1_3_VERSION,
9186 &sctx, &cctx, cert, privkey))
9187 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9188 NULL, NULL)))
9189 goto end;
9190
9191 if (tst != 1 && tst != 6) {
9192 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
9193 hostname_cb)))
9194 goto end;
9195 }
9196
9197 if (tst != 3 && tst != 8) {
9198 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9199 goto end;
9200 sexpectedhost = cexpectedhost = "goodhost";
9201 }
9202
9203 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9204 goto end;
9205
9206 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
9207 cexpectedhost)
9208 || !TEST_str_eq(SSL_get_servername(serverssl,
9209 TLSEXT_NAMETYPE_host_name),
9210 sexpectedhost))
9211 goto end;
9212
9213 /* Now repeat with a resumption handshake */
9214
9215 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
9216 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
9217 || !TEST_true(SSL_SESSION_is_resumable(sess))
9218 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
9219 goto end;
9220
9221 SSL_free(clientssl);
9222 SSL_free(serverssl);
9223 clientssl = serverssl = NULL;
9224
9225 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
9226 NULL)))
9227 goto end;
9228
9229 if (!TEST_true(SSL_set_session(clientssl, sess)))
9230 goto end;
9231
9232 sexpectedhost = cexpectedhost = "goodhost";
9233 if (tst == 2 || tst == 7) {
9234 /* Set an inconsistent hostname */
9235 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
9236 goto end;
9237 /*
9238 * In TLSv1.2 we expect the hostname from the original handshake, in
9239 * TLSv1.3 we expect the hostname from this handshake
9240 */
9241 if (tst == 7)
9242 sexpectedhost = cexpectedhost = "altgoodhost";
9243
9244 if (!TEST_str_eq(SSL_get_servername(clientssl,
9245 TLSEXT_NAMETYPE_host_name),
9246 "altgoodhost"))
9247 goto end;
9248 } else if (tst == 4 || tst == 9) {
9249 /*
9250 * A TLSv1.3 session does not associate a session with a servername,
9251 * but a TLSv1.2 session does.
9252 */
9253 if (tst == 9)
9254 sexpectedhost = cexpectedhost = NULL;
9255
9256 if (!TEST_str_eq(SSL_get_servername(clientssl,
9257 TLSEXT_NAMETYPE_host_name),
9258 cexpectedhost))
9259 goto end;
9260 } else {
9261 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9262 goto end;
9263 /*
9264 * In a TLSv1.2 resumption where the hostname was not acknowledged
9265 * we expect the hostname on the server to be empty. On the client we
9266 * return what was requested in this case.
9267 *
9268 * Similarly if the client didn't set a hostname on an original TLSv1.2
9269 * session but is now, the server hostname will be empty, but the client
9270 * is as we set it.
9271 */
9272 if (tst == 1 || tst == 3)
9273 sexpectedhost = NULL;
9274
9275 if (!TEST_str_eq(SSL_get_servername(clientssl,
9276 TLSEXT_NAMETYPE_host_name),
9277 "goodhost"))
9278 goto end;
9279 }
9280
9281 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9282 goto end;
9283
9284 if (!TEST_true(SSL_session_reused(clientssl))
9285 || !TEST_true(SSL_session_reused(serverssl))
9286 || !TEST_str_eq(SSL_get_servername(clientssl,
9287 TLSEXT_NAMETYPE_host_name),
9288 cexpectedhost)
9289 || !TEST_str_eq(SSL_get_servername(serverssl,
9290 TLSEXT_NAMETYPE_host_name),
9291 sexpectedhost))
9292 goto end;
9293
9294 testresult = 1;
9295
9296 end:
9297 SSL_SESSION_free(sess);
9298 SSL_free(serverssl);
9299 SSL_free(clientssl);
9300 SSL_CTX_free(sctx);
9301 SSL_CTX_free(cctx);
9302
9303 return testresult;
9304}
9305
b1fdbc68 9306#if !defined(OPENSSL_NO_EC) \
a763ca11 9307 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b3842539
MC		 9308/*
9309 * Test that if signature algorithms are not available, then we do not offer or
9310 * accept them.
9311 * Test 0: Two RSA sig algs available: both RSA sig algs shared
9312 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
9313 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
9314 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
9315 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
9316 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
9317 */
9318static int test_sigalgs_available(int idx)
9319{
9320 SSL_CTX *cctx = NULL, *sctx = NULL;
9321 SSL *clientssl = NULL, *serverssl = NULL;
9322 int testresult = 0;
b4250010
DMSP		 9323 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
9324 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
b3842539
MC		 9325 OSSL_PROVIDER *filterprov = NULL;
9326 int sig, hash;
9327
9328 if (!TEST_ptr(tmpctx))
9329 goto end;
9330
9331 if (idx != 0 && idx != 3) {
9332 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
9333 filter_provider_init)))
9334 goto end;
9335
9336 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
9337 if (!TEST_ptr(filterprov))
9338 goto end;
9339
9340 if (idx < 3) {
9341 /*
9342 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
9343 * or accepted for the peer that uses this libctx. Note that libssl
9344 * *requires* SHA2-256 to be available so we cannot disable that. We
9345 * also need SHA1 for our certificate.
9346 */
9347 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
9348 "SHA2-256:SHA1")))
9349 goto end;
9350 } else {
9351 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
9352 "ECDSA"))
9353 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
9354 "EC:X25519:X448")))
9355 goto end;
9356 }
9357
9358 if (idx == 1 || idx == 4)
9359 clientctx = tmpctx;
9360 else
9361 serverctx = tmpctx;
9362 }
9363
d8652be0
MC		 9364 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
9365 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9d2d857f
MC		 9366 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
9367 goto end;
b3842539 9368
b4c4a2c6
TM		 9369 if (idx != 5) {
9370 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9371 TLS_client_method(),
9372 TLS1_VERSION,
9373 0,
9374 &sctx, &cctx, cert, privkey)))
9375 goto end;
9376 } else {
9377 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9378 TLS_client_method(),
9379 TLS1_VERSION,
9380 0,
9381 &sctx, &cctx, cert2, privkey2)))
9382 goto end;
9383 }
b3842539 9384
b1fdbc68
MC		 9385 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
9386 if (idx < 4) {
9387 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9388 "ECDHE-RSA-AES128-GCM-SHA256")))
9389 goto end;
9390 } else {
9391 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9392 "ECDHE-ECDSA-AES128-GCM-SHA256")))
9393 goto end;
9394 }
9395
b3842539
MC		 9396 if (idx < 3) {
9397 if (!SSL_CTX_set1_sigalgs_list(cctx,
9398 "rsa_pss_rsae_sha384"
9399 ":rsa_pss_rsae_sha256")
9400 || !SSL_CTX_set1_sigalgs_list(sctx,
9401 "rsa_pss_rsae_sha384"
9402 ":rsa_pss_rsae_sha256"))
9403 goto end;
9404 } else {
9405 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
9406 || !SSL_CTX_set1_sigalgs_list(sctx,
9407 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
9408 goto end;
9409 }
9410
b4c4a2c6
TM		 9411 if (idx != 5
9412 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
9413 SSL_FILETYPE_PEM), 1)
b3842539
MC		 9414 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
9415 privkey2,
9416 SSL_FILETYPE_PEM), 1)
b4c4a2c6 9417 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
b3842539
MC		 9418 goto end;
9419
9420 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
b4c4a2c6 9421 NULL, NULL)))
b3842539
MC		 9422 goto end;
9423
9424 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9425 goto end;
9426
9427 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
9428 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
9429 NULL, NULL),
9430 (idx == 0 || idx == 3) ? 2 : 1))
9431 goto end;
9432
9433 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
9434 goto end;
9435
9436 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
9437 : NID_rsassaPss))
9438 goto end;
9439
b0001d0c 9440 testresult = filter_provider_check_clean_finish();
b3842539
MC		 9441
9442 end:
9443 SSL_free(serverssl);
9444 SSL_free(clientssl);
9445 SSL_CTX_free(sctx);
9446 SSL_CTX_free(cctx);
9447 OSSL_PROVIDER_unload(filterprov);
b4250010 9448 OSSL_LIB_CTX_free(tmpctx);
b3842539
MC		 9449
9450 return testresult;
9451}
b1fdbc68
MC		 9452#endif /*
9453 * !defined(OPENSSL_NO_EC) \
a763ca11 9454 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b1fdbc68 9455 */
b3842539 9456
0c13cdf8 9457#ifndef OPENSSL_NO_TLS1_3
a763ca11 9458/* This test can run in TLSv1.3 even if ec and dh are disabled */
c8e3a4c6 9459static int test_pluggable_group(int idx)
0c13cdf8
MC		 9460{
9461 SSL_CTX *cctx = NULL, *sctx = NULL;
9462 SSL *clientssl = NULL, *serverssl = NULL;
9463 int testresult = 0;
9464 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
146aebc6
MC		 9465 /* Check that we are not impacted by a provider without any groups */
9466 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
c8e3a4c6 9467 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
0c13cdf8 9468
5ae54dba 9469 if (!TEST_ptr(tlsprov))
0c13cdf8
MC		 9470 goto end;
9471
5ae54dba
MC		 9472 if (legacyprov == NULL) {
9473 /*
9474 * In this case we assume we've been built with "no-legacy" and skip
9475 * this test (there is no OPENSSL_NO_LEGACY)
9476 */
9477 testresult = 1;
9478 goto end;
9479 }
9480
0c13cdf8
MC		 9481 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9482 TLS_client_method(),
9483 TLS1_3_VERSION,
9484 TLS1_3_VERSION,
9485 &sctx, &cctx, cert, privkey))
9486 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9487 NULL, NULL)))
9488 goto end;
9489
c8e3a4c6
NT		 9490 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
9491 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
0c13cdf8
MC		 9492 goto end;
9493
9494 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9495 goto end;
9496
becbacd7
MB		 9497 if (!TEST_str_eq(group_name,
9498 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
9499 goto end;
9500
68668243
AB		 9501 if (!TEST_str_eq(group_name, SSL_get0_group_name(serverssl))
9502 || !TEST_str_eq(group_name, SSL_get0_group_name(clientssl)))
9503 goto end;
9504
0c13cdf8
MC		 9505 testresult = 1;
9506
9507 end:
9508 SSL_free(serverssl);
9509 SSL_free(clientssl);
9510 SSL_CTX_free(sctx);
9511 SSL_CTX_free(cctx);
9512 OSSL_PROVIDER_unload(tlsprov);
146aebc6 9513 OSSL_PROVIDER_unload(legacyprov);
0c13cdf8
MC		 9514
9515 return testresult;
9516}
ee58915c
MB		 9517
9518/*
9519 * This function triggers encode, decode and sign functions
9520 * of the artificial "xorhmacsig" algorithm implemented in tls-provider
9521 * creating private key and certificate files for use in TLS testing.
9522 */
9523static int create_cert_key(int idx, char *certfilename, char *privkeyfilename)
9524{
9525 EVP_PKEY_CTX * evpctx = EVP_PKEY_CTX_new_from_name(libctx,
9526 (idx == 0) ? "xorhmacsig" : "xorhmacsha2sig", NULL);
9527 EVP_PKEY *pkey = NULL;
9528 X509 *x509 = X509_new();
9529 X509_NAME *name = NULL;
9530 BIO *keybio = NULL, *certbio = NULL;
9531 int ret = 1;
9532
9533 if (!TEST_ptr(evpctx)
9534 || !TEST_true(EVP_PKEY_keygen_init(evpctx))
9535 || !TEST_true(EVP_PKEY_generate(evpctx, &pkey))
9536 || !TEST_ptr(pkey)
9537 || !TEST_ptr(x509)
9538 || !TEST_true(ASN1_INTEGER_set(X509_get_serialNumber(x509), 1))
9539 || !TEST_true(X509_gmtime_adj(X509_getm_notBefore(x509), 0))
9540 || !TEST_true(X509_gmtime_adj(X509_getm_notAfter(x509), 31536000L))
9541 || !TEST_true(X509_set_pubkey(x509, pkey))
9542 || !TEST_ptr(name = X509_get_subject_name(x509))
9543 || !TEST_true(X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC,
9544 (unsigned char *)"CH", -1, -1, 0))
9545 || !TEST_true(X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
9546 (unsigned char *)"test.org", -1, -1, 0))
9547 || !TEST_true(X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
9548 (unsigned char *)"localhost", -1, -1, 0))
9549 || !TEST_true(X509_set_issuer_name(x509, name))
9550 || !TEST_true(X509_sign(x509, pkey, EVP_sha1()))
9551 || !TEST_ptr(keybio = BIO_new_file(privkeyfilename, "wb"))
9552 || !TEST_true(PEM_write_bio_PrivateKey(keybio, pkey, NULL, NULL, 0, NULL, NULL))
9553 || !TEST_ptr(certbio = BIO_new_file(certfilename, "wb"))
9554 || !TEST_true(PEM_write_bio_X509(certbio, x509)))
9555 ret = 0;
9556
9557 EVP_PKEY_free(pkey);
9558 X509_free(x509);
9559 EVP_PKEY_CTX_free(evpctx);
9560 BIO_free(keybio);
9561 BIO_free(certbio);
9562 return ret;
9563}
9564
9565/*
9566 * Test that signature algorithms loaded via the provider interface can
9567 * correctly establish a TLS (1.3) connection.
9568 * Test 0: Signature algorithm with built-in hashing functionality: "xorhmacsig"
9569 * Test 1: Signature algorithm using external SHA2 hashing: "xorhmacsha2sig"
3c95ef22
TS		 9570 * Test 2: Test 0 using RPK
9571 * Test 3: Test 1 using RPK
ee58915c
MB		 9572 */
9573static int test_pluggable_signature(int idx)
9574{
3c95ef22 9575 static const unsigned char cert_type_rpk[] = { TLSEXT_cert_type_rpk, TLSEXT_cert_type_x509 };
ee58915c
MB		 9576 SSL_CTX *cctx = NULL, *sctx = NULL;
9577 SSL *clientssl = NULL, *serverssl = NULL;
9578 int testresult = 0;
9579 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
9580 OSSL_PROVIDER *defaultprov = OSSL_PROVIDER_load(libctx, "default");
9581 char *certfilename = "tls-prov-cert.pem";
9582 char *privkeyfilename = "tls-prov-key.pem";
3c95ef22
TS		 9583 int sigidx = idx % 2;
9584 int rpkidx = idx / 2;
ee58915c
MB		 9585
9586 /* create key and certificate for the different algorithm types */
9587 if (!TEST_ptr(tlsprov)
3c95ef22 9588 || !TEST_true(create_cert_key(sigidx, certfilename, privkeyfilename)))
ee58915c
MB		 9589 goto end;
9590
9591 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9592 TLS_client_method(),
9593 TLS1_3_VERSION,
9594 TLS1_3_VERSION,
9595 &sctx, &cctx, certfilename, privkeyfilename))
9596 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9597 NULL, NULL)))
9598 goto end;
9599
3c95ef22
TS		 9600 /* Enable RPK for server cert */
9601 if (rpkidx) {
9602 if (!TEST_true(SSL_set1_server_cert_type(serverssl, cert_type_rpk, sizeof(cert_type_rpk)))
9603 || !TEST_true(SSL_set1_server_cert_type(clientssl, cert_type_rpk, sizeof(cert_type_rpk))))
9604 goto end;
9605 }
9606
ee58915c
MB		 9607 /* This is necessary to pass minimal setup w/o other groups configured */
9608 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup"))
9609 || !TEST_true(SSL_set1_groups_list(clientssl, "xorgroup")))
9610 goto end;
9611
9612 /*
9613 * If this connection gets established, it must have been completed
9614 * via the tls-provider-implemented "hmacsig" algorithm, testing
9615 * both sign and verify functions during handshake.
9616 */
9617 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9618 goto end;
9619
3c95ef22
TS		 9620 /* If using RPK, make sure we got one */
9621 if (rpkidx && !TEST_long_eq(SSL_get_verify_result(clientssl), X509_V_ERR_RPK_UNTRUSTED))
9622 goto end;
9623
ee58915c
MB		 9624 testresult = 1;
9625
9626 end:
9627 SSL_free(serverssl);
9628 SSL_free(clientssl);
9629 SSL_CTX_free(sctx);
9630 SSL_CTX_free(cctx);
9631 OSSL_PROVIDER_unload(tlsprov);
9632 OSSL_PROVIDER_unload(defaultprov);
9633
9634 return testresult;
9635}
0c13cdf8 9636#endif
b3842539 9637
49a36a52
MC		 9638#ifndef OPENSSL_NO_TLS1_2
9639static int test_ssl_dup(void)
9640{
9641 SSL_CTX *cctx = NULL, *sctx = NULL;
9642 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
9643 int testresult = 0;
9644 BIO *rbio = NULL, *wbio = NULL;
9645
9646 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9647 TLS_client_method(),
9648 0,
9649 0,
9650 &sctx, &cctx, cert, privkey)))
9651 goto end;
9652
9653 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9654 NULL, NULL)))
9655 goto end;
9656
9657 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
9658 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
9659 goto end;
9660
9661 client2ssl = SSL_dup(clientssl);
9662 rbio = SSL_get_rbio(clientssl);
9663 if (!TEST_ptr(rbio)
9664 || !TEST_true(BIO_up_ref(rbio)))
9665 goto end;
9666 SSL_set0_rbio(client2ssl, rbio);
9667 rbio = NULL;
9668
9669 wbio = SSL_get_wbio(clientssl);
9670 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
9671 goto end;
9672 SSL_set0_wbio(client2ssl, wbio);
9673 rbio = NULL;
9674
9675 if (!TEST_ptr(client2ssl)
9676 /* Handshake not started so pointers should be different */
9677 || !TEST_ptr_ne(clientssl, client2ssl))
9678 goto end;
9679
9680 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
9681 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
9682 goto end;
9683
9684 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
9685 goto end;
9686
9687 SSL_free(clientssl);
9688 clientssl = SSL_dup(client2ssl);
9689 if (!TEST_ptr(clientssl)
9690 /* Handshake has finished so pointers should be the same */
9691 || !TEST_ptr_eq(clientssl, client2ssl))
9692 goto end;
9693
9694 testresult = 1;
9695
9696 end:
9697 SSL_free(serverssl);
9698 SSL_free(clientssl);
9699 SSL_free(client2ssl);
9700 SSL_CTX_free(sctx);
9701 SSL_CTX_free(cctx);
9702
9703 return testresult;
9704}
33c39a06
MC		 9705
9706# ifndef OPENSSL_NO_DH
9707
9708static EVP_PKEY *tmp_dh_params = NULL;
9709
9710/* Helper function for the test_set_tmp_dh() tests */
9711static EVP_PKEY *get_tmp_dh_params(void)
9712{
9713 if (tmp_dh_params == NULL) {
9714 BIGNUM *p = NULL;
9715 OSSL_PARAM_BLD *tmpl = NULL;
9716 EVP_PKEY_CTX *pctx = NULL;
9717 OSSL_PARAM *params = NULL;
9718 EVP_PKEY *dhpkey = NULL;
9719
9720 p = BN_get_rfc3526_prime_2048(NULL);
9721 if (!TEST_ptr(p))
9722 goto end;
9723
9724 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
9725 if (!TEST_ptr(pctx)
884400d7 9726 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
33c39a06
MC		 9727 goto end;
9728
9729 tmpl = OSSL_PARAM_BLD_new();
9730 if (!TEST_ptr(tmpl)
9731 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
9732 OSSL_PKEY_PARAM_FFC_P,
9733 p))
9734 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
9735 OSSL_PKEY_PARAM_FFC_G,
9736 2)))
9737 goto end;
9738
9739 params = OSSL_PARAM_BLD_to_param(tmpl);
9740 if (!TEST_ptr(params)
884400d7 9741 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
9742 EVP_PKEY_KEY_PARAMETERS,
9743 params), 1))
33c39a06
MC		 9744 goto end;
9745
9746 tmp_dh_params = dhpkey;
9747 end:
9748 BN_free(p);
9749 EVP_PKEY_CTX_free(pctx);
9750 OSSL_PARAM_BLD_free(tmpl);
3f883c7c 9751 OSSL_PARAM_free(params);
33c39a06
MC		 9752 }
9753
f1619160 9754 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
33c39a06
MC		 9755 return NULL;
9756
9757 return tmp_dh_params;
9758}
9759
39f3427d 9760# ifndef OPENSSL_NO_DEPRECATED_3_0
33c39a06
MC		 9761/* Callback used by test_set_tmp_dh() */
9762static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
9763{
9764 EVP_PKEY *dhpkey = get_tmp_dh_params();
9765 DH *ret = NULL;
9766
9767 if (!TEST_ptr(dhpkey))
9768 return NULL;
9769
7bc0fdd3
MC		 9770 /*
9771 * libssl does not free the returned DH, so we free it now knowing that even
9772 * after we free dhpkey, there will still be a reference to the owning
9773 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
9774 * of time we need it for.
9775 */
9776 ret = EVP_PKEY_get1_DH(dhpkey);
9777 DH_free(ret);
33c39a06
MC		 9778
9779 EVP_PKEY_free(dhpkey);
9780
9781 return ret;
9782}
9783# endif
9784
9785/*
9786 * Test the various methods for setting temporary DH parameters
9787 *
9788 * Test 0: Default (no auto) setting
9789 * Test 1: Explicit SSL_CTX auto off
9790 * Test 2: Explicit SSL auto off
9791 * Test 3: Explicit SSL_CTX auto on
9792 * Test 4: Explicit SSL auto on
9793 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
9794 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
9795 *
9796 * The following are testing deprecated APIs, so we only run them if available
9797 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
9798 * Test 8: Explicit SSL auto off, custom DH params via DH
9799 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
9800 * Test 10: Explicit SSL auto off, custom DH params via callback
9801 */
9802static int test_set_tmp_dh(int idx)
9803{
9804 SSL_CTX *cctx = NULL, *sctx = NULL;
9805 SSL *clientssl = NULL, *serverssl = NULL;
9806 int testresult = 0;
9807 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
9808 int expected = (idx <= 2) ? 0 : 1;
9809 EVP_PKEY *dhpkey = NULL;
9810# ifndef OPENSSL_NO_DEPRECATED_3_0
9811 DH *dh = NULL;
9812# else
9813
9814 if (idx >= 7)
9815 return 1;
9816# endif
9817
9818 if (idx >= 5 && idx <= 8) {
9819 dhpkey = get_tmp_dh_params();
9820 if (!TEST_ptr(dhpkey))
9821 goto end;
9822 }
9823# ifndef OPENSSL_NO_DEPRECATED_3_0
9824 if (idx == 7 || idx == 8) {
7bc0fdd3 9825 dh = EVP_PKEY_get1_DH(dhpkey);
33c39a06
MC		 9826 if (!TEST_ptr(dh))
9827 goto end;
9828 }
9829# endif
9830
9831 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9832 TLS_client_method(),
9833 0,
9834 0,
9835 &sctx, &cctx, cert, privkey)))
9836 goto end;
9837
9838 if ((idx & 1) == 1) {
9839 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
9840 goto end;
9841 }
9842
9843 if (idx == 5) {
9844 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
9845 goto end;
9846 dhpkey = NULL;
9847 }
9848# ifndef OPENSSL_NO_DEPRECATED_3_0
9849 else if (idx == 7) {
9850 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
9851 goto end;
9852 } else if (idx == 9) {
9853 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
9854 }
9855# endif
9856
9857 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9858 NULL, NULL)))
9859 goto end;
9860
9861 if ((idx & 1) == 0 && idx != 0) {
9862 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
9863 goto end;
9864 }
9865 if (idx == 6) {
9866 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
9867 goto end;
9868 dhpkey = NULL;
9869 }
9870# ifndef OPENSSL_NO_DEPRECATED_3_0
9871 else if (idx == 8) {
9872 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
9873 goto end;
9874 } else if (idx == 10) {
9875 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
9876 }
9877# endif
9878
9879 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9880 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9881 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
9882 goto end;
9883
9884 /*
9885 * If autoon then we should succeed. Otherwise we expect failure because
9886 * there are no parameters
9887 */
9888 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
9889 SSL_ERROR_NONE), expected))
9890 goto end;
9891
9892 testresult = 1;
9893
9894 end:
7bc0fdd3
MC		 9895# ifndef OPENSSL_NO_DEPRECATED_3_0
9896 DH_free(dh);
9897# endif
33c39a06
MC		 9898 SSL_free(serverssl);
9899 SSL_free(clientssl);
9900 SSL_CTX_free(sctx);
9901 SSL_CTX_free(cctx);
9902 EVP_PKEY_free(dhpkey);
9903
9904 return testresult;
9905}
3105d846
MC		 9906
9907/*
9908 * Test the auto DH keys are appropriately sized
9909 */
9910static int test_dh_auto(int idx)
9911{
61cab650
MC		 9912 SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
9913 SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
3105d846
MC		 9914 SSL *clientssl = NULL, *serverssl = NULL;
9915 int testresult = 0;
9916 EVP_PKEY *tmpkey = NULL;
9917 char *thiscert = NULL, *thiskey = NULL;
9918 size_t expdhsize = 0;
9919 const char *ciphersuite = "DHE-RSA-AES128-SHA";
9920
61cab650
MC		 9921 if (!TEST_ptr(sctx) || !TEST_ptr(cctx))
9922 goto end;
9923
3105d846
MC		 9924 switch (idx) {
9925 case 0:
9926 /* The FIPS provider doesn't support this DH size - so we ignore it */
61cab650
MC		 9927 if (is_fips) {
9928 testresult = 1;
9929 goto end;
9930 }
3105d846
MC		 9931 thiscert = cert1024;
9932 thiskey = privkey1024;
9933 expdhsize = 1024;
61cab650
MC		 9934 SSL_CTX_set_security_level(sctx, 1);
9935 SSL_CTX_set_security_level(cctx, 1);
3105d846
MC		 9936 break;
9937 case 1:
9938 /* 2048 bit prime */
9939 thiscert = cert;
9940 thiskey = privkey;
9941 expdhsize = 2048;
9942 break;
9943 case 2:
9944 thiscert = cert3072;
9945 thiskey = privkey3072;
9946 expdhsize = 3072;
9947 break;
9948 case 3:
9949 thiscert = cert4096;
9950 thiskey = privkey4096;
9951 expdhsize = 4096;
9952 break;
9953 case 4:
9954 thiscert = cert8192;
9955 thiskey = privkey8192;
9956 expdhsize = 8192;
9957 break;
9958 /* No certificate cases */
9959 case 5:
9960 /* The FIPS provider doesn't support this DH size - so we ignore it */
61cab650
MC		 9961 if (is_fips) {
9962 testresult = 1;
9963 goto end;
9964 }
3105d846
MC		 9965 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
9966 expdhsize = 1024;
9967 break;
9968 case 6:
9969 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
9970 expdhsize = 3072;
9971 break;
9972 default:
9973 TEST_error("Invalid text index");
9974 goto end;
9975 }
9976
61cab650
MC		 9977 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL,
9978 NULL,
3105d846
MC		 9979 0,
9980 0,
9981 &sctx, &cctx, thiscert, thiskey)))
9982 goto end;
9983
9984 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9985 NULL, NULL)))
9986 goto end;
9987
9988 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
9989 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9990 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9991 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
9992 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
9993 goto end;
9994
9995 /*
9996 * Send the server's first flight. At this point the server has created the
9997 * temporary DH key but hasn't finished using it yet. Once used it is
9998 * removed, so we cannot test it.
9999 */
10000 if (!TEST_int_le(SSL_connect(clientssl), 0)
10001 || !TEST_int_le(SSL_accept(serverssl), 0))
10002 goto end;
10003
10004 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
10005 goto end;
ed576acd 10006 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
3105d846
MC		 10007 goto end;
10008
10009 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10010 goto end;
10011
10012 testresult = 1;
10013
10014 end:
10015 SSL_free(serverssl);
10016 SSL_free(clientssl);
10017 SSL_CTX_free(sctx);
10018 SSL_CTX_free(cctx);
10019 EVP_PKEY_free(tmpkey);
10020
10021 return testresult;
10022
10023}
33c39a06
MC		 10024# endif /* OPENSSL_NO_DH */
10025#endif /* OPENSSL_NO_TLS1_2 */
49a36a52 10026
a763ca11 10027#ifndef OSSL_NO_USABLE_TLS1_3
6582661f
MC		 10028/*
10029 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
10030 * that it works even without a certificate configured for the original
10031 * SSL_CTX
10032 */
10033static int test_sni_tls13(void)
10034{
10035 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
10036 SSL *clientssl = NULL, *serverssl = NULL;
10037 int testresult = 0;
10038
10039 /* Reset callback counter */
10040 snicb = 0;
10041
10042 /* Create an initial SSL_CTX with no certificate configured */
10043 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10044 if (!TEST_ptr(sctx))
10045 goto end;
10046 /* Require TLSv1.3 as a minimum */
10047 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10048 TLS_client_method(), TLS1_3_VERSION, 0,
10049 &sctx2, &cctx, cert, privkey)))
10050 goto end;
10051
10052 /* Set up SNI */
10053 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
10054 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
10055 goto end;
10056
10057 /*
10058 * Connection should still succeed because the final SSL_CTX has the right
10059 * certificates configured.
10060 */
10061 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10062 &clientssl, NULL, NULL))
10063 || !TEST_true(create_ssl_connection(serverssl, clientssl,
10064 SSL_ERROR_NONE)))
10065 goto end;
10066
10067 /* We should have had the SNI callback called exactly once */
10068 if (!TEST_int_eq(snicb, 1))
10069 goto end;
10070
10071 testresult = 1;
10072
10073end:
10074 SSL_free(serverssl);
10075 SSL_free(clientssl);
10076 SSL_CTX_free(sctx2);
10077 SSL_CTX_free(sctx);
10078 SSL_CTX_free(cctx);
10079 return testresult;
10080}
0089cc7f
TS		 10081
10082/*
10083 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
10084 * 0 = TLSv1.2
10085 * 1 = TLSv1.3
10086 */
10087static int test_ticket_lifetime(int idx)
10088{
10089 SSL_CTX *cctx = NULL, *sctx = NULL;
10090 SSL *clientssl = NULL, *serverssl = NULL;
10091 int testresult = 0;
10092 int version = TLS1_3_VERSION;
10093
10094#define ONE_WEEK_SEC (7 * 24 * 60 * 60)
10095#define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
10096
10097 if (idx == 0) {
40fb5a4c
TS		 10098#ifdef OPENSSL_NO_TLS1_2
10099 return TEST_skip("TLS 1.2 is disabled.");
10100#else
0089cc7f 10101 version = TLS1_2_VERSION;
40fb5a4c 10102#endif
0089cc7f
TS		 10103 }
10104
10105 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10106 TLS_client_method(), version, version,
10107 &sctx, &cctx, cert, privkey)))
10108 goto end;
10109
10110 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10111 &clientssl, NULL, NULL)))
10112 goto end;
10113
10114 /*
10115 * Set the timeout to be more than 1 week
10116 * make sure the returned value is the default
10117 */
10118 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
10119 SSL_get_default_timeout(serverssl)))
10120 goto end;
10121
10122 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10123 goto end;
10124
10125 if (idx == 0) {
10126 /* TLSv1.2 uses the set value */
10127 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
10128 goto end;
10129 } else {
10130 /* TLSv1.3 uses the limited value */
10131 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
10132 goto end;
10133 }
10134 testresult = 1;
10135
10136end:
10137 SSL_free(serverssl);
10138 SSL_free(clientssl);
10139 SSL_CTX_free(sctx);
10140 SSL_CTX_free(cctx);
10141 return testresult;
10142}
6582661f 10143#endif
feba11cf
TS		 10144/*
10145 * Test that setting an ALPN does not violate RFC
10146 */
10147static int test_set_alpn(void)
10148{
10149 SSL_CTX *ctx = NULL;
10150 SSL *ssl = NULL;
10151 int testresult = 0;
10152
10153 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
10154 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
10155 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
10156 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
10157 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
10158 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
10159
10160 /* Create an initial SSL_CTX with no certificate configured */
10161 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10162 if (!TEST_ptr(ctx))
10163 goto end;
10164
10165 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
10166 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
10167 goto end;
10168 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
10169 goto end;
10170 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
10171 goto end;
10172 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
10173 goto end;
10174 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
10175 goto end;
10176 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
10177 goto end;
10178 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
10179 goto end;
10180 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
10181 goto end;
10182 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
10183 goto end;
10184
10185 ssl = SSL_new(ctx);
10186 if (!TEST_ptr(ssl))
10187 goto end;
10188
10189 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
10190 goto end;
10191 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
10192 goto end;
10193 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
10194 goto end;
10195 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
10196 goto end;
10197 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
10198 goto end;
10199 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
10200 goto end;
10201 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
10202 goto end;
10203 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
10204 goto end;
10205 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
10206 goto end;
10207
10208 testresult = 1;
10209
10210end:
10211 SSL_free(ssl);
10212 SSL_CTX_free(ctx);
10213 return testresult;
10214}
6582661f 10215
948cf521
HL		 10216/*
10217 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
10218 */
10219static int test_set_verify_cert_store_ssl_ctx(void)
10220{
10221 SSL_CTX *ctx = NULL;
10222 int testresult = 0;
10223 X509_STORE *store = NULL, *new_store = NULL,
10224 *cstore = NULL, *new_cstore = NULL;
10225
10226 /* Create an initial SSL_CTX. */
10227 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10228 if (!TEST_ptr(ctx))
10229 goto end;
10230
10231 /* Retrieve verify store pointer. */
10232 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10233 goto end;
10234
10235 /* Retrieve chain store pointer. */
10236 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10237 goto end;
10238
10239 /* We haven't set any yet, so this should be NULL. */
10240 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10241 goto end;
10242
10243 /* Create stores. We use separate stores so pointers are different. */
10244 new_store = X509_STORE_new();
10245 if (!TEST_ptr(new_store))
10246 goto end;
10247
10248 new_cstore = X509_STORE_new();
10249 if (!TEST_ptr(new_cstore))
10250 goto end;
10251
10252 /* Set stores. */
10253 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
10254 goto end;
10255
10256 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
10257 goto end;
10258
10259 /* Should be able to retrieve the same pointer. */
10260 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10261 goto end;
10262
10263 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10264 goto end;
10265
10266 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10267 goto end;
10268
10269 /* Should be able to unset again. */
10270 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
10271 goto end;
10272
10273 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
10274 goto end;
10275
10276 /* Should now be NULL. */
10277 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10278 goto end;
10279
10280 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10281 goto end;
10282
10283 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10284 goto end;
10285
10286 testresult = 1;
10287
10288end:
10289 X509_STORE_free(new_store);
10290 X509_STORE_free(new_cstore);
10291 SSL_CTX_free(ctx);
10292 return testresult;
10293}
10294
10295/*
10296 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
10297 */
10298static int test_set_verify_cert_store_ssl(void)
10299{
10300 SSL_CTX *ctx = NULL;
10301 SSL *ssl = NULL;
10302 int testresult = 0;
10303 X509_STORE *store = NULL, *new_store = NULL,
10304 *cstore = NULL, *new_cstore = NULL;
10305
10306 /* Create an initial SSL_CTX. */
10307 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10308 if (!TEST_ptr(ctx))
10309 goto end;
10310
10311 /* Create an SSL object. */
10312 ssl = SSL_new(ctx);
10313 if (!TEST_ptr(ssl))
10314 goto end;
10315
10316 /* Retrieve verify store pointer. */
10317 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10318 goto end;
10319
10320 /* Retrieve chain store pointer. */
10321 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10322 goto end;
10323
10324 /* We haven't set any yet, so this should be NULL. */
10325 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10326 goto end;
10327
10328 /* Create stores. We use separate stores so pointers are different. */
10329 new_store = X509_STORE_new();
10330 if (!TEST_ptr(new_store))
10331 goto end;
10332
10333 new_cstore = X509_STORE_new();
10334 if (!TEST_ptr(new_cstore))
10335 goto end;
10336
10337 /* Set stores. */
10338 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
10339 goto end;
10340
10341 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
10342 goto end;
10343
10344 /* Should be able to retrieve the same pointer. */
10345 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10346 goto end;
10347
10348 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10349 goto end;
10350
10351 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10352 goto end;
10353
10354 /* Should be able to unset again. */
10355 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
10356 goto end;
10357
10358 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
10359 goto end;
10360
10361 /* Should now be NULL. */
10362 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10363 goto end;
10364
10365 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10366 goto end;
10367
10368 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10369 goto end;
10370
10371 testresult = 1;
10372
10373end:
10374 X509_STORE_free(new_store);
10375 X509_STORE_free(new_cstore);
10376 SSL_free(ssl);
10377 SSL_CTX_free(ctx);
10378 return testresult;
10379}
10380
10381
dfccfde0
CH		 10382static int test_inherit_verify_param(void)
10383{
10384 int testresult = 0;
10385
10386 SSL_CTX *ctx = NULL;
10387 X509_VERIFY_PARAM *cp = NULL;
10388 SSL *ssl = NULL;
10389 X509_VERIFY_PARAM *sp = NULL;
10390 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
10391
10392 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10393 if (!TEST_ptr(ctx))
10394 goto end;
10395
10396 cp = SSL_CTX_get0_param(ctx);
10397 if (!TEST_ptr(cp))
10398 goto end;
10399 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
10400 goto end;
10401
10402 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
10403
10404 ssl = SSL_new(ctx);
10405 if (!TEST_ptr(ssl))
10406 goto end;
10407
10408 sp = SSL_get0_param(ssl);
10409 if (!TEST_ptr(sp))
10410 goto end;
10411 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
10412 goto end;
10413
10414 testresult = 1;
10415
10416 end:
10417 SSL_free(ssl);
10418 SSL_CTX_free(ctx);
10419
10420 return testresult;
10421}
10422
b2b8d188
DF		 10423static int test_load_dhfile(void)
10424{
10425#ifndef OPENSSL_NO_DH
10426 int testresult = 0;
10427
10428 SSL_CTX *ctx = NULL;
10429 SSL_CONF_CTX *cctx = NULL;
10430
10431 if (dhfile == NULL)
10432 return 1;
10433
10434 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()))
10435 || !TEST_ptr(cctx = SSL_CONF_CTX_new()))
10436 goto end;
10437
10438 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
10439 SSL_CONF_CTX_set_flags(cctx,
10440 SSL_CONF_FLAG_CERTIFICATE
10441 | SSL_CONF_FLAG_SERVER
10442 | SSL_CONF_FLAG_FILE);
10443
10444 if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2))
10445 goto end;
10446
10447 testresult = 1;
10448end:
10449 SSL_CONF_CTX_free(cctx);
10450 SSL_CTX_free(ctx);
10451
10452 return testresult;
10453#else
10454 return TEST_skip("DH not supported by this build");
10455#endif
10456}
10457
f7565348
MC		 10458#ifndef OSSL_NO_USABLE_TLS1_3
10459/* Test that read_ahead works across a key change */
10460static int test_read_ahead_key_change(void)
10461{
10462 SSL_CTX *cctx = NULL, *sctx = NULL;
10463 SSL *clientssl = NULL, *serverssl = NULL;
10464 int testresult = 0;
10465 char *msg = "Hello World";
10466 size_t written, readbytes;
10467 char buf[80];
10468 int i;
10469
10470 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10471 TLS_client_method(), TLS1_3_VERSION, 0,
10472 &sctx, &cctx, cert, privkey)))
10473 goto end;
10474
10475 SSL_CTX_set_read_ahead(sctx, 1);
10476
10477 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10478 &clientssl, NULL, NULL)))
10479 goto end;
10480
10481 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10482 goto end;
10483
10484 /* Write some data, send a key update, write more data */
10485 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10486 || !TEST_size_t_eq(written, strlen(msg)))
10487 goto end;
10488
10489 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
10490 goto end;
10491
10492 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10493 || !TEST_size_t_eq(written, strlen(msg)))
10494 goto end;
10495
10496 /*
10497 * Since read_ahead is on the first read below should read the record with
10498 * the first app data, the second record with the key update message, and
10499 * the third record with the app data all in one go. We should be able to
10500 * still process the read_ahead data correctly even though it crosses
10501 * epochs
10502 */
10503 for (i = 0; i < 2; i++) {
10504 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10505 &readbytes)))
10506 goto end;
10507
10508 buf[readbytes] = '\0';
10509 if (!TEST_str_eq(buf, msg))
10510 goto end;
10511 }
10512
10513 testresult = 1;
10514
10515end:
10516 SSL_free(serverssl);
10517 SSL_free(clientssl);
10518 SSL_CTX_free(sctx);
10519 SSL_CTX_free(cctx);
10520 return testresult;
10521}
f3f8e53c
MC		 10522
10523static size_t record_pad_cb(SSL *s, int type, size_t len, void *arg)
10524{
10525 int *called = arg;
10526
10527 switch ((*called)++) {
10528 case 0:
10529 /* Add some padding to first record */
10530 return 512;
10531 case 1:
10532 /* Maximally pad the second record */
10533 return SSL3_RT_MAX_PLAIN_LENGTH - len;
10534 case 2:
10535 /*
10536 * Exceeding the maximum padding should be fine. It should just pad to
10537 * the maximum anyway
10538 */
10539 return SSL3_RT_MAX_PLAIN_LENGTH + 1 - len;
10540 case 3:
10541 /*
10542 * Very large padding should also be ok. Should just pad to the maximum
10543 * allowed
10544 */
10545 return SIZE_MAX;
10546 default:
10547 return 0;
10548 }
10549}
10550
10551/*
10552 * Test that setting record padding in TLSv1.3 works as expected
10553 * Test 0: Record padding callback on the SSL_CTX
10554 * Test 1: Record padding callback on the SSL
10555 * Test 2: Record block padding on the SSL_CTX
10556 * Test 3: Record block padding on the SSL
10557 */
10558static int test_tls13_record_padding(int idx)
10559{
10560 SSL_CTX *cctx = NULL, *sctx = NULL;
10561 SSL *clientssl = NULL, *serverssl = NULL;
10562 int testresult = 0;
10563 char *msg = "Hello World";
10564 size_t written, readbytes;
10565 char buf[80];
10566 int i;
10567 int called = 0;
10568
10569 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10570 TLS_client_method(), TLS1_3_VERSION, 0,
10571 &sctx, &cctx, cert, privkey)))
10572 goto end;
10573
10574 if (idx == 0) {
10575 SSL_CTX_set_record_padding_callback(cctx, record_pad_cb);
10576 SSL_CTX_set_record_padding_callback_arg(cctx, &called);
10577 if (!TEST_ptr_eq(SSL_CTX_get_record_padding_callback_arg(cctx), &called))
10578 goto end;
10579 } else if (idx == 2) {
10580 /* Exceeding the max plain length should fail */
10581 if (!TEST_false(SSL_CTX_set_block_padding(cctx,
10582 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10583 goto end;
10584 if (!TEST_true(SSL_CTX_set_block_padding(cctx, 512)))
10585 goto end;
10586 }
10587
10588 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10589 &clientssl, NULL, NULL)))
10590 goto end;
10591
10592 if (idx == 1) {
10593 SSL_set_record_padding_callback(clientssl, record_pad_cb);
10594 SSL_set_record_padding_callback_arg(clientssl, &called);
10595 if (!TEST_ptr_eq(SSL_get_record_padding_callback_arg(clientssl), &called))
10596 goto end;
10597 } else if (idx == 3) {
10598 /* Exceeding the max plain length should fail */
10599 if (!TEST_false(SSL_set_block_padding(clientssl,
10600 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10601 goto end;
10602 if (!TEST_true(SSL_set_block_padding(clientssl, 512)))
10603 goto end;
10604 }
10605
10606 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10607 goto end;
10608
10609 called = 0;
10610 /*
10611 * Write some data, then check we can read it. Do this four times to check
10612 * we can continue to write and read padded data after the initial record
10613 * padding has been added. We don't actually check that the padding has
10614 * been applied to the record - just that we can continue to communicate
10615 * normally and that the callback has been called (if appropriate).
10616 */
10617 for (i = 0; i < 4; i++) {
10618 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10619 || !TEST_size_t_eq(written, strlen(msg)))
10620 goto end;
10621
10622 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10623 &readbytes))
10624 || !TEST_size_t_eq(written, readbytes))
10625 goto end;
10626
10627 buf[readbytes] = '\0';
10628 if (!TEST_str_eq(buf, msg))
10629 goto end;
10630 }
10631
10632 if ((idx == 0 || idx == 1) && !TEST_int_eq(called, 4))
10633 goto end;
10634
10635 testresult = 1;
10636end:
10637 SSL_free(serverssl);
10638 SSL_free(clientssl);
10639 SSL_CTX_free(sctx);
10640 SSL_CTX_free(cctx);
10641 return testresult;
10642}
f7565348
MC		 10643#endif /* OSSL_NO_USABLE_TLS1_3 */
10644
b718f6fc
MC		 10645#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
10646/*
10647 * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not
10648 * support this yet. The only pipeline capable cipher that we have is in the
10649 * dasync engine (providers don't support this yet), so we have to use
10650 * deprecated APIs for this test.
10651 *
10652 * Test 0: Client has pipelining enabled, server does not
10653 * Test 1: Server has pipelining enabled, client does not
10654 * Test 2: Client has pipelining enabled, server does not: not enough data to
10655 * fill all the pipelines
10656 * Test 3: Client has pipelining enabled, server does not: not enough data to
10657 * fill all the pipelines by more than a full pipeline's worth
10658 * Test 4: Client has pipelining enabled, server does not: more data than all
10659 * the available pipelines can take
10660 * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline
10661 */
10662static int test_pipelining(int idx)
10663{
10664 SSL_CTX *cctx = NULL, *sctx = NULL;
10665 SSL *clientssl = NULL, *serverssl = NULL, *peera, *peerb;
10666 int testresult = 0, numreads;
10667 /* A 55 byte message */
10668 unsigned char *msg = (unsigned char *)
10669 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123";
10670 size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5;
10671 size_t expectedreads;
10672 unsigned char *buf = NULL;
10673 ENGINE *e;
10674
10675 if (!TEST_ptr(e = ENGINE_by_id("dasync")))
10676 return 0;
10677
10678 if (!TEST_true(ENGINE_init(e))) {
10679 ENGINE_free(e);
10680 return 0;
10681 }
10682
10683 if (!TEST_true(ENGINE_register_ciphers(e)))
10684 goto end;
10685
10686 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10687 TLS_client_method(), 0,
10688 TLS1_2_VERSION, &sctx, &cctx, cert,
10689 privkey)))
10690 goto end;
10691
10692 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10693 &clientssl, NULL, NULL)))
10694 goto end;
10695
10696 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES128-SHA")))
10697 goto end;
10698
10699 /* peera is always configured for pipelining, while peerb is not. */
10700 if (idx == 1) {
10701 peera = serverssl;
10702 peerb = clientssl;
10703
10704 } else {
10705 peera = clientssl;
10706 peerb = serverssl;
10707 }
10708
10709 if (idx == 5) {
10710 numpipes = 2;
10711 /* Maximum allowed fragment size */
10712 fragsize = SSL3_RT_MAX_PLAIN_LENGTH;
10713 msglen = fragsize * numpipes;
10714 msg = OPENSSL_malloc(msglen);
10715 if (!TEST_ptr(msg))
10716 goto end;
10717 if (!TEST_int_gt(RAND_bytes_ex(libctx, msg, msglen, 0), 0))
10718 goto end;
10719 } else if (idx == 4) {
10720 msglen = 55;
10721 } else {
10722 msglen = 50;
10723 }
10724 if (idx == 2)
10725 msglen -= 2; /* Send 2 less bytes */
10726 else if (idx == 3)
10727 msglen -= 12; /* Send 12 less bytes */
10728
10729 buf = OPENSSL_malloc(msglen);
10730 if (!TEST_ptr(buf))
10731 goto end;
10732
10733 if (idx == 5) {
10734 /*
10735 * Test that setting a split send fragment longer than the maximum
10736 * allowed fails
10737 */
10738 if (!TEST_false(SSL_set_split_send_fragment(peera, fragsize + 1)))
10739 goto end;
10740 }
10741
10742 /*
10743 * In the normal case. We have 5 pipelines with 10 bytes per pipeline
10744 * (50 bytes in total). This is a ridiculously small number of bytes -
10745 * but sufficient for our purposes
10746 */
10747 if (!TEST_true(SSL_set_max_pipelines(peera, numpipes))
10748 || !TEST_true(SSL_set_split_send_fragment(peera, fragsize)))
10749 goto end;
10750
10751 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10752 goto end;
10753
10754 /* Write some data from peera to peerb */
10755 if (!TEST_true(SSL_write_ex(peera, msg, msglen, &written))
10756 || !TEST_size_t_eq(written, msglen))
10757 goto end;
10758
10759 /*
10760 * If the pipelining code worked, then we expect all |numpipes| pipelines to
10761 * have been used - except in test 3 where only |numpipes - 1| pipelines
10762 * will be used. This will result in |numpipes| records (|numpipes - 1| for
10763 * test 3) having been sent to peerb. Since peerb is not using read_ahead we
10764 * expect this to be read in |numpipes| or |numpipes - 1| separate
10765 * SSL_read_ex calls. In the case of test 4, there is then one additional
10766 * read for left over data that couldn't fit in the previous pipelines
10767 */
10768 for (offset = 0, numreads = 0;
10769 offset < msglen;
10770 offset += readbytes, numreads++) {
10771 if (!TEST_true(SSL_read_ex(peerb, buf + offset,
10772 msglen - offset, &readbytes)))
10773 goto end;
10774 }
10775
10776 expectedreads = idx == 4 ? numpipes + 1
10777 : (idx == 3 ? numpipes - 1 : numpipes);
10778 if (!TEST_mem_eq(msg, msglen, buf, offset)
10779 || !TEST_int_eq(numreads, expectedreads))
10780 goto end;
10781
10782 /*
10783 * Write some data from peerb to peera. We do this in up to |numpipes + 1|
10784 * chunks to exercise the read pipelining code on peera.
10785 */
10786 for (offset = 0; offset < msglen; offset += fragsize) {
10787 size_t sendlen = msglen - offset;
10788
10789 if (sendlen > fragsize)
10790 sendlen = fragsize;
10791 if (!TEST_true(SSL_write_ex(peerb, msg + offset, sendlen, &written))
10792 || !TEST_size_t_eq(written, sendlen))
10793 goto end;
10794 }
10795
10796 /*
10797 * The data was written in |numpipes|, |numpipes - 1| or |numpipes + 1|
10798 * separate chunks (depending on which test we are running). If the
10799 * pipelining is working then we expect peera to read up to numpipes chunks
10800 * and process them in parallel, giving back the complete result in a single
10801 * call to SSL_read_ex
10802 */
10803 if (!TEST_true(SSL_read_ex(peera, buf, msglen, &readbytes))
10804 || !TEST_size_t_le(readbytes, msglen))
10805 goto end;
10806
10807 if (idx == 4) {
10808 size_t readbytes2;
10809
10810 if (!TEST_true(SSL_read_ex(peera, buf + readbytes,
10811 msglen - readbytes, &readbytes2)))
10812 goto end;
10813 readbytes += readbytes2;
10814 if (!TEST_size_t_le(readbytes, msglen))
10815 goto end;
10816 }
10817
10818 if (!TEST_mem_eq(msg, msglen, buf, readbytes))
10819 goto end;
10820
10821 testresult = 1;
10822end:
10823 SSL_free(serverssl);
10824 SSL_free(clientssl);
10825 SSL_CTX_free(sctx);
10826 SSL_CTX_free(cctx);
10827 ENGINE_unregister_ciphers(e);
10828 ENGINE_finish(e);
10829 ENGINE_free(e);
10830 OPENSSL_free(buf);
10831 if (idx == 5)
10832 OPENSSL_free(msg);
10833 return testresult;
10834}
10835#endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */
10836
843f6e27
MC		 10837static int check_version_string(SSL *s, int version)
10838{
10839 const char *verstr = NULL;
10840
10841 switch (version) {
10842 case SSL3_VERSION:
10843 verstr = "SSLv3";
10844 break;
10845 case TLS1_VERSION:
10846 verstr = "TLSv1";
10847 break;
10848 case TLS1_1_VERSION:
10849 verstr = "TLSv1.1";
10850 break;
10851 case TLS1_2_VERSION:
10852 verstr = "TLSv1.2";
10853 break;
10854 case TLS1_3_VERSION:
10855 verstr = "TLSv1.3";
10856 break;
10857 case DTLS1_VERSION:
10858 verstr = "DTLSv1";
10859 break;
10860 case DTLS1_2_VERSION:
10861 verstr = "DTLSv1.2";
10862 }
10863
10864 return TEST_str_eq(verstr, SSL_get_version(s));
10865}
10866
10867/*
10868 * Test that SSL_version, SSL_get_version, SSL_is_quic, SSL_is_tls and
10869 * SSL_is_dtls return the expected results for a (D)TLS connection. Compare with
10870 * test_version() in quicapitest.c which does the same thing for QUIC
10871 * connections.
10872 */
10873static int test_version(int idx)
10874{
10875 SSL_CTX *cctx = NULL, *sctx = NULL;
10876 SSL *clientssl = NULL, *serverssl = NULL;
10877 int testresult = 0, version;
10878 const SSL_METHOD *servmeth = TLS_server_method();
10879 const SSL_METHOD *clientmeth = TLS_client_method();
10880
10881 switch (idx) {
10882#if !defined(OPENSSL_NO_SSL3)
10883 case 0:
10884 version = SSL3_VERSION;
10885 break;
10886#endif
10887#if !defined(OPENSSL_NO_TLS1)
10888 case 1:
10889 version = TLS1_VERSION;
10890 break;
10891#endif
10892#if !defined(OPENSSL_NO_TLS1_2)
10893 case 2:
10894 version = TLS1_2_VERSION;
10895 break;
10896#endif
10897#if !defined(OSSL_NO_USABLE_TLS1_3)
10898 case 3:
10899 version = TLS1_3_VERSION;
10900 break;
10901#endif
10902#if !defined(OPENSSL_NO_DTLS1)
10903 case 4:
10904 version = DTLS1_VERSION;
10905 break;
10906#endif
10907#if !defined(OPENSSL_NO_DTLS1_2)
10908 case 5:
10909 version = DTLS1_2_VERSION;
10910 break;
10911#endif
10912 /*
10913 * NB we do not support QUIC in this test. That is covered by quicapitest.c
10914 * We also don't support DTLS1_BAD_VER since we have no server support for
10915 * that.
10916 */
10917 default:
10918 TEST_skip("Unsupported protocol version");
10919 return 1;
10920 }
10921
10922 if (is_fips
10923 && (version == SSL3_VERSION
10924 || version == TLS1_VERSION
10925 || version == DTLS1_VERSION)) {
10926 TEST_skip("Protocol version not supported with FIPS");
10927 return 1;
10928 }
10929
10930#if !defined(OPENSSL_NO_DTLS)
10931 if (version == DTLS1_VERSION || version == DTLS1_2_VERSION) {
10932 servmeth = DTLS_server_method();
10933 clientmeth = DTLS_client_method();
10934 }
10935#endif
10936
10937 if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, version,
10938 version, &sctx, &cctx, cert, privkey)))
10939 goto end;
10940
10941 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
10942 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
10943 "DEFAULT:@SECLEVEL=0")))
10944 goto end;
10945
10946 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10947 &clientssl, NULL, NULL)))
10948 goto end;
10949
10950 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10951 goto end;
10952
10953 if (!TEST_int_eq(SSL_version(serverssl), version)
10954 || !TEST_int_eq(SSL_version(clientssl), version)
10955 || !TEST_true(check_version_string(serverssl, version))
10956 || !TEST_true(check_version_string(clientssl, version)))
10957 goto end;
10958
10959 if (version == DTLS1_VERSION || version == DTLS1_2_VERSION) {
10960 if (!TEST_true(SSL_is_dtls(serverssl))
10961 || !TEST_true(SSL_is_dtls(clientssl))
10962 || !TEST_false(SSL_is_tls(serverssl))
10963 || !TEST_false(SSL_is_tls(clientssl))
10964 || !TEST_false(SSL_is_quic(serverssl))
10965 || !TEST_false(SSL_is_quic(clientssl)))
10966 goto end;
10967 } else {
10968 if (!TEST_true(SSL_is_tls(serverssl))
10969 || !TEST_true(SSL_is_tls(clientssl))
10970 || !TEST_false(SSL_is_dtls(serverssl))
10971 || !TEST_false(SSL_is_dtls(clientssl))
10972 || !TEST_false(SSL_is_quic(serverssl))
10973 || !TEST_false(SSL_is_quic(clientssl)))
10974 goto end;
10975 }
10976
10977 testresult = 1;
10978end:
10979 SSL_free(serverssl);
10980 SSL_free(clientssl);
10981 SSL_CTX_free(sctx);
10982 SSL_CTX_free(cctx);
10983 return testresult;
10984}
10985
79ee0172
MC		 10986/*
10987 * Test that the SSL_rstate_string*() APIs return sane results
10988 */
10989static int test_rstate_string(void)
10990{
10991 SSL_CTX *cctx = NULL, *sctx = NULL;
10992 SSL *clientssl = NULL, *serverssl = NULL;
10993 int testresult = 0, version;
10994 const SSL_METHOD *servmeth = TLS_server_method();
10995 const SSL_METHOD *clientmeth = TLS_client_method();
10996 size_t written, readbytes;
10997 unsigned char buf[2];
10998 unsigned char dummyheader[SSL3_RT_HEADER_LENGTH] = {
10999 SSL3_RT_APPLICATION_DATA,
11000 TLS1_2_VERSION_MAJOR,
11001 0, /* To be filled in later */
11002 0,
11003 1
11004 };
11005
11006 if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, 0,
11007 0, &sctx, &cctx, cert, privkey)))
11008 goto end;
11009
11010 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11011 &clientssl, NULL, NULL)))
11012 goto end;
11013
11014 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
11015 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
11016 goto end;
11017
11018 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11019 goto end;
11020
11021 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
11022 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
11023 goto end;
11024
11025 /* Fill in the correct version for the record header */
11026 version = SSL_version(serverssl);
11027 if (version == TLS1_3_VERSION)
11028 version = TLS1_2_VERSION;
11029 dummyheader[2] = version & 0xff;
11030
11031 /*
11032 * Send a dummy header. If we continued to read the body as well this
11033 * would fail with a bad record mac, but we're not going to go that far.
11034 */
11035 if (!TEST_true(BIO_write_ex(SSL_get_rbio(serverssl), dummyheader,
11036 sizeof(dummyheader), &written))
11037 || !TEST_size_t_eq(written, SSL3_RT_HEADER_LENGTH))
11038 goto end;
11039
11040 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)))
11041 goto end;
11042
11043 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RB")
11044 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read body"))
11045 goto end;
11046
11047 testresult = 1;
11048end:
11049 SSL_free(serverssl);
11050 SSL_free(clientssl);
11051 SSL_CTX_free(sctx);
11052 SSL_CTX_free(cctx);
11053 return testresult;
11054}
11055
b2b8d188 11056OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
a43ce58f 11057
ad887416 11058int setup_tests(void)
2cb4b5f6 11059{
5e30f2fd
MC		 11060 char *modulename;
11061 char *configfile;
11062
b4250010 11063 libctx = OSSL_LIB_CTX_new();
5e30f2fd
MC		 11064 if (!TEST_ptr(libctx))
11065 return 0;
11066
11067 defctxnull = OSSL_PROVIDER_load(NULL, "null");
11068
11069 /*
11070 * Verify that the default and fips providers in the default libctx are not
11071 * available
11072 */
11073 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
11074 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
11075 return 0;
11076
8d242823
MC		 11077 if (!test_skip_common_options()) {
11078 TEST_error("Error parsing test options\n");
11079 return 0;
11080 }
11081
1a2a3a42
MC		 11082 if (!TEST_ptr(certsdir = test_get_argument(0))
11083 || !TEST_ptr(srpvfile = test_get_argument(1))
5e30f2fd
MC		 11084 || !TEST_ptr(tmpfilename = test_get_argument(2))
11085 || !TEST_ptr(modulename = test_get_argument(3))
b2b8d188
DF		 11086 || !TEST_ptr(configfile = test_get_argument(4))
11087 || !TEST_ptr(dhfile = test_get_argument(5)))
5e30f2fd
MC		 11088 return 0;
11089
b4250010 11090 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
5e30f2fd
MC		 11091 return 0;
11092
11093 /* Check we have the expected provider available */
11094 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
11095 return 0;
11096
11097 /* Check the default provider is not available */
11098 if (strcmp(modulename, "default") != 0
11099 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
710756a9 11100 return 0;
2cb4b5f6 11101
50ea5cdc 11102 if (strcmp(modulename, "fips") == 0) {
11103 OSSL_PROVIDER *prov = NULL;
11104 OSSL_PARAM params[2];
11105
4f6c7044
MC		 11106 is_fips = 1;
11107
50ea5cdc 11108 prov = OSSL_PROVIDER_load(libctx, "fips");
11109 if (prov != NULL) {
11110 /* Query the fips provider to check if the check ems option is enabled */
11111 params[0] =
11112 OSSL_PARAM_construct_int(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK,
11113 &fips_ems_check);
11114 params[1] = OSSL_PARAM_construct_end();
11115 OSSL_PROVIDER_get_params(prov, params);
11116 OSSL_PROVIDER_unload(prov);
11117 }
11118 }
11119
0c13cdf8
MC		 11120 /*
11121 * We add, but don't load the test "tls-provider". We'll load it when we
11122 * need it.
11123 */
11124 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
11125 tls_provider_init)))
11126 return 0;
11127
11128
f297e4ec
RS		 11129 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
11130#ifdef OPENSSL_NO_CRYPTO_MDEBUG
11131 TEST_error("not supported in this build");
11132 return 0;
11133#else
11134 int i, mcount, rcount, fcount;
11135
11136 for (i = 0; i < 4; i++)
11137 test_export_key_mat(i);
11138 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
11139 test_printf_stdout("malloc %d realloc %d free %d\n",
11140 mcount, rcount, fcount);
11141 return 1;
11142#endif
11143 }
11144
1a2a3a42
MC		 11145 cert = test_mk_file_path(certsdir, "servercert.pem");
11146 if (cert == NULL)
b3842539 11147 goto err;
1a2a3a42
MC		 11148
11149 privkey = test_mk_file_path(certsdir, "serverkey.pem");
b3842539
MC		 11150 if (privkey == NULL)
11151 goto err;
11152
11153 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
11154 if (cert2 == NULL)
11155 goto err;
11156
11157 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
11158 if (privkey2 == NULL)
11159 goto err;
1a2a3a42 11160
3105d846
MC		 11161 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
11162 if (cert1024 == NULL)
11163 goto err;
11164
11165 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
11166 if (privkey1024 == NULL)
11167 goto err;
11168
11169 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
11170 if (cert3072 == NULL)
11171 goto err;
11172
11173 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
11174 if (privkey3072 == NULL)
11175 goto err;
11176
11177 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
11178 if (cert4096 == NULL)
11179 goto err;
11180
11181 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
11182 if (privkey4096 == NULL)
11183 goto err;
11184
11185 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
11186 if (cert8192 == NULL)
11187 goto err;
11188
11189 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
11190 if (privkey8192 == NULL)
11191 goto err;
11192
50ea5cdc 11193 if (fips_ems_check) {
11194#ifndef OPENSSL_NO_TLS1_2
11195 ADD_TEST(test_no_ems);
11196#endif
11197 return 1;
11198 }
da4db160 11199#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
a763ca11 11200# if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
e1fdd526 11201 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
cd715b7e 11202 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS * 2);
c8e3a4c6 11203# endif
fe5d9450 11204#endif
84d5549e 11205 ADD_TEST(test_large_message_tls);
7856332e 11206 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 11207#ifndef OPENSSL_NO_DTLS
84d5549e 11208 ADD_TEST(test_large_message_dtls);
55386bef 11209#endif
2fda45d5 11210 ADD_ALL_TESTS(test_large_app_data, 28);
163b8016 11211 ADD_TEST(test_cleanse_plaintext);
8f8c11d8 11212#ifndef OPENSSL_NO_OCSP
c887104f 11213 ADD_TEST(test_tlsext_status_type);
8f8c11d8 11214#endif
eaa776da
MC		 11215 ADD_TEST(test_session_with_only_int_cache);
11216 ADD_TEST(test_session_with_only_ext_cache);
11217 ADD_TEST(test_session_with_both_cache);
90fc2c26 11218 ADD_TEST(test_session_wo_ca_names);
a763ca11 11219#ifndef OSSL_NO_USABLE_TLS1_3
04d7814a
MC		 11220 ADD_ALL_TESTS(test_stateful_tickets, 3);
11221 ADD_ALL_TESTS(test_stateless_tickets, 3);
8614a4eb 11222 ADD_TEST(test_psk_tickets);
f0049b86 11223 ADD_ALL_TESTS(test_extra_tickets, 6);
36ff232c 11224#endif
7fb4c820 11225 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 11226 ADD_TEST(test_ssl_bio_pop_next_bio);
11227 ADD_TEST(test_ssl_bio_pop_ssl_bio);
11228 ADD_TEST(test_ssl_bio_change_rbio);
11229 ADD_TEST(test_ssl_bio_change_wbio);
a763ca11 11230#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
f1b25aae 11231 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 11232 ADD_TEST(test_keylog);
c423ecaa 11233#endif
a763ca11 11234#ifndef OSSL_NO_USABLE_TLS1_3
6acdd3e5
CB		 11235 ADD_TEST(test_keylog_no_master_key);
11236#endif
0c3eb279 11237 ADD_TEST(test_client_cert_verify_cb);
4e4ae840
SL		 11238 ADD_TEST(test_ssl_build_cert_chain);
11239 ADD_TEST(test_ssl_ctx_build_cert_chain);
e9ee6536 11240#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 11241 ADD_TEST(test_client_hello_cb);
088dfa13 11242 ADD_TEST(test_no_ems);
3cd14e5e 11243 ADD_TEST(test_ccs_change_cipher);
5f982038 11244#endif
a763ca11 11245#ifndef OSSL_NO_USABLE_TLS1_3
10836921 11246 ADD_ALL_TESTS(test_early_data_read_write, 6);
78fb5374
MC		 11247 /*
11248 * We don't do replay tests for external PSK. Replay protection isn't used
11249 * in that scenario.
11250 */
11251 ADD_ALL_TESTS(test_early_data_replay, 2);
10836921
MC		 11252 ADD_ALL_TESTS(test_early_data_skip, OSSL_NELEM(ciphersuites) * 3);
11253 ADD_ALL_TESTS(test_early_data_skip_hrr, OSSL_NELEM(ciphersuites) * 3);
11254 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, OSSL_NELEM(ciphersuites) * 3);
11255 ADD_ALL_TESTS(test_early_data_skip_abort, OSSL_NELEM(ciphersuites) * 3);
02a3ed5a 11256 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 11257 ADD_ALL_TESTS(test_early_data_psk, 8);
0b2b0be9 11258 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
02a3ed5a 11259 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 11260# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 11261 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 11262# endif
e9ee6536 11263#endif
a763ca11 11264#ifndef OSSL_NO_USABLE_TLS1_3
034cb87b 11265 ADD_ALL_TESTS(test_set_ciphersuite, 10);
ca0413ae 11266 ADD_TEST(test_ciphersuite_change);
5bf2eade 11267 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
11268# ifdef OPENSSL_NO_PSK
c2b290c3 11269 ADD_ALL_TESTS(test_tls13_psk, 1);
5bf2eade 11270# else
0d8da779 11271 ADD_ALL_TESTS(test_tls13_psk, 4);
5bf2eade 11272# endif /* OPENSSL_NO_PSK */
11273# ifndef OPENSSL_NO_TLS1_2
11274 /* Test with both TLSv1.3 and 1.2 versions */
db26ec80 11275 ADD_ALL_TESTS(test_key_exchange, 14);
6dc56df2
BK		 11276# if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
11277 ADD_ALL_TESTS(test_negotiated_group,
11278 4 * (OSSL_NELEM(ecdhe_kexch_groups)
11279 + OSSL_NELEM(ffdhe_kexch_groups)));
11280# endif
5bf2eade 11281# else
11282 /* Test with only TLSv1.3 versions */
11283 ADD_ALL_TESTS(test_key_exchange, 12);
11284# endif
0db3a990 11285 ADD_ALL_TESTS(test_custom_exts, 6);
c7b8ff25 11286 ADD_TEST(test_stateless);
9d75dce3 11287 ADD_TEST(test_pha_key_update);
a273157a 11288#else
bb01ef3f 11289 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 11290#endif
0fb2815b 11291 ADD_ALL_TESTS(test_export_key_mat, 6);
a763ca11 11292#ifndef OSSL_NO_USABLE_TLS1_3
b38ede80 11293 ADD_ALL_TESTS(test_export_key_mat_early, 3);
3409a5ff 11294 ADD_TEST(test_key_update);
0c48fda8 11295 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
11296 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
11297 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
11298 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
b38ede80 11299#endif
e11b6aa4 11300 ADD_ALL_TESTS(test_ssl_clear, 2);
cf72c757 11301 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
76fd7a1d
MC		 11302#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
11303 ADD_ALL_TESTS(test_srp, 6);
11304#endif
b67cb09f
TS		 11305#if !defined(OPENSSL_NO_COMP_ALG)
11306 /* Add compression case */
11307 ADD_ALL_TESTS(test_info_callback, 8);
11308#else
5718fe45 11309 ADD_ALL_TESTS(test_info_callback, 6);
b67cb09f 11310#endif
4a432af8 11311 ADD_ALL_TESTS(test_ssl_pending, 2);
e401389a 11312 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
3b7a3241 11313 ADD_ALL_TESTS(test_ticket_callbacks, 20);
57d7b988 11314 ADD_ALL_TESTS(test_shutdown, 7);
cbf965b4 11315 ADD_TEST(test_async_shutdown);
e638112e 11316 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
1a2a3a42 11317 ADD_ALL_TESTS(test_cert_cb, 6);
6e46c065 11318 ADD_ALL_TESTS(test_client_cert_cb, 2);
fb8c8359 11319 ADD_ALL_TESTS(test_ca_names, 3);
0d2bfe52
SL		 11320#ifndef OPENSSL_NO_TLS1_2
11321 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
11322#endif
49ef3d07 11323 ADD_ALL_TESTS(test_servername, 10);
b1fdbc68 11324#if !defined(OPENSSL_NO_EC) \
a763ca11 11325 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b3842539 11326 ADD_ALL_TESTS(test_sigalgs_available, 6);
0c13cdf8
MC		 11327#endif
11328#ifndef OPENSSL_NO_TLS1_3
c8e3a4c6 11329 ADD_ALL_TESTS(test_pluggable_group, 2);
3c95ef22 11330 ADD_ALL_TESTS(test_pluggable_signature, 4);
49a36a52
MC		 11331#endif
11332#ifndef OPENSSL_NO_TLS1_2
11333 ADD_TEST(test_ssl_dup);
33c39a06
MC		 11334# ifndef OPENSSL_NO_DH
11335 ADD_ALL_TESTS(test_set_tmp_dh, 11);
3105d846 11336 ADD_ALL_TESTS(test_dh_auto, 7);
33c39a06 11337# endif
6582661f 11338#endif
a763ca11 11339#ifndef OSSL_NO_USABLE_TLS1_3
6582661f 11340 ADD_TEST(test_sni_tls13);
0089cc7f 11341 ADD_ALL_TESTS(test_ticket_lifetime, 2);
b3842539 11342#endif
dfccfde0 11343 ADD_TEST(test_inherit_verify_param);
feba11cf 11344 ADD_TEST(test_set_alpn);
948cf521
HL		 11345 ADD_TEST(test_set_verify_cert_store_ssl_ctx);
11346 ADD_TEST(test_set_verify_cert_store_ssl);
25959e04 11347 ADD_ALL_TESTS(test_session_timeout, 1);
b2b8d188 11348 ADD_TEST(test_load_dhfile);
f7565348
MC		 11349#ifndef OSSL_NO_USABLE_TLS1_3
11350 ADD_TEST(test_read_ahead_key_change);
f3f8e53c 11351 ADD_ALL_TESTS(test_tls13_record_padding, 4);
555dd939
DF		 11352#endif
11353#if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
11354 ADD_ALL_TESTS(test_serverinfo_custom, 4);
b718f6fc
MC		 11355#endif
11356#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
11357 ADD_ALL_TESTS(test_pipelining, 6);
f7565348 11358#endif
843f6e27 11359 ADD_ALL_TESTS(test_version, 6);
79ee0172 11360 ADD_TEST(test_rstate_string);
ad887416 11361 return 1;
b3842539
MC		 11362
11363 err:
11364 OPENSSL_free(cert);
11365 OPENSSL_free(privkey);
11366 OPENSSL_free(cert2);
11367 OPENSSL_free(privkey2);
11368 return 0;
ad887416 11369}
2cb4b5f6 11370
ad887416
P		 11371void cleanup_tests(void)
11372{
8778f0eb 11373# if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
33c39a06
MC		 11374 EVP_PKEY_free(tmp_dh_params);
11375#endif
1a2a3a42
MC		 11376 OPENSSL_free(cert);
11377 OPENSSL_free(privkey);
b3842539
MC		 11378 OPENSSL_free(cert2);
11379 OPENSSL_free(privkey2);
3105d846
MC		 11380 OPENSSL_free(cert1024);
11381 OPENSSL_free(privkey1024);
11382 OPENSSL_free(cert3072);
11383 OPENSSL_free(privkey3072);
11384 OPENSSL_free(cert4096);
11385 OPENSSL_free(privkey4096);
11386 OPENSSL_free(cert8192);
11387 OPENSSL_free(privkey8192);
fa454945 11388 bio_s_mempacket_test_free();
a77b4dba 11389 bio_s_always_retry_free();
5e30f2fd 11390 OSSL_PROVIDER_unload(defctxnull);
b4250010 11391 OSSL_LIB_CTX_free(libctx);
2cb4b5f6 11392}
A mirror of the official openssl repository