]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Adding TLS group name retrieval
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
33388b44 2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6 3 *
909f1a2e 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
2cb4b5f6
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
a76ce286
P		 10/*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14#ifndef OPENSSL_NO_DEPRECATED_3_0
15# define OPENSSL_SUPPRESS_DEPRECATED
16#endif
17
7c3a7561 18#include <stdio.h>
ba881d3b
MC		 19#include <string.h>
20
2cb4b5f6
MC		 21#include <openssl/opensslconf.h>
22#include <openssl/bio.h>
23#include <openssl/crypto.h>
24#include <openssl/ssl.h>
ba881d3b 25#include <openssl/ocsp.h>
76fd7a1d
MC		 26#include <openssl/srp.h>
27#include <openssl/txt_db.h>
d0191fe0 28#include <openssl/aes.h>
7c3a7561 29#include <openssl/rand.h>
a76ce286 30#include <openssl/core_names.h>
23c48d94 31#include <openssl/core_dispatch.h>
5e30f2fd 32#include <openssl/provider.h>
33c39a06 33#include <openssl/param_build.h>
2cb4b5f6 34
20f8bc72 35#include "helpers/ssltestlib.h"
c887104f 36#include "testutil.h"
f297e4ec 37#include "testutil/output.h"
176db6dc 38#include "internal/nelem.h"
fe5d9450 39#include "internal/ktls.h"
706457b7 40#include "../ssl/ssl_local.h"
2cb4b5f6 41
b3842539
MC		 42/* Defined in filterprov.c */
43OSSL_provider_init_fn filter_provider_init;
44int filter_provider_set_filter(int operation, const char *name);
45
0c13cdf8
MC		 46/* Defined in tls-provider.c */
47int tls_provider_init(const OSSL_CORE_HANDLE *handle,
48 const OSSL_DISPATCH *in,
49 const OSSL_DISPATCH **out,
50 void **provctx);
852c2ed2 51
b4250010 52static OSSL_LIB_CTX *libctx = NULL;
5e30f2fd
MC		 53static OSSL_PROVIDER *defctxnull = NULL;
54
8614a4eb
MC		 55#ifndef OPENSSL_NO_TLS1_3
56
57static SSL_SESSION *clientpsk = NULL;
58static SSL_SESSION *serverpsk = NULL;
59static const char *pskid = "Identity";
60static const char *srvid;
61
62static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
63 size_t *idlen, SSL_SESSION **sess);
64static int find_session_cb(SSL *ssl, const unsigned char *identity,
65 size_t identity_len, SSL_SESSION **sess);
66
67static int use_session_cb_cnt = 0;
68static int find_session_cb_cnt = 0;
69
70static SSL_SESSION *create_a_psk(SSL *ssl);
71#endif
72
1a2a3a42 73static char *certsdir = NULL;
2cb4b5f6
MC		 74static char *cert = NULL;
75static char *privkey = NULL;
b3842539
MC		 76static char *cert2 = NULL;
77static char *privkey2 = NULL;
3105d846
MC		 78static char *cert1024 = NULL;
79static char *privkey1024 = NULL;
80static char *cert3072 = NULL;
81static char *privkey3072 = NULL;
82static char *cert4096 = NULL;
83static char *privkey4096 = NULL;
84static char *cert8192 = NULL;
85static char *privkey8192 = NULL;
76fd7a1d
MC		 86static char *srpvfile = NULL;
87static char *tmpfilename = NULL;
2cb4b5f6 88
4f6c7044
MC		 89static int is_fips = 0;
90
cffe973c 91#define LOG_BUFFER_SIZE 2048
6acdd3e5 92static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 93static size_t server_log_buffer_index = 0;
6acdd3e5 94static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 95static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 96static int error_writing_log = 0;
97
8f8c11d8 98#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 99static const unsigned char orespder[] = "Dummy OCSP Response";
100static int ocsp_server_called = 0;
101static int ocsp_client_called = 0;
102
103static int cdummyarg = 1;
104static X509 *ocspcert = NULL;
8f8c11d8 105#endif
ba881d3b 106
84d5549e 107#define NUM_EXTRA_CERTS 40
cf72c757 108#define CLIENT_VERSION_LEN 2
84d5549e 109
f1a5939f
CB		 110/*
111 * This structure is used to validate that the correct number of log messages
112 * of various types are emitted when emitting secret logs.
113 */
114struct sslapitest_log_counts {
115 unsigned int rsa_key_exchange_count;
116 unsigned int master_secret_count;
cffe973c 117 unsigned int client_early_secret_count;
f1a5939f
CB		 118 unsigned int client_handshake_secret_count;
119 unsigned int server_handshake_secret_count;
120 unsigned int client_application_secret_count;
121 unsigned int server_application_secret_count;
01a2a654 122 unsigned int early_exporter_secret_count;
6329ce8f 123 unsigned int exporter_secret_count;
f1a5939f
CB		 124};
125
16afd71c
MC		 126
127static unsigned char serverinfov1[] = {
128 0xff, 0xff, /* Dummy extension type */
129 0x00, 0x01, /* Extension length is 1 byte */
130 0xff /* Dummy extension data */
131};
132
133static unsigned char serverinfov2[] = {
134 0x00, 0x00, 0x00,
135 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
136 0xff, 0xff, /* Dummy extension type */
137 0x00, 0x01, /* Extension length is 1 byte */
138 0xff /* Dummy extension data */
139};
140
104a733d
MC		 141static int hostname_cb(SSL *s, int *al, void *arg)
142{
143 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
144
145 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
146 || strcmp(hostname, "altgoodhost") == 0))
147 return SSL_TLSEXT_ERR_OK;
148
149 return SSL_TLSEXT_ERR_NOACK;
150}
151
710756a9
RS		 152static void client_keylog_callback(const SSL *ssl, const char *line)
153{
6acdd3e5
CB		 154 int line_length = strlen(line);
155
156 /* If the log doesn't fit, error out. */
710756a9
RS		 157 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
158 TEST_info("Client log too full");
6acdd3e5
CB		 159 error_writing_log = 1;
160 return;
161 }
162
163 strcat(client_log_buffer, line);
164 client_log_buffer_index += line_length;
710756a9 165 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 166}
167
710756a9
RS		 168static void server_keylog_callback(const SSL *ssl, const char *line)
169{
6acdd3e5
CB		 170 int line_length = strlen(line);
171
172 /* If the log doesn't fit, error out. */
710756a9 173 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 174 TEST_info("Server log too full");
6acdd3e5
CB		 175 error_writing_log = 1;
176 return;
177 }
178
179 strcat(server_log_buffer, line);
180 server_log_buffer_index += line_length;
710756a9 181 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 182}
183
184static int compare_hex_encoded_buffer(const char *hex_encoded,
185 size_t hex_length,
186 const uint8_t *raw,
710756a9
RS		 187 size_t raw_length)
188{
189 size_t i, j;
190 char hexed[3];
6acdd3e5 191
710756a9 192 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 193 return 1;
6acdd3e5 194
710756a9 195 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 196 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 197 if (!TEST_int_eq(hexed[0], hex_encoded[j])
198 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 199 return 1;
6acdd3e5
CB		 200 }
201
202 return 0;
203}
204
205static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 206 const SSL_SESSION *session,
710756a9
RS		 207 struct sslapitest_log_counts *expected)
208{
6acdd3e5
CB		 209 char *token = NULL;
210 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
211 size_t client_random_size = SSL3_RANDOM_SIZE;
212 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
213 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 214 unsigned int rsa_key_exchange_count = 0;
215 unsigned int master_secret_count = 0;
cffe973c 216 unsigned int client_early_secret_count = 0;
f1a5939f
CB		 217 unsigned int client_handshake_secret_count = 0;
218 unsigned int server_handshake_secret_count = 0;
219 unsigned int client_application_secret_count = 0;
220 unsigned int server_application_secret_count = 0;
01a2a654 221 unsigned int early_exporter_secret_count = 0;
6329ce8f 222 unsigned int exporter_secret_count = 0;
6acdd3e5 223
710756a9
RS		 224 for (token = strtok(buffer, " \n"); token != NULL;
225 token = strtok(NULL, " \n")) {
6acdd3e5 226 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 227 /*
228 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 229 * hex-encoded encrypted secret, then the hex-encoded pre-master
230 * secret.
231 */
710756a9 232 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 233 return 0;
710756a9 234 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 235 return 0;
710756a9 236 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 237 return 0;
f1a5939f
CB		 238 /*
239 * We can't sensibly check the log because the premaster secret is
240 * transient, and OpenSSL doesn't keep hold of it once the master
241 * secret is generated.
242 */
243 rsa_key_exchange_count++;
6acdd3e5 244 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 245 /*
246 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 247 * client random, then the hex-encoded master secret.
248 */
249 client_random_size = SSL_get_client_random(ssl,
250 actual_client_random,
251 SSL3_RANDOM_SIZE);
710756a9 252 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 253 return 0;
6acdd3e5 254
710756a9 255 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 256 return 0;
710756a9 257 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 258 return 0;
710756a9
RS		 259 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
260 actual_client_random,
261 client_random_size)))
f1a5939f 262 return 0;
6acdd3e5 263
710756a9 264 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 265 return 0;
6acdd3e5
CB		 266 master_key_size = SSL_SESSION_get_master_key(session,
267 actual_master_key,
268 master_key_size);
710756a9 269 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 270 return 0;
710756a9
RS		 271 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
272 actual_master_key,
273 master_key_size)))
f1a5939f 274 return 0;
f1a5939f 275 master_secret_count++;
cffe973c
PW		 276 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
277 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
710756a9
RS		 278 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
279 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
6329ce8f 280 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
01a2a654 281 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
6329ce8f 282 || strcmp(token, "EXPORTER_SECRET") == 0) {
f1a5939f
CB		 283 /*
284 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
285 * client random, and then the hex-encoded secret. In this case,
286 * we treat all of these secrets identically and then just
287 * distinguish between them when counting what we saw.
288 */
cffe973c
PW		 289 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
290 client_early_secret_count++;
291 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
f1a5939f
CB		 292 client_handshake_secret_count++;
293 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
294 server_handshake_secret_count++;
295 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
296 client_application_secret_count++;
297 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
298 server_application_secret_count++;
01a2a654
PW		 299 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
300 early_exporter_secret_count++;
6329ce8f
PW		 301 else if (strcmp(token, "EXPORTER_SECRET") == 0)
302 exporter_secret_count++;
f1a5939f
CB		 303
304 client_random_size = SSL_get_client_random(ssl,
305 actual_client_random,
306 SSL3_RANDOM_SIZE);
710756a9 307 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 308 return 0;
f1a5939f 309
710756a9 310 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 311 return 0;
710756a9 312 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 313 return 0;
710756a9
RS		 314 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
315 actual_client_random,
316 client_random_size)))
f1a5939f 317 return 0;
6acdd3e5 318
710756a9 319 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 320 return 0;
f1a5939f
CB		 321
322 /*
323 * TODO(TLS1.3): test that application traffic secrets are what
324 * we expect */
6acdd3e5 325 } else {
710756a9 326 TEST_info("Unexpected token %s\n", token);
f1a5939f 327 return 0;
6acdd3e5 328 }
6acdd3e5
CB		 329 }
330
710756a9
RS		 331 /* Got what we expected? */
332 if (!TEST_size_t_eq(rsa_key_exchange_count,
333 expected->rsa_key_exchange_count)
334 || !TEST_size_t_eq(master_secret_count,
335 expected->master_secret_count)
cffe973c
PW		 336 || !TEST_size_t_eq(client_early_secret_count,
337 expected->client_early_secret_count)
710756a9
RS		 338 || !TEST_size_t_eq(client_handshake_secret_count,
339 expected->client_handshake_secret_count)
340 || !TEST_size_t_eq(server_handshake_secret_count,
341 expected->server_handshake_secret_count)
342 || !TEST_size_t_eq(client_application_secret_count,
343 expected->client_application_secret_count)
344 || !TEST_size_t_eq(server_application_secret_count,
6329ce8f 345 expected->server_application_secret_count)
01a2a654
PW		 346 || !TEST_size_t_eq(early_exporter_secret_count,
347 expected->early_exporter_secret_count)
6329ce8f
PW		 348 || !TEST_size_t_eq(exporter_secret_count,
349 expected->exporter_secret_count))
710756a9
RS		 350 return 0;
351 return 1;
6acdd3e5
CB		 352}
353
c423ecaa 354#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
710756a9
RS		 355static int test_keylog(void)
356{
6acdd3e5
CB		 357 SSL_CTX *cctx = NULL, *sctx = NULL;
358 SSL *clientssl = NULL, *serverssl = NULL;
359 int testresult = 0;
6fc1e624 360 struct sslapitest_log_counts expected;
6acdd3e5
CB		 361
362 /* Clean up logging space */
6fc1e624 363 memset(&expected, 0, sizeof(expected));
710756a9
RS		 364 memset(client_log_buffer, 0, sizeof(client_log_buffer));
365 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 366 client_log_buffer_index = 0;
367 server_log_buffer_index = 0;
368 error_writing_log = 0;
369
5e30f2fd 370 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
710756a9 371 TLS_client_method(),
5c587fb6 372 TLS1_VERSION, 0,
710756a9 373 &sctx, &cctx, cert, privkey)))
6acdd3e5 374 return 0;
6acdd3e5
CB		 375
376 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
377 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
378 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
379
f0deb4d3 380 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 381 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 382 goto end;
f0deb4d3 383
cf10df81
RS		 384 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
385 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 386 goto end;
6acdd3e5 387 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 388 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
389 == client_keylog_callback))
6acdd3e5 390 goto end;
710756a9 391 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 392 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
393 == server_keylog_callback))
6acdd3e5 394 goto end;
6acdd3e5 395
710756a9
RS		 396 /* Now do a handshake and check that the logs have been written to. */
397 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
398 &clientssl, NULL, NULL))
399 || !TEST_true(create_ssl_connection(serverssl, clientssl,
400 SSL_ERROR_NONE))
401 || !TEST_false(error_writing_log)
402 || !TEST_int_gt(client_log_buffer_index, 0)
403 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 404 goto end;
6acdd3e5 405
f1a5939f
CB		 406 /*
407 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 408 * do that by using strtok and confirming that we have more or less the
f1a5939f
CB		 409 * data we expect. For both client and server, we expect to see one master
410 * secret. The client should also see a RSA key exchange.
6acdd3e5 411 */
f1a5939f
CB		 412 expected.rsa_key_exchange_count = 1;
413 expected.master_secret_count = 1;
710756a9
RS		 414 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
415 SSL_get_session(clientssl), &expected)))
6acdd3e5 416 goto end;
f1a5939f
CB		 417
418 expected.rsa_key_exchange_count = 0;
710756a9
RS		 419 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
420 SSL_get_session(serverssl), &expected)))
6acdd3e5 421 goto end;
6acdd3e5
CB		 422
423 testresult = 1;
424
425end:
426 SSL_free(serverssl);
427 SSL_free(clientssl);
428 SSL_CTX_free(sctx);
429 SSL_CTX_free(cctx);
430
431 return testresult;
432}
c423ecaa 433#endif
6acdd3e5
CB		 434
435#ifndef OPENSSL_NO_TLS1_3
710756a9
RS		 436static int test_keylog_no_master_key(void)
437{
6acdd3e5
CB		 438 SSL_CTX *cctx = NULL, *sctx = NULL;
439 SSL *clientssl = NULL, *serverssl = NULL;
cffe973c 440 SSL_SESSION *sess = NULL;
6acdd3e5 441 int testresult = 0;
6fc1e624 442 struct sslapitest_log_counts expected;
cffe973c
PW		 443 unsigned char buf[1];
444 size_t readbytes, written;
6acdd3e5
CB		 445
446 /* Clean up logging space */
6fc1e624 447 memset(&expected, 0, sizeof(expected));
710756a9
RS		 448 memset(client_log_buffer, 0, sizeof(client_log_buffer));
449 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 450 client_log_buffer_index = 0;
451 server_log_buffer_index = 0;
452 error_writing_log = 0;
453
5e30f2fd
MC		 454 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
455 TLS_client_method(), TLS1_VERSION, 0,
cffe973c
PW		 456 &sctx, &cctx, cert, privkey))
457 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
cffe973c 458 SSL3_RT_MAX_PLAIN_LENGTH)))
6acdd3e5 459 return 0;
6acdd3e5 460
cf10df81
RS		 461 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
462 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 463 goto end;
6acdd3e5
CB		 464
465 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 466 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
467 == client_keylog_callback))
6acdd3e5 468 goto end;
6acdd3e5 469
710756a9 470 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 471 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
472 == server_keylog_callback))
6acdd3e5 473 goto end;
6acdd3e5 474
710756a9
RS		 475 /* Now do a handshake and check that the logs have been written to. */
476 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
477 &clientssl, NULL, NULL))
478 || !TEST_true(create_ssl_connection(serverssl, clientssl,
479 SSL_ERROR_NONE))
480 || !TEST_false(error_writing_log))
6acdd3e5 481 goto end;
6acdd3e5 482
f1a5939f
CB		 483 /*
484 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 485 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 486 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 487 */
f1a5939f
CB		 488 expected.client_handshake_secret_count = 1;
489 expected.server_handshake_secret_count = 1;
490 expected.client_application_secret_count = 1;
491 expected.server_application_secret_count = 1;
6329ce8f 492 expected.exporter_secret_count = 1;
710756a9
RS		 493 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
494 SSL_get_session(clientssl), &expected))
495 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
496 SSL_get_session(serverssl),
497 &expected)))
6acdd3e5 498 goto end;
6acdd3e5 499
cffe973c
PW		 500 /* Terminate old session and resume with early data. */
501 sess = SSL_get1_session(clientssl);
502 SSL_shutdown(clientssl);
503 SSL_shutdown(serverssl);
504 SSL_free(serverssl);
505 SSL_free(clientssl);
506 serverssl = clientssl = NULL;
507
508 /* Reset key log */
509 memset(client_log_buffer, 0, sizeof(client_log_buffer));
510 memset(server_log_buffer, 0, sizeof(server_log_buffer));
511 client_log_buffer_index = 0;
512 server_log_buffer_index = 0;
513
514 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
515 &clientssl, NULL, NULL))
516 || !TEST_true(SSL_set_session(clientssl, sess))
517 /* Here writing 0 length early data is enough. */
518 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
519 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
520 &readbytes),
521 SSL_READ_EARLY_DATA_ERROR)
522 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
523 SSL_EARLY_DATA_ACCEPTED)
524 || !TEST_true(create_ssl_connection(serverssl, clientssl,
525 SSL_ERROR_NONE))
526 || !TEST_true(SSL_session_reused(clientssl)))
527 goto end;
528
529 /* In addition to the previous entries, expect early secrets. */
530 expected.client_early_secret_count = 1;
01a2a654 531 expected.early_exporter_secret_count = 1;
cffe973c
PW		 532 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
533 SSL_get_session(clientssl), &expected))
534 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
535 SSL_get_session(serverssl),
536 &expected)))
537 goto end;
538
6acdd3e5
CB		 539 testresult = 1;
540
541end:
cffe973c 542 SSL_SESSION_free(sess);
6acdd3e5
CB		 543 SSL_free(serverssl);
544 SSL_free(clientssl);
545 SSL_CTX_free(sctx);
546 SSL_CTX_free(cctx);
547
548 return testresult;
549}
550#endif
551
e9ee6536 552#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 553static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 554{
555 int *ctr = arg;
556 const unsigned char *p;
8ea404fb 557 int *exts;
2afaee51
BK		 558 /* We only configure two ciphers, but the SCSV is added automatically. */
559#ifdef OPENSSL_NO_EC
560 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
561#else
562 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
563 0x2c, 0x00, 0xff};
564#endif
8ea404fb
BK		 565 const int expected_extensions[] = {
566#ifndef OPENSSL_NO_EC
567 11, 10,
568#endif
10ed1b72 569 35, 22, 23, 13};
2afaee51
BK		 570 size_t len;
571
572 /* Make sure we can defer processing and get called back. */
573 if ((*ctr)++ == 0)
f1b97da1 574 return SSL_CLIENT_HELLO_RETRY;
2afaee51 575
a9c0d8be 576 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 577 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 578 || !TEST_size_t_eq(
579 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 580 || !TEST_int_eq(*p, 0))
f1b97da1 581 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 582 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 583 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 584 if (len != OSSL_NELEM(expected_extensions) ||
585 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 586 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 587 OPENSSL_free(exts);
f1b97da1 588 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 589 }
590 OPENSSL_free(exts);
f1b97da1 591 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 592}
593
a9c0d8be 594static int test_client_hello_cb(void)
710756a9 595{
2afaee51
BK		 596 SSL_CTX *cctx = NULL, *sctx = NULL;
597 SSL *clientssl = NULL, *serverssl = NULL;
598 int testctr = 0, testresult = 0;
599
5e30f2fd
MC		 600 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
601 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 602 &sctx, &cctx, cert, privkey)))
2afaee51 603 goto end;
a9c0d8be 604 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 605
2afaee51
BK		 606 /* The gimpy cipher list we configure can't do TLS 1.3. */
607 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 608
710756a9
RS		 609 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
610 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
611 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
612 &clientssl, NULL, NULL))
613 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 614 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 615 /*
616 * Passing a -1 literal is a hack since
617 * the real value was lost.
618 * */
a9c0d8be
DB		 619 || !TEST_int_eq(SSL_get_error(serverssl, -1),
620 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 621 || !TEST_true(create_ssl_connection(serverssl, clientssl,
622 SSL_ERROR_NONE)))
2afaee51 623 goto end;
2afaee51
BK		 624
625 testresult = 1;
626
088dfa13
TS		 627end:
628 SSL_free(serverssl);
629 SSL_free(clientssl);
630 SSL_CTX_free(sctx);
631 SSL_CTX_free(cctx);
632
633 return testresult;
634}
635
636static int test_no_ems(void)
637{
638 SSL_CTX *cctx = NULL, *sctx = NULL;
639 SSL *clientssl = NULL, *serverssl = NULL;
640 int testresult = 0;
641
5e30f2fd 642 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
088dfa13
TS		 643 TLS1_VERSION, TLS1_2_VERSION,
644 &sctx, &cctx, cert, privkey)) {
645 printf("Unable to create SSL_CTX pair\n");
646 goto end;
647 }
648
649 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
650
651 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
652 printf("Unable to create SSL objects\n");
653 goto end;
654 }
655
656 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
657 printf("Creating SSL connection failed\n");
658 goto end;
659 }
660
661 if (SSL_get_extms_support(serverssl)) {
662 printf("Server reports Extended Master Secret support\n");
663 goto end;
664 }
665
666 if (SSL_get_extms_support(clientssl)) {
667 printf("Client reports Extended Master Secret support\n");
668 goto end;
669 }
670 testresult = 1;
671
2afaee51
BK		 672end:
673 SSL_free(serverssl);
674 SSL_free(clientssl);
675 SSL_CTX_free(sctx);
676 SSL_CTX_free(cctx);
677
678 return testresult;
679}
680
3cd14e5e
BK		 681/*
682 * Very focused test to exercise a single case in the server-side state
683 * machine, when the ChangeCipherState message needs to actually change
684 * from one cipher to a different cipher (i.e., not changing from null
b3e6d666 685 * encryption to real encryption).
3cd14e5e
BK		 686 */
687static int test_ccs_change_cipher(void)
688{
689 SSL_CTX *cctx = NULL, *sctx = NULL;
690 SSL *clientssl = NULL, *serverssl = NULL;
691 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
692 int testresult = 0;
693 int i;
694 unsigned char buf;
695 size_t readbytes;
696
697 /*
698 * Create a conection so we can resume and potentially (but not) use
699 * a different cipher in the second connection.
700 */
5e30f2fd 701 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3cd14e5e
BK		 702 TLS_client_method(),
703 TLS1_VERSION, TLS1_2_VERSION,
704 &sctx, &cctx, cert, privkey))
705 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
706 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
707 NULL, NULL))
708 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
709 || !TEST_true(create_ssl_connection(serverssl, clientssl,
710 SSL_ERROR_NONE))
711 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
712 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
713 goto end;
714
715 shutdown_ssl_connection(serverssl, clientssl);
716 serverssl = clientssl = NULL;
717
718 /* Resume, preferring a different cipher. Our server will force the
719 * same cipher to be used as the initial handshake. */
720 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
721 NULL, NULL))
722 || !TEST_true(SSL_set_session(clientssl, sess))
723 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
724 || !TEST_true(create_ssl_connection(serverssl, clientssl,
725 SSL_ERROR_NONE))
726 || !TEST_true(SSL_session_reused(clientssl))
727 || !TEST_true(SSL_session_reused(serverssl))
728 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
729 || !TEST_ptr_eq(sesspre, sesspost)
730 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
731 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
732 goto end;
733 shutdown_ssl_connection(serverssl, clientssl);
734 serverssl = clientssl = NULL;
735
736 /*
737 * Now create a fresh connection and try to renegotiate a different
738 * cipher on it.
739 */
b3e6d666
BK		 740 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
741 NULL, NULL))
3cd14e5e
BK		 742 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
743 || !TEST_true(create_ssl_connection(serverssl, clientssl,
744 SSL_ERROR_NONE))
745 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
746 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
747 || !TEST_true(SSL_renegotiate(clientssl))
748 || !TEST_true(SSL_renegotiate_pending(clientssl)))
749 goto end;
750 /* Actually drive the renegotiation. */
751 for (i = 0; i < 3; i++) {
752 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
753 if (!TEST_ulong_eq(readbytes, 0))
754 goto end;
755 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
756 SSL_ERROR_WANT_READ)) {
757 goto end;
758 }
759 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
760 if (!TEST_ulong_eq(readbytes, 0))
761 goto end;
762 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
763 SSL_ERROR_WANT_READ)) {
764 goto end;
765 }
766 }
767 /* sesspre and sesspost should be different since the cipher changed. */
768 if (!TEST_false(SSL_renegotiate_pending(clientssl))
769 || !TEST_false(SSL_session_reused(clientssl))
770 || !TEST_false(SSL_session_reused(serverssl))
771 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
772 || !TEST_ptr_ne(sesspre, sesspost)
773 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
774 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
775 goto end;
776
777 shutdown_ssl_connection(serverssl, clientssl);
778 serverssl = clientssl = NULL;
779
780 testresult = 1;
781
782end:
783 SSL_free(serverssl);
784 SSL_free(clientssl);
785 SSL_CTX_free(sctx);
786 SSL_CTX_free(cctx);
787 SSL_SESSION_free(sess);
788
789 return testresult;
790}
fb121631 791#endif
3cd14e5e 792
84d5549e 793static int execute_test_large_message(const SSL_METHOD *smeth,
7d7f6834
RL		 794 const SSL_METHOD *cmeth,
795 int min_version, int max_version,
796 int read_ahead)
84d5549e
MC		 797{
798 SSL_CTX *cctx = NULL, *sctx = NULL;
799 SSL *clientssl = NULL, *serverssl = NULL;
800 int testresult = 0;
801 int i;
710756a9 802 BIO *certbio = NULL;
84d5549e
MC		 803 X509 *chaincert = NULL;
804 int certlen;
805
710756a9 806 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
84d5549e 807 goto end;
6725682d 808
d8652be0 809 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
6725682d
SL		 810 goto end;
811
812 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
813 goto end;
fa454945
MC		 814 BIO_free(certbio);
815 certbio = NULL;
84d5549e 816
5e30f2fd
MC		 817 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
818 max_version, &sctx, &cctx, cert,
819 privkey)))
84d5549e 820 goto end;
84d5549e 821
710756a9 822 if (read_ahead) {
7856332e
MC		 823 /*
824 * Test that read_ahead works correctly when dealing with large
825 * records
826 */
827 SSL_CTX_set_read_ahead(cctx, 1);
828 }
829
84d5549e
MC		 830 /*
831 * We assume the supplied certificate is big enough so that if we add
832 * NUM_EXTRA_CERTS it will make the overall message large enough. The
833 * default buffer size is requested to be 16k, but due to the way BUF_MEM
710756a9
RS		 834 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
835 * test we need to have a message larger than that.
84d5549e
MC		 836 */
837 certlen = i2d_X509(chaincert, NULL);
710756a9
RS		 838 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
839 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
84d5549e 840 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
710756a9 841 if (!X509_up_ref(chaincert))
84d5549e 842 goto end;
84d5549e 843 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
84d5549e
MC		 844 X509_free(chaincert);
845 goto end;
846 }
847 }
848
710756a9
RS		 849 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
850 NULL, NULL))
851 || !TEST_true(create_ssl_connection(serverssl, clientssl,
852 SSL_ERROR_NONE)))
84d5549e 853 goto end;
84d5549e 854
4bf08600
MC		 855 /*
856 * Calling SSL_clear() first is not required but this tests that SSL_clear()
742ccab3 857 * doesn't leak.
4bf08600 858 */
710756a9 859 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 860 goto end;
84d5549e 861
4bf08600 862 testresult = 1;
84d5549e 863 end:
6725682d 864 BIO_free(certbio);
84d5549e
MC		 865 X509_free(chaincert);
866 SSL_free(serverssl);
867 SSL_free(clientssl);
868 SSL_CTX_free(sctx);
869 SSL_CTX_free(cctx);
870
871 return testresult;
872}
873
da4db160
VF		 874#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
875 !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
876#define TLS_CIPHER_MAX_REC_SEQ_SIZE 8
fe5d9450
BP		 877/* sock must be connected */
878static int ktls_chk_platform(int sock)
879{
880 if (!ktls_enable(sock))
881 return 0;
882 return 1;
883}
884
da4db160 885static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd, int rec_seq_size)
fe5d9450
BP		 886{
887 static char count = 1;
888 unsigned char cbuf[16000] = {0};
889 unsigned char sbuf[16000];
890 size_t err = 0;
da4db160
VF		 891 char crec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
892 char crec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
893 char crec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
894 char crec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
895 char srec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
896 char srec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
897 char srec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
898 char srec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
fe5d9450
BP		 899
900 cbuf[0] = count++;
da4db160
VF		 901 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, rec_seq_size);
902 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, rec_seq_size);
903 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, rec_seq_size);
904 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, rec_seq_size);
fe5d9450
BP		 905
906 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
907 goto end;
908
909 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
910 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
911 goto end;
912 }
913 }
914
915 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
916 goto end;
917
918 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
919 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
920 goto end;
921 }
922 }
923
da4db160
VF		 924 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, rec_seq_size);
925 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, rec_seq_size);
926 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, rec_seq_size);
927 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, rec_seq_size);
fe5d9450
BP		 928
929 /* verify the payload */
930 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
931 goto end;
932
933 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
934 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
da4db160
VF		 935 if (!TEST_mem_ne(crec_wseq_before, rec_seq_size,
936 crec_wseq_after, rec_seq_size))
fe5d9450
BP		 937 goto end;
938 } else {
da4db160
VF		 939 if (!TEST_mem_eq(crec_wseq_before, rec_seq_size,
940 crec_wseq_after, rec_seq_size))
fe5d9450
BP		 941 goto end;
942 }
943
944 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
da4db160
VF		 945 if (!TEST_mem_ne(srec_wseq_before, rec_seq_size,
946 srec_wseq_after, rec_seq_size))
fe5d9450
BP		 947 goto end;
948 } else {
da4db160
VF		 949 if (!TEST_mem_eq(srec_wseq_before, rec_seq_size,
950 srec_wseq_after, rec_seq_size))
fe5d9450
BP		 951 goto end;
952 }
953
2fab79af 954 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
da4db160
VF		 955 if (!TEST_mem_ne(crec_rseq_before, rec_seq_size,
956 crec_rseq_after, rec_seq_size))
2fab79af
BP		 957 goto end;
958 } else {
da4db160
VF		 959 if (!TEST_mem_eq(crec_rseq_before, rec_seq_size,
960 crec_rseq_after, rec_seq_size))
2fab79af
BP		 961 goto end;
962 }
963
964 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
da4db160
VF		 965 if (!TEST_mem_ne(srec_rseq_before, rec_seq_size,
966 srec_rseq_after, rec_seq_size))
2fab79af
BP		 967 goto end;
968 } else {
da4db160
VF		 969 if (!TEST_mem_eq(srec_rseq_before, rec_seq_size,
970 srec_rseq_after, rec_seq_size))
2fab79af
BP		 971 goto end;
972 }
fe5d9450
BP		 973
974 return 1;
975end:
976 return 0;
977}
978
2fab79af 979static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
da4db160
VF		 980 int sis_ktls_tx, int sis_ktls_rx,
981 int tls_version, const char *cipher,
982 int rec_seq_size)
fe5d9450
BP		 983{
984 SSL_CTX *cctx = NULL, *sctx = NULL;
985 SSL *clientssl = NULL, *serverssl = NULL;
986 int testresult = 0;
987 int cfd, sfd;
988
989 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
990 goto end;
991
992 /* Skip this test if the platform does not support ktls */
993 if (!ktls_chk_platform(cfd))
994 return 1;
995
996 /* Create a session based on SHA-256 */
5e30f2fd 997 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fe5d9450 998 TLS_client_method(),
da4db160 999 tls_version, tls_version,
fe5d9450 1000 &sctx, &cctx, cert, privkey))
da4db160 1001 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
ab114c6d 1002 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher))
fe5d9450
BP		 1003 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1004 &clientssl, sfd, cfd)))
1005 goto end;
1006
1007 if (!cis_ktls_tx) {
1008 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
1009 goto end;
1010 }
1011
1012 if (!sis_ktls_tx) {
1013 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
1014 goto end;
1015 }
1016
2fab79af
BP		 1017 if (!cis_ktls_rx) {
1018 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
1019 goto end;
1020 }
1021
1022 if (!sis_ktls_rx) {
1023 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
1024 goto end;
1025 }
1026
fe5d9450
BP		 1027 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1028 SSL_ERROR_NONE)))
1029 goto end;
1030
1031 if (!cis_ktls_tx) {
1032 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1033 goto end;
1034 } else {
1035 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
1036 goto end;
1037 }
1038
1039 if (!sis_ktls_tx) {
1040 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1041 goto end;
1042 } else {
1043 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1044 goto end;
1045 }
1046
2fab79af
BP		 1047 if (!cis_ktls_rx) {
1048 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1049 goto end;
1050 } else {
1051 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
1052 goto end;
1053 }
1054
1055 if (!sis_ktls_rx) {
1056 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1057 goto end;
1058 } else {
1059 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
1060 goto end;
1061 }
1062
da4db160
VF		 1063 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd,
1064 rec_seq_size)))
fe5d9450
BP		 1065 goto end;
1066
1067 testresult = 1;
1068end:
1069 if (clientssl) {
1070 SSL_shutdown(clientssl);
1071 SSL_free(clientssl);
1072 }
1073 if (serverssl) {
1074 SSL_shutdown(serverssl);
1075 SSL_free(serverssl);
1076 }
1077 SSL_CTX_free(sctx);
1078 SSL_CTX_free(cctx);
1079 serverssl = clientssl = NULL;
1080 return testresult;
1081}
1082
7c3a7561
BP		 1083#define SENDFILE_SZ (16 * 4096)
1084#define SENDFILE_CHUNK (4 * 4096)
1085#define min(a,b) ((a) > (b) ? (b) : (a))
1086
da4db160 1087static int test_ktls_sendfile(int tls_version, const char *cipher)
7c3a7561
BP		 1088{
1089 SSL_CTX *cctx = NULL, *sctx = NULL;
1090 SSL *clientssl = NULL, *serverssl = NULL;
1091 unsigned char *buf, *buf_dst;
1092 BIO *out = NULL, *in = NULL;
1093 int cfd, sfd, ffd, err;
1094 ssize_t chunk_size = 0;
1095 off_t chunk_off = 0;
1096 int testresult = 0;
1097 FILE *ffdp;
1098
1099 buf = OPENSSL_zalloc(SENDFILE_SZ);
1100 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1101 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1102 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1103 goto end;
1104
1105 /* Skip this test if the platform does not support ktls */
1106 if (!ktls_chk_platform(sfd)) {
1107 testresult = 1;
1108 goto end;
1109 }
1110
1111 /* Create a session based on SHA-256 */
5e30f2fd 1112 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7c3a7561 1113 TLS_client_method(),
da4db160 1114 tls_version, tls_version,
7c3a7561 1115 &sctx, &cctx, cert, privkey))
da4db160 1116 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
ab114c6d 1117 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher))
7c3a7561
BP		 1118 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1119 &clientssl, sfd, cfd)))
1120 goto end;
1121
1122 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1123 SSL_ERROR_NONE))
1124 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1125 goto end;
1126
72c1e374
JB		 1127 if (!TEST_true(RAND_bytes_ex(libctx, buf, SENDFILE_SZ)))
1128 goto end;
1129
7c3a7561
BP		 1130 out = BIO_new_file(tmpfilename, "wb");
1131 if (!TEST_ptr(out))
1132 goto end;
1133
1134 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1135 goto end;
1136
1137 BIO_free(out);
1138 out = NULL;
1139 in = BIO_new_file(tmpfilename, "rb");
1140 BIO_get_fp(in, &ffdp);
1141 ffd = fileno(ffdp);
1142
1143 while (chunk_off < SENDFILE_SZ) {
1144 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1145 while ((err = SSL_sendfile(serverssl,
1146 ffd,
1147 chunk_off,
1148 chunk_size,
1149 0)) != chunk_size) {
1150 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1151 goto end;
1152 }
1153 while ((err = SSL_read(clientssl,
1154 buf_dst + chunk_off,
1155 chunk_size)) != chunk_size) {
1156 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1157 goto end;
1158 }
1159
1160 /* verify the payload */
1161 if (!TEST_mem_eq(buf_dst + chunk_off,
1162 chunk_size,
1163 buf + chunk_off,
1164 chunk_size))
1165 goto end;
1166
1167 chunk_off += chunk_size;
1168 }
1169
1170 testresult = 1;
1171end:
1172 if (clientssl) {
1173 SSL_shutdown(clientssl);
1174 SSL_free(clientssl);
1175 }
1176 if (serverssl) {
1177 SSL_shutdown(serverssl);
1178 SSL_free(serverssl);
1179 }
1180 SSL_CTX_free(sctx);
1181 SSL_CTX_free(cctx);
1182 serverssl = clientssl = NULL;
1183 BIO_free(out);
1184 BIO_free(in);
1185 OPENSSL_free(buf);
1186 OPENSSL_free(buf_dst);
1187 return testresult;
1188}
1189
da4db160
VF		 1190#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
1191static int test_ktls(int test)
1192{
eb818d23
JB		 1193 int cis_ktls_tx, cis_ktls_rx, sis_ktls_tx, sis_ktls_rx;
1194 int tlsver, testresult;
da4db160
VF		 1195
1196 if (test > 15) {
1197#if defined(OPENSSL_NO_TLS1_3)
1198 return 1;
1199#else
1200 test -= 16;
1201 tlsver = TLS1_3_VERSION;
1202#endif
1203 } else {
1204#if defined(OPENSSL_NO_TLS1_2)
1205 return 1;
1206#else
1207 tlsver = TLS1_2_VERSION;
1208#endif
1209 }
1210
eb818d23
JB		 1211 cis_ktls_tx = (test & 1) != 0;
1212 cis_ktls_rx = (test & 2) != 0;
1213 sis_ktls_tx = (test & 4) != 0;
1214 sis_ktls_rx = (test & 8) != 0;
1215
cd03b5dc
JB		 1216#if defined(OPENSSL_NO_KTLS_RX)
1217 if (cis_ktls_rx || sis_ktls_rx)
1218 return 1;
1219#endif
18efb630
JB		 1220#if !defined(OPENSSL_NO_TLS1_3)
1221 if (tlsver == TLS1_3_VERSION && (cis_ktls_rx || sis_ktls_rx))
1222 return 1;
1223#endif
cd03b5dc 1224
eb818d23
JB		 1225 testresult = 1;
1226#ifdef OPENSSL_KTLS_AES_GCM_128
1227 testresult &= execute_test_ktls(cis_ktls_tx, cis_ktls_rx, sis_ktls_tx,
1228 sis_ktls_rx, tlsver, "AES128-GCM-SHA256",
1229 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1230#endif
1231#ifdef OPENSSL_KTLS_AES_CCM_128
1232 testresult &= execute_test_ktls(cis_ktls_tx, cis_ktls_rx, sis_ktls_tx,
ab114c6d 1233 sis_ktls_rx, tlsver, "AES128-CCM",
eb818d23
JB		 1234 TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1235#endif
1236#ifdef OPENSSL_KTLS_AES_GCM_256
1237 testresult &= execute_test_ktls(cis_ktls_tx, cis_ktls_rx, sis_ktls_tx,
1238 sis_ktls_rx, tlsver, "AES256-GCM-SHA384",
1239 TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1240#endif
1241 return testresult;
2fab79af
BP		 1242}
1243
da4db160 1244static int test_ktls_sendfile_anytls(int tst)
fe5d9450 1245{
ab114c6d 1246 char *cipher[] = {"AES128-GCM-SHA256","AES128-CCM","AES256-GCM-SHA384"};
da4db160
VF		 1247 int tlsver;
1248
1249 if (tst > 2) {
1250#if defined(OPENSSL_NO_TLS1_3)
1251 return 1;
1252#else
1253 tst -= 3;
1254 tlsver = TLS1_3_VERSION;
1255#endif
1256 } else {
1257#if defined(OPENSSL_NO_TLS1_2)
1258 return 1;
1259#else
1260 tlsver = TLS1_2_VERSION;
1261#endif
1262 }
1263
1264#ifndef OPENSSL_KTLS_AES_GCM_128
1265 if(tst == 0) return 1;
1266#endif
1267#ifndef OPENSSL_KTLS_AES_CCM_128
1268 if(tst == 1) return 1;
1269#endif
1270#ifndef OPENSSL_KTLS_AES_GCM_256
1271 if(tst == 2) return 1;
1272#endif
1273 return test_ktls_sendfile(tlsver, cipher[tst]);
fe5d9450 1274}
da4db160
VF		 1275
1276#endif
fe5d9450
BP		 1277#endif
1278
84d5549e
MC		 1279static int test_large_message_tls(void)
1280{
7856332e 1281 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1282 TLS1_VERSION, 0, 0);
7856332e
MC		 1283}
1284
1285static int test_large_message_tls_read_ahead(void)
1286{
1287 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1288 TLS1_VERSION, 0, 1);
84d5549e
MC		 1289}
1290
55386bef 1291#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 1292static int test_large_message_dtls(void)
1293{
7856332e
MC		 1294 /*
1295 * read_ahead is not relevant to DTLS because DTLS always acts as if
1296 * read_ahead is set.
1297 */
84d5549e 1298 return execute_test_large_message(DTLS_server_method(),
7d7f6834 1299 DTLS_client_method(),
5c587fb6 1300 DTLS1_VERSION, 0, 0);
84d5549e 1301}
55386bef 1302#endif
84d5549e 1303
163b8016
ME		 1304static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1305 const SSL_METHOD *cmeth,
1306 int min_version, int max_version)
1307{
1308 size_t i;
1309 SSL_CTX *cctx = NULL, *sctx = NULL;
1310 SSL *clientssl = NULL, *serverssl = NULL;
1311 int testresult = 0;
1312 SSL3_RECORD *rr;
1313 void *zbuf;
1314
1315 static unsigned char cbuf[16000];
1316 static unsigned char sbuf[16000];
1317
1318 if (!TEST_true(create_ssl_ctx_pair(libctx,
1319 smeth, cmeth,
1320 min_version, max_version,
1321 &sctx, &cctx, cert,
1322 privkey)))
1323 goto end;
1324
1325 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1326 NULL, NULL)))
1327 goto end;
1328
1329 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1330 goto end;
1331
1332 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1333 SSL_ERROR_NONE)))
1334 goto end;
1335
1336 for (i = 0; i < sizeof(cbuf); i++) {
1337 cbuf[i] = i & 0xff;
1338 }
1339
1340 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1341 goto end;
1342
1343 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1344 goto end;
1345
1346 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1347 goto end;
1348
1349 /*
1350 * Since we called SSL_peek(), we know the data in the record
1351 * layer is a plaintext record. We can gather the pointer to check
1352 * for zeroization after SSL_read().
1353 */
1354 rr = serverssl->rlayer.rrec;
1355 zbuf = &rr->data[rr->off];
1356 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1357 goto end;
1358
1359 /*
1360 * After SSL_peek() the plaintext must still be stored in the
1361 * record.
1362 */
1363 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1364 goto end;
1365
1366 memset(sbuf, 0, sizeof(sbuf));
1367 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1368 goto end;
1369
1370 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1371 goto end;
1372
1373 /* Check if rbuf is cleansed */
1374 memset(cbuf, 0, sizeof(cbuf));
1375 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1376 goto end;
1377
1378 testresult = 1;
1379 end:
1380 SSL_free(serverssl);
1381 SSL_free(clientssl);
1382 SSL_CTX_free(sctx);
1383 SSL_CTX_free(cctx);
1384
1385 return testresult;
1386}
1387
1388static int test_cleanse_plaintext(void)
1389{
1390#if !defined(OPENSSL_NO_TLS1_2)
1391 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1392 TLS_client_method(),
1393 TLS1_2_VERSION,
1394 TLS1_2_VERSION)))
1395 return 0;
1396
1397#endif
1398
1399#if !defined(OPENSSL_NO_TLS1_3)
1400 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1401 TLS_client_method(),
1402 TLS1_3_VERSION,
1403 TLS1_3_VERSION)))
1404 return 0;
1405#endif
1406
1407#if !defined(OPENSSL_NO_DTLS)
1408 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1409 DTLS_client_method(),
1410 DTLS1_VERSION,
1411 0)))
1412 return 0;
1413#endif
1414 return 1;
1415}
1416
8f8c11d8 1417#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 1418static int ocsp_server_cb(SSL *s, void *arg)
1419{
1420 int *argi = (int *)arg;
710756a9 1421 unsigned char *copy = NULL;
ba881d3b
MC		 1422 STACK_OF(OCSP_RESPID) *ids = NULL;
1423 OCSP_RESPID *id = NULL;
1424
1425 if (*argi == 2) {
1426 /* In this test we are expecting exactly 1 OCSP_RESPID */
1427 SSL_get_tlsext_status_ids(s, &ids);
1428 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1429 return SSL_TLSEXT_ERR_ALERT_FATAL;
1430
1431 id = sk_OCSP_RESPID_value(ids, 0);
5e30f2fd 1432 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
ba881d3b
MC		 1433 return SSL_TLSEXT_ERR_ALERT_FATAL;
1434 } else if (*argi != 1) {
1435 return SSL_TLSEXT_ERR_ALERT_FATAL;
1436 }
1437
710756a9 1438 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 1439 return SSL_TLSEXT_ERR_ALERT_FATAL;
1440
710756a9 1441 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
ba881d3b 1442 ocsp_server_called = 1;
ba881d3b
MC		 1443 return SSL_TLSEXT_ERR_OK;
1444}
1445
1446static int ocsp_client_cb(SSL *s, void *arg)
1447{
1448 int *argi = (int *)arg;
1449 const unsigned char *respderin;
1450 size_t len;
1451
1452 if (*argi != 1 && *argi != 2)
1453 return 0;
1454
1455 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 1456 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 1457 return 0;
1458
1459 ocsp_client_called = 1;
ba881d3b
MC		 1460 return 1;
1461}
1462
2cb4b5f6
MC		 1463static int test_tlsext_status_type(void)
1464{
ba881d3b
MC		 1465 SSL_CTX *cctx = NULL, *sctx = NULL;
1466 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 1467 int testresult = 0;
ba881d3b
MC		 1468 STACK_OF(OCSP_RESPID) *ids = NULL;
1469 OCSP_RESPID *id = NULL;
1470 BIO *certbio = NULL;
2cb4b5f6 1471
5e30f2fd 1472 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
5c587fb6 1473 TLS1_VERSION, 0,
7d7f6834 1474 &sctx, &cctx, cert, privkey))
ba881d3b 1475 return 0;
2cb4b5f6 1476
710756a9 1477 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 1478 goto end;
2cb4b5f6 1479
ba881d3b 1480 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 1481
ba881d3b 1482 clientssl = SSL_new(cctx);
710756a9
RS		 1483 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1484 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1485 TLSEXT_STATUSTYPE_ocsp))
1486 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1487 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 1488 goto end;
2cb4b5f6 1489
ba881d3b
MC		 1490 SSL_free(clientssl);
1491 clientssl = NULL;
2cb4b5f6 1492
710756a9
RS		 1493 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1494 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1495 goto end;
2cb4b5f6 1496
ba881d3b 1497 clientssl = SSL_new(cctx);
710756a9 1498 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1499 goto end;
ba881d3b
MC		 1500 SSL_free(clientssl);
1501 clientssl = NULL;
1502
1503 /*
1504 * Now actually do a handshake and check OCSP information is exchanged and
1505 * the callbacks get called
1506 */
ba881d3b
MC		 1507 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1508 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1509 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1510 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 1511 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1512 &clientssl, NULL, NULL))
1513 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1514 SSL_ERROR_NONE))
1515 || !TEST_true(ocsp_client_called)
1516 || !TEST_true(ocsp_server_called))
ba881d3b 1517 goto end;
ba881d3b
MC		 1518 SSL_free(serverssl);
1519 SSL_free(clientssl);
1520 serverssl = NULL;
1521 clientssl = NULL;
1522
1523 /* Try again but this time force the server side callback to fail */
1524 ocsp_client_called = 0;
1525 ocsp_server_called = 0;
1526 cdummyarg = 0;
710756a9
RS		 1527 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1528 &clientssl, NULL, NULL))
1529 /* This should fail because the callback will fail */
1530 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1531 SSL_ERROR_NONE))
1532 || !TEST_false(ocsp_client_called)
1533 || !TEST_false(ocsp_server_called))
ba881d3b 1534 goto end;
ba881d3b
MC		 1535 SSL_free(serverssl);
1536 SSL_free(clientssl);
1537 serverssl = NULL;
1538 clientssl = NULL;
1539
1540 /*
1541 * This time we'll get the client to send an OCSP_RESPID that it will
1542 * accept.
1543 */
1544 ocsp_client_called = 0;
1545 ocsp_server_called = 0;
1546 cdummyarg = 2;
710756a9
RS		 1547 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1548 &clientssl, NULL, NULL)))
ba881d3b 1549 goto end;
ba881d3b
MC		 1550
1551 /*
1552 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 1553 * specific one. We'll use the server cert.
ba881d3b 1554 */
710756a9
RS		 1555 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1556 || !TEST_ptr(id = OCSP_RESPID_new())
1557 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
d8652be0 1558 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
6725682d 1559 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
5e30f2fd 1560 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
710756a9 1561 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 1562 goto end;
ba881d3b
MC		 1563 id = NULL;
1564 SSL_set_tlsext_status_ids(clientssl, ids);
1565 /* Control has been transferred */
1566 ids = NULL;
1567
1568 BIO_free(certbio);
1569 certbio = NULL;
1570
710756a9
RS		 1571 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1572 SSL_ERROR_NONE))
1573 || !TEST_true(ocsp_client_called)
1574 || !TEST_true(ocsp_server_called))
ba881d3b 1575 goto end;
ba881d3b 1576
2cb4b5f6
MC		 1577 testresult = 1;
1578
1579 end:
ba881d3b
MC		 1580 SSL_free(serverssl);
1581 SSL_free(clientssl);
1582 SSL_CTX_free(sctx);
1583 SSL_CTX_free(cctx);
1584 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1585 OCSP_RESPID_free(id);
1586 BIO_free(certbio);
1587 X509_free(ocspcert);
1588 ocspcert = NULL;
2cb4b5f6
MC		 1589
1590 return testresult;
1591}
8f8c11d8 1592#endif
2cb4b5f6 1593
bf208d95 1594#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 1595static int new_called, remove_called, get_called;
eaa776da 1596
eaa776da
MC		 1597static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1598{
1599 new_called++;
c0537ebd
MC		 1600 /*
1601 * sess has been up-refed for us, but we don't actually need it so free it
1602 * immediately.
1603 */
1604 SSL_SESSION_free(sess);
eaa776da
MC		 1605 return 1;
1606}
1607
1608static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1609{
1610 remove_called++;
1611}
1612
7a301f08
MC		 1613static SSL_SESSION *get_sess_val = NULL;
1614
1615static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1616 int *copy)
1617{
0afca811 1618 get_called++;
7a301f08
MC		 1619 *copy = 1;
1620 return get_sess_val;
1621}
1622
7a301f08 1623static int execute_test_session(int maxprot, int use_int_cache,
90fc2c26 1624 int use_ext_cache, long s_options)
2cb4b5f6
MC		 1625{
1626 SSL_CTX *sctx = NULL, *cctx = NULL;
1627 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1628 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 1629# ifndef OPENSSL_NO_TLS1_1
eaa776da 1630 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 1631# endif
2cb4b5f6 1632 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
36ff232c 1633 int testresult = 0, numnewsesstick = 1;
2cb4b5f6 1634
7e885b7b
P		 1635 new_called = remove_called = 0;
1636
36ff232c
MC		 1637 /* TLSv1.3 sends 2 NewSessionTickets */
1638 if (maxprot == TLS1_3_VERSION)
1639 numnewsesstick = 2;
1640
5e30f2fd
MC		 1641 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1642 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 1643 &sctx, &cctx, cert, privkey)))
2cb4b5f6 1644 return 0;
2cb4b5f6 1645
7a301f08
MC		 1646 /*
1647 * Only allow the max protocol version so we can force a connection failure
1648 * later
1649 */
1650 SSL_CTX_set_min_proto_version(cctx, maxprot);
1651 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 1652
1653 /* Set up session cache */
7e885b7b 1654 if (use_ext_cache) {
eaa776da
MC		 1655 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1656 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1657 }
7e885b7b 1658 if (use_int_cache) {
eaa776da
MC		 1659 /* Also covers instance where both are set */
1660 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1661 } else {
1662 SSL_CTX_set_session_cache_mode(cctx,
1663 SSL_SESS_CACHE_CLIENT
1664 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1665 }
2cb4b5f6 1666
90fc2c26
NM		 1667 if (s_options) {
1668 SSL_CTX_set_options(sctx, s_options);
1669 }
1670
710756a9
RS		 1671 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1672 NULL, NULL))
1673 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1674 SSL_ERROR_NONE))
1675 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 1676 goto end;
2cb4b5f6 1677
710756a9 1678 /* Should fail because it should already be in the cache */
7e885b7b 1679 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 1680 goto end;
7a301f08 1681 if (use_ext_cache
36ff232c
MC		 1682 && (!TEST_int_eq(new_called, numnewsesstick)
1683
1684 || !TEST_int_eq(remove_called, 0)))
b4982125 1685 goto end;
b4982125 1686
c0537ebd
MC		 1687 new_called = remove_called = 0;
1688 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1689 &clientssl2, NULL, NULL))
1690 || !TEST_true(SSL_set_session(clientssl2, sess1))
1691 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1692 SSL_ERROR_NONE))
1693 || !TEST_true(SSL_session_reused(clientssl2)))
1694 goto end;
1695
7a301f08
MC		 1696 if (maxprot == TLS1_3_VERSION) {
1697 /*
1698 * In TLSv1.3 we should have created a new session even though we have
4cb00457
MC		 1699 * resumed. Since we attempted a resume we should also have removed the
1700 * old ticket from the cache so that we try to only use tickets once.
7a301f08
MC		 1701 */
1702 if (use_ext_cache
1703 && (!TEST_int_eq(new_called, 1)
4cb00457 1704 || !TEST_int_eq(remove_called, 1)))
7a301f08
MC		 1705 goto end;
1706 } else {
1707 /*
1708 * In TLSv1.2 we expect to have resumed so no sessions added or
1709 * removed.
1710 */
1711 if (use_ext_cache
1712 && (!TEST_int_eq(new_called, 0)
1713 || !TEST_int_eq(remove_called, 0)))
1714 goto end;
1715 }
c0537ebd
MC		 1716
1717 SSL_SESSION_free(sess1);
1718 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1719 goto end;
1720 shutdown_ssl_connection(serverssl2, clientssl2);
1721 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 1722
1723 new_called = remove_called = 0;
710756a9
RS		 1724 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1725 &clientssl2, NULL, NULL))
1726 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1727 SSL_ERROR_NONE)))
2cb4b5f6 1728 goto end;
2cb4b5f6 1729
710756a9 1730 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 1731 goto end;
2cb4b5f6 1732
7a301f08 1733 if (use_ext_cache
36ff232c
MC		 1734 && (!TEST_int_eq(new_called, numnewsesstick)
1735 || !TEST_int_eq(remove_called, 0)))
eaa776da 1736 goto end;
eaa776da 1737
c0537ebd 1738 new_called = remove_called = 0;
2cb4b5f6 1739 /*
710756a9
RS		 1740 * This should clear sess2 from the cache because it is a "bad" session.
1741 * See SSL_set_session() documentation.
2cb4b5f6 1742 */
710756a9 1743 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 1744 goto end;
7a301f08
MC		 1745 if (use_ext_cache
1746 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 1747 goto end;
710756a9 1748 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 1749 goto end;
2cb4b5f6 1750
7e885b7b 1751 if (use_int_cache) {
710756a9
RS		 1752 /* Should succeeded because it should not already be in the cache */
1753 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1754 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 1755 goto end;
eaa776da
MC		 1756 }
1757
c0537ebd 1758 new_called = remove_called = 0;
eaa776da 1759 /* This shouldn't be in the cache so should fail */
710756a9 1760 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 1761 goto end;
2cb4b5f6 1762
7a301f08
MC		 1763 if (use_ext_cache
1764 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1765 goto end;
2cb4b5f6 1766
bf208d95 1767# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 1768 new_called = remove_called = 0;
eaa776da
MC		 1769 /* Force a connection failure */
1770 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 1771 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1772 &clientssl3, NULL, NULL))
1773 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 1774 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 1775 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1776 SSL_ERROR_NONE)))
eaa776da 1777 goto end;
b4982125 1778
eaa776da 1779 /* We should have automatically removed the session from the cache */
7a301f08
MC		 1780 if (use_ext_cache
1781 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1782 goto end;
2cb4b5f6 1783
710756a9 1784 /* Should succeed because it should not already be in the cache */
7e885b7b 1785 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 1786 goto end;
bf208d95 1787# endif
eaa776da 1788
7a301f08
MC		 1789 /* Now do some tests for server side caching */
1790 if (use_ext_cache) {
1791 SSL_CTX_sess_set_new_cb(cctx, NULL);
1792 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1793 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1794 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1795 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1796 get_sess_val = NULL;
1797 }
1798
1799 SSL_CTX_set_session_cache_mode(cctx, 0);
1800 /* Internal caching is the default on the server side */
1801 if (!use_int_cache)
1802 SSL_CTX_set_session_cache_mode(sctx,
1803 SSL_SESS_CACHE_SERVER
1804 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1805
1806 SSL_free(serverssl1);
1807 SSL_free(clientssl1);
1808 serverssl1 = clientssl1 = NULL;
1809 SSL_free(serverssl2);
1810 SSL_free(clientssl2);
1811 serverssl2 = clientssl2 = NULL;
1812 SSL_SESSION_free(sess1);
1813 sess1 = NULL;
1814 SSL_SESSION_free(sess2);
1815 sess2 = NULL;
1816
1817 SSL_CTX_set_max_proto_version(sctx, maxprot);
6cc0b3c2
MC		 1818 if (maxprot == TLS1_2_VERSION)
1819 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 1820 new_called = remove_called = get_called = 0;
7a301f08
MC		 1821 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1822 NULL, NULL))
1823 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1824 SSL_ERROR_NONE))
1825 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1826 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1827 goto end;
1828
ee94ec2e
MC		 1829 if (use_int_cache) {
1830 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1831 /*
1832 * In TLSv1.3 it should not have been added to the internal cache,
1833 * except in the case where we also have an external cache (in that
1834 * case it gets added to the cache in order to generate remove
1835 * events after timeout).
1836 */
1837 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1838 goto end;
1839 } else {
1840 /* Should fail because it should already be in the cache */
1841 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1842 goto end;
1843 }
1844 }
7a301f08
MC		 1845
1846 if (use_ext_cache) {
1847 SSL_SESSION *tmp = sess2;
1848
36ff232c 1849 if (!TEST_int_eq(new_called, numnewsesstick)
0afca811
KY		 1850 || !TEST_int_eq(remove_called, 0)
1851 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 1852 goto end;
1853 /*
1854 * Delete the session from the internal cache to force a lookup from
1855 * the external cache. We take a copy first because
1856 * SSL_CTX_remove_session() also marks the session as non-resumable.
1857 */
ee94ec2e 1858 if (use_int_cache && maxprot != TLS1_3_VERSION) {
3cb6a4d6
BK		 1859 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1860 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1861 goto end;
1862 SSL_SESSION_free(sess2);
1863 }
7a301f08
MC		 1864 sess2 = tmp;
1865 }
1866
0afca811 1867 new_called = remove_called = get_called = 0;
7a301f08
MC		 1868 get_sess_val = sess2;
1869 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1870 &clientssl2, NULL, NULL))
1871 || !TEST_true(SSL_set_session(clientssl2, sess1))
1872 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1873 SSL_ERROR_NONE))
1874 || !TEST_true(SSL_session_reused(clientssl2)))
1875 goto end;
1876
0afca811 1877 if (use_ext_cache) {
32305f88 1878 if (!TEST_int_eq(remove_called, 0))
0afca811
KY		 1879 goto end;
1880
1881 if (maxprot == TLS1_3_VERSION) {
32305f88
MC		 1882 if (!TEST_int_eq(new_called, 1)
1883 || !TEST_int_eq(get_called, 0))
0afca811
KY		 1884 goto end;
1885 } else {
32305f88
MC		 1886 if (!TEST_int_eq(new_called, 0)
1887 || !TEST_int_eq(get_called, 1))
0afca811
KY		 1888 goto end;
1889 }
1890 }
7a301f08 1891
2cb4b5f6 1892 testresult = 1;
eaa776da 1893
2cb4b5f6
MC		 1894 end:
1895 SSL_free(serverssl1);
1896 SSL_free(clientssl1);
1897 SSL_free(serverssl2);
1898 SSL_free(clientssl2);
bf208d95 1899# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 1900 SSL_free(serverssl3);
1901 SSL_free(clientssl3);
bf208d95 1902# endif
2cb4b5f6
MC		 1903 SSL_SESSION_free(sess1);
1904 SSL_SESSION_free(sess2);
1905 SSL_CTX_free(sctx);
1906 SSL_CTX_free(cctx);
1907
1908 return testresult;
1909}
bf208d95 1910#endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 1911
7fb4c820
MC		 1912static int test_session_with_only_int_cache(void)
1913{
7a301f08 1914#ifndef OPENSSL_NO_TLS1_3
90fc2c26 1915 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
7a301f08
MC		 1916 return 0;
1917#endif
1918
1919#ifndef OPENSSL_NO_TLS1_2
90fc2c26 1920 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
7a301f08
MC		 1921#else
1922 return 1;
1923#endif
eaa776da
MC		 1924}
1925
7fb4c820
MC		 1926static int test_session_with_only_ext_cache(void)
1927{
7a301f08 1928#ifndef OPENSSL_NO_TLS1_3
90fc2c26 1929 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
7a301f08
MC		 1930 return 0;
1931#endif
1932
1933#ifndef OPENSSL_NO_TLS1_2
90fc2c26 1934 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
7a301f08
MC		 1935#else
1936 return 1;
1937#endif
eaa776da
MC		 1938}
1939
7fb4c820
MC		 1940static int test_session_with_both_cache(void)
1941{
7a301f08 1942#ifndef OPENSSL_NO_TLS1_3
90fc2c26
NM		 1943 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
1944 return 0;
1945#endif
1946
1947#ifndef OPENSSL_NO_TLS1_2
1948 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
1949#else
1950 return 1;
1951#endif
1952}
1953
1954static int test_session_wo_ca_names(void)
1955{
1956#ifndef OPENSSL_NO_TLS1_3
1957 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
7a301f08
MC		 1958 return 0;
1959#endif
1960
1961#ifndef OPENSSL_NO_TLS1_2
90fc2c26 1962 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
7a301f08
MC		 1963#else
1964 return 1;
1965#endif
eaa776da
MC		 1966}
1967
90fc2c26 1968
04225915 1969#ifndef OPENSSL_NO_TLS1_3
c22365b3
MC		 1970static SSL_SESSION *sesscache[6];
1971static int do_cache;
36ff232c
MC		 1972
1973static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1974{
c22365b3
MC		 1975 if (do_cache) {
1976 sesscache[new_called] = sess;
1977 } else {
1978 /* We don't need the reference to the session, so free it */
1979 SSL_SESSION_free(sess);
1980 }
1981 new_called++;
1982
1983 return 1;
1984}
1985
1986static int post_handshake_verify(SSL *sssl, SSL *cssl)
1987{
1988 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1989 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1990 return 0;
1991
1992 /* Start handshake on the server and client */
1993 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1994 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1995 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1996 || !TEST_true(create_ssl_connection(sssl, cssl,
1997 SSL_ERROR_NONE)))
1998 return 0;
36ff232c
MC		 1999
2000 return 1;
2001}
2002
fbe9dafd 2003static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
03cdf559
MC		 2004 SSL_CTX **cctx)
2005{
2006 int sess_id_ctx = 1;
2007
5e30f2fd
MC		 2008 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2009 TLS_client_method(), TLS1_VERSION, 0,
2010 sctx, cctx, cert, privkey))
03cdf559
MC		 2011 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2012 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2013 (void *)&sess_id_ctx,
2014 sizeof(sess_id_ctx))))
2015 return 0;
2016
2017 if (stateful)
2018 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2019
2020 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2021 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2022 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2023
2024 return 1;
2025}
2026
2027static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2028{
2029 SSL *serverssl = NULL, *clientssl = NULL;
2030 int i;
2031
2032 /* Test that we can resume with all the tickets we got given */
2033 for (i = 0; i < idx * 2; i++) {
2034 new_called = 0;
2035 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2036 &clientssl, NULL, NULL))
2037 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2038 goto end;
2039
32097b33 2040 SSL_set_post_handshake_auth(clientssl, 1);
03cdf559
MC		 2041
2042 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2043 SSL_ERROR_NONE)))
2044 goto end;
2045
2046 /*
2047 * Following a successful resumption we only get 1 ticket. After a
2048 * failed one we should get idx tickets.
2049 */
2050 if (succ) {
2051 if (!TEST_true(SSL_session_reused(clientssl))
2052 || !TEST_int_eq(new_called, 1))
2053 goto end;
2054 } else {
2055 if (!TEST_false(SSL_session_reused(clientssl))
2056 || !TEST_int_eq(new_called, idx))
2057 goto end;
2058 }
2059
2060 new_called = 0;
2061 /* After a post-handshake authentication we should get 1 new ticket */
2062 if (succ
2063 && (!post_handshake_verify(serverssl, clientssl)
2064 || !TEST_int_eq(new_called, 1)))
2065 goto end;
2066
2067 SSL_shutdown(clientssl);
2068 SSL_shutdown(serverssl);
2069 SSL_free(serverssl);
2070 SSL_free(clientssl);
2071 serverssl = clientssl = NULL;
2072 SSL_SESSION_free(sesscache[i]);
2073 sesscache[i] = NULL;
2074 }
2075
2076 return 1;
2077
2078 end:
2079 SSL_free(clientssl);
2080 SSL_free(serverssl);
2081 return 0;
2082}
2083
04d7814a 2084static int test_tickets(int stateful, int idx)
36ff232c
MC		 2085{
2086 SSL_CTX *sctx = NULL, *cctx = NULL;
2087 SSL *serverssl = NULL, *clientssl = NULL;
03cdf559 2088 int testresult = 0;
36ff232c
MC		 2089 size_t j;
2090
2091 /* idx is the test number, but also the number of tickets we want */
2092
2093 new_called = 0;
c22365b3 2094 do_cache = 1;
36ff232c 2095
fbe9dafd 2096 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
36ff232c
MC		 2097 goto end;
2098
03cdf559
MC		 2099 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2100 &clientssl, NULL, NULL)))
2101 goto end;
2102
2103 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2104 SSL_ERROR_NONE))
2105 /* Check we got the number of tickets we were expecting */
2106 || !TEST_int_eq(idx, new_called))
2107 goto end;
04d7814a 2108
03cdf559
MC		 2109 SSL_shutdown(clientssl);
2110 SSL_shutdown(serverssl);
2111 SSL_free(serverssl);
2112 SSL_free(clientssl);
2113 SSL_CTX_free(sctx);
2114 SSL_CTX_free(cctx);
2115 clientssl = serverssl = NULL;
2116 sctx = cctx = NULL;
2117
2118 /*
2119 * Now we try to resume with the tickets we previously created. The
2120 * resumption attempt is expected to fail (because we're now using a new
2121 * SSL_CTX). We should see idx number of tickets issued again.
2122 */
2123
2124 /* Stop caching sessions - just count them */
2125 do_cache = 0;
2126
fbe9dafd 2127 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559
MC		 2128 goto end;
2129
2130 if (!check_resumption(idx, sctx, cctx, 0))
2131 goto end;
2132
2133 /* Start again with caching sessions */
2134 new_called = 0;
2135 do_cache = 1;
fbe9dafd
MC		 2136 SSL_CTX_free(sctx);
2137 SSL_CTX_free(cctx);
2138 sctx = cctx = NULL;
03cdf559 2139
fbe9dafd 2140 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559 2141 goto end;
36ff232c
MC		 2142
2143 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2144 &clientssl, NULL, NULL)))
2145 goto end;
2146
32097b33 2147 SSL_set_post_handshake_auth(clientssl, 1);
36ff232c
MC		 2148
2149 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2150 SSL_ERROR_NONE))
2151 /* Check we got the number of tickets we were expecting */
2152 || !TEST_int_eq(idx, new_called))
2153 goto end;
2154
2155 /* After a post-handshake authentication we should get new tickets issued */
c22365b3 2156 if (!post_handshake_verify(serverssl, clientssl)
36ff232c
MC		 2157 || !TEST_int_eq(idx * 2, new_called))
2158 goto end;
2159
36ff232c
MC		 2160 SSL_shutdown(clientssl);
2161 SSL_shutdown(serverssl);
2162 SSL_free(serverssl);
2163 SSL_free(clientssl);
2164 serverssl = clientssl = NULL;
2165
c22365b3
MC		 2166 /* Stop caching sessions - just count them */
2167 do_cache = 0;
2168
03cdf559
MC		 2169 /*
2170 * Check we can resume with all the tickets we created. This time around the
2171 * resumptions should all be successful.
2172 */
2173 if (!check_resumption(idx, sctx, cctx, 1))
2174 goto end;
36ff232c
MC		 2175
2176 testresult = 1;
2177
2178 end:
2179 SSL_free(serverssl);
2180 SSL_free(clientssl);
c22365b3 2181 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
36ff232c 2182 SSL_SESSION_free(sesscache[j]);
c22365b3
MC		 2183 sesscache[j] = NULL;
2184 }
36ff232c
MC		 2185 SSL_CTX_free(sctx);
2186 SSL_CTX_free(cctx);
2187
2188 return testresult;
2189}
04d7814a
MC		 2190
2191static int test_stateless_tickets(int idx)
2192{
2193 return test_tickets(0, idx);
2194}
2195
2196static int test_stateful_tickets(int idx)
2197{
2198 return test_tickets(1, idx);
2199}
8614a4eb
MC		 2200
2201static int test_psk_tickets(void)
2202{
2203 SSL_CTX *sctx = NULL, *cctx = NULL;
2204 SSL *serverssl = NULL, *clientssl = NULL;
2205 int testresult = 0;
2206 int sess_id_ctx = 1;
2207
5e30f2fd
MC		 2208 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2209 TLS_client_method(), TLS1_VERSION, 0,
2210 &sctx, &cctx, NULL, NULL))
8614a4eb
MC		 2211 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2212 (void *)&sess_id_ctx,
2213 sizeof(sess_id_ctx))))
2214 goto end;
2215
2216 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2217 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2218 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2219 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2220 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2221 use_session_cb_cnt = 0;
2222 find_session_cb_cnt = 0;
2223 srvid = pskid;
2224 new_called = 0;
2225
2226 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2227 NULL, NULL)))
2228 goto end;
2229 clientpsk = serverpsk = create_a_psk(clientssl);
2230 if (!TEST_ptr(clientpsk))
2231 goto end;
2232 SSL_SESSION_up_ref(clientpsk);
2233
2234 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2235 SSL_ERROR_NONE))
2236 || !TEST_int_eq(1, find_session_cb_cnt)
2237 || !TEST_int_eq(1, use_session_cb_cnt)
2238 /* We should always get 1 ticket when using external PSK */
2239 || !TEST_int_eq(1, new_called))
2240 goto end;
2241
2242 testresult = 1;
2243
2244 end:
2245 SSL_free(serverssl);
2246 SSL_free(clientssl);
2247 SSL_CTX_free(sctx);
2248 SSL_CTX_free(cctx);
2249 SSL_SESSION_free(clientpsk);
2250 SSL_SESSION_free(serverpsk);
2251 clientpsk = serverpsk = NULL;
2252
2253 return testresult;
2254}
f0049b86
BK		 2255
2256static int test_extra_tickets(int idx)
2257{
2258 SSL_CTX *sctx = NULL, *cctx = NULL;
2259 SSL *serverssl = NULL, *clientssl = NULL;
2260 BIO *bretry = BIO_new(bio_s_always_retry());
2261 BIO *tmp = NULL;
2262 int testresult = 0;
2263 int stateful = 0;
2264 size_t nbytes;
2265 unsigned char c, buf[1];
2266
2267 new_called = 0;
2268 do_cache = 1;
2269
2270 if (idx >= 3) {
2271 idx -= 3;
2272 stateful = 1;
2273 }
2274
2275 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2276 goto end;
2277 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2278 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2279 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2280
2281 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2282 &clientssl, NULL, NULL)))
2283 goto end;
2284
2285 /*
2286 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2287 * incremented by both client and server.
2288 */
2289 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2290 SSL_ERROR_NONE))
2291 /* Check we got the number of tickets we were expecting */
2292 || !TEST_int_eq(idx * 2, new_called)
2293 || !TEST_true(SSL_new_session_ticket(serverssl))
2294 || !TEST_true(SSL_new_session_ticket(serverssl))
2295 || !TEST_int_eq(idx * 2, new_called))
2296 goto end;
2297
2298 /* Now try a (real) write to actually send the tickets */
2299 c = '1';
2300 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2301 || !TEST_size_t_eq(1, nbytes)
2302 || !TEST_int_eq(idx * 2 + 2, new_called)
2303 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2304 || !TEST_int_eq(idx * 2 + 4, new_called)
2305 || !TEST_int_eq(sizeof(buf), nbytes)
2306 || !TEST_int_eq(c, buf[0])
2307 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2308 goto end;
2309
2310 /* Try with only requesting one new ticket, too */
2311 c = '2';
2312 new_called = 0;
2313 if (!TEST_true(SSL_new_session_ticket(serverssl))
2314 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2315 || !TEST_size_t_eq(sizeof(c), nbytes)
2316 || !TEST_int_eq(1, new_called)
2317 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2318 || !TEST_int_eq(2, new_called)
2319 || !TEST_size_t_eq(sizeof(buf), nbytes)
2320 || !TEST_int_eq(c, buf[0]))
2321 goto end;
2322
2323 /* Do it again but use dummy writes to drive the ticket generation */
2324 c = '3';
2325 new_called = 0;
2326 if (!TEST_true(SSL_new_session_ticket(serverssl))
2327 || !TEST_true(SSL_new_session_ticket(serverssl))
2328 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2329 || !TEST_size_t_eq(0, nbytes)
2330 || !TEST_int_eq(2, new_called)
2331 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2332 || !TEST_int_eq(4, new_called))
2333 goto end;
2334
2335 /*
2336 * Use the always-retry BIO to exercise the logic that forces ticket
2337 * generation to wait until a record boundary.
2338 */
2339 c = '4';
2340 new_called = 0;
2341 tmp = SSL_get_wbio(serverssl);
2342 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2343 tmp = NULL;
2344 goto end;
2345 }
2346 SSL_set0_wbio(serverssl, bretry);
2347 bretry = NULL;
2348 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2349 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2350 || !TEST_size_t_eq(nbytes, 0))
2351 goto end;
2352 /* Restore a BIO that will let the write succeed */
2353 SSL_set0_wbio(serverssl, tmp);
2354 tmp = NULL;
2355 /* These calls should just queue the request and not send anything. */
2356 if (!TEST_true(SSL_new_session_ticket(serverssl))
2357 || !TEST_true(SSL_new_session_ticket(serverssl))
2358 || !TEST_int_eq(0, new_called))
2359 goto end;
2360 /* Re-do the write; still no tickets sent */
2361 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2362 || !TEST_size_t_eq(1, nbytes)
2363 || !TEST_int_eq(0, new_called)
2364 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2365 || !TEST_int_eq(0, new_called)
2366 || !TEST_int_eq(sizeof(buf), nbytes)
2367 || !TEST_int_eq(c, buf[0])
2368 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2369 goto end;
2370 /* Now the *next* write should send the tickets */
2371 c = '5';
2372 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2373 || !TEST_size_t_eq(1, nbytes)
2374 || !TEST_int_eq(2, new_called)
2375 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2376 || !TEST_int_eq(4, new_called)
2377 || !TEST_int_eq(sizeof(buf), nbytes)
2378 || !TEST_int_eq(c, buf[0])
2379 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2380 goto end;
2381
2382 SSL_shutdown(clientssl);
2383 SSL_shutdown(serverssl);
2384 testresult = 1;
2385
2386 end:
2387 BIO_free(bretry);
2388 BIO_free(tmp);
2389 SSL_free(serverssl);
2390 SSL_free(clientssl);
2391 SSL_CTX_free(sctx);
2392 SSL_CTX_free(cctx);
2393 clientssl = serverssl = NULL;
2394 sctx = cctx = NULL;
2395 return testresult;
2396}
04225915 2397#endif
36ff232c 2398
7d4488bb
MC		 2399#define USE_NULL 0
2400#define USE_BIO_1 1
2401#define USE_BIO_2 2
2402#define USE_DEFAULT 3
2403
2404#define CONNTYPE_CONNECTION_SUCCESS 0
2405#define CONNTYPE_CONNECTION_FAIL 1
2406#define CONNTYPE_NO_CONNECTION 2
2407
2408#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2409#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2410#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2411# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2412#else
2413# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2414#endif
2415
7d4488bb
MC		 2416#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2417 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2418 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
7fb4c820
MC		 2419
2420static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2421{
2422 switch (type) {
2423 case USE_NULL:
2424 *res = NULL;
2425 break;
2426 case USE_BIO_1:
2427 *res = bio1;
2428 break;
2429 case USE_BIO_2:
2430 *res = bio2;
2431 break;
2432 }
2433}
2434
7d4488bb
MC		 2435
2436/*
2437 * Tests calls to SSL_set_bio() under various conditions.
2438 *
2439 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2440 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2441 * then do more tests where we create a successful connection first using our
2442 * standard connection setup functions, and then call SSL_set_bio() with
2443 * various combinations of valid BIOs or NULL. We then repeat these tests
2444 * following a failed connection. In this last case we are looking to check that
2445 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2446 */
7fb4c820
MC		 2447static int test_ssl_set_bio(int idx)
2448{
7d4488bb 2449 SSL_CTX *sctx = NULL, *cctx = NULL;
7fb4c820
MC		 2450 BIO *bio1 = NULL;
2451 BIO *bio2 = NULL;
0fae8150 2452 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7d4488bb
MC		 2453 SSL *serverssl = NULL, *clientssl = NULL;
2454 int initrbio, initwbio, newrbio, newwbio, conntype;
7fb4c820
MC		 2455 int testresult = 0;
2456
7d4488bb
MC		 2457 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2458 initrbio = idx % 3;
2459 idx /= 3;
2460 initwbio = idx % 3;
2461 idx /= 3;
2462 newrbio = idx % 3;
2463 idx /= 3;
2464 newwbio = idx % 3;
2465 conntype = CONNTYPE_NO_CONNECTION;
2466 } else {
2467 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2468 initrbio = initwbio = USE_DEFAULT;
2469 newrbio = idx % 2;
2470 idx /= 2;
2471 newwbio = idx % 2;
2472 idx /= 2;
2473 conntype = idx % 2;
2474 }
710756a9 2475
5e30f2fd
MC		 2476 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2477 TLS_client_method(), TLS1_VERSION, 0,
7d4488bb
MC		 2478 &sctx, &cctx, cert, privkey)))
2479 goto end;
2480
2481 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2482 /*
2483 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2484 * because we reduced the number of tests in the definition of
2485 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2486 * mismatched protocol versions we will force a connection failure.
2487 */
2488 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2489 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2490 }
2491
2492 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2493 NULL, NULL)))
710756a9 2494 goto end;
7fb4c820 2495
710756a9
RS		 2496 if (initrbio == USE_BIO_1
2497 || initwbio == USE_BIO_1
2498 || newrbio == USE_BIO_1
7fb4c820 2499 || newwbio == USE_BIO_1) {
710756a9 2500 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 2501 goto end;
7fb4c820
MC		 2502 }
2503
710756a9
RS		 2504 if (initrbio == USE_BIO_2
2505 || initwbio == USE_BIO_2
2506 || newrbio == USE_BIO_2
7fb4c820 2507 || newwbio == USE_BIO_2) {
710756a9 2508 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 2509 goto end;
7fb4c820
MC		 2510 }
2511
7d4488bb
MC		 2512 if (initrbio != USE_DEFAULT) {
2513 setupbio(&irbio, bio1, bio2, initrbio);
2514 setupbio(&iwbio, bio1, bio2, initwbio);
2515 SSL_set_bio(clientssl, irbio, iwbio);
7fb4c820 2516
7d4488bb
MC		 2517 /*
2518 * We want to maintain our own refs to these BIO, so do an up ref for
2519 * each BIO that will have ownership transferred in the SSL_set_bio()
2520 * call
2521 */
2522 if (irbio != NULL)
2523 BIO_up_ref(irbio);
2524 if (iwbio != NULL && iwbio != irbio)
2525 BIO_up_ref(iwbio);
2526 }
7fb4c820 2527
7d4488bb
MC		 2528 if (conntype != CONNTYPE_NO_CONNECTION
2529 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2530 SSL_ERROR_NONE)
2531 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2532 goto end;
7fb4c820
MC		 2533
2534 setupbio(&nrbio, bio1, bio2, newrbio);
2535 setupbio(&nwbio, bio1, bio2, newwbio);
2536
2537 /*
2538 * We will (maybe) transfer ownership again so do more up refs.
2539 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2540 * already been set!
2541 */
710756a9
RS		 2542 if (nrbio != NULL
2543 && nrbio != irbio
2544 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 2545 BIO_up_ref(nrbio);
710756a9
RS		 2546 if (nwbio != NULL
2547 && nwbio != nrbio
2548 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 2549 BIO_up_ref(nwbio);
2550
7d4488bb 2551 SSL_set_bio(clientssl, nrbio, nwbio);
7fb4c820
MC		 2552
2553 testresult = 1;
2554
2555 end:
7fb4c820
MC		 2556 BIO_free(bio1);
2557 BIO_free(bio2);
710756a9 2558
7fb4c820
MC		 2559 /*
2560 * This test is checking that the ref counting for SSL_set_bio is correct.
2561 * If we get here and we did too many frees then we will fail in the above
742ccab3 2562 * functions.
7fb4c820 2563 */
7d4488bb
MC		 2564 SSL_free(serverssl);
2565 SSL_free(clientssl);
2566 SSL_CTX_free(sctx);
2567 SSL_CTX_free(cctx);
7fb4c820
MC		 2568 return testresult;
2569}
2570
7e885b7b 2571typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 2572
7e885b7b 2573static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 2574{
2575 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 2576 SSL_CTX *ctx;
9a716987
MC		 2577 SSL *ssl = NULL;
2578 int testresult = 0;
2579
d8652be0 2580 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
710756a9
RS		 2581 || !TEST_ptr(ssl = SSL_new(ctx))
2582 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2583 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 2584 goto end;
9a716987
MC		 2585
2586 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2587
2588 /*
742ccab3 2589 * If anything goes wrong here then we could leak memory.
9a716987
MC		 2590 */
2591 BIO_push(sslbio, membio1);
2592
69687aa8 2593 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 2594 if (change_bio != NO_BIO_CHANGE) {
710756a9 2595 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
9a716987 2596 goto end;
7e885b7b 2597 if (change_bio == CHANGE_RBIO)
65e2d672 2598 SSL_set0_rbio(ssl, membio2);
9a716987 2599 else
65e2d672 2600 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 2601 }
2602 ssl = NULL;
2603
7e885b7b 2604 if (pop_ssl)
9a716987
MC		 2605 BIO_pop(sslbio);
2606 else
2607 BIO_pop(membio1);
2608
2609 testresult = 1;
2610 end:
2611 BIO_free(membio1);
2612 BIO_free(sslbio);
2613 SSL_free(ssl);
2614 SSL_CTX_free(ctx);
2615
2616 return testresult;
2617}
2618
2619static int test_ssl_bio_pop_next_bio(void)
2620{
7e885b7b 2621 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 2622}
2623
2624static int test_ssl_bio_pop_ssl_bio(void)
2625{
7e885b7b 2626 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 2627}
2628
2629static int test_ssl_bio_change_rbio(void)
2630{
7e885b7b 2631 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 2632}
2633
2634static int test_ssl_bio_change_wbio(void)
2635{
7e885b7b 2636 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 2637}
2638
c423ecaa 2639#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae
MC		 2640typedef struct {
2641 /* The list of sig algs */
2642 const int *list;
2643 /* The length of the list */
2644 size_t listlen;
2645 /* A sigalgs list in string format */
2646 const char *liststr;
2647 /* Whether setting the list should succeed */
2648 int valid;
2649 /* Whether creating a connection with the list should succeed */
2650 int connsuccess;
2651} sigalgs_list;
2652
2653static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 2654# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2655static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2656static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 2657# endif
f1b25aae
MC		 2658static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2659static const int invalidlist2[] = {NID_sha256, NID_undef};
2660static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2661static const int invalidlist4[] = {NID_sha256};
2662static const sigalgs_list testsigalgs[] = {
2663 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 2664# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2665 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2666 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 2667# endif
f1b25aae 2668 {NULL, 0, "RSA+SHA256", 1, 1},
c423ecaa 2669# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2670 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2671 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 2672# endif
f1b25aae
MC		 2673 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2674 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2675 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2676 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2677 {NULL, 0, "RSA", 0, 0},
2678 {NULL, 0, "SHA256", 0, 0},
2679 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 2680 {NULL, 0, "Invalid", 0, 0}
2681};
f1b25aae
MC		 2682
2683static int test_set_sigalgs(int idx)
2684{
2685 SSL_CTX *cctx = NULL, *sctx = NULL;
2686 SSL *clientssl = NULL, *serverssl = NULL;
2687 int testresult = 0;
2688 const sigalgs_list *curr;
2689 int testctx;
2690
2691 /* Should never happen */
710756a9 2692 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 2693 return 0;
2694
2695 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2696 curr = testctx ? &testsigalgs[idx]
2697 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2698
5e30f2fd
MC		 2699 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2700 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 2701 &sctx, &cctx, cert, privkey)))
f1b25aae 2702 return 0;
f1b25aae 2703
d2e491f2
MC		 2704 /*
2705 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2706 * for TLSv1.2 for now until we add a new API.
2707 */
2708 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2709
f1b25aae
MC		 2710 if (testctx) {
2711 int ret;
710756a9 2712
f1b25aae
MC		 2713 if (curr->list != NULL)
2714 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2715 else
2716 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2717
2718 if (!ret) {
2719 if (curr->valid)
710756a9 2720 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 2721 else
2722 testresult = 1;
2723 goto end;
2724 }
2725 if (!curr->valid) {
710756a9 2726 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 2727 goto end;
2728 }
2729 }
2730
710756a9
RS		 2731 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2732 &clientssl, NULL, NULL)))
f1b25aae 2733 goto end;
f1b25aae
MC		 2734
2735 if (!testctx) {
2736 int ret;
2737
2738 if (curr->list != NULL)
2739 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2740 else
2741 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2742 if (!ret) {
2743 if (curr->valid)
710756a9 2744 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 2745 else
2746 testresult = 1;
2747 goto end;
2748 }
710756a9 2749 if (!curr->valid)
f1b25aae 2750 goto end;
f1b25aae
MC		 2751 }
2752
710756a9
RS		 2753 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2754 SSL_ERROR_NONE),
2755 curr->connsuccess))
f1b25aae 2756 goto end;
f1b25aae
MC		 2757
2758 testresult = 1;
2759
2760 end:
2761 SSL_free(serverssl);
2762 SSL_free(clientssl);
2763 SSL_CTX_free(sctx);
2764 SSL_CTX_free(cctx);
2765
2766 return testresult;
2767}
c423ecaa 2768#endif
f1b25aae 2769
fff202e5 2770#ifndef OPENSSL_NO_TLS1_3
532f9578
MC		 2771static int psk_client_cb_cnt = 0;
2772static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 2773
2774static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2775 size_t *idlen, SSL_SESSION **sess)
2776{
2777 switch (++use_session_cb_cnt) {
2778 case 1:
2779 /* The first call should always have a NULL md */
2780 if (md != NULL)
2781 return 0;
2782 break;
2783
2784 case 2:
2785 /* The second call should always have an md */
2786 if (md == NULL)
2787 return 0;
2788 break;
2789
2790 default:
2791 /* We should only be called a maximum of twice */
2792 return 0;
2793 }
2794
57dee9bb
MC		 2795 if (clientpsk != NULL)
2796 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 2797
57dee9bb 2798 *sess = clientpsk;
02a3ed5a
MC		 2799 *id = (const unsigned char *)pskid;
2800 *idlen = strlen(pskid);
2801
2802 return 1;
2803}
2804
c2b290c3 2805#ifndef OPENSSL_NO_PSK
532f9578
MC		 2806static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2807 unsigned int max_id_len,
2808 unsigned char *psk,
2809 unsigned int max_psk_len)
2810{
2811 unsigned int psklen = 0;
2812
2813 psk_client_cb_cnt++;
2814
2815 if (strlen(pskid) + 1 > max_id_len)
2816 return 0;
2817
2818 /* We should only ever be called a maximum of twice per connection */
2819 if (psk_client_cb_cnt > 2)
2820 return 0;
2821
2822 if (clientpsk == NULL)
2823 return 0;
2824
2825 /* We'll reuse the PSK we set up for TLSv1.3 */
2826 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2827 return 0;
2828 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2829 strncpy(id, pskid, max_id_len);
2830
2831 return psklen;
2832}
c2b290c3 2833#endif /* OPENSSL_NO_PSK */
532f9578 2834
02a3ed5a
MC		 2835static int find_session_cb(SSL *ssl, const unsigned char *identity,
2836 size_t identity_len, SSL_SESSION **sess)
2837{
2838 find_session_cb_cnt++;
2839
2840 /* We should only ever be called a maximum of twice per connection */
2841 if (find_session_cb_cnt > 2)
2842 return 0;
2843
57dee9bb 2844 if (serverpsk == NULL)
02a3ed5a
MC		 2845 return 0;
2846
2847 /* Identity should match that set by the client */
2848 if (strlen(srvid) != identity_len
2849 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2850 /* No PSK found, continue but without a PSK */
2851 *sess = NULL;
2852 return 1;
2853 }
2854
57dee9bb
MC		 2855 SSL_SESSION_up_ref(serverpsk);
2856 *sess = serverpsk;
02a3ed5a
MC		 2857
2858 return 1;
2859}
2860
c2b290c3 2861#ifndef OPENSSL_NO_PSK
532f9578
MC		 2862static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2863 unsigned char *psk, unsigned int max_psk_len)
2864{
2865 unsigned int psklen = 0;
2866
2867 psk_server_cb_cnt++;
2868
2869 /* We should only ever be called a maximum of twice per connection */
2870 if (find_session_cb_cnt > 2)
2871 return 0;
2872
2873 if (serverpsk == NULL)
2874 return 0;
2875
2876 /* Identity should match that set by the client */
2877 if (strcmp(srvid, identity) != 0) {
2878 return 0;
2879 }
2880
2881 /* We'll reuse the PSK we set up for TLSv1.3 */
2882 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2883 return 0;
2884 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2885
2886 return psklen;
2887}
c2b290c3 2888#endif /* OPENSSL_NO_PSK */
532f9578 2889
5f982038
MC		 2890#define MSG1 "Hello"
2891#define MSG2 "World."
2892#define MSG3 "This"
2893#define MSG4 "is"
2894#define MSG5 "a"
90049cea
MC		 2895#define MSG6 "test"
2896#define MSG7 "message."
5f982038 2897
532f9578 2898#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
0b2b0be9 2899#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2900#define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
2901#define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
2902#define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
02a3ed5a 2903
8614a4eb
MC		 2904
2905static SSL_SESSION *create_a_psk(SSL *ssl)
2906{
2907 const SSL_CIPHER *cipher = NULL;
2908 const unsigned char key[] = {
2909 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2910 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2911 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2912 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2913 0x2c, 0x2d, 0x2e, 0x2f
2914 };
2915 SSL_SESSION *sess = NULL;
2916
2917 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2918 sess = SSL_SESSION_new();
2919 if (!TEST_ptr(sess)
2920 || !TEST_ptr(cipher)
2921 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2922 sizeof(key)))
2923 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2924 || !TEST_true(
2925 SSL_SESSION_set_protocol_version(sess,
2926 TLS1_3_VERSION))) {
2927 SSL_SESSION_free(sess);
2928 return NULL;
2929 }
2930 return sess;
2931}
2932
5f982038
MC		 2933/*
2934 * Helper method to setup objects for early data test. Caller frees objects on
2935 * error.
2936 */
2937static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3cb47b4e 2938 SSL **serverssl, SSL_SESSION **sess, int idx)
5f982038 2939{
5a421415 2940 if (*sctx == NULL
5e30f2fd 2941 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5a421415 2942 TLS_client_method(),
5c587fb6 2943 TLS1_VERSION, 0,
5a421415
MC		 2944 sctx, cctx, cert, privkey)))
2945 return 0;
2946
2947 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 2948 return 0;
5f982038 2949
02a3ed5a
MC		 2950 if (idx == 1) {
2951 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 2952 SSL_CTX_set_read_ahead(*cctx, 1);
2953 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 2954 } else if (idx == 2) {
2955 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2956 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2957 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2958 use_session_cb_cnt = 0;
2959 find_session_cb_cnt = 0;
2960 srvid = pskid;
3cb47b4e
MC		 2961 }
2962
710756a9 2963 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 2964 NULL, NULL)))
2965 return 0;
2966
141e4709
MC		 2967 /*
2968 * For one of the run throughs (doesn't matter which one), we'll try sending
2969 * some SNI data in the initial ClientHello. This will be ignored (because
2970 * there is no SNI cb set up by the server), so it should not impact
2971 * early_data.
2972 */
2973 if (idx == 1
2974 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2975 return 0;
2976
02a3ed5a 2977 if (idx == 2) {
8614a4eb 2978 clientpsk = create_a_psk(*clientssl);
57dee9bb 2979 if (!TEST_ptr(clientpsk)
02a3ed5a
MC		 2980 /*
2981 * We just choose an arbitrary value for max_early_data which
2982 * should be big enough for testing purposes.
2983 */
57dee9bb
MC		 2984 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2985 0x100))
2986 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2987 SSL_SESSION_free(clientpsk);
2988 clientpsk = NULL;
02a3ed5a
MC		 2989 return 0;
2990 }
57dee9bb 2991 serverpsk = clientpsk;
02a3ed5a 2992
c20e3b28
MC		 2993 if (sess != NULL) {
2994 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2995 SSL_SESSION_free(clientpsk);
2996 SSL_SESSION_free(serverpsk);
2997 clientpsk = serverpsk = NULL;
2998 return 0;
2999 }
57dee9bb 3000 *sess = clientpsk;
c20e3b28 3001 }
02a3ed5a
MC		 3002 return 1;
3003 }
3004
3005 if (sess == NULL)
3006 return 1;
3007
3008 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3009 SSL_ERROR_NONE)))
5f982038 3010 return 0;
5f982038
MC		 3011
3012 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 3013 SSL_shutdown(*clientssl);
3014 SSL_shutdown(*serverssl);
5f982038
MC		 3015 SSL_free(*serverssl);
3016 SSL_free(*clientssl);
3017 *serverssl = *clientssl = NULL;
3018
710756a9
RS		 3019 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3020 clientssl, NULL, NULL))
3021 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 3022 return 0;
5f982038
MC		 3023
3024 return 1;
3025}
3026
3cb47b4e 3027static int test_early_data_read_write(int idx)
5f982038
MC		 3028{
3029 SSL_CTX *cctx = NULL, *sctx = NULL;
3030 SSL *clientssl = NULL, *serverssl = NULL;
3031 int testresult = 0;
3032 SSL_SESSION *sess = NULL;
9b5c865d
MC		 3033 unsigned char buf[20], data[1024];
3034 size_t readbytes, written, eoedlen, rawread, rawwritten;
3035 BIO *rbio;
5f982038 3036
710756a9
RS		 3037 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3038 &serverssl, &sess, idx)))
5f982038
MC		 3039 goto end;
3040
3041 /* Write and read some early data */
710756a9
RS		 3042 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3043 &written))
3044 || !TEST_size_t_eq(written, strlen(MSG1))
3045 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3046 sizeof(buf), &readbytes),
3047 SSL_READ_EARLY_DATA_SUCCESS)
3048 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3049 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3050 SSL_EARLY_DATA_ACCEPTED))
5f982038 3051 goto end;
5f982038
MC		 3052
3053 /*
09f28874 3054 * Server should be able to write data, and client should be able to
5f982038
MC		 3055 * read it.
3056 */
710756a9
RS		 3057 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3058 &written))
3059 || !TEST_size_t_eq(written, strlen(MSG2))
3060 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3061 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3062 goto end;
5f982038
MC		 3063
3064 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 3065 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3066 &written))
3067 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 3068 goto end;
5f982038 3069
09f28874 3070 /* Server should still be able read early data after writing data */
710756a9
RS		 3071 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3072 &readbytes),
3073 SSL_READ_EARLY_DATA_SUCCESS)
3074 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 3075 goto end;
5f982038 3076
09f28874 3077 /* Write more data from server and read it from client */
710756a9
RS		 3078 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3079 &written))
3080 || !TEST_size_t_eq(written, strlen(MSG4))
3081 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3082 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 3083 goto end;
5f982038
MC		 3084
3085 /*
3086 * If client writes normal data it should mean writing early data is no
3087 * longer possible.
3088 */
710756a9
RS		 3089 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3090 || !TEST_size_t_eq(written, strlen(MSG5))
3091 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3092 SSL_EARLY_DATA_ACCEPTED))
5f982038 3093 goto end;
5f982038 3094
9b5c865d
MC		 3095 /*
3096 * At this point the client has written EndOfEarlyData, ClientFinished and
3097 * normal (fully protected) data. We are going to cause a delay between the
3098 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3099 * in the read BIO, and then just put back the EndOfEarlyData message.
3100 */
3101 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 3102 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3103 || !TEST_size_t_lt(rawread, sizeof(data))
3104 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 3105 goto end;
710756a9 3106
9b5c865d
MC		 3107 /* Record length is in the 4th and 5th bytes of the record header */
3108 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 3109 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3110 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 3111 goto end;
9b5c865d 3112
5f982038 3113 /* Server should be told that there is no more early data */
710756a9
RS		 3114 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3115 &readbytes),
3116 SSL_READ_EARLY_DATA_FINISH)
3117 || !TEST_size_t_eq(readbytes, 0))
5f982038 3118 goto end;
5f982038 3119
9b5c865d
MC		 3120 /*
3121 * Server has not finished init yet, so should still be able to write early
3122 * data.
3123 */
710756a9
RS		 3124 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3125 &written))
3126 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 3127 goto end;
9b5c865d 3128
f8a303fa 3129 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 3130 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3131 &rawwritten))
3132 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 3133 goto end;
f8a303fa 3134
5f982038 3135 /* Server should be able to read normal data */
710756a9
RS		 3136 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3137 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3138 goto end;
5f982038 3139
09f28874 3140 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3141 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3142 &written)))
5f982038 3143 goto end;
5f982038 3144 ERR_clear_error();
710756a9
RS		 3145 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3146 &readbytes),
3147 SSL_READ_EARLY_DATA_ERROR))
5f982038 3148 goto end;
5f982038
MC		 3149 ERR_clear_error();
3150
9b5c865d 3151 /* Client should be able to read the data sent by the server */
710756a9
RS		 3152 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3153 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 3154 goto end;
710756a9 3155
f8a303fa 3156 /*
36ff232c
MC		 3157 * Make sure we process the two NewSessionTickets. These arrive
3158 * post-handshake. We attempt reads which we do not expect to return any
3159 * data.
f8a303fa 3160 */
36ff232c
MC		 3161 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3162 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3163 &readbytes)))
f8a303fa 3164 goto end;
5f982038 3165
90049cea 3166 /* Server should be able to write normal data */
710756a9
RS		 3167 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3168 || !TEST_size_t_eq(written, strlen(MSG7))
3169 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3170 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 3171 goto end;
90049cea 3172
c20e3b28 3173 SSL_SESSION_free(sess);
5f982038 3174 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 3175 use_session_cb_cnt = 0;
3176 find_session_cb_cnt = 0;
5f982038
MC		 3177
3178 SSL_shutdown(clientssl);
3179 SSL_shutdown(serverssl);
5f982038
MC		 3180 SSL_free(serverssl);
3181 SSL_free(clientssl);
3182 serverssl = clientssl = NULL;
710756a9
RS		 3183 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3184 &clientssl, NULL, NULL))
3185 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 3186 goto end;
5f982038
MC		 3187
3188 /* Write and read some early data */
710756a9
RS		 3189 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3190 &written))
3191 || !TEST_size_t_eq(written, strlen(MSG1))
3192 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3193 &readbytes),
3194 SSL_READ_EARLY_DATA_SUCCESS)
3195 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 3196 goto end;
5f982038 3197
710756a9
RS		 3198 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3199 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 3200 goto end;
5f982038 3201
09f28874 3202 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3203 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3204 &written)))
5f982038 3205 goto end;
5f982038 3206 ERR_clear_error();
710756a9
RS		 3207 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3208 &readbytes),
3209 SSL_READ_EARLY_DATA_ERROR))
5f982038 3210 goto end;
5f982038
MC		 3211 ERR_clear_error();
3212
3213 /* Client and server should be able to write/read normal data */
710756a9
RS		 3214 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3215 || !TEST_size_t_eq(written, strlen(MSG5))
3216 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3217 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3218 goto end;
5f982038
MC		 3219
3220 testresult = 1;
3221
3222 end:
c20e3b28 3223 SSL_SESSION_free(sess);
57dee9bb
MC		 3224 SSL_SESSION_free(clientpsk);
3225 SSL_SESSION_free(serverpsk);
3226 clientpsk = serverpsk = NULL;
5f982038
MC		 3227 SSL_free(serverssl);
3228 SSL_free(clientssl);
3229 SSL_CTX_free(sctx);
3230 SSL_CTX_free(cctx);
5f982038
MC		 3231 return testresult;
3232}
3233
5a421415
MC		 3234static int allow_ed_cb_called = 0;
3235
3236static int allow_early_data_cb(SSL *s, void *arg)
3237{
3238 int *usecb = (int *)arg;
3239
3240 allow_ed_cb_called++;
3241
3242 if (*usecb == 1)
3243 return 0;
3244
3245 return 1;
3246}
3247
3248/*
3249 * idx == 0: Standard early_data setup
3250 * idx == 1: early_data setup using read_ahead
3251 * usecb == 0: Don't use a custom early data callback
3252 * usecb == 1: Use a custom early data callback and reject the early data
3253 * usecb == 2: Use a custom early data callback and accept the early data
3bb5e5b0
MC		 3254 * confopt == 0: Configure anti-replay directly
3255 * confopt == 1: Configure anti-replay using SSL_CONF
5a421415 3256 */
3bb5e5b0 3257static int test_early_data_replay_int(int idx, int usecb, int confopt)
78fb5374
MC		 3258{
3259 SSL_CTX *cctx = NULL, *sctx = NULL;
3260 SSL *clientssl = NULL, *serverssl = NULL;
3261 int testresult = 0;
3262 SSL_SESSION *sess = NULL;
5a421415
MC		 3263 size_t readbytes, written;
3264 unsigned char buf[20];
3265
3266 allow_ed_cb_called = 0;
3267
5e30f2fd
MC		 3268 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3269 TLS_client_method(), TLS1_VERSION, 0,
3270 &sctx, &cctx, cert, privkey)))
5a421415
MC		 3271 return 0;
3272
3273 if (usecb > 0) {
3bb5e5b0
MC		 3274 if (confopt == 0) {
3275 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3276 } else {
3277 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3278
3279 if (!TEST_ptr(confctx))
3280 goto end;
3281 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3282 | SSL_CONF_FLAG_SERVER);
3283 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3284 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3285 2)) {
3286 SSL_CONF_CTX_free(confctx);
3287 goto end;
3288 }
3289 SSL_CONF_CTX_free(confctx);
3290 }
5a421415
MC		 3291 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3292 }
78fb5374
MC		 3293
3294 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3295 &serverssl, &sess, idx)))
3296 goto end;
3297
3298 /*
3299 * The server is configured to accept early data. Create a connection to
3300 * "use up" the ticket
3301 */
3302 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3303 || !TEST_true(SSL_session_reused(clientssl)))
3304 goto end;
3305
3306 SSL_shutdown(clientssl);
3307 SSL_shutdown(serverssl);
3308 SSL_free(serverssl);
3309 SSL_free(clientssl);
3310 serverssl = clientssl = NULL;
3311
3312 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3313 &clientssl, NULL, NULL))
5a421415
MC		 3314 || !TEST_true(SSL_set_session(clientssl, sess)))
3315 goto end;
3316
3317 /* Write and read some early data */
3318 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3319 &written))
3320 || !TEST_size_t_eq(written, strlen(MSG1)))
3321 goto end;
3322
3323 if (usecb <= 1) {
3324 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3325 &readbytes),
3326 SSL_READ_EARLY_DATA_FINISH)
3327 /*
3328 * The ticket was reused, so the we should have rejected the
3329 * early data
3330 */
3331 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3332 SSL_EARLY_DATA_REJECTED))
3333 goto end;
3334 } else {
3335 /* In this case the callback decides to accept the early data */
3336 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3337 &readbytes),
3338 SSL_READ_EARLY_DATA_SUCCESS)
3339 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3340 /*
3341 * Server will have sent its flight so client can now send
3342 * end of early data and complete its half of the handshake
3343 */
3344 || !TEST_int_gt(SSL_connect(clientssl), 0)
3345 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3346 &readbytes),
3347 SSL_READ_EARLY_DATA_FINISH)
3348 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3349 SSL_EARLY_DATA_ACCEPTED))
3350 goto end;
3351 }
3352
3353 /* Complete the connection */
3354 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3355 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3356 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
78fb5374
MC		 3357 goto end;
3358
3359 testresult = 1;
3360
3361 end:
c20e3b28 3362 SSL_SESSION_free(sess);
78fb5374
MC		 3363 SSL_SESSION_free(clientpsk);
3364 SSL_SESSION_free(serverpsk);
3365 clientpsk = serverpsk = NULL;
3366 SSL_free(serverssl);
3367 SSL_free(clientssl);
3368 SSL_CTX_free(sctx);
3369 SSL_CTX_free(cctx);
3370 return testresult;
3371}
3372
5a421415
MC		 3373static int test_early_data_replay(int idx)
3374{
3bb5e5b0 3375 int ret = 1, usecb, confopt;
5a421415 3376
3bb5e5b0
MC		 3377 for (usecb = 0; usecb < 3; usecb++) {
3378 for (confopt = 0; confopt < 2; confopt++)
3379 ret &= test_early_data_replay_int(idx, usecb, confopt);
3380 }
5a421415
MC		 3381
3382 return ret;
3383}
3384
710756a9 3385/*
6b84e6bf
MC		 3386 * Helper function to test that a server attempting to read early data can
3387 * handle a connection from a client where the early data should be skipped.
0d1b7789
MC		 3388 * testtype: 0 == No HRR
3389 * testtype: 1 == HRR
0efa0ba4
MC		 3390 * testtype: 2 == HRR, invalid early_data sent after HRR
3391 * testtype: 3 == recv_max_early_data set to 0
710756a9 3392 */
0d1b7789 3393static int early_data_skip_helper(int testtype, int idx)
5f982038
MC		 3394{
3395 SSL_CTX *cctx = NULL, *sctx = NULL;
3396 SSL *clientssl = NULL, *serverssl = NULL;
3397 int testresult = 0;
018fcbec 3398 SSL_SESSION *sess = NULL;
5f982038
MC		 3399 unsigned char buf[20];
3400 size_t readbytes, written;
3401
710756a9
RS		 3402 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3403 &serverssl, &sess, idx)))
5f982038
MC		 3404 goto end;
3405
0efa0ba4 3406 if (testtype == 1 || testtype == 2) {
6b84e6bf 3407 /* Force an HRR to occur */
dbc6268f
MC		 3408#if defined(OPENSSL_NO_EC)
3409 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3410 goto end;
3411#else
6b84e6bf
MC		 3412 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3413 goto end;
dbc6268f 3414#endif
02a3ed5a
MC		 3415 } else if (idx == 2) {
3416 /*
3417 * We force early_data rejection by ensuring the PSK identity is
3418 * unrecognised
3419 */
3420 srvid = "Dummy Identity";
6b84e6bf
MC		 3421 } else {
3422 /*
3423 * Deliberately corrupt the creation time. We take 20 seconds off the
3424 * time. It could be any value as long as it is not within tolerance.
3425 * This should mean the ticket is rejected.
3426 */
5d99881e 3427 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 3428 goto end;
3429 }
5f982038 3430
0efa0ba4 3431 if (testtype == 3
0d1b7789
MC		 3432 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3433 goto end;
3434
5f982038 3435 /* Write some early data */
710756a9
RS		 3436 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3437 &written))
3438 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 3439 goto end;
5f982038 3440
0d1b7789 3441 /* Server should reject the early data */
710756a9
RS		 3442 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3443 &readbytes),
3444 SSL_READ_EARLY_DATA_FINISH)
3445 || !TEST_size_t_eq(readbytes, 0)
3446 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3447 SSL_EARLY_DATA_REJECTED))
5f982038 3448 goto end;
5f982038 3449
0efa0ba4
MC		 3450 switch (testtype) {
3451 case 0:
3452 /* Nothing to do */
3453 break;
3454
3455 case 1:
6b84e6bf
MC		 3456 /*
3457 * Finish off the handshake. We perform the same writes and reads as
3458 * further down but we expect them to fail due to the incomplete
3459 * handshake.
3460 */
3461 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3462 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3463 &readbytes)))
3464 goto end;
0efa0ba4
MC		 3465 break;
3466
3467 case 2:
3468 {
3469 BIO *wbio = SSL_get_wbio(clientssl);
3470 /* A record that will appear as bad early_data */
3471 const unsigned char bad_early_data[] = {
3472 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3473 };
3474
3475 /*
3476 * We force the client to attempt a write. This will fail because
3477 * we're still in the handshake. It will cause the second
3478 * ClientHello to be sent.
3479 */
3480 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3481 &written)))
3482 goto end;
3483
3484 /*
3485 * Inject some early_data after the second ClientHello. This should
3486 * cause the server to fail
3487 */
3488 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3489 sizeof(bad_early_data), &written)))
3490 goto end;
3491 }
3492 /* fallthrough */
3493
3494 case 3:
0d1b7789 3495 /*
0efa0ba4
MC		 3496 * This client has sent more early_data than we are willing to skip
3497 * (case 3) or sent invalid early_data (case 2) so the connection should
3498 * abort.
0d1b7789
MC		 3499 */
3500 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3501 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3502 goto end;
3503
3504 /* Connection has failed - nothing more to do */
3505 testresult = 1;
3506 goto end;
0efa0ba4
MC		 3507
3508 default:
3509 TEST_error("Invalid test type");
3510 goto end;
6b84e6bf
MC		 3511 }
3512
0d1b7789
MC		 3513 /*
3514 * Should be able to send normal data despite rejection of early data. The
3515 * early_data should be skipped.
3516 */
710756a9
RS		 3517 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3518 || !TEST_size_t_eq(written, strlen(MSG2))
3519 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3520 SSL_EARLY_DATA_REJECTED)
3521 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3522 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3523 goto end;
5f982038
MC		 3524
3525 testresult = 1;
3526
3527 end:
c20e3b28 3528 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3529 SSL_SESSION_free(serverpsk);
3530 clientpsk = serverpsk = NULL;
5f982038
MC		 3531 SSL_SESSION_free(sess);
3532 SSL_free(serverssl);
3533 SSL_free(clientssl);
3534 SSL_CTX_free(sctx);
3535 SSL_CTX_free(cctx);
5f982038
MC		 3536 return testresult;
3537}
3538
6b84e6bf
MC		 3539/*
3540 * Test that a server attempting to read early data can handle a connection
3541 * from a client where the early data is not acceptable.
3542 */
3543static int test_early_data_skip(int idx)
3544{
3545 return early_data_skip_helper(0, idx);
3546}
3547
3548/*
3549 * Test that a server attempting to read early data can handle a connection
3550 * from a client where an HRR occurs.
3551 */
3552static int test_early_data_skip_hrr(int idx)
3553{
3554 return early_data_skip_helper(1, idx);
3555}
3556
0efa0ba4
MC		 3557/*
3558 * Test that a server attempting to read early data can handle a connection
3559 * from a client where an HRR occurs and correctly fails if early_data is sent
3560 * after the HRR
3561 */
3562static int test_early_data_skip_hrr_fail(int idx)
3563{
3564 return early_data_skip_helper(2, idx);
3565}
3566
0d1b7789
MC		 3567/*
3568 * Test that a server attempting to read early data will abort if it tries to
3569 * skip over too much.
3570 */
3571static int test_early_data_skip_abort(int idx)
3572{
0efa0ba4 3573 return early_data_skip_helper(3, idx);
0d1b7789
MC		 3574}
3575
710756a9
RS		 3576/*
3577 * Test that a server attempting to read early data can handle a connection
3578 * from a client that doesn't send any.
3579 */
3cb47b4e 3580static int test_early_data_not_sent(int idx)
5f982038
MC		 3581{
3582 SSL_CTX *cctx = NULL, *sctx = NULL;
3583 SSL *clientssl = NULL, *serverssl = NULL;
3584 int testresult = 0;
018fcbec 3585 SSL_SESSION *sess = NULL;
5f982038
MC		 3586 unsigned char buf[20];
3587 size_t readbytes, written;
3588
710756a9
RS		 3589 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3590 &serverssl, &sess, idx)))
5f982038
MC		 3591 goto end;
3592
3593 /* Write some data - should block due to handshake with server */
3594 SSL_set_connect_state(clientssl);
710756a9 3595 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 3596 goto end;
5f982038
MC		 3597
3598 /* Server should detect that early data has not been sent */
710756a9
RS		 3599 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3600 &readbytes),
3601 SSL_READ_EARLY_DATA_FINISH)
3602 || !TEST_size_t_eq(readbytes, 0)
3603 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3604 SSL_EARLY_DATA_NOT_SENT)
3605 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3606 SSL_EARLY_DATA_NOT_SENT))
5f982038 3607 goto end;
5f982038
MC		 3608
3609 /* Continue writing the message we started earlier */
710756a9
RS		 3610 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3611 || !TEST_size_t_eq(written, strlen(MSG1))
3612 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3613 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3614 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3615 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 3616 goto end;
5f982038 3617
710756a9
RS		 3618 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3619 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3620 goto end;
5f982038
MC		 3621
3622 testresult = 1;
3623
3624 end:
5f982038 3625 SSL_SESSION_free(sess);
c20e3b28 3626 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3627 SSL_SESSION_free(serverpsk);
3628 clientpsk = serverpsk = NULL;
5f982038
MC		 3629 SSL_free(serverssl);
3630 SSL_free(clientssl);
3631 SSL_CTX_free(sctx);
3632 SSL_CTX_free(cctx);
5f982038
MC		 3633 return testresult;
3634}
3635
976e5323
MC		 3636static const char *servalpn;
3637
c7558d5b
PY		 3638static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3639 unsigned char *outlen, const unsigned char *in,
3640 unsigned int inlen, void *arg)
976e5323 3641{
c7558d5b 3642 unsigned int protlen = 0;
976e5323
MC		 3643 const unsigned char *prot;
3644
c7558d5b
PY		 3645 for (prot = in; prot < in + inlen; prot += protlen) {
3646 protlen = *prot++;
5d99881e 3647 if (in + inlen < prot + protlen)
976e5323
MC		 3648 return SSL_TLSEXT_ERR_NOACK;
3649
3650 if (protlen == strlen(servalpn)
0bd42fde 3651 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 3652 *out = prot;
3653 *outlen = protlen;
3654 return SSL_TLSEXT_ERR_OK;
3655 }
3656 }
3657
3658 return SSL_TLSEXT_ERR_NOACK;
3659}
3660
57dee9bb 3661/* Test that a PSK can be used to send early_data */
976e5323
MC		 3662static int test_early_data_psk(int idx)
3663{
3664 SSL_CTX *cctx = NULL, *sctx = NULL;
3665 SSL *clientssl = NULL, *serverssl = NULL;
3666 int testresult = 0;
3667 SSL_SESSION *sess = NULL;
57dee9bb
MC		 3668 unsigned char alpnlist[] = {
3669 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3670 'l', 'p', 'n'
3671 };
3672#define GOODALPNLEN 9
3673#define BADALPNLEN 8
3674#define GOODALPN (alpnlist)
3675#define BADALPN (alpnlist + GOODALPNLEN)
3676 int err = 0;
976e5323
MC		 3677 unsigned char buf[20];
3678 size_t readbytes, written;
57dee9bb 3679 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 3680 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3681
3682 /* We always set this up with a final parameter of "2" for PSK */
3683 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3684 &serverssl, &sess, 2)))
3685 goto end;
3686
976e5323
MC		 3687 servalpn = "goodalpn";
3688
57dee9bb
MC		 3689 /*
3690 * Note: There is no test for inconsistent SNI with late client detection.
3691 * This is because servers do not acknowledge SNI even if they are using
3692 * it in a resumption handshake - so it is not actually possible for a
3693 * client to detect a problem.
3694 */
976e5323
MC		 3695 switch (idx) {
3696 case 0:
57dee9bb 3697 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 3698 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3699 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3700 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3701 goto end;
3702 break;
3703
3704 case 1:
57dee9bb 3705 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 3706 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3707 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 3708 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3709 GOODALPNLEN))
3710 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3711 BADALPNLEN)))
976e5323
MC		 3712 goto end;
3713 break;
3714
3715 case 2:
3716 /*
3717 * Set invalid protocol version. Technically this affects PSKs without
3718 * early_data too, but we test it here because it is similar to the
3719 * SNI/ALPN consistency tests.
3720 */
3721 err = SSL_R_BAD_PSK;
3722 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3723 goto end;
3724 break;
3725
3726 case 3:
3727 /*
49ef3d07
MC		 3728 * Set inconsistent SNI (server side). In this case the connection
3729 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3730 * is associated with each handshake - not the session. Therefore it
3731 * should not matter that we used a different server name last time.
976e5323 3732 */
281bf233
MC		 3733 SSL_SESSION_free(serverpsk);
3734 serverpsk = SSL_SESSION_dup(clientpsk);
3735 if (!TEST_ptr(serverpsk)
3736 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3737 goto end;
976e5323
MC		 3738 /* Fall through */
3739 case 4:
3740 /* Set consistent SNI */
976e5323
MC		 3741 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3742 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3743 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3744 hostname_cb)))
3745 goto end;
3746 break;
3747
3748 case 5:
3749 /*
3750 * Set inconsistent ALPN (server detected). In this case the connection
3751 * will succeed but reject early_data.
3752 */
3753 servalpn = "badalpn";
3754 edstatus = SSL_EARLY_DATA_REJECTED;
3755 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3756 /* Fall through */
3757 case 6:
976e5323 3758 /*
57dee9bb 3759 * Set consistent ALPN.
976e5323
MC		 3760 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3761 * accepts a list of protos (each one length prefixed).
3762 * SSL_set1_alpn_selected accepts a single protocol (not length
3763 * prefixed)
3764 */
57dee9bb
MC		 3765 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3766 GOODALPNLEN - 1))
3767 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3768 GOODALPNLEN)))
976e5323
MC		 3769 goto end;
3770
3771 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3772 break;
3773
57dee9bb
MC		 3774 case 7:
3775 /* Set inconsistent ALPN (late client detection) */
3776 SSL_SESSION_free(serverpsk);
3777 serverpsk = SSL_SESSION_dup(clientpsk);
3778 if (!TEST_ptr(serverpsk)
3779 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3780 BADALPN + 1,
3781 BADALPNLEN - 1))
3782 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3783 GOODALPN + 1,
3784 GOODALPNLEN - 1))
3785 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3786 sizeof(alpnlist))))
3787 goto end;
3788 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3789 edstatus = SSL_EARLY_DATA_ACCEPTED;
3790 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3791 /* SSL_connect() call should fail */
3792 connectres = -1;
3793 break;
3794
976e5323
MC		 3795 default:
3796 TEST_error("Bad test index");
3797 goto end;
3798 }
3799
3800 SSL_set_connect_state(clientssl);
3801 if (err != 0) {
3802 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3803 &written))
3804 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3805 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3806 goto end;
3807 } else {
3808 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 3809 &written)))
3810 goto end;
3811
3812 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3813 &readbytes), readearlyres)
976e5323
MC		 3814 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3815 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 3816 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3817 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 3818 goto end;
3819 }
3820
3821 testresult = 1;
3822
3823 end:
c20e3b28 3824 SSL_SESSION_free(sess);
57dee9bb
MC		 3825 SSL_SESSION_free(clientpsk);
3826 SSL_SESSION_free(serverpsk);
3827 clientpsk = serverpsk = NULL;
976e5323
MC		 3828 SSL_free(serverssl);
3829 SSL_free(clientssl);
3830 SSL_CTX_free(sctx);
3831 SSL_CTX_free(cctx);
3832 return testresult;
3833}
3834
0b2b0be9 3835/*
3836 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
3837 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
3838 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
3839 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3840 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
3841 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
3842 */
3843static int test_early_data_psk_with_all_ciphers(int idx)
3844{
3845 SSL_CTX *cctx = NULL, *sctx = NULL;
3846 SSL *clientssl = NULL, *serverssl = NULL;
3847 int testresult = 0;
3848 SSL_SESSION *sess = NULL;
3849 unsigned char buf[20];
3850 size_t readbytes, written;
3851 const SSL_CIPHER *cipher;
3852 const char *cipher_str[] = {
3853 TLS1_3_RFC_AES_128_GCM_SHA256,
3854 TLS1_3_RFC_AES_256_GCM_SHA384,
3855# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3856 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3857# else
3858 NULL,
3859# endif
3860 TLS1_3_RFC_AES_128_CCM_SHA256,
3861 TLS1_3_RFC_AES_128_CCM_8_SHA256
3862 };
3863 const unsigned char *cipher_bytes[] = {
3864 TLS13_AES_128_GCM_SHA256_BYTES,
3865 TLS13_AES_256_GCM_SHA384_BYTES,
3866# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3867 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
3868# else
3869 NULL,
3870# endif
3871 TLS13_AES_128_CCM_SHA256_BYTES,
3872 TLS13_AES_128_CCM_8_SHA256_BYTES
3873 };
3874
3875 if (cipher_str[idx] == NULL)
3876 return 1;
3877 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
3878 if (idx == 2 && is_fips == 1)
3879 return 1;
3880
3881 /* We always set this up with a final parameter of "2" for PSK */
3882 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3883 &serverssl, &sess, 2)))
3884 goto end;
3885
3886 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
3887 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
3888 goto end;
3889
3890 /*
3891 * 'setupearly_data_test' creates only one instance of SSL_SESSION
3892 * and assigns to both client and server with incremented reference
3893 * and the same instance is updated in 'sess'.
3894 * So updating ciphersuite in 'sess' which will get reflected in
3895 * PSK handshake using psk use sess and find sess cb.
3896 */
3897 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
3898 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
3899 goto end;
3900
3901 SSL_set_connect_state(clientssl);
3902 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3903 &written)))
3904 goto end;
3905
3906 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3907 &readbytes),
3908 SSL_READ_EARLY_DATA_SUCCESS)
3909 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3910 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3911 SSL_EARLY_DATA_ACCEPTED)
3912 || !TEST_int_eq(SSL_connect(clientssl), 1)
3913 || !TEST_int_eq(SSL_accept(serverssl), 1))
3914 goto end;
3915
3916 /* Send some normal data from client to server */
3917 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3918 || !TEST_size_t_eq(written, strlen(MSG2)))
3919 goto end;
3920
3921 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3922 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3923 goto end;
3924
3925 testresult = 1;
3926 end:
3927 SSL_SESSION_free(sess);
3928 SSL_SESSION_free(clientpsk);
3929 SSL_SESSION_free(serverpsk);
3930 clientpsk = serverpsk = NULL;
3931 if (clientssl != NULL)
3932 SSL_shutdown(clientssl);
3933 if (serverssl != NULL)
3934 SSL_shutdown(serverssl);
3935 SSL_free(serverssl);
3936 SSL_free(clientssl);
3937 SSL_CTX_free(sctx);
3938 SSL_CTX_free(cctx);
3939 return testresult;
3940}
3941
710756a9
RS		 3942/*
3943 * Test that a server that doesn't try to read early data can handle a
3944 * client sending some.
3945 */
3cb47b4e 3946static int test_early_data_not_expected(int idx)
5f982038
MC		 3947{
3948 SSL_CTX *cctx = NULL, *sctx = NULL;
3949 SSL *clientssl = NULL, *serverssl = NULL;
3950 int testresult = 0;
018fcbec 3951 SSL_SESSION *sess = NULL;
5f982038
MC		 3952 unsigned char buf[20];
3953 size_t readbytes, written;
3954
710756a9
RS		 3955 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3956 &serverssl, &sess, idx)))
5f982038
MC		 3957 goto end;
3958
3959 /* Write some early data */
710756a9
RS		 3960 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3961 &written)))
5f982038 3962 goto end;
5f982038
MC		 3963
3964 /*
3965 * Server should skip over early data and then block waiting for client to
3966 * continue handshake
3967 */
710756a9
RS		 3968 if (!TEST_int_le(SSL_accept(serverssl), 0)
3969 || !TEST_int_gt(SSL_connect(clientssl), 0)
3970 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3971 SSL_EARLY_DATA_REJECTED)
3972 || !TEST_int_gt(SSL_accept(serverssl), 0)
3973 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3974 SSL_EARLY_DATA_REJECTED))
5f982038 3975 goto end;
5f982038
MC		 3976
3977 /* Send some normal data from client to server */
710756a9
RS		 3978 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3979 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 3980 goto end;
5f982038 3981
710756a9
RS		 3982 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3983 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3984 goto end;
5f982038
MC		 3985
3986 testresult = 1;
3987
3988 end:
5f982038 3989 SSL_SESSION_free(sess);
c20e3b28 3990 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3991 SSL_SESSION_free(serverpsk);
3992 clientpsk = serverpsk = NULL;
5f982038
MC		 3993 SSL_free(serverssl);
3994 SSL_free(clientssl);
3995 SSL_CTX_free(sctx);
3996 SSL_CTX_free(cctx);
5f982038
MC		 3997 return testresult;
3998}
3999
4000
4001# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 4002/*
4003 * Test that a server attempting to read early data can handle a connection
4004 * from a TLSv1.2 client.
4005 */
3cb47b4e 4006static int test_early_data_tls1_2(int idx)
5f982038
MC		 4007{
4008 SSL_CTX *cctx = NULL, *sctx = NULL;
4009 SSL *clientssl = NULL, *serverssl = NULL;
4010 int testresult = 0;
4011 unsigned char buf[20];
4012 size_t readbytes, written;
4013
02a3ed5a
MC		 4014 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4015 &serverssl, NULL, idx)))
5f982038 4016 goto end;
5f982038
MC		 4017
4018 /* Write some data - should block due to handshake with server */
4019 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4020 SSL_set_connect_state(clientssl);
710756a9 4021 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 4022 goto end;
5f982038
MC		 4023
4024 /*
4025 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 4026 * messages from client after ServerDone. Then SSL_read_early_data should
4027 * finish and detect that early data has not been sent
5f982038 4028 */
710756a9
RS		 4029 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4030 &readbytes),
4031 SSL_READ_EARLY_DATA_ERROR))
5f982038 4032 goto end;
5f982038
MC		 4033
4034 /*
4035 * Continue writing the message we started earlier. Will still block waiting
4036 * for the CCS/Finished from server
4037 */
710756a9
RS		 4038 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4039 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4040 &readbytes),
4041 SSL_READ_EARLY_DATA_FINISH)
4042 || !TEST_size_t_eq(readbytes, 0)
4043 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4044 SSL_EARLY_DATA_NOT_SENT))
5f982038 4045 goto end;
5f982038
MC		 4046
4047 /* Continue writing the message we started earlier */
710756a9
RS		 4048 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4049 || !TEST_size_t_eq(written, strlen(MSG1))
4050 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4051 SSL_EARLY_DATA_NOT_SENT)
4052 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4053 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4054 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4055 || !TEST_size_t_eq(written, strlen(MSG2))
4056 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4057 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4058 goto end;
5f982038
MC		 4059
4060 testresult = 1;
4061
4062 end:
57dee9bb
MC		 4063 SSL_SESSION_free(clientpsk);
4064 SSL_SESSION_free(serverpsk);
4065 clientpsk = serverpsk = NULL;
5f982038
MC		 4066 SSL_free(serverssl);
4067 SSL_free(clientssl);
4068 SSL_CTX_free(sctx);
4069 SSL_CTX_free(cctx);
4070
4071 return testresult;
4072}
ca0413ae
MC		 4073# endif /* OPENSSL_NO_TLS1_2 */
4074
034cb87b
MC		 4075/*
4076 * Test configuring the TLSv1.3 ciphersuites
4077 *
4078 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4079 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4080 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4081 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4082 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4083 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4084 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4085 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4086 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4087 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4088 */
4089static int test_set_ciphersuite(int idx)
4090{
4091 SSL_CTX *cctx = NULL, *sctx = NULL;
4092 SSL *clientssl = NULL, *serverssl = NULL;
4093 int testresult = 0;
4094
5e30f2fd
MC		 4095 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4096 TLS_client_method(), TLS1_VERSION, 0,
034cb87b
MC		 4097 &sctx, &cctx, cert, privkey))
4098 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4099 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4100 goto end;
4101
4102 if (idx >=4 && idx <= 7) {
4103 /* SSL_CTX explicit cipher list */
4104 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4105 goto end;
4106 }
4107
4108 if (idx == 0 || idx == 4) {
4109 /* Default ciphersuite */
4110 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4111 "TLS_AES_128_GCM_SHA256")))
4112 goto end;
4113 } else if (idx == 1 || idx == 5) {
4114 /* Non default ciphersuite */
4115 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4116 "TLS_AES_128_CCM_SHA256")))
4117 goto end;
4118 }
4119
4120 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4121 &clientssl, NULL, NULL)))
4122 goto end;
4123
4124 if (idx == 8 || idx == 9) {
4125 /* SSL explicit cipher list */
4126 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4127 goto end;
4128 }
4129
4130 if (idx == 2 || idx == 6 || idx == 8) {
4131 /* Default ciphersuite */
4132 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4133 "TLS_AES_128_GCM_SHA256")))
4134 goto end;
4135 } else if (idx == 3 || idx == 7 || idx == 9) {
4136 /* Non default ciphersuite */
4137 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4138 "TLS_AES_128_CCM_SHA256")))
4139 goto end;
4140 }
4141
4142 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4143 goto end;
4144
4145 testresult = 1;
4146
4147 end:
4148 SSL_free(serverssl);
4149 SSL_free(clientssl);
4150 SSL_CTX_free(sctx);
4151 SSL_CTX_free(cctx);
4152
4153 return testresult;
4154}
4155
ca0413ae
MC		 4156static int test_ciphersuite_change(void)
4157{
4158 SSL_CTX *cctx = NULL, *sctx = NULL;
4159 SSL *clientssl = NULL, *serverssl = NULL;
4160 SSL_SESSION *clntsess = NULL;
4161 int testresult = 0;
4162 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4163
4164 /* Create a session based on SHA-256 */
5e30f2fd
MC		 4165 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4166 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 4167 &sctx, &cctx, cert, privkey))
4f6c7044
MC		 4168 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4169 "TLS_AES_128_GCM_SHA256:"
4170 "TLS_AES_256_GCM_SHA384:"
4171 "TLS_AES_128_CCM_SHA256"))
f865b081
MC		 4172 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4173 "TLS_AES_128_GCM_SHA256"))
ca0413ae
MC		 4174 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4175 &clientssl, NULL, NULL))
4176 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4177 SSL_ERROR_NONE)))
4178 goto end;
4179
4180 clntsess = SSL_get1_session(clientssl);
4181 /* Save for later */
4182 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4183 SSL_shutdown(clientssl);
4184 SSL_shutdown(serverssl);
4185 SSL_free(serverssl);
4186 SSL_free(clientssl);
4187 serverssl = clientssl = NULL;
4188
4189 /* Check we can resume a session with a different SHA-256 ciphersuite */
f865b081 4190 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4f6c7044
MC		 4191 "TLS_AES_128_CCM_SHA256"))
4192 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4193 &clientssl, NULL, NULL))
ca0413ae
MC		 4194 || !TEST_true(SSL_set_session(clientssl, clntsess))
4195 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4196 SSL_ERROR_NONE))
4197 || !TEST_true(SSL_session_reused(clientssl)))
4198 goto end;
4199
4200 SSL_SESSION_free(clntsess);
4201 clntsess = SSL_get1_session(clientssl);
4202 SSL_shutdown(clientssl);
4203 SSL_shutdown(serverssl);
4204 SSL_free(serverssl);
4205 SSL_free(clientssl);
4206 serverssl = clientssl = NULL;
4207
4208 /*
4209 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 4210 * succeeds but does not resume.
ca0413ae 4211 */
f865b081 4212 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4213 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4214 NULL, NULL))
4215 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 4216 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 4217 SSL_ERROR_SSL))
0de6d66d 4218 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 4219 goto end;
4220
4221 SSL_SESSION_free(clntsess);
4222 clntsess = NULL;
4223 SSL_shutdown(clientssl);
4224 SSL_shutdown(serverssl);
4225 SSL_free(serverssl);
4226 SSL_free(clientssl);
4227 serverssl = clientssl = NULL;
4228
4229 /* Create a session based on SHA384 */
f865b081 4230 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4231 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4232 &clientssl, NULL, NULL))
4233 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4234 SSL_ERROR_NONE)))
4235 goto end;
4236
4237 clntsess = SSL_get1_session(clientssl);
4238 SSL_shutdown(clientssl);
4239 SSL_shutdown(serverssl);
4240 SSL_free(serverssl);
4241 SSL_free(clientssl);
4242 serverssl = clientssl = NULL;
4243
f865b081
MC		 4244 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4245 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4246 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4247 "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4248 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4249 NULL, NULL))
4250 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 4251 /*
4252 * We use SSL_ERROR_WANT_READ below so that we can pause the
4253 * connection after the initial ClientHello has been sent to
4254 * enable us to make some session changes.
4255 */
ca0413ae
MC		 4256 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4257 SSL_ERROR_WANT_READ)))
4258 goto end;
4259
4260 /* Trick the client into thinking this session is for a different digest */
4261 clntsess->cipher = aes_128_gcm_sha256;
4262 clntsess->cipher_id = clntsess->cipher->id;
4263
4264 /*
3b0e88d3
MC		 4265 * Continue the previously started connection. Server has selected a SHA-384
4266 * ciphersuite, but client thinks the session is for SHA-256, so it should
4267 * bail out.
ca0413ae
MC		 4268 */
4269 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4270 SSL_ERROR_SSL))
4271 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4272 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4273 goto end;
4274
4275 testresult = 1;
4276
4277 end:
4278 SSL_SESSION_free(clntsess);
4279 SSL_free(serverssl);
4280 SSL_free(clientssl);
4281 SSL_CTX_free(sctx);
4282 SSL_CTX_free(cctx);
4283
4284 return testresult;
4285}
4286
8e63900a 4287/*
5bf2eade 4288 * Test TLSv1.3 Key exchange
4289 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4290 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4291 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4292 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4293 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4294 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4295 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4296 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4297 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4298 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4299 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4300 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4301 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4302 * Test 13 = Test all FFDHE with TLSv1.2 client and server
8e63900a 4303 */
db26ec80 4304static int test_key_exchange(int idx)
8e63900a 4305{
4306 SSL_CTX *sctx = NULL, *cctx = NULL;
4307 SSL *serverssl = NULL, *clientssl = NULL;
4308 int testresult = 0;
5bf2eade 4309# ifndef OPENSSL_NO_EC
4310 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4311 NID_secp521r1, NID_X25519, NID_X448};
4312# endif
4313# ifndef OPENSSL_NO_DH
8e63900a 4314 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4315 NID_ffdhe6144, NID_ffdhe8192};
5bf2eade 4316# endif
fb8c6db4 4317 int kexch_alg;
4318 int *kexch_groups = &kexch_alg;
4319 int kexch_groups_size = 1;
8e63900a 4320 int max_version = TLS1_3_VERSION;
becbacd7 4321 char *kexch_name0 = NULL;
8e63900a 4322
4323 switch (idx) {
5bf2eade 4324# ifndef OPENSSL_NO_EC
db26ec80 4325# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4326 case 12:
fb8c6db4 4327 max_version = TLS1_2_VERSION;
db26ec80 4328# endif
fb8c6db4 4329 /* Fall through */
4330 case 0:
4331 kexch_groups = ecdhe_kexch_groups;
4332 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
becbacd7 4333 kexch_name0 = "secp256r1";
fb8c6db4 4334 break;
5bf2eade 4335 case 1:
fb8c6db4 4336 kexch_alg = NID_X9_62_prime256v1;
becbacd7 4337 kexch_name0 = "secp256r1";
fb8c6db4 4338 break;
5bf2eade 4339 case 2:
fb8c6db4 4340 kexch_alg = NID_secp384r1;
becbacd7 4341 kexch_name0 = "secp384r1";
fb8c6db4 4342 break;
5bf2eade 4343 case 3:
fb8c6db4 4344 kexch_alg = NID_secp521r1;
becbacd7 4345 kexch_name0 = "secp521r1";
fb8c6db4 4346 break;
5bf2eade 4347 case 4:
fb8c6db4 4348 kexch_alg = NID_X25519;
becbacd7 4349 kexch_name0 = "x25519";
fb8c6db4 4350 break;
5bf2eade 4351 case 5:
fb8c6db4 4352 kexch_alg = NID_X448;
becbacd7 4353 kexch_name0 = "x448";
fb8c6db4 4354 break;
5bf2eade 4355# endif
4356# ifndef OPENSSL_NO_DH
db26ec80 4357# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4358 case 13:
dbc6268f 4359 max_version = TLS1_2_VERSION;
becbacd7 4360 kexch_name0 = "ffdhe2048";
db26ec80 4361# endif
dbc6268f 4362 /* Fall through */
5bf2eade 4363 case 6:
8e63900a 4364 kexch_groups = ffdhe_kexch_groups;
4365 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
becbacd7 4366 kexch_name0 = "ffdhe2048";
8e63900a 4367 break;
5bf2eade 4368 case 7:
fb8c6db4 4369 kexch_alg = NID_ffdhe2048;
becbacd7 4370 kexch_name0 = "ffdhe2048";
fb8c6db4 4371 break;
5bf2eade 4372 case 8:
fb8c6db4 4373 kexch_alg = NID_ffdhe3072;
becbacd7 4374 kexch_name0 = "ffdhe3072";
fb8c6db4 4375 break;
5bf2eade 4376 case 9:
fb8c6db4 4377 kexch_alg = NID_ffdhe4096;
becbacd7 4378 kexch_name0 = "ffdhe4096";
fb8c6db4 4379 break;
5bf2eade 4380 case 10:
fb8c6db4 4381 kexch_alg = NID_ffdhe6144;
becbacd7 4382 kexch_name0 = "ffdhe6144";
fb8c6db4 4383 break;
5bf2eade 4384 case 11:
fb8c6db4 4385 kexch_alg = NID_ffdhe8192;
becbacd7 4386 kexch_name0 = "ffdhe8192";
8e63900a 4387 break;
5bf2eade 4388# endif
6597d62b
MC		 4389 default:
4390 /* We're skipping this test */
4391 return 1;
8e63900a 4392 }
4393
5e30f2fd
MC		 4394 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4395 TLS_client_method(), TLS1_VERSION,
4396 max_version, &sctx, &cctx, cert,
4397 privkey)))
8e63900a 4398 goto end;
4399
5bf2eade 4400 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4401 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4402 goto end;
4403
5bf2eade 4404 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4405 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4406 goto end;
4407
5bf2eade 4408 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4409 TLS1_TXT_RSA_WITH_AES_128_SHA)))
8e63900a 4410 goto end;
4411
dbc6268f
MC		 4412 /*
4413 * Must include an EC ciphersuite so that we send supported groups in
4414 * TLSv1.2
4415 */
5bf2eade 4416# ifndef OPENSSL_NO_TLS1_2
dbc6268f
MC		 4417 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4418 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
4419 TLS1_TXT_RSA_WITH_AES_128_SHA)))
8e63900a 4420 goto end;
5bf2eade 4421# endif
8e63900a 4422
4423 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4424 NULL, NULL)))
4425 goto end;
4426
4427 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4428 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4429 goto end;
4430
5bf2eade 4431 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8e63900a 4432 goto end;
8e63900a 4433
dbc6268f 4434 /*
5bf2eade 4435 * If Handshake succeeds the negotiated kexch alg should be the first one in
4436 * configured, except in the case of FFDHE groups (idx 13), which are
4437 * TLSv1.3 only so we expect no shared group to exist.
dbc6268f
MC		 4438 */
4439 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
5bf2eade 4440 idx == 13 ? 0 : kexch_groups[0]))
8e63900a 4441 goto end;
becbacd7
MB		 4442
4443 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
4444 kexch_name0))
4445 goto end;
4446
fb8c6db4 4447 if (max_version == TLS1_3_VERSION) {
4448 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4449 goto end;
4450 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4451 goto end;
4452 }
8e63900a 4453
4454 testresult = 1;
4455 end:
4456 SSL_free(serverssl);
4457 SSL_free(clientssl);
4458 SSL_CTX_free(sctx);
4459 SSL_CTX_free(cctx);
4460 return testresult;
4461}
4462
5bf2eade 4463/*
4464 * Test TLSv1.3 Cipher Suite
4465 * Test 0 = Set TLS1.3 cipher on context
4466 * Test 1 = Set TLS1.3 cipher on SSL
4467 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4468 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4469 */
4470static int test_tls13_ciphersuite(int idx)
4471{
4472 SSL_CTX *sctx = NULL, *cctx = NULL;
4473 SSL *serverssl = NULL, *clientssl = NULL;
4f6c7044
MC		 4474 static const struct {
4475 const char *ciphername;
4476 int fipscapable;
4477 } t13_ciphers[] = {
4478 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
4479 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
4480 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
5bf2eade 4481# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4f6c7044
MC		 4482 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4483 { TLS1_3_RFC_AES_256_GCM_SHA384
4484 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
5bf2eade 4485# endif
4f6c7044 4486 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
5bf2eade 4487 };
4488 const char *t13_cipher = NULL;
4489 const char *t12_cipher = NULL;
4490 const char *negotiated_scipher;
4491 const char *negotiated_ccipher;
4492 int set_at_ctx = 0;
4493 int set_at_ssl = 0;
4494 int testresult = 0;
4495 int max_ver;
4496 size_t i;
4497
4498 switch (idx) {
4499 case 0:
4500 set_at_ctx = 1;
4501 break;
4502 case 1:
4503 set_at_ssl = 1;
4504 break;
4505 case 2:
4506 set_at_ctx = 1;
2d900758 4507 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 4508 break;
4509 case 3:
4510 set_at_ssl = 1;
2d900758 4511 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 4512 break;
4513 }
4514
4515 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4516# ifdef OPENSSL_NO_TLS1_2
4517 if (max_ver == TLS1_2_VERSION)
4518 continue;
4519# endif
4520 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4f6c7044
MC		 4521 if (is_fips && !t13_ciphers[i].fipscapable)
4522 continue;
4523 t13_cipher = t13_ciphers[i].ciphername;
5e30f2fd 4524 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5bf2eade 4525 TLS_client_method(),
4526 TLS1_VERSION, max_ver,
4527 &sctx, &cctx, cert, privkey)))
4528 goto end;
4529
4530 if (set_at_ctx) {
4531 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4532 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4533 goto end;
4534 if (t12_cipher != NULL) {
4535 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
4536 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
4537 t12_cipher)))
4538 goto end;
4539 }
4540 }
4541
4542 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4543 &clientssl, NULL, NULL)))
4544 goto end;
4545
4546 if (set_at_ssl) {
4547 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
4548 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
4549 goto end;
4550 if (t12_cipher != NULL) {
4551 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
4552 || !TEST_true(SSL_set_cipher_list(clientssl,
4553 t12_cipher)))
4554 goto end;
4555 }
4556 }
4557
4558 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4559 SSL_ERROR_NONE)))
4560 goto end;
4561
4562 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4563 serverssl));
4564 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4565 clientssl));
4566 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
4567 goto end;
4568
4569 /*
4570 * TEST_strn_eq is used below because t13_cipher can contain
4571 * multiple ciphersuites
4572 */
4573 if (max_ver == TLS1_3_VERSION
4574 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
4575 strlen(negotiated_scipher)))
4576 goto end;
4577
4578# ifndef OPENSSL_NO_TLS1_2
4579 /* Below validation is not done when t12_cipher is NULL */
4580 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
4581 && !TEST_str_eq(t12_cipher, negotiated_scipher))
4582 goto end;
4583# endif
4584
4585 SSL_free(serverssl);
4586 serverssl = NULL;
4587 SSL_free(clientssl);
4588 clientssl = NULL;
4589 SSL_CTX_free(sctx);
4590 sctx = NULL;
4591 SSL_CTX_free(cctx);
4592 cctx = NULL;
4593 }
4594 }
4595
4596 testresult = 1;
4597 end:
4598 SSL_free(serverssl);
4599 SSL_free(clientssl);
4600 SSL_CTX_free(sctx);
4601 SSL_CTX_free(cctx);
4602 return testresult;
4603}
4604
0d8da779
MC		 4605/*
4606 * Test TLSv1.3 PSKs
4607 * Test 0 = Test new style callbacks
4608 * Test 1 = Test both new and old style callbacks
4609 * Test 2 = Test old style callbacks
4610 * Test 3 = Test old style callbacks with no certificate
4611 */
532f9578 4612static int test_tls13_psk(int idx)
ca8c71ba
MC		 4613{
4614 SSL_CTX *sctx = NULL, *cctx = NULL;
4615 SSL *serverssl = NULL, *clientssl = NULL;
4616 const SSL_CIPHER *cipher = NULL;
4617 const unsigned char key[] = {
4618 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4619 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 4620 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
4621 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 4622 };
4623 int testresult = 0;
4624
5e30f2fd
MC		 4625 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4626 TLS_client_method(), TLS1_VERSION, 0,
0d8da779
MC		 4627 &sctx, &cctx, idx == 3 ? NULL : cert,
4628 idx == 3 ? NULL : privkey)))
ca8c71ba
MC		 4629 goto end;
4630
0d8da779
MC		 4631 if (idx != 3) {
4632 /*
4633 * We use a ciphersuite with SHA256 to ease testing old style PSK
4634 * callbacks which will always default to SHA256. This should not be
4635 * necessary if we have no cert/priv key. In that case the server should
4636 * prefer SHA256 automatically.
4637 */
4638 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4639 "TLS_AES_128_GCM_SHA256")))
4640 goto end;
4f6c7044
MC		 4641 } else {
4642 /*
4643 * As noted above the server should prefer SHA256 automatically. However
4644 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
4645 * code works even if we are testing with only the FIPS provider loaded.
4646 */
4647 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4648 "TLS_AES_256_GCM_SHA384:"
4649 "TLS_AES_128_GCM_SHA256")))
4650 goto end;
0d8da779 4651 }
532f9578
MC		 4652
4653 /*
4654 * Test 0: New style callbacks only
4655 * Test 1: New and old style callbacks (only the new ones should be used)
4656 * Test 2: Old style callbacks only
4657 */
4658 if (idx == 0 || idx == 1) {
4659 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
4660 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
4661 }
c2b290c3 4662#ifndef OPENSSL_NO_PSK
0d8da779 4663 if (idx >= 1) {
532f9578
MC		 4664 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
4665 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
4666 }
c2b290c3 4667#endif
ca8c71ba 4668 srvid = pskid;
02a3ed5a
MC		 4669 use_session_cb_cnt = 0;
4670 find_session_cb_cnt = 0;
532f9578
MC		 4671 psk_client_cb_cnt = 0;
4672 psk_server_cb_cnt = 0;
ca8c71ba 4673
0d8da779
MC		 4674 if (idx != 3) {
4675 /*
4676 * Check we can create a connection if callback decides not to send a
4677 * PSK
4678 */
4679 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4680 NULL, NULL))
4681 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4682 SSL_ERROR_NONE))
4683 || !TEST_false(SSL_session_reused(clientssl))
4684 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 4685 goto end;
532f9578 4686
0d8da779
MC		 4687 if (idx == 0 || idx == 1) {
4688 if (!TEST_true(use_session_cb_cnt == 1)
4689 || !TEST_true(find_session_cb_cnt == 0)
4690 /*
4691 * If no old style callback then below should be 0
4692 * otherwise 1
4693 */
4694 || !TEST_true(psk_client_cb_cnt == idx)
4695 || !TEST_true(psk_server_cb_cnt == 0))
4696 goto end;
4697 } else {
4698 if (!TEST_true(use_session_cb_cnt == 0)
4699 || !TEST_true(find_session_cb_cnt == 0)
4700 || !TEST_true(psk_client_cb_cnt == 1)
4701 || !TEST_true(psk_server_cb_cnt == 0))
4702 goto end;
4703 }
4704
4705 shutdown_ssl_connection(serverssl, clientssl);
4706 serverssl = clientssl = NULL;
4707 use_session_cb_cnt = psk_client_cb_cnt = 0;
4708 }
ca8c71ba
MC		 4709
4710 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4711 NULL, NULL)))
4712 goto end;
4713
4714 /* Create the PSK */
532f9578 4715 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 4716 clientpsk = SSL_SESSION_new();
4717 if (!TEST_ptr(clientpsk)
ca8c71ba 4718 || !TEST_ptr(cipher)
57dee9bb
MC		 4719 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4720 sizeof(key)))
4721 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4722 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4723 TLS1_3_VERSION))
4724 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 4725 goto end;
57dee9bb 4726 serverpsk = clientpsk;
ca8c71ba
MC		 4727
4728 /* Check we can create a connection and the PSK is used */
4729 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4730 || !TEST_true(SSL_session_reused(clientssl))
532f9578 4731 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 4732 goto end;
4733
532f9578
MC		 4734 if (idx == 0 || idx == 1) {
4735 if (!TEST_true(use_session_cb_cnt == 1)
4736 || !TEST_true(find_session_cb_cnt == 1)
4737 || !TEST_true(psk_client_cb_cnt == 0)
4738 || !TEST_true(psk_server_cb_cnt == 0))
4739 goto end;
4740 } else {
4741 if (!TEST_true(use_session_cb_cnt == 0)
4742 || !TEST_true(find_session_cb_cnt == 0)
4743 || !TEST_true(psk_client_cb_cnt == 1)
4744 || !TEST_true(psk_server_cb_cnt == 1))
4745 goto end;
4746 }
4747
ca8c71ba
MC		 4748 shutdown_ssl_connection(serverssl, clientssl);
4749 serverssl = clientssl = NULL;
4750 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 4751 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 4752
4753 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4754 NULL, NULL)))
4755 goto end;
4756
4757 /* Force an HRR */
dbc6268f
MC		 4758#if defined(OPENSSL_NO_EC)
4759 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4760 goto end;
4761#else
ca8c71ba
MC		 4762 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4763 goto end;
dbc6268f 4764#endif
ca8c71ba
MC		 4765
4766 /*
4767 * Check we can create a connection, the PSK is used and the callbacks are
4768 * called twice.
4769 */
4770 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4771 || !TEST_true(SSL_session_reused(clientssl))
532f9578 4772 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 4773 goto end;
4774
532f9578
MC		 4775 if (idx == 0 || idx == 1) {
4776 if (!TEST_true(use_session_cb_cnt == 2)
4777 || !TEST_true(find_session_cb_cnt == 2)
4778 || !TEST_true(psk_client_cb_cnt == 0)
4779 || !TEST_true(psk_server_cb_cnt == 0))
4780 goto end;
4781 } else {
4782 if (!TEST_true(use_session_cb_cnt == 0)
4783 || !TEST_true(find_session_cb_cnt == 0)
4784 || !TEST_true(psk_client_cb_cnt == 2)
4785 || !TEST_true(psk_server_cb_cnt == 2))
4786 goto end;
4787 }
4788
ca8c71ba
MC		 4789 shutdown_ssl_connection(serverssl, clientssl);
4790 serverssl = clientssl = NULL;
4791 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 4792 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba 4793
0d8da779
MC		 4794 if (idx != 3) {
4795 /*
4796 * Check that if the server rejects the PSK we can still connect, but with
4797 * a full handshake
4798 */
4799 srvid = "Dummy Identity";
4800 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4801 NULL, NULL))
4802 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4803 SSL_ERROR_NONE))
4804 || !TEST_false(SSL_session_reused(clientssl))
4805 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 4806 goto end;
532f9578 4807
0d8da779
MC		 4808 if (idx == 0 || idx == 1) {
4809 if (!TEST_true(use_session_cb_cnt == 1)
4810 || !TEST_true(find_session_cb_cnt == 1)
4811 || !TEST_true(psk_client_cb_cnt == 0)
4812 /*
4813 * If no old style callback then below should be 0
4814 * otherwise 1
4815 */
4816 || !TEST_true(psk_server_cb_cnt == idx))
4817 goto end;
4818 } else {
4819 if (!TEST_true(use_session_cb_cnt == 0)
4820 || !TEST_true(find_session_cb_cnt == 0)
4821 || !TEST_true(psk_client_cb_cnt == 1)
4822 || !TEST_true(psk_server_cb_cnt == 1))
4823 goto end;
4824 }
4825
4826 shutdown_ssl_connection(serverssl, clientssl);
4827 serverssl = clientssl = NULL;
4828 }
ca8c71ba
MC		 4829 testresult = 1;
4830
4831 end:
57dee9bb
MC		 4832 SSL_SESSION_free(clientpsk);
4833 SSL_SESSION_free(serverpsk);
4834 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 4835 SSL_free(serverssl);
4836 SSL_free(clientssl);
4837 SSL_CTX_free(sctx);
4838 SSL_CTX_free(cctx);
4839 return testresult;
4840}
4841
c7b8ff25
MC		 4842static unsigned char cookie_magic_value[] = "cookie magic";
4843
4844static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
4845 unsigned int *cookie_len)
4846{
4847 /*
4848 * Not suitable as a real cookie generation function but good enough for
4849 * testing!
4850 */
97ea1e7f
MC		 4851 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
4852 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 4853
4854 return 1;
4855}
4856
4857static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
4858 unsigned int cookie_len)
4859{
97ea1e7f 4860 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 4861 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
4862 return 1;
4863
4864 return 0;
4865}
4866
3fa2812f
BS		 4867static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
4868 size_t *cookie_len)
4869{
4870 unsigned int temp;
4871 int res = generate_cookie_callback(ssl, cookie, &temp);
4872 *cookie_len = temp;
4873 return res;
4874}
4875
4876static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
4877 size_t cookie_len)
4878{
4879 return verify_cookie_callback(ssl, cookie, cookie_len);
4880}
4881
c7b8ff25
MC		 4882static int test_stateless(void)
4883{
4884 SSL_CTX *sctx = NULL, *cctx = NULL;
4885 SSL *serverssl = NULL, *clientssl = NULL;
4886 int testresult = 0;
4887
5e30f2fd
MC		 4888 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4889 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 4890 &sctx, &cctx, cert, privkey)))
c7b8ff25
MC		 4891 goto end;
4892
e440f513
MC		 4893 /* The arrival of CCS messages can confuse the test */
4894 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
4895
4896 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4897 NULL, NULL))
4898 /* Send the first ClientHello */
4899 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4900 SSL_ERROR_WANT_READ))
4901 /*
4902 * This should fail with a -1 return because we have no callbacks
4903 * set up
4904 */
4905 || !TEST_int_eq(SSL_stateless(serverssl), -1))
4906 goto end;
4907
4908 /* Fatal error so abandon the connection from this client */
4909 SSL_free(clientssl);
4910 clientssl = NULL;
4911
c7b8ff25 4912 /* Set up the cookie generation and verification callbacks */
3fa2812f
BS		 4913 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
4914 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
c7b8ff25 4915
e440f513
MC		 4916 /*
4917 * Create a new connection from the client (we can reuse the server SSL
4918 * object).
4919 */
c7b8ff25
MC		 4920 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4921 NULL, NULL))
4922 /* Send the first ClientHello */
4923 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4924 SSL_ERROR_WANT_READ))
4925 /* This should fail because there is no cookie */
e440f513 4926 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 4927 goto end;
4928
4929 /* Abandon the connection from this client */
4930 SSL_free(clientssl);
4931 clientssl = NULL;
4932
4933 /*
4934 * Now create a connection from a new client but with the same server SSL
4935 * object
4936 */
4937 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4938 NULL, NULL))
4939 /* Send the first ClientHello */
4940 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4941 SSL_ERROR_WANT_READ))
4942 /* This should fail because there is no cookie */
e440f513 4943 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 4944 /* Send the second ClientHello */
4945 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4946 SSL_ERROR_WANT_READ))
4947 /* This should succeed because a cookie is now present */
e440f513 4948 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 4949 /* Complete the connection */
4950 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4951 SSL_ERROR_NONE)))
4952 goto end;
4953
4954 shutdown_ssl_connection(serverssl, clientssl);
4955 serverssl = clientssl = NULL;
4956 testresult = 1;
4957
4958 end:
4959 SSL_free(serverssl);
4960 SSL_free(clientssl);
4961 SSL_CTX_free(sctx);
4962 SSL_CTX_free(cctx);
4963 return testresult;
4964
4965}
ca0413ae 4966#endif /* OPENSSL_NO_TLS1_3 */
5f982038 4967
a37008d9
MC		 4968static int clntaddoldcb = 0;
4969static int clntparseoldcb = 0;
4970static int srvaddoldcb = 0;
4971static int srvparseoldcb = 0;
4972static int clntaddnewcb = 0;
4973static int clntparsenewcb = 0;
4974static int srvaddnewcb = 0;
4975static int srvparsenewcb = 0;
bb01ef3f 4976static int snicb = 0;
a37008d9
MC		 4977
4978#define TEST_EXT_TYPE1 0xff00
4979
4980static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
4981 size_t *outlen, int *al, void *add_arg)
4982{
4983 int *server = (int *)add_arg;
4984 unsigned char *data;
4985
4986 if (SSL_is_server(s))
4987 srvaddoldcb++;
4988 else
4989 clntaddoldcb++;
4990
710756a9
RS		 4991 if (*server != SSL_is_server(s)
4992 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 4993 return -1;
4994
4995 *data = 1;
4996 *out = data;
4997 *outlen = sizeof(char);
a37008d9
MC		 4998 return 1;
4999}
5000
5001static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5002 void *add_arg)
5003{
5004 OPENSSL_free((unsigned char *)out);
5005}
5006
5007static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5008 size_t inlen, int *al, void *parse_arg)
5009{
5010 int *server = (int *)parse_arg;
5011
5012 if (SSL_is_server(s))
5013 srvparseoldcb++;
5014 else
5015 clntparseoldcb++;
5016
710756a9
RS		 5017 if (*server != SSL_is_server(s)
5018 || inlen != sizeof(char)
5019 || *in != 1)
a37008d9
MC		 5020 return -1;
5021
5022 return 1;
5023}
5024
5025static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5026 const unsigned char **out, size_t *outlen, X509 *x,
5027 size_t chainidx, int *al, void *add_arg)
5028{
5029 int *server = (int *)add_arg;
5030 unsigned char *data;
5031
5032 if (SSL_is_server(s))
5033 srvaddnewcb++;
5034 else
5035 clntaddnewcb++;
5036
710756a9
RS		 5037 if (*server != SSL_is_server(s)
5038 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5039 return -1;
5040
5041 *data = 1;
5042 *out = data;
710756a9 5043 *outlen = sizeof(*data);
a37008d9
MC		 5044 return 1;
5045}
5046
5047static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5048 const unsigned char *out, void *add_arg)
5049{
5050 OPENSSL_free((unsigned char *)out);
5051}
5052
5053static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5054 const unsigned char *in, size_t inlen, X509 *x,
5055 size_t chainidx, int *al, void *parse_arg)
5056{
5057 int *server = (int *)parse_arg;
5058
5059 if (SSL_is_server(s))
5060 srvparsenewcb++;
5061 else
5062 clntparsenewcb++;
5063
710756a9
RS		 5064 if (*server != SSL_is_server(s)
5065 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 5066 return -1;
5067
5068 return 1;
5069}
bb01ef3f
MC		 5070
5071static int sni_cb(SSL *s, int *al, void *arg)
5072{
5073 SSL_CTX *ctx = (SSL_CTX *)arg;
5074
5075 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5076 *al = SSL_AD_INTERNAL_ERROR;
5077 return SSL_TLSEXT_ERR_ALERT_FATAL;
5078 }
5079 snicb++;
5080 return SSL_TLSEXT_ERR_OK;
5081}
5082
a37008d9
MC		 5083/*
5084 * Custom call back tests.
5085 * Test 0: Old style callbacks in TLSv1.2
5086 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 5087 * Test 2: New style callbacks in TLSv1.2 with SNI
5088 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5089 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
a37008d9 5090 */
710756a9
RS		 5091static int test_custom_exts(int tst)
5092{
bb01ef3f 5093 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 5094 SSL *clientssl = NULL, *serverssl = NULL;
5095 int testresult = 0;
5096 static int server = 1;
5097 static int client = 0;
5098 SSL_SESSION *sess = NULL;
5099 unsigned int context;
5100
c423ecaa
MC		 5101#if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
5102 /* Skip tests for TLSv1.2 and below in this case */
5103 if (tst < 3)
5104 return 1;
5105#endif
5106
a37008d9
MC		 5107 /* Reset callback counters */
5108 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5109 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 5110 snicb = 0;
a37008d9 5111
5e30f2fd
MC		 5112 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5113 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5114 &sctx, &cctx, cert, privkey)))
710756a9 5115 goto end;
a37008d9 5116
bb01ef3f 5117 if (tst == 2
5e30f2fd 5118 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5c587fb6 5119 TLS1_VERSION, 0,
7d7f6834 5120 &sctx2, NULL, cert, privkey)))
bb01ef3f
MC		 5121 goto end;
5122
5123
5124 if (tst < 3) {
a37008d9
MC		 5125 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5126 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 5127 if (sctx2 != NULL)
5128 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 5129 }
5130
bb01ef3f 5131 if (tst == 4) {
710756a9
RS		 5132 context = SSL_EXT_CLIENT_HELLO
5133 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 5134 | SSL_EXT_TLS1_3_SERVER_HELLO
5135 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5136 | SSL_EXT_TLS1_3_CERTIFICATE
5137 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5138 } else {
710756a9
RS		 5139 context = SSL_EXT_CLIENT_HELLO
5140 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 5141 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5142 }
5143
5144 /* Create a client side custom extension */
5145 if (tst == 0) {
710756a9
RS		 5146 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5147 old_add_cb, old_free_cb,
5148 &client, old_parse_cb,
5149 &client)))
5150 goto end;
a37008d9 5151 } else {
710756a9
RS		 5152 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5153 new_add_cb, new_free_cb,
5154 &client, new_parse_cb, &client)))
5155 goto end;
a37008d9
MC		 5156 }
5157
5158 /* Should not be able to add duplicates */
710756a9
RS		 5159 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5160 old_add_cb, old_free_cb,
5161 &client, old_parse_cb,
5162 &client))
5163 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5164 context, new_add_cb,
5165 new_free_cb, &client,
5166 new_parse_cb, &client)))
5167 goto end;
a37008d9
MC		 5168
5169 /* Create a server side custom extension */
5170 if (tst == 0) {
710756a9
RS		 5171 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5172 old_add_cb, old_free_cb,
5173 &server, old_parse_cb,
5174 &server)))
5175 goto end;
a37008d9 5176 } else {
710756a9
RS		 5177 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5178 new_add_cb, new_free_cb,
5179 &server, new_parse_cb, &server)))
5180 goto end;
bb01ef3f
MC		 5181 if (sctx2 != NULL
5182 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5183 context, new_add_cb,
5184 new_free_cb, &server,
5185 new_parse_cb, &server)))
5186 goto end;
a37008d9
MC		 5187 }
5188
5189 /* Should not be able to add duplicates */
710756a9
RS		 5190 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5191 old_add_cb, old_free_cb,
5192 &server, old_parse_cb,
5193 &server))
5194 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5195 context, new_add_cb,
5196 new_free_cb, &server,
5197 new_parse_cb, &server)))
a37008d9 5198 goto end;
a37008d9 5199
bb01ef3f
MC		 5200 if (tst == 2) {
5201 /* Set up SNI */
5202 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5203 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5204 goto end;
5205 }
5206
710756a9
RS		 5207 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5208 &clientssl, NULL, NULL))
5209 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5210 SSL_ERROR_NONE)))
a37008d9 5211 goto end;
a37008d9
MC		 5212
5213 if (tst == 0) {
710756a9
RS		 5214 if (clntaddoldcb != 1
5215 || clntparseoldcb != 1
5216 || srvaddoldcb != 1
5217 || srvparseoldcb != 1)
a37008d9 5218 goto end;
bb01ef3f 5219 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 5220 if (clntaddnewcb != 1
5221 || clntparsenewcb != 1
5222 || srvaddnewcb != 1
bb01ef3f
MC		 5223 || srvparsenewcb != 1
5224 || (tst != 2 && snicb != 0)
5225 || (tst == 2 && snicb != 1))
a37008d9 5226 goto end;
a37008d9 5227 } else {
36ff232c 5228 /* In this case there 2 NewSessionTicket messages created */
710756a9 5229 if (clntaddnewcb != 1
36ff232c
MC		 5230 || clntparsenewcb != 5
5231 || srvaddnewcb != 5
710756a9 5232 || srvparsenewcb != 1)
a37008d9 5233 goto end;
a37008d9
MC		 5234 }
5235
5236 sess = SSL_get1_session(clientssl);
a37008d9
MC		 5237 SSL_shutdown(clientssl);
5238 SSL_shutdown(serverssl);
a37008d9
MC		 5239 SSL_free(serverssl);
5240 SSL_free(clientssl);
5241 serverssl = clientssl = NULL;
5242
bb01ef3f
MC		 5243 if (tst == 3) {
5244 /* We don't bother with the resumption aspects for this test */
5245 testresult = 1;
5246 goto end;
5247 }
5248
710756a9
RS		 5249 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5250 NULL, NULL))
5251 || !TEST_true(SSL_set_session(clientssl, sess))
5252 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5253 SSL_ERROR_NONE)))
a37008d9 5254 goto end;
a37008d9
MC		 5255
5256 /*
5257 * For a resumed session we expect to add the ClientHello extension. For the
5258 * old style callbacks we ignore it on the server side because they set
5259 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5260 * them.
5261 */
5262 if (tst == 0) {
710756a9
RS		 5263 if (clntaddoldcb != 2
5264 || clntparseoldcb != 1
5265 || srvaddoldcb != 1
5266 || srvparseoldcb != 1)
a37008d9 5267 goto end;
bb01ef3f 5268 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 5269 if (clntaddnewcb != 2
5270 || clntparsenewcb != 2
5271 || srvaddnewcb != 2
5272 || srvparsenewcb != 2)
a37008d9 5273 goto end;
a37008d9 5274 } else {
36ff232c
MC		 5275 /*
5276 * No Certificate message extensions in the resumption handshake,
5277 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5278 */
710756a9 5279 if (clntaddnewcb != 2
36ff232c
MC		 5280 || clntparsenewcb != 8
5281 || srvaddnewcb != 8
710756a9 5282 || srvparsenewcb != 2)
a37008d9 5283 goto end;
a37008d9
MC		 5284 }
5285
5286 testresult = 1;
5287
5288end:
5289 SSL_SESSION_free(sess);
5290 SSL_free(serverssl);
5291 SSL_free(clientssl);
bb01ef3f 5292 SSL_CTX_free(sctx2);
a37008d9
MC		 5293 SSL_CTX_free(sctx);
5294 SSL_CTX_free(cctx);
a37008d9
MC		 5295 return testresult;
5296}
5297
16afd71c
MC		 5298/*
5299 * Test loading of serverinfo data in various formats. test_sslmessages actually
5300 * tests to make sure the extensions appear in the handshake
5301 */
5302static int test_serverinfo(int tst)
5303{
5304 unsigned int version;
5305 unsigned char *sibuf;
5306 size_t sibuflen;
5307 int ret, expected, testresult = 0;
5308 SSL_CTX *ctx;
5309
d8652be0 5310 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method());
16afd71c
MC		 5311 if (!TEST_ptr(ctx))
5312 goto end;
5313
5314 if ((tst & 0x01) == 0x01)
5315 version = SSL_SERVERINFOV2;
5316 else
5317 version = SSL_SERVERINFOV1;
5318
5319 if ((tst & 0x02) == 0x02) {
5320 sibuf = serverinfov2;
5321 sibuflen = sizeof(serverinfov2);
5322 expected = (version == SSL_SERVERINFOV2);
5323 } else {
5324 sibuf = serverinfov1;
5325 sibuflen = sizeof(serverinfov1);
5326 expected = (version == SSL_SERVERINFOV1);
5327 }
5328
5329 if ((tst & 0x04) == 0x04) {
5330 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5331 } else {
5332 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5333
5334 /*
5335 * The version variable is irrelevant in this case - it's what is in the
5336 * buffer that matters
5337 */
5338 if ((tst & 0x02) == 0x02)
5339 expected = 0;
5340 else
5341 expected = 1;
5342 }
5343
5344 if (!TEST_true(ret == expected))
5345 goto end;
5346
5347 testresult = 1;
5348
5349 end:
5350 SSL_CTX_free(ctx);
5351
5352 return testresult;
5353}
5354
2197d1df
MC		 5355/*
5356 * Test that SSL_export_keying_material() produces expected results. There are
5357 * no test vectors so all we do is test that both sides of the communication
5358 * produce the same results for different protocol versions.
5359 */
0fb2815b
MC		 5360#define SMALL_LABEL_LEN 10
5361#define LONG_LABEL_LEN 249
2197d1df
MC		 5362static int test_export_key_mat(int tst)
5363{
a599574b 5364 int testresult = 0;
2197d1df
MC		 5365 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5366 SSL *clientssl = NULL, *serverssl = NULL;
0fb2815b 5367 const char label[LONG_LABEL_LEN + 1] = "test label";
2197d1df
MC		 5368 const unsigned char context[] = "context";
5369 const unsigned char *emptycontext = NULL;
5370 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5371 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
0fb2815b 5372 size_t labellen;
a599574b
MC		 5373 const int protocols[] = {
5374 TLS1_VERSION,
5375 TLS1_1_VERSION,
5376 TLS1_2_VERSION,
0fb2815b
MC		 5377 TLS1_3_VERSION,
5378 TLS1_3_VERSION,
a599574b
MC		 5379 TLS1_3_VERSION
5380 };
2197d1df
MC		 5381
5382#ifdef OPENSSL_NO_TLS1
5383 if (tst == 0)
5384 return 1;
5385#endif
5386#ifdef OPENSSL_NO_TLS1_1
5387 if (tst == 1)
5388 return 1;
5389#endif
4f6c7044
MC		 5390 if (is_fips && (tst == 0 || tst == 1))
5391 return 1;
2197d1df
MC		 5392#ifdef OPENSSL_NO_TLS1_2
5393 if (tst == 2)
5394 return 1;
5395#endif
5396#ifdef OPENSSL_NO_TLS1_3
0fb2815b 5397 if (tst >= 3)
2197d1df
MC		 5398 return 1;
5399#endif
5e30f2fd
MC		 5400 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5401 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5402 &sctx, &cctx, cert, privkey)))
2197d1df
MC		 5403 goto end;
5404
a599574b
MC		 5405 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5406 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5407 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
aba03ae5
KR		 5408 if ((protocols[tst] < TLS1_2_VERSION) &&
5409 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
5410 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
5411 goto end;
2197d1df
MC		 5412
5413 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
ea9f6890
TM		 5414 NULL)))
5415 goto end;
5416
5417 /*
5418 * Premature call of SSL_export_keying_material should just fail.
5419 */
5420 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5421 sizeof(ckeymat1), label,
5422 SMALL_LABEL_LEN + 1, context,
5423 sizeof(context) - 1, 1), 0))
5424 goto end;
5425
5426 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5427 SSL_ERROR_NONE)))
2197d1df
MC		 5428 goto end;
5429
0fb2815b
MC		 5430 if (tst == 5) {
5431 /*
5432 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5433 * go over that.
5434 */
5435 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5436 sizeof(ckeymat1), label,
5437 LONG_LABEL_LEN + 1, context,
5438 sizeof(context) - 1, 1), 0))
5439 goto end;
5440
5441 testresult = 1;
5442 goto end;
5443 } else if (tst == 4) {
5444 labellen = LONG_LABEL_LEN;
5445 } else {
5446 labellen = SMALL_LABEL_LEN;
5447 }
5448
2197d1df
MC		 5449 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5450 sizeof(ckeymat1), label,
0fb2815b 5451 labellen, context,
2197d1df
MC		 5452 sizeof(context) - 1, 1), 1)
5453 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5454 sizeof(ckeymat2), label,
0fb2815b 5455 labellen,
2197d1df
MC		 5456 emptycontext,
5457 0, 1), 1)
5458 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5459 sizeof(ckeymat3), label,
0fb2815b 5460 labellen,
2197d1df
MC		 5461 NULL, 0, 0), 1)
5462 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5463 sizeof(skeymat1), label,
0fb2815b 5464 labellen,
2197d1df
MC		 5465 context,
5466 sizeof(context) -1, 1),
5467 1)
5468 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5469 sizeof(skeymat2), label,
0fb2815b 5470 labellen,
2197d1df
MC		 5471 emptycontext,
5472 0, 1), 1)
5473 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5474 sizeof(skeymat3), label,
0fb2815b 5475 labellen,
2197d1df
MC		 5476 NULL, 0, 0), 1)
5477 /*
5478 * Check that both sides created the same key material with the
5479 * same context.
5480 */
5481 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5482 sizeof(skeymat1))
5483 /*
5484 * Check that both sides created the same key material with an
5485 * empty context.
5486 */
5487 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5488 sizeof(skeymat2))
5489 /*
5490 * Check that both sides created the same key material without a
5491 * context.
5492 */
5493 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5494 sizeof(skeymat3))
5495 /* Different contexts should produce different results */
5496 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5497 sizeof(ckeymat2)))
5498 goto end;
5499
5500 /*
5501 * Check that an empty context and no context produce different results in
5502 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5503 */
0fb2815b 5504 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
2197d1df 5505 sizeof(ckeymat3)))
0fb2815b
MC		 5506 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
5507 sizeof(ckeymat3))))
2197d1df
MC		 5508 goto end;
5509
5510 testresult = 1;
5511
5512 end:
5513 SSL_free(serverssl);
5514 SSL_free(clientssl);
5515 SSL_CTX_free(sctx2);
5516 SSL_CTX_free(sctx);
5517 SSL_CTX_free(cctx);
5518
5519 return testresult;
5520}
5521
b38ede80
TT		 5522#ifndef OPENSSL_NO_TLS1_3
5523/*
5524 * Test that SSL_export_keying_material_early() produces expected
5525 * results. There are no test vectors so all we do is test that both
5526 * sides of the communication produce the same results for different
5527 * protocol versions.
5528 */
5529static int test_export_key_mat_early(int idx)
5530{
5531 static const char label[] = "test label";
5532 static const unsigned char context[] = "context";
5533 int testresult = 0;
5534 SSL_CTX *cctx = NULL, *sctx = NULL;
5535 SSL *clientssl = NULL, *serverssl = NULL;
5536 SSL_SESSION *sess = NULL;
5537 const unsigned char *emptycontext = NULL;
5538 unsigned char ckeymat1[80], ckeymat2[80];
5539 unsigned char skeymat1[80], skeymat2[80];
5540 unsigned char buf[1];
5541 size_t readbytes, written;
5542
5543 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
5544 &sess, idx)))
5545 goto end;
5546
5547 /* Here writing 0 length early data is enough. */
5548 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
5549 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
5550 &readbytes),
5551 SSL_READ_EARLY_DATA_ERROR)
5552 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5553 SSL_EARLY_DATA_ACCEPTED))
5554 goto end;
5555
5556 if (!TEST_int_eq(SSL_export_keying_material_early(
5557 clientssl, ckeymat1, sizeof(ckeymat1), label,
5558 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5559 || !TEST_int_eq(SSL_export_keying_material_early(
5560 clientssl, ckeymat2, sizeof(ckeymat2), label,
5561 sizeof(label) - 1, emptycontext, 0), 1)
5562 || !TEST_int_eq(SSL_export_keying_material_early(
5563 serverssl, skeymat1, sizeof(skeymat1), label,
5564 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5565 || !TEST_int_eq(SSL_export_keying_material_early(
5566 serverssl, skeymat2, sizeof(skeymat2), label,
5567 sizeof(label) - 1, emptycontext, 0), 1)
5568 /*
5569 * Check that both sides created the same key material with the
5570 * same context.
5571 */
5572 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5573 sizeof(skeymat1))
5574 /*
5575 * Check that both sides created the same key material with an
5576 * empty context.
5577 */
5578 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5579 sizeof(skeymat2))
5580 /* Different contexts should produce different results */
5581 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5582 sizeof(ckeymat2)))
5583 goto end;
5584
5585 testresult = 1;
5586
5587 end:
c20e3b28 5588 SSL_SESSION_free(sess);
b38ede80
TT		 5589 SSL_SESSION_free(clientpsk);
5590 SSL_SESSION_free(serverpsk);
34ff74eb 5591 clientpsk = serverpsk = NULL;
b38ede80
TT		 5592 SSL_free(serverssl);
5593 SSL_free(clientssl);
5594 SSL_CTX_free(sctx);
5595 SSL_CTX_free(cctx);
5596
5597 return testresult;
5598}
3409a5ff
MC		 5599
5600#define NUM_KEY_UPDATE_MESSAGES 40
5601/*
5602 * Test KeyUpdate.
5603 */
5604static int test_key_update(void)
5605{
5606 SSL_CTX *cctx = NULL, *sctx = NULL;
5607 SSL *clientssl = NULL, *serverssl = NULL;
5608 int testresult = 0, i, j;
5609 char buf[20];
5610 static char *mess = "A test message";
5611
5e30f2fd 5612 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3409a5ff
MC		 5613 TLS_client_method(),
5614 TLS1_3_VERSION,
5615 0,
5616 &sctx, &cctx, cert, privkey))
5617 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5618 NULL, NULL))
5619 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5620 SSL_ERROR_NONE)))
5621 goto end;
5622
5623 for (j = 0; j < 2; j++) {
5624 /* Send lots of KeyUpdate messages */
5625 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
5626 if (!TEST_true(SSL_key_update(clientssl,
5627 (j == 0)
5628 ? SSL_KEY_UPDATE_NOT_REQUESTED
5629 : SSL_KEY_UPDATE_REQUESTED))
5630 || !TEST_true(SSL_do_handshake(clientssl)))
5631 goto end;
5632 }
5633
5634 /* Check that sending and receiving app data is ok */
5635 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
5636 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
5637 strlen(mess)))
5638 goto end;
a77b4dba
MC		 5639
5640 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
5641 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
5642 strlen(mess)))
5643 goto end;
3409a5ff
MC		 5644 }
5645
5646 testresult = 1;
5647
5648 end:
5649 SSL_free(serverssl);
5650 SSL_free(clientssl);
5651 SSL_CTX_free(sctx);
5652 SSL_CTX_free(cctx);
5653
5654 return testresult;
5655}
a77b4dba
MC		 5656
5657/*
5658 * Test we can handle a KeyUpdate (update requested) message while write data
5659 * is pending.
5660 * Test 0: Client sends KeyUpdate while Server is writing
5661 * Test 1: Server sends KeyUpdate while Client is writing
5662 */
5663static int test_key_update_in_write(int tst)
5664{
5665 SSL_CTX *cctx = NULL, *sctx = NULL;
5666 SSL *clientssl = NULL, *serverssl = NULL;
5667 int testresult = 0;
5668 char buf[20];
5669 static char *mess = "A test message";
5670 BIO *bretry = BIO_new(bio_s_always_retry());
5671 BIO *tmp = NULL;
5672 SSL *peerupdate = NULL, *peerwrite = NULL;
5673
5674 if (!TEST_ptr(bretry)
5e30f2fd 5675 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
a77b4dba
MC		 5676 TLS_client_method(),
5677 TLS1_3_VERSION,
5678 0,
5679 &sctx, &cctx, cert, privkey))
5680 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5681 NULL, NULL))
5682 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5683 SSL_ERROR_NONE)))
5684 goto end;
5685
5686 peerupdate = tst == 0 ? clientssl : serverssl;
5687 peerwrite = tst == 0 ? serverssl : clientssl;
5688
5689 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
5690 || !TEST_true(SSL_do_handshake(peerupdate)))
5691 goto end;
5692
5693 /* Swap the writing endpoint's write BIO to force a retry */
5694 tmp = SSL_get_wbio(peerwrite);
5695 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
5696 tmp = NULL;
5697 goto end;
5698 }
5699 SSL_set0_wbio(peerwrite, bretry);
5700 bretry = NULL;
5701
5702 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
5703 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
5704 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
5705 goto end;
5706
5707 /* Reinstate the original writing endpoint's write BIO */
5708 SSL_set0_wbio(peerwrite, tmp);
5709 tmp = NULL;
5710
5711 /* Now read some data - we will read the key update */
5712 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
5713 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
5714 goto end;
5715
5716 /*
5717 * Complete the write we started previously and read it from the other
5718 * endpoint
5719 */
5720 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5721 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5722 goto end;
5723
5724 /* Write more data to ensure we send the KeyUpdate message back */
5725 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5726 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5727 goto end;
5728
5729 testresult = 1;
5730
5731 end:
5732 SSL_free(serverssl);
5733 SSL_free(clientssl);
5734 SSL_CTX_free(sctx);
5735 SSL_CTX_free(cctx);
5736 BIO_free(bretry);
5737 BIO_free(tmp);
5738
5739 return testresult;
5740}
b38ede80
TT		 5741#endif /* OPENSSL_NO_TLS1_3 */
5742
e11b6aa4
MC		 5743static int test_ssl_clear(int idx)
5744{
5745 SSL_CTX *cctx = NULL, *sctx = NULL;
5746 SSL *clientssl = NULL, *serverssl = NULL;
5747 int testresult = 0;
5748
5749#ifdef OPENSSL_NO_TLS1_2
5750 if (idx == 1)
5751 return 1;
5752#endif
5753
5754 /* Create an initial connection */
5e30f2fd
MC		 5755 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5756 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5757 &sctx, &cctx, cert, privkey))
e11b6aa4
MC		 5758 || (idx == 1
5759 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5760 TLS1_2_VERSION)))
5761 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5762 &clientssl, NULL, NULL))
5763 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5764 SSL_ERROR_NONE)))
5765 goto end;
5766
5767 SSL_shutdown(clientssl);
5768 SSL_shutdown(serverssl);
5769 SSL_free(serverssl);
5770 serverssl = NULL;
5771
5772 /* Clear clientssl - we're going to reuse the object */
5773 if (!TEST_true(SSL_clear(clientssl)))
5774 goto end;
5775
5776 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5777 NULL, NULL))
5778 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5779 SSL_ERROR_NONE))
5780 || !TEST_true(SSL_session_reused(clientssl)))
5781 goto end;
5782
5783 SSL_shutdown(clientssl);
5784 SSL_shutdown(serverssl);
5785
5786 testresult = 1;
5787
5788 end:
5789 SSL_free(serverssl);
5790 SSL_free(clientssl);
5791 SSL_CTX_free(sctx);
5792 SSL_CTX_free(cctx);
5793
5794 return testresult;
5795}
5796
cf72c757
F		 5797/* Parse CH and retrieve any MFL extension value if present */
5798static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5799{
5800 long len;
5801 unsigned char *data;
72962d02 5802 PACKET pkt, pkt2, pkt3;
cf72c757
F		 5803 unsigned int MFL_code = 0, type = 0;
5804
5805 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5806 goto end;
5807
72962d02
P		 5808 memset(&pkt, 0, sizeof(pkt));
5809 memset(&pkt2, 0, sizeof(pkt2));
5810 memset(&pkt3, 0, sizeof(pkt3));
5811
cf72c757
F		 5812 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5813 /* Skip the record header */
5814 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5815 /* Skip the handshake message header */
5816 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5817 /* Skip client version and random */
5818 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5819 + SSL3_RANDOM_SIZE))
5820 /* Skip session id */
5821 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5822 /* Skip ciphers */
5823 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5824 /* Skip compression */
5825 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5826 /* Extensions len */
5827 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5828 goto end;
5829
5830 /* Loop through all extensions */
5831 while (PACKET_remaining(&pkt2)) {
5832 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5833 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5834 goto end;
5835
5836 if (type == TLSEXT_TYPE_max_fragment_length) {
5837 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5838 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5839 goto end;
5840
5841 *mfl_codemfl_code = MFL_code;
5842 return 1;
5843 }
5844 }
5845
5846 end:
5847 return 0;
5848}
5849
5850/* Maximum-Fragment-Length TLS extension mode to test */
5851static const unsigned char max_fragment_len_test[] = {
5852 TLSEXT_max_fragment_length_512,
5853 TLSEXT_max_fragment_length_1024,
5854 TLSEXT_max_fragment_length_2048,
5855 TLSEXT_max_fragment_length_4096
5856};
5857
5858static int test_max_fragment_len_ext(int idx_tst)
5859{
5860 SSL_CTX *ctx;
5861 SSL *con = NULL;
5862 int testresult = 0, MFL_mode = 0;
5863 BIO *rbio, *wbio;
5864
d8652be0 5865 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method());
cf72c757
F		 5866 if (!TEST_ptr(ctx))
5867 goto end;
5868
5869 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
5870 ctx, max_fragment_len_test[idx_tst])))
5871 goto end;
5872
5873 con = SSL_new(ctx);
5874 if (!TEST_ptr(con))
5875 goto end;
5876
5877 rbio = BIO_new(BIO_s_mem());
5878 wbio = BIO_new(BIO_s_mem());
5879 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
5880 BIO_free(rbio);
5881 BIO_free(wbio);
5882 goto end;
5883 }
5884
5885 SSL_set_bio(con, rbio, wbio);
5886 SSL_set_connect_state(con);
5887
5888 if (!TEST_int_le(SSL_connect(con), 0)) {
5889 /* This shouldn't succeed because we don't have a server! */
5890 goto end;
5891 }
5892
5893 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
5894 /* no MFL in client hello */
5895 goto end;
5896 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
5897 goto end;
5898
5899 testresult = 1;
5900
5901end:
5902 SSL_free(con);
5903 SSL_CTX_free(ctx);
5904
5905 return testresult;
5906}
5907
9d75dce3
TS		 5908#ifndef OPENSSL_NO_TLS1_3
5909static int test_pha_key_update(void)
5910{
5911 SSL_CTX *cctx = NULL, *sctx = NULL;
5912 SSL *clientssl = NULL, *serverssl = NULL;
5913 int testresult = 0;
5914
5e30f2fd
MC		 5915 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5916 TLS_client_method(), TLS1_VERSION, 0,
9d75dce3
TS		 5917 &sctx, &cctx, cert, privkey)))
5918 return 0;
5919
5920 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
5921 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
5922 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
5923 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
5924 goto end;
5925
e97be718 5926 SSL_CTX_set_post_handshake_auth(cctx, 1);
9d75dce3
TS		 5927
5928 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5929 NULL, NULL)))
5930 goto end;
5931
9d75dce3
TS		 5932 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5933 SSL_ERROR_NONE)))
5934 goto end;
5935
5936 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5937 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5938 goto end;
5939
5940 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
5941 goto end;
5942
5943 /* Start handshake on the server */
5944 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
5945 goto end;
5946
5947 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
5948 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5949 SSL_ERROR_NONE)))
5950 goto end;
5951
5952 SSL_shutdown(clientssl);
5953 SSL_shutdown(serverssl);
5954
5955 testresult = 1;
5956
5957 end:
5958 SSL_free(serverssl);
5959 SSL_free(clientssl);
5960 SSL_CTX_free(sctx);
5961 SSL_CTX_free(cctx);
5962 return testresult;
5963}
5964#endif
5965
76fd7a1d
MC		 5966#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5967
5968static SRP_VBASE *vbase = NULL;
5969
5970static int ssl_srp_cb(SSL *s, int *ad, void *arg)
5971{
5972 int ret = SSL3_AL_FATAL;
5973 char *username;
5974 SRP_user_pwd *user = NULL;
5975
5976 username = SSL_get_srp_username(s);
5977 if (username == NULL) {
5978 *ad = SSL_AD_INTERNAL_ERROR;
5979 goto err;
5980 }
5981
5982 user = SRP_VBASE_get1_by_user(vbase, username);
5983 if (user == NULL) {
5984 *ad = SSL_AD_INTERNAL_ERROR;
5985 goto err;
5986 }
5987
5988 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
5989 user->info) <= 0) {
5990 *ad = SSL_AD_INTERNAL_ERROR;
5991 goto err;
5992 }
5993
5994 ret = 0;
5995
5996 err:
5997 SRP_user_pwd_free(user);
5998 return ret;
5999}
6000
6001static int create_new_vfile(char *userid, char *password, const char *filename)
6002{
6003 char *gNid = NULL;
6004 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
6005 TXT_DB *db = NULL;
6006 int ret = 0;
6007 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
6008 size_t i;
6009
6010 if (!TEST_ptr(dummy) || !TEST_ptr(row))
6011 goto end;
6012
20c00d0a 6013 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
5e30f2fd 6014 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
76fd7a1d
MC		 6015 if (!TEST_ptr(gNid))
6016 goto end;
6017
6018 /*
6019 * The only way to create an empty TXT_DB is to provide a BIO with no data
6020 * in it!
6021 */
6022 db = TXT_DB_read(dummy, DB_NUMBER);
6023 if (!TEST_ptr(db))
6024 goto end;
6025
6026 out = BIO_new_file(filename, "w");
6027 if (!TEST_ptr(out))
6028 goto end;
6029
6030 row[DB_srpid] = OPENSSL_strdup(userid);
6031 row[DB_srptype] = OPENSSL_strdup("V");
6032 row[DB_srpgN] = OPENSSL_strdup(gNid);
6033
6034 if (!TEST_ptr(row[DB_srpid])
6035 || !TEST_ptr(row[DB_srptype])
6036 || !TEST_ptr(row[DB_srpgN])
6037 || !TEST_true(TXT_DB_insert(db, row)))
6038 goto end;
6039
6040 row = NULL;
6041
6042 if (!TXT_DB_write(out, db))
6043 goto end;
6044
6045 ret = 1;
6046 end:
6047 if (row != NULL) {
6048 for (i = 0; i < DB_NUMBER; i++)
6049 OPENSSL_free(row[i]);
6050 }
6051 OPENSSL_free(row);
6052 BIO_free(dummy);
6053 BIO_free(out);
6054 TXT_DB_free(db);
6055
6056 return ret;
6057}
6058
6059static int create_new_vbase(char *userid, char *password)
6060{
6061 BIGNUM *verifier = NULL, *salt = NULL;
6062 const SRP_gN *lgN = NULL;
6063 SRP_user_pwd *user_pwd = NULL;
6064 int ret = 0;
6065
6066 lgN = SRP_get_default_gN(NULL);
6067 if (!TEST_ptr(lgN))
6068 goto end;
6069
20c00d0a 6070 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
5e30f2fd 6071 lgN->N, lgN->g, libctx, NULL)))
76fd7a1d
MC		 6072 goto end;
6073
6074 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
6075 if (!TEST_ptr(user_pwd))
6076 goto end;
6077
6078 user_pwd->N = lgN->N;
6079 user_pwd->g = lgN->g;
6080 user_pwd->id = OPENSSL_strdup(userid);
6081 if (!TEST_ptr(user_pwd->id))
6082 goto end;
6083
6084 user_pwd->v = verifier;
6085 user_pwd->s = salt;
6086 verifier = salt = NULL;
6087
6088 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
6089 goto end;
6090 user_pwd = NULL;
6091
6092 ret = 1;
6093end:
6094 SRP_user_pwd_free(user_pwd);
6095 BN_free(salt);
6096 BN_free(verifier);
6097
6098 return ret;
6099}
6100
6101/*
6102 * SRP tests
6103 *
6104 * Test 0: Simple successful SRP connection, new vbase
6105 * Test 1: Connection failure due to bad password, new vbase
6106 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6107 * Test 3: Connection failure due to bad password, vbase loaded from existing
6108 * file
6109 * Test 4: Simple successful SRP connection, vbase loaded from new file
6110 * Test 5: Connection failure due to bad password, vbase loaded from new file
6111 */
6112static int test_srp(int tst)
6113{
6114 char *userid = "test", *password = "password", *tstsrpfile;
6115 SSL_CTX *cctx = NULL, *sctx = NULL;
6116 SSL *clientssl = NULL, *serverssl = NULL;
6117 int ret, testresult = 0;
6118
6119 vbase = SRP_VBASE_new(NULL);
6120 if (!TEST_ptr(vbase))
6121 goto end;
6122
6123 if (tst == 0 || tst == 1) {
6124 if (!TEST_true(create_new_vbase(userid, password)))
6125 goto end;
6126 } else {
6127 if (tst == 4 || tst == 5) {
6128 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
6129 goto end;
6130 tstsrpfile = tmpfilename;
6131 } else {
6132 tstsrpfile = srpvfile;
6133 }
6134 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
6135 goto end;
6136 }
6137
5e30f2fd
MC		 6138 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6139 TLS_client_method(), TLS1_VERSION, 0,
76fd7a1d
MC		 6140 &sctx, &cctx, cert, privkey)))
6141 goto end;
6142
6143 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
6144 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
6145 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
6146 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
6147 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
6148 goto end;
6149
6150 if (tst % 2 == 1) {
6151 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
6152 goto end;
6153 } else {
6154 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
6155 goto end;
6156 }
6157
6158 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6159 NULL, NULL)))
6160 goto end;
6161
6162 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6163 if (ret) {
6164 if (!TEST_true(tst % 2 == 0))
6165 goto end;
6166 } else {
6167 if (!TEST_true(tst % 2 == 1))
6168 goto end;
6169 }
6170
6171 testresult = 1;
6172
6173 end:
6174 SRP_VBASE_free(vbase);
6175 vbase = NULL;
6176 SSL_free(serverssl);
6177 SSL_free(clientssl);
6178 SSL_CTX_free(sctx);
6179 SSL_CTX_free(cctx);
6180
6181 return testresult;
6182}
6183#endif
6184
5718fe45
MC		 6185static int info_cb_failed = 0;
6186static int info_cb_offset = 0;
6187static int info_cb_this_state = -1;
6188
6189static struct info_cb_states_st {
6190 int where;
6191 const char *statestr;
6192} info_cb_states[][60] = {
6193 {
6194 /* TLSv1.2 server followed by resumption */
6195 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6196 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6197 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
6198 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
6199 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
6200 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6201 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6202 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6203 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
6204 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6205 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
6206 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6207 {SSL_CB_EXIT, NULL}, {0, NULL},
6208 }, {
6209 /* TLSv1.2 client followed by resumption */
6210 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6211 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6212 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
6213 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
6214 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
6215 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6216 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6217 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6218 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6219 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6220 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6221 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
6222 }, {
6223 /* TLSv1.3 server followed by resumption */
6224 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6225 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6226 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
6227 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
6228 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b
MC		 6229 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6230 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6231 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6232 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6233 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6234 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
6235 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6236 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 6237 }, {
6238 /* TLSv1.3 client followed by resumption */
6239 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6240 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6241 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
6242 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
6243 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4af5836b
MC		 6244 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6245 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
6246 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5718fe45
MC		 6247 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6248 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
6249 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6250 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6251 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4af5836b
MC		 6252 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
6253 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 6254 }, {
6255 /* TLSv1.3 server, early_data */
6256 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6257 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6258 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6259 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6260 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6261 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b 6262 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5718fe45
MC		 6263 {SSL_CB_EXIT, NULL}, {0, NULL},
6264 }, {
6265 /* TLSv1.3 client, early_data */
6266 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6267 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
6268 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6269 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6270 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6271 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
6272 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4af5836b
MC		 6273 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6274 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 6275 }, {
6276 {0, NULL},
6277 }
6278};
6279
6280static void sslapi_info_callback(const SSL *s, int where, int ret)
6281{
6282 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
6283
6284 /* We do not ever expect a connection to fail in this test */
6285 if (!TEST_false(ret == 0)) {
6286 info_cb_failed = 1;
6287 return;
6288 }
6289
6290 /*
6291 * Do some sanity checks. We never expect these things to happen in this
6292 * test
6293 */
6294 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
6295 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
6296 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
6297 info_cb_failed = 1;
6298 return;
6299 }
6300
6301 /* Now check we're in the right state */
6302 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
6303 info_cb_failed = 1;
6304 return;
6305 }
6306 if ((where & SSL_CB_LOOP) != 0
6307 && !TEST_int_eq(strcmp(SSL_state_string(s),
6308 state[info_cb_this_state].statestr), 0)) {
6309 info_cb_failed = 1;
6310 return;
6311 }
033c181b 6312
4af5836b
MC		 6313 /*
6314 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
6315 */
6316 if ((where & SSL_CB_HANDSHAKE_DONE)
6317 && SSL_in_init((SSL *)s) != 0) {
033c181b
MC		 6318 info_cb_failed = 1;
6319 return;
6320 }
5718fe45
MC		 6321}
6322
6323/*
6324 * Test the info callback gets called when we expect it to.
6325 *
6326 * Test 0: TLSv1.2, server
6327 * Test 1: TLSv1.2, client
6328 * Test 2: TLSv1.3, server
6329 * Test 3: TLSv1.3, client
6330 * Test 4: TLSv1.3, server, early_data
6331 * Test 5: TLSv1.3, client, early_data
6332 */
6333static int test_info_callback(int tst)
6334{
6335 SSL_CTX *cctx = NULL, *sctx = NULL;
6336 SSL *clientssl = NULL, *serverssl = NULL;
6337 SSL_SESSION *clntsess = NULL;
6338 int testresult = 0;
6339 int tlsvers;
6340
6341 if (tst < 2) {
1aac20f5
MC		 6342/* We need either ECDHE or DHE for the TLSv1.2 test to work */
6343#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
6344 || !defined(OPENSSL_NO_DH))
5718fe45
MC		 6345 tlsvers = TLS1_2_VERSION;
6346#else
6347 return 1;
6348#endif
6349 } else {
6350#ifndef OPENSSL_NO_TLS1_3
6351 tlsvers = TLS1_3_VERSION;
6352#else
6353 return 1;
6354#endif
6355 }
6356
6357 /* Reset globals */
6358 info_cb_failed = 0;
6359 info_cb_this_state = -1;
6360 info_cb_offset = tst;
6361
6e07834c 6362#ifndef OPENSSL_NO_TLS1_3
5718fe45
MC		 6363 if (tst >= 4) {
6364 SSL_SESSION *sess = NULL;
6365 size_t written, readbytes;
6366 unsigned char buf[80];
6367
6368 /* early_data tests */
6369 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
6370 &serverssl, &sess, 0)))
6371 goto end;
6372
6373 /* We don't actually need this reference */
6374 SSL_SESSION_free(sess);
6375
6376 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
6377 sslapi_info_callback);
6378
6379 /* Write and read some early data and then complete the connection */
6380 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
6381 &written))
6382 || !TEST_size_t_eq(written, strlen(MSG1))
6383 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
6384 sizeof(buf), &readbytes),
6385 SSL_READ_EARLY_DATA_SUCCESS)
6386 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
6387 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6388 SSL_EARLY_DATA_ACCEPTED)
6389 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6390 SSL_ERROR_NONE))
6391 || !TEST_false(info_cb_failed))
6392 goto end;
6393
6394 testresult = 1;
6395 goto end;
6396 }
6e07834c 6397#endif
5718fe45 6398
5e30f2fd 6399 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5718fe45
MC		 6400 TLS_client_method(),
6401 tlsvers, tlsvers, &sctx, &cctx, cert,
6402 privkey)))
6403 goto end;
6404
33c39a06
MC		 6405 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
6406 goto end;
6407
5718fe45
MC		 6408 /*
6409 * For even numbered tests we check the server callbacks. For odd numbers we
6410 * check the client.
6411 */
6412 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
6413 sslapi_info_callback);
6414
6415 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6416 &clientssl, NULL, NULL))
6417 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6418 SSL_ERROR_NONE))
6419 || !TEST_false(info_cb_failed))
6420 goto end;
6421
6422
6423
6424 clntsess = SSL_get1_session(clientssl);
6425 SSL_shutdown(clientssl);
6426 SSL_shutdown(serverssl);
6427 SSL_free(serverssl);
6428 SSL_free(clientssl);
6429 serverssl = clientssl = NULL;
6430
6431 /* Now do a resumption */
6432 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6433 NULL))
6434 || !TEST_true(SSL_set_session(clientssl, clntsess))
6435 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6436 SSL_ERROR_NONE))
6437 || !TEST_true(SSL_session_reused(clientssl))
6438 || !TEST_false(info_cb_failed))
6439 goto end;
6440
6441 testresult = 1;
6442
6443 end:
6444 SSL_free(serverssl);
6445 SSL_free(clientssl);
6446 SSL_SESSION_free(clntsess);
6447 SSL_CTX_free(sctx);
6448 SSL_CTX_free(cctx);
6449 return testresult;
6450}
6451
4a432af8
MC		 6452static int test_ssl_pending(int tst)
6453{
6454 SSL_CTX *cctx = NULL, *sctx = NULL;
6455 SSL *clientssl = NULL, *serverssl = NULL;
6456 int testresult = 0;
6457 char msg[] = "A test message";
6458 char buf[5];
6459 size_t written, readbytes;
6460
6461 if (tst == 0) {
5e30f2fd 6462 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4a432af8 6463 TLS_client_method(),
5c587fb6 6464 TLS1_VERSION, 0,
4a432af8
MC		 6465 &sctx, &cctx, cert, privkey)))
6466 goto end;
6467 } else {
6468#ifndef OPENSSL_NO_DTLS
5e30f2fd 6469 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
4a432af8 6470 DTLS_client_method(),
5c587fb6 6471 DTLS1_VERSION, 0,
4a432af8
MC		 6472 &sctx, &cctx, cert, privkey)))
6473 goto end;
6474#else
6475 return 1;
6476#endif
6477 }
6478
6479 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6480 NULL, NULL))
6481 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6482 SSL_ERROR_NONE)))
6483 goto end;
6484
e8251092
MC		 6485 if (!TEST_int_eq(SSL_pending(clientssl), 0)
6486 || !TEST_false(SSL_has_pending(clientssl))
6487 || !TEST_int_eq(SSL_pending(serverssl), 0)
6488 || !TEST_false(SSL_has_pending(serverssl))
6489 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4a432af8
MC		 6490 || !TEST_size_t_eq(written, sizeof(msg))
6491 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
6492 || !TEST_size_t_eq(readbytes, sizeof(buf))
e8251092
MC		 6493 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
6494 || !TEST_true(SSL_has_pending(clientssl)))
4a432af8
MC		 6495 goto end;
6496
6497 testresult = 1;
6498
6499 end:
6500 SSL_free(serverssl);
6501 SSL_free(clientssl);
6502 SSL_CTX_free(sctx);
6503 SSL_CTX_free(cctx);
6504
6505 return testresult;
6506}
6507
e401389a
MC		 6508static struct {
6509 unsigned int maxprot;
6510 const char *clntciphers;
6511 const char *clnttls13ciphers;
6512 const char *srvrciphers;
6513 const char *srvrtls13ciphers;
6514 const char *shared;
a96e6c34 6515 const char *fipsshared;
e401389a 6516} shared_ciphers_data[] = {
60155b9a
MC		 6517/*
6518 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
6519 * TLSv1.3 is enabled but TLSv1.2 is disabled.
6520 */
6521#if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
e401389a
MC		 6522 {
6523 TLS1_2_VERSION,
6524 "AES128-SHA:AES256-SHA",
6525 NULL,
6526 "AES256-SHA:DHE-RSA-AES128-SHA",
6527 NULL,
a96e6c34 6528 "AES256-SHA",
e401389a
MC		 6529 "AES256-SHA"
6530 },
a96e6c34
MC		 6531# if !defined(OPENSSL_NO_CHACHA) \
6532 && !defined(OPENSSL_NO_POLY1305) \
6533 && !defined(OPENSSL_NO_EC)
6534 {
6535 TLS1_2_VERSION,
6536 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6537 NULL,
6538 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6539 NULL,
6540 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6541 "AES128-SHA"
6542 },
6543# endif
e401389a
MC		 6544 {
6545 TLS1_2_VERSION,
6546 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
6547 NULL,
6548 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
6549 NULL,
a96e6c34 6550 "AES128-SHA:AES256-SHA",
e401389a
MC		 6551 "AES128-SHA:AES256-SHA"
6552 },
6553 {
6554 TLS1_2_VERSION,
6555 "AES128-SHA:AES256-SHA",
6556 NULL,
6557 "AES128-SHA:DHE-RSA-AES128-SHA",
6558 NULL,
a96e6c34 6559 "AES128-SHA",
e401389a
MC		 6560 "AES128-SHA"
6561 },
60155b9a
MC		 6562#endif
6563/*
6564 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
6565 * enabled.
6566 */
6567#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
6568 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e401389a
MC		 6569 {
6570 TLS1_3_VERSION,
6571 "AES128-SHA:AES256-SHA",
6572 NULL,
6573 "AES256-SHA:AES128-SHA256",
6574 NULL,
6575 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
a96e6c34
MC		 6576 "TLS_AES_128_GCM_SHA256:AES256-SHA",
6577 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
e401389a 6578 },
60155b9a
MC		 6579#endif
6580#ifndef OPENSSL_NO_TLS1_3
e401389a
MC		 6581 {
6582 TLS1_3_VERSION,
6583 "AES128-SHA",
6584 "TLS_AES_256_GCM_SHA384",
6585 "AES256-SHA",
6586 "TLS_AES_256_GCM_SHA384",
a96e6c34 6587 "TLS_AES_256_GCM_SHA384",
e401389a
MC		 6588 "TLS_AES_256_GCM_SHA384"
6589 },
6590#endif
6591};
6592
a96e6c34 6593static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
e401389a
MC		 6594{
6595 SSL_CTX *cctx = NULL, *sctx = NULL;
6596 SSL *clientssl = NULL, *serverssl = NULL;
6597 int testresult = 0;
6598 char buf[1024];
b4250010 6599 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
a96e6c34
MC		 6600
6601 if (!TEST_ptr(tmplibctx))
6602 goto end;
6603
6604 /*
6605 * Regardless of whether we're testing with the FIPS provider loaded into
6606 * libctx, we want one peer to always use the full set of ciphersuites
6607 * available. Therefore we use a separate libctx with the default provider
6608 * loaded into it. We run the same tests twice - once with the client side
6609 * having the full set of ciphersuites and once with the server side.
6610 */
6611 if (clnt) {
d8652be0 6612 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
a96e6c34
MC		 6613 if (!TEST_ptr(cctx))
6614 goto end;
6615 } else {
d8652be0 6616 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
a96e6c34
MC		 6617 if (!TEST_ptr(sctx))
6618 goto end;
6619 }
e401389a 6620
5e30f2fd 6621 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
e401389a
MC		 6622 TLS_client_method(),
6623 TLS1_VERSION,
6624 shared_ciphers_data[tst].maxprot,
6625 &sctx, &cctx, cert, privkey)))
6626 goto end;
6627
6628 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
6629 shared_ciphers_data[tst].clntciphers))
6630 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
6631 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
6632 shared_ciphers_data[tst].clnttls13ciphers)))
6633 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
6634 shared_ciphers_data[tst].srvrciphers))
6635 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
6636 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
6637 shared_ciphers_data[tst].srvrtls13ciphers))))
6638 goto end;
6639
6640
6641 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6642 NULL, NULL))
6643 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6644 SSL_ERROR_NONE)))
6645 goto end;
6646
6647 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
a96e6c34
MC		 6648 || !TEST_int_eq(strcmp(buf,
6649 is_fips
6650 ? shared_ciphers_data[tst].fipsshared
6651 : shared_ciphers_data[tst].shared),
6652 0)) {
e401389a
MC		 6653 TEST_info("Shared ciphers are: %s\n", buf);
6654 goto end;
6655 }
6656
6657 testresult = 1;
6658
6659 end:
6660 SSL_free(serverssl);
6661 SSL_free(clientssl);
6662 SSL_CTX_free(sctx);
6663 SSL_CTX_free(cctx);
b4250010 6664 OSSL_LIB_CTX_free(tmplibctx);
e401389a
MC		 6665
6666 return testresult;
6667}
6668
a96e6c34
MC		 6669static int test_ssl_get_shared_ciphers(int tst)
6670{
6671 return int_test_ssl_get_shared_ciphers(tst, 0)
6672 && int_test_ssl_get_shared_ciphers(tst, 1);
6673}
6674
6675
d0191fe0 6676static const char *appdata = "Hello World";
61fb5923
MC		 6677static int gen_tick_called, dec_tick_called, tick_key_cb_called;
6678static int tick_key_renew = 0;
6679static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
d0191fe0
MC		 6680
6681static int gen_tick_cb(SSL *s, void *arg)
6682{
6683 gen_tick_called = 1;
6684
6685 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
6686 strlen(appdata));
6687}
6688
6689static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
6690 const unsigned char *keyname,
6691 size_t keyname_length,
61fb5923
MC		 6692 SSL_TICKET_STATUS status,
6693 void *arg)
d0191fe0
MC		 6694{
6695 void *tickdata;
6696 size_t tickdlen;
6697
6698 dec_tick_called = 1;
6699
61fb5923
MC		 6700 if (status == SSL_TICKET_EMPTY)
6701 return SSL_TICKET_RETURN_IGNORE_RENEW;
d0191fe0 6702
61fb5923
MC		 6703 if (!TEST_true(status == SSL_TICKET_SUCCESS
6704 || status == SSL_TICKET_SUCCESS_RENEW))
6705 return SSL_TICKET_RETURN_ABORT;
6706
6707 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
6708 &tickdlen))
d0191fe0
MC		 6709 || !TEST_size_t_eq(tickdlen, strlen(appdata))
6710 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
61fb5923 6711 return SSL_TICKET_RETURN_ABORT;
d0191fe0 6712
61fb5923
MC		 6713 if (tick_key_cb_called) {
6714 /* Don't change what the ticket key callback wanted to do */
6715 switch (status) {
6716 case SSL_TICKET_NO_DECRYPT:
6717 return SSL_TICKET_RETURN_IGNORE_RENEW;
6718
6719 case SSL_TICKET_SUCCESS:
6720 return SSL_TICKET_RETURN_USE;
d0191fe0 6721
61fb5923
MC		 6722 case SSL_TICKET_SUCCESS_RENEW:
6723 return SSL_TICKET_RETURN_USE_RENEW;
6724
6725 default:
6726 return SSL_TICKET_RETURN_ABORT;
6727 }
6728 }
6729 return tick_dec_ret;
6730
6731}
d0191fe0 6732
a76ce286 6733#ifndef OPENSSL_NO_DEPRECATED_3_0
d0191fe0
MC		 6734static int tick_key_cb(SSL *s, unsigned char key_name[16],
6735 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
6736 HMAC_CTX *hctx, int enc)
6737{
6738 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6739 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
5e30f2fd
MC		 6740 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6741 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
6742 int ret;
d0191fe0 6743
61fb5923 6744 tick_key_cb_called = 1;
d0191fe0
MC		 6745 memset(iv, 0, AES_BLOCK_SIZE);
6746 memset(key_name, 0, 16);
5e30f2fd
MC		 6747 if (aes128cbc == NULL
6748 || sha256 == NULL
6749 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6750 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
6751 NULL))
6752 ret = -1;
6753 else
6754 ret = tick_key_renew ? 2 : 1;
d0191fe0 6755
5e30f2fd
MC		 6756 EVP_CIPHER_free(aes128cbc);
6757 EVP_MD_free(sha256);
6758
6759 return ret;
d0191fe0 6760}
a76ce286
P		 6761#endif
6762
6763static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
6764 unsigned char iv[EVP_MAX_IV_LENGTH],
6765 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
6766{
6767 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6768 unsigned char tick_hmac_key[16] = "0123456789abcdef";
6769 OSSL_PARAM params[3];
5e30f2fd
MC		 6770 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6771 int ret;
a76ce286
P		 6772
6773 tick_key_cb_called = 1;
6774 memset(iv, 0, AES_BLOCK_SIZE);
6775 memset(key_name, 0, 16);
6776 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
6777 "SHA256", 0);
6778 params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
6779 tick_hmac_key,
6780 sizeof(tick_hmac_key));
6781 params[2] = OSSL_PARAM_construct_end();
5e30f2fd
MC		 6782 if (aes128cbc == NULL
6783 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
865adf97 6784 || !EVP_MAC_CTX_set_params(hctx, params)
a76ce286 6785 || !EVP_MAC_init(hctx))
5e30f2fd
MC		 6786 ret = -1;
6787 else
6788 ret = tick_key_renew ? 2 : 1;
6789
6790 EVP_CIPHER_free(aes128cbc);
a76ce286 6791
5e30f2fd 6792 return ret;
a76ce286 6793}
d0191fe0
MC		 6794
6795/*
6796 * Test the various ticket callbacks
61fb5923
MC		 6797 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
6798 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
6799 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
6800 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
6801 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
6802 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
6803 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
6804 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
a76ce286
P		 6805 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
6806 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
6807 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
6808 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
6809 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
6810 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
6811 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
6812 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
d0191fe0
MC		 6813 */
6814static int test_ticket_callbacks(int tst)
6815{
6816 SSL_CTX *cctx = NULL, *sctx = NULL;
6817 SSL *clientssl = NULL, *serverssl = NULL;
6818 SSL_SESSION *clntsess = NULL;
6819 int testresult = 0;
6820
6821#ifdef OPENSSL_NO_TLS1_2
ba8b48e9 6822 if (tst % 2 == 0)
d0191fe0
MC		 6823 return 1;
6824#endif
6825#ifdef OPENSSL_NO_TLS1_3
ba8b48e9 6826 if (tst % 2 == 1)
d0191fe0
MC		 6827 return 1;
6828#endif
a76ce286
P		 6829#ifdef OPENSSL_NO_DEPRECATED_3_0
6830 if (tst >= 8 && tst <= 11)
6831 return 1;
6832#endif
d0191fe0 6833
61fb5923 6834 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
d0191fe0
MC		 6835
6836 /* Which tests the ticket key callback should request renewal for */
a76ce286 6837 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
61fb5923 6838 tick_key_renew = 1;
d0191fe0 6839 else
61fb5923
MC		 6840 tick_key_renew = 0;
6841
6842 /* Which tests the decrypt ticket callback should request renewal for */
6843 switch (tst) {
6844 case 0:
6845 case 1:
6846 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6847 break;
6848
6849 case 2:
6850 case 3:
6851 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
6852 break;
6853
6854 case 4:
6855 case 5:
6856 tick_dec_ret = SSL_TICKET_RETURN_USE;
6857 break;
6858
6859 case 6:
6860 case 7:
6861 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
6862 break;
6863
6864 default:
6865 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6866 }
d0191fe0 6867
5e30f2fd 6868 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
d0191fe0
MC		 6869 TLS_client_method(),
6870 TLS1_VERSION,
61fb5923
MC		 6871 ((tst % 2) == 0) ? TLS1_2_VERSION
6872 : TLS1_3_VERSION,
d0191fe0
MC		 6873 &sctx, &cctx, cert, privkey)))
6874 goto end;
6875
61fb5923
MC		 6876 /*
6877 * We only want sessions to resume from tickets - not the session cache. So
6878 * switch the cache off.
6879 */
6880 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
6881 goto end;
6882
d0191fe0
MC		 6883 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
6884 NULL)))
6885 goto end;
6886
a76ce286
P		 6887 if (tst >= 12) {
6888 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
6889 goto end;
6890#ifndef OPENSSL_NO_DEPRECATED_3_0
6891 } else if (tst >= 8) {
6892 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
6893 goto end;
6894#endif
6895 }
d0191fe0
MC		 6896
6897 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6898 NULL, NULL))
6899 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6900 SSL_ERROR_NONE)))
6901 goto end;
6902
61fb5923
MC		 6903 /*
6904 * The decrypt ticket key callback in TLSv1.2 should be called even though
6905 * we have no ticket yet, because it gets called with a status of
6906 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
6907 * actually send any ticket data). This does not happen in TLSv1.3 because
6908 * it is not valid to send empty ticket data in TLSv1.3.
6909 */
d0191fe0 6910 if (!TEST_int_eq(gen_tick_called, 1)
61fb5923 6911 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
d0191fe0
MC		 6912 goto end;
6913
6914 gen_tick_called = dec_tick_called = 0;
6915
6916 clntsess = SSL_get1_session(clientssl);
6917 SSL_shutdown(clientssl);
6918 SSL_shutdown(serverssl);
6919 SSL_free(serverssl);
6920 SSL_free(clientssl);
6921 serverssl = clientssl = NULL;
6922
6923 /* Now do a resumption */
6924 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6925 NULL))
6926 || !TEST_true(SSL_set_session(clientssl, clntsess))
6927 || !TEST_true(create_ssl_connection(serverssl, clientssl,
61fb5923 6928 SSL_ERROR_NONE)))
d0191fe0
MC		 6929 goto end;
6930
61fb5923
MC		 6931 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
6932 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
6933 if (!TEST_false(SSL_session_reused(clientssl)))
6934 goto end;
6935 } else {
6936 if (!TEST_true(SSL_session_reused(clientssl)))
6937 goto end;
6938 }
6939
d0191fe0 6940 if (!TEST_int_eq(gen_tick_called,
61fb5923
MC		 6941 (tick_key_renew
6942 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
6943 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
6944 ? 1 : 0)
d0191fe0
MC		 6945 || !TEST_int_eq(dec_tick_called, 1))
6946 goto end;
6947
6948 testresult = 1;
6949
6950 end:
6951 SSL_SESSION_free(clntsess);
6952 SSL_free(serverssl);
6953 SSL_free(clientssl);
6954 SSL_CTX_free(sctx);
6955 SSL_CTX_free(cctx);
6956
6957 return testresult;
6958}
6959
e638112e
DB		 6960/*
6961 * Test incorrect shutdown.
6962 * Test 0: client does not shutdown properly,
6963 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
6964 * server should get SSL_ERROR_SSL
6965 * Test 1: client does not shutdown properly,
6966 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
6967 * server should get SSL_ERROR_ZERO_RETURN
6968 */
6969static int test_incorrect_shutdown(int tst)
6970{
6971 SSL_CTX *cctx = NULL, *sctx = NULL;
6972 SSL *clientssl = NULL, *serverssl = NULL;
6973 int testresult = 0;
6974 char buf[80];
6975 BIO *c2s;
6976
6977 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6978 TLS_client_method(), 0, 0,
6979 &sctx, &cctx, cert, privkey)))
6980 goto end;
6981
6982 if (tst == 1)
6983 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
6984
6985 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6986 NULL, NULL)))
6987 goto end;
6988
6989 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6990 SSL_ERROR_NONE)))
6991 goto end;
6992
6993 c2s = SSL_get_rbio(serverssl);
6994 BIO_set_mem_eof_return(c2s, 0);
6995
6996 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
6997 goto end;
6998
6999 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
7000 goto end;
7001 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
7002 goto end;
7003
7004 testresult = 1;
7005
7006 end:
7007 SSL_free(serverssl);
7008 SSL_free(clientssl);
7009 SSL_CTX_free(sctx);
7010 SSL_CTX_free(cctx);
7011
7012 return testresult;
7013}
7014
c748834f
MC		 7015/*
7016 * Test bi-directional shutdown.
7017 * Test 0: TLSv1.2
7018 * Test 1: TLSv1.2, server continues to read/write after client shutdown
7019 * Test 2: TLSv1.3, no pending NewSessionTicket messages
7020 * Test 3: TLSv1.3, pending NewSessionTicket messages
80eff008
KR		 7021 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
7022 * sends key update, client reads it
57d7b988
MC		 7023 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
7024 * sends CertificateRequest, client reads and ignores it
7025 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
c748834f
MC		 7026 * doesn't read it
7027 */
7028static int test_shutdown(int tst)
7029{
7030 SSL_CTX *cctx = NULL, *sctx = NULL;
7031 SSL *clientssl = NULL, *serverssl = NULL;
7032 int testresult = 0;
7033 char msg[] = "A test message";
7034 char buf[80];
7035 size_t written, readbytes;
80eff008 7036 SSL_SESSION *sess;
c748834f
MC		 7037
7038#ifdef OPENSSL_NO_TLS1_2
a97d19f7 7039 if (tst <= 1)
c748834f
MC		 7040 return 1;
7041#endif
7042#ifdef OPENSSL_NO_TLS1_3
a97d19f7 7043 if (tst >= 2)
c748834f
MC		 7044 return 1;
7045#endif
7046
5e30f2fd 7047 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
c748834f
MC		 7048 TLS_client_method(),
7049 TLS1_VERSION,
7050 (tst <= 1) ? TLS1_2_VERSION
7051 : TLS1_3_VERSION,
57d7b988
MC		 7052 &sctx, &cctx, cert, privkey)))
7053 goto end;
7054
7055 if (tst == 5)
7056 SSL_CTX_set_post_handshake_auth(cctx, 1);
7057
7058 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
c748834f
MC		 7059 NULL, NULL)))
7060 goto end;
7061
7062 if (tst == 3) {
7063 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
80c455d5 7064 SSL_ERROR_NONE, 1))
80eff008
KR		 7065 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7066 || !TEST_false(SSL_SESSION_is_resumable(sess)))
c748834f
MC		 7067 goto end;
7068 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
80eff008
KR		 7069 SSL_ERROR_NONE))
7070 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7071 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
c748834f
MC		 7072 goto end;
7073 }
7074
7075 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
7076 goto end;
7077
7078 if (tst >= 4) {
7079 /*
7080 * Reading on the server after the client has sent close_notify should
7081 * fail and provide SSL_ERROR_ZERO_RETURN
7082 */
7083 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
7084 || !TEST_int_eq(SSL_get_error(serverssl, 0),
7085 SSL_ERROR_ZERO_RETURN)
7086 || !TEST_int_eq(SSL_get_shutdown(serverssl),
7087 SSL_RECEIVED_SHUTDOWN)
7088 /*
7089 * Even though we're shutdown on receive we should still be
7090 * able to write.
7091 */
80eff008
KR		 7092 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7093 goto end;
57d7b988
MC		 7094 if (tst == 4
7095 && !TEST_true(SSL_key_update(serverssl,
7096 SSL_KEY_UPDATE_REQUESTED)))
7097 goto end;
7098 if (tst == 5) {
7099 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7100 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7101 goto end;
7102 }
7103 if ((tst == 4 || tst == 5)
7104 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
80eff008
KR		 7105 goto end;
7106 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
c748834f 7107 goto end;
57d7b988 7108 if (tst == 4 || tst == 5) {
80eff008 7109 /* Should still be able to read data from server */
c748834f 7110 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
80eff008
KR		 7111 &readbytes))
7112 || !TEST_size_t_eq(readbytes, sizeof(msg))
7113 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
7114 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7115 &readbytes))
c748834f
MC		 7116 || !TEST_size_t_eq(readbytes, sizeof(msg))
7117 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
7118 goto end;
7119 }
7120 }
7121
7122 /* Writing on the client after sending close_notify shouldn't be possible */
ba709049 7123 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
c748834f
MC		 7124 goto end;
7125
7126 if (tst < 4) {
7127 /*
7128 * For these tests the client has sent close_notify but it has not yet
7129 * been received by the server. The server has not sent close_notify
7130 * yet.
7131 */
7132 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
ba709049
MC		 7133 /*
7134 * Writing on the server after sending close_notify shouldn't
7135 * be possible.
7136 */
7137 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
c748834f 7138 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
80eff008
KR		 7139 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7140 || !TEST_true(SSL_SESSION_is_resumable(sess))
c748834f
MC		 7141 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
7142 goto end;
57d7b988 7143 } else if (tst == 4 || tst == 5) {
c748834f
MC		 7144 /*
7145 * In this test the client has sent close_notify and it has been
7146 * received by the server which has responded with a close_notify. The
358ffa05 7147 * client needs to read the close_notify sent by the server.
c748834f 7148 */
80eff008
KR		 7149 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
7150 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7151 || !TEST_true(SSL_SESSION_is_resumable(sess)))
c748834f 7152 goto end;
358ffa05
MC		 7153 } else {
7154 /*
57d7b988 7155 * tst == 6
358ffa05
MC		 7156 *
7157 * The client has sent close_notify and is expecting a close_notify
7158 * back, but instead there is application data first. The shutdown
7159 * should fail with a fatal error.
7160 */
7161 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
7162 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
7163 goto end;
c748834f
MC		 7164 }
7165
7166 testresult = 1;
7167
7168 end:
7169 SSL_free(serverssl);
7170 SSL_free(clientssl);
7171 SSL_CTX_free(sctx);
7172 SSL_CTX_free(cctx);
7173
7174 return testresult;
7175}
7176
7f1d923a 7177#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
cd6fe29f
MC		 7178static int cert_cb_cnt;
7179
7180static int cert_cb(SSL *s, void *arg)
7181{
7182 SSL_CTX *ctx = (SSL_CTX *)arg;
7cb8fb07
BK		 7183 BIO *in = NULL;
7184 EVP_PKEY *pkey = NULL;
1a2a3a42
MC		 7185 X509 *x509 = NULL, *rootx = NULL;
7186 STACK_OF(X509) *chain = NULL;
7187 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
7188 int ret = 0;
cd6fe29f
MC		 7189
7190 if (cert_cb_cnt == 0) {
7191 /* Suspend the handshake */
7192 cert_cb_cnt++;
7193 return -1;
7194 } else if (cert_cb_cnt == 1) {
7195 /*
7196 * Update the SSL_CTX, set the certificate and private key and then
7197 * continue the handshake normally.
7198 */
7199 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
7200 return 0;
7201
7202 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
7203 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
7204 SSL_FILETYPE_PEM))
7205 || !TEST_true(SSL_check_private_key(s)))
7206 return 0;
7207 cert_cb_cnt++;
7208 return 1;
7cb8fb07
BK		 7209 } else if (cert_cb_cnt == 3) {
7210 int rv;
1a2a3a42
MC		 7211
7212 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
7213 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
7214 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
7215 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
7216 goto out;
7217 chain = sk_X509_new_null();
7218 if (!TEST_ptr(chain))
7219 goto out;
7cb8fb07 7220 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
1a2a3a42 7221 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
d8652be0 7222 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
6725682d 7223 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
1a2a3a42
MC		 7224 || !TEST_true(sk_X509_push(chain, rootx)))
7225 goto out;
7226 rootx = NULL;
7227 BIO_free(in);
7228 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7229 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
d8652be0 7230 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
6725682d 7231 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
7cb8fb07
BK		 7232 goto out;
7233 BIO_free(in);
7234 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
1a2a3a42 7235 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
5f2b7db0
RL		 7236 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
7237 NULL, NULL,
7238 libctx, NULL)))
7cb8fb07 7239 goto out;
1a2a3a42 7240 rv = SSL_check_chain(s, x509, pkey, chain);
7cb8fb07
BK		 7241 /*
7242 * If the cert doesn't show as valid here (e.g., because we don't
7243 * have any shared sigalgs), then we will not set it, and there will
7244 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
7245 * will cause tls_choose_sigalgs() to fail the connection.
7246 */
1a2a3a42
MC		 7247 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
7248 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7cb8fb07
BK		 7249 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
7250 goto out;
7251 }
1a2a3a42
MC		 7252
7253 ret = 1;
cd6fe29f
MC		 7254 }
7255
7256 /* Abort the handshake */
7cb8fb07 7257 out:
1a2a3a42
MC		 7258 OPENSSL_free(ecdsacert);
7259 OPENSSL_free(ecdsakey);
7260 OPENSSL_free(rootfile);
7cb8fb07
BK		 7261 BIO_free(in);
7262 EVP_PKEY_free(pkey);
7263 X509_free(x509);
1a2a3a42
MC		 7264 X509_free(rootx);
7265 sk_X509_pop_free(chain, X509_free);
7266 return ret;
cd6fe29f
MC		 7267}
7268
7269/*
7270 * Test the certificate callback.
7271 * Test 0: Callback fails
7272 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
7273 * Test 2: Success - SSL_set_SSL_CTX() in the callback
1a2a3a42
MC		 7274 * Test 3: Success - Call SSL_check_chain from the callback
7275 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
7276 * chain
7277 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
cd6fe29f
MC		 7278 */
7279static int test_cert_cb_int(int prot, int tst)
7280{
7281 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
7282 SSL *clientssl = NULL, *serverssl = NULL;
7283 int testresult = 0, ret;
7284
1a2a3a42
MC		 7285#ifdef OPENSSL_NO_EC
7286 /* We use an EC cert in these tests, so we skip in a no-ec build */
7287 if (tst >= 3)
7288 return 1;
7289#endif
7290
5e30f2fd 7291 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
cd6fe29f
MC		 7292 TLS_client_method(),
7293 TLS1_VERSION,
7294 prot,
7295 &sctx, &cctx, NULL, NULL)))
7296 goto end;
7297
7298 if (tst == 0)
7299 cert_cb_cnt = -1;
1a2a3a42 7300 else if (tst >= 3)
7cb8fb07 7301 cert_cb_cnt = 3;
cd6fe29f
MC		 7302 else
7303 cert_cb_cnt = 0;
1a2a3a42 7304
cd6fe29f
MC		 7305 if (tst == 2)
7306 snictx = SSL_CTX_new(TLS_server_method());
7307 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
7308
7309 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7310 NULL, NULL)))
7311 goto end;
7312
1a2a3a42
MC		 7313 if (tst == 4) {
7314 /*
7315 * We cause SSL_check_chain() to fail by specifying sig_algs that
7316 * the chain doesn't meet (the root uses an RSA cert)
7317 */
7318 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7319 "ecdsa_secp256r1_sha256")))
7320 goto end;
7321 } else if (tst == 5) {
7322 /*
7323 * We cause SSL_check_chain() to fail by specifying sig_algs that
7324 * the ee cert doesn't meet (the ee uses an ECDSA cert)
7325 */
7326 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7327 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
7328 goto end;
7329 }
7330
cd6fe29f 7331 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
1a2a3a42 7332 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7cb8fb07
BK		 7333 || (tst > 0
7334 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
cd6fe29f
MC		 7335 goto end;
7336 }
7337
7338 testresult = 1;
7339
7340 end:
7341 SSL_free(serverssl);
7342 SSL_free(clientssl);
7343 SSL_CTX_free(sctx);
7344 SSL_CTX_free(cctx);
7345 SSL_CTX_free(snictx);
7346
7347 return testresult;
7348}
7f1d923a 7349#endif
cd6fe29f
MC		 7350
7351static int test_cert_cb(int tst)
7352{
7353 int testresult = 1;
7354
7355#ifndef OPENSSL_NO_TLS1_2
7356 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
7357#endif
7f1d923a 7358#ifndef OPENSSL_NO_TLS1_3
cd6fe29f
MC		 7359 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
7360#endif
7361
7362 return testresult;
7363}
7364
6e46c065
MC		 7365static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
7366{
8c2bfd25 7367 X509 *xcert;
6e46c065
MC		 7368 EVP_PKEY *privpkey;
7369 BIO *in = NULL;
6725682d 7370 BIO *priv_in = NULL;
6e46c065 7371
8c2bfd25
TS		 7372 /* Check that SSL_get0_peer_certificate() returns something sensible */
7373 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
6e46c065 7374 return 0;
6e46c065
MC		 7375
7376 in = BIO_new_file(cert, "r");
7377 if (!TEST_ptr(in))
7378 return 0;
7379
d8652be0 7380 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
6725682d
SL		 7381 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
7382 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
5f2b7db0
RL		 7383 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
7384 NULL, NULL,
7385 libctx, NULL)))
6725682d 7386 goto err;
6e46c065
MC		 7387
7388 *x509 = xcert;
7389 *pkey = privpkey;
7390
6725682d
SL		 7391 BIO_free(in);
7392 BIO_free(priv_in);
6e46c065 7393 return 1;
6725682d
SL		 7394err:
7395 X509_free(xcert);
7396 BIO_free(in);
7397 BIO_free(priv_in);
7398 return 0;
6e46c065
MC		 7399}
7400
7401static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
7402{
7403 return 1;
7404}
7405
7406static int test_client_cert_cb(int tst)
7407{
7408 SSL_CTX *cctx = NULL, *sctx = NULL;
7409 SSL *clientssl = NULL, *serverssl = NULL;
7410 int testresult = 0;
7411
7412#ifdef OPENSSL_NO_TLS1_2
7413 if (tst == 0)
7414 return 1;
7415#endif
7416#ifdef OPENSSL_NO_TLS1_3
7417 if (tst == 1)
7418 return 1;
7419#endif
7420
5e30f2fd 7421 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6e46c065
MC		 7422 TLS_client_method(),
7423 TLS1_VERSION,
7424 tst == 0 ? TLS1_2_VERSION
7425 : TLS1_3_VERSION,
7426 &sctx, &cctx, cert, privkey)))
7427 goto end;
7428
7429 /*
7430 * Test that setting a client_cert_cb results in a client certificate being
7431 * sent.
7432 */
7433 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
7434 SSL_CTX_set_verify(sctx,
7435 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
7436 verify_cb);
fb8c8359
MC		 7437
7438 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7439 NULL, NULL))
7440 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7441 SSL_ERROR_NONE)))
7442 goto end;
7443
7444 testresult = 1;
7445
7446 end:
7447 SSL_free(serverssl);
7448 SSL_free(clientssl);
7449 SSL_CTX_free(sctx);
7450 SSL_CTX_free(cctx);
7451
7452 return testresult;
7453}
7454
7455#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
7456/*
7457 * Test setting certificate authorities on both client and server.
7458 *
7459 * Test 0: SSL_CTX_set0_CA_list() only
7460 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
7461 * Test 2: Only SSL_CTX_set_client_CA_list()
7462 */
7463static int test_ca_names_int(int prot, int tst)
7464{
7465 SSL_CTX *cctx = NULL, *sctx = NULL;
7466 SSL *clientssl = NULL, *serverssl = NULL;
7467 int testresult = 0;
7468 size_t i;
7469 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
7470 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
7471 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
7472 const STACK_OF(X509_NAME) *sktmp = NULL;
7473
7474 for (i = 0; i < OSSL_NELEM(name); i++) {
7475 name[i] = X509_NAME_new();
7476 if (!TEST_ptr(name[i])
7477 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
7478 MBSTRING_ASC,
7479 (unsigned char *)
7480 strnames[i],
7481 -1, -1, 0)))
7482 goto end;
7483 }
7484
5e30f2fd 7485 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fb8c8359
MC		 7486 TLS_client_method(),
7487 TLS1_VERSION,
7488 prot,
7489 &sctx, &cctx, cert, privkey)))
7490 goto end;
7491
7492 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
7493
7494 if (tst == 0 || tst == 1) {
7495 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7496 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
7497 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
7498 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7499 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
7500 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
7501 goto end;
7502
7503 SSL_CTX_set0_CA_list(sctx, sk1);
7504 SSL_CTX_set0_CA_list(cctx, sk2);
7505 sk1 = sk2 = NULL;
7506 }
7507 if (tst == 1 || tst == 2) {
7508 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7509 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
7510 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
7511 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7512 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
7513 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
7514 goto end;
7515
7516 SSL_CTX_set_client_CA_list(sctx, sk1);
7517 SSL_CTX_set_client_CA_list(cctx, sk2);
7518 sk1 = sk2 = NULL;
7519 }
7520
6e46c065
MC		 7521 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7522 NULL, NULL))
7523 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7524 SSL_ERROR_NONE)))
7525 goto end;
7526
fb8c8359
MC		 7527 /*
7528 * We only expect certificate authorities to have been sent to the server
7529 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
7530 */
7531 sktmp = SSL_get0_peer_CA_list(serverssl);
7532 if (prot == TLS1_3_VERSION
7533 && (tst == 0 || tst == 1)) {
7534 if (!TEST_ptr(sktmp)
7535 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7536 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7537 name[0]), 0)
7538 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7539 name[1]), 0))
7540 goto end;
7541 } else if (!TEST_ptr_null(sktmp)) {
7542 goto end;
7543 }
7544
7545 /*
7546 * In all tests we expect certificate authorities to have been sent to the
7547 * client. However, SSL_set_client_CA_list() should override
7548 * SSL_set0_CA_list()
7549 */
7550 sktmp = SSL_get0_peer_CA_list(clientssl);
7551 if (!TEST_ptr(sktmp)
7552 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7553 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7554 name[tst == 0 ? 0 : 2]), 0)
7555 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7556 name[tst == 0 ? 1 : 3]), 0))
7557 goto end;
7558
6e46c065
MC		 7559 testresult = 1;
7560
7561 end:
7562 SSL_free(serverssl);
7563 SSL_free(clientssl);
7564 SSL_CTX_free(sctx);
7565 SSL_CTX_free(cctx);
fb8c8359
MC		 7566 for (i = 0; i < OSSL_NELEM(name); i++)
7567 X509_NAME_free(name[i]);
7568 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
7569 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
7570
7571 return testresult;
7572}
7573#endif
7574
7575static int test_ca_names(int tst)
7576{
7577 int testresult = 1;
7578
7579#ifndef OPENSSL_NO_TLS1_2
7580 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
7581#endif
7582#ifndef OPENSSL_NO_TLS1_3
7583 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
7584#endif
6e46c065
MC		 7585
7586 return testresult;
7587}
7588
0d2bfe52
SL		 7589#ifndef OPENSSL_NO_TLS1_2
7590static const char *multiblock_cipherlist_data[]=
7591{
7592 "AES128-SHA",
7593 "AES128-SHA256",
7594 "AES256-SHA",
7595 "AES256-SHA256",
7596};
7597
7598/* Reduce the fragment size - so the multiblock test buffer can be small */
7599# define MULTIBLOCK_FRAGSIZE 512
7600
7601static int test_multiblock_write(int test_index)
7602{
7603 static const char *fetchable_ciphers[]=
7604 {
7605 "AES-128-CBC-HMAC-SHA1",
7606 "AES-128-CBC-HMAC-SHA256",
7607 "AES-256-CBC-HMAC-SHA1",
7608 "AES-256-CBC-HMAC-SHA256"
7609 };
7610 const char *cipherlist = multiblock_cipherlist_data[test_index];
7611 const SSL_METHOD *smeth = TLS_server_method();
7612 const SSL_METHOD *cmeth = TLS_client_method();
7613 int min_version = TLS1_VERSION;
7614 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
7615 SSL_CTX *cctx = NULL, *sctx = NULL;
7616 SSL *clientssl = NULL, *serverssl = NULL;
7617 int testresult = 0;
7618
7619 /*
7620 * Choose a buffer large enough to perform a multi-block operation
7621 * i.e: write_len >= 4 * frag_size
7622 * 9 * is chosen so that multiple multiblocks are used + some leftover.
7623 */
7624 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
7625 unsigned char buf[sizeof(msg)], *p = buf;
7626 size_t readbytes, written, len;
7627 EVP_CIPHER *ciph = NULL;
7628
7629 /*
7630 * Check if the cipher exists before attempting to use it since it only has
7631 * a hardware specific implementation.
7632 */
7633 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
7634 if (ciph == NULL) {
7635 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
7636 return 1;
7637 }
7638 EVP_CIPHER_free(ciph);
7639
7640 /* Set up a buffer with some data that will be sent to the client */
7641 RAND_bytes(msg, sizeof(msg));
7642
5e30f2fd
MC		 7643 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
7644 max_version, &sctx, &cctx, cert,
7645 privkey)))
0d2bfe52
SL		 7646 goto end;
7647
7648 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
7649 goto end;
7650
7651 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7652 NULL, NULL)))
7653 goto end;
7654
7655 /* settings to force it to use AES-CBC-HMAC_SHA */
7656 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
7657 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
7658 goto end;
7659
7660 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7661 goto end;
7662
7663 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7664 || !TEST_size_t_eq(written, sizeof(msg)))
7665 goto end;
7666
7667 len = written;
7668 while (len > 0) {
7669 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
7670 goto end;
7671 p += readbytes;
7672 len -= readbytes;
7673 }
7674 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
7675 goto end;
7676
7677 testresult = 1;
7678end:
7679 SSL_free(serverssl);
7680 SSL_free(clientssl);
7681 SSL_CTX_free(sctx);
7682 SSL_CTX_free(cctx);
7683
7684 return testresult;
7685}
7686#endif /* OPENSSL_NO_TLS1_2 */
a43ce58f 7687
49ef3d07
MC		 7688/*
7689 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
7690 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
7691 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
7692 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
7693 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
7694 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
7695 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
7696 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
7697 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
7698 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
7699 */
7700static int test_servername(int tst)
7701{
7702 SSL_CTX *cctx = NULL, *sctx = NULL;
7703 SSL *clientssl = NULL, *serverssl = NULL;
7704 int testresult = 0;
7705 SSL_SESSION *sess = NULL;
7706 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
7707
7708#ifdef OPENSSL_NO_TLS1_2
7709 if (tst <= 4)
7710 return 1;
7711#endif
7712#ifdef OPENSSL_NO_TLS1_3
7713 if (tst >= 5)
7714 return 1;
7715#endif
7716
5e30f2fd 7717 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
49ef3d07
MC		 7718 TLS_client_method(),
7719 TLS1_VERSION,
7720 (tst <= 4) ? TLS1_2_VERSION
7721 : TLS1_3_VERSION,
7722 &sctx, &cctx, cert, privkey))
7723 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7724 NULL, NULL)))
7725 goto end;
7726
7727 if (tst != 1 && tst != 6) {
7728 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
7729 hostname_cb)))
7730 goto end;
7731 }
7732
7733 if (tst != 3 && tst != 8) {
7734 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7735 goto end;
7736 sexpectedhost = cexpectedhost = "goodhost";
7737 }
7738
7739 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7740 goto end;
7741
7742 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
7743 cexpectedhost)
7744 || !TEST_str_eq(SSL_get_servername(serverssl,
7745 TLSEXT_NAMETYPE_host_name),
7746 sexpectedhost))
7747 goto end;
7748
7749 /* Now repeat with a resumption handshake */
7750
7751 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
7752 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
7753 || !TEST_true(SSL_SESSION_is_resumable(sess))
7754 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
7755 goto end;
7756
7757 SSL_free(clientssl);
7758 SSL_free(serverssl);
7759 clientssl = serverssl = NULL;
7760
7761 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7762 NULL)))
7763 goto end;
7764
7765 if (!TEST_true(SSL_set_session(clientssl, sess)))
7766 goto end;
7767
7768 sexpectedhost = cexpectedhost = "goodhost";
7769 if (tst == 2 || tst == 7) {
7770 /* Set an inconsistent hostname */
7771 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
7772 goto end;
7773 /*
7774 * In TLSv1.2 we expect the hostname from the original handshake, in
7775 * TLSv1.3 we expect the hostname from this handshake
7776 */
7777 if (tst == 7)
7778 sexpectedhost = cexpectedhost = "altgoodhost";
7779
7780 if (!TEST_str_eq(SSL_get_servername(clientssl,
7781 TLSEXT_NAMETYPE_host_name),
7782 "altgoodhost"))
7783 goto end;
7784 } else if (tst == 4 || tst == 9) {
7785 /*
7786 * A TLSv1.3 session does not associate a session with a servername,
7787 * but a TLSv1.2 session does.
7788 */
7789 if (tst == 9)
7790 sexpectedhost = cexpectedhost = NULL;
7791
7792 if (!TEST_str_eq(SSL_get_servername(clientssl,
7793 TLSEXT_NAMETYPE_host_name),
7794 cexpectedhost))
7795 goto end;
7796 } else {
7797 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7798 goto end;
7799 /*
7800 * In a TLSv1.2 resumption where the hostname was not acknowledged
7801 * we expect the hostname on the server to be empty. On the client we
7802 * return what was requested in this case.
7803 *
7804 * Similarly if the client didn't set a hostname on an original TLSv1.2
7805 * session but is now, the server hostname will be empty, but the client
7806 * is as we set it.
7807 */
7808 if (tst == 1 || tst == 3)
7809 sexpectedhost = NULL;
7810
7811 if (!TEST_str_eq(SSL_get_servername(clientssl,
7812 TLSEXT_NAMETYPE_host_name),
7813 "goodhost"))
7814 goto end;
7815 }
7816
7817 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7818 goto end;
7819
7820 if (!TEST_true(SSL_session_reused(clientssl))
7821 || !TEST_true(SSL_session_reused(serverssl))
7822 || !TEST_str_eq(SSL_get_servername(clientssl,
7823 TLSEXT_NAMETYPE_host_name),
7824 cexpectedhost)
7825 || !TEST_str_eq(SSL_get_servername(serverssl,
7826 TLSEXT_NAMETYPE_host_name),
7827 sexpectedhost))
7828 goto end;
7829
7830 testresult = 1;
7831
7832 end:
7833 SSL_SESSION_free(sess);
7834 SSL_free(serverssl);
7835 SSL_free(clientssl);
7836 SSL_CTX_free(sctx);
7837 SSL_CTX_free(cctx);
7838
7839 return testresult;
7840}
7841
b1fdbc68
MC		 7842#if !defined(OPENSSL_NO_EC) \
7843 && (!defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b3842539
MC		 7844/*
7845 * Test that if signature algorithms are not available, then we do not offer or
7846 * accept them.
7847 * Test 0: Two RSA sig algs available: both RSA sig algs shared
7848 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
7849 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
7850 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
7851 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
7852 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
7853 */
7854static int test_sigalgs_available(int idx)
7855{
7856 SSL_CTX *cctx = NULL, *sctx = NULL;
7857 SSL *clientssl = NULL, *serverssl = NULL;
7858 int testresult = 0;
b4250010
DMSP		 7859 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
7860 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
b3842539
MC		 7861 OSSL_PROVIDER *filterprov = NULL;
7862 int sig, hash;
7863
7864 if (!TEST_ptr(tmpctx))
7865 goto end;
7866
7867 if (idx != 0 && idx != 3) {
7868 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
7869 filter_provider_init)))
7870 goto end;
7871
7872 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
7873 if (!TEST_ptr(filterprov))
7874 goto end;
7875
7876 if (idx < 3) {
7877 /*
7878 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
7879 * or accepted for the peer that uses this libctx. Note that libssl
7880 * *requires* SHA2-256 to be available so we cannot disable that. We
7881 * also need SHA1 for our certificate.
7882 */
7883 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
7884 "SHA2-256:SHA1")))
7885 goto end;
7886 } else {
7887 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
7888 "ECDSA"))
7889 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
7890 "EC:X25519:X448")))
7891 goto end;
7892 }
7893
7894 if (idx == 1 || idx == 4)
7895 clientctx = tmpctx;
7896 else
7897 serverctx = tmpctx;
7898 }
7899
d8652be0
MC		 7900 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
7901 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9d2d857f
MC		 7902 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
7903 goto end;
b3842539
MC		 7904
7905 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7906 TLS_client_method(),
7907 TLS1_VERSION,
7908 0,
7909 &sctx, &cctx, cert, privkey)))
7910 goto end;
7911
b1fdbc68
MC		 7912 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
7913 if (idx < 4) {
7914 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7915 "ECDHE-RSA-AES128-GCM-SHA256")))
7916 goto end;
7917 } else {
7918 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7919 "ECDHE-ECDSA-AES128-GCM-SHA256")))
7920 goto end;
7921 }
7922
b3842539
MC		 7923 if (idx < 3) {
7924 if (!SSL_CTX_set1_sigalgs_list(cctx,
7925 "rsa_pss_rsae_sha384"
7926 ":rsa_pss_rsae_sha256")
7927 || !SSL_CTX_set1_sigalgs_list(sctx,
7928 "rsa_pss_rsae_sha384"
7929 ":rsa_pss_rsae_sha256"))
7930 goto end;
7931 } else {
7932 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
7933 || !SSL_CTX_set1_sigalgs_list(sctx,
7934 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
7935 goto end;
7936 }
7937
7938 if (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
7939 SSL_FILETYPE_PEM), 1)
7940 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
7941 privkey2,
7942 SSL_FILETYPE_PEM), 1)
7943 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
7944 goto end;
7945
7946 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7947 NULL, NULL)))
7948 goto end;
7949
7950 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7951 goto end;
7952
7953 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
7954 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
7955 NULL, NULL),
7956 (idx == 0 || idx == 3) ? 2 : 1))
7957 goto end;
7958
7959 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
7960 goto end;
7961
7962 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
7963 : NID_rsassaPss))
7964 goto end;
7965
7966 testresult = 1;
7967
7968 end:
7969 SSL_free(serverssl);
7970 SSL_free(clientssl);
7971 SSL_CTX_free(sctx);
7972 SSL_CTX_free(cctx);
7973 OSSL_PROVIDER_unload(filterprov);
b4250010 7974 OSSL_LIB_CTX_free(tmpctx);
b3842539
MC		 7975
7976 return testresult;
7977}
b1fdbc68
MC		 7978#endif /*
7979 * !defined(OPENSSL_NO_EC) \
7980 * && (!defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
7981 */
b3842539 7982
0c13cdf8 7983#ifndef OPENSSL_NO_TLS1_3
c8e3a4c6 7984static int test_pluggable_group(int idx)
0c13cdf8
MC		 7985{
7986 SSL_CTX *cctx = NULL, *sctx = NULL;
7987 SSL *clientssl = NULL, *serverssl = NULL;
7988 int testresult = 0;
7989 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
146aebc6
MC		 7990 /* Check that we are not impacted by a provider without any groups */
7991 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
c8e3a4c6 7992 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
0c13cdf8 7993
5ae54dba 7994 if (!TEST_ptr(tlsprov))
0c13cdf8
MC		 7995 goto end;
7996
5ae54dba
MC		 7997 if (legacyprov == NULL) {
7998 /*
7999 * In this case we assume we've been built with "no-legacy" and skip
8000 * this test (there is no OPENSSL_NO_LEGACY)
8001 */
8002 testresult = 1;
8003 goto end;
8004 }
8005
0c13cdf8
MC		 8006 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8007 TLS_client_method(),
8008 TLS1_3_VERSION,
8009 TLS1_3_VERSION,
8010 &sctx, &cctx, cert, privkey))
8011 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8012 NULL, NULL)))
8013 goto end;
8014
c8e3a4c6
NT		 8015 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
8016 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
0c13cdf8
MC		 8017 goto end;
8018
8019 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8020 goto end;
8021
becbacd7
MB		 8022 if (!TEST_str_eq(group_name,
8023 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
8024 goto end;
8025
0c13cdf8
MC		 8026 testresult = 1;
8027
8028 end:
8029 SSL_free(serverssl);
8030 SSL_free(clientssl);
8031 SSL_CTX_free(sctx);
8032 SSL_CTX_free(cctx);
8033 OSSL_PROVIDER_unload(tlsprov);
146aebc6 8034 OSSL_PROVIDER_unload(legacyprov);
0c13cdf8
MC		 8035
8036 return testresult;
8037}
8038#endif
b3842539 8039
49a36a52
MC		 8040#ifndef OPENSSL_NO_TLS1_2
8041static int test_ssl_dup(void)
8042{
8043 SSL_CTX *cctx = NULL, *sctx = NULL;
8044 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
8045 int testresult = 0;
8046 BIO *rbio = NULL, *wbio = NULL;
8047
8048 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8049 TLS_client_method(),
8050 0,
8051 0,
8052 &sctx, &cctx, cert, privkey)))
8053 goto end;
8054
8055 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8056 NULL, NULL)))
8057 goto end;
8058
8059 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
8060 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
8061 goto end;
8062
8063 client2ssl = SSL_dup(clientssl);
8064 rbio = SSL_get_rbio(clientssl);
8065 if (!TEST_ptr(rbio)
8066 || !TEST_true(BIO_up_ref(rbio)))
8067 goto end;
8068 SSL_set0_rbio(client2ssl, rbio);
8069 rbio = NULL;
8070
8071 wbio = SSL_get_wbio(clientssl);
8072 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
8073 goto end;
8074 SSL_set0_wbio(client2ssl, wbio);
8075 rbio = NULL;
8076
8077 if (!TEST_ptr(client2ssl)
8078 /* Handshake not started so pointers should be different */
8079 || !TEST_ptr_ne(clientssl, client2ssl))
8080 goto end;
8081
8082 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
8083 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
8084 goto end;
8085
8086 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
8087 goto end;
8088
8089 SSL_free(clientssl);
8090 clientssl = SSL_dup(client2ssl);
8091 if (!TEST_ptr(clientssl)
8092 /* Handshake has finished so pointers should be the same */
8093 || !TEST_ptr_eq(clientssl, client2ssl))
8094 goto end;
8095
8096 testresult = 1;
8097
8098 end:
8099 SSL_free(serverssl);
8100 SSL_free(clientssl);
8101 SSL_free(client2ssl);
8102 SSL_CTX_free(sctx);
8103 SSL_CTX_free(cctx);
8104
8105 return testresult;
8106}
33c39a06
MC		 8107
8108# ifndef OPENSSL_NO_DH
8109
8110static EVP_PKEY *tmp_dh_params = NULL;
8111
8112/* Helper function for the test_set_tmp_dh() tests */
8113static EVP_PKEY *get_tmp_dh_params(void)
8114{
8115 if (tmp_dh_params == NULL) {
8116 BIGNUM *p = NULL;
8117 OSSL_PARAM_BLD *tmpl = NULL;
8118 EVP_PKEY_CTX *pctx = NULL;
8119 OSSL_PARAM *params = NULL;
8120 EVP_PKEY *dhpkey = NULL;
8121
8122 p = BN_get_rfc3526_prime_2048(NULL);
8123 if (!TEST_ptr(p))
8124 goto end;
8125
8126 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
8127 if (!TEST_ptr(pctx)
8128 || !TEST_true(EVP_PKEY_key_fromdata_init(pctx)))
8129 goto end;
8130
8131 tmpl = OSSL_PARAM_BLD_new();
8132 if (!TEST_ptr(tmpl)
8133 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
8134 OSSL_PKEY_PARAM_FFC_P,
8135 p))
8136 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
8137 OSSL_PKEY_PARAM_FFC_G,
8138 2)))
8139 goto end;
8140
8141 params = OSSL_PARAM_BLD_to_param(tmpl);
8142 if (!TEST_ptr(params)
8143 || !TEST_true(EVP_PKEY_fromdata(pctx, &dhpkey, params)))
8144 goto end;
8145
8146 tmp_dh_params = dhpkey;
8147 end:
8148 BN_free(p);
8149 EVP_PKEY_CTX_free(pctx);
8150 OSSL_PARAM_BLD_free(tmpl);
8151 OSSL_PARAM_BLD_free_params(params);
8152 }
8153
8154 if (!EVP_PKEY_up_ref(tmp_dh_params))
8155 return NULL;
8156
8157 return tmp_dh_params;
8158}
8159
8160# ifndef OPENSSL_NO_DEPRECATED
8161/* Callback used by test_set_tmp_dh() */
8162static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
8163{
8164 EVP_PKEY *dhpkey = get_tmp_dh_params();
8165 DH *ret = NULL;
8166
8167 if (!TEST_ptr(dhpkey))
8168 return NULL;
8169
8170 ret = EVP_PKEY_get0_DH(dhpkey);
8171
8172 EVP_PKEY_free(dhpkey);
8173
8174 return ret;
8175}
8176# endif
8177
8178/*
8179 * Test the various methods for setting temporary DH parameters
8180 *
8181 * Test 0: Default (no auto) setting
8182 * Test 1: Explicit SSL_CTX auto off
8183 * Test 2: Explicit SSL auto off
8184 * Test 3: Explicit SSL_CTX auto on
8185 * Test 4: Explicit SSL auto on
8186 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
8187 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
8188 *
8189 * The following are testing deprecated APIs, so we only run them if available
8190 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
8191 * Test 8: Explicit SSL auto off, custom DH params via DH
8192 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
8193 * Test 10: Explicit SSL auto off, custom DH params via callback
8194 */
8195static int test_set_tmp_dh(int idx)
8196{
8197 SSL_CTX *cctx = NULL, *sctx = NULL;
8198 SSL *clientssl = NULL, *serverssl = NULL;
8199 int testresult = 0;
8200 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
8201 int expected = (idx <= 2) ? 0 : 1;
8202 EVP_PKEY *dhpkey = NULL;
8203# ifndef OPENSSL_NO_DEPRECATED_3_0
8204 DH *dh = NULL;
8205# else
8206
8207 if (idx >= 7)
8208 return 1;
8209# endif
8210
8211 if (idx >= 5 && idx <= 8) {
8212 dhpkey = get_tmp_dh_params();
8213 if (!TEST_ptr(dhpkey))
8214 goto end;
8215 }
8216# ifndef OPENSSL_NO_DEPRECATED_3_0
8217 if (idx == 7 || idx == 8) {
8218 dh = EVP_PKEY_get0_DH(dhpkey);
8219 if (!TEST_ptr(dh))
8220 goto end;
8221 }
8222# endif
8223
8224 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8225 TLS_client_method(),
8226 0,
8227 0,
8228 &sctx, &cctx, cert, privkey)))
8229 goto end;
8230
8231 if ((idx & 1) == 1) {
8232 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
8233 goto end;
8234 }
8235
8236 if (idx == 5) {
8237 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
8238 goto end;
8239 dhpkey = NULL;
8240 }
8241# ifndef OPENSSL_NO_DEPRECATED_3_0
8242 else if (idx == 7) {
8243 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
8244 goto end;
8245 } else if (idx == 9) {
8246 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
8247 }
8248# endif
8249
8250 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8251 NULL, NULL)))
8252 goto end;
8253
8254 if ((idx & 1) == 0 && idx != 0) {
8255 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
8256 goto end;
8257 }
8258 if (idx == 6) {
8259 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
8260 goto end;
8261 dhpkey = NULL;
8262 }
8263# ifndef OPENSSL_NO_DEPRECATED_3_0
8264 else if (idx == 8) {
8265 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
8266 goto end;
8267 } else if (idx == 10) {
8268 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
8269 }
8270# endif
8271
8272 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
8273 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
8274 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
8275 goto end;
8276
8277 /*
8278 * If autoon then we should succeed. Otherwise we expect failure because
8279 * there are no parameters
8280 */
8281 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
8282 SSL_ERROR_NONE), expected))
8283 goto end;
8284
8285 testresult = 1;
8286
8287 end:
8288 SSL_free(serverssl);
8289 SSL_free(clientssl);
8290 SSL_CTX_free(sctx);
8291 SSL_CTX_free(cctx);
8292 EVP_PKEY_free(dhpkey);
8293
8294 return testresult;
8295}
3105d846
MC		 8296
8297/*
8298 * Test the auto DH keys are appropriately sized
8299 */
8300static int test_dh_auto(int idx)
8301{
8302 SSL_CTX *cctx = NULL, *sctx = NULL;
8303 SSL *clientssl = NULL, *serverssl = NULL;
8304 int testresult = 0;
8305 EVP_PKEY *tmpkey = NULL;
8306 char *thiscert = NULL, *thiskey = NULL;
8307 size_t expdhsize = 0;
8308 const char *ciphersuite = "DHE-RSA-AES128-SHA";
8309
8310 switch (idx) {
8311 case 0:
8312 /* The FIPS provider doesn't support this DH size - so we ignore it */
8313 if (is_fips)
8314 return 1;
8315 thiscert = cert1024;
8316 thiskey = privkey1024;
8317 expdhsize = 1024;
8318 break;
8319 case 1:
8320 /* 2048 bit prime */
8321 thiscert = cert;
8322 thiskey = privkey;
8323 expdhsize = 2048;
8324 break;
8325 case 2:
8326 thiscert = cert3072;
8327 thiskey = privkey3072;
8328 expdhsize = 3072;
8329 break;
8330 case 3:
8331 thiscert = cert4096;
8332 thiskey = privkey4096;
8333 expdhsize = 4096;
8334 break;
8335 case 4:
8336 thiscert = cert8192;
8337 thiskey = privkey8192;
8338 expdhsize = 8192;
8339 break;
8340 /* No certificate cases */
8341 case 5:
8342 /* The FIPS provider doesn't support this DH size - so we ignore it */
8343 if (is_fips)
8344 return 1;
8345 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
8346 expdhsize = 1024;
8347 break;
8348 case 6:
8349 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
8350 expdhsize = 3072;
8351 break;
8352 default:
8353 TEST_error("Invalid text index");
8354 goto end;
8355 }
8356
8357 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8358 TLS_client_method(),
8359 0,
8360 0,
8361 &sctx, &cctx, thiscert, thiskey)))
8362 goto end;
8363
8364 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8365 NULL, NULL)))
8366 goto end;
8367
8368 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
8369 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
8370 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
8371 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
8372 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
8373 goto end;
8374
8375 /*
8376 * Send the server's first flight. At this point the server has created the
8377 * temporary DH key but hasn't finished using it yet. Once used it is
8378 * removed, so we cannot test it.
8379 */
8380 if (!TEST_int_le(SSL_connect(clientssl), 0)
8381 || !TEST_int_le(SSL_accept(serverssl), 0))
8382 goto end;
8383
8384 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
8385 goto end;
8386 if (!TEST_size_t_eq(EVP_PKEY_bits(tmpkey), expdhsize))
8387 goto end;
8388
8389 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8390 goto end;
8391
8392 testresult = 1;
8393
8394 end:
8395 SSL_free(serverssl);
8396 SSL_free(clientssl);
8397 SSL_CTX_free(sctx);
8398 SSL_CTX_free(cctx);
8399 EVP_PKEY_free(tmpkey);
8400
8401 return testresult;
8402
8403}
33c39a06
MC		 8404# endif /* OPENSSL_NO_DH */
8405#endif /* OPENSSL_NO_TLS1_2 */
49a36a52 8406
6582661f
MC		 8407#ifndef OPENSSL_NO_TLS1_3
8408/*
8409 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
8410 * that it works even without a certificate configured for the original
8411 * SSL_CTX
8412 */
8413static int test_sni_tls13(void)
8414{
8415 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
8416 SSL *clientssl = NULL, *serverssl = NULL;
8417 int testresult = 0;
8418
8419 /* Reset callback counter */
8420 snicb = 0;
8421
8422 /* Create an initial SSL_CTX with no certificate configured */
8423 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
8424 if (!TEST_ptr(sctx))
8425 goto end;
8426 /* Require TLSv1.3 as a minimum */
8427 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8428 TLS_client_method(), TLS1_3_VERSION, 0,
8429 &sctx2, &cctx, cert, privkey)))
8430 goto end;
8431
8432 /* Set up SNI */
8433 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
8434 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
8435 goto end;
8436
8437 /*
8438 * Connection should still succeed because the final SSL_CTX has the right
8439 * certificates configured.
8440 */
8441 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
8442 &clientssl, NULL, NULL))
8443 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8444 SSL_ERROR_NONE)))
8445 goto end;
8446
8447 /* We should have had the SNI callback called exactly once */
8448 if (!TEST_int_eq(snicb, 1))
8449 goto end;
8450
8451 testresult = 1;
8452
8453end:
8454 SSL_free(serverssl);
8455 SSL_free(clientssl);
8456 SSL_CTX_free(sctx2);
8457 SSL_CTX_free(sctx);
8458 SSL_CTX_free(cctx);
8459 return testresult;
8460}
8461#endif
8462
5e30f2fd 8463OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
a43ce58f 8464
ad887416 8465int setup_tests(void)
2cb4b5f6 8466{
5e30f2fd
MC		 8467 char *modulename;
8468 char *configfile;
8469
b4250010 8470 libctx = OSSL_LIB_CTX_new();
5e30f2fd
MC		 8471 if (!TEST_ptr(libctx))
8472 return 0;
8473
8474 defctxnull = OSSL_PROVIDER_load(NULL, "null");
8475
8476 /*
8477 * Verify that the default and fips providers in the default libctx are not
8478 * available
8479 */
8480 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
8481 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
8482 return 0;
8483
8d242823
MC		 8484 if (!test_skip_common_options()) {
8485 TEST_error("Error parsing test options\n");
8486 return 0;
8487 }
8488
1a2a3a42
MC		 8489 if (!TEST_ptr(certsdir = test_get_argument(0))
8490 || !TEST_ptr(srpvfile = test_get_argument(1))
5e30f2fd
MC		 8491 || !TEST_ptr(tmpfilename = test_get_argument(2))
8492 || !TEST_ptr(modulename = test_get_argument(3))
8493 || !TEST_ptr(configfile = test_get_argument(4)))
8494 return 0;
8495
b4250010 8496 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
5e30f2fd
MC		 8497 return 0;
8498
8499 /* Check we have the expected provider available */
8500 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
8501 return 0;
8502
8503 /* Check the default provider is not available */
8504 if (strcmp(modulename, "default") != 0
8505 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
710756a9 8506 return 0;
2cb4b5f6 8507
4f6c7044
MC		 8508 if (strcmp(modulename, "fips") == 0)
8509 is_fips = 1;
8510
0c13cdf8
MC		 8511 /*
8512 * We add, but don't load the test "tls-provider". We'll load it when we
8513 * need it.
8514 */
8515 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
8516 tls_provider_init)))
8517 return 0;
8518
8519
f297e4ec
RS		 8520 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
8521#ifdef OPENSSL_NO_CRYPTO_MDEBUG
8522 TEST_error("not supported in this build");
8523 return 0;
8524#else
8525 int i, mcount, rcount, fcount;
8526
8527 for (i = 0; i < 4; i++)
8528 test_export_key_mat(i);
8529 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
8530 test_printf_stdout("malloc %d realloc %d free %d\n",
8531 mcount, rcount, fcount);
8532 return 1;
8533#endif
8534 }
8535
1a2a3a42
MC		 8536 cert = test_mk_file_path(certsdir, "servercert.pem");
8537 if (cert == NULL)
b3842539 8538 goto err;
1a2a3a42
MC		 8539
8540 privkey = test_mk_file_path(certsdir, "serverkey.pem");
b3842539
MC		 8541 if (privkey == NULL)
8542 goto err;
8543
8544 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8545 if (cert2 == NULL)
8546 goto err;
8547
8548 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8549 if (privkey2 == NULL)
8550 goto err;
1a2a3a42 8551
3105d846
MC		 8552 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
8553 if (cert1024 == NULL)
8554 goto err;
8555
8556 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
8557 if (privkey1024 == NULL)
8558 goto err;
8559
8560 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
8561 if (cert3072 == NULL)
8562 goto err;
8563
8564 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
8565 if (privkey3072 == NULL)
8566 goto err;
8567
8568 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
8569 if (cert4096 == NULL)
8570 goto err;
8571
8572 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
8573 if (privkey4096 == NULL)
8574 goto err;
8575
8576 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
8577 if (cert8192 == NULL)
8578 goto err;
8579
8580 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
8581 if (privkey8192 == NULL)
8582 goto err;
8583
da4db160 8584#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
c8e3a4c6 8585# if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
da4db160
VF		 8586 ADD_ALL_TESTS(test_ktls, 32);
8587 ADD_ALL_TESTS(test_ktls_sendfile_anytls, 6);
c8e3a4c6 8588# endif
fe5d9450 8589#endif
84d5549e 8590 ADD_TEST(test_large_message_tls);
7856332e 8591 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 8592#ifndef OPENSSL_NO_DTLS
84d5549e 8593 ADD_TEST(test_large_message_dtls);
55386bef 8594#endif
163b8016 8595 ADD_TEST(test_cleanse_plaintext);
8f8c11d8 8596#ifndef OPENSSL_NO_OCSP
c887104f 8597 ADD_TEST(test_tlsext_status_type);
8f8c11d8 8598#endif
eaa776da
MC		 8599 ADD_TEST(test_session_with_only_int_cache);
8600 ADD_TEST(test_session_with_only_ext_cache);
8601 ADD_TEST(test_session_with_both_cache);
90fc2c26 8602 ADD_TEST(test_session_wo_ca_names);
36ff232c 8603#ifndef OPENSSL_NO_TLS1_3
04d7814a
MC		 8604 ADD_ALL_TESTS(test_stateful_tickets, 3);
8605 ADD_ALL_TESTS(test_stateless_tickets, 3);
8614a4eb 8606 ADD_TEST(test_psk_tickets);
f0049b86 8607 ADD_ALL_TESTS(test_extra_tickets, 6);
36ff232c 8608#endif
7fb4c820 8609 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 8610 ADD_TEST(test_ssl_bio_pop_next_bio);
8611 ADD_TEST(test_ssl_bio_pop_ssl_bio);
8612 ADD_TEST(test_ssl_bio_change_rbio);
8613 ADD_TEST(test_ssl_bio_change_wbio);
c423ecaa 8614#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae 8615 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 8616 ADD_TEST(test_keylog);
c423ecaa 8617#endif
6acdd3e5
CB		 8618#ifndef OPENSSL_NO_TLS1_3
8619 ADD_TEST(test_keylog_no_master_key);
8620#endif
e9ee6536 8621#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 8622 ADD_TEST(test_client_hello_cb);
088dfa13 8623 ADD_TEST(test_no_ems);
3cd14e5e 8624 ADD_TEST(test_ccs_change_cipher);
5f982038
MC		 8625#endif
8626#ifndef OPENSSL_NO_TLS1_3
02a3ed5a 8627 ADD_ALL_TESTS(test_early_data_read_write, 3);
78fb5374
MC		 8628 /*
8629 * We don't do replay tests for external PSK. Replay protection isn't used
8630 * in that scenario.
8631 */
8632 ADD_ALL_TESTS(test_early_data_replay, 2);
02a3ed5a
MC		 8633 ADD_ALL_TESTS(test_early_data_skip, 3);
8634 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
0efa0ba4 8635 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
0d1b7789 8636 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
02a3ed5a 8637 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 8638 ADD_ALL_TESTS(test_early_data_psk, 8);
0b2b0be9 8639 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
02a3ed5a 8640 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 8641# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 8642 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 8643# endif
e9ee6536 8644#endif
a273157a 8645#ifndef OPENSSL_NO_TLS1_3
034cb87b 8646 ADD_ALL_TESTS(test_set_ciphersuite, 10);
ca0413ae 8647 ADD_TEST(test_ciphersuite_change);
5bf2eade 8648 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
8649# ifdef OPENSSL_NO_PSK
c2b290c3 8650 ADD_ALL_TESTS(test_tls13_psk, 1);
5bf2eade 8651# else
0d8da779 8652 ADD_ALL_TESTS(test_tls13_psk, 4);
5bf2eade 8653# endif /* OPENSSL_NO_PSK */
8654# ifndef OPENSSL_NO_TLS1_2
8655 /* Test with both TLSv1.3 and 1.2 versions */
db26ec80 8656 ADD_ALL_TESTS(test_key_exchange, 14);
5bf2eade 8657# else
8658 /* Test with only TLSv1.3 versions */
8659 ADD_ALL_TESTS(test_key_exchange, 12);
8660# endif
bb01ef3f 8661 ADD_ALL_TESTS(test_custom_exts, 5);
c7b8ff25 8662 ADD_TEST(test_stateless);
9d75dce3 8663 ADD_TEST(test_pha_key_update);
a273157a 8664#else
bb01ef3f 8665 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 8666#endif
16afd71c 8667 ADD_ALL_TESTS(test_serverinfo, 8);
0fb2815b 8668 ADD_ALL_TESTS(test_export_key_mat, 6);
b38ede80
TT		 8669#ifndef OPENSSL_NO_TLS1_3
8670 ADD_ALL_TESTS(test_export_key_mat_early, 3);
3409a5ff 8671 ADD_TEST(test_key_update);
a77b4dba 8672 ADD_ALL_TESTS(test_key_update_in_write, 2);
b38ede80 8673#endif
e11b6aa4 8674 ADD_ALL_TESTS(test_ssl_clear, 2);
cf72c757 8675 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
76fd7a1d
MC		 8676#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
8677 ADD_ALL_TESTS(test_srp, 6);
8678#endif
5718fe45 8679 ADD_ALL_TESTS(test_info_callback, 6);
4a432af8 8680 ADD_ALL_TESTS(test_ssl_pending, 2);
e401389a 8681 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
a76ce286 8682 ADD_ALL_TESTS(test_ticket_callbacks, 16);
57d7b988 8683 ADD_ALL_TESTS(test_shutdown, 7);
e638112e 8684 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
1a2a3a42 8685 ADD_ALL_TESTS(test_cert_cb, 6);
6e46c065 8686 ADD_ALL_TESTS(test_client_cert_cb, 2);
fb8c8359 8687 ADD_ALL_TESTS(test_ca_names, 3);
0d2bfe52
SL		 8688#ifndef OPENSSL_NO_TLS1_2
8689 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
8690#endif
49ef3d07 8691 ADD_ALL_TESTS(test_servername, 10);
b1fdbc68
MC		 8692#if !defined(OPENSSL_NO_EC) \
8693 && (!defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b3842539 8694 ADD_ALL_TESTS(test_sigalgs_available, 6);
0c13cdf8
MC		 8695#endif
8696#ifndef OPENSSL_NO_TLS1_3
c8e3a4c6 8697 ADD_ALL_TESTS(test_pluggable_group, 2);
49a36a52
MC		 8698#endif
8699#ifndef OPENSSL_NO_TLS1_2
8700 ADD_TEST(test_ssl_dup);
33c39a06
MC		 8701# ifndef OPENSSL_NO_DH
8702 ADD_ALL_TESTS(test_set_tmp_dh, 11);
3105d846 8703 ADD_ALL_TESTS(test_dh_auto, 7);
33c39a06 8704# endif
6582661f
MC		 8705#endif
8706#ifndef OPENSSL_NO_TLS1_3
8707 ADD_TEST(test_sni_tls13);
b3842539 8708#endif
ad887416 8709 return 1;
b3842539
MC		 8710
8711 err:
8712 OPENSSL_free(cert);
8713 OPENSSL_free(privkey);
8714 OPENSSL_free(cert2);
8715 OPENSSL_free(privkey2);
8716 return 0;
ad887416 8717}
2cb4b5f6 8718
ad887416
P		 8719void cleanup_tests(void)
8720{
8778f0eb 8721# if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
33c39a06
MC		 8722 EVP_PKEY_free(tmp_dh_params);
8723#endif
1a2a3a42
MC		 8724 OPENSSL_free(cert);
8725 OPENSSL_free(privkey);
b3842539
MC		 8726 OPENSSL_free(cert2);
8727 OPENSSL_free(privkey2);
3105d846
MC		 8728 OPENSSL_free(cert1024);
8729 OPENSSL_free(privkey1024);
8730 OPENSSL_free(cert3072);
8731 OPENSSL_free(privkey3072);
8732 OPENSSL_free(cert4096);
8733 OPENSSL_free(privkey4096);
8734 OPENSSL_free(cert8192);
8735 OPENSSL_free(privkey8192);
fa454945 8736 bio_s_mempacket_test_free();
a77b4dba 8737 bio_s_always_retry_free();
5e30f2fd 8738 OSSL_PROVIDER_unload(defctxnull);
b4250010 8739 OSSL_LIB_CTX_free(libctx);
2cb4b5f6 8740}
A mirror of the official openssl repository