]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Remove spurious error queue entries on early data
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
fecb3aae 2 * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6 3 *
909f1a2e 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
2cb4b5f6
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
a76ce286
P		 10/*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14#ifndef OPENSSL_NO_DEPRECATED_3_0
15# define OPENSSL_SUPPRESS_DEPRECATED
16#endif
17
7c3a7561 18#include <stdio.h>
ba881d3b
MC		 19#include <string.h>
20
2cb4b5f6
MC		 21#include <openssl/opensslconf.h>
22#include <openssl/bio.h>
23#include <openssl/crypto.h>
24#include <openssl/ssl.h>
ba881d3b 25#include <openssl/ocsp.h>
76fd7a1d
MC		 26#include <openssl/srp.h>
27#include <openssl/txt_db.h>
d0191fe0 28#include <openssl/aes.h>
7c3a7561 29#include <openssl/rand.h>
a76ce286 30#include <openssl/core_names.h>
23c48d94 31#include <openssl/core_dispatch.h>
5e30f2fd 32#include <openssl/provider.h>
33c39a06 33#include <openssl/param_build.h>
dfccfde0 34#include <openssl/x509v3.h>
92d7120c 35#include <openssl/dh.h>
b718f6fc 36#include <openssl/engine.h>
2cb4b5f6 37
20f8bc72 38#include "helpers/ssltestlib.h"
c887104f 39#include "testutil.h"
f297e4ec 40#include "testutil/output.h"
176db6dc 41#include "internal/nelem.h"
fe5d9450 42#include "internal/ktls.h"
706457b7 43#include "../ssl/ssl_local.h"
0755722c 44#include "../ssl/record/methods/recmethod_local.h"
b0001d0c 45#include "filterprov.h"
2cb4b5f6 46
a763ca11
MC		 47#undef OSSL_NO_USABLE_TLS1_3
48#if defined(OPENSSL_NO_TLS1_3) \
49 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
50/*
51 * If we don't have ec or dh then there are no built-in groups that are usable
52 * with TLSv1.3
53 */
54# define OSSL_NO_USABLE_TLS1_3
55#endif
56
0c13cdf8
MC		 57/* Defined in tls-provider.c */
58int tls_provider_init(const OSSL_CORE_HANDLE *handle,
59 const OSSL_DISPATCH *in,
60 const OSSL_DISPATCH **out,
61 void **provctx);
852c2ed2 62
b4250010 63static OSSL_LIB_CTX *libctx = NULL;
5e30f2fd
MC		 64static OSSL_PROVIDER *defctxnull = NULL;
65
a763ca11 66#ifndef OSSL_NO_USABLE_TLS1_3
8614a4eb
MC		 67
68static SSL_SESSION *clientpsk = NULL;
69static SSL_SESSION *serverpsk = NULL;
70static const char *pskid = "Identity";
71static const char *srvid;
72
73static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
74 size_t *idlen, SSL_SESSION **sess);
75static int find_session_cb(SSL *ssl, const unsigned char *identity,
76 size_t identity_len, SSL_SESSION **sess);
77
78static int use_session_cb_cnt = 0;
79static int find_session_cb_cnt = 0;
80
81static SSL_SESSION *create_a_psk(SSL *ssl);
82#endif
83
1a2a3a42 84static char *certsdir = NULL;
2cb4b5f6
MC		 85static char *cert = NULL;
86static char *privkey = NULL;
b3842539
MC		 87static char *cert2 = NULL;
88static char *privkey2 = NULL;
3105d846
MC		 89static char *cert1024 = NULL;
90static char *privkey1024 = NULL;
91static char *cert3072 = NULL;
92static char *privkey3072 = NULL;
93static char *cert4096 = NULL;
94static char *privkey4096 = NULL;
95static char *cert8192 = NULL;
96static char *privkey8192 = NULL;
76fd7a1d
MC		 97static char *srpvfile = NULL;
98static char *tmpfilename = NULL;
b2b8d188 99static char *dhfile = NULL;
2cb4b5f6 100
4f6c7044
MC		 101static int is_fips = 0;
102
cffe973c 103#define LOG_BUFFER_SIZE 2048
6acdd3e5 104static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 105static size_t server_log_buffer_index = 0;
6acdd3e5 106static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 107static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 108static int error_writing_log = 0;
109
8f8c11d8 110#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 111static const unsigned char orespder[] = "Dummy OCSP Response";
112static int ocsp_server_called = 0;
113static int ocsp_client_called = 0;
114
115static int cdummyarg = 1;
116static X509 *ocspcert = NULL;
8f8c11d8 117#endif
ba881d3b 118
84d5549e 119#define NUM_EXTRA_CERTS 40
cf72c757 120#define CLIENT_VERSION_LEN 2
84d5549e 121
f1a5939f
CB		 122/*
123 * This structure is used to validate that the correct number of log messages
124 * of various types are emitted when emitting secret logs.
125 */
126struct sslapitest_log_counts {
127 unsigned int rsa_key_exchange_count;
128 unsigned int master_secret_count;
cffe973c 129 unsigned int client_early_secret_count;
f1a5939f
CB		 130 unsigned int client_handshake_secret_count;
131 unsigned int server_handshake_secret_count;
132 unsigned int client_application_secret_count;
133 unsigned int server_application_secret_count;
01a2a654 134 unsigned int early_exporter_secret_count;
6329ce8f 135 unsigned int exporter_secret_count;
f1a5939f
CB		 136};
137
16afd71c 138
104a733d
MC		 139static int hostname_cb(SSL *s, int *al, void *arg)
140{
141 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
142
143 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
144 || strcmp(hostname, "altgoodhost") == 0))
145 return SSL_TLSEXT_ERR_OK;
146
147 return SSL_TLSEXT_ERR_NOACK;
148}
149
710756a9
RS		 150static void client_keylog_callback(const SSL *ssl, const char *line)
151{
6acdd3e5
CB		 152 int line_length = strlen(line);
153
154 /* If the log doesn't fit, error out. */
710756a9
RS		 155 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
156 TEST_info("Client log too full");
6acdd3e5
CB		 157 error_writing_log = 1;
158 return;
159 }
160
161 strcat(client_log_buffer, line);
162 client_log_buffer_index += line_length;
710756a9 163 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 164}
165
710756a9
RS		 166static void server_keylog_callback(const SSL *ssl, const char *line)
167{
6acdd3e5
CB		 168 int line_length = strlen(line);
169
170 /* If the log doesn't fit, error out. */
710756a9 171 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 172 TEST_info("Server log too full");
6acdd3e5
CB		 173 error_writing_log = 1;
174 return;
175 }
176
177 strcat(server_log_buffer, line);
178 server_log_buffer_index += line_length;
710756a9 179 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 180}
181
182static int compare_hex_encoded_buffer(const char *hex_encoded,
183 size_t hex_length,
184 const uint8_t *raw,
710756a9
RS		 185 size_t raw_length)
186{
187 size_t i, j;
188 char hexed[3];
6acdd3e5 189
710756a9 190 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 191 return 1;
6acdd3e5 192
710756a9 193 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 194 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 195 if (!TEST_int_eq(hexed[0], hex_encoded[j])
196 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 197 return 1;
6acdd3e5
CB		 198 }
199
200 return 0;
201}
202
203static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 204 const SSL_SESSION *session,
710756a9
RS		 205 struct sslapitest_log_counts *expected)
206{
6acdd3e5
CB		 207 char *token = NULL;
208 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
209 size_t client_random_size = SSL3_RANDOM_SIZE;
210 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
211 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 212 unsigned int rsa_key_exchange_count = 0;
213 unsigned int master_secret_count = 0;
cffe973c 214 unsigned int client_early_secret_count = 0;
f1a5939f
CB		 215 unsigned int client_handshake_secret_count = 0;
216 unsigned int server_handshake_secret_count = 0;
217 unsigned int client_application_secret_count = 0;
218 unsigned int server_application_secret_count = 0;
01a2a654 219 unsigned int early_exporter_secret_count = 0;
6329ce8f 220 unsigned int exporter_secret_count = 0;
6acdd3e5 221
710756a9
RS		 222 for (token = strtok(buffer, " \n"); token != NULL;
223 token = strtok(NULL, " \n")) {
6acdd3e5 224 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 225 /*
226 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 227 * hex-encoded encrypted secret, then the hex-encoded pre-master
228 * secret.
229 */
710756a9 230 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 231 return 0;
710756a9 232 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 233 return 0;
710756a9 234 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 235 return 0;
f1a5939f
CB		 236 /*
237 * We can't sensibly check the log because the premaster secret is
238 * transient, and OpenSSL doesn't keep hold of it once the master
239 * secret is generated.
240 */
241 rsa_key_exchange_count++;
6acdd3e5 242 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 243 /*
244 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 245 * client random, then the hex-encoded master secret.
246 */
247 client_random_size = SSL_get_client_random(ssl,
248 actual_client_random,
249 SSL3_RANDOM_SIZE);
710756a9 250 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 251 return 0;
6acdd3e5 252
710756a9 253 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 254 return 0;
710756a9 255 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 256 return 0;
710756a9
RS		 257 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
258 actual_client_random,
259 client_random_size)))
f1a5939f 260 return 0;
6acdd3e5 261
710756a9 262 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 263 return 0;
6acdd3e5
CB		 264 master_key_size = SSL_SESSION_get_master_key(session,
265 actual_master_key,
266 master_key_size);
710756a9 267 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 268 return 0;
710756a9
RS		 269 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
270 actual_master_key,
271 master_key_size)))
f1a5939f 272 return 0;
f1a5939f 273 master_secret_count++;
cffe973c
PW		 274 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
275 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
710756a9
RS		 276 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
277 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
6329ce8f 278 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
01a2a654 279 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
6329ce8f 280 || strcmp(token, "EXPORTER_SECRET") == 0) {
f1a5939f
CB		 281 /*
282 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
283 * client random, and then the hex-encoded secret. In this case,
284 * we treat all of these secrets identically and then just
285 * distinguish between them when counting what we saw.
286 */
cffe973c
PW		 287 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
288 client_early_secret_count++;
289 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
f1a5939f
CB		 290 client_handshake_secret_count++;
291 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
292 server_handshake_secret_count++;
293 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
294 client_application_secret_count++;
295 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
296 server_application_secret_count++;
01a2a654
PW		 297 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
298 early_exporter_secret_count++;
6329ce8f
PW		 299 else if (strcmp(token, "EXPORTER_SECRET") == 0)
300 exporter_secret_count++;
f1a5939f
CB		 301
302 client_random_size = SSL_get_client_random(ssl,
303 actual_client_random,
304 SSL3_RANDOM_SIZE);
710756a9 305 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 306 return 0;
f1a5939f 307
710756a9 308 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 309 return 0;
710756a9 310 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 311 return 0;
710756a9
RS		 312 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
313 actual_client_random,
314 client_random_size)))
f1a5939f 315 return 0;
6acdd3e5 316
710756a9 317 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 318 return 0;
6acdd3e5 319 } else {
710756a9 320 TEST_info("Unexpected token %s\n", token);
f1a5939f 321 return 0;
6acdd3e5 322 }
6acdd3e5
CB		 323 }
324
710756a9
RS		 325 /* Got what we expected? */
326 if (!TEST_size_t_eq(rsa_key_exchange_count,
327 expected->rsa_key_exchange_count)
328 || !TEST_size_t_eq(master_secret_count,
329 expected->master_secret_count)
cffe973c
PW		 330 || !TEST_size_t_eq(client_early_secret_count,
331 expected->client_early_secret_count)
710756a9
RS		 332 || !TEST_size_t_eq(client_handshake_secret_count,
333 expected->client_handshake_secret_count)
334 || !TEST_size_t_eq(server_handshake_secret_count,
335 expected->server_handshake_secret_count)
336 || !TEST_size_t_eq(client_application_secret_count,
337 expected->client_application_secret_count)
338 || !TEST_size_t_eq(server_application_secret_count,
6329ce8f 339 expected->server_application_secret_count)
01a2a654
PW		 340 || !TEST_size_t_eq(early_exporter_secret_count,
341 expected->early_exporter_secret_count)
6329ce8f
PW		 342 || !TEST_size_t_eq(exporter_secret_count,
343 expected->exporter_secret_count))
710756a9
RS		 344 return 0;
345 return 1;
6acdd3e5
CB		 346}
347
a763ca11 348#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
710756a9
RS		 349static int test_keylog(void)
350{
6acdd3e5
CB		 351 SSL_CTX *cctx = NULL, *sctx = NULL;
352 SSL *clientssl = NULL, *serverssl = NULL;
353 int testresult = 0;
6fc1e624 354 struct sslapitest_log_counts expected;
6acdd3e5
CB		 355
356 /* Clean up logging space */
6fc1e624 357 memset(&expected, 0, sizeof(expected));
710756a9
RS		 358 memset(client_log_buffer, 0, sizeof(client_log_buffer));
359 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 360 client_log_buffer_index = 0;
361 server_log_buffer_index = 0;
362 error_writing_log = 0;
363
5e30f2fd 364 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
710756a9 365 TLS_client_method(),
5c587fb6 366 TLS1_VERSION, 0,
710756a9 367 &sctx, &cctx, cert, privkey)))
6acdd3e5 368 return 0;
6acdd3e5
CB		 369
370 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
371 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
372 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
373
f0deb4d3 374 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 375 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 376 goto end;
f0deb4d3 377
cf10df81
RS		 378 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
379 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 380 goto end;
6acdd3e5 381 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 382 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
383 == client_keylog_callback))
6acdd3e5 384 goto end;
710756a9 385 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 386 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
387 == server_keylog_callback))
6acdd3e5 388 goto end;
6acdd3e5 389
710756a9
RS		 390 /* Now do a handshake and check that the logs have been written to. */
391 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
392 &clientssl, NULL, NULL))
393 || !TEST_true(create_ssl_connection(serverssl, clientssl,
394 SSL_ERROR_NONE))
395 || !TEST_false(error_writing_log)
396 || !TEST_int_gt(client_log_buffer_index, 0)
397 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 398 goto end;
6acdd3e5 399
f1a5939f
CB		 400 /*
401 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 402 * do that by using strtok and confirming that we have more or less the
f1a5939f 403 * data we expect. For both client and server, we expect to see one master
a63fa5f7 404 * secret. The client should also see an RSA key exchange.
6acdd3e5 405 */
f1a5939f
CB		 406 expected.rsa_key_exchange_count = 1;
407 expected.master_secret_count = 1;
710756a9
RS		 408 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
409 SSL_get_session(clientssl), &expected)))
6acdd3e5 410 goto end;
f1a5939f
CB		 411
412 expected.rsa_key_exchange_count = 0;
710756a9
RS		 413 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
414 SSL_get_session(serverssl), &expected)))
6acdd3e5 415 goto end;
6acdd3e5
CB		 416
417 testresult = 1;
418
419end:
420 SSL_free(serverssl);
421 SSL_free(clientssl);
422 SSL_CTX_free(sctx);
423 SSL_CTX_free(cctx);
424
425 return testresult;
426}
c423ecaa 427#endif
6acdd3e5 428
a763ca11 429#ifndef OSSL_NO_USABLE_TLS1_3
710756a9
RS		 430static int test_keylog_no_master_key(void)
431{
6acdd3e5
CB		 432 SSL_CTX *cctx = NULL, *sctx = NULL;
433 SSL *clientssl = NULL, *serverssl = NULL;
cffe973c 434 SSL_SESSION *sess = NULL;
6acdd3e5 435 int testresult = 0;
6fc1e624 436 struct sslapitest_log_counts expected;
cffe973c
PW		 437 unsigned char buf[1];
438 size_t readbytes, written;
6acdd3e5
CB		 439
440 /* Clean up logging space */
6fc1e624 441 memset(&expected, 0, sizeof(expected));
710756a9
RS		 442 memset(client_log_buffer, 0, sizeof(client_log_buffer));
443 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 444 client_log_buffer_index = 0;
445 server_log_buffer_index = 0;
446 error_writing_log = 0;
447
5e30f2fd
MC		 448 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
449 TLS_client_method(), TLS1_VERSION, 0,
cffe973c
PW		 450 &sctx, &cctx, cert, privkey))
451 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
cffe973c 452 SSL3_RT_MAX_PLAIN_LENGTH)))
6acdd3e5 453 return 0;
6acdd3e5 454
cf10df81
RS		 455 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
456 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 457 goto end;
6acdd3e5
CB		 458
459 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 460 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
461 == client_keylog_callback))
6acdd3e5 462 goto end;
6acdd3e5 463
710756a9 464 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 465 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
466 == server_keylog_callback))
6acdd3e5 467 goto end;
6acdd3e5 468
710756a9
RS		 469 /* Now do a handshake and check that the logs have been written to. */
470 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
471 &clientssl, NULL, NULL))
472 || !TEST_true(create_ssl_connection(serverssl, clientssl,
473 SSL_ERROR_NONE))
474 || !TEST_false(error_writing_log))
6acdd3e5 475 goto end;
6acdd3e5 476
f1a5939f
CB		 477 /*
478 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 479 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 480 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 481 */
f1a5939f
CB		 482 expected.client_handshake_secret_count = 1;
483 expected.server_handshake_secret_count = 1;
484 expected.client_application_secret_count = 1;
485 expected.server_application_secret_count = 1;
6329ce8f 486 expected.exporter_secret_count = 1;
710756a9
RS		 487 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
488 SSL_get_session(clientssl), &expected))
489 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
490 SSL_get_session(serverssl),
491 &expected)))
6acdd3e5 492 goto end;
6acdd3e5 493
cffe973c
PW		 494 /* Terminate old session and resume with early data. */
495 sess = SSL_get1_session(clientssl);
496 SSL_shutdown(clientssl);
497 SSL_shutdown(serverssl);
498 SSL_free(serverssl);
499 SSL_free(clientssl);
500 serverssl = clientssl = NULL;
501
502 /* Reset key log */
503 memset(client_log_buffer, 0, sizeof(client_log_buffer));
504 memset(server_log_buffer, 0, sizeof(server_log_buffer));
505 client_log_buffer_index = 0;
506 server_log_buffer_index = 0;
507
508 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
509 &clientssl, NULL, NULL))
510 || !TEST_true(SSL_set_session(clientssl, sess))
511 /* Here writing 0 length early data is enough. */
512 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
513 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
514 &readbytes),
515 SSL_READ_EARLY_DATA_ERROR)
516 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
517 SSL_EARLY_DATA_ACCEPTED)
518 || !TEST_true(create_ssl_connection(serverssl, clientssl,
519 SSL_ERROR_NONE))
520 || !TEST_true(SSL_session_reused(clientssl)))
521 goto end;
522
523 /* In addition to the previous entries, expect early secrets. */
524 expected.client_early_secret_count = 1;
01a2a654 525 expected.early_exporter_secret_count = 1;
cffe973c
PW		 526 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
527 SSL_get_session(clientssl), &expected))
528 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
529 SSL_get_session(serverssl),
530 &expected)))
531 goto end;
532
6acdd3e5
CB		 533 testresult = 1;
534
535end:
cffe973c 536 SSL_SESSION_free(sess);
6acdd3e5
CB		 537 SSL_free(serverssl);
538 SSL_free(clientssl);
539 SSL_CTX_free(sctx);
540 SSL_CTX_free(cctx);
541
542 return testresult;
543}
544#endif
545
0c3eb279
DDO		 546static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
547{
548 int res = X509_verify_cert(ctx);
dfb39f73
TM		 549 int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
550 SSL *ssl;
551
552 /* this should not happen but check anyway */
553 if (idx < 0
554 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
555 return 0;
0c3eb279
DDO		 556
557 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
558 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
dfb39f73
TM		 559 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
560 return SSL_set_retry_verify(ssl);
561
0c3eb279
DDO		 562 return res;
563}
564
565static int test_client_cert_verify_cb(void)
566{
567 /* server key, cert, chain, and root */
568 char *skey = test_mk_file_path(certsdir, "leaf.key");
569 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
570 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
571 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
572 char *root = test_mk_file_path(certsdir, "rootCA.pem");
573 X509 *crt1 = NULL, *crt2 = NULL;
574 STACK_OF(X509) *server_chain;
575 SSL_CTX *cctx = NULL, *sctx = NULL;
576 SSL *clientssl = NULL, *serverssl = NULL;
577 int testresult = 0;
578
579 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
580 TLS_client_method(), TLS1_VERSION, 0,
581 &sctx, &cctx, NULL, NULL)))
582 goto end;
583 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
584 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
585 SSL_FILETYPE_PEM), 1)
586 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
587 goto end;
588 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
589 goto end;
590 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
591 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
592 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
593 &clientssl, NULL, NULL)))
594 goto end;
595
596 /* attempt SSL_connect() with incomplete server chain */
597 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
598 SSL_ERROR_WANT_RETRY_VERIFY)))
599 goto end;
600
601 /* application provides intermediate certs needed to verify server cert */
602 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
603 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
604 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
605 goto end;
606 /* add certs in reverse order to demonstrate real chain building */
607 if (!TEST_true(sk_X509_push(server_chain, crt1)))
608 goto end;
609 crt1 = NULL;
610 if (!TEST_true(sk_X509_push(server_chain, crt2)))
611 goto end;
612 crt2 = NULL;
613
614 /* continue SSL_connect(), must now succeed with completed server chain */
615 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
616 SSL_ERROR_NONE)))
617 goto end;
618
619 testresult = 1;
620
621end:
622 X509_free(crt1);
623 X509_free(crt2);
c38048e7
P		 624 if (clientssl != NULL) {
625 SSL_shutdown(clientssl);
626 SSL_free(clientssl);
627 }
628 if (serverssl != NULL) {
629 SSL_shutdown(serverssl);
630 SSL_free(serverssl);
631 }
0c3eb279
DDO		 632 SSL_CTX_free(sctx);
633 SSL_CTX_free(cctx);
634
635 OPENSSL_free(skey);
636 OPENSSL_free(leaf);
637 OPENSSL_free(int2);
638 OPENSSL_free(int1);
639 OPENSSL_free(root);
640
641 return testresult;
642}
643
4e4ae840
SL		 644static int test_ssl_build_cert_chain(void)
645{
646 int ret = 0;
647 SSL_CTX *ssl_ctx = NULL;
648 SSL *ssl = NULL;
649 char *skey = test_mk_file_path(certsdir, "leaf.key");
650 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
651
652 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
653 goto end;
654 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
655 goto end;
656 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
657 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
658 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
659 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
660 goto end;
661 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
662 | SSL_BUILD_CHAIN_FLAG_CHECK)))
663 goto end;
664 ret = 1;
665end:
666 SSL_free(ssl);
667 SSL_CTX_free(ssl_ctx);
668 OPENSSL_free(leaf_chain);
669 OPENSSL_free(skey);
670 return ret;
671}
672
c7debe81
TM		 673static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
674{
675 static const char pass[] = "testpass";
676
677 if (!TEST_int_eq(size, PEM_BUFSIZE))
678 return -1;
679
680 memcpy(buf, pass, sizeof(pass) - 1);
681 return sizeof(pass) - 1;
682}
683
4e4ae840
SL		 684static int test_ssl_ctx_build_cert_chain(void)
685{
686 int ret = 0;
687 SSL_CTX *ctx = NULL;
c7debe81 688 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
4e4ae840
SL		 689 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
690
691 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
692 goto end;
c7debe81 693 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
4e4ae840
SL		 694 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
695 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
696 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
697 SSL_FILETYPE_PEM), 1)
698 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
699 goto end;
700 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
701 | SSL_BUILD_CHAIN_FLAG_CHECK)))
702 goto end;
703 ret = 1;
704end:
705 SSL_CTX_free(ctx);
706 OPENSSL_free(leaf_chain);
707 OPENSSL_free(skey);
708 return ret;
709}
710
e9ee6536 711#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 712static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 713{
714 int *ctr = arg;
715 const unsigned char *p;
8ea404fb 716 int *exts;
2afaee51
BK		 717 /* We only configure two ciphers, but the SCSV is added automatically. */
718#ifdef OPENSSL_NO_EC
719 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
720#else
721 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
722 0x2c, 0x00, 0xff};
723#endif
8ea404fb
BK		 724 const int expected_extensions[] = {
725#ifndef OPENSSL_NO_EC
726 11, 10,
727#endif
10ed1b72 728 35, 22, 23, 13};
2afaee51
BK		 729 size_t len;
730
731 /* Make sure we can defer processing and get called back. */
732 if ((*ctr)++ == 0)
f1b97da1 733 return SSL_CLIENT_HELLO_RETRY;
2afaee51 734
a9c0d8be 735 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 736 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 737 || !TEST_size_t_eq(
738 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 739 || !TEST_int_eq(*p, 0))
f1b97da1 740 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 741 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 742 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 743 if (len != OSSL_NELEM(expected_extensions) ||
744 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 745 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 746 OPENSSL_free(exts);
f1b97da1 747 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 748 }
749 OPENSSL_free(exts);
f1b97da1 750 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 751}
752
a9c0d8be 753static int test_client_hello_cb(void)
710756a9 754{
2afaee51
BK		 755 SSL_CTX *cctx = NULL, *sctx = NULL;
756 SSL *clientssl = NULL, *serverssl = NULL;
757 int testctr = 0, testresult = 0;
758
5e30f2fd
MC		 759 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
760 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 761 &sctx, &cctx, cert, privkey)))
2afaee51 762 goto end;
a9c0d8be 763 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 764
2afaee51
BK		 765 /* The gimpy cipher list we configure can't do TLS 1.3. */
766 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 767
710756a9
RS		 768 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
769 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
770 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
771 &clientssl, NULL, NULL))
772 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 773 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 774 /*
775 * Passing a -1 literal is a hack since
776 * the real value was lost.
777 * */
a9c0d8be
DB		 778 || !TEST_int_eq(SSL_get_error(serverssl, -1),
779 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 780 || !TEST_true(create_ssl_connection(serverssl, clientssl,
781 SSL_ERROR_NONE)))
2afaee51 782 goto end;
2afaee51
BK		 783
784 testresult = 1;
785
088dfa13
TS		 786end:
787 SSL_free(serverssl);
788 SSL_free(clientssl);
789 SSL_CTX_free(sctx);
790 SSL_CTX_free(cctx);
791
792 return testresult;
793}
794
795static int test_no_ems(void)
796{
797 SSL_CTX *cctx = NULL, *sctx = NULL;
798 SSL *clientssl = NULL, *serverssl = NULL;
799 int testresult = 0;
800
5e30f2fd 801 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
088dfa13
TS		 802 TLS1_VERSION, TLS1_2_VERSION,
803 &sctx, &cctx, cert, privkey)) {
804 printf("Unable to create SSL_CTX pair\n");
805 goto end;
806 }
807
808 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
809
810 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
811 printf("Unable to create SSL objects\n");
812 goto end;
813 }
814
815 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
816 printf("Creating SSL connection failed\n");
817 goto end;
818 }
819
820 if (SSL_get_extms_support(serverssl)) {
821 printf("Server reports Extended Master Secret support\n");
822 goto end;
823 }
824
825 if (SSL_get_extms_support(clientssl)) {
826 printf("Client reports Extended Master Secret support\n");
827 goto end;
828 }
829 testresult = 1;
830
2afaee51
BK		 831end:
832 SSL_free(serverssl);
833 SSL_free(clientssl);
834 SSL_CTX_free(sctx);
835 SSL_CTX_free(cctx);
836
837 return testresult;
838}
839
3cd14e5e
BK		 840/*
841 * Very focused test to exercise a single case in the server-side state
842 * machine, when the ChangeCipherState message needs to actually change
843 * from one cipher to a different cipher (i.e., not changing from null
b3e6d666 844 * encryption to real encryption).
3cd14e5e
BK		 845 */
846static int test_ccs_change_cipher(void)
847{
848 SSL_CTX *cctx = NULL, *sctx = NULL;
849 SSL *clientssl = NULL, *serverssl = NULL;
850 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
851 int testresult = 0;
852 int i;
853 unsigned char buf;
854 size_t readbytes;
855
856 /*
e304aa87 857 * Create a connection so we can resume and potentially (but not) use
3cd14e5e
BK		 858 * a different cipher in the second connection.
859 */
5e30f2fd 860 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3cd14e5e
BK		 861 TLS_client_method(),
862 TLS1_VERSION, TLS1_2_VERSION,
863 &sctx, &cctx, cert, privkey))
864 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
865 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
866 NULL, NULL))
867 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
868 || !TEST_true(create_ssl_connection(serverssl, clientssl,
869 SSL_ERROR_NONE))
870 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
871 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
872 goto end;
873
874 shutdown_ssl_connection(serverssl, clientssl);
875 serverssl = clientssl = NULL;
876
877 /* Resume, preferring a different cipher. Our server will force the
878 * same cipher to be used as the initial handshake. */
879 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
880 NULL, NULL))
881 || !TEST_true(SSL_set_session(clientssl, sess))
882 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
883 || !TEST_true(create_ssl_connection(serverssl, clientssl,
884 SSL_ERROR_NONE))
885 || !TEST_true(SSL_session_reused(clientssl))
886 || !TEST_true(SSL_session_reused(serverssl))
887 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
888 || !TEST_ptr_eq(sesspre, sesspost)
889 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
890 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
891 goto end;
892 shutdown_ssl_connection(serverssl, clientssl);
893 serverssl = clientssl = NULL;
894
895 /*
896 * Now create a fresh connection and try to renegotiate a different
897 * cipher on it.
898 */
b3e6d666
BK		 899 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
900 NULL, NULL))
3cd14e5e
BK		 901 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
902 || !TEST_true(create_ssl_connection(serverssl, clientssl,
903 SSL_ERROR_NONE))
904 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
905 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
906 || !TEST_true(SSL_renegotiate(clientssl))
907 || !TEST_true(SSL_renegotiate_pending(clientssl)))
908 goto end;
909 /* Actually drive the renegotiation. */
910 for (i = 0; i < 3; i++) {
911 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
912 if (!TEST_ulong_eq(readbytes, 0))
913 goto end;
914 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
915 SSL_ERROR_WANT_READ)) {
916 goto end;
917 }
918 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
919 if (!TEST_ulong_eq(readbytes, 0))
920 goto end;
921 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
922 SSL_ERROR_WANT_READ)) {
923 goto end;
924 }
925 }
926 /* sesspre and sesspost should be different since the cipher changed. */
927 if (!TEST_false(SSL_renegotiate_pending(clientssl))
928 || !TEST_false(SSL_session_reused(clientssl))
929 || !TEST_false(SSL_session_reused(serverssl))
930 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
931 || !TEST_ptr_ne(sesspre, sesspost)
932 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
933 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
934 goto end;
935
936 shutdown_ssl_connection(serverssl, clientssl);
937 serverssl = clientssl = NULL;
938
939 testresult = 1;
940
941end:
942 SSL_free(serverssl);
943 SSL_free(clientssl);
944 SSL_CTX_free(sctx);
945 SSL_CTX_free(cctx);
946 SSL_SESSION_free(sess);
947
948 return testresult;
949}
fb121631 950#endif
3cd14e5e 951
84d5549e 952static int execute_test_large_message(const SSL_METHOD *smeth,
7d7f6834
RL		 953 const SSL_METHOD *cmeth,
954 int min_version, int max_version,
955 int read_ahead)
84d5549e
MC		 956{
957 SSL_CTX *cctx = NULL, *sctx = NULL;
958 SSL *clientssl = NULL, *serverssl = NULL;
959 int testresult = 0;
960 int i;
710756a9 961 BIO *certbio = NULL;
84d5549e
MC		 962 X509 *chaincert = NULL;
963 int certlen;
964
710756a9 965 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
84d5549e 966 goto end;
6725682d 967
d8652be0 968 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
6725682d
SL		 969 goto end;
970
971 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
972 goto end;
fa454945
MC		 973 BIO_free(certbio);
974 certbio = NULL;
84d5549e 975
5e30f2fd
MC		 976 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
977 max_version, &sctx, &cctx, cert,
978 privkey)))
84d5549e 979 goto end;
84d5549e 980
8ce390e1
MC		 981#ifdef OPENSSL_NO_DTLS1_2
982 if (smeth == DTLS_server_method()) {
983 /*
984 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
985 * level 0
986 */
987 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
988 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
989 "DEFAULT:@SECLEVEL=0")))
990 goto end;
991 }
992#endif
993
710756a9 994 if (read_ahead) {
7856332e
MC		 995 /*
996 * Test that read_ahead works correctly when dealing with large
997 * records
998 */
999 SSL_CTX_set_read_ahead(cctx, 1);
1000 }
1001
84d5549e
MC		 1002 /*
1003 * We assume the supplied certificate is big enough so that if we add
1004 * NUM_EXTRA_CERTS it will make the overall message large enough. The
1005 * default buffer size is requested to be 16k, but due to the way BUF_MEM
710756a9
RS		 1006 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
1007 * test we need to have a message larger than that.
84d5549e
MC		 1008 */
1009 certlen = i2d_X509(chaincert, NULL);
710756a9
RS		 1010 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
1011 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
84d5549e 1012 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
710756a9 1013 if (!X509_up_ref(chaincert))
84d5549e 1014 goto end;
84d5549e 1015 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
84d5549e
MC		 1016 X509_free(chaincert);
1017 goto end;
1018 }
1019 }
1020
710756a9
RS		 1021 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1022 NULL, NULL))
1023 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1024 SSL_ERROR_NONE)))
84d5549e 1025 goto end;
84d5549e 1026
4bf08600
MC		 1027 /*
1028 * Calling SSL_clear() first is not required but this tests that SSL_clear()
742ccab3 1029 * doesn't leak.
4bf08600 1030 */
710756a9 1031 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 1032 goto end;
84d5549e 1033
4bf08600 1034 testresult = 1;
84d5549e 1035 end:
6725682d 1036 BIO_free(certbio);
84d5549e
MC		 1037 X509_free(chaincert);
1038 SSL_free(serverssl);
1039 SSL_free(clientssl);
1040 SSL_CTX_free(sctx);
1041 SSL_CTX_free(cctx);
1042
1043 return testresult;
1044}
1045
da4db160 1046#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
a763ca11 1047 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
fe5d9450
BP		 1048/* sock must be connected */
1049static int ktls_chk_platform(int sock)
1050{
1051 if (!ktls_enable(sock))
1052 return 0;
1053 return 1;
1054}
1055
e1fdd526 1056static int ping_pong_query(SSL *clientssl, SSL *serverssl)
fe5d9450
BP		 1057{
1058 static char count = 1;
1059 unsigned char cbuf[16000] = {0};
1060 unsigned char sbuf[16000];
1061 size_t err = 0;
e1fdd526
JB		 1062 char crec_wseq_before[SEQ_NUM_SIZE];
1063 char crec_wseq_after[SEQ_NUM_SIZE];
1064 char crec_rseq_before[SEQ_NUM_SIZE];
1065 char crec_rseq_after[SEQ_NUM_SIZE];
1066 char srec_wseq_before[SEQ_NUM_SIZE];
1067 char srec_wseq_after[SEQ_NUM_SIZE];
1068 char srec_rseq_before[SEQ_NUM_SIZE];
1069 char srec_rseq_after[SEQ_NUM_SIZE];
38b051a1
TM		 1070 SSL_CONNECTION *clientsc, *serversc;
1071
1072 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1073 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1074 goto end;
fe5d9450
BP		 1075
1076 cbuf[0] = count++;
2c50d7fb
MC		 1077 memcpy(crec_wseq_before, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1078 memcpy(srec_wseq_before, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
cffafb5f 1079 memcpy(crec_rseq_before, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
cffafb5f 1080 memcpy(srec_rseq_before, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
fe5d9450
BP		 1081
1082 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1083 goto end;
1084
1085 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1086 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1087 goto end;
1088 }
1089 }
1090
1091 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1092 goto end;
1093
1094 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1095 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1096 goto end;
1097 }
1098 }
1099
2c50d7fb
MC		 1100 memcpy(crec_wseq_after, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1101 memcpy(srec_wseq_after, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
cffafb5f 1102 memcpy(crec_rseq_after, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
cffafb5f 1103 memcpy(srec_rseq_after, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
fe5d9450
BP		 1104
1105 /* verify the payload */
1106 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1107 goto end;
1108
e1fdd526
JB		 1109 /*
1110 * If ktls is used then kernel sequences are used instead of
1111 * OpenSSL sequences
1112 */
38b051a1 1113 if (!BIO_get_ktls_send(clientsc->wbio)) {
e1fdd526
JB		 1114 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1115 crec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1116 goto end;
1117 } else {
e1fdd526
JB		 1118 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1119 crec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1120 goto end;
1121 }
1122
38b051a1 1123 if (!BIO_get_ktls_send(serversc->wbio)) {
e1fdd526
JB		 1124 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1125 srec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1126 goto end;
1127 } else {
e1fdd526
JB		 1128 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1129 srec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1130 goto end;
1131 }
1132
38b051a1 1133 if (!BIO_get_ktls_recv(clientsc->wbio)) {
e1fdd526
JB		 1134 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1135 crec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1136 goto end;
1137 } else {
e1fdd526
JB		 1138 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1139 crec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1140 goto end;
1141 }
1142
38b051a1 1143 if (!BIO_get_ktls_recv(serversc->wbio)) {
e1fdd526
JB		 1144 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1145 srec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1146 goto end;
1147 } else {
e1fdd526
JB		 1148 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1149 srec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1150 goto end;
1151 }
fe5d9450
BP		 1152
1153 return 1;
1154end:
1155 return 0;
1156}
1157
a3a54179 1158static int execute_test_ktls(int cis_ktls, int sis_ktls,
e1fdd526 1159 int tls_version, const char *cipher)
fe5d9450
BP		 1160{
1161 SSL_CTX *cctx = NULL, *sctx = NULL;
1162 SSL *clientssl = NULL, *serverssl = NULL;
e1fdd526
JB		 1163 int ktls_used = 0, testresult = 0;
1164 int cfd = -1, sfd = -1;
1165 int rx_supported;
38b051a1 1166 SSL_CONNECTION *clientsc, *serversc;
fe5d9450
BP		 1167
1168 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
1169 goto end;
1170
1171 /* Skip this test if the platform does not support ktls */
e1fdd526
JB		 1172 if (!ktls_chk_platform(cfd)) {
1173 testresult = TEST_skip("Kernel does not support KTLS");
1174 goto end;
1175 }
fe5d9450 1176
a5d8a2f8
DB		 1177 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1178 testresult = TEST_skip("CHACHA is not supported in FIPS");
1179 goto end;
1180 }
1181
fe5d9450 1182 /* Create a session based on SHA-256 */
5e30f2fd 1183 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fe5d9450 1184 TLS_client_method(),
da4db160 1185 tls_version, tls_version,
e1fdd526
JB		 1186 &sctx, &cctx, cert, privkey)))
1187 goto end;
1188
1189 if (tls_version == TLS1_3_VERSION) {
1190 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1191 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1192 goto end;
1193 } else {
1194 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1195 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1196 goto end;
1197 }
1198
1199 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1200 &clientssl, sfd, cfd)))
fe5d9450
BP		 1201 goto end;
1202
38b051a1
TM		 1203 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1204 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1205 goto end;
1206
a3a54179
MC		 1207 if (cis_ktls) {
1208 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
fe5d9450
BP		 1209 goto end;
1210 }
1211
a3a54179 1212 if (sis_ktls) {
e1fdd526 1213 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
2fab79af
BP		 1214 goto end;
1215 }
1216
e1fdd526 1217 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
fe5d9450
BP		 1218 goto end;
1219
e1fdd526
JB		 1220 /*
1221 * The running kernel may not support a given cipher suite
1222 * or direction, so just check that KTLS isn't used when it
1223 * isn't enabled.
1224 */
a3a54179 1225 if (!cis_ktls) {
38b051a1 1226 if (!TEST_false(BIO_get_ktls_send(clientsc->wbio)))
fe5d9450
BP		 1227 goto end;
1228 } else {
38b051a1 1229 if (BIO_get_ktls_send(clientsc->wbio))
e1fdd526 1230 ktls_used = 1;
fe5d9450
BP		 1231 }
1232
a3a54179 1233 if (!sis_ktls) {
38b051a1 1234 if (!TEST_false(BIO_get_ktls_send(serversc->wbio)))
fe5d9450
BP		 1235 goto end;
1236 } else {
38b051a1 1237 if (BIO_get_ktls_send(serversc->wbio))
e1fdd526 1238 ktls_used = 1;
fe5d9450
BP		 1239 }
1240
a3a54179 1241#if defined(OPENSSL_NO_KTLS_RX)
e1fdd526
JB		 1242 rx_supported = 0;
1243#else
7c78932b 1244 rx_supported = 1;
a3a54179 1245#endif
e1fdd526 1246 if (!cis_ktls || !rx_supported) {
38b051a1 1247 if (!TEST_false(BIO_get_ktls_recv(clientsc->rbio)))
2fab79af
BP		 1248 goto end;
1249 } else {
38b051a1 1250 if (BIO_get_ktls_send(clientsc->rbio))
e1fdd526 1251 ktls_used = 1;
2fab79af
BP		 1252 }
1253
e1fdd526 1254 if (!sis_ktls || !rx_supported) {
38b051a1 1255 if (!TEST_false(BIO_get_ktls_recv(serversc->rbio)))
2fab79af
BP		 1256 goto end;
1257 } else {
38b051a1 1258 if (BIO_get_ktls_send(serversc->rbio))
e1fdd526
JB		 1259 ktls_used = 1;
1260 }
1261
1262 if ((cis_ktls || sis_ktls) && !ktls_used) {
1263 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1264 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1265 "TLS 1.2", cipher);
1266 goto end;
2fab79af
BP		 1267 }
1268
e1fdd526 1269 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
fe5d9450
BP		 1270 goto end;
1271
1272 testresult = 1;
1273end:
1274 if (clientssl) {
1275 SSL_shutdown(clientssl);
1276 SSL_free(clientssl);
1277 }
1278 if (serverssl) {
1279 SSL_shutdown(serverssl);
1280 SSL_free(serverssl);
1281 }
1282 SSL_CTX_free(sctx);
1283 SSL_CTX_free(cctx);
1284 serverssl = clientssl = NULL;
e1fdd526
JB		 1285 if (cfd != -1)
1286 close(cfd);
1287 if (sfd != -1)
1288 close(sfd);
fe5d9450
BP		 1289 return testresult;
1290}
1291
7c3a7561
BP		 1292#define SENDFILE_SZ (16 * 4096)
1293#define SENDFILE_CHUNK (4 * 4096)
1294#define min(a,b) ((a) > (b) ? (b) : (a))
1295
cd715b7e
MM		 1296static int execute_test_ktls_sendfile(int tls_version, const char *cipher,
1297 int zerocopy)
7c3a7561
BP		 1298{
1299 SSL_CTX *cctx = NULL, *sctx = NULL;
1300 SSL *clientssl = NULL, *serverssl = NULL;
1301 unsigned char *buf, *buf_dst;
1302 BIO *out = NULL, *in = NULL;
e1fdd526 1303 int cfd = -1, sfd = -1, ffd, err;
7c3a7561
BP		 1304 ssize_t chunk_size = 0;
1305 off_t chunk_off = 0;
1306 int testresult = 0;
1307 FILE *ffdp;
38b051a1 1308 SSL_CONNECTION *serversc;
7c3a7561
BP		 1309
1310 buf = OPENSSL_zalloc(SENDFILE_SZ);
1311 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1312 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1313 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1314 goto end;
1315
1316 /* Skip this test if the platform does not support ktls */
1317 if (!ktls_chk_platform(sfd)) {
e1fdd526 1318 testresult = TEST_skip("Kernel does not support KTLS");
7c3a7561
BP		 1319 goto end;
1320 }
1321
a5d8a2f8
DB		 1322 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1323 testresult = TEST_skip("CHACHA is not supported in FIPS");
1324 goto end;
1325 }
1326
7c3a7561 1327 /* Create a session based on SHA-256 */
5e30f2fd 1328 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7c3a7561 1329 TLS_client_method(),
da4db160 1330 tls_version, tls_version,
e1fdd526
JB		 1331 &sctx, &cctx, cert, privkey)))
1332 goto end;
1333
1334 if (tls_version == TLS1_3_VERSION) {
1335 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1336 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1337 goto end;
1338 } else {
1339 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1340 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1341 goto end;
1342 }
1343
1344 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1345 &clientssl, sfd, cfd)))
1346 goto end;
1347
38b051a1
TM		 1348 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1349 goto end;
1350
e1fdd526 1351 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
7c3a7561
BP		 1352 goto end;
1353
cd715b7e
MM		 1354 if (zerocopy) {
1355 if (!TEST_true(SSL_set_options(serverssl,
1356 SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE)))
1357 goto end;
1358 }
1359
7c3a7561 1360 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
e1fdd526 1361 SSL_ERROR_NONE)))
7c3a7561
BP		 1362 goto end;
1363
38b051a1 1364 if (!BIO_get_ktls_send(serversc->wbio)) {
e1fdd526
JB		 1365 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1366 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1367 "TLS 1.2", cipher);
1368 goto end;
1369 }
1370
c9007bda 1371 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
72c1e374
JB		 1372 goto end;
1373
7c3a7561
BP		 1374 out = BIO_new_file(tmpfilename, "wb");
1375 if (!TEST_ptr(out))
1376 goto end;
1377
1378 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1379 goto end;
1380
1381 BIO_free(out);
1382 out = NULL;
1383 in = BIO_new_file(tmpfilename, "rb");
1384 BIO_get_fp(in, &ffdp);
1385 ffd = fileno(ffdp);
1386
1387 while (chunk_off < SENDFILE_SZ) {
1388 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1389 while ((err = SSL_sendfile(serverssl,
1390 ffd,
1391 chunk_off,
1392 chunk_size,
1393 0)) != chunk_size) {
1394 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1395 goto end;
1396 }
1397 while ((err = SSL_read(clientssl,
1398 buf_dst + chunk_off,
1399 chunk_size)) != chunk_size) {
1400 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1401 goto end;
1402 }
1403
1404 /* verify the payload */
1405 if (!TEST_mem_eq(buf_dst + chunk_off,
1406 chunk_size,
1407 buf + chunk_off,
1408 chunk_size))
1409 goto end;
1410
1411 chunk_off += chunk_size;
1412 }
1413
1414 testresult = 1;
1415end:
1416 if (clientssl) {
1417 SSL_shutdown(clientssl);
1418 SSL_free(clientssl);
1419 }
1420 if (serverssl) {
1421 SSL_shutdown(serverssl);
1422 SSL_free(serverssl);
1423 }
1424 SSL_CTX_free(sctx);
1425 SSL_CTX_free(cctx);
1426 serverssl = clientssl = NULL;
1427 BIO_free(out);
1428 BIO_free(in);
e1fdd526
JB		 1429 if (cfd != -1)
1430 close(cfd);
1431 if (sfd != -1)
1432 close(sfd);
7c3a7561
BP		 1433 OPENSSL_free(buf);
1434 OPENSSL_free(buf_dst);
1435 return testresult;
1436}
1437
e1fdd526
JB		 1438static struct ktls_test_cipher {
1439 int tls_version;
1440 const char *cipher;
1441} ktls_test_ciphers[] = {
1442# if !defined(OPENSSL_NO_TLS1_2)
1443# ifdef OPENSSL_KTLS_AES_GCM_128
1444 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1445# endif
1446# ifdef OPENSSL_KTLS_AES_CCM_128
1447 { TLS1_2_VERSION, "AES128-CCM"},
1448# endif
1449# ifdef OPENSSL_KTLS_AES_GCM_256
1450 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1451# endif
11bac1b4 1452# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
2dded44a 1453# ifndef OPENSSL_NO_EC
11bac1b4 1454 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
2dded44a 1455# endif
11bac1b4 1456# endif
e1fdd526
JB		 1457# endif
1458# if !defined(OSSL_NO_USABLE_TLS1_3)
1459# ifdef OPENSSL_KTLS_AES_GCM_128
1460 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1461# endif
1462# ifdef OPENSSL_KTLS_AES_CCM_128
1463 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1464# endif
1465# ifdef OPENSSL_KTLS_AES_GCM_256
1466 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1467# endif
11bac1b4
JB		 1468# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1469 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1470# endif
e1fdd526
JB		 1471# endif
1472};
1473
1474#define NUM_KTLS_TEST_CIPHERS \
1475 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1476
da4db160
VF		 1477static int test_ktls(int test)
1478{
e1fdd526 1479 struct ktls_test_cipher *cipher;
a3a54179 1480 int cis_ktls, sis_ktls;
da4db160 1481
2cff17fd 1482 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
e1fdd526 1483 cipher = &ktls_test_ciphers[test / 4];
da4db160 1484
a3a54179
MC		 1485 cis_ktls = (test & 1) != 0;
1486 sis_ktls = (test & 2) != 0;
cd03b5dc 1487
e1fdd526
JB		 1488 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1489 cipher->cipher);
2fab79af
BP		 1490}
1491
cd715b7e 1492static int test_ktls_sendfile(int test)
fe5d9450 1493{
e1fdd526 1494 struct ktls_test_cipher *cipher;
cd715b7e 1495 int tst = test >> 1;
da4db160 1496
2cff17fd 1497 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
e1fdd526 1498 cipher = &ktls_test_ciphers[tst];
da4db160 1499
cd715b7e
MM		 1500 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher,
1501 test & 1);
fe5d9450 1502}
fe5d9450
BP		 1503#endif
1504
84d5549e
MC		 1505static int test_large_message_tls(void)
1506{
7856332e 1507 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1508 TLS1_VERSION, 0, 0);
7856332e
MC		 1509}
1510
1511static int test_large_message_tls_read_ahead(void)
1512{
1513 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1514 TLS1_VERSION, 0, 1);
84d5549e
MC		 1515}
1516
55386bef 1517#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 1518static int test_large_message_dtls(void)
1519{
8ce390e1
MC		 1520# ifdef OPENSSL_NO_DTLS1_2
1521 /* Not supported in the FIPS provider */
1522 if (is_fips)
1523 return 1;
1524# endif
7856332e
MC		 1525 /*
1526 * read_ahead is not relevant to DTLS because DTLS always acts as if
1527 * read_ahead is set.
1528 */
84d5549e 1529 return execute_test_large_message(DTLS_server_method(),
7d7f6834 1530 DTLS_client_method(),
5c587fb6 1531 DTLS1_VERSION, 0, 0);
84d5549e 1532}
55386bef 1533#endif
84d5549e 1534
3ff0a48a
MC		 1535/*
1536 * Test we can successfully send the maximum amount of application data. We
1537 * test each protocol version individually, each with and without EtM enabled.
1538 * TLSv1.3 doesn't use EtM so technically it is redundant to test both but it is
1539 * simpler this way. We also test all combinations with and without the
1540 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option which affects the size of the
1541 * underlying buffer.
1542 */
1543static int test_large_app_data(int tst)
1544{
1545 SSL_CTX *cctx = NULL, *sctx = NULL;
1546 SSL *clientssl = NULL, *serverssl = NULL;
1547 int testresult = 0, prot;
1548 unsigned char *msg, *buf = NULL;
1549 size_t written, readbytes;
2fda45d5
MC		 1550 const SSL_METHOD *smeth = TLS_server_method();
1551 const SSL_METHOD *cmeth = TLS_client_method();
3ff0a48a
MC		 1552
1553 switch (tst >> 2) {
1554 case 0:
1555#ifndef OSSL_NO_USABLE_TLS1_3
1556 prot = TLS1_3_VERSION;
1557 break;
1558#else
1559 return 1;
1560#endif
1561
1562 case 1:
1563#ifndef OPENSSL_NO_TLS1_2
1564 prot = TLS1_2_VERSION;
1565 break;
1566#else
1567 return 1;
1568#endif
1569
1570 case 2:
1571#ifndef OPENSSL_NO_TLS1_1
1572 prot = TLS1_1_VERSION;
1573 break;
1574#else
1575 return 1;
1576#endif
1577
1578 case 3:
1579#ifndef OPENSSL_NO_TLS1
1580 prot = TLS1_VERSION;
1581 break;
1582#else
1583 return 1;
1584#endif
1585
1586 case 4:
1587#ifndef OPENSSL_NO_SSL3
1588 prot = SSL3_VERSION;
1589 break;
1590#else
1591 return 1;
1592#endif
1593
2fda45d5
MC		 1594 case 5:
1595#ifndef OPENSSL_NO_DTLS1_2
1596 prot = DTLS1_2_VERSION;
1597 smeth = DTLS_server_method();
1598 cmeth = DTLS_client_method();
1599 break;
1600#else
1601 return 1;
1602#endif
1603
1604 case 6:
1605#ifndef OPENSSL_NO_DTLS1
1606 prot = DTLS1_VERSION;
1607 smeth = DTLS_server_method();
1608 cmeth = DTLS_client_method();
1609 break;
1610#else
1611 return 1;
1612#endif
1613
3ff0a48a
MC		 1614 default:
1615 /* Shouldn't happen */
1616 return 0;
1617 }
1618
2fda45d5 1619 if ((prot < TLS1_2_VERSION || prot == DTLS1_VERSION) && is_fips)
3ff0a48a
MC		 1620 return 1;
1621
1622 /* Maximal sized message of zeros */
1623 msg = OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH);
1624 if (!TEST_ptr(msg))
1625 goto end;
1626
1627 buf = OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH + 1);
1628 if (!TEST_ptr(buf))
1629 goto end;
1630 /* Set whole buffer to all bits set */
1631 memset(buf, 0xff, SSL3_RT_MAX_PLAIN_LENGTH + 1);
1632
2fda45d5 1633 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, prot, prot,
3ff0a48a
MC		 1634 &sctx, &cctx, cert, privkey)))
1635 goto end;
1636
2fda45d5 1637 if (prot < TLS1_2_VERSION || prot == DTLS1_VERSION) {
3ff0a48a
MC		 1638 /* Older protocol versions need SECLEVEL=0 due to SHA1 usage */
1639 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0"))
1640 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
1641 "DEFAULT:@SECLEVEL=0")))
1642 goto end;
1643 }
1644
1645 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1646 &clientssl, NULL, NULL)))
1647 goto end;
1648
1649 if ((tst & 1) != 0) {
1650 /* Setting this option gives us a minimally sized underlying buffer */
1651 if (!TEST_true(SSL_set_options(serverssl,
1652 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
1653 || !TEST_true(SSL_set_options(clientssl,
1654 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)))
1655 goto end;
1656 }
1657
1658 if ((tst & 2) != 0) {
1659 /*
1660 * Setting this option means the MAC is added before encryption
1661 * giving us a larger record for the encryption process
1662 */
1663 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC))
1664 || !TEST_true(SSL_set_options(clientssl,
1665 SSL_OP_NO_ENCRYPT_THEN_MAC)))
1666 goto end;
1667 }
1668
1669 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1670 goto end;
1671
1672 if (!TEST_true(SSL_write_ex(clientssl, msg, SSL3_RT_MAX_PLAIN_LENGTH,
1673 &written))
1674 || !TEST_size_t_eq(written, SSL3_RT_MAX_PLAIN_LENGTH))
1675 goto end;
1676
1677 /* We provide a buffer slightly larger than what we are actually expecting */
1678 if (!TEST_true(SSL_read_ex(serverssl, buf, SSL3_RT_MAX_PLAIN_LENGTH + 1,
1679 &readbytes)))
1680 goto end;
1681
1682 if (!TEST_mem_eq(msg, written, buf, readbytes))
1683 goto end;
1684
1685 testresult = 1;
1686end:
1687 OPENSSL_free(msg);
1688 OPENSSL_free(buf);
1689 SSL_free(serverssl);
1690 SSL_free(clientssl);
1691 SSL_CTX_free(sctx);
1692 SSL_CTX_free(cctx);
1693 return testresult;
1694}
1695
163b8016
ME		 1696static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1697 const SSL_METHOD *cmeth,
1698 int min_version, int max_version)
1699{
1700 size_t i;
1701 SSL_CTX *cctx = NULL, *sctx = NULL;
1702 SSL *clientssl = NULL, *serverssl = NULL;
1703 int testresult = 0;
163b8016 1704 void *zbuf;
38b051a1 1705 SSL_CONNECTION *serversc;
eddb067e 1706 TLS_RECORD *rr;
163b8016
ME		 1707
1708 static unsigned char cbuf[16000];
1709 static unsigned char sbuf[16000];
1710
1711 if (!TEST_true(create_ssl_ctx_pair(libctx,
1712 smeth, cmeth,
1713 min_version, max_version,
1714 &sctx, &cctx, cert,
1715 privkey)))
1716 goto end;
1717
8ce390e1
MC		 1718#ifdef OPENSSL_NO_DTLS1_2
1719 if (smeth == DTLS_server_method()) {
1720# ifdef OPENSSL_NO_DTLS1_2
1721 /* Not supported in the FIPS provider */
1722 if (is_fips) {
1723 testresult = 1;
1724 goto end;
1725 };
1726# endif
1727 /*
1728 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1729 * level 0
1730 */
1731 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1732 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1733 "DEFAULT:@SECLEVEL=0")))
1734 goto end;
1735 }
1736#endif
1737
163b8016
ME		 1738 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1739 NULL, NULL)))
1740 goto end;
1741
1742 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1743 goto end;
1744
1745 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1746 SSL_ERROR_NONE)))
1747 goto end;
1748
1749 for (i = 0; i < sizeof(cbuf); i++) {
1750 cbuf[i] = i & 0xff;
1751 }
1752
1753 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1754 goto end;
1755
1756 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1757 goto end;
1758
1759 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1760 goto end;
1761
1762 /*
1763 * Since we called SSL_peek(), we know the data in the record
1764 * layer is a plaintext record. We can gather the pointer to check
1765 * for zeroization after SSL_read().
1766 */
38b051a1
TM		 1767 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1768 goto end;
eddb067e 1769 rr = serversc->rlayer.tlsrecs;
4030869d 1770
eddb067e
MC		 1771 zbuf = &rr->data[rr->off];
1772 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1773 goto end;
163b8016
ME		 1774
1775 /*
1776 * After SSL_peek() the plaintext must still be stored in the
1777 * record.
1778 */
1779 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1780 goto end;
1781
1782 memset(sbuf, 0, sizeof(sbuf));
1783 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1784 goto end;
1785
1786 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1787 goto end;
1788
1789 /* Check if rbuf is cleansed */
1790 memset(cbuf, 0, sizeof(cbuf));
1791 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1792 goto end;
1793
1794 testresult = 1;
1795 end:
1796 SSL_free(serverssl);
1797 SSL_free(clientssl);
1798 SSL_CTX_free(sctx);
1799 SSL_CTX_free(cctx);
1800
1801 return testresult;
1802}
1803
1804static int test_cleanse_plaintext(void)
1805{
1806#if !defined(OPENSSL_NO_TLS1_2)
1807 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1808 TLS_client_method(),
1809 TLS1_2_VERSION,
1810 TLS1_2_VERSION)))
1811 return 0;
1812
1813#endif
1814
a763ca11 1815#if !defined(OSSL_NO_USABLE_TLS1_3)
163b8016
ME		 1816 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1817 TLS_client_method(),
1818 TLS1_3_VERSION,
1819 TLS1_3_VERSION)))
1820 return 0;
1821#endif
1822
1823#if !defined(OPENSSL_NO_DTLS)
8ce390e1 1824
163b8016
ME		 1825 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1826 DTLS_client_method(),
1827 DTLS1_VERSION,
1828 0)))
1829 return 0;
1830#endif
1831 return 1;
1832}
1833
8f8c11d8 1834#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 1835static int ocsp_server_cb(SSL *s, void *arg)
1836{
1837 int *argi = (int *)arg;
710756a9 1838 unsigned char *copy = NULL;
ba881d3b
MC		 1839 STACK_OF(OCSP_RESPID) *ids = NULL;
1840 OCSP_RESPID *id = NULL;
1841
1842 if (*argi == 2) {
1843 /* In this test we are expecting exactly 1 OCSP_RESPID */
1844 SSL_get_tlsext_status_ids(s, &ids);
1845 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1846 return SSL_TLSEXT_ERR_ALERT_FATAL;
1847
1848 id = sk_OCSP_RESPID_value(ids, 0);
5e30f2fd 1849 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
ba881d3b
MC		 1850 return SSL_TLSEXT_ERR_ALERT_FATAL;
1851 } else if (*argi != 1) {
1852 return SSL_TLSEXT_ERR_ALERT_FATAL;
1853 }
1854
710756a9 1855 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 1856 return SSL_TLSEXT_ERR_ALERT_FATAL;
1857
711d5a2f
P		 1858 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1859 sizeof(orespder)))) {
1860 OPENSSL_free(copy);
1861 return SSL_TLSEXT_ERR_ALERT_FATAL;
1862 }
ba881d3b 1863 ocsp_server_called = 1;
ba881d3b
MC		 1864 return SSL_TLSEXT_ERR_OK;
1865}
1866
1867static int ocsp_client_cb(SSL *s, void *arg)
1868{
1869 int *argi = (int *)arg;
1870 const unsigned char *respderin;
1871 size_t len;
1872
1873 if (*argi != 1 && *argi != 2)
1874 return 0;
1875
1876 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 1877 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 1878 return 0;
1879
1880 ocsp_client_called = 1;
ba881d3b
MC		 1881 return 1;
1882}
1883
2cb4b5f6
MC		 1884static int test_tlsext_status_type(void)
1885{
ba881d3b
MC		 1886 SSL_CTX *cctx = NULL, *sctx = NULL;
1887 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 1888 int testresult = 0;
ba881d3b
MC		 1889 STACK_OF(OCSP_RESPID) *ids = NULL;
1890 OCSP_RESPID *id = NULL;
1891 BIO *certbio = NULL;
2cb4b5f6 1892
5e30f2fd 1893 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
5c587fb6 1894 TLS1_VERSION, 0,
7d7f6834 1895 &sctx, &cctx, cert, privkey))
ba881d3b 1896 return 0;
2cb4b5f6 1897
710756a9 1898 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 1899 goto end;
2cb4b5f6 1900
ba881d3b 1901 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 1902
ba881d3b 1903 clientssl = SSL_new(cctx);
710756a9
RS		 1904 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1905 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1906 TLSEXT_STATUSTYPE_ocsp))
1907 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1908 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 1909 goto end;
2cb4b5f6 1910
ba881d3b
MC		 1911 SSL_free(clientssl);
1912 clientssl = NULL;
2cb4b5f6 1913
710756a9
RS		 1914 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1915 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1916 goto end;
2cb4b5f6 1917
ba881d3b 1918 clientssl = SSL_new(cctx);
710756a9 1919 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1920 goto end;
ba881d3b
MC		 1921 SSL_free(clientssl);
1922 clientssl = NULL;
1923
1924 /*
1925 * Now actually do a handshake and check OCSP information is exchanged and
1926 * the callbacks get called
1927 */
ba881d3b
MC		 1928 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1929 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1930 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1931 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 1932 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1933 &clientssl, NULL, NULL))
1934 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1935 SSL_ERROR_NONE))
1936 || !TEST_true(ocsp_client_called)
1937 || !TEST_true(ocsp_server_called))
ba881d3b 1938 goto end;
ba881d3b
MC		 1939 SSL_free(serverssl);
1940 SSL_free(clientssl);
1941 serverssl = NULL;
1942 clientssl = NULL;
1943
1944 /* Try again but this time force the server side callback to fail */
1945 ocsp_client_called = 0;
1946 ocsp_server_called = 0;
1947 cdummyarg = 0;
710756a9
RS		 1948 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1949 &clientssl, NULL, NULL))
1950 /* This should fail because the callback will fail */
1951 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1952 SSL_ERROR_NONE))
1953 || !TEST_false(ocsp_client_called)
1954 || !TEST_false(ocsp_server_called))
ba881d3b 1955 goto end;
ba881d3b
MC		 1956 SSL_free(serverssl);
1957 SSL_free(clientssl);
1958 serverssl = NULL;
1959 clientssl = NULL;
1960
1961 /*
1962 * This time we'll get the client to send an OCSP_RESPID that it will
1963 * accept.
1964 */
1965 ocsp_client_called = 0;
1966 ocsp_server_called = 0;
1967 cdummyarg = 2;
710756a9
RS		 1968 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1969 &clientssl, NULL, NULL)))
ba881d3b 1970 goto end;
ba881d3b
MC		 1971
1972 /*
1973 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 1974 * specific one. We'll use the server cert.
ba881d3b 1975 */
710756a9
RS		 1976 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1977 || !TEST_ptr(id = OCSP_RESPID_new())
1978 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
d8652be0 1979 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
6725682d 1980 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
5e30f2fd 1981 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
710756a9 1982 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 1983 goto end;
ba881d3b
MC		 1984 id = NULL;
1985 SSL_set_tlsext_status_ids(clientssl, ids);
1986 /* Control has been transferred */
1987 ids = NULL;
1988
1989 BIO_free(certbio);
1990 certbio = NULL;
1991
710756a9
RS		 1992 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1993 SSL_ERROR_NONE))
1994 || !TEST_true(ocsp_client_called)
1995 || !TEST_true(ocsp_server_called))
ba881d3b 1996 goto end;
ba881d3b 1997
2cb4b5f6
MC		 1998 testresult = 1;
1999
2000 end:
ba881d3b
MC		 2001 SSL_free(serverssl);
2002 SSL_free(clientssl);
2003 SSL_CTX_free(sctx);
2004 SSL_CTX_free(cctx);
2005 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
2006 OCSP_RESPID_free(id);
2007 BIO_free(certbio);
2008 X509_free(ocspcert);
2009 ocspcert = NULL;
2cb4b5f6
MC		 2010
2011 return testresult;
2012}
8f8c11d8 2013#endif
2cb4b5f6 2014
a763ca11 2015#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 2016static int new_called, remove_called, get_called;
eaa776da 2017
eaa776da
MC		 2018static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
2019{
2020 new_called++;
c0537ebd
MC		 2021 /*
2022 * sess has been up-refed for us, but we don't actually need it so free it
2023 * immediately.
2024 */
2025 SSL_SESSION_free(sess);
eaa776da
MC		 2026 return 1;
2027}
2028
2029static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
2030{
2031 remove_called++;
2032}
2033
7a301f08
MC		 2034static SSL_SESSION *get_sess_val = NULL;
2035
2036static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
2037 int *copy)
2038{
0afca811 2039 get_called++;
7a301f08
MC		 2040 *copy = 1;
2041 return get_sess_val;
2042}
2043
7a301f08 2044static int execute_test_session(int maxprot, int use_int_cache,
90fc2c26 2045 int use_ext_cache, long s_options)
2cb4b5f6
MC		 2046{
2047 SSL_CTX *sctx = NULL, *cctx = NULL;
2048 SSL *serverssl1 = NULL, *clientssl1 = NULL;
2049 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 2050# ifndef OPENSSL_NO_TLS1_1
eaa776da 2051 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 2052# endif
2cb4b5f6 2053 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
36ff232c 2054 int testresult = 0, numnewsesstick = 1;
2cb4b5f6 2055
7e885b7b
P		 2056 new_called = remove_called = 0;
2057
36ff232c
MC		 2058 /* TLSv1.3 sends 2 NewSessionTickets */
2059 if (maxprot == TLS1_3_VERSION)
2060 numnewsesstick = 2;
2061
5e30f2fd
MC		 2062 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2063 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 2064 &sctx, &cctx, cert, privkey)))
2cb4b5f6 2065 return 0;
2cb4b5f6 2066
7a301f08
MC		 2067 /*
2068 * Only allow the max protocol version so we can force a connection failure
2069 * later
2070 */
2071 SSL_CTX_set_min_proto_version(cctx, maxprot);
2072 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 2073
2074 /* Set up session cache */
7e885b7b 2075 if (use_ext_cache) {
eaa776da
MC		 2076 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2077 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
2078 }
7e885b7b 2079 if (use_int_cache) {
eaa776da
MC		 2080 /* Also covers instance where both are set */
2081 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
2082 } else {
2083 SSL_CTX_set_session_cache_mode(cctx,
2084 SSL_SESS_CACHE_CLIENT
2085 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2086 }
2cb4b5f6 2087
90fc2c26
NM		 2088 if (s_options) {
2089 SSL_CTX_set_options(sctx, s_options);
2090 }
2091
710756a9
RS		 2092 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2093 NULL, NULL))
2094 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2095 SSL_ERROR_NONE))
2096 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 2097 goto end;
2cb4b5f6 2098
710756a9 2099 /* Should fail because it should already be in the cache */
7e885b7b 2100 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 2101 goto end;
7a301f08 2102 if (use_ext_cache
36ff232c
MC		 2103 && (!TEST_int_eq(new_called, numnewsesstick)
2104
2105 || !TEST_int_eq(remove_called, 0)))
b4982125 2106 goto end;
b4982125 2107
c0537ebd
MC		 2108 new_called = remove_called = 0;
2109 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2110 &clientssl2, NULL, NULL))
2111 || !TEST_true(SSL_set_session(clientssl2, sess1))
2112 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2113 SSL_ERROR_NONE))
2114 || !TEST_true(SSL_session_reused(clientssl2)))
2115 goto end;
2116
7a301f08
MC		 2117 if (maxprot == TLS1_3_VERSION) {
2118 /*
2119 * In TLSv1.3 we should have created a new session even though we have
4cb00457
MC		 2120 * resumed. Since we attempted a resume we should also have removed the
2121 * old ticket from the cache so that we try to only use tickets once.
7a301f08
MC		 2122 */
2123 if (use_ext_cache
2124 && (!TEST_int_eq(new_called, 1)
4cb00457 2125 || !TEST_int_eq(remove_called, 1)))
7a301f08
MC		 2126 goto end;
2127 } else {
2128 /*
2129 * In TLSv1.2 we expect to have resumed so no sessions added or
2130 * removed.
2131 */
2132 if (use_ext_cache
2133 && (!TEST_int_eq(new_called, 0)
2134 || !TEST_int_eq(remove_called, 0)))
2135 goto end;
2136 }
c0537ebd
MC		 2137
2138 SSL_SESSION_free(sess1);
2139 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
2140 goto end;
2141 shutdown_ssl_connection(serverssl2, clientssl2);
2142 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 2143
2144 new_called = remove_called = 0;
710756a9
RS		 2145 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2146 &clientssl2, NULL, NULL))
2147 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2148 SSL_ERROR_NONE)))
2cb4b5f6 2149 goto end;
2cb4b5f6 2150
710756a9 2151 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 2152 goto end;
2cb4b5f6 2153
7a301f08 2154 if (use_ext_cache
36ff232c
MC		 2155 && (!TEST_int_eq(new_called, numnewsesstick)
2156 || !TEST_int_eq(remove_called, 0)))
eaa776da 2157 goto end;
eaa776da 2158
c0537ebd 2159 new_called = remove_called = 0;
2cb4b5f6 2160 /*
710756a9
RS		 2161 * This should clear sess2 from the cache because it is a "bad" session.
2162 * See SSL_set_session() documentation.
2cb4b5f6 2163 */
710756a9 2164 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 2165 goto end;
7a301f08
MC		 2166 if (use_ext_cache
2167 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 2168 goto end;
710756a9 2169 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 2170 goto end;
2cb4b5f6 2171
7e885b7b 2172 if (use_int_cache) {
710756a9
RS		 2173 /* Should succeeded because it should not already be in the cache */
2174 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
2175 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 2176 goto end;
eaa776da
MC		 2177 }
2178
c0537ebd 2179 new_called = remove_called = 0;
eaa776da 2180 /* This shouldn't be in the cache so should fail */
710756a9 2181 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 2182 goto end;
2cb4b5f6 2183
7a301f08
MC		 2184 if (use_ext_cache
2185 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 2186 goto end;
2cb4b5f6 2187
bf208d95 2188# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 2189 new_called = remove_called = 0;
eaa776da
MC		 2190 /* Force a connection failure */
2191 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 2192 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2193 &clientssl3, NULL, NULL))
2194 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 2195 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 2196 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2197 SSL_ERROR_NONE)))
eaa776da 2198 goto end;
b4982125 2199
eaa776da 2200 /* We should have automatically removed the session from the cache */
7a301f08
MC		 2201 if (use_ext_cache
2202 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 2203 goto end;
2cb4b5f6 2204
710756a9 2205 /* Should succeed because it should not already be in the cache */
7e885b7b 2206 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 2207 goto end;
bf208d95 2208# endif
eaa776da 2209
7a301f08
MC		 2210 /* Now do some tests for server side caching */
2211 if (use_ext_cache) {
2212 SSL_CTX_sess_set_new_cb(cctx, NULL);
2213 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2214 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2215 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2216 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2217 get_sess_val = NULL;
2218 }
2219
2220 SSL_CTX_set_session_cache_mode(cctx, 0);
2221 /* Internal caching is the default on the server side */
2222 if (!use_int_cache)
2223 SSL_CTX_set_session_cache_mode(sctx,
2224 SSL_SESS_CACHE_SERVER
2225 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2226
2227 SSL_free(serverssl1);
2228 SSL_free(clientssl1);
2229 serverssl1 = clientssl1 = NULL;
2230 SSL_free(serverssl2);
2231 SSL_free(clientssl2);
2232 serverssl2 = clientssl2 = NULL;
2233 SSL_SESSION_free(sess1);
2234 sess1 = NULL;
2235 SSL_SESSION_free(sess2);
2236 sess2 = NULL;
2237
2238 SSL_CTX_set_max_proto_version(sctx, maxprot);
6cc0b3c2
MC		 2239 if (maxprot == TLS1_2_VERSION)
2240 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 2241 new_called = remove_called = get_called = 0;
7a301f08
MC		 2242 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2243 NULL, NULL))
2244 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2245 SSL_ERROR_NONE))
2246 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2247 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2248 goto end;
2249
ee94ec2e
MC		 2250 if (use_int_cache) {
2251 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2252 /*
2253 * In TLSv1.3 it should not have been added to the internal cache,
2254 * except in the case where we also have an external cache (in that
2255 * case it gets added to the cache in order to generate remove
2256 * events after timeout).
2257 */
2258 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2259 goto end;
2260 } else {
2261 /* Should fail because it should already be in the cache */
2262 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2263 goto end;
2264 }
2265 }
7a301f08
MC		 2266
2267 if (use_ext_cache) {
2268 SSL_SESSION *tmp = sess2;
2269
36ff232c 2270 if (!TEST_int_eq(new_called, numnewsesstick)
0afca811
KY		 2271 || !TEST_int_eq(remove_called, 0)
2272 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 2273 goto end;
2274 /*
2275 * Delete the session from the internal cache to force a lookup from
2276 * the external cache. We take a copy first because
2277 * SSL_CTX_remove_session() also marks the session as non-resumable.
2278 */
ee94ec2e 2279 if (use_int_cache && maxprot != TLS1_3_VERSION) {
3cb6a4d6
BK		 2280 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2281 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2282 goto end;
2283 SSL_SESSION_free(sess2);
2284 }
7a301f08
MC		 2285 sess2 = tmp;
2286 }
2287
0afca811 2288 new_called = remove_called = get_called = 0;
7a301f08
MC		 2289 get_sess_val = sess2;
2290 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2291 &clientssl2, NULL, NULL))
2292 || !TEST_true(SSL_set_session(clientssl2, sess1))
2293 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2294 SSL_ERROR_NONE))
2295 || !TEST_true(SSL_session_reused(clientssl2)))
2296 goto end;
2297
0afca811 2298 if (use_ext_cache) {
32305f88 2299 if (!TEST_int_eq(remove_called, 0))
0afca811
KY		 2300 goto end;
2301
2302 if (maxprot == TLS1_3_VERSION) {
32305f88
MC		 2303 if (!TEST_int_eq(new_called, 1)
2304 || !TEST_int_eq(get_called, 0))
0afca811
KY		 2305 goto end;
2306 } else {
32305f88
MC		 2307 if (!TEST_int_eq(new_called, 0)
2308 || !TEST_int_eq(get_called, 1))
0afca811
KY		 2309 goto end;
2310 }
2311 }
4842a27b
TS		 2312 /*
2313 * Make a small cache, force out all other sessions but
2314 * sess2, try to add sess1, which should succeed. Then
2315 * make sure it's there by checking the owners. Despite
2316 * the timeouts, sess1 should have kicked out sess2
2317 */
2318
2319 /* Make sess1 expire before sess2 */
2320 if (!TEST_long_gt(SSL_SESSION_set_time(sess1, 1000), 0)
2321 || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0)
2322 || !TEST_long_gt(SSL_SESSION_set_time(sess2, 2000), 0)
2323 || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0))
2324 goto end;
2325
2326 if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0))
2327 goto end;
2328
2329 /* Don't care about results - cache should only be sess2 at end */
2330 SSL_CTX_add_session(sctx, sess1);
2331 SSL_CTX_add_session(sctx, sess2);
2332
2333 /* Now add sess1, and make sure it remains, despite timeout */
2334 if (!TEST_true(SSL_CTX_add_session(sctx, sess1))
2335 || !TEST_ptr(sess1->owner)
2336 || !TEST_ptr_null(sess2->owner))
2337 goto end;
7a301f08 2338
2cb4b5f6 2339 testresult = 1;
eaa776da 2340
2cb4b5f6
MC		 2341 end:
2342 SSL_free(serverssl1);
2343 SSL_free(clientssl1);
2344 SSL_free(serverssl2);
2345 SSL_free(clientssl2);
bf208d95 2346# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 2347 SSL_free(serverssl3);
2348 SSL_free(clientssl3);
bf208d95 2349# endif
2cb4b5f6
MC		 2350 SSL_SESSION_free(sess1);
2351 SSL_SESSION_free(sess2);
2352 SSL_CTX_free(sctx);
2353 SSL_CTX_free(cctx);
2354
2355 return testresult;
2356}
a763ca11 2357#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 2358
7fb4c820
MC		 2359static int test_session_with_only_int_cache(void)
2360{
a763ca11 2361#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2362 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
7a301f08
MC		 2363 return 0;
2364#endif
2365
2366#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2367 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
7a301f08
MC		 2368#else
2369 return 1;
2370#endif
eaa776da
MC		 2371}
2372
7fb4c820
MC		 2373static int test_session_with_only_ext_cache(void)
2374{
a763ca11 2375#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2376 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
7a301f08
MC		 2377 return 0;
2378#endif
2379
2380#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2381 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
7a301f08
MC		 2382#else
2383 return 1;
2384#endif
eaa776da
MC		 2385}
2386
7fb4c820
MC		 2387static int test_session_with_both_cache(void)
2388{
a763ca11 2389#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26
NM		 2390 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2391 return 0;
2392#endif
2393
2394#ifndef OPENSSL_NO_TLS1_2
2395 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2396#else
2397 return 1;
2398#endif
2399}
2400
2401static int test_session_wo_ca_names(void)
2402{
a763ca11 2403#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2404 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
7a301f08
MC		 2405 return 0;
2406#endif
2407
2408#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2409 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
7a301f08
MC		 2410#else
2411 return 1;
2412#endif
eaa776da
MC		 2413}
2414
90fc2c26 2415
a763ca11 2416#ifndef OSSL_NO_USABLE_TLS1_3
c22365b3
MC		 2417static SSL_SESSION *sesscache[6];
2418static int do_cache;
36ff232c
MC		 2419
2420static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2421{
c22365b3
MC		 2422 if (do_cache) {
2423 sesscache[new_called] = sess;
2424 } else {
2425 /* We don't need the reference to the session, so free it */
2426 SSL_SESSION_free(sess);
2427 }
2428 new_called++;
2429
2430 return 1;
2431}
2432
2433static int post_handshake_verify(SSL *sssl, SSL *cssl)
2434{
2435 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2436 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2437 return 0;
2438
2439 /* Start handshake on the server and client */
2440 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2441 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2442 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2443 || !TEST_true(create_ssl_connection(sssl, cssl,
2444 SSL_ERROR_NONE)))
2445 return 0;
36ff232c
MC		 2446
2447 return 1;
2448}
2449
fbe9dafd 2450static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
03cdf559
MC		 2451 SSL_CTX **cctx)
2452{
2453 int sess_id_ctx = 1;
2454
5e30f2fd
MC		 2455 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2456 TLS_client_method(), TLS1_VERSION, 0,
2457 sctx, cctx, cert, privkey))
03cdf559
MC		 2458 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2459 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2460 (void *)&sess_id_ctx,
2461 sizeof(sess_id_ctx))))
2462 return 0;
2463
2464 if (stateful)
2465 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2466
2467 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2468 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2469 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2470
2471 return 1;
2472}
2473
2474static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2475{
2476 SSL *serverssl = NULL, *clientssl = NULL;
2477 int i;
2478
2479 /* Test that we can resume with all the tickets we got given */
2480 for (i = 0; i < idx * 2; i++) {
2481 new_called = 0;
2482 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2483 &clientssl, NULL, NULL))
2484 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2485 goto end;
2486
32097b33 2487 SSL_set_post_handshake_auth(clientssl, 1);
03cdf559
MC		 2488
2489 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2490 SSL_ERROR_NONE)))
2491 goto end;
2492
2493 /*
2494 * Following a successful resumption we only get 1 ticket. After a
2495 * failed one we should get idx tickets.
2496 */
2497 if (succ) {
2498 if (!TEST_true(SSL_session_reused(clientssl))
2499 || !TEST_int_eq(new_called, 1))
2500 goto end;
2501 } else {
2502 if (!TEST_false(SSL_session_reused(clientssl))
2503 || !TEST_int_eq(new_called, idx))
2504 goto end;
2505 }
2506
2507 new_called = 0;
2508 /* After a post-handshake authentication we should get 1 new ticket */
2509 if (succ
2510 && (!post_handshake_verify(serverssl, clientssl)
2511 || !TEST_int_eq(new_called, 1)))
2512 goto end;
2513
2514 SSL_shutdown(clientssl);
2515 SSL_shutdown(serverssl);
2516 SSL_free(serverssl);
2517 SSL_free(clientssl);
2518 serverssl = clientssl = NULL;
2519 SSL_SESSION_free(sesscache[i]);
2520 sesscache[i] = NULL;
2521 }
2522
2523 return 1;
2524
2525 end:
2526 SSL_free(clientssl);
2527 SSL_free(serverssl);
2528 return 0;
2529}
2530
04d7814a 2531static int test_tickets(int stateful, int idx)
36ff232c
MC		 2532{
2533 SSL_CTX *sctx = NULL, *cctx = NULL;
2534 SSL *serverssl = NULL, *clientssl = NULL;
03cdf559 2535 int testresult = 0;
36ff232c
MC		 2536 size_t j;
2537
2538 /* idx is the test number, but also the number of tickets we want */
2539
2540 new_called = 0;
c22365b3 2541 do_cache = 1;
36ff232c 2542
fbe9dafd 2543 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
36ff232c
MC		 2544 goto end;
2545
03cdf559
MC		 2546 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2547 &clientssl, NULL, NULL)))
2548 goto end;
2549
2550 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2551 SSL_ERROR_NONE))
2552 /* Check we got the number of tickets we were expecting */
2553 || !TEST_int_eq(idx, new_called))
2554 goto end;
04d7814a 2555
03cdf559
MC		 2556 SSL_shutdown(clientssl);
2557 SSL_shutdown(serverssl);
2558 SSL_free(serverssl);
2559 SSL_free(clientssl);
2560 SSL_CTX_free(sctx);
2561 SSL_CTX_free(cctx);
2562 clientssl = serverssl = NULL;
2563 sctx = cctx = NULL;
2564
2565 /*
2566 * Now we try to resume with the tickets we previously created. The
2567 * resumption attempt is expected to fail (because we're now using a new
2568 * SSL_CTX). We should see idx number of tickets issued again.
2569 */
2570
2571 /* Stop caching sessions - just count them */
2572 do_cache = 0;
2573
fbe9dafd 2574 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559
MC		 2575 goto end;
2576
2577 if (!check_resumption(idx, sctx, cctx, 0))
2578 goto end;
2579
2580 /* Start again with caching sessions */
2581 new_called = 0;
2582 do_cache = 1;
fbe9dafd
MC		 2583 SSL_CTX_free(sctx);
2584 SSL_CTX_free(cctx);
2585 sctx = cctx = NULL;
03cdf559 2586
fbe9dafd 2587 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559 2588 goto end;
36ff232c
MC		 2589
2590 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2591 &clientssl, NULL, NULL)))
2592 goto end;
2593
32097b33 2594 SSL_set_post_handshake_auth(clientssl, 1);
36ff232c
MC		 2595
2596 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2597 SSL_ERROR_NONE))
2598 /* Check we got the number of tickets we were expecting */
2599 || !TEST_int_eq(idx, new_called))
2600 goto end;
2601
2602 /* After a post-handshake authentication we should get new tickets issued */
c22365b3 2603 if (!post_handshake_verify(serverssl, clientssl)
36ff232c
MC		 2604 || !TEST_int_eq(idx * 2, new_called))
2605 goto end;
2606
36ff232c
MC		 2607 SSL_shutdown(clientssl);
2608 SSL_shutdown(serverssl);
2609 SSL_free(serverssl);
2610 SSL_free(clientssl);
2611 serverssl = clientssl = NULL;
2612
c22365b3
MC		 2613 /* Stop caching sessions - just count them */
2614 do_cache = 0;
2615
03cdf559
MC		 2616 /*
2617 * Check we can resume with all the tickets we created. This time around the
2618 * resumptions should all be successful.
2619 */
2620 if (!check_resumption(idx, sctx, cctx, 1))
2621 goto end;
36ff232c
MC		 2622
2623 testresult = 1;
2624
2625 end:
2626 SSL_free(serverssl);
2627 SSL_free(clientssl);
c22365b3 2628 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
36ff232c 2629 SSL_SESSION_free(sesscache[j]);
c22365b3
MC		 2630 sesscache[j] = NULL;
2631 }
36ff232c
MC		 2632 SSL_CTX_free(sctx);
2633 SSL_CTX_free(cctx);
2634
2635 return testresult;
2636}
04d7814a
MC		 2637
2638static int test_stateless_tickets(int idx)
2639{
2640 return test_tickets(0, idx);
2641}
2642
2643static int test_stateful_tickets(int idx)
2644{
2645 return test_tickets(1, idx);
2646}
8614a4eb
MC		 2647
2648static int test_psk_tickets(void)
2649{
2650 SSL_CTX *sctx = NULL, *cctx = NULL;
2651 SSL *serverssl = NULL, *clientssl = NULL;
2652 int testresult = 0;
2653 int sess_id_ctx = 1;
2654
5e30f2fd
MC		 2655 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2656 TLS_client_method(), TLS1_VERSION, 0,
2657 &sctx, &cctx, NULL, NULL))
8614a4eb
MC		 2658 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2659 (void *)&sess_id_ctx,
2660 sizeof(sess_id_ctx))))
2661 goto end;
2662
2663 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2664 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2665 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2666 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2667 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2668 use_session_cb_cnt = 0;
2669 find_session_cb_cnt = 0;
2670 srvid = pskid;
2671 new_called = 0;
2672
2673 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2674 NULL, NULL)))
2675 goto end;
2676 clientpsk = serverpsk = create_a_psk(clientssl);
2677 if (!TEST_ptr(clientpsk))
2678 goto end;
2679 SSL_SESSION_up_ref(clientpsk);
2680
2681 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2682 SSL_ERROR_NONE))
2683 || !TEST_int_eq(1, find_session_cb_cnt)
2684 || !TEST_int_eq(1, use_session_cb_cnt)
2685 /* We should always get 1 ticket when using external PSK */
2686 || !TEST_int_eq(1, new_called))
2687 goto end;
2688
2689 testresult = 1;
2690
2691 end:
2692 SSL_free(serverssl);
2693 SSL_free(clientssl);
2694 SSL_CTX_free(sctx);
2695 SSL_CTX_free(cctx);
2696 SSL_SESSION_free(clientpsk);
2697 SSL_SESSION_free(serverpsk);
2698 clientpsk = serverpsk = NULL;
2699
2700 return testresult;
2701}
f0049b86
BK		 2702
2703static int test_extra_tickets(int idx)
2704{
2705 SSL_CTX *sctx = NULL, *cctx = NULL;
2706 SSL *serverssl = NULL, *clientssl = NULL;
2707 BIO *bretry = BIO_new(bio_s_always_retry());
2708 BIO *tmp = NULL;
2709 int testresult = 0;
2710 int stateful = 0;
2711 size_t nbytes;
2712 unsigned char c, buf[1];
2713
2714 new_called = 0;
2715 do_cache = 1;
2716
2717 if (idx >= 3) {
2718 idx -= 3;
2719 stateful = 1;
2720 }
2721
2722 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2723 goto end;
2724 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2725 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2726 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2727
2728 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2729 &clientssl, NULL, NULL)))
2730 goto end;
2731
2732 /*
2733 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2734 * incremented by both client and server.
2735 */
2736 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2737 SSL_ERROR_NONE))
2738 /* Check we got the number of tickets we were expecting */
2739 || !TEST_int_eq(idx * 2, new_called)
2740 || !TEST_true(SSL_new_session_ticket(serverssl))
2741 || !TEST_true(SSL_new_session_ticket(serverssl))
2742 || !TEST_int_eq(idx * 2, new_called))
2743 goto end;
2744
2745 /* Now try a (real) write to actually send the tickets */
2746 c = '1';
2747 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2748 || !TEST_size_t_eq(1, nbytes)
2749 || !TEST_int_eq(idx * 2 + 2, new_called)
2750 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2751 || !TEST_int_eq(idx * 2 + 4, new_called)
2752 || !TEST_int_eq(sizeof(buf), nbytes)
2753 || !TEST_int_eq(c, buf[0])
2754 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2755 goto end;
2756
2757 /* Try with only requesting one new ticket, too */
2758 c = '2';
2759 new_called = 0;
2760 if (!TEST_true(SSL_new_session_ticket(serverssl))
2761 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2762 || !TEST_size_t_eq(sizeof(c), nbytes)
2763 || !TEST_int_eq(1, new_called)
2764 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2765 || !TEST_int_eq(2, new_called)
2766 || !TEST_size_t_eq(sizeof(buf), nbytes)
2767 || !TEST_int_eq(c, buf[0]))
2768 goto end;
2769
2770 /* Do it again but use dummy writes to drive the ticket generation */
2771 c = '3';
2772 new_called = 0;
2773 if (!TEST_true(SSL_new_session_ticket(serverssl))
2774 || !TEST_true(SSL_new_session_ticket(serverssl))
2775 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2776 || !TEST_size_t_eq(0, nbytes)
2777 || !TEST_int_eq(2, new_called)
2778 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2779 || !TEST_int_eq(4, new_called))
2780 goto end;
2781
a0bbcb42
BK		 2782 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2783 c = '4';
2784 new_called = 0;
2785 if (!TEST_true(SSL_new_session_ticket(serverssl))
2786 || !TEST_true(SSL_new_session_ticket(serverssl))
2787 || !TEST_true(SSL_do_handshake(serverssl))
2788 || !TEST_int_eq(2, new_called)
2789 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2790 || !TEST_int_eq(4, new_called))
2791 goto end;
2792
f0049b86
BK		 2793 /*
2794 * Use the always-retry BIO to exercise the logic that forces ticket
2795 * generation to wait until a record boundary.
2796 */
a0bbcb42 2797 c = '5';
f0049b86
BK		 2798 new_called = 0;
2799 tmp = SSL_get_wbio(serverssl);
2800 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2801 tmp = NULL;
2802 goto end;
2803 }
2804 SSL_set0_wbio(serverssl, bretry);
2805 bretry = NULL;
2806 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2807 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2808 || !TEST_size_t_eq(nbytes, 0))
2809 goto end;
2810 /* Restore a BIO that will let the write succeed */
2811 SSL_set0_wbio(serverssl, tmp);
2812 tmp = NULL;
a0bbcb42
BK		 2813 /*
2814 * These calls should just queue the request and not send anything
2815 * even if we explicitly try to hit the state machine.
2816 */
f0049b86
BK		 2817 if (!TEST_true(SSL_new_session_ticket(serverssl))
2818 || !TEST_true(SSL_new_session_ticket(serverssl))
a0bbcb42
BK		 2819 || !TEST_int_eq(0, new_called)
2820 || !TEST_true(SSL_do_handshake(serverssl))
f0049b86
BK		 2821 || !TEST_int_eq(0, new_called))
2822 goto end;
2823 /* Re-do the write; still no tickets sent */
2824 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2825 || !TEST_size_t_eq(1, nbytes)
2826 || !TEST_int_eq(0, new_called)
2827 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2828 || !TEST_int_eq(0, new_called)
2829 || !TEST_int_eq(sizeof(buf), nbytes)
2830 || !TEST_int_eq(c, buf[0])
2831 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2832 goto end;
a0bbcb42
BK		 2833 /* Even trying to hit the state machine now will still not send tickets */
2834 if (!TEST_true(SSL_do_handshake(serverssl))
2835 || !TEST_int_eq(0, new_called))
2836 goto end;
f0049b86 2837 /* Now the *next* write should send the tickets */
a0bbcb42 2838 c = '6';
f0049b86
BK		 2839 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2840 || !TEST_size_t_eq(1, nbytes)
2841 || !TEST_int_eq(2, new_called)
2842 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2843 || !TEST_int_eq(4, new_called)
2844 || !TEST_int_eq(sizeof(buf), nbytes)
2845 || !TEST_int_eq(c, buf[0])
2846 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2847 goto end;
2848
2849 SSL_shutdown(clientssl);
2850 SSL_shutdown(serverssl);
2851 testresult = 1;
2852
2853 end:
2854 BIO_free(bretry);
2855 BIO_free(tmp);
2856 SSL_free(serverssl);
2857 SSL_free(clientssl);
2858 SSL_CTX_free(sctx);
2859 SSL_CTX_free(cctx);
2860 clientssl = serverssl = NULL;
2861 sctx = cctx = NULL;
2862 return testresult;
2863}
04225915 2864#endif
36ff232c 2865
7d4488bb
MC		 2866#define USE_NULL 0
2867#define USE_BIO_1 1
2868#define USE_BIO_2 2
2869#define USE_DEFAULT 3
2870
2871#define CONNTYPE_CONNECTION_SUCCESS 0
2872#define CONNTYPE_CONNECTION_FAIL 1
2873#define CONNTYPE_NO_CONNECTION 2
2874
2875#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2876#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
a763ca11 2877#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
7d4488bb
MC		 2878# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2879#else
2880# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2881#endif
2882
7d4488bb
MC		 2883#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2884 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2885 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
7fb4c820
MC		 2886
2887static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2888{
2889 switch (type) {
2890 case USE_NULL:
2891 *res = NULL;
2892 break;
2893 case USE_BIO_1:
2894 *res = bio1;
2895 break;
2896 case USE_BIO_2:
2897 *res = bio2;
2898 break;
2899 }
2900}
2901
7d4488bb
MC		 2902
2903/*
2904 * Tests calls to SSL_set_bio() under various conditions.
2905 *
2906 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2907 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2908 * then do more tests where we create a successful connection first using our
2909 * standard connection setup functions, and then call SSL_set_bio() with
2910 * various combinations of valid BIOs or NULL. We then repeat these tests
2911 * following a failed connection. In this last case we are looking to check that
2912 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2913 */
7fb4c820
MC		 2914static int test_ssl_set_bio(int idx)
2915{
7d4488bb 2916 SSL_CTX *sctx = NULL, *cctx = NULL;
7fb4c820
MC		 2917 BIO *bio1 = NULL;
2918 BIO *bio2 = NULL;
0fae8150 2919 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7d4488bb
MC		 2920 SSL *serverssl = NULL, *clientssl = NULL;
2921 int initrbio, initwbio, newrbio, newwbio, conntype;
7fb4c820
MC		 2922 int testresult = 0;
2923
7d4488bb
MC		 2924 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2925 initrbio = idx % 3;
2926 idx /= 3;
2927 initwbio = idx % 3;
2928 idx /= 3;
2929 newrbio = idx % 3;
2930 idx /= 3;
2931 newwbio = idx % 3;
2932 conntype = CONNTYPE_NO_CONNECTION;
2933 } else {
2934 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2935 initrbio = initwbio = USE_DEFAULT;
2936 newrbio = idx % 2;
2937 idx /= 2;
2938 newwbio = idx % 2;
2939 idx /= 2;
2940 conntype = idx % 2;
2941 }
710756a9 2942
5e30f2fd
MC		 2943 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2944 TLS_client_method(), TLS1_VERSION, 0,
7d4488bb
MC		 2945 &sctx, &cctx, cert, privkey)))
2946 goto end;
2947
2948 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2949 /*
2950 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2951 * because we reduced the number of tests in the definition of
2952 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2953 * mismatched protocol versions we will force a connection failure.
2954 */
2955 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2956 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2957 }
2958
2959 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2960 NULL, NULL)))
710756a9 2961 goto end;
7fb4c820 2962
710756a9
RS		 2963 if (initrbio == USE_BIO_1
2964 || initwbio == USE_BIO_1
2965 || newrbio == USE_BIO_1
7fb4c820 2966 || newwbio == USE_BIO_1) {
710756a9 2967 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 2968 goto end;
7fb4c820
MC		 2969 }
2970
710756a9
RS		 2971 if (initrbio == USE_BIO_2
2972 || initwbio == USE_BIO_2
2973 || newrbio == USE_BIO_2
7fb4c820 2974 || newwbio == USE_BIO_2) {
710756a9 2975 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 2976 goto end;
7fb4c820
MC		 2977 }
2978
7d4488bb
MC		 2979 if (initrbio != USE_DEFAULT) {
2980 setupbio(&irbio, bio1, bio2, initrbio);
2981 setupbio(&iwbio, bio1, bio2, initwbio);
2982 SSL_set_bio(clientssl, irbio, iwbio);
7fb4c820 2983
7d4488bb
MC		 2984 /*
2985 * We want to maintain our own refs to these BIO, so do an up ref for
2986 * each BIO that will have ownership transferred in the SSL_set_bio()
2987 * call
2988 */
2989 if (irbio != NULL)
2990 BIO_up_ref(irbio);
2991 if (iwbio != NULL && iwbio != irbio)
2992 BIO_up_ref(iwbio);
2993 }
7fb4c820 2994
7d4488bb
MC		 2995 if (conntype != CONNTYPE_NO_CONNECTION
2996 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2997 SSL_ERROR_NONE)
2998 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2999 goto end;
7fb4c820
MC		 3000
3001 setupbio(&nrbio, bio1, bio2, newrbio);
3002 setupbio(&nwbio, bio1, bio2, newwbio);
3003
3004 /*
3005 * We will (maybe) transfer ownership again so do more up refs.
3006 * SSL_set_bio() has some really complicated ownership rules where BIOs have
3007 * already been set!
3008 */
710756a9
RS		 3009 if (nrbio != NULL
3010 && nrbio != irbio
3011 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 3012 BIO_up_ref(nrbio);
710756a9
RS		 3013 if (nwbio != NULL
3014 && nwbio != nrbio
3015 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 3016 BIO_up_ref(nwbio);
3017
7d4488bb 3018 SSL_set_bio(clientssl, nrbio, nwbio);
7fb4c820
MC		 3019
3020 testresult = 1;
3021
3022 end:
7fb4c820
MC		 3023 BIO_free(bio1);
3024 BIO_free(bio2);
710756a9 3025
7fb4c820
MC		 3026 /*
3027 * This test is checking that the ref counting for SSL_set_bio is correct.
3028 * If we get here and we did too many frees then we will fail in the above
742ccab3 3029 * functions.
7fb4c820 3030 */
7d4488bb
MC		 3031 SSL_free(serverssl);
3032 SSL_free(clientssl);
3033 SSL_CTX_free(sctx);
3034 SSL_CTX_free(cctx);
7fb4c820
MC		 3035 return testresult;
3036}
3037
7e885b7b 3038typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 3039
7e885b7b 3040static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 3041{
3042 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 3043 SSL_CTX *ctx;
9a716987
MC		 3044 SSL *ssl = NULL;
3045 int testresult = 0;
3046
d8652be0 3047 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
710756a9
RS		 3048 || !TEST_ptr(ssl = SSL_new(ctx))
3049 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
3050 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 3051 goto end;
9a716987
MC		 3052
3053 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
3054
3055 /*
742ccab3 3056 * If anything goes wrong here then we could leak memory.
9a716987
MC		 3057 */
3058 BIO_push(sslbio, membio1);
3059
69687aa8 3060 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 3061 if (change_bio != NO_BIO_CHANGE) {
493e7898
NX		 3062 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
3063 ssl = NULL;
9a716987 3064 goto end;
493e7898 3065 }
7e885b7b 3066 if (change_bio == CHANGE_RBIO)
65e2d672 3067 SSL_set0_rbio(ssl, membio2);
9a716987 3068 else
65e2d672 3069 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 3070 }
3071 ssl = NULL;
3072
7e885b7b 3073 if (pop_ssl)
9a716987
MC		 3074 BIO_pop(sslbio);
3075 else
3076 BIO_pop(membio1);
3077
3078 testresult = 1;
3079 end:
3080 BIO_free(membio1);
3081 BIO_free(sslbio);
3082 SSL_free(ssl);
3083 SSL_CTX_free(ctx);
3084
3085 return testresult;
3086}
3087
3088static int test_ssl_bio_pop_next_bio(void)
3089{
7e885b7b 3090 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 3091}
3092
3093static int test_ssl_bio_pop_ssl_bio(void)
3094{
7e885b7b 3095 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 3096}
3097
3098static int test_ssl_bio_change_rbio(void)
3099{
7e885b7b 3100 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 3101}
3102
3103static int test_ssl_bio_change_wbio(void)
3104{
7e885b7b 3105 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 3106}
3107
a763ca11 3108#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
f1b25aae
MC		 3109typedef struct {
3110 /* The list of sig algs */
3111 const int *list;
3112 /* The length of the list */
3113 size_t listlen;
3114 /* A sigalgs list in string format */
3115 const char *liststr;
3116 /* Whether setting the list should succeed */
3117 int valid;
3118 /* Whether creating a connection with the list should succeed */
3119 int connsuccess;
3120} sigalgs_list;
3121
3122static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 3123# ifndef OPENSSL_NO_EC
f1b25aae
MC		 3124static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
3125static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 3126# endif
f1b25aae
MC		 3127static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
3128static const int invalidlist2[] = {NID_sha256, NID_undef};
3129static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
3130static const int invalidlist4[] = {NID_sha256};
3131static const sigalgs_list testsigalgs[] = {
3132 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 3133# ifndef OPENSSL_NO_EC
f1b25aae
MC		 3134 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
3135 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 3136# endif
f1b25aae 3137 {NULL, 0, "RSA+SHA256", 1, 1},
c423ecaa 3138# ifndef OPENSSL_NO_EC
f1b25aae
MC		 3139 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
3140 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 3141# endif
f1b25aae
MC		 3142 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
3143 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
3144 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
3145 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
3146 {NULL, 0, "RSA", 0, 0},
3147 {NULL, 0, "SHA256", 0, 0},
3148 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 3149 {NULL, 0, "Invalid", 0, 0}
3150};
f1b25aae
MC		 3151
3152static int test_set_sigalgs(int idx)
3153{
3154 SSL_CTX *cctx = NULL, *sctx = NULL;
3155 SSL *clientssl = NULL, *serverssl = NULL;
3156 int testresult = 0;
3157 const sigalgs_list *curr;
3158 int testctx;
3159
3160 /* Should never happen */
710756a9 3161 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 3162 return 0;
3163
3164 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
3165 curr = testctx ? &testsigalgs[idx]
3166 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
3167
5e30f2fd
MC		 3168 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3169 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 3170 &sctx, &cctx, cert, privkey)))
f1b25aae 3171 return 0;
f1b25aae 3172
d2e491f2
MC		 3173 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
3174
f1b25aae
MC		 3175 if (testctx) {
3176 int ret;
710756a9 3177
f1b25aae
MC		 3178 if (curr->list != NULL)
3179 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
3180 else
3181 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
3182
3183 if (!ret) {
3184 if (curr->valid)
710756a9 3185 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 3186 else
3187 testresult = 1;
3188 goto end;
3189 }
3190 if (!curr->valid) {
710756a9 3191 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 3192 goto end;
3193 }
3194 }
3195
710756a9
RS		 3196 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3197 &clientssl, NULL, NULL)))
f1b25aae 3198 goto end;
f1b25aae
MC		 3199
3200 if (!testctx) {
3201 int ret;
3202
3203 if (curr->list != NULL)
3204 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3205 else
3206 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3207 if (!ret) {
3208 if (curr->valid)
710756a9 3209 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 3210 else
3211 testresult = 1;
3212 goto end;
3213 }
710756a9 3214 if (!curr->valid)
f1b25aae 3215 goto end;
f1b25aae
MC		 3216 }
3217
710756a9
RS		 3218 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3219 SSL_ERROR_NONE),
3220 curr->connsuccess))
f1b25aae 3221 goto end;
f1b25aae
MC		 3222
3223 testresult = 1;
3224
3225 end:
3226 SSL_free(serverssl);
3227 SSL_free(clientssl);
3228 SSL_CTX_free(sctx);
3229 SSL_CTX_free(cctx);
3230
3231 return testresult;
3232}
c423ecaa 3233#endif
f1b25aae 3234
a763ca11 3235#ifndef OSSL_NO_USABLE_TLS1_3
532f9578
MC		 3236static int psk_client_cb_cnt = 0;
3237static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 3238
3239static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3240 size_t *idlen, SSL_SESSION **sess)
3241{
3242 switch (++use_session_cb_cnt) {
3243 case 1:
3244 /* The first call should always have a NULL md */
3245 if (md != NULL)
3246 return 0;
3247 break;
3248
3249 case 2:
3250 /* The second call should always have an md */
3251 if (md == NULL)
3252 return 0;
3253 break;
3254
3255 default:
3256 /* We should only be called a maximum of twice */
3257 return 0;
3258 }
3259
57dee9bb
MC		 3260 if (clientpsk != NULL)
3261 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 3262
57dee9bb 3263 *sess = clientpsk;
02a3ed5a
MC		 3264 *id = (const unsigned char *)pskid;
3265 *idlen = strlen(pskid);
3266
3267 return 1;
3268}
3269
c2b290c3 3270#ifndef OPENSSL_NO_PSK
532f9578
MC		 3271static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3272 unsigned int max_id_len,
3273 unsigned char *psk,
3274 unsigned int max_psk_len)
3275{
3276 unsigned int psklen = 0;
3277
3278 psk_client_cb_cnt++;
3279
3280 if (strlen(pskid) + 1 > max_id_len)
3281 return 0;
3282
3283 /* We should only ever be called a maximum of twice per connection */
3284 if (psk_client_cb_cnt > 2)
3285 return 0;
3286
3287 if (clientpsk == NULL)
3288 return 0;
3289
3290 /* We'll reuse the PSK we set up for TLSv1.3 */
3291 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3292 return 0;
3293 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3294 strncpy(id, pskid, max_id_len);
3295
3296 return psklen;
3297}
c2b290c3 3298#endif /* OPENSSL_NO_PSK */
532f9578 3299
02a3ed5a
MC		 3300static int find_session_cb(SSL *ssl, const unsigned char *identity,
3301 size_t identity_len, SSL_SESSION **sess)
3302{
3303 find_session_cb_cnt++;
3304
3305 /* We should only ever be called a maximum of twice per connection */
3306 if (find_session_cb_cnt > 2)
3307 return 0;
3308
57dee9bb 3309 if (serverpsk == NULL)
02a3ed5a
MC		 3310 return 0;
3311
3312 /* Identity should match that set by the client */
3313 if (strlen(srvid) != identity_len
3314 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3315 /* No PSK found, continue but without a PSK */
3316 *sess = NULL;
3317 return 1;
3318 }
3319
57dee9bb
MC		 3320 SSL_SESSION_up_ref(serverpsk);
3321 *sess = serverpsk;
02a3ed5a
MC		 3322
3323 return 1;
3324}
3325
c2b290c3 3326#ifndef OPENSSL_NO_PSK
532f9578
MC		 3327static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3328 unsigned char *psk, unsigned int max_psk_len)
3329{
3330 unsigned int psklen = 0;
3331
3332 psk_server_cb_cnt++;
3333
3334 /* We should only ever be called a maximum of twice per connection */
3335 if (find_session_cb_cnt > 2)
3336 return 0;
3337
3338 if (serverpsk == NULL)
3339 return 0;
3340
3341 /* Identity should match that set by the client */
3342 if (strcmp(srvid, identity) != 0) {
3343 return 0;
3344 }
3345
3346 /* We'll reuse the PSK we set up for TLSv1.3 */
3347 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3348 return 0;
3349 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3350
3351 return psklen;
3352}
c2b290c3 3353#endif /* OPENSSL_NO_PSK */
532f9578 3354
5f982038
MC		 3355#define MSG1 "Hello"
3356#define MSG2 "World."
3357#define MSG3 "This"
3358#define MSG4 "is"
3359#define MSG5 "a"
90049cea
MC		 3360#define MSG6 "test"
3361#define MSG7 "message."
5f982038 3362
532f9578 3363#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
0b2b0be9 3364#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3365#define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3366#define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3367#define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
02a3ed5a 3368
8614a4eb
MC		 3369
3370static SSL_SESSION *create_a_psk(SSL *ssl)
3371{
3372 const SSL_CIPHER *cipher = NULL;
3373 const unsigned char key[] = {
3374 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3375 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3376 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3377 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3378 0x2c, 0x2d, 0x2e, 0x2f
3379 };
3380 SSL_SESSION *sess = NULL;
3381
3382 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3383 sess = SSL_SESSION_new();
3384 if (!TEST_ptr(sess)
3385 || !TEST_ptr(cipher)
3386 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
3387 sizeof(key)))
3388 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3389 || !TEST_true(
3390 SSL_SESSION_set_protocol_version(sess,
3391 TLS1_3_VERSION))) {
3392 SSL_SESSION_free(sess);
3393 return NULL;
3394 }
3395 return sess;
3396}
3397
2be5065b
MC		 3398static int artificial_ticket_time = 0;
3399
3400static int ed_gen_cb(SSL *s, void *arg)
3401{
3402 SSL_SESSION *sess = SSL_get0_session(s);
3403
3404 if (sess == NULL)
3405 return 0;
3406
3407 /*
3408 * Artificially give the ticket some age. Just do it for the number of
3409 * tickets we've been told to do.
3410 */
3411 if (artificial_ticket_time == 0)
3412 return 1;
3413 artificial_ticket_time--;
3414
3415 if (SSL_SESSION_set_time(sess, SSL_SESSION_get_time(sess) - 10) == 0)
3416 return 0;
3417
3418 return 1;
3419}
3420
5f982038
MC		 3421/*
3422 * Helper method to setup objects for early data test. Caller frees objects on
3423 * error.
3424 */
3425static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3cb47b4e 3426 SSL **serverssl, SSL_SESSION **sess, int idx)
5f982038 3427{
2be5065b
MC		 3428 int artificial = (artificial_ticket_time > 0);
3429
5a421415 3430 if (*sctx == NULL
5e30f2fd 3431 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5a421415 3432 TLS_client_method(),
5c587fb6 3433 TLS1_VERSION, 0,
5a421415
MC		 3434 sctx, cctx, cert, privkey)))
3435 return 0;
3436
2be5065b
MC		 3437 if (artificial)
3438 SSL_CTX_set_session_ticket_cb(*sctx, ed_gen_cb, NULL, NULL);
3439
5a421415 3440 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 3441 return 0;
5f982038 3442
02a3ed5a
MC		 3443 if (idx == 1) {
3444 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 3445 SSL_CTX_set_read_ahead(*cctx, 1);
3446 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 3447 } else if (idx == 2) {
3448 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3449 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3450 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3451 use_session_cb_cnt = 0;
3452 find_session_cb_cnt = 0;
3453 srvid = pskid;
3cb47b4e
MC		 3454 }
3455
710756a9 3456 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 3457 NULL, NULL)))
3458 return 0;
3459
141e4709
MC		 3460 /*
3461 * For one of the run throughs (doesn't matter which one), we'll try sending
3462 * some SNI data in the initial ClientHello. This will be ignored (because
3463 * there is no SNI cb set up by the server), so it should not impact
3464 * early_data.
3465 */
3466 if (idx == 1
3467 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3468 return 0;
3469
02a3ed5a 3470 if (idx == 2) {
8614a4eb 3471 clientpsk = create_a_psk(*clientssl);
57dee9bb 3472 if (!TEST_ptr(clientpsk)
02a3ed5a
MC		 3473 /*
3474 * We just choose an arbitrary value for max_early_data which
3475 * should be big enough for testing purposes.
3476 */
57dee9bb
MC		 3477 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3478 0x100))
3479 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3480 SSL_SESSION_free(clientpsk);
3481 clientpsk = NULL;
02a3ed5a
MC		 3482 return 0;
3483 }
57dee9bb 3484 serverpsk = clientpsk;
02a3ed5a 3485
c20e3b28
MC		 3486 if (sess != NULL) {
3487 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3488 SSL_SESSION_free(clientpsk);
3489 SSL_SESSION_free(serverpsk);
3490 clientpsk = serverpsk = NULL;
3491 return 0;
3492 }
57dee9bb 3493 *sess = clientpsk;
c20e3b28 3494 }
02a3ed5a
MC		 3495 return 1;
3496 }
3497
3498 if (sess == NULL)
3499 return 1;
3500
3501 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3502 SSL_ERROR_NONE)))
5f982038 3503 return 0;
5f982038
MC		 3504
3505 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 3506 SSL_shutdown(*clientssl);
3507 SSL_shutdown(*serverssl);
5f982038
MC		 3508 SSL_free(*serverssl);
3509 SSL_free(*clientssl);
3510 *serverssl = *clientssl = NULL;
3511
2be5065b
MC		 3512 /*
3513 * Artificially give the ticket some age to match the artificial age we
3514 * gave it on the server side
3515 */
3516 if (artificial
3517 && !TEST_long_gt(SSL_SESSION_set_time(*sess,
3518 SSL_SESSION_get_time(*sess) - 10), 0))
3519 return 0;
3520
710756a9
RS		 3521 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3522 clientssl, NULL, NULL))
3523 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 3524 return 0;
5f982038
MC		 3525
3526 return 1;
3527}
3528
3cb47b4e 3529static int test_early_data_read_write(int idx)
5f982038
MC		 3530{
3531 SSL_CTX *cctx = NULL, *sctx = NULL;
3532 SSL *clientssl = NULL, *serverssl = NULL;
3533 int testresult = 0;
3534 SSL_SESSION *sess = NULL;
9b5c865d
MC		 3535 unsigned char buf[20], data[1024];
3536 size_t readbytes, written, eoedlen, rawread, rawwritten;
3537 BIO *rbio;
5f982038 3538
2be5065b
MC		 3539 /* Artificially give the next 2 tickets some age for non PSK sessions */
3540 if (idx != 2)
3541 artificial_ticket_time = 2;
710756a9 3542 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2be5065b
MC		 3543 &serverssl, &sess, idx))) {
3544 artificial_ticket_time = 0;
5f982038 3545 goto end;
2be5065b
MC		 3546 }
3547 artificial_ticket_time = 0;
5f982038
MC		 3548
3549 /* Write and read some early data */
710756a9
RS		 3550 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3551 &written))
3552 || !TEST_size_t_eq(written, strlen(MSG1))
3553 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3554 sizeof(buf), &readbytes),
3555 SSL_READ_EARLY_DATA_SUCCESS)
3556 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3557 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3558 SSL_EARLY_DATA_ACCEPTED))
5f982038 3559 goto end;
5f982038
MC		 3560
3561 /*
09f28874 3562 * Server should be able to write data, and client should be able to
5f982038
MC		 3563 * read it.
3564 */
710756a9
RS		 3565 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3566 &written))
3567 || !TEST_size_t_eq(written, strlen(MSG2))
3568 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3569 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3570 goto end;
5f982038
MC		 3571
3572 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 3573 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3574 &written))
3575 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 3576 goto end;
5f982038 3577
09f28874 3578 /* Server should still be able read early data after writing data */
710756a9
RS		 3579 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3580 &readbytes),
3581 SSL_READ_EARLY_DATA_SUCCESS)
3582 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 3583 goto end;
5f982038 3584
09f28874 3585 /* Write more data from server and read it from client */
710756a9
RS		 3586 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3587 &written))
3588 || !TEST_size_t_eq(written, strlen(MSG4))
3589 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3590 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 3591 goto end;
5f982038
MC		 3592
3593 /*
3594 * If client writes normal data it should mean writing early data is no
3595 * longer possible.
3596 */
710756a9
RS		 3597 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3598 || !TEST_size_t_eq(written, strlen(MSG5))
3599 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3600 SSL_EARLY_DATA_ACCEPTED))
5f982038 3601 goto end;
5f982038 3602
9b5c865d
MC		 3603 /*
3604 * At this point the client has written EndOfEarlyData, ClientFinished and
3605 * normal (fully protected) data. We are going to cause a delay between the
3606 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3607 * in the read BIO, and then just put back the EndOfEarlyData message.
3608 */
3609 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 3610 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3611 || !TEST_size_t_lt(rawread, sizeof(data))
3612 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 3613 goto end;
710756a9 3614
9b5c865d
MC		 3615 /* Record length is in the 4th and 5th bytes of the record header */
3616 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 3617 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3618 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 3619 goto end;
9b5c865d 3620
5f982038 3621 /* Server should be told that there is no more early data */
710756a9
RS		 3622 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3623 &readbytes),
3624 SSL_READ_EARLY_DATA_FINISH)
3625 || !TEST_size_t_eq(readbytes, 0))
5f982038 3626 goto end;
5f982038 3627
9b5c865d
MC		 3628 /*
3629 * Server has not finished init yet, so should still be able to write early
3630 * data.
3631 */
710756a9
RS		 3632 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3633 &written))
3634 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 3635 goto end;
9b5c865d 3636
f8a303fa 3637 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 3638 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3639 &rawwritten))
3640 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 3641 goto end;
f8a303fa 3642
5f982038 3643 /* Server should be able to read normal data */
710756a9
RS		 3644 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3645 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3646 goto end;
5f982038 3647
09f28874 3648 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3649 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3650 &written)))
5f982038 3651 goto end;
5f982038 3652 ERR_clear_error();
710756a9
RS		 3653 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3654 &readbytes),
3655 SSL_READ_EARLY_DATA_ERROR))
5f982038 3656 goto end;
5f982038
MC		 3657 ERR_clear_error();
3658
9b5c865d 3659 /* Client should be able to read the data sent by the server */
710756a9
RS		 3660 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3661 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 3662 goto end;
710756a9 3663
f8a303fa 3664 /*
36ff232c
MC		 3665 * Make sure we process the two NewSessionTickets. These arrive
3666 * post-handshake. We attempt reads which we do not expect to return any
3667 * data.
f8a303fa 3668 */
36ff232c
MC		 3669 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3670 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3671 &readbytes)))
f8a303fa 3672 goto end;
5f982038 3673
90049cea 3674 /* Server should be able to write normal data */
710756a9
RS		 3675 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3676 || !TEST_size_t_eq(written, strlen(MSG7))
3677 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3678 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 3679 goto end;
90049cea 3680
c20e3b28 3681 SSL_SESSION_free(sess);
5f982038 3682 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 3683 use_session_cb_cnt = 0;
3684 find_session_cb_cnt = 0;
5f982038
MC		 3685
3686 SSL_shutdown(clientssl);
3687 SSL_shutdown(serverssl);
5f982038
MC		 3688 SSL_free(serverssl);
3689 SSL_free(clientssl);
3690 serverssl = clientssl = NULL;
710756a9
RS		 3691 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3692 &clientssl, NULL, NULL))
3693 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 3694 goto end;
5f982038
MC		 3695
3696 /* Write and read some early data */
710756a9
RS		 3697 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3698 &written))
3699 || !TEST_size_t_eq(written, strlen(MSG1))
3700 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3701 &readbytes),
3702 SSL_READ_EARLY_DATA_SUCCESS)
3703 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 3704 goto end;
5f982038 3705
710756a9
RS		 3706 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3707 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 3708 goto end;
5f982038 3709
09f28874 3710 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3711 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3712 &written)))
5f982038 3713 goto end;
5f982038 3714 ERR_clear_error();
710756a9
RS		 3715 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3716 &readbytes),
3717 SSL_READ_EARLY_DATA_ERROR))
5f982038 3718 goto end;
5f982038
MC		 3719 ERR_clear_error();
3720
3721 /* Client and server should be able to write/read normal data */
710756a9
RS		 3722 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3723 || !TEST_size_t_eq(written, strlen(MSG5))
3724 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3725 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3726 goto end;
5f982038
MC		 3727
3728 testresult = 1;
3729
3730 end:
c20e3b28 3731 SSL_SESSION_free(sess);
57dee9bb
MC		 3732 SSL_SESSION_free(clientpsk);
3733 SSL_SESSION_free(serverpsk);
3734 clientpsk = serverpsk = NULL;
5f982038
MC		 3735 SSL_free(serverssl);
3736 SSL_free(clientssl);
3737 SSL_CTX_free(sctx);
3738 SSL_CTX_free(cctx);
5f982038
MC		 3739 return testresult;
3740}
3741
5a421415
MC		 3742static int allow_ed_cb_called = 0;
3743
3744static int allow_early_data_cb(SSL *s, void *arg)
3745{
3746 int *usecb = (int *)arg;
3747
3748 allow_ed_cb_called++;
3749
3750 if (*usecb == 1)
3751 return 0;
3752
3753 return 1;
3754}
3755
3756/*
3757 * idx == 0: Standard early_data setup
3758 * idx == 1: early_data setup using read_ahead
3759 * usecb == 0: Don't use a custom early data callback
3760 * usecb == 1: Use a custom early data callback and reject the early data
3761 * usecb == 2: Use a custom early data callback and accept the early data
3bb5e5b0
MC		 3762 * confopt == 0: Configure anti-replay directly
3763 * confopt == 1: Configure anti-replay using SSL_CONF
5a421415 3764 */
3bb5e5b0 3765static int test_early_data_replay_int(int idx, int usecb, int confopt)
78fb5374
MC		 3766{
3767 SSL_CTX *cctx = NULL, *sctx = NULL;
3768 SSL *clientssl = NULL, *serverssl = NULL;
3769 int testresult = 0;
3770 SSL_SESSION *sess = NULL;
5a421415
MC		 3771 size_t readbytes, written;
3772 unsigned char buf[20];
3773
3774 allow_ed_cb_called = 0;
3775
5e30f2fd
MC		 3776 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3777 TLS_client_method(), TLS1_VERSION, 0,
3778 &sctx, &cctx, cert, privkey)))
5a421415
MC		 3779 return 0;
3780
3781 if (usecb > 0) {
3bb5e5b0
MC		 3782 if (confopt == 0) {
3783 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3784 } else {
3785 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3786
3787 if (!TEST_ptr(confctx))
3788 goto end;
3789 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3790 | SSL_CONF_FLAG_SERVER);
3791 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3792 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3793 2)) {
3794 SSL_CONF_CTX_free(confctx);
3795 goto end;
3796 }
3797 SSL_CONF_CTX_free(confctx);
3798 }
5a421415
MC		 3799 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3800 }
78fb5374
MC		 3801
3802 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3803 &serverssl, &sess, idx)))
3804 goto end;
3805
3806 /*
3807 * The server is configured to accept early data. Create a connection to
3808 * "use up" the ticket
3809 */
3810 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3811 || !TEST_true(SSL_session_reused(clientssl)))
3812 goto end;
3813
3814 SSL_shutdown(clientssl);
3815 SSL_shutdown(serverssl);
3816 SSL_free(serverssl);
3817 SSL_free(clientssl);
3818 serverssl = clientssl = NULL;
3819
3820 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3821 &clientssl, NULL, NULL))
5a421415
MC		 3822 || !TEST_true(SSL_set_session(clientssl, sess)))
3823 goto end;
3824
3825 /* Write and read some early data */
3826 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3827 &written))
3828 || !TEST_size_t_eq(written, strlen(MSG1)))
3829 goto end;
3830
3831 if (usecb <= 1) {
3832 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3833 &readbytes),
3834 SSL_READ_EARLY_DATA_FINISH)
3835 /*
3836 * The ticket was reused, so the we should have rejected the
3837 * early data
3838 */
3839 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3840 SSL_EARLY_DATA_REJECTED))
3841 goto end;
3842 } else {
3843 /* In this case the callback decides to accept the early data */
3844 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3845 &readbytes),
3846 SSL_READ_EARLY_DATA_SUCCESS)
3847 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3848 /*
3849 * Server will have sent its flight so client can now send
3850 * end of early data and complete its half of the handshake
3851 */
3852 || !TEST_int_gt(SSL_connect(clientssl), 0)
3853 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3854 &readbytes),
3855 SSL_READ_EARLY_DATA_FINISH)
3856 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3857 SSL_EARLY_DATA_ACCEPTED))
3858 goto end;
3859 }
3860
3861 /* Complete the connection */
3862 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3863 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3864 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
78fb5374
MC		 3865 goto end;
3866
3867 testresult = 1;
3868
3869 end:
c20e3b28 3870 SSL_SESSION_free(sess);
78fb5374
MC		 3871 SSL_SESSION_free(clientpsk);
3872 SSL_SESSION_free(serverpsk);
3873 clientpsk = serverpsk = NULL;
3874 SSL_free(serverssl);
3875 SSL_free(clientssl);
3876 SSL_CTX_free(sctx);
3877 SSL_CTX_free(cctx);
3878 return testresult;
3879}
3880
5a421415
MC		 3881static int test_early_data_replay(int idx)
3882{
3bb5e5b0 3883 int ret = 1, usecb, confopt;
5a421415 3884
3bb5e5b0
MC		 3885 for (usecb = 0; usecb < 3; usecb++) {
3886 for (confopt = 0; confopt < 2; confopt++)
3887 ret &= test_early_data_replay_int(idx, usecb, confopt);
3888 }
5a421415
MC		 3889
3890 return ret;
3891}
3892
710756a9 3893/*
6b84e6bf
MC		 3894 * Helper function to test that a server attempting to read early data can
3895 * handle a connection from a client where the early data should be skipped.
0d1b7789
MC		 3896 * testtype: 0 == No HRR
3897 * testtype: 1 == HRR
0efa0ba4
MC		 3898 * testtype: 2 == HRR, invalid early_data sent after HRR
3899 * testtype: 3 == recv_max_early_data set to 0
710756a9 3900 */
0d1b7789 3901static int early_data_skip_helper(int testtype, int idx)
5f982038
MC		 3902{
3903 SSL_CTX *cctx = NULL, *sctx = NULL;
3904 SSL *clientssl = NULL, *serverssl = NULL;
3905 int testresult = 0;
018fcbec 3906 SSL_SESSION *sess = NULL;
5f982038
MC		 3907 unsigned char buf[20];
3908 size_t readbytes, written;
3909
710756a9
RS		 3910 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3911 &serverssl, &sess, idx)))
5f982038
MC		 3912 goto end;
3913
0efa0ba4 3914 if (testtype == 1 || testtype == 2) {
6b84e6bf 3915 /* Force an HRR to occur */
dbc6268f
MC		 3916#if defined(OPENSSL_NO_EC)
3917 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3918 goto end;
3919#else
6b84e6bf
MC		 3920 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3921 goto end;
dbc6268f 3922#endif
02a3ed5a
MC		 3923 } else if (idx == 2) {
3924 /*
3925 * We force early_data rejection by ensuring the PSK identity is
3926 * unrecognised
3927 */
3928 srvid = "Dummy Identity";
6b84e6bf
MC		 3929 } else {
3930 /*
3931 * Deliberately corrupt the creation time. We take 20 seconds off the
3932 * time. It could be any value as long as it is not within tolerance.
3933 * This should mean the ticket is rejected.
3934 */
5d99881e 3935 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 3936 goto end;
3937 }
5f982038 3938
0efa0ba4 3939 if (testtype == 3
0d1b7789
MC		 3940 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3941 goto end;
3942
5f982038 3943 /* Write some early data */
710756a9
RS		 3944 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3945 &written))
3946 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 3947 goto end;
5f982038 3948
0d1b7789 3949 /* Server should reject the early data */
710756a9
RS		 3950 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3951 &readbytes),
3952 SSL_READ_EARLY_DATA_FINISH)
3953 || !TEST_size_t_eq(readbytes, 0)
3954 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3955 SSL_EARLY_DATA_REJECTED))
5f982038 3956 goto end;
5f982038 3957
0efa0ba4
MC		 3958 switch (testtype) {
3959 case 0:
3960 /* Nothing to do */
3961 break;
3962
3963 case 1:
6b84e6bf
MC		 3964 /*
3965 * Finish off the handshake. We perform the same writes and reads as
3966 * further down but we expect them to fail due to the incomplete
3967 * handshake.
3968 */
3969 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3970 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3971 &readbytes)))
3972 goto end;
0efa0ba4
MC		 3973 break;
3974
3975 case 2:
3976 {
3977 BIO *wbio = SSL_get_wbio(clientssl);
3978 /* A record that will appear as bad early_data */
3979 const unsigned char bad_early_data[] = {
3980 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3981 };
3982
3983 /*
3984 * We force the client to attempt a write. This will fail because
3985 * we're still in the handshake. It will cause the second
3986 * ClientHello to be sent.
3987 */
3988 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3989 &written)))
3990 goto end;
3991
3992 /*
3993 * Inject some early_data after the second ClientHello. This should
3994 * cause the server to fail
3995 */
3996 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3997 sizeof(bad_early_data), &written)))
3998 goto end;
3999 }
4000 /* fallthrough */
4001
4002 case 3:
0d1b7789 4003 /*
0efa0ba4
MC		 4004 * This client has sent more early_data than we are willing to skip
4005 * (case 3) or sent invalid early_data (case 2) so the connection should
4006 * abort.
0d1b7789
MC		 4007 */
4008 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4009 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
4010 goto end;
4011
4012 /* Connection has failed - nothing more to do */
4013 testresult = 1;
4014 goto end;
0efa0ba4
MC		 4015
4016 default:
4017 TEST_error("Invalid test type");
4018 goto end;
6b84e6bf
MC		 4019 }
4020
0d1b7789
MC		 4021 /*
4022 * Should be able to send normal data despite rejection of early data. The
4023 * early_data should be skipped.
4024 */
710756a9
RS		 4025 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4026 || !TEST_size_t_eq(written, strlen(MSG2))
4027 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4028 SSL_EARLY_DATA_REJECTED)
4029 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4030 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4031 goto end;
5f982038
MC		 4032
4033 testresult = 1;
4034
4035 end:
c20e3b28 4036 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 4037 SSL_SESSION_free(serverpsk);
4038 clientpsk = serverpsk = NULL;
5f982038
MC		 4039 SSL_SESSION_free(sess);
4040 SSL_free(serverssl);
4041 SSL_free(clientssl);
4042 SSL_CTX_free(sctx);
4043 SSL_CTX_free(cctx);
5f982038
MC		 4044 return testresult;
4045}
4046
6b84e6bf
MC		 4047/*
4048 * Test that a server attempting to read early data can handle a connection
4049 * from a client where the early data is not acceptable.
4050 */
4051static int test_early_data_skip(int idx)
4052{
4053 return early_data_skip_helper(0, idx);
4054}
4055
4056/*
4057 * Test that a server attempting to read early data can handle a connection
4058 * from a client where an HRR occurs.
4059 */
4060static int test_early_data_skip_hrr(int idx)
4061{
4062 return early_data_skip_helper(1, idx);
4063}
4064
0efa0ba4
MC		 4065/*
4066 * Test that a server attempting to read early data can handle a connection
4067 * from a client where an HRR occurs and correctly fails if early_data is sent
4068 * after the HRR
4069 */
4070static int test_early_data_skip_hrr_fail(int idx)
4071{
4072 return early_data_skip_helper(2, idx);
4073}
4074
0d1b7789
MC		 4075/*
4076 * Test that a server attempting to read early data will abort if it tries to
4077 * skip over too much.
4078 */
4079static int test_early_data_skip_abort(int idx)
4080{
0efa0ba4 4081 return early_data_skip_helper(3, idx);
0d1b7789
MC		 4082}
4083
710756a9
RS		 4084/*
4085 * Test that a server attempting to read early data can handle a connection
4086 * from a client that doesn't send any.
4087 */
3cb47b4e 4088static int test_early_data_not_sent(int idx)
5f982038
MC		 4089{
4090 SSL_CTX *cctx = NULL, *sctx = NULL;
4091 SSL *clientssl = NULL, *serverssl = NULL;
4092 int testresult = 0;
018fcbec 4093 SSL_SESSION *sess = NULL;
5f982038
MC		 4094 unsigned char buf[20];
4095 size_t readbytes, written;
4096
710756a9
RS		 4097 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4098 &serverssl, &sess, idx)))
5f982038
MC		 4099 goto end;
4100
4101 /* Write some data - should block due to handshake with server */
4102 SSL_set_connect_state(clientssl);
710756a9 4103 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 4104 goto end;
5f982038
MC		 4105
4106 /* Server should detect that early data has not been sent */
710756a9
RS		 4107 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4108 &readbytes),
4109 SSL_READ_EARLY_DATA_FINISH)
4110 || !TEST_size_t_eq(readbytes, 0)
4111 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4112 SSL_EARLY_DATA_NOT_SENT)
4113 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4114 SSL_EARLY_DATA_NOT_SENT))
5f982038 4115 goto end;
5f982038
MC		 4116
4117 /* Continue writing the message we started earlier */
710756a9
RS		 4118 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4119 || !TEST_size_t_eq(written, strlen(MSG1))
4120 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4121 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4122 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
4123 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 4124 goto end;
5f982038 4125
710756a9
RS		 4126 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4127 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4128 goto end;
5f982038
MC		 4129
4130 testresult = 1;
4131
4132 end:
5f982038 4133 SSL_SESSION_free(sess);
c20e3b28 4134 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 4135 SSL_SESSION_free(serverpsk);
4136 clientpsk = serverpsk = NULL;
5f982038
MC		 4137 SSL_free(serverssl);
4138 SSL_free(clientssl);
4139 SSL_CTX_free(sctx);
4140 SSL_CTX_free(cctx);
5f982038
MC		 4141 return testresult;
4142}
4143
976e5323
MC		 4144static const char *servalpn;
4145
c7558d5b
PY		 4146static int alpn_select_cb(SSL *ssl, const unsigned char **out,
4147 unsigned char *outlen, const unsigned char *in,
4148 unsigned int inlen, void *arg)
976e5323 4149{
c7558d5b 4150 unsigned int protlen = 0;
976e5323
MC		 4151 const unsigned char *prot;
4152
c7558d5b
PY		 4153 for (prot = in; prot < in + inlen; prot += protlen) {
4154 protlen = *prot++;
5d99881e 4155 if (in + inlen < prot + protlen)
976e5323
MC		 4156 return SSL_TLSEXT_ERR_NOACK;
4157
4158 if (protlen == strlen(servalpn)
0bd42fde 4159 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 4160 *out = prot;
4161 *outlen = protlen;
4162 return SSL_TLSEXT_ERR_OK;
4163 }
4164 }
4165
4166 return SSL_TLSEXT_ERR_NOACK;
4167}
4168
57dee9bb 4169/* Test that a PSK can be used to send early_data */
976e5323
MC		 4170static int test_early_data_psk(int idx)
4171{
4172 SSL_CTX *cctx = NULL, *sctx = NULL;
4173 SSL *clientssl = NULL, *serverssl = NULL;
4174 int testresult = 0;
4175 SSL_SESSION *sess = NULL;
57dee9bb
MC		 4176 unsigned char alpnlist[] = {
4177 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
4178 'l', 'p', 'n'
4179 };
4180#define GOODALPNLEN 9
4181#define BADALPNLEN 8
4182#define GOODALPN (alpnlist)
4183#define BADALPN (alpnlist + GOODALPNLEN)
4184 int err = 0;
976e5323
MC		 4185 unsigned char buf[20];
4186 size_t readbytes, written;
57dee9bb 4187 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 4188 int edstatus = SSL_EARLY_DATA_ACCEPTED;
4189
4190 /* We always set this up with a final parameter of "2" for PSK */
4191 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4192 &serverssl, &sess, 2)))
4193 goto end;
4194
976e5323
MC		 4195 servalpn = "goodalpn";
4196
57dee9bb
MC		 4197 /*
4198 * Note: There is no test for inconsistent SNI with late client detection.
4199 * This is because servers do not acknowledge SNI even if they are using
4200 * it in a resumption handshake - so it is not actually possible for a
4201 * client to detect a problem.
4202 */
976e5323
MC		 4203 switch (idx) {
4204 case 0:
57dee9bb 4205 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 4206 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
4207 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4208 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
4209 goto end;
4210 break;
4211
4212 case 1:
57dee9bb 4213 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 4214 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
4215 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 4216 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
4217 GOODALPNLEN))
4218 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
4219 BADALPNLEN)))
976e5323
MC		 4220 goto end;
4221 break;
4222
4223 case 2:
4224 /*
4225 * Set invalid protocol version. Technically this affects PSKs without
4226 * early_data too, but we test it here because it is similar to the
4227 * SNI/ALPN consistency tests.
4228 */
4229 err = SSL_R_BAD_PSK;
4230 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
4231 goto end;
4232 break;
4233
4234 case 3:
4235 /*
49ef3d07
MC		 4236 * Set inconsistent SNI (server side). In this case the connection
4237 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
4238 * is associated with each handshake - not the session. Therefore it
4239 * should not matter that we used a different server name last time.
976e5323 4240 */
281bf233
MC		 4241 SSL_SESSION_free(serverpsk);
4242 serverpsk = SSL_SESSION_dup(clientpsk);
4243 if (!TEST_ptr(serverpsk)
4244 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
4245 goto end;
976e5323
MC		 4246 /* Fall through */
4247 case 4:
4248 /* Set consistent SNI */
976e5323
MC		 4249 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4250 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4251 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4252 hostname_cb)))
4253 goto end;
4254 break;
4255
4256 case 5:
4257 /*
4258 * Set inconsistent ALPN (server detected). In this case the connection
4259 * will succeed but reject early_data.
4260 */
4261 servalpn = "badalpn";
4262 edstatus = SSL_EARLY_DATA_REJECTED;
4263 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4264 /* Fall through */
4265 case 6:
976e5323 4266 /*
57dee9bb 4267 * Set consistent ALPN.
976e5323
MC		 4268 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4269 * accepts a list of protos (each one length prefixed).
4270 * SSL_set1_alpn_selected accepts a single protocol (not length
4271 * prefixed)
4272 */
57dee9bb
MC		 4273 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4274 GOODALPNLEN - 1))
4275 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4276 GOODALPNLEN)))
976e5323
MC		 4277 goto end;
4278
4279 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4280 break;
4281
57dee9bb
MC		 4282 case 7:
4283 /* Set inconsistent ALPN (late client detection) */
4284 SSL_SESSION_free(serverpsk);
4285 serverpsk = SSL_SESSION_dup(clientpsk);
4286 if (!TEST_ptr(serverpsk)
4287 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4288 BADALPN + 1,
4289 BADALPNLEN - 1))
4290 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4291 GOODALPN + 1,
4292 GOODALPNLEN - 1))
4293 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4294 sizeof(alpnlist))))
4295 goto end;
4296 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4297 edstatus = SSL_EARLY_DATA_ACCEPTED;
4298 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4299 /* SSL_connect() call should fail */
4300 connectres = -1;
4301 break;
4302
976e5323
MC		 4303 default:
4304 TEST_error("Bad test index");
4305 goto end;
4306 }
4307
4308 SSL_set_connect_state(clientssl);
4309 if (err != 0) {
4310 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4311 &written))
4312 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4313 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4314 goto end;
4315 } else {
4316 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 4317 &written)))
4318 goto end;
4319
4320 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4321 &readbytes), readearlyres)
976e5323
MC		 4322 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4323 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 4324 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4325 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 4326 goto end;
4327 }
4328
4329 testresult = 1;
4330
4331 end:
c20e3b28 4332 SSL_SESSION_free(sess);
57dee9bb
MC		 4333 SSL_SESSION_free(clientpsk);
4334 SSL_SESSION_free(serverpsk);
4335 clientpsk = serverpsk = NULL;
976e5323
MC		 4336 SSL_free(serverssl);
4337 SSL_free(clientssl);
4338 SSL_CTX_free(sctx);
4339 SSL_CTX_free(cctx);
4340 return testresult;
4341}
4342
0b2b0be9 4343/*
4344 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4345 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4346 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4347 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4348 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4349 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4350 */
4351static int test_early_data_psk_with_all_ciphers(int idx)
4352{
4353 SSL_CTX *cctx = NULL, *sctx = NULL;
4354 SSL *clientssl = NULL, *serverssl = NULL;
4355 int testresult = 0;
4356 SSL_SESSION *sess = NULL;
4357 unsigned char buf[20];
4358 size_t readbytes, written;
4359 const SSL_CIPHER *cipher;
4360 const char *cipher_str[] = {
4361 TLS1_3_RFC_AES_128_GCM_SHA256,
4362 TLS1_3_RFC_AES_256_GCM_SHA384,
4363# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4364 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4365# else
4366 NULL,
4367# endif
4368 TLS1_3_RFC_AES_128_CCM_SHA256,
4369 TLS1_3_RFC_AES_128_CCM_8_SHA256
4370 };
4371 const unsigned char *cipher_bytes[] = {
4372 TLS13_AES_128_GCM_SHA256_BYTES,
4373 TLS13_AES_256_GCM_SHA384_BYTES,
4374# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4375 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4376# else
4377 NULL,
4378# endif
4379 TLS13_AES_128_CCM_SHA256_BYTES,
4380 TLS13_AES_128_CCM_8_SHA256_BYTES
4381 };
4382
4383 if (cipher_str[idx] == NULL)
4384 return 1;
4385 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4386 if (idx == 2 && is_fips == 1)
4387 return 1;
4388
4389 /* We always set this up with a final parameter of "2" for PSK */
4390 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4391 &serverssl, &sess, 2)))
4392 goto end;
4393
e0710222
P		 4394 if (idx == 4) {
4395 /* CCM8 ciphers are considered low security due to their short tag */
4396 SSL_set_security_level(clientssl, 0);
4397 SSL_set_security_level(serverssl, 0);
4398 }
4399
0b2b0be9 4400 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4401 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4402 goto end;
4403
4404 /*
4405 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4406 * and assigns to both client and server with incremented reference
4407 * and the same instance is updated in 'sess'.
4408 * So updating ciphersuite in 'sess' which will get reflected in
4409 * PSK handshake using psk use sess and find sess cb.
4410 */
4411 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4412 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4413 goto end;
4414
4415 SSL_set_connect_state(clientssl);
4416 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4417 &written)))
4418 goto end;
4419
4420 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4421 &readbytes),
4422 SSL_READ_EARLY_DATA_SUCCESS)
4423 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4424 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4425 SSL_EARLY_DATA_ACCEPTED)
4426 || !TEST_int_eq(SSL_connect(clientssl), 1)
4427 || !TEST_int_eq(SSL_accept(serverssl), 1))
4428 goto end;
4429
4430 /* Send some normal data from client to server */
4431 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4432 || !TEST_size_t_eq(written, strlen(MSG2)))
4433 goto end;
4434
4435 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4436 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4437 goto end;
4438
4439 testresult = 1;
4440 end:
4441 SSL_SESSION_free(sess);
4442 SSL_SESSION_free(clientpsk);
4443 SSL_SESSION_free(serverpsk);
4444 clientpsk = serverpsk = NULL;
4445 if (clientssl != NULL)
4446 SSL_shutdown(clientssl);
4447 if (serverssl != NULL)
4448 SSL_shutdown(serverssl);
4449 SSL_free(serverssl);
4450 SSL_free(clientssl);
4451 SSL_CTX_free(sctx);
4452 SSL_CTX_free(cctx);
4453 return testresult;
4454}
4455
710756a9
RS		 4456/*
4457 * Test that a server that doesn't try to read early data can handle a
4458 * client sending some.
4459 */
3cb47b4e 4460static int test_early_data_not_expected(int idx)
5f982038
MC		 4461{
4462 SSL_CTX *cctx = NULL, *sctx = NULL;
4463 SSL *clientssl = NULL, *serverssl = NULL;
4464 int testresult = 0;
018fcbec 4465 SSL_SESSION *sess = NULL;
5f982038
MC		 4466 unsigned char buf[20];
4467 size_t readbytes, written;
4468
710756a9
RS		 4469 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4470 &serverssl, &sess, idx)))
5f982038
MC		 4471 goto end;
4472
4473 /* Write some early data */
710756a9
RS		 4474 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4475 &written)))
5f982038 4476 goto end;
5f982038
MC		 4477
4478 /*
4479 * Server should skip over early data and then block waiting for client to
4480 * continue handshake
4481 */
710756a9
RS		 4482 if (!TEST_int_le(SSL_accept(serverssl), 0)
4483 || !TEST_int_gt(SSL_connect(clientssl), 0)
4484 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4485 SSL_EARLY_DATA_REJECTED)
4486 || !TEST_int_gt(SSL_accept(serverssl), 0)
4487 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4488 SSL_EARLY_DATA_REJECTED))
5f982038 4489 goto end;
5f982038
MC		 4490
4491 /* Send some normal data from client to server */
710756a9
RS		 4492 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4493 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 4494 goto end;
5f982038 4495
710756a9
RS		 4496 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4497 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4498 goto end;
5f982038
MC		 4499
4500 testresult = 1;
4501
4502 end:
5f982038 4503 SSL_SESSION_free(sess);
c20e3b28 4504 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 4505 SSL_SESSION_free(serverpsk);
4506 clientpsk = serverpsk = NULL;
5f982038
MC		 4507 SSL_free(serverssl);
4508 SSL_free(clientssl);
4509 SSL_CTX_free(sctx);
4510 SSL_CTX_free(cctx);
5f982038
MC		 4511 return testresult;
4512}
4513
4514
4515# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 4516/*
4517 * Test that a server attempting to read early data can handle a connection
4518 * from a TLSv1.2 client.
4519 */
3cb47b4e 4520static int test_early_data_tls1_2(int idx)
5f982038
MC		 4521{
4522 SSL_CTX *cctx = NULL, *sctx = NULL;
4523 SSL *clientssl = NULL, *serverssl = NULL;
4524 int testresult = 0;
4525 unsigned char buf[20];
4526 size_t readbytes, written;
4527
02a3ed5a
MC		 4528 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4529 &serverssl, NULL, idx)))
5f982038 4530 goto end;
5f982038
MC		 4531
4532 /* Write some data - should block due to handshake with server */
4533 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4534 SSL_set_connect_state(clientssl);
710756a9 4535 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 4536 goto end;
5f982038
MC		 4537
4538 /*
4539 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 4540 * messages from client after ServerDone. Then SSL_read_early_data should
4541 * finish and detect that early data has not been sent
5f982038 4542 */
710756a9
RS		 4543 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4544 &readbytes),
4545 SSL_READ_EARLY_DATA_ERROR))
5f982038 4546 goto end;
5f982038
MC		 4547
4548 /*
4549 * Continue writing the message we started earlier. Will still block waiting
4550 * for the CCS/Finished from server
4551 */
710756a9
RS		 4552 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4553 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4554 &readbytes),
4555 SSL_READ_EARLY_DATA_FINISH)
4556 || !TEST_size_t_eq(readbytes, 0)
4557 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4558 SSL_EARLY_DATA_NOT_SENT))
5f982038 4559 goto end;
5f982038
MC		 4560
4561 /* Continue writing the message we started earlier */
710756a9
RS		 4562 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4563 || !TEST_size_t_eq(written, strlen(MSG1))
4564 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4565 SSL_EARLY_DATA_NOT_SENT)
4566 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4567 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4568 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4569 || !TEST_size_t_eq(written, strlen(MSG2))
4570 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4571 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4572 goto end;
5f982038
MC		 4573
4574 testresult = 1;
4575
4576 end:
57dee9bb
MC		 4577 SSL_SESSION_free(clientpsk);
4578 SSL_SESSION_free(serverpsk);
4579 clientpsk = serverpsk = NULL;
5f982038
MC		 4580 SSL_free(serverssl);
4581 SSL_free(clientssl);
4582 SSL_CTX_free(sctx);
4583 SSL_CTX_free(cctx);
4584
4585 return testresult;
4586}
ca0413ae
MC		 4587# endif /* OPENSSL_NO_TLS1_2 */
4588
034cb87b
MC		 4589/*
4590 * Test configuring the TLSv1.3 ciphersuites
4591 *
4592 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4593 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4594 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4595 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4596 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4597 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4598 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4599 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4600 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4601 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4602 */
4603static int test_set_ciphersuite(int idx)
4604{
4605 SSL_CTX *cctx = NULL, *sctx = NULL;
4606 SSL *clientssl = NULL, *serverssl = NULL;
4607 int testresult = 0;
4608
5e30f2fd
MC		 4609 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4610 TLS_client_method(), TLS1_VERSION, 0,
034cb87b
MC		 4611 &sctx, &cctx, cert, privkey))
4612 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4613 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4614 goto end;
4615
4616 if (idx >=4 && idx <= 7) {
4617 /* SSL_CTX explicit cipher list */
4618 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4619 goto end;
4620 }
4621
4622 if (idx == 0 || idx == 4) {
4623 /* Default ciphersuite */
4624 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4625 "TLS_AES_128_GCM_SHA256")))
4626 goto end;
4627 } else if (idx == 1 || idx == 5) {
4628 /* Non default ciphersuite */
4629 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4630 "TLS_AES_128_CCM_SHA256")))
4631 goto end;
4632 }
4633
4634 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4635 &clientssl, NULL, NULL)))
4636 goto end;
4637
4638 if (idx == 8 || idx == 9) {
4639 /* SSL explicit cipher list */
4640 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4641 goto end;
4642 }
4643
4644 if (idx == 2 || idx == 6 || idx == 8) {
4645 /* Default ciphersuite */
4646 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4647 "TLS_AES_128_GCM_SHA256")))
4648 goto end;
4649 } else if (idx == 3 || idx == 7 || idx == 9) {
4650 /* Non default ciphersuite */
4651 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4652 "TLS_AES_128_CCM_SHA256")))
4653 goto end;
4654 }
4655
4656 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4657 goto end;
4658
4659 testresult = 1;
4660
4661 end:
4662 SSL_free(serverssl);
4663 SSL_free(clientssl);
4664 SSL_CTX_free(sctx);
4665 SSL_CTX_free(cctx);
4666
4667 return testresult;
4668}
4669
ca0413ae
MC		 4670static int test_ciphersuite_change(void)
4671{
4672 SSL_CTX *cctx = NULL, *sctx = NULL;
4673 SSL *clientssl = NULL, *serverssl = NULL;
4674 SSL_SESSION *clntsess = NULL;
4675 int testresult = 0;
4676 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4677
4678 /* Create a session based on SHA-256 */
5e30f2fd
MC		 4679 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4680 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 4681 &sctx, &cctx, cert, privkey))
4f6c7044
MC		 4682 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4683 "TLS_AES_128_GCM_SHA256:"
4684 "TLS_AES_256_GCM_SHA384:"
4685 "TLS_AES_128_CCM_SHA256"))
f865b081 4686 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
e0710222
P		 4687 "TLS_AES_128_GCM_SHA256")))
4688 goto end;
4689
4690 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4691 NULL, NULL))
ca0413ae
MC		 4692 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4693 SSL_ERROR_NONE)))
4694 goto end;
4695
4696 clntsess = SSL_get1_session(clientssl);
4697 /* Save for later */
4698 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4699 SSL_shutdown(clientssl);
4700 SSL_shutdown(serverssl);
4701 SSL_free(serverssl);
4702 SSL_free(clientssl);
4703 serverssl = clientssl = NULL;
4704
4705 /* Check we can resume a session with a different SHA-256 ciphersuite */
f865b081 4706 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4f6c7044
MC		 4707 "TLS_AES_128_CCM_SHA256"))
4708 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4709 &clientssl, NULL, NULL))
ca0413ae
MC		 4710 || !TEST_true(SSL_set_session(clientssl, clntsess))
4711 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4712 SSL_ERROR_NONE))
4713 || !TEST_true(SSL_session_reused(clientssl)))
4714 goto end;
4715
4716 SSL_SESSION_free(clntsess);
4717 clntsess = SSL_get1_session(clientssl);
4718 SSL_shutdown(clientssl);
4719 SSL_shutdown(serverssl);
4720 SSL_free(serverssl);
4721 SSL_free(clientssl);
4722 serverssl = clientssl = NULL;
4723
4724 /*
4725 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 4726 * succeeds but does not resume.
ca0413ae 4727 */
f865b081 4728 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4729 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4730 NULL, NULL))
4731 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 4732 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 4733 SSL_ERROR_SSL))
0de6d66d 4734 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 4735 goto end;
4736
4737 SSL_SESSION_free(clntsess);
4738 clntsess = NULL;
4739 SSL_shutdown(clientssl);
4740 SSL_shutdown(serverssl);
4741 SSL_free(serverssl);
4742 SSL_free(clientssl);
4743 serverssl = clientssl = NULL;
4744
4745 /* Create a session based on SHA384 */
f865b081 4746 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4747 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4748 &clientssl, NULL, NULL))
4749 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4750 SSL_ERROR_NONE)))
4751 goto end;
4752
4753 clntsess = SSL_get1_session(clientssl);
4754 SSL_shutdown(clientssl);
4755 SSL_shutdown(serverssl);
4756 SSL_free(serverssl);
4757 SSL_free(clientssl);
4758 serverssl = clientssl = NULL;
4759
f865b081
MC		 4760 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4761 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4762 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4763 "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4764 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4765 NULL, NULL))
4766 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 4767 /*
4768 * We use SSL_ERROR_WANT_READ below so that we can pause the
4769 * connection after the initial ClientHello has been sent to
4770 * enable us to make some session changes.
4771 */
ca0413ae
MC		 4772 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4773 SSL_ERROR_WANT_READ)))
4774 goto end;
4775
4776 /* Trick the client into thinking this session is for a different digest */
4777 clntsess->cipher = aes_128_gcm_sha256;
4778 clntsess->cipher_id = clntsess->cipher->id;
4779
4780 /*
3b0e88d3
MC		 4781 * Continue the previously started connection. Server has selected a SHA-384
4782 * ciphersuite, but client thinks the session is for SHA-256, so it should
4783 * bail out.
ca0413ae
MC		 4784 */
4785 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4786 SSL_ERROR_SSL))
4787 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4788 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4789 goto end;
4790
4791 testresult = 1;
4792
4793 end:
4794 SSL_SESSION_free(clntsess);
4795 SSL_free(serverssl);
4796 SSL_free(clientssl);
4797 SSL_CTX_free(sctx);
4798 SSL_CTX_free(cctx);
4799
4800 return testresult;
4801}
4802
8e63900a 4803/*
5bf2eade 4804 * Test TLSv1.3 Key exchange
4805 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4806 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4807 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4808 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4809 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4810 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4811 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4812 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4813 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4814 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4815 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4816 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4817 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4818 * Test 13 = Test all FFDHE with TLSv1.2 client and server
8e63900a 4819 */
f89d3d69
BK		 4820# ifndef OPENSSL_NO_EC
4821static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4822 NID_secp521r1, NID_X25519, NID_X448};
4823# endif
4824# ifndef OPENSSL_NO_DH
4825static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4826 NID_ffdhe6144, NID_ffdhe8192};
4827# endif
db26ec80 4828static int test_key_exchange(int idx)
8e63900a 4829{
4830 SSL_CTX *sctx = NULL, *cctx = NULL;
4831 SSL *serverssl = NULL, *clientssl = NULL;
4832 int testresult = 0;
fb8c6db4 4833 int kexch_alg;
4834 int *kexch_groups = &kexch_alg;
4835 int kexch_groups_size = 1;
8e63900a 4836 int max_version = TLS1_3_VERSION;
becbacd7 4837 char *kexch_name0 = NULL;
8e63900a 4838
4839 switch (idx) {
5bf2eade 4840# ifndef OPENSSL_NO_EC
db26ec80 4841# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4842 case 12:
fb8c6db4 4843 max_version = TLS1_2_VERSION;
db26ec80 4844# endif
fb8c6db4 4845 /* Fall through */
4846 case 0:
4847 kexch_groups = ecdhe_kexch_groups;
4848 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
becbacd7 4849 kexch_name0 = "secp256r1";
fb8c6db4 4850 break;
5bf2eade 4851 case 1:
fb8c6db4 4852 kexch_alg = NID_X9_62_prime256v1;
becbacd7 4853 kexch_name0 = "secp256r1";
fb8c6db4 4854 break;
5bf2eade 4855 case 2:
fb8c6db4 4856 kexch_alg = NID_secp384r1;
becbacd7 4857 kexch_name0 = "secp384r1";
fb8c6db4 4858 break;
5bf2eade 4859 case 3:
fb8c6db4 4860 kexch_alg = NID_secp521r1;
becbacd7 4861 kexch_name0 = "secp521r1";
fb8c6db4 4862 break;
5bf2eade 4863 case 4:
fb8c6db4 4864 kexch_alg = NID_X25519;
becbacd7 4865 kexch_name0 = "x25519";
fb8c6db4 4866 break;
5bf2eade 4867 case 5:
fb8c6db4 4868 kexch_alg = NID_X448;
becbacd7 4869 kexch_name0 = "x448";
fb8c6db4 4870 break;
5bf2eade 4871# endif
4872# ifndef OPENSSL_NO_DH
db26ec80 4873# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4874 case 13:
dbc6268f 4875 max_version = TLS1_2_VERSION;
becbacd7 4876 kexch_name0 = "ffdhe2048";
db26ec80 4877# endif
dbc6268f 4878 /* Fall through */
5bf2eade 4879 case 6:
8e63900a 4880 kexch_groups = ffdhe_kexch_groups;
4881 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
becbacd7 4882 kexch_name0 = "ffdhe2048";
8e63900a 4883 break;
5bf2eade 4884 case 7:
fb8c6db4 4885 kexch_alg = NID_ffdhe2048;
becbacd7 4886 kexch_name0 = "ffdhe2048";
fb8c6db4 4887 break;
5bf2eade 4888 case 8:
fb8c6db4 4889 kexch_alg = NID_ffdhe3072;
becbacd7 4890 kexch_name0 = "ffdhe3072";
fb8c6db4 4891 break;
5bf2eade 4892 case 9:
fb8c6db4 4893 kexch_alg = NID_ffdhe4096;
becbacd7 4894 kexch_name0 = "ffdhe4096";
fb8c6db4 4895 break;
5bf2eade 4896 case 10:
fb8c6db4 4897 kexch_alg = NID_ffdhe6144;
becbacd7 4898 kexch_name0 = "ffdhe6144";
fb8c6db4 4899 break;
5bf2eade 4900 case 11:
fb8c6db4 4901 kexch_alg = NID_ffdhe8192;
becbacd7 4902 kexch_name0 = "ffdhe8192";
8e63900a 4903 break;
5bf2eade 4904# endif
6597d62b
MC		 4905 default:
4906 /* We're skipping this test */
4907 return 1;
8e63900a 4908 }
4909
5e30f2fd
MC		 4910 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4911 TLS_client_method(), TLS1_VERSION,
4912 max_version, &sctx, &cctx, cert,
4913 privkey)))
8e63900a 4914 goto end;
4915
5bf2eade 4916 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4917 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4918 goto end;
4919
5bf2eade 4920 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4921 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4922 goto end;
4923
5bf2eade 4924 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
75d48520
BK		 4925 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4926 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4927 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
8e63900a 4928 goto end;
4929
dbc6268f
MC		 4930 /*
4931 * Must include an EC ciphersuite so that we send supported groups in
4932 * TLSv1.2
4933 */
5bf2eade 4934# ifndef OPENSSL_NO_TLS1_2
dbc6268f 4935 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
75d48520
BK		 4936 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4937 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
8e63900a 4938 goto end;
5bf2eade 4939# endif
8e63900a 4940
4941 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4942 NULL, NULL)))
4943 goto end;
4944
4945 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4946 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4947 goto end;
4948
5bf2eade 4949 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8e63900a 4950 goto end;
8e63900a 4951
dbc6268f 4952 /*
5bf2eade 4953 * If Handshake succeeds the negotiated kexch alg should be the first one in
4954 * configured, except in the case of FFDHE groups (idx 13), which are
4955 * TLSv1.3 only so we expect no shared group to exist.
dbc6268f
MC		 4956 */
4957 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
5bf2eade 4958 idx == 13 ? 0 : kexch_groups[0]))
8e63900a 4959 goto end;
becbacd7
MB		 4960
4961 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
4962 kexch_name0))
4963 goto end;
4964
75d48520
BK		 4965 /* We don't implement RFC 7919 named groups for TLS 1.2. */
4966 if (idx != 13) {
fb8c6db4 4967 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4968 goto end;
4969 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4970 goto end;
4971 }
8e63900a 4972
4973 testresult = 1;
4974 end:
4975 SSL_free(serverssl);
4976 SSL_free(clientssl);
4977 SSL_CTX_free(sctx);
4978 SSL_CTX_free(cctx);
4979 return testresult;
4980}
4981
c9cddf05
P		 4982# if !defined(OPENSSL_NO_TLS1_2) \
4983 && !defined(OPENSSL_NO_EC) \
4984 && !defined(OPENSSL_NO_DH)
6dc56df2
BK		 4985static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
4986 int isecdhe, int idx)
4987{
4988 int kexch_alg;
4989 int *kexch_groups = &kexch_alg;
4990 int numec, numff;
4991
4992 numec = OSSL_NELEM(ecdhe_kexch_groups);
4993 numff = OSSL_NELEM(ffdhe_kexch_groups);
4994 if (isecdhe)
4995 kexch_alg = ecdhe_kexch_groups[idx];
4996 else
4997 kexch_alg = ffdhe_kexch_groups[idx];
4998
4999 if (clientmulti) {
5000 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
5001 return 0;
5002 if (isecdhe) {
5003 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
5004 numec)))
5005 return 0;
5006 } else {
5007 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
5008 numff)))
5009 return 0;
5010 }
5011 } else {
5012 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
5013 return 0;
5014 if (isecdhe) {
5015 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
5016 numec)))
5017 return 0;
5018 } else {
5019 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
5020 numff)))
5021 return 0;
5022 }
5023 }
5024 return 1;
5025}
5026
5027/*-
5028 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
5029 * Run through both the ECDHE and FFDHE group lists used in the previous
5030 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
5031 * confirming the expected result; then perform a resumption handshake
5032 * while offering the same group list, and another resumption handshake
5033 * offering a different group list. The returned value should be the
5034 * negotiated group for the initial handshake; for TLS 1.3 resumption
5035 * handshakes the returned value will be negotiated on the resumption
5036 * handshake itself, but for TLS 1.2 resumption handshakes the value will
5037 * be cached in the session from the original handshake, regardless of what
5038 * was offered in the resumption ClientHello.
5039 *
5040 * Using E for the number of EC groups and F for the number of FF groups:
6dc56df2
BK		 5041 * E tests of ECDHE with TLS 1.3, server only has one group
5042 * F tests of FFDHE with TLS 1.3, server only has one group
5043 * E tests of ECDHE with TLS 1.2, server only has one group
5044 * F tests of FFDHE with TLS 1.2, server only has one group
3bd5319b
BK		 5045 * E tests of ECDHE with TLS 1.3, client sends only one group
5046 * F tests of FFDHE with TLS 1.3, client sends only one group
5047 * E tests of ECDHE with TLS 1.2, client sends only one group
5048 * F tests of FFDHE with TLS 1.2, client sends only one group
6dc56df2
BK		 5049 */
5050static int test_negotiated_group(int idx)
5051{
5052 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
5053 int expectednid;
5054 SSL_CTX *sctx = NULL, *cctx = NULL;
5055 SSL *serverssl = NULL, *clientssl = NULL;
5056 SSL_SESSION *origsess = NULL;
5057 int testresult = 0;
5058 int kexch_alg;
5059 int max_version = TLS1_3_VERSION;
5060
5061 numec = OSSL_NELEM(ecdhe_kexch_groups);
5062 numff = OSSL_NELEM(ffdhe_kexch_groups);
5063 numgroups = numec + numff;
5064 clientmulti = (idx < 2 * numgroups);
5065 idx = idx % (2 * numgroups);
5066 istls13 = (idx < numgroups);
5067 idx = idx % numgroups;
5068 isecdhe = (idx < numec);
5069 if (!isecdhe)
5070 idx -= numec;
5071 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
5072 if (isecdhe)
5073 kexch_alg = ecdhe_kexch_groups[idx];
5074 else
5075 kexch_alg = ffdhe_kexch_groups[idx];
5076 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
5077 if (!istls13 && !isecdhe)
5078 expectednid = NID_undef;
5079 else
5080 expectednid = kexch_alg;
5081
5082 if (!istls13)
5083 max_version = TLS1_2_VERSION;
5084
5085 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5086 TLS_client_method(), TLS1_VERSION,
5087 max_version, &sctx, &cctx, cert,
5088 privkey)))
5089 goto end;
5090
5091 /*
5092 * Force (EC)DHE ciphers for TLS 1.2.
5093 * Be sure to enable auto tmp DH so that FFDHE can succeed.
5094 */
5095 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5096 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5097 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5098 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5099 goto end;
5100 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5101 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5102 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5103 goto end;
5104
5105 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5106 NULL, NULL)))
5107 goto end;
5108
5109 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
5110 idx)))
5111 goto end;
5112
5113 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5114 goto end;
5115
5116 /* Initial handshake; always the configured one */
5117 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5118 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5119 goto end;
5120
5121 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
5122 goto end;
5123
5124 SSL_shutdown(clientssl);
5125 SSL_shutdown(serverssl);
5126 SSL_free(serverssl);
5127 SSL_free(clientssl);
5128 serverssl = clientssl = NULL;
5129
5130 /* First resumption attempt; use the same config as initial handshake */
5131 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5132 NULL, NULL))
5133 || !TEST_true(SSL_set_session(clientssl, origsess))
5134 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5135 isecdhe, idx)))
5136 goto end;
5137
5138 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5139 || !TEST_true(SSL_session_reused(clientssl)))
5140 goto end;
5141
5142 /* Still had better agree, since nothing changed... */
5143 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5144 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5145 goto end;
5146
5147 SSL_shutdown(clientssl);
5148 SSL_shutdown(serverssl);
5149 SSL_free(serverssl);
5150 SSL_free(clientssl);
5151 serverssl = clientssl = NULL;
5152
5153 /*-
5154 * Second resumption attempt
5155 * The party that picks one group changes it, which we effectuate by
5156 * changing 'idx' and updating what we expect.
5157 */
5158 if (idx == 0)
5159 idx = 1;
5160 else
5161 idx--;
5162 if (istls13) {
5163 if (isecdhe)
5164 expectednid = ecdhe_kexch_groups[idx];
5165 else
5166 expectednid = ffdhe_kexch_groups[idx];
5167 /* Verify that we are changing what we expect. */
5168 if (!TEST_int_ne(expectednid, kexch_alg))
5169 goto end;
5170 } else {
5171 /* TLS 1.2 only supports named groups for ECDHE. */
5172 if (isecdhe)
5173 expectednid = kexch_alg;
5174 else
5175 expectednid = 0;
5176 }
5177 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5178 NULL, NULL))
5179 || !TEST_true(SSL_set_session(clientssl, origsess))
5180 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5181 isecdhe, idx)))
5182 goto end;
5183
5184 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5185 || !TEST_true(SSL_session_reused(clientssl)))
5186 goto end;
5187
5188 /* Check that we get what we expected */
5189 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5190 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5191 goto end;
5192
5193 testresult = 1;
5194 end:
5195 SSL_free(serverssl);
5196 SSL_free(clientssl);
5197 SSL_CTX_free(sctx);
5198 SSL_CTX_free(cctx);
5199 SSL_SESSION_free(origsess);
5200 return testresult;
5201}
5202# endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
5203
5bf2eade 5204/*
5205 * Test TLSv1.3 Cipher Suite
5206 * Test 0 = Set TLS1.3 cipher on context
5207 * Test 1 = Set TLS1.3 cipher on SSL
5208 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
5209 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
5210 */
5211static int test_tls13_ciphersuite(int idx)
5212{
5213 SSL_CTX *sctx = NULL, *cctx = NULL;
5214 SSL *serverssl = NULL, *clientssl = NULL;
4f6c7044
MC		 5215 static const struct {
5216 const char *ciphername;
5217 int fipscapable;
e0710222 5218 int low_security;
4f6c7044 5219 } t13_ciphers[] = {
e0710222
P		 5220 { TLS1_3_RFC_AES_128_GCM_SHA256, 1, 0 },
5221 { TLS1_3_RFC_AES_256_GCM_SHA384, 1, 0 },
5222 { TLS1_3_RFC_AES_128_CCM_SHA256, 1, 0 },
5bf2eade 5223# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e0710222 5224 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
4f6c7044 5225 { TLS1_3_RFC_AES_256_GCM_SHA384
e0710222 5226 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5bf2eade 5227# endif
e0710222
P		 5228 /* CCM8 ciphers are considered low security due to their short tag */
5229 { TLS1_3_RFC_AES_128_CCM_8_SHA256
5230 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1, 1 }
5bf2eade 5231 };
5232 const char *t13_cipher = NULL;
5233 const char *t12_cipher = NULL;
5234 const char *negotiated_scipher;
5235 const char *negotiated_ccipher;
5236 int set_at_ctx = 0;
5237 int set_at_ssl = 0;
5238 int testresult = 0;
5239 int max_ver;
5240 size_t i;
5241
5242 switch (idx) {
5243 case 0:
5244 set_at_ctx = 1;
5245 break;
5246 case 1:
5247 set_at_ssl = 1;
5248 break;
5249 case 2:
5250 set_at_ctx = 1;
2d900758 5251 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 5252 break;
5253 case 3:
5254 set_at_ssl = 1;
2d900758 5255 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 5256 break;
5257 }
5258
5259 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5260# ifdef OPENSSL_NO_TLS1_2
5261 if (max_ver == TLS1_2_VERSION)
5262 continue;
5263# endif
5264 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4f6c7044
MC		 5265 if (is_fips && !t13_ciphers[i].fipscapable)
5266 continue;
5267 t13_cipher = t13_ciphers[i].ciphername;
5e30f2fd 5268 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5bf2eade 5269 TLS_client_method(),
5270 TLS1_VERSION, max_ver,
5271 &sctx, &cctx, cert, privkey)))
5272 goto end;
5273
e0710222
P		 5274 if (t13_ciphers[i].low_security) {
5275 SSL_CTX_set_security_level(sctx, 0);
5276 SSL_CTX_set_security_level(cctx, 0);
5277 }
5278
5bf2eade 5279 if (set_at_ctx) {
5280 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5281 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5282 goto end;
5283 if (t12_cipher != NULL) {
5284 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5285 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5286 t12_cipher)))
5287 goto end;
5288 }
5289 }
5290
5291 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5292 &clientssl, NULL, NULL)))
5293 goto end;
5294
5295 if (set_at_ssl) {
5296 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5297 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5298 goto end;
5299 if (t12_cipher != NULL) {
5300 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5301 || !TEST_true(SSL_set_cipher_list(clientssl,
5302 t12_cipher)))
5303 goto end;
5304 }
5305 }
5306
5307 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5308 SSL_ERROR_NONE)))
5309 goto end;
5310
5311 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5312 serverssl));
5313 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5314 clientssl));
5315 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5316 goto end;
5317
5318 /*
5319 * TEST_strn_eq is used below because t13_cipher can contain
5320 * multiple ciphersuites
5321 */
5322 if (max_ver == TLS1_3_VERSION
5323 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5324 strlen(negotiated_scipher)))
5325 goto end;
5326
5327# ifndef OPENSSL_NO_TLS1_2
5328 /* Below validation is not done when t12_cipher is NULL */
5329 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5330 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5331 goto end;
5332# endif
5333
5334 SSL_free(serverssl);
5335 serverssl = NULL;
5336 SSL_free(clientssl);
5337 clientssl = NULL;
5338 SSL_CTX_free(sctx);
5339 sctx = NULL;
5340 SSL_CTX_free(cctx);
5341 cctx = NULL;
5342 }
5343 }
5344
5345 testresult = 1;
5346 end:
5347 SSL_free(serverssl);
5348 SSL_free(clientssl);
5349 SSL_CTX_free(sctx);
5350 SSL_CTX_free(cctx);
5351 return testresult;
5352}
5353
0d8da779
MC		 5354/*
5355 * Test TLSv1.3 PSKs
5356 * Test 0 = Test new style callbacks
5357 * Test 1 = Test both new and old style callbacks
5358 * Test 2 = Test old style callbacks
5359 * Test 3 = Test old style callbacks with no certificate
5360 */
532f9578 5361static int test_tls13_psk(int idx)
ca8c71ba
MC		 5362{
5363 SSL_CTX *sctx = NULL, *cctx = NULL;
5364 SSL *serverssl = NULL, *clientssl = NULL;
5365 const SSL_CIPHER *cipher = NULL;
5366 const unsigned char key[] = {
5367 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5368 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 5369 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5370 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 5371 };
5372 int testresult = 0;
5373
5e30f2fd
MC		 5374 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5375 TLS_client_method(), TLS1_VERSION, 0,
0d8da779
MC		 5376 &sctx, &cctx, idx == 3 ? NULL : cert,
5377 idx == 3 ? NULL : privkey)))
ca8c71ba
MC		 5378 goto end;
5379
0d8da779
MC		 5380 if (idx != 3) {
5381 /*
5382 * We use a ciphersuite with SHA256 to ease testing old style PSK
5383 * callbacks which will always default to SHA256. This should not be
5384 * necessary if we have no cert/priv key. In that case the server should
5385 * prefer SHA256 automatically.
5386 */
5387 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5388 "TLS_AES_128_GCM_SHA256")))
5389 goto end;
4f6c7044
MC		 5390 } else {
5391 /*
5392 * As noted above the server should prefer SHA256 automatically. However
5393 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5394 * code works even if we are testing with only the FIPS provider loaded.
5395 */
5396 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5397 "TLS_AES_256_GCM_SHA384:"
5398 "TLS_AES_128_GCM_SHA256")))
5399 goto end;
0d8da779 5400 }
532f9578
MC		 5401
5402 /*
5403 * Test 0: New style callbacks only
5404 * Test 1: New and old style callbacks (only the new ones should be used)
5405 * Test 2: Old style callbacks only
5406 */
5407 if (idx == 0 || idx == 1) {
5408 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5409 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5410 }
c2b290c3 5411#ifndef OPENSSL_NO_PSK
0d8da779 5412 if (idx >= 1) {
532f9578
MC		 5413 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5414 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5415 }
c2b290c3 5416#endif
ca8c71ba 5417 srvid = pskid;
02a3ed5a
MC		 5418 use_session_cb_cnt = 0;
5419 find_session_cb_cnt = 0;
532f9578
MC		 5420 psk_client_cb_cnt = 0;
5421 psk_server_cb_cnt = 0;
ca8c71ba 5422
0d8da779
MC		 5423 if (idx != 3) {
5424 /*
5425 * Check we can create a connection if callback decides not to send a
5426 * PSK
5427 */
5428 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5429 NULL, NULL))
5430 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5431 SSL_ERROR_NONE))
5432 || !TEST_false(SSL_session_reused(clientssl))
5433 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 5434 goto end;
532f9578 5435
0d8da779
MC		 5436 if (idx == 0 || idx == 1) {
5437 if (!TEST_true(use_session_cb_cnt == 1)
5438 || !TEST_true(find_session_cb_cnt == 0)
5439 /*
5440 * If no old style callback then below should be 0
5441 * otherwise 1
5442 */
5443 || !TEST_true(psk_client_cb_cnt == idx)
5444 || !TEST_true(psk_server_cb_cnt == 0))
5445 goto end;
5446 } else {
5447 if (!TEST_true(use_session_cb_cnt == 0)
5448 || !TEST_true(find_session_cb_cnt == 0)
5449 || !TEST_true(psk_client_cb_cnt == 1)
5450 || !TEST_true(psk_server_cb_cnt == 0))
5451 goto end;
5452 }
5453
5454 shutdown_ssl_connection(serverssl, clientssl);
5455 serverssl = clientssl = NULL;
5456 use_session_cb_cnt = psk_client_cb_cnt = 0;
5457 }
ca8c71ba
MC		 5458
5459 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5460 NULL, NULL)))
5461 goto end;
5462
5463 /* Create the PSK */
532f9578 5464 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 5465 clientpsk = SSL_SESSION_new();
5466 if (!TEST_ptr(clientpsk)
ca8c71ba 5467 || !TEST_ptr(cipher)
57dee9bb
MC		 5468 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5469 sizeof(key)))
5470 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5471 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5472 TLS1_3_VERSION))
5473 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 5474 goto end;
57dee9bb 5475 serverpsk = clientpsk;
ca8c71ba
MC		 5476
5477 /* Check we can create a connection and the PSK is used */
5478 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5479 || !TEST_true(SSL_session_reused(clientssl))
532f9578 5480 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 5481 goto end;
5482
532f9578
MC		 5483 if (idx == 0 || idx == 1) {
5484 if (!TEST_true(use_session_cb_cnt == 1)
5485 || !TEST_true(find_session_cb_cnt == 1)
5486 || !TEST_true(psk_client_cb_cnt == 0)
5487 || !TEST_true(psk_server_cb_cnt == 0))
5488 goto end;
5489 } else {
5490 if (!TEST_true(use_session_cb_cnt == 0)
5491 || !TEST_true(find_session_cb_cnt == 0)
5492 || !TEST_true(psk_client_cb_cnt == 1)
5493 || !TEST_true(psk_server_cb_cnt == 1))
5494 goto end;
5495 }
5496
ca8c71ba
MC		 5497 shutdown_ssl_connection(serverssl, clientssl);
5498 serverssl = clientssl = NULL;
5499 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 5500 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 5501
5502 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5503 NULL, NULL)))
5504 goto end;
5505
5506 /* Force an HRR */
dbc6268f
MC		 5507#if defined(OPENSSL_NO_EC)
5508 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5509 goto end;
5510#else
ca8c71ba
MC		 5511 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
5512 goto end;
dbc6268f 5513#endif
ca8c71ba
MC		 5514
5515 /*
5516 * Check we can create a connection, the PSK is used and the callbacks are
5517 * called twice.
5518 */
5519 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5520 || !TEST_true(SSL_session_reused(clientssl))
532f9578 5521 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 5522 goto end;
5523
532f9578
MC		 5524 if (idx == 0 || idx == 1) {
5525 if (!TEST_true(use_session_cb_cnt == 2)
5526 || !TEST_true(find_session_cb_cnt == 2)
5527 || !TEST_true(psk_client_cb_cnt == 0)
5528 || !TEST_true(psk_server_cb_cnt == 0))
5529 goto end;
5530 } else {
5531 if (!TEST_true(use_session_cb_cnt == 0)
5532 || !TEST_true(find_session_cb_cnt == 0)
5533 || !TEST_true(psk_client_cb_cnt == 2)
5534 || !TEST_true(psk_server_cb_cnt == 2))
5535 goto end;
5536 }
5537
ca8c71ba
MC		 5538 shutdown_ssl_connection(serverssl, clientssl);
5539 serverssl = clientssl = NULL;
5540 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 5541 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba 5542
0d8da779
MC		 5543 if (idx != 3) {
5544 /*
5545 * Check that if the server rejects the PSK we can still connect, but with
5546 * a full handshake
5547 */
5548 srvid = "Dummy Identity";
5549 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5550 NULL, NULL))
5551 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5552 SSL_ERROR_NONE))
5553 || !TEST_false(SSL_session_reused(clientssl))
5554 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 5555 goto end;
532f9578 5556
0d8da779
MC		 5557 if (idx == 0 || idx == 1) {
5558 if (!TEST_true(use_session_cb_cnt == 1)
5559 || !TEST_true(find_session_cb_cnt == 1)
5560 || !TEST_true(psk_client_cb_cnt == 0)
5561 /*
5562 * If no old style callback then below should be 0
5563 * otherwise 1
5564 */
5565 || !TEST_true(psk_server_cb_cnt == idx))
5566 goto end;
5567 } else {
5568 if (!TEST_true(use_session_cb_cnt == 0)
5569 || !TEST_true(find_session_cb_cnt == 0)
5570 || !TEST_true(psk_client_cb_cnt == 1)
5571 || !TEST_true(psk_server_cb_cnt == 1))
5572 goto end;
5573 }
5574
5575 shutdown_ssl_connection(serverssl, clientssl);
5576 serverssl = clientssl = NULL;
5577 }
ca8c71ba
MC		 5578 testresult = 1;
5579
5580 end:
57dee9bb
MC		 5581 SSL_SESSION_free(clientpsk);
5582 SSL_SESSION_free(serverpsk);
5583 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 5584 SSL_free(serverssl);
5585 SSL_free(clientssl);
5586 SSL_CTX_free(sctx);
5587 SSL_CTX_free(cctx);
5588 return testresult;
5589}
5590
c7b8ff25
MC		 5591static unsigned char cookie_magic_value[] = "cookie magic";
5592
5593static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5594 unsigned int *cookie_len)
5595{
5596 /*
5597 * Not suitable as a real cookie generation function but good enough for
5598 * testing!
5599 */
97ea1e7f
MC		 5600 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5601 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 5602
5603 return 1;
5604}
5605
5606static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5607 unsigned int cookie_len)
5608{
97ea1e7f 5609 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 5610 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5611 return 1;
5612
5613 return 0;
5614}
5615
3fa2812f
BS		 5616static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5617 size_t *cookie_len)
5618{
5619 unsigned int temp;
5620 int res = generate_cookie_callback(ssl, cookie, &temp);
5621 *cookie_len = temp;
5622 return res;
5623}
5624
5625static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5626 size_t cookie_len)
5627{
5628 return verify_cookie_callback(ssl, cookie, cookie_len);
5629}
5630
c7b8ff25
MC		 5631static int test_stateless(void)
5632{
5633 SSL_CTX *sctx = NULL, *cctx = NULL;
5634 SSL *serverssl = NULL, *clientssl = NULL;
5635 int testresult = 0;
5636
5e30f2fd
MC		 5637 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5638 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5639 &sctx, &cctx, cert, privkey)))
c7b8ff25
MC		 5640 goto end;
5641
e440f513
MC		 5642 /* The arrival of CCS messages can confuse the test */
5643 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5644
5645 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5646 NULL, NULL))
5647 /* Send the first ClientHello */
5648 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5649 SSL_ERROR_WANT_READ))
5650 /*
5651 * This should fail with a -1 return because we have no callbacks
5652 * set up
5653 */
5654 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5655 goto end;
5656
5657 /* Fatal error so abandon the connection from this client */
5658 SSL_free(clientssl);
5659 clientssl = NULL;
5660
c7b8ff25 5661 /* Set up the cookie generation and verification callbacks */
3fa2812f
BS		 5662 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5663 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
c7b8ff25 5664
e440f513
MC		 5665 /*
5666 * Create a new connection from the client (we can reuse the server SSL
5667 * object).
5668 */
c7b8ff25
MC		 5669 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5670 NULL, NULL))
5671 /* Send the first ClientHello */
5672 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5673 SSL_ERROR_WANT_READ))
5674 /* This should fail because there is no cookie */
e440f513 5675 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 5676 goto end;
5677
5678 /* Abandon the connection from this client */
5679 SSL_free(clientssl);
5680 clientssl = NULL;
5681
5682 /*
5683 * Now create a connection from a new client but with the same server SSL
5684 * object
5685 */
5686 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5687 NULL, NULL))
5688 /* Send the first ClientHello */
5689 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5690 SSL_ERROR_WANT_READ))
5691 /* This should fail because there is no cookie */
e440f513 5692 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 5693 /* Send the second ClientHello */
5694 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5695 SSL_ERROR_WANT_READ))
5696 /* This should succeed because a cookie is now present */
e440f513 5697 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 5698 /* Complete the connection */
5699 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5700 SSL_ERROR_NONE)))
5701 goto end;
5702
5703 shutdown_ssl_connection(serverssl, clientssl);
5704 serverssl = clientssl = NULL;
5705 testresult = 1;
5706
5707 end:
5708 SSL_free(serverssl);
5709 SSL_free(clientssl);
5710 SSL_CTX_free(sctx);
5711 SSL_CTX_free(cctx);
5712 return testresult;
5713
5714}
a763ca11 5715#endif /* OSSL_NO_USABLE_TLS1_3 */
5f982038 5716
a37008d9
MC		 5717static int clntaddoldcb = 0;
5718static int clntparseoldcb = 0;
5719static int srvaddoldcb = 0;
5720static int srvparseoldcb = 0;
5721static int clntaddnewcb = 0;
5722static int clntparsenewcb = 0;
5723static int srvaddnewcb = 0;
5724static int srvparsenewcb = 0;
bb01ef3f 5725static int snicb = 0;
a37008d9
MC		 5726
5727#define TEST_EXT_TYPE1 0xff00
5728
5729static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5730 size_t *outlen, int *al, void *add_arg)
5731{
5732 int *server = (int *)add_arg;
5733 unsigned char *data;
5734
5735 if (SSL_is_server(s))
5736 srvaddoldcb++;
5737 else
5738 clntaddoldcb++;
5739
710756a9
RS		 5740 if (*server != SSL_is_server(s)
5741 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5742 return -1;
5743
5744 *data = 1;
5745 *out = data;
5746 *outlen = sizeof(char);
a37008d9
MC		 5747 return 1;
5748}
5749
5750static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5751 void *add_arg)
5752{
5753 OPENSSL_free((unsigned char *)out);
5754}
5755
5756static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5757 size_t inlen, int *al, void *parse_arg)
5758{
5759 int *server = (int *)parse_arg;
5760
5761 if (SSL_is_server(s))
5762 srvparseoldcb++;
5763 else
5764 clntparseoldcb++;
5765
710756a9
RS		 5766 if (*server != SSL_is_server(s)
5767 || inlen != sizeof(char)
5768 || *in != 1)
a37008d9
MC		 5769 return -1;
5770
5771 return 1;
5772}
5773
5774static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5775 const unsigned char **out, size_t *outlen, X509 *x,
5776 size_t chainidx, int *al, void *add_arg)
5777{
5778 int *server = (int *)add_arg;
5779 unsigned char *data;
5780
5781 if (SSL_is_server(s))
5782 srvaddnewcb++;
5783 else
5784 clntaddnewcb++;
5785
710756a9
RS		 5786 if (*server != SSL_is_server(s)
5787 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5788 return -1;
5789
5790 *data = 1;
5791 *out = data;
710756a9 5792 *outlen = sizeof(*data);
a37008d9
MC		 5793 return 1;
5794}
5795
5796static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5797 const unsigned char *out, void *add_arg)
5798{
5799 OPENSSL_free((unsigned char *)out);
5800}
5801
5802static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5803 const unsigned char *in, size_t inlen, X509 *x,
5804 size_t chainidx, int *al, void *parse_arg)
5805{
5806 int *server = (int *)parse_arg;
5807
5808 if (SSL_is_server(s))
5809 srvparsenewcb++;
5810 else
5811 clntparsenewcb++;
5812
710756a9
RS		 5813 if (*server != SSL_is_server(s)
5814 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 5815 return -1;
5816
5817 return 1;
5818}
bb01ef3f
MC		 5819
5820static int sni_cb(SSL *s, int *al, void *arg)
5821{
5822 SSL_CTX *ctx = (SSL_CTX *)arg;
5823
5824 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5825 *al = SSL_AD_INTERNAL_ERROR;
5826 return SSL_TLSEXT_ERR_ALERT_FATAL;
5827 }
5828 snicb++;
5829 return SSL_TLSEXT_ERR_OK;
5830}
5831
0db3a990
MC		 5832static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5833{
5834 return 1;
5835}
5836
a37008d9
MC		 5837/*
5838 * Custom call back tests.
5839 * Test 0: Old style callbacks in TLSv1.2
5840 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 5841 * Test 2: New style callbacks in TLSv1.2 with SNI
5842 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5843 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
0db3a990 5844 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
a37008d9 5845 */
710756a9
RS		 5846static int test_custom_exts(int tst)
5847{
bb01ef3f 5848 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 5849 SSL *clientssl = NULL, *serverssl = NULL;
5850 int testresult = 0;
5851 static int server = 1;
5852 static int client = 0;
5853 SSL_SESSION *sess = NULL;
5854 unsigned int context;
5855
a763ca11 5856#if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
c423ecaa
MC		 5857 /* Skip tests for TLSv1.2 and below in this case */
5858 if (tst < 3)
5859 return 1;
5860#endif
5861
a37008d9
MC		 5862 /* Reset callback counters */
5863 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5864 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 5865 snicb = 0;
a37008d9 5866
5e30f2fd
MC		 5867 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5868 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5869 &sctx, &cctx, cert, privkey)))
710756a9 5870 goto end;
a37008d9 5871
bb01ef3f 5872 if (tst == 2
5e30f2fd 5873 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5c587fb6 5874 TLS1_VERSION, 0,
7d7f6834 5875 &sctx2, NULL, cert, privkey)))
bb01ef3f
MC		 5876 goto end;
5877
5878
5879 if (tst < 3) {
a37008d9
MC		 5880 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5881 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 5882 if (sctx2 != NULL)
5883 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 5884 }
5885
0db3a990
MC		 5886 if (tst == 5) {
5887 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
5888 | SSL_EXT_TLS1_3_CERTIFICATE;
5889 SSL_CTX_set_verify(sctx,
5890 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
5891 verify_cb);
5892 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
5893 SSL_FILETYPE_PEM), 1)
5894 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
5895 SSL_FILETYPE_PEM), 1)
5896 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
5897 goto end;
5898 } else if (tst == 4) {
710756a9
RS		 5899 context = SSL_EXT_CLIENT_HELLO
5900 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 5901 | SSL_EXT_TLS1_3_SERVER_HELLO
5902 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5903 | SSL_EXT_TLS1_3_CERTIFICATE
5904 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5905 } else {
710756a9
RS		 5906 context = SSL_EXT_CLIENT_HELLO
5907 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 5908 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5909 }
5910
5911 /* Create a client side custom extension */
5912 if (tst == 0) {
710756a9
RS		 5913 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5914 old_add_cb, old_free_cb,
5915 &client, old_parse_cb,
5916 &client)))
5917 goto end;
a37008d9 5918 } else {
710756a9
RS		 5919 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5920 new_add_cb, new_free_cb,
5921 &client, new_parse_cb, &client)))
5922 goto end;
a37008d9
MC		 5923 }
5924
5925 /* Should not be able to add duplicates */
710756a9
RS		 5926 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5927 old_add_cb, old_free_cb,
5928 &client, old_parse_cb,
5929 &client))
5930 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5931 context, new_add_cb,
5932 new_free_cb, &client,
5933 new_parse_cb, &client)))
5934 goto end;
a37008d9
MC		 5935
5936 /* Create a server side custom extension */
5937 if (tst == 0) {
710756a9
RS		 5938 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5939 old_add_cb, old_free_cb,
5940 &server, old_parse_cb,
5941 &server)))
5942 goto end;
a37008d9 5943 } else {
710756a9
RS		 5944 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5945 new_add_cb, new_free_cb,
5946 &server, new_parse_cb, &server)))
5947 goto end;
bb01ef3f
MC		 5948 if (sctx2 != NULL
5949 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5950 context, new_add_cb,
5951 new_free_cb, &server,
5952 new_parse_cb, &server)))
5953 goto end;
a37008d9
MC		 5954 }
5955
5956 /* Should not be able to add duplicates */
710756a9
RS		 5957 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5958 old_add_cb, old_free_cb,
5959 &server, old_parse_cb,
5960 &server))
5961 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5962 context, new_add_cb,
5963 new_free_cb, &server,
5964 new_parse_cb, &server)))
a37008d9 5965 goto end;
a37008d9 5966
bb01ef3f
MC		 5967 if (tst == 2) {
5968 /* Set up SNI */
5969 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5970 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5971 goto end;
5972 }
5973
710756a9
RS		 5974 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5975 &clientssl, NULL, NULL))
5976 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5977 SSL_ERROR_NONE)))
a37008d9 5978 goto end;
a37008d9
MC		 5979
5980 if (tst == 0) {
710756a9
RS		 5981 if (clntaddoldcb != 1
5982 || clntparseoldcb != 1
5983 || srvaddoldcb != 1
5984 || srvparseoldcb != 1)
a37008d9 5985 goto end;
bb01ef3f 5986 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 5987 if (clntaddnewcb != 1
5988 || clntparsenewcb != 1
5989 || srvaddnewcb != 1
bb01ef3f
MC		 5990 || srvparsenewcb != 1
5991 || (tst != 2 && snicb != 0)
5992 || (tst == 2 && snicb != 1))
a37008d9 5993 goto end;
0db3a990
MC		 5994 } else if (tst == 5) {
5995 if (clntaddnewcb != 1
5996 || clntparsenewcb != 1
5997 || srvaddnewcb != 1
5998 || srvparsenewcb != 1)
5999 goto end;
a37008d9 6000 } else {
36ff232c 6001 /* In this case there 2 NewSessionTicket messages created */
710756a9 6002 if (clntaddnewcb != 1
36ff232c
MC		 6003 || clntparsenewcb != 5
6004 || srvaddnewcb != 5
710756a9 6005 || srvparsenewcb != 1)
a37008d9 6006 goto end;
a37008d9
MC		 6007 }
6008
6009 sess = SSL_get1_session(clientssl);
a37008d9
MC		 6010 SSL_shutdown(clientssl);
6011 SSL_shutdown(serverssl);
a37008d9
MC		 6012 SSL_free(serverssl);
6013 SSL_free(clientssl);
6014 serverssl = clientssl = NULL;
6015
0db3a990
MC		 6016 if (tst == 3 || tst == 5) {
6017 /* We don't bother with the resumption aspects for these tests */
bb01ef3f
MC		 6018 testresult = 1;
6019 goto end;
6020 }
6021
710756a9
RS		 6022 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6023 NULL, NULL))
6024 || !TEST_true(SSL_set_session(clientssl, sess))
6025 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6026 SSL_ERROR_NONE)))
a37008d9 6027 goto end;
a37008d9
MC		 6028
6029 /*
6030 * For a resumed session we expect to add the ClientHello extension. For the
6031 * old style callbacks we ignore it on the server side because they set
6032 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
6033 * them.
6034 */
6035 if (tst == 0) {
710756a9
RS		 6036 if (clntaddoldcb != 2
6037 || clntparseoldcb != 1
6038 || srvaddoldcb != 1
6039 || srvparseoldcb != 1)
a37008d9 6040 goto end;
bb01ef3f 6041 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 6042 if (clntaddnewcb != 2
6043 || clntparsenewcb != 2
6044 || srvaddnewcb != 2
6045 || srvparsenewcb != 2)
a37008d9 6046 goto end;
a37008d9 6047 } else {
36ff232c
MC		 6048 /*
6049 * No Certificate message extensions in the resumption handshake,
6050 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
6051 */
710756a9 6052 if (clntaddnewcb != 2
36ff232c
MC		 6053 || clntparsenewcb != 8
6054 || srvaddnewcb != 8
710756a9 6055 || srvparsenewcb != 2)
a37008d9 6056 goto end;
a37008d9
MC		 6057 }
6058
6059 testresult = 1;
6060
6061end:
6062 SSL_SESSION_free(sess);
6063 SSL_free(serverssl);
6064 SSL_free(clientssl);
bb01ef3f 6065 SSL_CTX_free(sctx2);
a37008d9
MC		 6066 SSL_CTX_free(sctx);
6067 SSL_CTX_free(cctx);
a37008d9
MC		 6068 return testresult;
6069}
6070
555dd939 6071#if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
16afd71c 6072
555dd939
DF		 6073#define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
6074 | SSL_EXT_CLIENT_HELLO \
6075 | SSL_EXT_TLS1_2_SERVER_HELLO \
6076 | SSL_EXT_IGNORE_ON_RESUMPTION)
16afd71c 6077
555dd939
DF		 6078#define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
6079 | SSL_EXT_TLS1_2_SERVER_HELLO \
6080 | SSL_EXT_CLIENT_HELLO)
16afd71c 6081
555dd939
DF		 6082#define SERVERINFO_CUSTOM \
6083 0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
6084 0x00, 0x03, \
6085 0x04, 0x05, 0x06 \
6086
6087static const unsigned char serverinfo_custom_tls13[] = {
6088 0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff,
6089 SERVERINFO_CUSTOM
6090};
6091static const unsigned char serverinfo_custom_v2[] = {
6092 0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff,
6093 SERVERINFO_CUSTOM
6094};
6095static const unsigned char serverinfo_custom_v1[] = {
6096 SERVERINFO_CUSTOM
6097};
6098static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13);
6099static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2);
6100static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1);
6101
6102static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type,
6103 unsigned int context,
6104 const unsigned char *in,
6105 size_t inlen, X509 *x,
6106 size_t chainidx, int *al,
6107 void *parse_arg)
6108{
6109 const size_t len = serverinfo_custom_v1_len;
6110 const unsigned char *si = &serverinfo_custom_v1[len - 3];
6111 int *p_cb_result = (int*)parse_arg;
6112 *p_cb_result = TEST_mem_eq(in, inlen, si, 3);
6113 return 1;
6114}
6115
6116static int test_serverinfo_custom(const int idx)
6117{
6118 SSL_CTX *sctx = NULL, *cctx = NULL;
6119 SSL *clientssl = NULL, *serverssl = NULL;
6120 int testresult = 0;
6121 int cb_result = 0;
6122
6123 /*
6124 * Following variables are set in the switch statement
6125 * according to the test iteration.
6126 * Default values do not make much sense: test would fail with them.
6127 */
6128 int serverinfo_version = 0;
6129 int protocol_version = 0;
6130 unsigned int extension_context = 0;
6131 const unsigned char *si = NULL;
6132 size_t si_len = 0;
6133
6134 const int call_use_serverinfo_ex = idx > 0;
6135 switch (idx) {
6136 case 0: /* FALLTHROUGH */
6137 case 1:
6138 serverinfo_version = SSL_SERVERINFOV1;
6139 protocol_version = TLS1_2_VERSION;
6140 extension_context = SYNTHV1CONTEXT;
6141 si = serverinfo_custom_v1;
6142 si_len = serverinfo_custom_v1_len;
6143 break;
6144 case 2:
6145 serverinfo_version = SSL_SERVERINFOV2;
6146 protocol_version = TLS1_2_VERSION;
6147 extension_context = SYNTHV1CONTEXT;
6148 si = serverinfo_custom_v2;
6149 si_len = serverinfo_custom_v2_len;
6150 break;
6151 case 3:
6152 serverinfo_version = SSL_SERVERINFOV2;
6153 protocol_version = TLS1_3_VERSION;
6154 extension_context = TLS13CONTEXT;
6155 si = serverinfo_custom_tls13;
6156 si_len = serverinfo_custom_tls13_len;
6157 break;
16afd71c
MC		 6158 }
6159
555dd939
DF		 6160 if (!TEST_true(create_ssl_ctx_pair(libctx,
6161 TLS_method(),
6162 TLS_method(),
6163 protocol_version,
6164 protocol_version,
6165 &sctx, &cctx, cert, privkey)))
6166 goto end;
16afd71c 6167
555dd939
DF		 6168 if (call_use_serverinfo_ex) {
6169 if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version,
6170 si, si_len)))
6171 goto end;
6172 } else {
6173 if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len)))
6174 goto end;
16afd71c
MC		 6175 }
6176
555dd939
DF		 6177 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp,
6178 extension_context,
6179 NULL, NULL, NULL,
6180 serverinfo_custom_parse_cb,
6181 &cb_result))
6182 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6183 NULL, NULL))
6184 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6185 SSL_ERROR_NONE))
6186 || !TEST_int_eq(SSL_do_handshake(clientssl), 1))
6187 goto end;
6188
6189 if (!TEST_true(cb_result))
16afd71c
MC		 6190 goto end;
6191
6192 testresult = 1;
6193
6194 end:
555dd939
DF		 6195 SSL_free(serverssl);
6196 SSL_free(clientssl);
6197 SSL_CTX_free(sctx);
6198 SSL_CTX_free(cctx);
16afd71c
MC		 6199
6200 return testresult;
6201}
555dd939 6202#endif
16afd71c 6203
2197d1df
MC		 6204/*
6205 * Test that SSL_export_keying_material() produces expected results. There are
6206 * no test vectors so all we do is test that both sides of the communication
6207 * produce the same results for different protocol versions.
6208 */
0fb2815b
MC		 6209#define SMALL_LABEL_LEN 10
6210#define LONG_LABEL_LEN 249
2197d1df
MC		 6211static int test_export_key_mat(int tst)
6212{
a599574b 6213 int testresult = 0;
2197d1df
MC		 6214 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6215 SSL *clientssl = NULL, *serverssl = NULL;
0fb2815b 6216 const char label[LONG_LABEL_LEN + 1] = "test label";
2197d1df
MC		 6217 const unsigned char context[] = "context";
6218 const unsigned char *emptycontext = NULL;
6219 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
6220 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
0fb2815b 6221 size_t labellen;
a599574b
MC		 6222 const int protocols[] = {
6223 TLS1_VERSION,
6224 TLS1_1_VERSION,
6225 TLS1_2_VERSION,
0fb2815b
MC		 6226 TLS1_3_VERSION,
6227 TLS1_3_VERSION,
a599574b
MC		 6228 TLS1_3_VERSION
6229 };
2197d1df
MC		 6230
6231#ifdef OPENSSL_NO_TLS1
6232 if (tst == 0)
6233 return 1;
6234#endif
6235#ifdef OPENSSL_NO_TLS1_1
6236 if (tst == 1)
6237 return 1;
6238#endif
4f6c7044
MC		 6239 if (is_fips && (tst == 0 || tst == 1))
6240 return 1;
2197d1df
MC		 6241#ifdef OPENSSL_NO_TLS1_2
6242 if (tst == 2)
6243 return 1;
6244#endif
a763ca11 6245#ifdef OSSL_NO_USABLE_TLS1_3
0fb2815b 6246 if (tst >= 3)
2197d1df
MC		 6247 return 1;
6248#endif
5e30f2fd
MC		 6249 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6250 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 6251 &sctx, &cctx, cert, privkey)))
2197d1df
MC		 6252 goto end;
6253
a599574b
MC		 6254 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
6255 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
6256 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
aba03ae5
KR		 6257 if ((protocols[tst] < TLS1_2_VERSION) &&
6258 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
6259 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
6260 goto end;
2197d1df
MC		 6261
6262 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
ea9f6890
TM		 6263 NULL)))
6264 goto end;
6265
6266 /*
6267 * Premature call of SSL_export_keying_material should just fail.
6268 */
6269 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6270 sizeof(ckeymat1), label,
6271 SMALL_LABEL_LEN + 1, context,
6272 sizeof(context) - 1, 1), 0))
6273 goto end;
6274
6275 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6276 SSL_ERROR_NONE)))
2197d1df
MC		 6277 goto end;
6278
0fb2815b
MC		 6279 if (tst == 5) {
6280 /*
6281 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
6282 * go over that.
6283 */
6284 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6285 sizeof(ckeymat1), label,
6286 LONG_LABEL_LEN + 1, context,
6287 sizeof(context) - 1, 1), 0))
6288 goto end;
6289
6290 testresult = 1;
6291 goto end;
6292 } else if (tst == 4) {
6293 labellen = LONG_LABEL_LEN;
6294 } else {
6295 labellen = SMALL_LABEL_LEN;
6296 }
6297
2197d1df
MC		 6298 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
6299 sizeof(ckeymat1), label,
0fb2815b 6300 labellen, context,
2197d1df
MC		 6301 sizeof(context) - 1, 1), 1)
6302 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
6303 sizeof(ckeymat2), label,
0fb2815b 6304 labellen,
2197d1df
MC		 6305 emptycontext,
6306 0, 1), 1)
6307 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
6308 sizeof(ckeymat3), label,
0fb2815b 6309 labellen,
2197d1df
MC		 6310 NULL, 0, 0), 1)
6311 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
6312 sizeof(skeymat1), label,
0fb2815b 6313 labellen,
2197d1df
MC		 6314 context,
6315 sizeof(context) -1, 1),
6316 1)
6317 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
6318 sizeof(skeymat2), label,
0fb2815b 6319 labellen,
2197d1df
MC		 6320 emptycontext,
6321 0, 1), 1)
6322 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
6323 sizeof(skeymat3), label,
0fb2815b 6324 labellen,
2197d1df
MC		 6325 NULL, 0, 0), 1)
6326 /*
6327 * Check that both sides created the same key material with the
6328 * same context.
6329 */
6330 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6331 sizeof(skeymat1))
6332 /*
6333 * Check that both sides created the same key material with an
6334 * empty context.
6335 */
6336 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6337 sizeof(skeymat2))
6338 /*
6339 * Check that both sides created the same key material without a
6340 * context.
6341 */
6342 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6343 sizeof(skeymat3))
6344 /* Different contexts should produce different results */
6345 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6346 sizeof(ckeymat2)))
6347 goto end;
6348
6349 /*
6350 * Check that an empty context and no context produce different results in
6351 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6352 */
0fb2815b 6353 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
2197d1df 6354 sizeof(ckeymat3)))
0fb2815b
MC		 6355 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6356 sizeof(ckeymat3))))
2197d1df
MC		 6357 goto end;
6358
6359 testresult = 1;
6360
6361 end:
6362 SSL_free(serverssl);
6363 SSL_free(clientssl);
6364 SSL_CTX_free(sctx2);
6365 SSL_CTX_free(sctx);
6366 SSL_CTX_free(cctx);
6367
6368 return testresult;
6369}
6370
a763ca11 6371#ifndef OSSL_NO_USABLE_TLS1_3
b38ede80
TT		 6372/*
6373 * Test that SSL_export_keying_material_early() produces expected
6374 * results. There are no test vectors so all we do is test that both
6375 * sides of the communication produce the same results for different
6376 * protocol versions.
6377 */
6378static int test_export_key_mat_early(int idx)
6379{
6380 static const char label[] = "test label";
6381 static const unsigned char context[] = "context";
6382 int testresult = 0;
6383 SSL_CTX *cctx = NULL, *sctx = NULL;
6384 SSL *clientssl = NULL, *serverssl = NULL;
6385 SSL_SESSION *sess = NULL;
6386 const unsigned char *emptycontext = NULL;
6387 unsigned char ckeymat1[80], ckeymat2[80];
6388 unsigned char skeymat1[80], skeymat2[80];
6389 unsigned char buf[1];
6390 size_t readbytes, written;
6391
6392 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6393 &sess, idx)))
6394 goto end;
6395
6396 /* Here writing 0 length early data is enough. */
6397 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6398 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6399 &readbytes),
6400 SSL_READ_EARLY_DATA_ERROR)
6401 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6402 SSL_EARLY_DATA_ACCEPTED))
6403 goto end;
6404
6405 if (!TEST_int_eq(SSL_export_keying_material_early(
6406 clientssl, ckeymat1, sizeof(ckeymat1), label,
6407 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6408 || !TEST_int_eq(SSL_export_keying_material_early(
6409 clientssl, ckeymat2, sizeof(ckeymat2), label,
6410 sizeof(label) - 1, emptycontext, 0), 1)
6411 || !TEST_int_eq(SSL_export_keying_material_early(
6412 serverssl, skeymat1, sizeof(skeymat1), label,
6413 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6414 || !TEST_int_eq(SSL_export_keying_material_early(
6415 serverssl, skeymat2, sizeof(skeymat2), label,
6416 sizeof(label) - 1, emptycontext, 0), 1)
6417 /*
6418 * Check that both sides created the same key material with the
6419 * same context.
6420 */
6421 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6422 sizeof(skeymat1))
6423 /*
6424 * Check that both sides created the same key material with an
6425 * empty context.
6426 */
6427 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6428 sizeof(skeymat2))
6429 /* Different contexts should produce different results */
6430 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6431 sizeof(ckeymat2)))
6432 goto end;
6433
6434 testresult = 1;
6435
6436 end:
c20e3b28 6437 SSL_SESSION_free(sess);
b38ede80
TT		 6438 SSL_SESSION_free(clientpsk);
6439 SSL_SESSION_free(serverpsk);
34ff74eb 6440 clientpsk = serverpsk = NULL;
b38ede80
TT		 6441 SSL_free(serverssl);
6442 SSL_free(clientssl);
6443 SSL_CTX_free(sctx);
6444 SSL_CTX_free(cctx);
6445
6446 return testresult;
6447}
3409a5ff
MC		 6448
6449#define NUM_KEY_UPDATE_MESSAGES 40
6450/*
6451 * Test KeyUpdate.
6452 */
6453static int test_key_update(void)
6454{
6455 SSL_CTX *cctx = NULL, *sctx = NULL;
6456 SSL *clientssl = NULL, *serverssl = NULL;
6457 int testresult = 0, i, j;
6458 char buf[20];
6459 static char *mess = "A test message";
6460
5e30f2fd 6461 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3409a5ff
MC		 6462 TLS_client_method(),
6463 TLS1_3_VERSION,
6464 0,
6465 &sctx, &cctx, cert, privkey))
6466 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6467 NULL, NULL))
6468 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6469 SSL_ERROR_NONE)))
6470 goto end;
6471
6472 for (j = 0; j < 2; j++) {
6473 /* Send lots of KeyUpdate messages */
6474 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6475 if (!TEST_true(SSL_key_update(clientssl,
6476 (j == 0)
6477 ? SSL_KEY_UPDATE_NOT_REQUESTED
6478 : SSL_KEY_UPDATE_REQUESTED))
6479 || !TEST_true(SSL_do_handshake(clientssl)))
6480 goto end;
6481 }
6482
6483 /* Check that sending and receiving app data is ok */
6484 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6485 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6486 strlen(mess)))
6487 goto end;
a77b4dba
MC		 6488
6489 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6490 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6491 strlen(mess)))
6492 goto end;
3409a5ff
MC		 6493 }
6494
6495 testresult = 1;
6496
6497 end:
6498 SSL_free(serverssl);
6499 SSL_free(clientssl);
6500 SSL_CTX_free(sctx);
6501 SSL_CTX_free(cctx);
6502
6503 return testresult;
6504}
a77b4dba
MC		 6505
6506/*
0c48fda8 6507 * Test we can handle a KeyUpdate (update requested) message while
6508 * write data is pending in peer.
a77b4dba
MC		 6509 * Test 0: Client sends KeyUpdate while Server is writing
6510 * Test 1: Server sends KeyUpdate while Client is writing
6511 */
0c48fda8 6512static int test_key_update_peer_in_write(int tst)
a77b4dba
MC		 6513{
6514 SSL_CTX *cctx = NULL, *sctx = NULL;
6515 SSL *clientssl = NULL, *serverssl = NULL;
6516 int testresult = 0;
6517 char buf[20];
6518 static char *mess = "A test message";
6519 BIO *bretry = BIO_new(bio_s_always_retry());
6520 BIO *tmp = NULL;
6521 SSL *peerupdate = NULL, *peerwrite = NULL;
6522
6523 if (!TEST_ptr(bretry)
5e30f2fd 6524 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
a77b4dba
MC		 6525 TLS_client_method(),
6526 TLS1_3_VERSION,
6527 0,
6528 &sctx, &cctx, cert, privkey))
6529 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6530 NULL, NULL))
6531 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6532 SSL_ERROR_NONE)))
6533 goto end;
6534
6535 peerupdate = tst == 0 ? clientssl : serverssl;
6536 peerwrite = tst == 0 ? serverssl : clientssl;
6537
6538 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
0c48fda8 6539 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
a77b4dba
MC		 6540 goto end;
6541
6542 /* Swap the writing endpoint's write BIO to force a retry */
6543 tmp = SSL_get_wbio(peerwrite);
6544 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6545 tmp = NULL;
6546 goto end;
6547 }
6548 SSL_set0_wbio(peerwrite, bretry);
6549 bretry = NULL;
6550
6551 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6552 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6553 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
6554 goto end;
6555
6556 /* Reinstate the original writing endpoint's write BIO */
6557 SSL_set0_wbio(peerwrite, tmp);
6558 tmp = NULL;
6559
6560 /* Now read some data - we will read the key update */
6561 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6562 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
6563 goto end;
6564
6565 /*
6566 * Complete the write we started previously and read it from the other
6567 * endpoint
6568 */
6569 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6570 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6571 goto end;
6572
6573 /* Write more data to ensure we send the KeyUpdate message back */
6574 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6575 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6576 goto end;
6577
6578 testresult = 1;
6579
6580 end:
6581 SSL_free(serverssl);
6582 SSL_free(clientssl);
6583 SSL_CTX_free(sctx);
6584 SSL_CTX_free(cctx);
6585 BIO_free(bretry);
6586 BIO_free(tmp);
6587
6588 return testresult;
6589}
0c48fda8 6590
6591/*
6592 * Test we can handle a KeyUpdate (update requested) message while
6593 * peer read data is pending after peer accepted keyupdate(the msg header
6594 * had been read 5 bytes).
6595 * Test 0: Client sends KeyUpdate while Server is reading
6596 * Test 1: Server sends KeyUpdate while Client is reading
6597 */
6598static int test_key_update_peer_in_read(int tst)
6599{
6600 SSL_CTX *cctx = NULL, *sctx = NULL;
6601 SSL *clientssl = NULL, *serverssl = NULL;
6602 int testresult = 0;
6603 char prbuf[515], lwbuf[515] = {0};
6604 static char *mess = "A test message";
6605 BIO *lbio = NULL, *pbio = NULL;
6606 SSL *local = NULL, *peer = NULL;
6607
6608 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6609 TLS_client_method(),
6610 TLS1_3_VERSION,
6611 0,
6612 &sctx, &cctx, cert, privkey))
6613 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6614 NULL, NULL))
6615 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6616 SSL_ERROR_NONE)))
6617 goto end;
6618
6619 local = tst == 0 ? clientssl : serverssl;
6620 peer = tst == 0 ? serverssl : clientssl;
6621
6622 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6623 goto end;
6624
6625 SSL_set_bio(local, lbio, lbio);
6626 SSL_set_bio(peer, pbio, pbio);
6627
6628 /*
6629 * we first write keyupdate msg then appdata in local
6630 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6631 * lwbuf app data msg size + key updata msg size > 512(the size of
6632 * the bio pair buffer)
6633 */
6634 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6635 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6636 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6637 goto end;
6638
6639 /*
6640 * first read keyupdate msg in peer in peer
6641 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6642 */
6643 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6644 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6645 goto end;
6646
6647 /* Now write some data in peer - we will write the key update */
6648 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6649 goto end;
6650
6651 /*
6652 * write data in local previously that we will complete
6653 * read data in peer previously that we will complete
6654 */
6655 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6656 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6657 goto end;
6658
6659 /* check that sending and receiving appdata ok */
6660 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6661 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6662 goto end;
6663
6664 testresult = 1;
6665
6666 end:
6667 SSL_free(serverssl);
6668 SSL_free(clientssl);
6669 SSL_CTX_free(sctx);
6670 SSL_CTX_free(cctx);
6671
6672 return testresult;
6673}
6674
6675/*
6676 * Test we can't send a KeyUpdate (update requested) message while
6677 * local write data is pending.
6678 * Test 0: Client sends KeyUpdate while Client is writing
6679 * Test 1: Server sends KeyUpdate while Server is writing
6680 */
6681static int test_key_update_local_in_write(int tst)
6682{
6683 SSL_CTX *cctx = NULL, *sctx = NULL;
6684 SSL *clientssl = NULL, *serverssl = NULL;
6685 int testresult = 0;
6686 char buf[20];
6687 static char *mess = "A test message";
6688 BIO *bretry = BIO_new(bio_s_always_retry());
6689 BIO *tmp = NULL;
6690 SSL *local = NULL, *peer = NULL;
6691
6692 if (!TEST_ptr(bretry)
6693 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6694 TLS_client_method(),
6695 TLS1_3_VERSION,
6696 0,
6697 &sctx, &cctx, cert, privkey))
6698 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6699 NULL, NULL))
6700 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6701 SSL_ERROR_NONE)))
6702 goto end;
6703
6704 local = tst == 0 ? clientssl : serverssl;
6705 peer = tst == 0 ? serverssl : clientssl;
6706
6707 /* Swap the writing endpoint's write BIO to force a retry */
6708 tmp = SSL_get_wbio(local);
6709 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6710 tmp = NULL;
6711 goto end;
6712 }
6713 SSL_set0_wbio(local, bretry);
6714 bretry = NULL;
6715
6716 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6717 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6718 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6719 goto end;
6720
6721 /* Reinstate the original writing endpoint's write BIO */
6722 SSL_set0_wbio(local, tmp);
6723 tmp = NULL;
6724
6725 /* SSL_key_update will fail, because writing in local*/
6726 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6727 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
6728 goto end;
6729
6730 ERR_clear_error();
6731 /* write data in local previously that we will complete */
6732 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
6733 goto end;
6734
6735 /* SSL_key_update will succeed because there is no pending write data */
6736 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6737 || !TEST_int_eq(SSL_do_handshake(local), 1))
6738 goto end;
6739
6740 /*
6741 * we write some appdata in local
6742 * read data in peer - we will read the keyupdate msg
6743 */
6744 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6745 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
6746 goto end;
6747
6748 /* Write more peer more data to ensure we send the keyupdate message back */
6749 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6750 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
6751 goto end;
6752
6753 testresult = 1;
6754
6755 end:
6756 SSL_free(serverssl);
6757 SSL_free(clientssl);
6758 SSL_CTX_free(sctx);
6759 SSL_CTX_free(cctx);
6760 BIO_free(bretry);
6761 BIO_free(tmp);
6762
6763 return testresult;
6764}
6765
6766/*
6767 * Test we can handle a KeyUpdate (update requested) message while
6768 * local read data is pending(the msg header had been read 5 bytes).
6769 * Test 0: Client sends KeyUpdate while Client is reading
6770 * Test 1: Server sends KeyUpdate while Server is reading
6771 */
6772static int test_key_update_local_in_read(int tst)
6773{
6774 SSL_CTX *cctx = NULL, *sctx = NULL;
6775 SSL *clientssl = NULL, *serverssl = NULL;
6776 int testresult = 0;
6777 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
6778 static char *mess = "A test message";
6779 BIO *lbio = NULL, *pbio = NULL;
6780 SSL *local = NULL, *peer = NULL;
6781
6782 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6783 TLS_client_method(),
6784 TLS1_3_VERSION,
6785 0,
6786 &sctx, &cctx, cert, privkey))
6787 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6788 NULL, NULL))
6789 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6790 SSL_ERROR_NONE)))
6791 goto end;
6792
6793 local = tst == 0 ? clientssl : serverssl;
6794 peer = tst == 0 ? serverssl : clientssl;
6795
6796 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6797 goto end;
6798
6799 SSL_set_bio(local, lbio, lbio);
6800 SSL_set_bio(peer, pbio, pbio);
6801
6802 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6803 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
6804 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
6805 goto end;
6806
6807 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6808 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
6809 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
6810 goto end;
6811
6812 /* SSL_do_handshake will send keyupdate msg */
6813 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6814 || !TEST_int_eq(SSL_do_handshake(local), 1))
6815 goto end;
6816
6817 /*
6818 * write data in peer previously that we will complete
6819 * read data in local previously that we will complete
6820 */
6821 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
6822 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
6823 goto end;
6824
6825 /*
6826 * write data in local
6827 * read data in peer - we will read the key update
6828 */
6829 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6830 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6831 goto end;
6832
6833 /* Write more peer data to ensure we send the keyupdate message back */
6834 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6835 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
6836 goto end;
6837
6838 testresult = 1;
6839
6840 end:
6841 SSL_free(serverssl);
6842 SSL_free(clientssl);
6843 SSL_CTX_free(sctx);
6844 SSL_CTX_free(cctx);
6845
6846 return testresult;
6847}
a763ca11 6848#endif /* OSSL_NO_USABLE_TLS1_3 */
b38ede80 6849
e11b6aa4
MC		 6850static int test_ssl_clear(int idx)
6851{
6852 SSL_CTX *cctx = NULL, *sctx = NULL;
6853 SSL *clientssl = NULL, *serverssl = NULL;
6854 int testresult = 0;
6855
6856#ifdef OPENSSL_NO_TLS1_2
6857 if (idx == 1)
6858 return 1;
6859#endif
6860
6861 /* Create an initial connection */
5e30f2fd
MC		 6862 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6863 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 6864 &sctx, &cctx, cert, privkey))
e11b6aa4
MC		 6865 || (idx == 1
6866 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
6867 TLS1_2_VERSION)))
6868 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6869 &clientssl, NULL, NULL))
6870 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6871 SSL_ERROR_NONE)))
6872 goto end;
6873
6874 SSL_shutdown(clientssl);
6875 SSL_shutdown(serverssl);
6876 SSL_free(serverssl);
6877 serverssl = NULL;
6878
6879 /* Clear clientssl - we're going to reuse the object */
6880 if (!TEST_true(SSL_clear(clientssl)))
6881 goto end;
6882
6883 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6884 NULL, NULL))
6885 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6886 SSL_ERROR_NONE))
6887 || !TEST_true(SSL_session_reused(clientssl)))
6888 goto end;
6889
6890 SSL_shutdown(clientssl);
6891 SSL_shutdown(serverssl);
6892
6893 testresult = 1;
6894
6895 end:
6896 SSL_free(serverssl);
6897 SSL_free(clientssl);
6898 SSL_CTX_free(sctx);
6899 SSL_CTX_free(cctx);
6900
6901 return testresult;
6902}
6903
cf72c757
F		 6904/* Parse CH and retrieve any MFL extension value if present */
6905static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
6906{
6907 long len;
6908 unsigned char *data;
72962d02 6909 PACKET pkt, pkt2, pkt3;
cf72c757
F		 6910 unsigned int MFL_code = 0, type = 0;
6911
1287dabd 6912 if (!TEST_uint_gt(len = BIO_get_mem_data(bio, (char **) &data), 0))
cf72c757
F		 6913 goto end;
6914
72962d02
P		 6915 memset(&pkt, 0, sizeof(pkt));
6916 memset(&pkt2, 0, sizeof(pkt2));
6917 memset(&pkt3, 0, sizeof(pkt3));
6918
9ba18520 6919 if (!TEST_long_gt(len, 0)
1287dabd 6920 || !TEST_true(PACKET_buf_init(&pkt, data, len))
cf72c757
F		 6921 /* Skip the record header */
6922 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
6923 /* Skip the handshake message header */
6924 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
6925 /* Skip client version and random */
6926 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
6927 + SSL3_RANDOM_SIZE))
6928 /* Skip session id */
6929 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6930 /* Skip ciphers */
6931 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
6932 /* Skip compression */
6933 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6934 /* Extensions len */
6935 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
6936 goto end;
6937
6938 /* Loop through all extensions */
6939 while (PACKET_remaining(&pkt2)) {
6940 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
6941 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
6942 goto end;
6943
6944 if (type == TLSEXT_TYPE_max_fragment_length) {
6945 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
6946 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
6947 goto end;
6948
6949 *mfl_codemfl_code = MFL_code;
6950 return 1;
6951 }
6952 }
6953
6954 end:
6955 return 0;
6956}
6957
6958/* Maximum-Fragment-Length TLS extension mode to test */
6959static const unsigned char max_fragment_len_test[] = {
6960 TLSEXT_max_fragment_length_512,
6961 TLSEXT_max_fragment_length_1024,
6962 TLSEXT_max_fragment_length_2048,
6963 TLSEXT_max_fragment_length_4096
6964};
6965
6966static int test_max_fragment_len_ext(int idx_tst)
6967{
a763ca11 6968 SSL_CTX *ctx = NULL;
cf72c757
F		 6969 SSL *con = NULL;
6970 int testresult = 0, MFL_mode = 0;
6971 BIO *rbio, *wbio;
6972
a763ca11
MC		 6973 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
6974 TLS1_VERSION, 0, NULL, &ctx, NULL,
6975 NULL)))
6976 return 0;
cf72c757
F		 6977
6978 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6979 ctx, max_fragment_len_test[idx_tst])))
6980 goto end;
6981
6982 con = SSL_new(ctx);
6983 if (!TEST_ptr(con))
6984 goto end;
6985
6986 rbio = BIO_new(BIO_s_mem());
6987 wbio = BIO_new(BIO_s_mem());
6988 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
6989 BIO_free(rbio);
6990 BIO_free(wbio);
6991 goto end;
6992 }
6993
6994 SSL_set_bio(con, rbio, wbio);
cf72c757
F		 6995
6996 if (!TEST_int_le(SSL_connect(con), 0)) {
6997 /* This shouldn't succeed because we don't have a server! */
6998 goto end;
6999 }
7000
7001 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
7002 /* no MFL in client hello */
7003 goto end;
7004 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
7005 goto end;
7006
7007 testresult = 1;
7008
7009end:
7010 SSL_free(con);
7011 SSL_CTX_free(ctx);
7012
7013 return testresult;
7014}
7015
a763ca11 7016#ifndef OSSL_NO_USABLE_TLS1_3
9d75dce3
TS		 7017static int test_pha_key_update(void)
7018{
7019 SSL_CTX *cctx = NULL, *sctx = NULL;
7020 SSL *clientssl = NULL, *serverssl = NULL;
7021 int testresult = 0;
7022
5e30f2fd
MC		 7023 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7024 TLS_client_method(), TLS1_VERSION, 0,
9d75dce3
TS		 7025 &sctx, &cctx, cert, privkey)))
7026 return 0;
7027
7028 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
7029 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
7030 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
7031 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
7032 goto end;
7033
e97be718 7034 SSL_CTX_set_post_handshake_auth(cctx, 1);
9d75dce3
TS		 7035
7036 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7037 NULL, NULL)))
7038 goto end;
7039
9d75dce3
TS		 7040 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7041 SSL_ERROR_NONE)))
7042 goto end;
7043
7044 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7045 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7046 goto end;
7047
7048 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
7049 goto end;
7050
7051 /* Start handshake on the server */
7052 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
7053 goto end;
7054
7055 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
7056 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7057 SSL_ERROR_NONE)))
7058 goto end;
7059
7060 SSL_shutdown(clientssl);
7061 SSL_shutdown(serverssl);
7062
7063 testresult = 1;
7064
7065 end:
7066 SSL_free(serverssl);
7067 SSL_free(clientssl);
7068 SSL_CTX_free(sctx);
7069 SSL_CTX_free(cctx);
7070 return testresult;
7071}
7072#endif
7073
76fd7a1d
MC		 7074#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7075
7076static SRP_VBASE *vbase = NULL;
7077
7078static int ssl_srp_cb(SSL *s, int *ad, void *arg)
7079{
7080 int ret = SSL3_AL_FATAL;
7081 char *username;
7082 SRP_user_pwd *user = NULL;
7083
7084 username = SSL_get_srp_username(s);
7085 if (username == NULL) {
7086 *ad = SSL_AD_INTERNAL_ERROR;
7087 goto err;
7088 }
7089
7090 user = SRP_VBASE_get1_by_user(vbase, username);
7091 if (user == NULL) {
7092 *ad = SSL_AD_INTERNAL_ERROR;
7093 goto err;
7094 }
7095
7096 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
7097 user->info) <= 0) {
7098 *ad = SSL_AD_INTERNAL_ERROR;
7099 goto err;
7100 }
7101
7102 ret = 0;
7103
7104 err:
7105 SRP_user_pwd_free(user);
7106 return ret;
7107}
7108
7109static int create_new_vfile(char *userid, char *password, const char *filename)
7110{
7111 char *gNid = NULL;
7112 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
7113 TXT_DB *db = NULL;
7114 int ret = 0;
7115 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
7116 size_t i;
7117
7118 if (!TEST_ptr(dummy) || !TEST_ptr(row))
7119 goto end;
7120
20c00d0a 7121 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
5e30f2fd 7122 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
76fd7a1d
MC		 7123 if (!TEST_ptr(gNid))
7124 goto end;
7125
7126 /*
7127 * The only way to create an empty TXT_DB is to provide a BIO with no data
7128 * in it!
7129 */
7130 db = TXT_DB_read(dummy, DB_NUMBER);
7131 if (!TEST_ptr(db))
7132 goto end;
7133
7134 out = BIO_new_file(filename, "w");
7135 if (!TEST_ptr(out))
7136 goto end;
7137
7138 row[DB_srpid] = OPENSSL_strdup(userid);
7139 row[DB_srptype] = OPENSSL_strdup("V");
7140 row[DB_srpgN] = OPENSSL_strdup(gNid);
7141
7142 if (!TEST_ptr(row[DB_srpid])
7143 || !TEST_ptr(row[DB_srptype])
7144 || !TEST_ptr(row[DB_srpgN])
7145 || !TEST_true(TXT_DB_insert(db, row)))
7146 goto end;
7147
7148 row = NULL;
7149
aba9943f 7150 if (TXT_DB_write(out, db) <= 0)
76fd7a1d
MC		 7151 goto end;
7152
7153 ret = 1;
7154 end:
7155 if (row != NULL) {
7156 for (i = 0; i < DB_NUMBER; i++)
7157 OPENSSL_free(row[i]);
7158 }
7159 OPENSSL_free(row);
7160 BIO_free(dummy);
7161 BIO_free(out);
7162 TXT_DB_free(db);
7163
7164 return ret;
7165}
7166
7167static int create_new_vbase(char *userid, char *password)
7168{
7169 BIGNUM *verifier = NULL, *salt = NULL;
7170 const SRP_gN *lgN = NULL;
7171 SRP_user_pwd *user_pwd = NULL;
7172 int ret = 0;
7173
7174 lgN = SRP_get_default_gN(NULL);
7175 if (!TEST_ptr(lgN))
7176 goto end;
7177
20c00d0a 7178 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
5e30f2fd 7179 lgN->N, lgN->g, libctx, NULL)))
76fd7a1d
MC		 7180 goto end;
7181
7182 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
7183 if (!TEST_ptr(user_pwd))
7184 goto end;
7185
7186 user_pwd->N = lgN->N;
7187 user_pwd->g = lgN->g;
7188 user_pwd->id = OPENSSL_strdup(userid);
7189 if (!TEST_ptr(user_pwd->id))
7190 goto end;
7191
7192 user_pwd->v = verifier;
7193 user_pwd->s = salt;
7194 verifier = salt = NULL;
7195
7196 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
7197 goto end;
7198 user_pwd = NULL;
7199
7200 ret = 1;
7201end:
7202 SRP_user_pwd_free(user_pwd);
7203 BN_free(salt);
7204 BN_free(verifier);
7205
7206 return ret;
7207}
7208
7209/*
7210 * SRP tests
7211 *
7212 * Test 0: Simple successful SRP connection, new vbase
7213 * Test 1: Connection failure due to bad password, new vbase
7214 * Test 2: Simple successful SRP connection, vbase loaded from existing file
7215 * Test 3: Connection failure due to bad password, vbase loaded from existing
7216 * file
7217 * Test 4: Simple successful SRP connection, vbase loaded from new file
7218 * Test 5: Connection failure due to bad password, vbase loaded from new file
7219 */
7220static int test_srp(int tst)
7221{
7222 char *userid = "test", *password = "password", *tstsrpfile;
7223 SSL_CTX *cctx = NULL, *sctx = NULL;
7224 SSL *clientssl = NULL, *serverssl = NULL;
7225 int ret, testresult = 0;
7226
7227 vbase = SRP_VBASE_new(NULL);
7228 if (!TEST_ptr(vbase))
7229 goto end;
7230
7231 if (tst == 0 || tst == 1) {
7232 if (!TEST_true(create_new_vbase(userid, password)))
7233 goto end;
7234 } else {
7235 if (tst == 4 || tst == 5) {
7236 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
7237 goto end;
7238 tstsrpfile = tmpfilename;
7239 } else {
7240 tstsrpfile = srpvfile;
7241 }
7242 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
7243 goto end;
7244 }
7245
5e30f2fd
MC		 7246 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7247 TLS_client_method(), TLS1_VERSION, 0,
76fd7a1d
MC		 7248 &sctx, &cctx, cert, privkey)))
7249 goto end;
7250
7251 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
7252 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
7253 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
7254 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
7255 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
7256 goto end;
7257
7258 if (tst % 2 == 1) {
7259 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
7260 goto end;
7261 } else {
7262 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
7263 goto end;
7264 }
7265
7266 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7267 NULL, NULL)))
7268 goto end;
7269
7270 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7271 if (ret) {
7272 if (!TEST_true(tst % 2 == 0))
7273 goto end;
7274 } else {
7275 if (!TEST_true(tst % 2 == 1))
7276 goto end;
7277 }
7278
7279 testresult = 1;
7280
7281 end:
7282 SRP_VBASE_free(vbase);
7283 vbase = NULL;
7284 SSL_free(serverssl);
7285 SSL_free(clientssl);
7286 SSL_CTX_free(sctx);
7287 SSL_CTX_free(cctx);
7288
7289 return testresult;
7290}
7291#endif
7292
5718fe45
MC		 7293static int info_cb_failed = 0;
7294static int info_cb_offset = 0;
7295static int info_cb_this_state = -1;
7296
7297static struct info_cb_states_st {
7298 int where;
7299 const char *statestr;
7300} info_cb_states[][60] = {
7301 {
7302 /* TLSv1.2 server followed by resumption */
e0f69c35
TS		 7303 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7304 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5718fe45
MC		 7305 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
7306 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
7307 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
7308 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7309 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7310 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
e0f69c35 7311 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
5718fe45
MC		 7312 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7313 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
7314 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7315 {SSL_CB_EXIT, NULL}, {0, NULL},
7316 }, {
7317 /* TLSv1.2 client followed by resumption */
e0f69c35 7318 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7319 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7320 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
7321 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
7322 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
7323 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7324 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
e0f69c35 7325 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7326 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7327 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7328 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7329 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
7330 }, {
7331 /* TLSv1.3 server followed by resumption */
e0f69c35
TS		 7332 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7333 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5718fe45 7334 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
e0f69c35 7335 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5718fe45 7336 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b
MC		 7337 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7338 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
e0f69c35
TS		 7339 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7340 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4af5836b
MC		 7341 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7342 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7343 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7344 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 7345 }, {
7346 /* TLSv1.3 client followed by resumption */
e0f69c35 7347 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7348 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7349 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7350 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7351 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
e0f69c35
TS		 7352 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7353 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7354 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5718fe45 7355 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
e0f69c35 7356 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5718fe45
MC		 7357 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7358 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7359 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
e0f69c35 7360 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
4af5836b 7361 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 7362 }, {
7363 /* TLSv1.3 server, early_data */
e0f69c35
TS		 7364 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7365 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5718fe45
MC		 7366 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7367 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7368 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7369 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b 7370 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5718fe45
MC		 7371 {SSL_CB_EXIT, NULL}, {0, NULL},
7372 }, {
7373 /* TLSv1.3 client, early_data */
e0f69c35 7374 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7375 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7376 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7377 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7378 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7379 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7380 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
e0f69c35 7381 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
4af5836b 7382 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
b67cb09f
TS		 7383 }, {
7384 /* TLSv1.3 server, certificate compression, followed by resumption */
7385 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7386 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7387 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSCC"},
7388 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7389 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7390 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7391 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7392 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7393 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7394 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7395 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7396 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7397 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7398 }, {
7399 /* TLSv1.3 client, certificate compression, followed by resumption */
7400 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7401 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7402 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSCC"},
7403 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7404 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7405 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7406 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7407 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7408 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7409 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7410 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7411 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7412 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7413 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7414 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 7415 }, {
7416 {0, NULL},
7417 }
7418};
7419
7420static void sslapi_info_callback(const SSL *s, int where, int ret)
7421{
7422 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7423
7424 /* We do not ever expect a connection to fail in this test */
7425 if (!TEST_false(ret == 0)) {
7426 info_cb_failed = 1;
7427 return;
7428 }
7429
7430 /*
7431 * Do some sanity checks. We never expect these things to happen in this
7432 * test
7433 */
7434 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7435 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7436 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7437 info_cb_failed = 1;
7438 return;
7439 }
7440
7441 /* Now check we're in the right state */
7442 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7443 info_cb_failed = 1;
7444 return;
7445 }
7446 if ((where & SSL_CB_LOOP) != 0
7447 && !TEST_int_eq(strcmp(SSL_state_string(s),
7448 state[info_cb_this_state].statestr), 0)) {
7449 info_cb_failed = 1;
7450 return;
7451 }
033c181b 7452
4af5836b
MC		 7453 /*
7454 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7455 */
7456 if ((where & SSL_CB_HANDSHAKE_DONE)
7457 && SSL_in_init((SSL *)s) != 0) {
033c181b
MC		 7458 info_cb_failed = 1;
7459 return;
7460 }
5718fe45
MC		 7461}
7462
7463/*
7464 * Test the info callback gets called when we expect it to.
7465 *
7466 * Test 0: TLSv1.2, server
7467 * Test 1: TLSv1.2, client
7468 * Test 2: TLSv1.3, server
7469 * Test 3: TLSv1.3, client
7470 * Test 4: TLSv1.3, server, early_data
7471 * Test 5: TLSv1.3, client, early_data
b67cb09f
TS		 7472 * Test 6: TLSv1.3, server, compressed certificate
7473 * Test 7: TLSv1.3, client, compressed certificate
5718fe45
MC		 7474 */
7475static int test_info_callback(int tst)
7476{
7477 SSL_CTX *cctx = NULL, *sctx = NULL;
7478 SSL *clientssl = NULL, *serverssl = NULL;
7479 SSL_SESSION *clntsess = NULL;
7480 int testresult = 0;
7481 int tlsvers;
7482
7483 if (tst < 2) {
1aac20f5
MC		 7484/* We need either ECDHE or DHE for the TLSv1.2 test to work */
7485#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7486 || !defined(OPENSSL_NO_DH))
5718fe45
MC		 7487 tlsvers = TLS1_2_VERSION;
7488#else
7489 return 1;
7490#endif
7491 } else {
a763ca11 7492#ifndef OSSL_NO_USABLE_TLS1_3
5718fe45
MC		 7493 tlsvers = TLS1_3_VERSION;
7494#else
7495 return 1;
7496#endif
7497 }
7498
7499 /* Reset globals */
7500 info_cb_failed = 0;
7501 info_cb_this_state = -1;
7502 info_cb_offset = tst;
7503
a763ca11 7504#ifndef OSSL_NO_USABLE_TLS1_3
b67cb09f 7505 if (tst >= 4 && tst < 6) {
5718fe45
MC		 7506 SSL_SESSION *sess = NULL;
7507 size_t written, readbytes;
7508 unsigned char buf[80];
7509
7510 /* early_data tests */
7511 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
7512 &serverssl, &sess, 0)))
7513 goto end;
7514
7515 /* We don't actually need this reference */
7516 SSL_SESSION_free(sess);
7517
7518 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7519 sslapi_info_callback);
7520
7521 /* Write and read some early data and then complete the connection */
7522 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7523 &written))
7524 || !TEST_size_t_eq(written, strlen(MSG1))
7525 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
7526 sizeof(buf), &readbytes),
7527 SSL_READ_EARLY_DATA_SUCCESS)
7528 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7529 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7530 SSL_EARLY_DATA_ACCEPTED)
7531 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7532 SSL_ERROR_NONE))
7533 || !TEST_false(info_cb_failed))
7534 goto end;
7535
7536 testresult = 1;
7537 goto end;
7538 }
6e07834c 7539#endif
5718fe45 7540
5e30f2fd 7541 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5718fe45
MC		 7542 TLS_client_method(),
7543 tlsvers, tlsvers, &sctx, &cctx, cert,
7544 privkey)))
7545 goto end;
7546
33c39a06
MC		 7547 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7548 goto end;
7549
5718fe45
MC		 7550 /*
7551 * For even numbered tests we check the server callbacks. For odd numbers we
7552 * check the client.
7553 */
7554 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7555 sslapi_info_callback);
b67cb09f
TS		 7556 if (tst >= 6) {
7557 if (!SSL_CTX_compress_certs(sctx, 0))
7558 goto end;
7559 }
5718fe45
MC		 7560
7561 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7562 &clientssl, NULL, NULL))
7563 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7564 SSL_ERROR_NONE))
7565 || !TEST_false(info_cb_failed))
7566 goto end;
7567
7568
7569
7570 clntsess = SSL_get1_session(clientssl);
7571 SSL_shutdown(clientssl);
7572 SSL_shutdown(serverssl);
7573 SSL_free(serverssl);
7574 SSL_free(clientssl);
7575 serverssl = clientssl = NULL;
7576
7577 /* Now do a resumption */
7578 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7579 NULL))
7580 || !TEST_true(SSL_set_session(clientssl, clntsess))
7581 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7582 SSL_ERROR_NONE))
7583 || !TEST_true(SSL_session_reused(clientssl))
7584 || !TEST_false(info_cb_failed))
7585 goto end;
7586
7587 testresult = 1;
7588
7589 end:
7590 SSL_free(serverssl);
7591 SSL_free(clientssl);
7592 SSL_SESSION_free(clntsess);
7593 SSL_CTX_free(sctx);
7594 SSL_CTX_free(cctx);
7595 return testresult;
7596}
7597
4a432af8
MC		 7598static int test_ssl_pending(int tst)
7599{
7600 SSL_CTX *cctx = NULL, *sctx = NULL;
7601 SSL *clientssl = NULL, *serverssl = NULL;
7602 int testresult = 0;
7603 char msg[] = "A test message";
7604 char buf[5];
7605 size_t written, readbytes;
7606
7607 if (tst == 0) {
5e30f2fd 7608 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4a432af8 7609 TLS_client_method(),
5c587fb6 7610 TLS1_VERSION, 0,
4a432af8
MC		 7611 &sctx, &cctx, cert, privkey)))
7612 goto end;
7613 } else {
7614#ifndef OPENSSL_NO_DTLS
5e30f2fd 7615 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
4a432af8 7616 DTLS_client_method(),
5c587fb6 7617 DTLS1_VERSION, 0,
4a432af8
MC		 7618 &sctx, &cctx, cert, privkey)))
7619 goto end;
8ce390e1
MC		 7620
7621# ifdef OPENSSL_NO_DTLS1_2
7622 /* Not supported in the FIPS provider */
7623 if (is_fips) {
7624 testresult = 1;
7625 goto end;
7626 };
7627 /*
7628 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7629 * level 0
7630 */
7631 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7632 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7633 "DEFAULT:@SECLEVEL=0")))
7634 goto end;
7635# endif
4a432af8
MC		 7636#else
7637 return 1;
7638#endif
7639 }
7640
7641 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7642 NULL, NULL))
7643 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7644 SSL_ERROR_NONE)))
7645 goto end;
7646
e8251092
MC		 7647 if (!TEST_int_eq(SSL_pending(clientssl), 0)
7648 || !TEST_false(SSL_has_pending(clientssl))
7649 || !TEST_int_eq(SSL_pending(serverssl), 0)
7650 || !TEST_false(SSL_has_pending(serverssl))
7651 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4a432af8
MC		 7652 || !TEST_size_t_eq(written, sizeof(msg))
7653 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
7654 || !TEST_size_t_eq(readbytes, sizeof(buf))
e8251092
MC		 7655 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
7656 || !TEST_true(SSL_has_pending(clientssl)))
4a432af8
MC		 7657 goto end;
7658
7659 testresult = 1;
7660
7661 end:
7662 SSL_free(serverssl);
7663 SSL_free(clientssl);
7664 SSL_CTX_free(sctx);
7665 SSL_CTX_free(cctx);
7666
7667 return testresult;
7668}
7669
e401389a
MC		 7670static struct {
7671 unsigned int maxprot;
7672 const char *clntciphers;
7673 const char *clnttls13ciphers;
7674 const char *srvrciphers;
7675 const char *srvrtls13ciphers;
7676 const char *shared;
a96e6c34 7677 const char *fipsshared;
e401389a 7678} shared_ciphers_data[] = {
60155b9a
MC		 7679/*
7680 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7681 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7682 */
a763ca11 7683#if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
e401389a
MC		 7684 {
7685 TLS1_2_VERSION,
7686 "AES128-SHA:AES256-SHA",
7687 NULL,
7688 "AES256-SHA:DHE-RSA-AES128-SHA",
7689 NULL,
a96e6c34 7690 "AES256-SHA",
e401389a
MC		 7691 "AES256-SHA"
7692 },
a96e6c34
MC		 7693# if !defined(OPENSSL_NO_CHACHA) \
7694 && !defined(OPENSSL_NO_POLY1305) \
7695 && !defined(OPENSSL_NO_EC)
7696 {
7697 TLS1_2_VERSION,
7698 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7699 NULL,
7700 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7701 NULL,
7702 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7703 "AES128-SHA"
7704 },
7705# endif
e401389a
MC		 7706 {
7707 TLS1_2_VERSION,
7708 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7709 NULL,
7710 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7711 NULL,
a96e6c34 7712 "AES128-SHA:AES256-SHA",
e401389a
MC		 7713 "AES128-SHA:AES256-SHA"
7714 },
7715 {
7716 TLS1_2_VERSION,
7717 "AES128-SHA:AES256-SHA",
7718 NULL,
7719 "AES128-SHA:DHE-RSA-AES128-SHA",
7720 NULL,
a96e6c34 7721 "AES128-SHA",
e401389a
MC		 7722 "AES128-SHA"
7723 },
60155b9a
MC		 7724#endif
7725/*
7726 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7727 * enabled.
7728 */
a763ca11 7729#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
60155b9a 7730 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e401389a
MC		 7731 {
7732 TLS1_3_VERSION,
7733 "AES128-SHA:AES256-SHA",
7734 NULL,
7735 "AES256-SHA:AES128-SHA256",
7736 NULL,
7737 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
a96e6c34
MC		 7738 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7739 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
e401389a 7740 },
60155b9a 7741#endif
a763ca11 7742#ifndef OSSL_NO_USABLE_TLS1_3
e401389a
MC		 7743 {
7744 TLS1_3_VERSION,
7745 "AES128-SHA",
7746 "TLS_AES_256_GCM_SHA384",
7747 "AES256-SHA",
7748 "TLS_AES_256_GCM_SHA384",
a96e6c34 7749 "TLS_AES_256_GCM_SHA384",
e401389a
MC		 7750 "TLS_AES_256_GCM_SHA384"
7751 },
7752#endif
7753};
7754
a96e6c34 7755static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
e401389a
MC		 7756{
7757 SSL_CTX *cctx = NULL, *sctx = NULL;
7758 SSL *clientssl = NULL, *serverssl = NULL;
7759 int testresult = 0;
7760 char buf[1024];
b4250010 7761 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
a96e6c34
MC		 7762
7763 if (!TEST_ptr(tmplibctx))
7764 goto end;
7765
7766 /*
7767 * Regardless of whether we're testing with the FIPS provider loaded into
7768 * libctx, we want one peer to always use the full set of ciphersuites
7769 * available. Therefore we use a separate libctx with the default provider
7770 * loaded into it. We run the same tests twice - once with the client side
7771 * having the full set of ciphersuites and once with the server side.
7772 */
7773 if (clnt) {
d8652be0 7774 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
a96e6c34
MC		 7775 if (!TEST_ptr(cctx))
7776 goto end;
7777 } else {
d8652be0 7778 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
a96e6c34
MC		 7779 if (!TEST_ptr(sctx))
7780 goto end;
7781 }
e401389a 7782
5e30f2fd 7783 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
e401389a
MC		 7784 TLS_client_method(),
7785 TLS1_VERSION,
7786 shared_ciphers_data[tst].maxprot,
7787 &sctx, &cctx, cert, privkey)))
7788 goto end;
7789
7790 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7791 shared_ciphers_data[tst].clntciphers))
7792 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
7793 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
7794 shared_ciphers_data[tst].clnttls13ciphers)))
7795 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
7796 shared_ciphers_data[tst].srvrciphers))
7797 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
7798 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
7799 shared_ciphers_data[tst].srvrtls13ciphers))))
7800 goto end;
7801
7802
7803 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7804 NULL, NULL))
7805 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7806 SSL_ERROR_NONE)))
7807 goto end;
7808
7809 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
a96e6c34
MC		 7810 || !TEST_int_eq(strcmp(buf,
7811 is_fips
7812 ? shared_ciphers_data[tst].fipsshared
7813 : shared_ciphers_data[tst].shared),
7814 0)) {
e401389a
MC		 7815 TEST_info("Shared ciphers are: %s\n", buf);
7816 goto end;
7817 }
7818
7819 testresult = 1;
7820
7821 end:
7822 SSL_free(serverssl);
7823 SSL_free(clientssl);
7824 SSL_CTX_free(sctx);
7825 SSL_CTX_free(cctx);
b4250010 7826 OSSL_LIB_CTX_free(tmplibctx);
e401389a
MC		 7827
7828 return testresult;
7829}
7830
a96e6c34
MC		 7831static int test_ssl_get_shared_ciphers(int tst)
7832{
7833 return int_test_ssl_get_shared_ciphers(tst, 0)
7834 && int_test_ssl_get_shared_ciphers(tst, 1);
7835}
7836
7837
d0191fe0 7838static const char *appdata = "Hello World";
61fb5923
MC		 7839static int gen_tick_called, dec_tick_called, tick_key_cb_called;
7840static int tick_key_renew = 0;
7841static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
d0191fe0
MC		 7842
7843static int gen_tick_cb(SSL *s, void *arg)
7844{
7845 gen_tick_called = 1;
7846
7847 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
7848 strlen(appdata));
7849}
7850
7851static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
7852 const unsigned char *keyname,
7853 size_t keyname_length,
61fb5923
MC		 7854 SSL_TICKET_STATUS status,
7855 void *arg)
d0191fe0
MC		 7856{
7857 void *tickdata;
7858 size_t tickdlen;
7859
7860 dec_tick_called = 1;
7861
61fb5923
MC		 7862 if (status == SSL_TICKET_EMPTY)
7863 return SSL_TICKET_RETURN_IGNORE_RENEW;
d0191fe0 7864
61fb5923
MC		 7865 if (!TEST_true(status == SSL_TICKET_SUCCESS
7866 || status == SSL_TICKET_SUCCESS_RENEW))
7867 return SSL_TICKET_RETURN_ABORT;
7868
7869 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
7870 &tickdlen))
d0191fe0
MC		 7871 || !TEST_size_t_eq(tickdlen, strlen(appdata))
7872 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
61fb5923 7873 return SSL_TICKET_RETURN_ABORT;
d0191fe0 7874
61fb5923
MC		 7875 if (tick_key_cb_called) {
7876 /* Don't change what the ticket key callback wanted to do */
7877 switch (status) {
7878 case SSL_TICKET_NO_DECRYPT:
7879 return SSL_TICKET_RETURN_IGNORE_RENEW;
7880
7881 case SSL_TICKET_SUCCESS:
7882 return SSL_TICKET_RETURN_USE;
d0191fe0 7883
61fb5923
MC		 7884 case SSL_TICKET_SUCCESS_RENEW:
7885 return SSL_TICKET_RETURN_USE_RENEW;
7886
7887 default:
7888 return SSL_TICKET_RETURN_ABORT;
7889 }
7890 }
7891 return tick_dec_ret;
7892
7893}
d0191fe0 7894
a76ce286 7895#ifndef OPENSSL_NO_DEPRECATED_3_0
d0191fe0
MC		 7896static int tick_key_cb(SSL *s, unsigned char key_name[16],
7897 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
7898 HMAC_CTX *hctx, int enc)
7899{
7900 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7901 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
3b7a3241
MC		 7902 EVP_CIPHER *aes128cbc;
7903 EVP_MD *sha256;
5e30f2fd 7904 int ret;
d0191fe0 7905
61fb5923 7906 tick_key_cb_called = 1;
3b7a3241
MC		 7907
7908 if (tick_key_renew == -1)
7909 return 0;
7910
7911 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7912 if (!TEST_ptr(aes128cbc))
7913 return 0;
7914 sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
7915 if (!TEST_ptr(sha256)) {
7916 EVP_CIPHER_free(aes128cbc);
7917 return 0;
7918 }
7919
d0191fe0
MC		 7920 memset(iv, 0, AES_BLOCK_SIZE);
7921 memset(key_name, 0, 16);
5e30f2fd
MC		 7922 if (aes128cbc == NULL
7923 || sha256 == NULL
7924 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7925 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
7926 NULL))
7927 ret = -1;
7928 else
7929 ret = tick_key_renew ? 2 : 1;
d0191fe0 7930
5e30f2fd
MC		 7931 EVP_CIPHER_free(aes128cbc);
7932 EVP_MD_free(sha256);
7933
7934 return ret;
d0191fe0 7935}
a76ce286
P		 7936#endif
7937
7938static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
7939 unsigned char iv[EVP_MAX_IV_LENGTH],
7940 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
7941{
7942 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7943 unsigned char tick_hmac_key[16] = "0123456789abcdef";
77e4ae58 7944 OSSL_PARAM params[2];
3b7a3241 7945 EVP_CIPHER *aes128cbc;
5e30f2fd 7946 int ret;
a76ce286
P		 7947
7948 tick_key_cb_called = 1;
3b7a3241
MC		 7949
7950 if (tick_key_renew == -1)
7951 return 0;
7952
7953 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7954 if (!TEST_ptr(aes128cbc))
7955 return 0;
7956
a76ce286
P		 7957 memset(iv, 0, AES_BLOCK_SIZE);
7958 memset(key_name, 0, 16);
7959 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
7960 "SHA256", 0);
77e4ae58 7961 params[1] = OSSL_PARAM_construct_end();
5e30f2fd
MC		 7962 if (aes128cbc == NULL
7963 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
77e4ae58
P		 7964 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
7965 params))
5e30f2fd
MC		 7966 ret = -1;
7967 else
7968 ret = tick_key_renew ? 2 : 1;
7969
7970 EVP_CIPHER_free(aes128cbc);
a76ce286 7971
5e30f2fd 7972 return ret;
a76ce286 7973}
d0191fe0
MC		 7974
7975/*
7976 * Test the various ticket callbacks
61fb5923
MC		 7977 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
7978 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
7979 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
7980 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
7981 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
7982 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
7983 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
7984 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
a76ce286
P		 7985 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
7986 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
7987 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
7988 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
3b7a3241
MC		 7989 * Test 12: TLSv1.2, old ticket key callback, no ticket
7990 * Test 13: TLSv1.3, old ticket key callback, no ticket
7991 * Test 14: TLSv1.2, ticket key callback, ticket, no renewal
7992 * Test 15: TLSv1.3, ticket key callback, ticket, no renewal
7993 * Test 16: TLSv1.2, ticket key callback, ticket, renewal
7994 * Test 17: TLSv1.3, ticket key callback, ticket, renewal
7995 * Test 18: TLSv1.2, ticket key callback, no ticket
7996 * Test 19: TLSv1.3, ticket key callback, no ticket
d0191fe0
MC		 7997 */
7998static int test_ticket_callbacks(int tst)
7999{
8000 SSL_CTX *cctx = NULL, *sctx = NULL;
8001 SSL *clientssl = NULL, *serverssl = NULL;
8002 SSL_SESSION *clntsess = NULL;
8003 int testresult = 0;
8004
8005#ifdef OPENSSL_NO_TLS1_2
ba8b48e9 8006 if (tst % 2 == 0)
d0191fe0
MC		 8007 return 1;
8008#endif
a763ca11 8009#ifdef OSSL_NO_USABLE_TLS1_3
ba8b48e9 8010 if (tst % 2 == 1)
d0191fe0
MC		 8011 return 1;
8012#endif
a76ce286 8013#ifdef OPENSSL_NO_DEPRECATED_3_0
3b7a3241 8014 if (tst >= 8 && tst <= 13)
a76ce286
P		 8015 return 1;
8016#endif
d0191fe0 8017
61fb5923 8018 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
d0191fe0
MC		 8019
8020 /* Which tests the ticket key callback should request renewal for */
3b7a3241
MC		 8021
8022 if (tst == 10 || tst == 11 || tst == 16 || tst == 17)
61fb5923 8023 tick_key_renew = 1;
3b7a3241
MC		 8024 else if (tst == 12 || tst == 13 || tst == 18 || tst == 19)
8025 tick_key_renew = -1; /* abort sending the ticket/0-length ticket */
d0191fe0 8026 else
61fb5923
MC		 8027 tick_key_renew = 0;
8028
8029 /* Which tests the decrypt ticket callback should request renewal for */
8030 switch (tst) {
8031 case 0:
8032 case 1:
8033 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
8034 break;
8035
8036 case 2:
8037 case 3:
8038 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
8039 break;
8040
8041 case 4:
8042 case 5:
8043 tick_dec_ret = SSL_TICKET_RETURN_USE;
8044 break;
8045
8046 case 6:
8047 case 7:
8048 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
8049 break;
8050
8051 default:
8052 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
8053 }
d0191fe0 8054
5e30f2fd 8055 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
d0191fe0
MC		 8056 TLS_client_method(),
8057 TLS1_VERSION,
61fb5923
MC		 8058 ((tst % 2) == 0) ? TLS1_2_VERSION
8059 : TLS1_3_VERSION,
d0191fe0
MC		 8060 &sctx, &cctx, cert, privkey)))
8061 goto end;
8062
61fb5923
MC		 8063 /*
8064 * We only want sessions to resume from tickets - not the session cache. So
8065 * switch the cache off.
8066 */
8067 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
8068 goto end;
8069
d0191fe0
MC		 8070 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
8071 NULL)))
8072 goto end;
8073
3b7a3241 8074 if (tst >= 14) {
a76ce286
P		 8075 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
8076 goto end;
8077#ifndef OPENSSL_NO_DEPRECATED_3_0
8078 } else if (tst >= 8) {
8079 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
8080 goto end;
8081#endif
8082 }
d0191fe0
MC		 8083
8084 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8085 NULL, NULL))
8086 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8087 SSL_ERROR_NONE)))
8088 goto end;
8089
61fb5923
MC		 8090 /*
8091 * The decrypt ticket key callback in TLSv1.2 should be called even though
8092 * we have no ticket yet, because it gets called with a status of
8093 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
8094 * actually send any ticket data). This does not happen in TLSv1.3 because
8095 * it is not valid to send empty ticket data in TLSv1.3.
8096 */
d0191fe0 8097 if (!TEST_int_eq(gen_tick_called, 1)
61fb5923 8098 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
d0191fe0
MC		 8099 goto end;
8100
8101 gen_tick_called = dec_tick_called = 0;
8102
8103 clntsess = SSL_get1_session(clientssl);
8104 SSL_shutdown(clientssl);
8105 SSL_shutdown(serverssl);
8106 SSL_free(serverssl);
8107 SSL_free(clientssl);
8108 serverssl = clientssl = NULL;
8109
8110 /* Now do a resumption */
8111 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8112 NULL))
8113 || !TEST_true(SSL_set_session(clientssl, clntsess))
8114 || !TEST_true(create_ssl_connection(serverssl, clientssl,
61fb5923 8115 SSL_ERROR_NONE)))
d0191fe0
MC		 8116 goto end;
8117
61fb5923 8118 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
3b7a3241
MC		 8119 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8120 || tick_key_renew == -1) {
61fb5923
MC		 8121 if (!TEST_false(SSL_session_reused(clientssl)))
8122 goto end;
8123 } else {
8124 if (!TEST_true(SSL_session_reused(clientssl)))
8125 goto end;
8126 }
8127
d0191fe0 8128 if (!TEST_int_eq(gen_tick_called,
61fb5923
MC		 8129 (tick_key_renew
8130 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8131 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
8132 ? 1 : 0)
3b7a3241
MC		 8133 /* There is no ticket to decrypt in tests 13 and 19 */
8134 || !TEST_int_eq(dec_tick_called, (tst == 13 || tst == 19) ? 0 : 1))
d0191fe0
MC		 8135 goto end;
8136
8137 testresult = 1;
8138
8139 end:
8140 SSL_SESSION_free(clntsess);
8141 SSL_free(serverssl);
8142 SSL_free(clientssl);
8143 SSL_CTX_free(sctx);
8144 SSL_CTX_free(cctx);
8145
8146 return testresult;
8147}
8148
e638112e
DB		 8149/*
8150 * Test incorrect shutdown.
8151 * Test 0: client does not shutdown properly,
8152 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
8153 * server should get SSL_ERROR_SSL
8154 * Test 1: client does not shutdown properly,
8155 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
8156 * server should get SSL_ERROR_ZERO_RETURN
8157 */
8158static int test_incorrect_shutdown(int tst)
8159{
8160 SSL_CTX *cctx = NULL, *sctx = NULL;
8161 SSL *clientssl = NULL, *serverssl = NULL;
8162 int testresult = 0;
8163 char buf[80];
8164 BIO *c2s;
8165
8166 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8167 TLS_client_method(), 0, 0,
8168 &sctx, &cctx, cert, privkey)))
8169 goto end;
8170
8171 if (tst == 1)
8172 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
8173
8174 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8175 NULL, NULL)))
8176 goto end;
8177
8178 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8179 SSL_ERROR_NONE)))
8180 goto end;
8181
8182 c2s = SSL_get_rbio(serverssl);
8183 BIO_set_mem_eof_return(c2s, 0);
8184
8185 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
8186 goto end;
8187
8188 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
8189 goto end;
8190 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
8191 goto end;
8192
8193 testresult = 1;
8194
8195 end:
8196 SSL_free(serverssl);
8197 SSL_free(clientssl);
8198 SSL_CTX_free(sctx);
8199 SSL_CTX_free(cctx);
8200
8201 return testresult;
8202}
8203
c748834f
MC		 8204/*
8205 * Test bi-directional shutdown.
8206 * Test 0: TLSv1.2
8207 * Test 1: TLSv1.2, server continues to read/write after client shutdown
8208 * Test 2: TLSv1.3, no pending NewSessionTicket messages
8209 * Test 3: TLSv1.3, pending NewSessionTicket messages
80eff008
KR		 8210 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
8211 * sends key update, client reads it
57d7b988
MC		 8212 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
8213 * sends CertificateRequest, client reads and ignores it
8214 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
c748834f
MC		 8215 * doesn't read it
8216 */
8217static int test_shutdown(int tst)
8218{
8219 SSL_CTX *cctx = NULL, *sctx = NULL;
8220 SSL *clientssl = NULL, *serverssl = NULL;
8221 int testresult = 0;
8222 char msg[] = "A test message";
8223 char buf[80];
8224 size_t written, readbytes;
80eff008 8225 SSL_SESSION *sess;
c748834f
MC		 8226
8227#ifdef OPENSSL_NO_TLS1_2
a97d19f7 8228 if (tst <= 1)
c748834f
MC		 8229 return 1;
8230#endif
a763ca11 8231#ifdef OSSL_NO_USABLE_TLS1_3
a97d19f7 8232 if (tst >= 2)
c748834f
MC		 8233 return 1;
8234#endif
8235
5e30f2fd 8236 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
c748834f
MC		 8237 TLS_client_method(),
8238 TLS1_VERSION,
8239 (tst <= 1) ? TLS1_2_VERSION
8240 : TLS1_3_VERSION,
57d7b988
MC		 8241 &sctx, &cctx, cert, privkey)))
8242 goto end;
8243
8244 if (tst == 5)
8245 SSL_CTX_set_post_handshake_auth(cctx, 1);
8246
8247 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
c748834f
MC		 8248 NULL, NULL)))
8249 goto end;
8250
8251 if (tst == 3) {
8252 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
26dad42e 8253 SSL_ERROR_NONE, 1, 0))
80eff008
KR		 8254 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8255 || !TEST_false(SSL_SESSION_is_resumable(sess)))
c748834f
MC		 8256 goto end;
8257 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
80eff008
KR		 8258 SSL_ERROR_NONE))
8259 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8260 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
c748834f
MC		 8261 goto end;
8262 }
8263
8264 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8265 goto end;
8266
8267 if (tst >= 4) {
8268 /*
8269 * Reading on the server after the client has sent close_notify should
8270 * fail and provide SSL_ERROR_ZERO_RETURN
8271 */
8272 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
8273 || !TEST_int_eq(SSL_get_error(serverssl, 0),
8274 SSL_ERROR_ZERO_RETURN)
8275 || !TEST_int_eq(SSL_get_shutdown(serverssl),
8276 SSL_RECEIVED_SHUTDOWN)
8277 /*
8278 * Even though we're shutdown on receive we should still be
8279 * able to write.
8280 */
80eff008
KR		 8281 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8282 goto end;
57d7b988
MC		 8283 if (tst == 4
8284 && !TEST_true(SSL_key_update(serverssl,
8285 SSL_KEY_UPDATE_REQUESTED)))
8286 goto end;
8287 if (tst == 5) {
8288 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
8289 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
8290 goto end;
8291 }
8292 if ((tst == 4 || tst == 5)
8293 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
80eff008
KR		 8294 goto end;
8295 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
c748834f 8296 goto end;
57d7b988 8297 if (tst == 4 || tst == 5) {
80eff008 8298 /* Should still be able to read data from server */
c748834f 8299 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
80eff008
KR		 8300 &readbytes))
8301 || !TEST_size_t_eq(readbytes, sizeof(msg))
8302 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
8303 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8304 &readbytes))
c748834f
MC		 8305 || !TEST_size_t_eq(readbytes, sizeof(msg))
8306 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
8307 goto end;
8308 }
8309 }
8310
8311 /* Writing on the client after sending close_notify shouldn't be possible */
ba709049 8312 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
c748834f
MC		 8313 goto end;
8314
8315 if (tst < 4) {
8316 /*
8317 * For these tests the client has sent close_notify but it has not yet
8318 * been received by the server. The server has not sent close_notify
8319 * yet.
8320 */
8321 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
ba709049
MC		 8322 /*
8323 * Writing on the server after sending close_notify shouldn't
8324 * be possible.
8325 */
8326 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
c748834f 8327 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
80eff008
KR		 8328 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8329 || !TEST_true(SSL_SESSION_is_resumable(sess))
c748834f
MC		 8330 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
8331 goto end;
57d7b988 8332 } else if (tst == 4 || tst == 5) {
c748834f
MC		 8333 /*
8334 * In this test the client has sent close_notify and it has been
8335 * received by the server which has responded with a close_notify. The
358ffa05 8336 * client needs to read the close_notify sent by the server.
c748834f 8337 */
80eff008
KR		 8338 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
8339 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8340 || !TEST_true(SSL_SESSION_is_resumable(sess)))
c748834f 8341 goto end;
358ffa05
MC		 8342 } else {
8343 /*
57d7b988 8344 * tst == 6
358ffa05
MC		 8345 *
8346 * The client has sent close_notify and is expecting a close_notify
8347 * back, but instead there is application data first. The shutdown
8348 * should fail with a fatal error.
8349 */
8350 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
8351 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
8352 goto end;
c748834f
MC		 8353 }
8354
8355 testresult = 1;
8356
8357 end:
8358 SSL_free(serverssl);
8359 SSL_free(clientssl);
8360 SSL_CTX_free(sctx);
8361 SSL_CTX_free(cctx);
8362
8363 return testresult;
8364}
8365
cbf965b4
MC		 8366/*
8367 * Test that sending close_notify alerts works correctly in the case of a
8368 * retryable write failure.
8369 */
8370static int test_async_shutdown(void)
8371{
8372 SSL_CTX *cctx = NULL, *sctx = NULL;
8373 SSL *clientssl = NULL, *serverssl = NULL;
8374 int testresult = 0;
8375 BIO *bretry = BIO_new(bio_s_always_retry()), *tmp = NULL;
8376
8377 if (!TEST_ptr(bretry))
8378 goto end;
8379
8380 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8381 TLS_client_method(),
8382 0, 0,
8383 &sctx, &cctx, cert, privkey)))
8384 goto end;
8385
8386 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8387 NULL)))
8388 goto end;
8389
8390 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8391 goto end;
8392
8393 /* Close write side of clientssl */
8394 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8395 goto end;
8396
8397 tmp = SSL_get_wbio(serverssl);
8398 if (!TEST_true(BIO_up_ref(tmp))) {
8399 tmp = NULL;
8400 goto end;
8401 }
8402 SSL_set0_wbio(serverssl, bretry);
8403 bretry = NULL;
8404
8405 /* First server shutdown should fail because of a retrable write failure */
8406 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8407 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8408 goto end;
8409
8410 /* Second server shutdown should fail for the same reason */
8411 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8412 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8413 goto end;
8414
8415 SSL_set0_wbio(serverssl, tmp);
8416 tmp = NULL;
8417
8418 /* Third server shutdown should send close_notify */
8419 if (!TEST_int_eq(SSL_shutdown(serverssl), 0))
8420 goto end;
8421
8422 /* Fourth server shutdown should read close_notify from client and finish */
8423 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8424 goto end;
8425
8426 /* Client should also successfully fully shutdown */
8427 if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
8428 goto end;
8429
8430 testresult = 1;
8431 end:
8432 SSL_free(serverssl);
8433 SSL_free(clientssl);
8434 SSL_CTX_free(sctx);
8435 SSL_CTX_free(cctx);
8436 BIO_free(bretry);
8437 BIO_free(tmp);
8438
8439 return testresult;
8440}
8441
a763ca11 8442#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
cd6fe29f
MC		 8443static int cert_cb_cnt;
8444
8445static int cert_cb(SSL *s, void *arg)
8446{
8447 SSL_CTX *ctx = (SSL_CTX *)arg;
7cb8fb07
BK		 8448 BIO *in = NULL;
8449 EVP_PKEY *pkey = NULL;
1a2a3a42
MC		 8450 X509 *x509 = NULL, *rootx = NULL;
8451 STACK_OF(X509) *chain = NULL;
8452 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
8453 int ret = 0;
cd6fe29f
MC		 8454
8455 if (cert_cb_cnt == 0) {
8456 /* Suspend the handshake */
8457 cert_cb_cnt++;
8458 return -1;
8459 } else if (cert_cb_cnt == 1) {
8460 /*
8461 * Update the SSL_CTX, set the certificate and private key and then
8462 * continue the handshake normally.
8463 */
8464 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
8465 return 0;
8466
8467 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
8468 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
8469 SSL_FILETYPE_PEM))
8470 || !TEST_true(SSL_check_private_key(s)))
8471 return 0;
8472 cert_cb_cnt++;
8473 return 1;
7cb8fb07
BK		 8474 } else if (cert_cb_cnt == 3) {
8475 int rv;
1a2a3a42
MC		 8476
8477 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
8478 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8479 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8480 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
8481 goto out;
8482 chain = sk_X509_new_null();
8483 if (!TEST_ptr(chain))
8484 goto out;
7cb8fb07 8485 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
e3f03624 8486 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
d8652be0 8487 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
6725682d 8488 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
1a2a3a42
MC		 8489 || !TEST_true(sk_X509_push(chain, rootx)))
8490 goto out;
8491 rootx = NULL;
8492 BIO_free(in);
8493 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
e3f03624 8494 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
d8652be0 8495 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
6725682d 8496 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
7cb8fb07
BK		 8497 goto out;
8498 BIO_free(in);
8499 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
e3f03624 8500 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
5f2b7db0
RL		 8501 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8502 NULL, NULL,
8503 libctx, NULL)))
7cb8fb07 8504 goto out;
1a2a3a42 8505 rv = SSL_check_chain(s, x509, pkey, chain);
7cb8fb07
BK		 8506 /*
8507 * If the cert doesn't show as valid here (e.g., because we don't
8508 * have any shared sigalgs), then we will not set it, and there will
8509 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8510 * will cause tls_choose_sigalgs() to fail the connection.
8511 */
1a2a3a42
MC		 8512 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8513 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7cb8fb07
BK		 8514 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8515 goto out;
8516 }
1a2a3a42
MC		 8517
8518 ret = 1;
cd6fe29f
MC		 8519 }
8520
8521 /* Abort the handshake */
7cb8fb07 8522 out:
1a2a3a42
MC		 8523 OPENSSL_free(ecdsacert);
8524 OPENSSL_free(ecdsakey);
8525 OPENSSL_free(rootfile);
7cb8fb07
BK		 8526 BIO_free(in);
8527 EVP_PKEY_free(pkey);
8528 X509_free(x509);
1a2a3a42 8529 X509_free(rootx);
79b2a2f2 8530 OSSL_STACK_OF_X509_free(chain);
1a2a3a42 8531 return ret;
cd6fe29f
MC		 8532}
8533
8534/*
8535 * Test the certificate callback.
8536 * Test 0: Callback fails
8537 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8538 * Test 2: Success - SSL_set_SSL_CTX() in the callback
1a2a3a42
MC		 8539 * Test 3: Success - Call SSL_check_chain from the callback
8540 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8541 * chain
8542 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
cd6fe29f
MC		 8543 */
8544static int test_cert_cb_int(int prot, int tst)
8545{
8546 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8547 SSL *clientssl = NULL, *serverssl = NULL;
8548 int testresult = 0, ret;
8549
1a2a3a42
MC		 8550#ifdef OPENSSL_NO_EC
8551 /* We use an EC cert in these tests, so we skip in a no-ec build */
8552 if (tst >= 3)
8553 return 1;
8554#endif
8555
5e30f2fd 8556 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
cd6fe29f
MC		 8557 TLS_client_method(),
8558 TLS1_VERSION,
8559 prot,
8560 &sctx, &cctx, NULL, NULL)))
8561 goto end;
8562
8563 if (tst == 0)
8564 cert_cb_cnt = -1;
1a2a3a42 8565 else if (tst >= 3)
7cb8fb07 8566 cert_cb_cnt = 3;
cd6fe29f
MC		 8567 else
8568 cert_cb_cnt = 0;
1a2a3a42 8569
b0317df2 8570 if (tst == 2) {
7e1eda48 8571 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
b0317df2
JJ		 8572 if (!TEST_ptr(snictx))
8573 goto end;
8574 }
8575
cd6fe29f
MC		 8576 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8577
8578 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8579 NULL, NULL)))
8580 goto end;
8581
1a2a3a42
MC		 8582 if (tst == 4) {
8583 /*
8584 * We cause SSL_check_chain() to fail by specifying sig_algs that
8585 * the chain doesn't meet (the root uses an RSA cert)
8586 */
8587 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8588 "ecdsa_secp256r1_sha256")))
8589 goto end;
8590 } else if (tst == 5) {
8591 /*
8592 * We cause SSL_check_chain() to fail by specifying sig_algs that
8593 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8594 */
8595 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8596 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8597 goto end;
8598 }
8599
cd6fe29f 8600 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
1a2a3a42 8601 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7cb8fb07
BK		 8602 || (tst > 0
8603 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
cd6fe29f
MC		 8604 goto end;
8605 }
8606
8607 testresult = 1;
8608
8609 end:
8610 SSL_free(serverssl);
8611 SSL_free(clientssl);
8612 SSL_CTX_free(sctx);
8613 SSL_CTX_free(cctx);
8614 SSL_CTX_free(snictx);
8615
8616 return testresult;
8617}
7f1d923a 8618#endif
cd6fe29f
MC		 8619
8620static int test_cert_cb(int tst)
8621{
8622 int testresult = 1;
8623
8624#ifndef OPENSSL_NO_TLS1_2
8625 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8626#endif
a763ca11 8627#ifndef OSSL_NO_USABLE_TLS1_3
cd6fe29f
MC		 8628 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8629#endif
8630
8631 return testresult;
8632}
8633
6e46c065
MC		 8634static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8635{
8c2bfd25 8636 X509 *xcert;
6e46c065
MC		 8637 EVP_PKEY *privpkey;
8638 BIO *in = NULL;
6725682d 8639 BIO *priv_in = NULL;
6e46c065 8640
8c2bfd25
TS		 8641 /* Check that SSL_get0_peer_certificate() returns something sensible */
8642 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
6e46c065 8643 return 0;
6e46c065
MC		 8644
8645 in = BIO_new_file(cert, "r");
8646 if (!TEST_ptr(in))
8647 return 0;
8648
d8652be0 8649 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
6725682d
SL		 8650 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
8651 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
5f2b7db0
RL		 8652 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
8653 NULL, NULL,
8654 libctx, NULL)))
6725682d 8655 goto err;
6e46c065
MC		 8656
8657 *x509 = xcert;
8658 *pkey = privpkey;
8659
6725682d
SL		 8660 BIO_free(in);
8661 BIO_free(priv_in);
6e46c065 8662 return 1;
6725682d
SL		 8663err:
8664 X509_free(xcert);
8665 BIO_free(in);
8666 BIO_free(priv_in);
8667 return 0;
6e46c065
MC		 8668}
8669
6e46c065
MC		 8670static int test_client_cert_cb(int tst)
8671{
8672 SSL_CTX *cctx = NULL, *sctx = NULL;
8673 SSL *clientssl = NULL, *serverssl = NULL;
8674 int testresult = 0;
8675
8676#ifdef OPENSSL_NO_TLS1_2
8677 if (tst == 0)
8678 return 1;
8679#endif
a763ca11 8680#ifdef OSSL_NO_USABLE_TLS1_3
6e46c065
MC		 8681 if (tst == 1)
8682 return 1;
8683#endif
8684
5e30f2fd 8685 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6e46c065
MC		 8686 TLS_client_method(),
8687 TLS1_VERSION,
8688 tst == 0 ? TLS1_2_VERSION
8689 : TLS1_3_VERSION,
8690 &sctx, &cctx, cert, privkey)))
8691 goto end;
8692
8693 /*
8694 * Test that setting a client_cert_cb results in a client certificate being
8695 * sent.
8696 */
8697 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
8698 SSL_CTX_set_verify(sctx,
8699 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8700 verify_cb);
fb8c8359
MC		 8701
8702 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8703 NULL, NULL))
8704 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8705 SSL_ERROR_NONE)))
8706 goto end;
8707
8708 testresult = 1;
8709
8710 end:
8711 SSL_free(serverssl);
8712 SSL_free(clientssl);
8713 SSL_CTX_free(sctx);
8714 SSL_CTX_free(cctx);
8715
8716 return testresult;
8717}
8718
a763ca11 8719#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
fb8c8359
MC		 8720/*
8721 * Test setting certificate authorities on both client and server.
8722 *
8723 * Test 0: SSL_CTX_set0_CA_list() only
8724 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8725 * Test 2: Only SSL_CTX_set_client_CA_list()
8726 */
8727static int test_ca_names_int(int prot, int tst)
8728{
8729 SSL_CTX *cctx = NULL, *sctx = NULL;
8730 SSL *clientssl = NULL, *serverssl = NULL;
8731 int testresult = 0;
8732 size_t i;
8733 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
8734 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
8735 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
8736 const STACK_OF(X509_NAME) *sktmp = NULL;
8737
8738 for (i = 0; i < OSSL_NELEM(name); i++) {
8739 name[i] = X509_NAME_new();
8740 if (!TEST_ptr(name[i])
8741 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
8742 MBSTRING_ASC,
8743 (unsigned char *)
8744 strnames[i],
8745 -1, -1, 0)))
8746 goto end;
8747 }
8748
5e30f2fd 8749 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fb8c8359
MC		 8750 TLS_client_method(),
8751 TLS1_VERSION,
8752 prot,
8753 &sctx, &cctx, cert, privkey)))
8754 goto end;
8755
8756 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
8757
8758 if (tst == 0 || tst == 1) {
8759 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8760 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
8761 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
8762 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8763 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
8764 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
8765 goto end;
8766
8767 SSL_CTX_set0_CA_list(sctx, sk1);
8768 SSL_CTX_set0_CA_list(cctx, sk2);
8769 sk1 = sk2 = NULL;
8770 }
8771 if (tst == 1 || tst == 2) {
8772 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8773 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
8774 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
8775 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8776 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
8777 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
8778 goto end;
8779
8780 SSL_CTX_set_client_CA_list(sctx, sk1);
8781 SSL_CTX_set_client_CA_list(cctx, sk2);
8782 sk1 = sk2 = NULL;
8783 }
8784
6e46c065
MC		 8785 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8786 NULL, NULL))
8787 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8788 SSL_ERROR_NONE)))
8789 goto end;
8790
fb8c8359
MC		 8791 /*
8792 * We only expect certificate authorities to have been sent to the server
8793 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
8794 */
8795 sktmp = SSL_get0_peer_CA_list(serverssl);
8796 if (prot == TLS1_3_VERSION
8797 && (tst == 0 || tst == 1)) {
8798 if (!TEST_ptr(sktmp)
8799 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8800 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8801 name[0]), 0)
8802 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8803 name[1]), 0))
8804 goto end;
8805 } else if (!TEST_ptr_null(sktmp)) {
8806 goto end;
8807 }
8808
8809 /*
8810 * In all tests we expect certificate authorities to have been sent to the
8811 * client. However, SSL_set_client_CA_list() should override
8812 * SSL_set0_CA_list()
8813 */
8814 sktmp = SSL_get0_peer_CA_list(clientssl);
8815 if (!TEST_ptr(sktmp)
8816 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8817 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8818 name[tst == 0 ? 0 : 2]), 0)
8819 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8820 name[tst == 0 ? 1 : 3]), 0))
8821 goto end;
8822
6e46c065
MC		 8823 testresult = 1;
8824
8825 end:
8826 SSL_free(serverssl);
8827 SSL_free(clientssl);
8828 SSL_CTX_free(sctx);
8829 SSL_CTX_free(cctx);
fb8c8359
MC		 8830 for (i = 0; i < OSSL_NELEM(name); i++)
8831 X509_NAME_free(name[i]);
8832 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
8833 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
8834
8835 return testresult;
8836}
8837#endif
8838
8839static int test_ca_names(int tst)
8840{
8841 int testresult = 1;
8842
8843#ifndef OPENSSL_NO_TLS1_2
8844 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
8845#endif
a763ca11 8846#ifndef OSSL_NO_USABLE_TLS1_3
fb8c8359
MC		 8847 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
8848#endif
6e46c065
MC		 8849
8850 return testresult;
8851}
8852
0d2bfe52
SL		 8853#ifndef OPENSSL_NO_TLS1_2
8854static const char *multiblock_cipherlist_data[]=
8855{
8856 "AES128-SHA",
8857 "AES128-SHA256",
8858 "AES256-SHA",
8859 "AES256-SHA256",
8860};
8861
8862/* Reduce the fragment size - so the multiblock test buffer can be small */
8863# define MULTIBLOCK_FRAGSIZE 512
8864
8865static int test_multiblock_write(int test_index)
8866{
8867 static const char *fetchable_ciphers[]=
8868 {
8869 "AES-128-CBC-HMAC-SHA1",
8870 "AES-128-CBC-HMAC-SHA256",
8871 "AES-256-CBC-HMAC-SHA1",
8872 "AES-256-CBC-HMAC-SHA256"
8873 };
8874 const char *cipherlist = multiblock_cipherlist_data[test_index];
8875 const SSL_METHOD *smeth = TLS_server_method();
8876 const SSL_METHOD *cmeth = TLS_client_method();
8877 int min_version = TLS1_VERSION;
8878 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
8879 SSL_CTX *cctx = NULL, *sctx = NULL;
8880 SSL *clientssl = NULL, *serverssl = NULL;
8881 int testresult = 0;
8882
8883 /*
8884 * Choose a buffer large enough to perform a multi-block operation
8885 * i.e: write_len >= 4 * frag_size
8886 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8887 */
8888 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
8889 unsigned char buf[sizeof(msg)], *p = buf;
8890 size_t readbytes, written, len;
8891 EVP_CIPHER *ciph = NULL;
8892
8893 /*
8894 * Check if the cipher exists before attempting to use it since it only has
8895 * a hardware specific implementation.
8896 */
7c82a7a8 8897 ciph = EVP_CIPHER_fetch(libctx, fetchable_ciphers[test_index], "");
0d2bfe52
SL		 8898 if (ciph == NULL) {
8899 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
8900 return 1;
8901 }
8902 EVP_CIPHER_free(ciph);
8903
8904 /* Set up a buffer with some data that will be sent to the client */
8905 RAND_bytes(msg, sizeof(msg));
8906
5e30f2fd
MC		 8907 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
8908 max_version, &sctx, &cctx, cert,
8909 privkey)))
0d2bfe52
SL		 8910 goto end;
8911
8912 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
8913 goto end;
8914
8915 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8916 NULL, NULL)))
8917 goto end;
8918
8919 /* settings to force it to use AES-CBC-HMAC_SHA */
8920 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
8921 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
8922 goto end;
8923
8924 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8925 goto end;
8926
8927 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8928 || !TEST_size_t_eq(written, sizeof(msg)))
8929 goto end;
8930
8931 len = written;
8932 while (len > 0) {
8933 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
8934 goto end;
8935 p += readbytes;
8936 len -= readbytes;
8937 }
8938 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
8939 goto end;
8940
8941 testresult = 1;
8942end:
8943 SSL_free(serverssl);
8944 SSL_free(clientssl);
8945 SSL_CTX_free(sctx);
8946 SSL_CTX_free(cctx);
8947
8948 return testresult;
8949}
8950#endif /* OPENSSL_NO_TLS1_2 */
a43ce58f 8951
25959e04
TS		 8952static int test_session_timeout(int test)
8953{
8954 /*
8955 * Test session ordering and timeout
8956 * Can't explicitly test performance of the new code,
8957 * but can test to see if the ordering of the sessions
8958 * are correct, and they they are removed as expected
8959 */
8960 SSL_SESSION *early = NULL;
8961 SSL_SESSION *middle = NULL;
8962 SSL_SESSION *late = NULL;
8963 SSL_CTX *ctx;
8964 int testresult = 0;
8965 long now = (long)time(NULL);
8966#define TIMEOUT 10
8967
8968 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
8969 || !TEST_ptr(early = SSL_SESSION_new())
8970 || !TEST_ptr(middle = SSL_SESSION_new())
8971 || !TEST_ptr(late = SSL_SESSION_new()))
8972 goto end;
8973
8974 /* assign unique session ids */
8975 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8976 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
8977 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8978 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
8979 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8980 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
8981
8982 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8983 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8984 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8985 goto end;
8986
8987 /* Make sure they are all added */
8988 if (!TEST_ptr(early->prev)
8989 || !TEST_ptr(middle->prev)
8990 || !TEST_ptr(late->prev))
8991 goto end;
8992
8993 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
8994 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
8995 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
8996 goto end;
8997
8998 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
8999 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
9000 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
9001 goto end;
9002
9003 /* Make sure they are all still there */
9004 if (!TEST_ptr(early->prev)
9005 || !TEST_ptr(middle->prev)
9006 || !TEST_ptr(late->prev))
9007 goto end;
9008
9009 /* Make sure they are in the expected order */
9010 if (!TEST_ptr_eq(late->next, middle)
9011 || !TEST_ptr_eq(middle->next, early)
9012 || !TEST_ptr_eq(early->prev, middle)
9013 || !TEST_ptr_eq(middle->prev, late))
9014 goto end;
9015
9016 /* This should remove "early" */
9017 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
9018 if (!TEST_ptr_null(early->prev)
9019 || !TEST_ptr(middle->prev)
9020 || !TEST_ptr(late->prev))
9021 goto end;
9022
9023 /* This should remove "middle" */
9024 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
9025 if (!TEST_ptr_null(early->prev)
9026 || !TEST_ptr_null(middle->prev)
9027 || !TEST_ptr(late->prev))
9028 goto end;
9029
9030 /* This should remove "late" */
9031 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
9032 if (!TEST_ptr_null(early->prev)
9033 || !TEST_ptr_null(middle->prev)
9034 || !TEST_ptr_null(late->prev))
9035 goto end;
9036
9037 /* Add them back in again */
9038 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9039 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
9040 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
9041 goto end;
9042
9043 /* Make sure they are all added */
9044 if (!TEST_ptr(early->prev)
9045 || !TEST_ptr(middle->prev)
9046 || !TEST_ptr(late->prev))
9047 goto end;
9048
9049 /* This should remove all of them */
9050 SSL_CTX_flush_sessions(ctx, 0);
9051 if (!TEST_ptr_null(early->prev)
9052 || !TEST_ptr_null(middle->prev)
9053 || !TEST_ptr_null(late->prev))
9054 goto end;
9055
9056 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
9057 | SSL_CTX_get_session_cache_mode(ctx));
9058
9059 /* make sure |now| is NOT equal to the current time */
9060 now -= 10;
9061 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
9062 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9063 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
9064 goto end;
9065
9066 testresult = 1;
9067 end:
9068 SSL_CTX_free(ctx);
9069 SSL_SESSION_free(early);
9070 SSL_SESSION_free(middle);
9071 SSL_SESSION_free(late);
9072 return testresult;
9073}
9074
49ef3d07
MC		 9075/*
9076 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
9077 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
9078 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
9079 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
9080 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
9081 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
9082 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
9083 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
9084 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
9085 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
9086 */
9087static int test_servername(int tst)
9088{
9089 SSL_CTX *cctx = NULL, *sctx = NULL;
9090 SSL *clientssl = NULL, *serverssl = NULL;
9091 int testresult = 0;
9092 SSL_SESSION *sess = NULL;
9093 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
9094
9095#ifdef OPENSSL_NO_TLS1_2
9096 if (tst <= 4)
9097 return 1;
9098#endif
a763ca11 9099#ifdef OSSL_NO_USABLE_TLS1_3
49ef3d07
MC		 9100 if (tst >= 5)
9101 return 1;
9102#endif
9103
5e30f2fd 9104 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
49ef3d07
MC		 9105 TLS_client_method(),
9106 TLS1_VERSION,
9107 (tst <= 4) ? TLS1_2_VERSION
9108 : TLS1_3_VERSION,
9109 &sctx, &cctx, cert, privkey))
9110 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9111 NULL, NULL)))
9112 goto end;
9113
9114 if (tst != 1 && tst != 6) {
9115 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
9116 hostname_cb)))
9117 goto end;
9118 }
9119
9120 if (tst != 3 && tst != 8) {
9121 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9122 goto end;
9123 sexpectedhost = cexpectedhost = "goodhost";
9124 }
9125
9126 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9127 goto end;
9128
9129 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
9130 cexpectedhost)
9131 || !TEST_str_eq(SSL_get_servername(serverssl,
9132 TLSEXT_NAMETYPE_host_name),
9133 sexpectedhost))
9134 goto end;
9135
9136 /* Now repeat with a resumption handshake */
9137
9138 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
9139 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
9140 || !TEST_true(SSL_SESSION_is_resumable(sess))
9141 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
9142 goto end;
9143
9144 SSL_free(clientssl);
9145 SSL_free(serverssl);
9146 clientssl = serverssl = NULL;
9147
9148 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
9149 NULL)))
9150 goto end;
9151
9152 if (!TEST_true(SSL_set_session(clientssl, sess)))
9153 goto end;
9154
9155 sexpectedhost = cexpectedhost = "goodhost";
9156 if (tst == 2 || tst == 7) {
9157 /* Set an inconsistent hostname */
9158 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
9159 goto end;
9160 /*
9161 * In TLSv1.2 we expect the hostname from the original handshake, in
9162 * TLSv1.3 we expect the hostname from this handshake
9163 */
9164 if (tst == 7)
9165 sexpectedhost = cexpectedhost = "altgoodhost";
9166
9167 if (!TEST_str_eq(SSL_get_servername(clientssl,
9168 TLSEXT_NAMETYPE_host_name),
9169 "altgoodhost"))
9170 goto end;
9171 } else if (tst == 4 || tst == 9) {
9172 /*
9173 * A TLSv1.3 session does not associate a session with a servername,
9174 * but a TLSv1.2 session does.
9175 */
9176 if (tst == 9)
9177 sexpectedhost = cexpectedhost = NULL;
9178
9179 if (!TEST_str_eq(SSL_get_servername(clientssl,
9180 TLSEXT_NAMETYPE_host_name),
9181 cexpectedhost))
9182 goto end;
9183 } else {
9184 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9185 goto end;
9186 /*
9187 * In a TLSv1.2 resumption where the hostname was not acknowledged
9188 * we expect the hostname on the server to be empty. On the client we
9189 * return what was requested in this case.
9190 *
9191 * Similarly if the client didn't set a hostname on an original TLSv1.2
9192 * session but is now, the server hostname will be empty, but the client
9193 * is as we set it.
9194 */
9195 if (tst == 1 || tst == 3)
9196 sexpectedhost = NULL;
9197
9198 if (!TEST_str_eq(SSL_get_servername(clientssl,
9199 TLSEXT_NAMETYPE_host_name),
9200 "goodhost"))
9201 goto end;
9202 }
9203
9204 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9205 goto end;
9206
9207 if (!TEST_true(SSL_session_reused(clientssl))
9208 || !TEST_true(SSL_session_reused(serverssl))
9209 || !TEST_str_eq(SSL_get_servername(clientssl,
9210 TLSEXT_NAMETYPE_host_name),
9211 cexpectedhost)
9212 || !TEST_str_eq(SSL_get_servername(serverssl,
9213 TLSEXT_NAMETYPE_host_name),
9214 sexpectedhost))
9215 goto end;
9216
9217 testresult = 1;
9218
9219 end:
9220 SSL_SESSION_free(sess);
9221 SSL_free(serverssl);
9222 SSL_free(clientssl);
9223 SSL_CTX_free(sctx);
9224 SSL_CTX_free(cctx);
9225
9226 return testresult;
9227}
9228
b1fdbc68 9229#if !defined(OPENSSL_NO_EC) \
a763ca11 9230 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b3842539
MC		 9231/*
9232 * Test that if signature algorithms are not available, then we do not offer or
9233 * accept them.
9234 * Test 0: Two RSA sig algs available: both RSA sig algs shared
9235 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
9236 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
9237 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
9238 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
9239 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
9240 */
9241static int test_sigalgs_available(int idx)
9242{
9243 SSL_CTX *cctx = NULL, *sctx = NULL;
9244 SSL *clientssl = NULL, *serverssl = NULL;
9245 int testresult = 0;
b4250010
DMSP		 9246 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
9247 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
b3842539
MC		 9248 OSSL_PROVIDER *filterprov = NULL;
9249 int sig, hash;
9250
9251 if (!TEST_ptr(tmpctx))
9252 goto end;
9253
9254 if (idx != 0 && idx != 3) {
9255 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
9256 filter_provider_init)))
9257 goto end;
9258
9259 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
9260 if (!TEST_ptr(filterprov))
9261 goto end;
9262
9263 if (idx < 3) {
9264 /*
9265 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
9266 * or accepted for the peer that uses this libctx. Note that libssl
9267 * *requires* SHA2-256 to be available so we cannot disable that. We
9268 * also need SHA1 for our certificate.
9269 */
9270 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
9271 "SHA2-256:SHA1")))
9272 goto end;
9273 } else {
9274 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
9275 "ECDSA"))
9276 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
9277 "EC:X25519:X448")))
9278 goto end;
9279 }
9280
9281 if (idx == 1 || idx == 4)
9282 clientctx = tmpctx;
9283 else
9284 serverctx = tmpctx;
9285 }
9286
d8652be0
MC		 9287 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
9288 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9d2d857f
MC		 9289 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
9290 goto end;
b3842539 9291
b4c4a2c6
TM		 9292 if (idx != 5) {
9293 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9294 TLS_client_method(),
9295 TLS1_VERSION,
9296 0,
9297 &sctx, &cctx, cert, privkey)))
9298 goto end;
9299 } else {
9300 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9301 TLS_client_method(),
9302 TLS1_VERSION,
9303 0,
9304 &sctx, &cctx, cert2, privkey2)))
9305 goto end;
9306 }
b3842539 9307
b1fdbc68
MC		 9308 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
9309 if (idx < 4) {
9310 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9311 "ECDHE-RSA-AES128-GCM-SHA256")))
9312 goto end;
9313 } else {
9314 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9315 "ECDHE-ECDSA-AES128-GCM-SHA256")))
9316 goto end;
9317 }
9318
b3842539
MC		 9319 if (idx < 3) {
9320 if (!SSL_CTX_set1_sigalgs_list(cctx,
9321 "rsa_pss_rsae_sha384"
9322 ":rsa_pss_rsae_sha256")
9323 || !SSL_CTX_set1_sigalgs_list(sctx,
9324 "rsa_pss_rsae_sha384"
9325 ":rsa_pss_rsae_sha256"))
9326 goto end;
9327 } else {
9328 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
9329 || !SSL_CTX_set1_sigalgs_list(sctx,
9330 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
9331 goto end;
9332 }
9333
b4c4a2c6
TM		 9334 if (idx != 5
9335 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
9336 SSL_FILETYPE_PEM), 1)
b3842539
MC		 9337 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
9338 privkey2,
9339 SSL_FILETYPE_PEM), 1)
b4c4a2c6 9340 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
b3842539
MC		 9341 goto end;
9342
9343 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
b4c4a2c6 9344 NULL, NULL)))
b3842539
MC		 9345 goto end;
9346
9347 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9348 goto end;
9349
9350 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
9351 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
9352 NULL, NULL),
9353 (idx == 0 || idx == 3) ? 2 : 1))
9354 goto end;
9355
9356 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
9357 goto end;
9358
9359 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
9360 : NID_rsassaPss))
9361 goto end;
9362
b0001d0c 9363 testresult = filter_provider_check_clean_finish();
b3842539
MC		 9364
9365 end:
9366 SSL_free(serverssl);
9367 SSL_free(clientssl);
9368 SSL_CTX_free(sctx);
9369 SSL_CTX_free(cctx);
9370 OSSL_PROVIDER_unload(filterprov);
b4250010 9371 OSSL_LIB_CTX_free(tmpctx);
b3842539
MC		 9372
9373 return testresult;
9374}
b1fdbc68
MC		 9375#endif /*
9376 * !defined(OPENSSL_NO_EC) \
a763ca11 9377 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b1fdbc68 9378 */
b3842539 9379
0c13cdf8 9380#ifndef OPENSSL_NO_TLS1_3
a763ca11 9381/* This test can run in TLSv1.3 even if ec and dh are disabled */
c8e3a4c6 9382static int test_pluggable_group(int idx)
0c13cdf8
MC		 9383{
9384 SSL_CTX *cctx = NULL, *sctx = NULL;
9385 SSL *clientssl = NULL, *serverssl = NULL;
9386 int testresult = 0;
9387 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
146aebc6
MC		 9388 /* Check that we are not impacted by a provider without any groups */
9389 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
c8e3a4c6 9390 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
0c13cdf8 9391
5ae54dba 9392 if (!TEST_ptr(tlsprov))
0c13cdf8
MC		 9393 goto end;
9394
5ae54dba
MC		 9395 if (legacyprov == NULL) {
9396 /*
9397 * In this case we assume we've been built with "no-legacy" and skip
9398 * this test (there is no OPENSSL_NO_LEGACY)
9399 */
9400 testresult = 1;
9401 goto end;
9402 }
9403
0c13cdf8
MC		 9404 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9405 TLS_client_method(),
9406 TLS1_3_VERSION,
9407 TLS1_3_VERSION,
9408 &sctx, &cctx, cert, privkey))
9409 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9410 NULL, NULL)))
9411 goto end;
9412
c8e3a4c6
NT		 9413 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
9414 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
0c13cdf8
MC		 9415 goto end;
9416
9417 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9418 goto end;
9419
becbacd7
MB		 9420 if (!TEST_str_eq(group_name,
9421 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
9422 goto end;
9423
0c13cdf8
MC		 9424 testresult = 1;
9425
9426 end:
9427 SSL_free(serverssl);
9428 SSL_free(clientssl);
9429 SSL_CTX_free(sctx);
9430 SSL_CTX_free(cctx);
9431 OSSL_PROVIDER_unload(tlsprov);
146aebc6 9432 OSSL_PROVIDER_unload(legacyprov);
0c13cdf8
MC		 9433
9434 return testresult;
9435}
ee58915c
MB		 9436
9437/*
9438 * This function triggers encode, decode and sign functions
9439 * of the artificial "xorhmacsig" algorithm implemented in tls-provider
9440 * creating private key and certificate files for use in TLS testing.
9441 */
9442static int create_cert_key(int idx, char *certfilename, char *privkeyfilename)
9443{
9444 EVP_PKEY_CTX * evpctx = EVP_PKEY_CTX_new_from_name(libctx,
9445 (idx == 0) ? "xorhmacsig" : "xorhmacsha2sig", NULL);
9446 EVP_PKEY *pkey = NULL;
9447 X509 *x509 = X509_new();
9448 X509_NAME *name = NULL;
9449 BIO *keybio = NULL, *certbio = NULL;
9450 int ret = 1;
9451
9452 if (!TEST_ptr(evpctx)
9453 || !TEST_true(EVP_PKEY_keygen_init(evpctx))
9454 || !TEST_true(EVP_PKEY_generate(evpctx, &pkey))
9455 || !TEST_ptr(pkey)
9456 || !TEST_ptr(x509)
9457 || !TEST_true(ASN1_INTEGER_set(X509_get_serialNumber(x509), 1))
9458 || !TEST_true(X509_gmtime_adj(X509_getm_notBefore(x509), 0))
9459 || !TEST_true(X509_gmtime_adj(X509_getm_notAfter(x509), 31536000L))
9460 || !TEST_true(X509_set_pubkey(x509, pkey))
9461 || !TEST_ptr(name = X509_get_subject_name(x509))
9462 || !TEST_true(X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC,
9463 (unsigned char *)"CH", -1, -1, 0))
9464 || !TEST_true(X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
9465 (unsigned char *)"test.org", -1, -1, 0))
9466 || !TEST_true(X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
9467 (unsigned char *)"localhost", -1, -1, 0))
9468 || !TEST_true(X509_set_issuer_name(x509, name))
9469 || !TEST_true(X509_sign(x509, pkey, EVP_sha1()))
9470 || !TEST_ptr(keybio = BIO_new_file(privkeyfilename, "wb"))
9471 || !TEST_true(PEM_write_bio_PrivateKey(keybio, pkey, NULL, NULL, 0, NULL, NULL))
9472 || !TEST_ptr(certbio = BIO_new_file(certfilename, "wb"))
9473 || !TEST_true(PEM_write_bio_X509(certbio, x509)))
9474 ret = 0;
9475
9476 EVP_PKEY_free(pkey);
9477 X509_free(x509);
9478 EVP_PKEY_CTX_free(evpctx);
9479 BIO_free(keybio);
9480 BIO_free(certbio);
9481 return ret;
9482}
9483
9484/*
9485 * Test that signature algorithms loaded via the provider interface can
9486 * correctly establish a TLS (1.3) connection.
9487 * Test 0: Signature algorithm with built-in hashing functionality: "xorhmacsig"
9488 * Test 1: Signature algorithm using external SHA2 hashing: "xorhmacsha2sig"
9489 */
9490static int test_pluggable_signature(int idx)
9491{
9492 SSL_CTX *cctx = NULL, *sctx = NULL;
9493 SSL *clientssl = NULL, *serverssl = NULL;
9494 int testresult = 0;
9495 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
9496 OSSL_PROVIDER *defaultprov = OSSL_PROVIDER_load(libctx, "default");
9497 char *certfilename = "tls-prov-cert.pem";
9498 char *privkeyfilename = "tls-prov-key.pem";
9499
9500 /* create key and certificate for the different algorithm types */
9501 if (!TEST_ptr(tlsprov)
9502 || !TEST_true(create_cert_key(idx, certfilename, privkeyfilename)))
9503 goto end;
9504
9505 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9506 TLS_client_method(),
9507 TLS1_3_VERSION,
9508 TLS1_3_VERSION,
9509 &sctx, &cctx, certfilename, privkeyfilename))
9510 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9511 NULL, NULL)))
9512 goto end;
9513
9514 /* This is necessary to pass minimal setup w/o other groups configured */
9515 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup"))
9516 || !TEST_true(SSL_set1_groups_list(clientssl, "xorgroup")))
9517 goto end;
9518
9519 /*
9520 * If this connection gets established, it must have been completed
9521 * via the tls-provider-implemented "hmacsig" algorithm, testing
9522 * both sign and verify functions during handshake.
9523 */
9524 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9525 goto end;
9526
9527 testresult = 1;
9528
9529 end:
9530 SSL_free(serverssl);
9531 SSL_free(clientssl);
9532 SSL_CTX_free(sctx);
9533 SSL_CTX_free(cctx);
9534 OSSL_PROVIDER_unload(tlsprov);
9535 OSSL_PROVIDER_unload(defaultprov);
9536
9537 return testresult;
9538}
0c13cdf8 9539#endif
b3842539 9540
49a36a52
MC		 9541#ifndef OPENSSL_NO_TLS1_2
9542static int test_ssl_dup(void)
9543{
9544 SSL_CTX *cctx = NULL, *sctx = NULL;
9545 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
9546 int testresult = 0;
9547 BIO *rbio = NULL, *wbio = NULL;
9548
9549 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9550 TLS_client_method(),
9551 0,
9552 0,
9553 &sctx, &cctx, cert, privkey)))
9554 goto end;
9555
9556 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9557 NULL, NULL)))
9558 goto end;
9559
9560 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
9561 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
9562 goto end;
9563
9564 client2ssl = SSL_dup(clientssl);
9565 rbio = SSL_get_rbio(clientssl);
9566 if (!TEST_ptr(rbio)
9567 || !TEST_true(BIO_up_ref(rbio)))
9568 goto end;
9569 SSL_set0_rbio(client2ssl, rbio);
9570 rbio = NULL;
9571
9572 wbio = SSL_get_wbio(clientssl);
9573 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
9574 goto end;
9575 SSL_set0_wbio(client2ssl, wbio);
9576 rbio = NULL;
9577
9578 if (!TEST_ptr(client2ssl)
9579 /* Handshake not started so pointers should be different */
9580 || !TEST_ptr_ne(clientssl, client2ssl))
9581 goto end;
9582
9583 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
9584 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
9585 goto end;
9586
9587 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
9588 goto end;
9589
9590 SSL_free(clientssl);
9591 clientssl = SSL_dup(client2ssl);
9592 if (!TEST_ptr(clientssl)
9593 /* Handshake has finished so pointers should be the same */
9594 || !TEST_ptr_eq(clientssl, client2ssl))
9595 goto end;
9596
9597 testresult = 1;
9598
9599 end:
9600 SSL_free(serverssl);
9601 SSL_free(clientssl);
9602 SSL_free(client2ssl);
9603 SSL_CTX_free(sctx);
9604 SSL_CTX_free(cctx);
9605
9606 return testresult;
9607}
33c39a06
MC		 9608
9609# ifndef OPENSSL_NO_DH
9610
9611static EVP_PKEY *tmp_dh_params = NULL;
9612
9613/* Helper function for the test_set_tmp_dh() tests */
9614static EVP_PKEY *get_tmp_dh_params(void)
9615{
9616 if (tmp_dh_params == NULL) {
9617 BIGNUM *p = NULL;
9618 OSSL_PARAM_BLD *tmpl = NULL;
9619 EVP_PKEY_CTX *pctx = NULL;
9620 OSSL_PARAM *params = NULL;
9621 EVP_PKEY *dhpkey = NULL;
9622
9623 p = BN_get_rfc3526_prime_2048(NULL);
9624 if (!TEST_ptr(p))
9625 goto end;
9626
9627 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
9628 if (!TEST_ptr(pctx)
884400d7 9629 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
33c39a06
MC		 9630 goto end;
9631
9632 tmpl = OSSL_PARAM_BLD_new();
9633 if (!TEST_ptr(tmpl)
9634 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
9635 OSSL_PKEY_PARAM_FFC_P,
9636 p))
9637 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
9638 OSSL_PKEY_PARAM_FFC_G,
9639 2)))
9640 goto end;
9641
9642 params = OSSL_PARAM_BLD_to_param(tmpl);
9643 if (!TEST_ptr(params)
884400d7 9644 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
9645 EVP_PKEY_KEY_PARAMETERS,
9646 params), 1))
33c39a06
MC		 9647 goto end;
9648
9649 tmp_dh_params = dhpkey;
9650 end:
9651 BN_free(p);
9652 EVP_PKEY_CTX_free(pctx);
9653 OSSL_PARAM_BLD_free(tmpl);
3f883c7c 9654 OSSL_PARAM_free(params);
33c39a06
MC		 9655 }
9656
f1619160 9657 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
33c39a06
MC		 9658 return NULL;
9659
9660 return tmp_dh_params;
9661}
9662
39f3427d 9663# ifndef OPENSSL_NO_DEPRECATED_3_0
33c39a06
MC		 9664/* Callback used by test_set_tmp_dh() */
9665static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
9666{
9667 EVP_PKEY *dhpkey = get_tmp_dh_params();
9668 DH *ret = NULL;
9669
9670 if (!TEST_ptr(dhpkey))
9671 return NULL;
9672
7bc0fdd3
MC		 9673 /*
9674 * libssl does not free the returned DH, so we free it now knowing that even
9675 * after we free dhpkey, there will still be a reference to the owning
9676 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
9677 * of time we need it for.
9678 */
9679 ret = EVP_PKEY_get1_DH(dhpkey);
9680 DH_free(ret);
33c39a06
MC		 9681
9682 EVP_PKEY_free(dhpkey);
9683
9684 return ret;
9685}
9686# endif
9687
9688/*
9689 * Test the various methods for setting temporary DH parameters
9690 *
9691 * Test 0: Default (no auto) setting
9692 * Test 1: Explicit SSL_CTX auto off
9693 * Test 2: Explicit SSL auto off
9694 * Test 3: Explicit SSL_CTX auto on
9695 * Test 4: Explicit SSL auto on
9696 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
9697 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
9698 *
9699 * The following are testing deprecated APIs, so we only run them if available
9700 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
9701 * Test 8: Explicit SSL auto off, custom DH params via DH
9702 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
9703 * Test 10: Explicit SSL auto off, custom DH params via callback
9704 */
9705static int test_set_tmp_dh(int idx)
9706{
9707 SSL_CTX *cctx = NULL, *sctx = NULL;
9708 SSL *clientssl = NULL, *serverssl = NULL;
9709 int testresult = 0;
9710 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
9711 int expected = (idx <= 2) ? 0 : 1;
9712 EVP_PKEY *dhpkey = NULL;
9713# ifndef OPENSSL_NO_DEPRECATED_3_0
9714 DH *dh = NULL;
9715# else
9716
9717 if (idx >= 7)
9718 return 1;
9719# endif
9720
9721 if (idx >= 5 && idx <= 8) {
9722 dhpkey = get_tmp_dh_params();
9723 if (!TEST_ptr(dhpkey))
9724 goto end;
9725 }
9726# ifndef OPENSSL_NO_DEPRECATED_3_0
9727 if (idx == 7 || idx == 8) {
7bc0fdd3 9728 dh = EVP_PKEY_get1_DH(dhpkey);
33c39a06
MC		 9729 if (!TEST_ptr(dh))
9730 goto end;
9731 }
9732# endif
9733
9734 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9735 TLS_client_method(),
9736 0,
9737 0,
9738 &sctx, &cctx, cert, privkey)))
9739 goto end;
9740
9741 if ((idx & 1) == 1) {
9742 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
9743 goto end;
9744 }
9745
9746 if (idx == 5) {
9747 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
9748 goto end;
9749 dhpkey = NULL;
9750 }
9751# ifndef OPENSSL_NO_DEPRECATED_3_0
9752 else if (idx == 7) {
9753 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
9754 goto end;
9755 } else if (idx == 9) {
9756 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
9757 }
9758# endif
9759
9760 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9761 NULL, NULL)))
9762 goto end;
9763
9764 if ((idx & 1) == 0 && idx != 0) {
9765 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
9766 goto end;
9767 }
9768 if (idx == 6) {
9769 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
9770 goto end;
9771 dhpkey = NULL;
9772 }
9773# ifndef OPENSSL_NO_DEPRECATED_3_0
9774 else if (idx == 8) {
9775 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
9776 goto end;
9777 } else if (idx == 10) {
9778 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
9779 }
9780# endif
9781
9782 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9783 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9784 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
9785 goto end;
9786
9787 /*
9788 * If autoon then we should succeed. Otherwise we expect failure because
9789 * there are no parameters
9790 */
9791 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
9792 SSL_ERROR_NONE), expected))
9793 goto end;
9794
9795 testresult = 1;
9796
9797 end:
7bc0fdd3
MC		 9798# ifndef OPENSSL_NO_DEPRECATED_3_0
9799 DH_free(dh);
9800# endif
33c39a06
MC		 9801 SSL_free(serverssl);
9802 SSL_free(clientssl);
9803 SSL_CTX_free(sctx);
9804 SSL_CTX_free(cctx);
9805 EVP_PKEY_free(dhpkey);
9806
9807 return testresult;
9808}
3105d846
MC		 9809
9810/*
9811 * Test the auto DH keys are appropriately sized
9812 */
9813static int test_dh_auto(int idx)
9814{
61cab650
MC		 9815 SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
9816 SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
3105d846
MC		 9817 SSL *clientssl = NULL, *serverssl = NULL;
9818 int testresult = 0;
9819 EVP_PKEY *tmpkey = NULL;
9820 char *thiscert = NULL, *thiskey = NULL;
9821 size_t expdhsize = 0;
9822 const char *ciphersuite = "DHE-RSA-AES128-SHA";
9823
61cab650
MC		 9824 if (!TEST_ptr(sctx) || !TEST_ptr(cctx))
9825 goto end;
9826
3105d846
MC		 9827 switch (idx) {
9828 case 0:
9829 /* The FIPS provider doesn't support this DH size - so we ignore it */
61cab650
MC		 9830 if (is_fips) {
9831 testresult = 1;
9832 goto end;
9833 }
3105d846
MC		 9834 thiscert = cert1024;
9835 thiskey = privkey1024;
9836 expdhsize = 1024;
61cab650
MC		 9837 SSL_CTX_set_security_level(sctx, 1);
9838 SSL_CTX_set_security_level(cctx, 1);
3105d846
MC		 9839 break;
9840 case 1:
9841 /* 2048 bit prime */
9842 thiscert = cert;
9843 thiskey = privkey;
9844 expdhsize = 2048;
9845 break;
9846 case 2:
9847 thiscert = cert3072;
9848 thiskey = privkey3072;
9849 expdhsize = 3072;
9850 break;
9851 case 3:
9852 thiscert = cert4096;
9853 thiskey = privkey4096;
9854 expdhsize = 4096;
9855 break;
9856 case 4:
9857 thiscert = cert8192;
9858 thiskey = privkey8192;
9859 expdhsize = 8192;
9860 break;
9861 /* No certificate cases */
9862 case 5:
9863 /* The FIPS provider doesn't support this DH size - so we ignore it */
61cab650
MC		 9864 if (is_fips) {
9865 testresult = 1;
9866 goto end;
9867 }
3105d846
MC		 9868 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
9869 expdhsize = 1024;
9870 break;
9871 case 6:
9872 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
9873 expdhsize = 3072;
9874 break;
9875 default:
9876 TEST_error("Invalid text index");
9877 goto end;
9878 }
9879
61cab650
MC		 9880 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL,
9881 NULL,
3105d846
MC		 9882 0,
9883 0,
9884 &sctx, &cctx, thiscert, thiskey)))
9885 goto end;
9886
9887 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9888 NULL, NULL)))
9889 goto end;
9890
9891 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
9892 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9893 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9894 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
9895 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
9896 goto end;
9897
9898 /*
9899 * Send the server's first flight. At this point the server has created the
9900 * temporary DH key but hasn't finished using it yet. Once used it is
9901 * removed, so we cannot test it.
9902 */
9903 if (!TEST_int_le(SSL_connect(clientssl), 0)
9904 || !TEST_int_le(SSL_accept(serverssl), 0))
9905 goto end;
9906
9907 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
9908 goto end;
ed576acd 9909 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
3105d846
MC		 9910 goto end;
9911
9912 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9913 goto end;
9914
9915 testresult = 1;
9916
9917 end:
9918 SSL_free(serverssl);
9919 SSL_free(clientssl);
9920 SSL_CTX_free(sctx);
9921 SSL_CTX_free(cctx);
9922 EVP_PKEY_free(tmpkey);
9923
9924 return testresult;
9925
9926}
33c39a06
MC		 9927# endif /* OPENSSL_NO_DH */
9928#endif /* OPENSSL_NO_TLS1_2 */
49a36a52 9929
a763ca11 9930#ifndef OSSL_NO_USABLE_TLS1_3
6582661f
MC		 9931/*
9932 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
9933 * that it works even without a certificate configured for the original
9934 * SSL_CTX
9935 */
9936static int test_sni_tls13(void)
9937{
9938 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
9939 SSL *clientssl = NULL, *serverssl = NULL;
9940 int testresult = 0;
9941
9942 /* Reset callback counter */
9943 snicb = 0;
9944
9945 /* Create an initial SSL_CTX with no certificate configured */
9946 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9947 if (!TEST_ptr(sctx))
9948 goto end;
9949 /* Require TLSv1.3 as a minimum */
9950 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9951 TLS_client_method(), TLS1_3_VERSION, 0,
9952 &sctx2, &cctx, cert, privkey)))
9953 goto end;
9954
9955 /* Set up SNI */
9956 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
9957 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
9958 goto end;
9959
9960 /*
9961 * Connection should still succeed because the final SSL_CTX has the right
9962 * certificates configured.
9963 */
9964 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9965 &clientssl, NULL, NULL))
9966 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9967 SSL_ERROR_NONE)))
9968 goto end;
9969
9970 /* We should have had the SNI callback called exactly once */
9971 if (!TEST_int_eq(snicb, 1))
9972 goto end;
9973
9974 testresult = 1;
9975
9976end:
9977 SSL_free(serverssl);
9978 SSL_free(clientssl);
9979 SSL_CTX_free(sctx2);
9980 SSL_CTX_free(sctx);
9981 SSL_CTX_free(cctx);
9982 return testresult;
9983}
0089cc7f
TS		 9984
9985/*
9986 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
9987 * 0 = TLSv1.2
9988 * 1 = TLSv1.3
9989 */
9990static int test_ticket_lifetime(int idx)
9991{
9992 SSL_CTX *cctx = NULL, *sctx = NULL;
9993 SSL *clientssl = NULL, *serverssl = NULL;
9994 int testresult = 0;
9995 int version = TLS1_3_VERSION;
9996
9997#define ONE_WEEK_SEC (7 * 24 * 60 * 60)
9998#define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
9999
10000 if (idx == 0) {
40fb5a4c
TS		 10001#ifdef OPENSSL_NO_TLS1_2
10002 return TEST_skip("TLS 1.2 is disabled.");
10003#else
0089cc7f 10004 version = TLS1_2_VERSION;
40fb5a4c 10005#endif
0089cc7f
TS		 10006 }
10007
10008 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10009 TLS_client_method(), version, version,
10010 &sctx, &cctx, cert, privkey)))
10011 goto end;
10012
10013 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10014 &clientssl, NULL, NULL)))
10015 goto end;
10016
10017 /*
10018 * Set the timeout to be more than 1 week
10019 * make sure the returned value is the default
10020 */
10021 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
10022 SSL_get_default_timeout(serverssl)))
10023 goto end;
10024
10025 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10026 goto end;
10027
10028 if (idx == 0) {
10029 /* TLSv1.2 uses the set value */
10030 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
10031 goto end;
10032 } else {
10033 /* TLSv1.3 uses the limited value */
10034 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
10035 goto end;
10036 }
10037 testresult = 1;
10038
10039end:
10040 SSL_free(serverssl);
10041 SSL_free(clientssl);
10042 SSL_CTX_free(sctx);
10043 SSL_CTX_free(cctx);
10044 return testresult;
10045}
6582661f 10046#endif
feba11cf
TS		 10047/*
10048 * Test that setting an ALPN does not violate RFC
10049 */
10050static int test_set_alpn(void)
10051{
10052 SSL_CTX *ctx = NULL;
10053 SSL *ssl = NULL;
10054 int testresult = 0;
10055
10056 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
10057 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
10058 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
10059 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
10060 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
10061 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
10062
10063 /* Create an initial SSL_CTX with no certificate configured */
10064 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10065 if (!TEST_ptr(ctx))
10066 goto end;
10067
10068 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
10069 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
10070 goto end;
10071 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
10072 goto end;
10073 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
10074 goto end;
10075 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
10076 goto end;
10077 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
10078 goto end;
10079 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
10080 goto end;
10081 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
10082 goto end;
10083 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
10084 goto end;
10085 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
10086 goto end;
10087
10088 ssl = SSL_new(ctx);
10089 if (!TEST_ptr(ssl))
10090 goto end;
10091
10092 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
10093 goto end;
10094 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
10095 goto end;
10096 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
10097 goto end;
10098 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
10099 goto end;
10100 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
10101 goto end;
10102 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
10103 goto end;
10104 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
10105 goto end;
10106 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
10107 goto end;
10108 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
10109 goto end;
10110
10111 testresult = 1;
10112
10113end:
10114 SSL_free(ssl);
10115 SSL_CTX_free(ctx);
10116 return testresult;
10117}
6582661f 10118
948cf521
HL		 10119/*
10120 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
10121 */
10122static int test_set_verify_cert_store_ssl_ctx(void)
10123{
10124 SSL_CTX *ctx = NULL;
10125 int testresult = 0;
10126 X509_STORE *store = NULL, *new_store = NULL,
10127 *cstore = NULL, *new_cstore = NULL;
10128
10129 /* Create an initial SSL_CTX. */
10130 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10131 if (!TEST_ptr(ctx))
10132 goto end;
10133
10134 /* Retrieve verify store pointer. */
10135 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10136 goto end;
10137
10138 /* Retrieve chain store pointer. */
10139 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10140 goto end;
10141
10142 /* We haven't set any yet, so this should be NULL. */
10143 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10144 goto end;
10145
10146 /* Create stores. We use separate stores so pointers are different. */
10147 new_store = X509_STORE_new();
10148 if (!TEST_ptr(new_store))
10149 goto end;
10150
10151 new_cstore = X509_STORE_new();
10152 if (!TEST_ptr(new_cstore))
10153 goto end;
10154
10155 /* Set stores. */
10156 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
10157 goto end;
10158
10159 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
10160 goto end;
10161
10162 /* Should be able to retrieve the same pointer. */
10163 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10164 goto end;
10165
10166 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10167 goto end;
10168
10169 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10170 goto end;
10171
10172 /* Should be able to unset again. */
10173 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
10174 goto end;
10175
10176 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
10177 goto end;
10178
10179 /* Should now be NULL. */
10180 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10181 goto end;
10182
10183 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10184 goto end;
10185
10186 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10187 goto end;
10188
10189 testresult = 1;
10190
10191end:
10192 X509_STORE_free(new_store);
10193 X509_STORE_free(new_cstore);
10194 SSL_CTX_free(ctx);
10195 return testresult;
10196}
10197
10198/*
10199 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
10200 */
10201static int test_set_verify_cert_store_ssl(void)
10202{
10203 SSL_CTX *ctx = NULL;
10204 SSL *ssl = NULL;
10205 int testresult = 0;
10206 X509_STORE *store = NULL, *new_store = NULL,
10207 *cstore = NULL, *new_cstore = NULL;
10208
10209 /* Create an initial SSL_CTX. */
10210 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10211 if (!TEST_ptr(ctx))
10212 goto end;
10213
10214 /* Create an SSL object. */
10215 ssl = SSL_new(ctx);
10216 if (!TEST_ptr(ssl))
10217 goto end;
10218
10219 /* Retrieve verify store pointer. */
10220 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10221 goto end;
10222
10223 /* Retrieve chain store pointer. */
10224 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10225 goto end;
10226
10227 /* We haven't set any yet, so this should be NULL. */
10228 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10229 goto end;
10230
10231 /* Create stores. We use separate stores so pointers are different. */
10232 new_store = X509_STORE_new();
10233 if (!TEST_ptr(new_store))
10234 goto end;
10235
10236 new_cstore = X509_STORE_new();
10237 if (!TEST_ptr(new_cstore))
10238 goto end;
10239
10240 /* Set stores. */
10241 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
10242 goto end;
10243
10244 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
10245 goto end;
10246
10247 /* Should be able to retrieve the same pointer. */
10248 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10249 goto end;
10250
10251 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10252 goto end;
10253
10254 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10255 goto end;
10256
10257 /* Should be able to unset again. */
10258 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
10259 goto end;
10260
10261 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
10262 goto end;
10263
10264 /* Should now be NULL. */
10265 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10266 goto end;
10267
10268 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10269 goto end;
10270
10271 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10272 goto end;
10273
10274 testresult = 1;
10275
10276end:
10277 X509_STORE_free(new_store);
10278 X509_STORE_free(new_cstore);
10279 SSL_free(ssl);
10280 SSL_CTX_free(ctx);
10281 return testresult;
10282}
10283
10284
dfccfde0
CH		 10285static int test_inherit_verify_param(void)
10286{
10287 int testresult = 0;
10288
10289 SSL_CTX *ctx = NULL;
10290 X509_VERIFY_PARAM *cp = NULL;
10291 SSL *ssl = NULL;
10292 X509_VERIFY_PARAM *sp = NULL;
10293 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
10294
10295 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10296 if (!TEST_ptr(ctx))
10297 goto end;
10298
10299 cp = SSL_CTX_get0_param(ctx);
10300 if (!TEST_ptr(cp))
10301 goto end;
10302 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
10303 goto end;
10304
10305 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
10306
10307 ssl = SSL_new(ctx);
10308 if (!TEST_ptr(ssl))
10309 goto end;
10310
10311 sp = SSL_get0_param(ssl);
10312 if (!TEST_ptr(sp))
10313 goto end;
10314 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
10315 goto end;
10316
10317 testresult = 1;
10318
10319 end:
10320 SSL_free(ssl);
10321 SSL_CTX_free(ctx);
10322
10323 return testresult;
10324}
10325
b2b8d188
DF		 10326static int test_load_dhfile(void)
10327{
10328#ifndef OPENSSL_NO_DH
10329 int testresult = 0;
10330
10331 SSL_CTX *ctx = NULL;
10332 SSL_CONF_CTX *cctx = NULL;
10333
10334 if (dhfile == NULL)
10335 return 1;
10336
10337 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()))
10338 || !TEST_ptr(cctx = SSL_CONF_CTX_new()))
10339 goto end;
10340
10341 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
10342 SSL_CONF_CTX_set_flags(cctx,
10343 SSL_CONF_FLAG_CERTIFICATE
10344 | SSL_CONF_FLAG_SERVER
10345 | SSL_CONF_FLAG_FILE);
10346
10347 if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2))
10348 goto end;
10349
10350 testresult = 1;
10351end:
10352 SSL_CONF_CTX_free(cctx);
10353 SSL_CTX_free(ctx);
10354
10355 return testresult;
10356#else
10357 return TEST_skip("DH not supported by this build");
10358#endif
10359}
10360
f7565348
MC		 10361#ifndef OSSL_NO_USABLE_TLS1_3
10362/* Test that read_ahead works across a key change */
10363static int test_read_ahead_key_change(void)
10364{
10365 SSL_CTX *cctx = NULL, *sctx = NULL;
10366 SSL *clientssl = NULL, *serverssl = NULL;
10367 int testresult = 0;
10368 char *msg = "Hello World";
10369 size_t written, readbytes;
10370 char buf[80];
10371 int i;
10372
10373 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10374 TLS_client_method(), TLS1_3_VERSION, 0,
10375 &sctx, &cctx, cert, privkey)))
10376 goto end;
10377
10378 SSL_CTX_set_read_ahead(sctx, 1);
10379
10380 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10381 &clientssl, NULL, NULL)))
10382 goto end;
10383
10384 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10385 goto end;
10386
10387 /* Write some data, send a key update, write more data */
10388 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10389 || !TEST_size_t_eq(written, strlen(msg)))
10390 goto end;
10391
10392 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
10393 goto end;
10394
10395 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10396 || !TEST_size_t_eq(written, strlen(msg)))
10397 goto end;
10398
10399 /*
10400 * Since read_ahead is on the first read below should read the record with
10401 * the first app data, the second record with the key update message, and
10402 * the third record with the app data all in one go. We should be able to
10403 * still process the read_ahead data correctly even though it crosses
10404 * epochs
10405 */
10406 for (i = 0; i < 2; i++) {
10407 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10408 &readbytes)))
10409 goto end;
10410
10411 buf[readbytes] = '\0';
10412 if (!TEST_str_eq(buf, msg))
10413 goto end;
10414 }
10415
10416 testresult = 1;
10417
10418end:
10419 SSL_free(serverssl);
10420 SSL_free(clientssl);
10421 SSL_CTX_free(sctx);
10422 SSL_CTX_free(cctx);
10423 return testresult;
10424}
f3f8e53c
MC		 10425
10426static size_t record_pad_cb(SSL *s, int type, size_t len, void *arg)
10427{
10428 int *called = arg;
10429
10430 switch ((*called)++) {
10431 case 0:
10432 /* Add some padding to first record */
10433 return 512;
10434 case 1:
10435 /* Maximally pad the second record */
10436 return SSL3_RT_MAX_PLAIN_LENGTH - len;
10437 case 2:
10438 /*
10439 * Exceeding the maximum padding should be fine. It should just pad to
10440 * the maximum anyway
10441 */
10442 return SSL3_RT_MAX_PLAIN_LENGTH + 1 - len;
10443 case 3:
10444 /*
10445 * Very large padding should also be ok. Should just pad to the maximum
10446 * allowed
10447 */
10448 return SIZE_MAX;
10449 default:
10450 return 0;
10451 }
10452}
10453
10454/*
10455 * Test that setting record padding in TLSv1.3 works as expected
10456 * Test 0: Record padding callback on the SSL_CTX
10457 * Test 1: Record padding callback on the SSL
10458 * Test 2: Record block padding on the SSL_CTX
10459 * Test 3: Record block padding on the SSL
10460 */
10461static int test_tls13_record_padding(int idx)
10462{
10463 SSL_CTX *cctx = NULL, *sctx = NULL;
10464 SSL *clientssl = NULL, *serverssl = NULL;
10465 int testresult = 0;
10466 char *msg = "Hello World";
10467 size_t written, readbytes;
10468 char buf[80];
10469 int i;
10470 int called = 0;
10471
10472 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10473 TLS_client_method(), TLS1_3_VERSION, 0,
10474 &sctx, &cctx, cert, privkey)))
10475 goto end;
10476
10477 if (idx == 0) {
10478 SSL_CTX_set_record_padding_callback(cctx, record_pad_cb);
10479 SSL_CTX_set_record_padding_callback_arg(cctx, &called);
10480 if (!TEST_ptr_eq(SSL_CTX_get_record_padding_callback_arg(cctx), &called))
10481 goto end;
10482 } else if (idx == 2) {
10483 /* Exceeding the max plain length should fail */
10484 if (!TEST_false(SSL_CTX_set_block_padding(cctx,
10485 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10486 goto end;
10487 if (!TEST_true(SSL_CTX_set_block_padding(cctx, 512)))
10488 goto end;
10489 }
10490
10491 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10492 &clientssl, NULL, NULL)))
10493 goto end;
10494
10495 if (idx == 1) {
10496 SSL_set_record_padding_callback(clientssl, record_pad_cb);
10497 SSL_set_record_padding_callback_arg(clientssl, &called);
10498 if (!TEST_ptr_eq(SSL_get_record_padding_callback_arg(clientssl), &called))
10499 goto end;
10500 } else if (idx == 3) {
10501 /* Exceeding the max plain length should fail */
10502 if (!TEST_false(SSL_set_block_padding(clientssl,
10503 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10504 goto end;
10505 if (!TEST_true(SSL_set_block_padding(clientssl, 512)))
10506 goto end;
10507 }
10508
10509 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10510 goto end;
10511
10512 called = 0;
10513 /*
10514 * Write some data, then check we can read it. Do this four times to check
10515 * we can continue to write and read padded data after the initial record
10516 * padding has been added. We don't actually check that the padding has
10517 * been applied to the record - just that we can continue to communicate
10518 * normally and that the callback has been called (if appropriate).
10519 */
10520 for (i = 0; i < 4; i++) {
10521 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10522 || !TEST_size_t_eq(written, strlen(msg)))
10523 goto end;
10524
10525 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10526 &readbytes))
10527 || !TEST_size_t_eq(written, readbytes))
10528 goto end;
10529
10530 buf[readbytes] = '\0';
10531 if (!TEST_str_eq(buf, msg))
10532 goto end;
10533 }
10534
10535 if ((idx == 0 || idx == 1) && !TEST_int_eq(called, 4))
10536 goto end;
10537
10538 testresult = 1;
10539end:
10540 SSL_free(serverssl);
10541 SSL_free(clientssl);
10542 SSL_CTX_free(sctx);
10543 SSL_CTX_free(cctx);
10544 return testresult;
10545}
f7565348
MC		 10546#endif /* OSSL_NO_USABLE_TLS1_3 */
10547
b718f6fc
MC		 10548#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
10549/*
10550 * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not
10551 * support this yet. The only pipeline capable cipher that we have is in the
10552 * dasync engine (providers don't support this yet), so we have to use
10553 * deprecated APIs for this test.
10554 *
10555 * Test 0: Client has pipelining enabled, server does not
10556 * Test 1: Server has pipelining enabled, client does not
10557 * Test 2: Client has pipelining enabled, server does not: not enough data to
10558 * fill all the pipelines
10559 * Test 3: Client has pipelining enabled, server does not: not enough data to
10560 * fill all the pipelines by more than a full pipeline's worth
10561 * Test 4: Client has pipelining enabled, server does not: more data than all
10562 * the available pipelines can take
10563 * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline
10564 */
10565static int test_pipelining(int idx)
10566{
10567 SSL_CTX *cctx = NULL, *sctx = NULL;
10568 SSL *clientssl = NULL, *serverssl = NULL, *peera, *peerb;
10569 int testresult = 0, numreads;
10570 /* A 55 byte message */
10571 unsigned char *msg = (unsigned char *)
10572 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123";
10573 size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5;
10574 size_t expectedreads;
10575 unsigned char *buf = NULL;
10576 ENGINE *e;
10577
10578 if (!TEST_ptr(e = ENGINE_by_id("dasync")))
10579 return 0;
10580
10581 if (!TEST_true(ENGINE_init(e))) {
10582 ENGINE_free(e);
10583 return 0;
10584 }
10585
10586 if (!TEST_true(ENGINE_register_ciphers(e)))
10587 goto end;
10588
10589 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10590 TLS_client_method(), 0,
10591 TLS1_2_VERSION, &sctx, &cctx, cert,
10592 privkey)))
10593 goto end;
10594
10595 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10596 &clientssl, NULL, NULL)))
10597 goto end;
10598
10599 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES128-SHA")))
10600 goto end;
10601
10602 /* peera is always configured for pipelining, while peerb is not. */
10603 if (idx == 1) {
10604 peera = serverssl;
10605 peerb = clientssl;
10606
10607 } else {
10608 peera = clientssl;
10609 peerb = serverssl;
10610 }
10611
10612 if (idx == 5) {
10613 numpipes = 2;
10614 /* Maximum allowed fragment size */
10615 fragsize = SSL3_RT_MAX_PLAIN_LENGTH;
10616 msglen = fragsize * numpipes;
10617 msg = OPENSSL_malloc(msglen);
10618 if (!TEST_ptr(msg))
10619 goto end;
10620 if (!TEST_int_gt(RAND_bytes_ex(libctx, msg, msglen, 0), 0))
10621 goto end;
10622 } else if (idx == 4) {
10623 msglen = 55;
10624 } else {
10625 msglen = 50;
10626 }
10627 if (idx == 2)
10628 msglen -= 2; /* Send 2 less bytes */
10629 else if (idx == 3)
10630 msglen -= 12; /* Send 12 less bytes */
10631
10632 buf = OPENSSL_malloc(msglen);
10633 if (!TEST_ptr(buf))
10634 goto end;
10635
10636 if (idx == 5) {
10637 /*
10638 * Test that setting a split send fragment longer than the maximum
10639 * allowed fails
10640 */
10641 if (!TEST_false(SSL_set_split_send_fragment(peera, fragsize + 1)))
10642 goto end;
10643 }
10644
10645 /*
10646 * In the normal case. We have 5 pipelines with 10 bytes per pipeline
10647 * (50 bytes in total). This is a ridiculously small number of bytes -
10648 * but sufficient for our purposes
10649 */
10650 if (!TEST_true(SSL_set_max_pipelines(peera, numpipes))
10651 || !TEST_true(SSL_set_split_send_fragment(peera, fragsize)))
10652 goto end;
10653
10654 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10655 goto end;
10656
10657 /* Write some data from peera to peerb */
10658 if (!TEST_true(SSL_write_ex(peera, msg, msglen, &written))
10659 || !TEST_size_t_eq(written, msglen))
10660 goto end;
10661
10662 /*
10663 * If the pipelining code worked, then we expect all |numpipes| pipelines to
10664 * have been used - except in test 3 where only |numpipes - 1| pipelines
10665 * will be used. This will result in |numpipes| records (|numpipes - 1| for
10666 * test 3) having been sent to peerb. Since peerb is not using read_ahead we
10667 * expect this to be read in |numpipes| or |numpipes - 1| separate
10668 * SSL_read_ex calls. In the case of test 4, there is then one additional
10669 * read for left over data that couldn't fit in the previous pipelines
10670 */
10671 for (offset = 0, numreads = 0;
10672 offset < msglen;
10673 offset += readbytes, numreads++) {
10674 if (!TEST_true(SSL_read_ex(peerb, buf + offset,
10675 msglen - offset, &readbytes)))
10676 goto end;
10677 }
10678
10679 expectedreads = idx == 4 ? numpipes + 1
10680 : (idx == 3 ? numpipes - 1 : numpipes);
10681 if (!TEST_mem_eq(msg, msglen, buf, offset)
10682 || !TEST_int_eq(numreads, expectedreads))
10683 goto end;
10684
10685 /*
10686 * Write some data from peerb to peera. We do this in up to |numpipes + 1|
10687 * chunks to exercise the read pipelining code on peera.
10688 */
10689 for (offset = 0; offset < msglen; offset += fragsize) {
10690 size_t sendlen = msglen - offset;
10691
10692 if (sendlen > fragsize)
10693 sendlen = fragsize;
10694 if (!TEST_true(SSL_write_ex(peerb, msg + offset, sendlen, &written))
10695 || !TEST_size_t_eq(written, sendlen))
10696 goto end;
10697 }
10698
10699 /*
10700 * The data was written in |numpipes|, |numpipes - 1| or |numpipes + 1|
10701 * separate chunks (depending on which test we are running). If the
10702 * pipelining is working then we expect peera to read up to numpipes chunks
10703 * and process them in parallel, giving back the complete result in a single
10704 * call to SSL_read_ex
10705 */
10706 if (!TEST_true(SSL_read_ex(peera, buf, msglen, &readbytes))
10707 || !TEST_size_t_le(readbytes, msglen))
10708 goto end;
10709
10710 if (idx == 4) {
10711 size_t readbytes2;
10712
10713 if (!TEST_true(SSL_read_ex(peera, buf + readbytes,
10714 msglen - readbytes, &readbytes2)))
10715 goto end;
10716 readbytes += readbytes2;
10717 if (!TEST_size_t_le(readbytes, msglen))
10718 goto end;
10719 }
10720
10721 if (!TEST_mem_eq(msg, msglen, buf, readbytes))
10722 goto end;
10723
10724 testresult = 1;
10725end:
10726 SSL_free(serverssl);
10727 SSL_free(clientssl);
10728 SSL_CTX_free(sctx);
10729 SSL_CTX_free(cctx);
10730 ENGINE_unregister_ciphers(e);
10731 ENGINE_finish(e);
10732 ENGINE_free(e);
10733 OPENSSL_free(buf);
10734 if (idx == 5)
10735 OPENSSL_free(msg);
10736 return testresult;
10737}
10738#endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */
10739
b2b8d188 10740OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
a43ce58f 10741
ad887416 10742int setup_tests(void)
2cb4b5f6 10743{
5e30f2fd
MC		 10744 char *modulename;
10745 char *configfile;
10746
b4250010 10747 libctx = OSSL_LIB_CTX_new();
5e30f2fd
MC		 10748 if (!TEST_ptr(libctx))
10749 return 0;
10750
10751 defctxnull = OSSL_PROVIDER_load(NULL, "null");
10752
10753 /*
10754 * Verify that the default and fips providers in the default libctx are not
10755 * available
10756 */
10757 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
10758 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
10759 return 0;
10760
8d242823
MC		 10761 if (!test_skip_common_options()) {
10762 TEST_error("Error parsing test options\n");
10763 return 0;
10764 }
10765
1a2a3a42
MC		 10766 if (!TEST_ptr(certsdir = test_get_argument(0))
10767 || !TEST_ptr(srpvfile = test_get_argument(1))
5e30f2fd
MC		 10768 || !TEST_ptr(tmpfilename = test_get_argument(2))
10769 || !TEST_ptr(modulename = test_get_argument(3))
b2b8d188
DF		 10770 || !TEST_ptr(configfile = test_get_argument(4))
10771 || !TEST_ptr(dhfile = test_get_argument(5)))
5e30f2fd
MC		 10772 return 0;
10773
b4250010 10774 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
5e30f2fd
MC		 10775 return 0;
10776
10777 /* Check we have the expected provider available */
10778 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
10779 return 0;
10780
10781 /* Check the default provider is not available */
10782 if (strcmp(modulename, "default") != 0
10783 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
710756a9 10784 return 0;
2cb4b5f6 10785
4f6c7044
MC		 10786 if (strcmp(modulename, "fips") == 0)
10787 is_fips = 1;
10788
0c13cdf8
MC		 10789 /*
10790 * We add, but don't load the test "tls-provider". We'll load it when we
10791 * need it.
10792 */
10793 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
10794 tls_provider_init)))
10795 return 0;
10796
10797
f297e4ec
RS		 10798 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
10799#ifdef OPENSSL_NO_CRYPTO_MDEBUG
10800 TEST_error("not supported in this build");
10801 return 0;
10802#else
10803 int i, mcount, rcount, fcount;
10804
10805 for (i = 0; i < 4; i++)
10806 test_export_key_mat(i);
10807 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
10808 test_printf_stdout("malloc %d realloc %d free %d\n",
10809 mcount, rcount, fcount);
10810 return 1;
10811#endif
10812 }
10813
1a2a3a42
MC		 10814 cert = test_mk_file_path(certsdir, "servercert.pem");
10815 if (cert == NULL)
b3842539 10816 goto err;
1a2a3a42
MC		 10817
10818 privkey = test_mk_file_path(certsdir, "serverkey.pem");
b3842539
MC		 10819 if (privkey == NULL)
10820 goto err;
10821
10822 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
10823 if (cert2 == NULL)
10824 goto err;
10825
10826 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
10827 if (privkey2 == NULL)
10828 goto err;
1a2a3a42 10829
3105d846
MC		 10830 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
10831 if (cert1024 == NULL)
10832 goto err;
10833
10834 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
10835 if (privkey1024 == NULL)
10836 goto err;
10837
10838 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
10839 if (cert3072 == NULL)
10840 goto err;
10841
10842 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
10843 if (privkey3072 == NULL)
10844 goto err;
10845
10846 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
10847 if (cert4096 == NULL)
10848 goto err;
10849
10850 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
10851 if (privkey4096 == NULL)
10852 goto err;
10853
10854 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
10855 if (cert8192 == NULL)
10856 goto err;
10857
10858 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
10859 if (privkey8192 == NULL)
10860 goto err;
10861
da4db160 10862#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
a763ca11 10863# if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
e1fdd526 10864 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
cd715b7e 10865 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS * 2);
c8e3a4c6 10866# endif
fe5d9450 10867#endif
84d5549e 10868 ADD_TEST(test_large_message_tls);
7856332e 10869 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 10870#ifndef OPENSSL_NO_DTLS
84d5549e 10871 ADD_TEST(test_large_message_dtls);
55386bef 10872#endif
2fda45d5 10873 ADD_ALL_TESTS(test_large_app_data, 28);
163b8016 10874 ADD_TEST(test_cleanse_plaintext);
8f8c11d8 10875#ifndef OPENSSL_NO_OCSP
c887104f 10876 ADD_TEST(test_tlsext_status_type);
8f8c11d8 10877#endif
eaa776da
MC		 10878 ADD_TEST(test_session_with_only_int_cache);
10879 ADD_TEST(test_session_with_only_ext_cache);
10880 ADD_TEST(test_session_with_both_cache);
90fc2c26 10881 ADD_TEST(test_session_wo_ca_names);
a763ca11 10882#ifndef OSSL_NO_USABLE_TLS1_3
04d7814a
MC		 10883 ADD_ALL_TESTS(test_stateful_tickets, 3);
10884 ADD_ALL_TESTS(test_stateless_tickets, 3);
8614a4eb 10885 ADD_TEST(test_psk_tickets);
f0049b86 10886 ADD_ALL_TESTS(test_extra_tickets, 6);
36ff232c 10887#endif
7fb4c820 10888 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 10889 ADD_TEST(test_ssl_bio_pop_next_bio);
10890 ADD_TEST(test_ssl_bio_pop_ssl_bio);
10891 ADD_TEST(test_ssl_bio_change_rbio);
10892 ADD_TEST(test_ssl_bio_change_wbio);
a763ca11 10893#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
f1b25aae 10894 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 10895 ADD_TEST(test_keylog);
c423ecaa 10896#endif
a763ca11 10897#ifndef OSSL_NO_USABLE_TLS1_3
6acdd3e5
CB		 10898 ADD_TEST(test_keylog_no_master_key);
10899#endif
0c3eb279 10900 ADD_TEST(test_client_cert_verify_cb);
4e4ae840
SL		 10901 ADD_TEST(test_ssl_build_cert_chain);
10902 ADD_TEST(test_ssl_ctx_build_cert_chain);
e9ee6536 10903#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 10904 ADD_TEST(test_client_hello_cb);
088dfa13 10905 ADD_TEST(test_no_ems);
3cd14e5e 10906 ADD_TEST(test_ccs_change_cipher);
5f982038 10907#endif
a763ca11 10908#ifndef OSSL_NO_USABLE_TLS1_3
02a3ed5a 10909 ADD_ALL_TESTS(test_early_data_read_write, 3);
78fb5374
MC		 10910 /*
10911 * We don't do replay tests for external PSK. Replay protection isn't used
10912 * in that scenario.
10913 */
10914 ADD_ALL_TESTS(test_early_data_replay, 2);
02a3ed5a
MC		 10915 ADD_ALL_TESTS(test_early_data_skip, 3);
10916 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
0efa0ba4 10917 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
0d1b7789 10918 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
02a3ed5a 10919 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 10920 ADD_ALL_TESTS(test_early_data_psk, 8);
0b2b0be9 10921 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
02a3ed5a 10922 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 10923# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 10924 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 10925# endif
e9ee6536 10926#endif
a763ca11 10927#ifndef OSSL_NO_USABLE_TLS1_3
034cb87b 10928 ADD_ALL_TESTS(test_set_ciphersuite, 10);
ca0413ae 10929 ADD_TEST(test_ciphersuite_change);
5bf2eade 10930 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
10931# ifdef OPENSSL_NO_PSK
c2b290c3 10932 ADD_ALL_TESTS(test_tls13_psk, 1);
5bf2eade 10933# else
0d8da779 10934 ADD_ALL_TESTS(test_tls13_psk, 4);
5bf2eade 10935# endif /* OPENSSL_NO_PSK */
10936# ifndef OPENSSL_NO_TLS1_2
10937 /* Test with both TLSv1.3 and 1.2 versions */
db26ec80 10938 ADD_ALL_TESTS(test_key_exchange, 14);
6dc56df2
BK		 10939# if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
10940 ADD_ALL_TESTS(test_negotiated_group,
10941 4 * (OSSL_NELEM(ecdhe_kexch_groups)
10942 + OSSL_NELEM(ffdhe_kexch_groups)));
10943# endif
5bf2eade 10944# else
10945 /* Test with only TLSv1.3 versions */
10946 ADD_ALL_TESTS(test_key_exchange, 12);
10947# endif
0db3a990 10948 ADD_ALL_TESTS(test_custom_exts, 6);
c7b8ff25 10949 ADD_TEST(test_stateless);
9d75dce3 10950 ADD_TEST(test_pha_key_update);
a273157a 10951#else
bb01ef3f 10952 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 10953#endif
0fb2815b 10954 ADD_ALL_TESTS(test_export_key_mat, 6);
a763ca11 10955#ifndef OSSL_NO_USABLE_TLS1_3
b38ede80 10956 ADD_ALL_TESTS(test_export_key_mat_early, 3);
3409a5ff 10957 ADD_TEST(test_key_update);
0c48fda8 10958 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
10959 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
10960 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
10961 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
b38ede80 10962#endif
e11b6aa4 10963 ADD_ALL_TESTS(test_ssl_clear, 2);
cf72c757 10964 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
76fd7a1d
MC		 10965#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
10966 ADD_ALL_TESTS(test_srp, 6);
10967#endif
b67cb09f
TS		 10968#if !defined(OPENSSL_NO_COMP_ALG)
10969 /* Add compression case */
10970 ADD_ALL_TESTS(test_info_callback, 8);
10971#else
5718fe45 10972 ADD_ALL_TESTS(test_info_callback, 6);
b67cb09f 10973#endif
4a432af8 10974 ADD_ALL_TESTS(test_ssl_pending, 2);
e401389a 10975 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
3b7a3241 10976 ADD_ALL_TESTS(test_ticket_callbacks, 20);
57d7b988 10977 ADD_ALL_TESTS(test_shutdown, 7);
cbf965b4 10978 ADD_TEST(test_async_shutdown);
e638112e 10979 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
1a2a3a42 10980 ADD_ALL_TESTS(test_cert_cb, 6);
6e46c065 10981 ADD_ALL_TESTS(test_client_cert_cb, 2);
fb8c8359 10982 ADD_ALL_TESTS(test_ca_names, 3);
0d2bfe52
SL		 10983#ifndef OPENSSL_NO_TLS1_2
10984 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
10985#endif
49ef3d07 10986 ADD_ALL_TESTS(test_servername, 10);
b1fdbc68 10987#if !defined(OPENSSL_NO_EC) \
a763ca11 10988 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b3842539 10989 ADD_ALL_TESTS(test_sigalgs_available, 6);
0c13cdf8
MC		 10990#endif
10991#ifndef OPENSSL_NO_TLS1_3
c8e3a4c6 10992 ADD_ALL_TESTS(test_pluggable_group, 2);
ee58915c 10993 ADD_ALL_TESTS(test_pluggable_signature, 2);
49a36a52
MC		 10994#endif
10995#ifndef OPENSSL_NO_TLS1_2
10996 ADD_TEST(test_ssl_dup);
33c39a06
MC		 10997# ifndef OPENSSL_NO_DH
10998 ADD_ALL_TESTS(test_set_tmp_dh, 11);
3105d846 10999 ADD_ALL_TESTS(test_dh_auto, 7);
33c39a06 11000# endif
6582661f 11001#endif
a763ca11 11002#ifndef OSSL_NO_USABLE_TLS1_3
6582661f 11003 ADD_TEST(test_sni_tls13);
0089cc7f 11004 ADD_ALL_TESTS(test_ticket_lifetime, 2);
b3842539 11005#endif
dfccfde0 11006 ADD_TEST(test_inherit_verify_param);
feba11cf 11007 ADD_TEST(test_set_alpn);
948cf521
HL		 11008 ADD_TEST(test_set_verify_cert_store_ssl_ctx);
11009 ADD_TEST(test_set_verify_cert_store_ssl);
25959e04 11010 ADD_ALL_TESTS(test_session_timeout, 1);
b2b8d188 11011 ADD_TEST(test_load_dhfile);
f7565348
MC		 11012#ifndef OSSL_NO_USABLE_TLS1_3
11013 ADD_TEST(test_read_ahead_key_change);
f3f8e53c 11014 ADD_ALL_TESTS(test_tls13_record_padding, 4);
555dd939
DF		 11015#endif
11016#if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
11017 ADD_ALL_TESTS(test_serverinfo_custom, 4);
b718f6fc
MC		 11018#endif
11019#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
11020 ADD_ALL_TESTS(test_pipelining, 6);
f7565348 11021#endif
ad887416 11022 return 1;
b3842539
MC		 11023
11024 err:
11025 OPENSSL_free(cert);
11026 OPENSSL_free(privkey);
11027 OPENSSL_free(cert2);
11028 OPENSSL_free(privkey2);
11029 return 0;
ad887416 11030}
2cb4b5f6 11031
ad887416
P		 11032void cleanup_tests(void)
11033{
8778f0eb 11034# if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
33c39a06
MC		 11035 EVP_PKEY_free(tmp_dh_params);
11036#endif
1a2a3a42
MC		 11037 OPENSSL_free(cert);
11038 OPENSSL_free(privkey);
b3842539
MC		 11039 OPENSSL_free(cert2);
11040 OPENSSL_free(privkey2);
3105d846
MC		 11041 OPENSSL_free(cert1024);
11042 OPENSSL_free(privkey1024);
11043 OPENSSL_free(cert3072);
11044 OPENSSL_free(privkey3072);
11045 OPENSSL_free(cert4096);
11046 OPENSSL_free(privkey4096);
11047 OPENSSL_free(cert8192);
11048 OPENSSL_free(privkey8192);
fa454945 11049 bio_s_mempacket_test_free();
a77b4dba 11050 bio_s_always_retry_free();
5e30f2fd 11051 OSSL_PROVIDER_unload(defctxnull);
b4250010 11052 OSSL_LIB_CTX_free(libctx);
2cb4b5f6 11053}
A mirror of the official openssl repository