]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Add info on the CMP implementation and HTTP client to NEWS.md and CHANGES.md
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
6738bf14 2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6 3 *
909f1a2e 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
2cb4b5f6
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
a76ce286
P		 10/*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14#ifndef OPENSSL_NO_DEPRECATED_3_0
15# define OPENSSL_SUPPRESS_DEPRECATED
16#endif
17
7c3a7561 18#include <stdio.h>
ba881d3b
MC		 19#include <string.h>
20
2cb4b5f6
MC		 21#include <openssl/opensslconf.h>
22#include <openssl/bio.h>
23#include <openssl/crypto.h>
24#include <openssl/ssl.h>
ba881d3b 25#include <openssl/ocsp.h>
76fd7a1d
MC		 26#include <openssl/srp.h>
27#include <openssl/txt_db.h>
d0191fe0 28#include <openssl/aes.h>
7c3a7561 29#include <openssl/rand.h>
a76ce286 30#include <openssl/core_names.h>
5e30f2fd 31#include <openssl/provider.h>
2cb4b5f6
MC		 32
33#include "ssltestlib.h"
c887104f 34#include "testutil.h"
f297e4ec 35#include "testutil/output.h"
176db6dc 36#include "internal/nelem.h"
fe5d9450 37#include "internal/ktls.h"
706457b7 38#include "../ssl/ssl_local.h"
2cb4b5f6 39
5e30f2fd
MC		 40static OPENSSL_CTX *libctx = NULL;
41static OSSL_PROVIDER *defctxnull = NULL;
42
8614a4eb
MC		 43#ifndef OPENSSL_NO_TLS1_3
44
45static SSL_SESSION *clientpsk = NULL;
46static SSL_SESSION *serverpsk = NULL;
47static const char *pskid = "Identity";
48static const char *srvid;
49
50static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
51 size_t *idlen, SSL_SESSION **sess);
52static int find_session_cb(SSL *ssl, const unsigned char *identity,
53 size_t identity_len, SSL_SESSION **sess);
54
55static int use_session_cb_cnt = 0;
56static int find_session_cb_cnt = 0;
57
58static SSL_SESSION *create_a_psk(SSL *ssl);
59#endif
60
1a2a3a42 61static char *certsdir = NULL;
2cb4b5f6
MC		 62static char *cert = NULL;
63static char *privkey = NULL;
76fd7a1d
MC		 64static char *srpvfile = NULL;
65static char *tmpfilename = NULL;
2cb4b5f6 66
4f6c7044
MC		 67static int is_fips = 0;
68
cffe973c 69#define LOG_BUFFER_SIZE 2048
6acdd3e5 70static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 71static size_t server_log_buffer_index = 0;
6acdd3e5 72static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 73static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 74static int error_writing_log = 0;
75
8f8c11d8 76#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 77static const unsigned char orespder[] = "Dummy OCSP Response";
78static int ocsp_server_called = 0;
79static int ocsp_client_called = 0;
80
81static int cdummyarg = 1;
82static X509 *ocspcert = NULL;
8f8c11d8 83#endif
ba881d3b 84
84d5549e 85#define NUM_EXTRA_CERTS 40
cf72c757 86#define CLIENT_VERSION_LEN 2
84d5549e 87
f1a5939f
CB		 88/*
89 * This structure is used to validate that the correct number of log messages
90 * of various types are emitted when emitting secret logs.
91 */
92struct sslapitest_log_counts {
93 unsigned int rsa_key_exchange_count;
94 unsigned int master_secret_count;
cffe973c 95 unsigned int client_early_secret_count;
f1a5939f
CB		 96 unsigned int client_handshake_secret_count;
97 unsigned int server_handshake_secret_count;
98 unsigned int client_application_secret_count;
99 unsigned int server_application_secret_count;
01a2a654 100 unsigned int early_exporter_secret_count;
6329ce8f 101 unsigned int exporter_secret_count;
f1a5939f
CB		 102};
103
16afd71c
MC		 104
105static unsigned char serverinfov1[] = {
106 0xff, 0xff, /* Dummy extension type */
107 0x00, 0x01, /* Extension length is 1 byte */
108 0xff /* Dummy extension data */
109};
110
111static unsigned char serverinfov2[] = {
112 0x00, 0x00, 0x00,
113 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
114 0xff, 0xff, /* Dummy extension type */
115 0x00, 0x01, /* Extension length is 1 byte */
116 0xff /* Dummy extension data */
117};
118
104a733d
MC		 119static int hostname_cb(SSL *s, int *al, void *arg)
120{
121 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
122
123 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
124 || strcmp(hostname, "altgoodhost") == 0))
125 return SSL_TLSEXT_ERR_OK;
126
127 return SSL_TLSEXT_ERR_NOACK;
128}
129
710756a9
RS		 130static void client_keylog_callback(const SSL *ssl, const char *line)
131{
6acdd3e5
CB		 132 int line_length = strlen(line);
133
134 /* If the log doesn't fit, error out. */
710756a9
RS		 135 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
136 TEST_info("Client log too full");
6acdd3e5
CB		 137 error_writing_log = 1;
138 return;
139 }
140
141 strcat(client_log_buffer, line);
142 client_log_buffer_index += line_length;
710756a9 143 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 144}
145
710756a9
RS		 146static void server_keylog_callback(const SSL *ssl, const char *line)
147{
6acdd3e5
CB		 148 int line_length = strlen(line);
149
150 /* If the log doesn't fit, error out. */
710756a9 151 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 152 TEST_info("Server log too full");
6acdd3e5
CB		 153 error_writing_log = 1;
154 return;
155 }
156
157 strcat(server_log_buffer, line);
158 server_log_buffer_index += line_length;
710756a9 159 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 160}
161
162static int compare_hex_encoded_buffer(const char *hex_encoded,
163 size_t hex_length,
164 const uint8_t *raw,
710756a9
RS		 165 size_t raw_length)
166{
167 size_t i, j;
168 char hexed[3];
6acdd3e5 169
710756a9 170 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 171 return 1;
6acdd3e5 172
710756a9 173 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 174 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 175 if (!TEST_int_eq(hexed[0], hex_encoded[j])
176 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 177 return 1;
6acdd3e5
CB		 178 }
179
180 return 0;
181}
182
183static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 184 const SSL_SESSION *session,
710756a9
RS		 185 struct sslapitest_log_counts *expected)
186{
6acdd3e5
CB		 187 char *token = NULL;
188 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
189 size_t client_random_size = SSL3_RANDOM_SIZE;
190 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
191 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 192 unsigned int rsa_key_exchange_count = 0;
193 unsigned int master_secret_count = 0;
cffe973c 194 unsigned int client_early_secret_count = 0;
f1a5939f
CB		 195 unsigned int client_handshake_secret_count = 0;
196 unsigned int server_handshake_secret_count = 0;
197 unsigned int client_application_secret_count = 0;
198 unsigned int server_application_secret_count = 0;
01a2a654 199 unsigned int early_exporter_secret_count = 0;
6329ce8f 200 unsigned int exporter_secret_count = 0;
6acdd3e5 201
710756a9
RS		 202 for (token = strtok(buffer, " \n"); token != NULL;
203 token = strtok(NULL, " \n")) {
6acdd3e5 204 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 205 /*
206 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 207 * hex-encoded encrypted secret, then the hex-encoded pre-master
208 * secret.
209 */
710756a9 210 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 211 return 0;
710756a9 212 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 213 return 0;
710756a9 214 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 215 return 0;
f1a5939f
CB		 216 /*
217 * We can't sensibly check the log because the premaster secret is
218 * transient, and OpenSSL doesn't keep hold of it once the master
219 * secret is generated.
220 */
221 rsa_key_exchange_count++;
6acdd3e5 222 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 223 /*
224 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 225 * client random, then the hex-encoded master secret.
226 */
227 client_random_size = SSL_get_client_random(ssl,
228 actual_client_random,
229 SSL3_RANDOM_SIZE);
710756a9 230 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 231 return 0;
6acdd3e5 232
710756a9 233 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 234 return 0;
710756a9 235 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 236 return 0;
710756a9
RS		 237 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
238 actual_client_random,
239 client_random_size)))
f1a5939f 240 return 0;
6acdd3e5 241
710756a9 242 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 243 return 0;
6acdd3e5
CB		 244 master_key_size = SSL_SESSION_get_master_key(session,
245 actual_master_key,
246 master_key_size);
710756a9 247 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 248 return 0;
710756a9
RS		 249 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
250 actual_master_key,
251 master_key_size)))
f1a5939f 252 return 0;
f1a5939f 253 master_secret_count++;
cffe973c
PW		 254 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
255 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
710756a9
RS		 256 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
257 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
6329ce8f 258 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
01a2a654 259 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
6329ce8f 260 || strcmp(token, "EXPORTER_SECRET") == 0) {
f1a5939f
CB		 261 /*
262 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
263 * client random, and then the hex-encoded secret. In this case,
264 * we treat all of these secrets identically and then just
265 * distinguish between them when counting what we saw.
266 */
cffe973c
PW		 267 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
268 client_early_secret_count++;
269 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
f1a5939f
CB		 270 client_handshake_secret_count++;
271 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
272 server_handshake_secret_count++;
273 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
274 client_application_secret_count++;
275 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
276 server_application_secret_count++;
01a2a654
PW		 277 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
278 early_exporter_secret_count++;
6329ce8f
PW		 279 else if (strcmp(token, "EXPORTER_SECRET") == 0)
280 exporter_secret_count++;
f1a5939f
CB		 281
282 client_random_size = SSL_get_client_random(ssl,
283 actual_client_random,
284 SSL3_RANDOM_SIZE);
710756a9 285 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 286 return 0;
f1a5939f 287
710756a9 288 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 289 return 0;
710756a9 290 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 291 return 0;
710756a9
RS		 292 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
293 actual_client_random,
294 client_random_size)))
f1a5939f 295 return 0;
6acdd3e5 296
710756a9 297 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 298 return 0;
f1a5939f
CB		 299
300 /*
301 * TODO(TLS1.3): test that application traffic secrets are what
302 * we expect */
6acdd3e5 303 } else {
710756a9 304 TEST_info("Unexpected token %s\n", token);
f1a5939f 305 return 0;
6acdd3e5 306 }
6acdd3e5
CB		 307 }
308
710756a9
RS		 309 /* Got what we expected? */
310 if (!TEST_size_t_eq(rsa_key_exchange_count,
311 expected->rsa_key_exchange_count)
312 || !TEST_size_t_eq(master_secret_count,
313 expected->master_secret_count)
cffe973c
PW		 314 || !TEST_size_t_eq(client_early_secret_count,
315 expected->client_early_secret_count)
710756a9
RS		 316 || !TEST_size_t_eq(client_handshake_secret_count,
317 expected->client_handshake_secret_count)
318 || !TEST_size_t_eq(server_handshake_secret_count,
319 expected->server_handshake_secret_count)
320 || !TEST_size_t_eq(client_application_secret_count,
321 expected->client_application_secret_count)
322 || !TEST_size_t_eq(server_application_secret_count,
6329ce8f 323 expected->server_application_secret_count)
01a2a654
PW		 324 || !TEST_size_t_eq(early_exporter_secret_count,
325 expected->early_exporter_secret_count)
6329ce8f
PW		 326 || !TEST_size_t_eq(exporter_secret_count,
327 expected->exporter_secret_count))
710756a9
RS		 328 return 0;
329 return 1;
6acdd3e5
CB		 330}
331
c423ecaa 332#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
710756a9
RS		 333static int test_keylog(void)
334{
6acdd3e5
CB		 335 SSL_CTX *cctx = NULL, *sctx = NULL;
336 SSL *clientssl = NULL, *serverssl = NULL;
337 int testresult = 0;
6fc1e624 338 struct sslapitest_log_counts expected;
6acdd3e5
CB		 339
340 /* Clean up logging space */
6fc1e624 341 memset(&expected, 0, sizeof(expected));
710756a9
RS		 342 memset(client_log_buffer, 0, sizeof(client_log_buffer));
343 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 344 client_log_buffer_index = 0;
345 server_log_buffer_index = 0;
346 error_writing_log = 0;
347
5e30f2fd 348 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
710756a9 349 TLS_client_method(),
5c587fb6 350 TLS1_VERSION, 0,
710756a9 351 &sctx, &cctx, cert, privkey)))
6acdd3e5 352 return 0;
6acdd3e5
CB		 353
354 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
355 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
356 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
357
f0deb4d3 358 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 359 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 360 goto end;
f0deb4d3 361
cf10df81
RS		 362 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
363 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 364 goto end;
6acdd3e5 365 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 366 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
367 == client_keylog_callback))
6acdd3e5 368 goto end;
710756a9 369 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 370 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
371 == server_keylog_callback))
6acdd3e5 372 goto end;
6acdd3e5 373
710756a9
RS		 374 /* Now do a handshake and check that the logs have been written to. */
375 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
376 &clientssl, NULL, NULL))
377 || !TEST_true(create_ssl_connection(serverssl, clientssl,
378 SSL_ERROR_NONE))
379 || !TEST_false(error_writing_log)
380 || !TEST_int_gt(client_log_buffer_index, 0)
381 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 382 goto end;
6acdd3e5 383
f1a5939f
CB		 384 /*
385 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 386 * do that by using strtok and confirming that we have more or less the
f1a5939f
CB		 387 * data we expect. For both client and server, we expect to see one master
388 * secret. The client should also see a RSA key exchange.
6acdd3e5 389 */
f1a5939f
CB		 390 expected.rsa_key_exchange_count = 1;
391 expected.master_secret_count = 1;
710756a9
RS		 392 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
393 SSL_get_session(clientssl), &expected)))
6acdd3e5 394 goto end;
f1a5939f
CB		 395
396 expected.rsa_key_exchange_count = 0;
710756a9
RS		 397 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
398 SSL_get_session(serverssl), &expected)))
6acdd3e5 399 goto end;
6acdd3e5
CB		 400
401 testresult = 1;
402
403end:
404 SSL_free(serverssl);
405 SSL_free(clientssl);
406 SSL_CTX_free(sctx);
407 SSL_CTX_free(cctx);
408
409 return testresult;
410}
c423ecaa 411#endif
6acdd3e5
CB		 412
413#ifndef OPENSSL_NO_TLS1_3
710756a9
RS		 414static int test_keylog_no_master_key(void)
415{
6acdd3e5
CB		 416 SSL_CTX *cctx = NULL, *sctx = NULL;
417 SSL *clientssl = NULL, *serverssl = NULL;
cffe973c 418 SSL_SESSION *sess = NULL;
6acdd3e5 419 int testresult = 0;
6fc1e624 420 struct sslapitest_log_counts expected;
cffe973c
PW		 421 unsigned char buf[1];
422 size_t readbytes, written;
6acdd3e5
CB		 423
424 /* Clean up logging space */
6fc1e624 425 memset(&expected, 0, sizeof(expected));
710756a9
RS		 426 memset(client_log_buffer, 0, sizeof(client_log_buffer));
427 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 428 client_log_buffer_index = 0;
429 server_log_buffer_index = 0;
430 error_writing_log = 0;
431
5e30f2fd
MC		 432 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
433 TLS_client_method(), TLS1_VERSION, 0,
cffe973c
PW		 434 &sctx, &cctx, cert, privkey))
435 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
cffe973c 436 SSL3_RT_MAX_PLAIN_LENGTH)))
6acdd3e5 437 return 0;
6acdd3e5 438
cf10df81
RS		 439 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
440 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 441 goto end;
6acdd3e5
CB		 442
443 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 444 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
445 == client_keylog_callback))
6acdd3e5 446 goto end;
6acdd3e5 447
710756a9 448 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 449 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
450 == server_keylog_callback))
6acdd3e5 451 goto end;
6acdd3e5 452
710756a9
RS		 453 /* Now do a handshake and check that the logs have been written to. */
454 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
455 &clientssl, NULL, NULL))
456 || !TEST_true(create_ssl_connection(serverssl, clientssl,
457 SSL_ERROR_NONE))
458 || !TEST_false(error_writing_log))
6acdd3e5 459 goto end;
6acdd3e5 460
f1a5939f
CB		 461 /*
462 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 463 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 464 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 465 */
f1a5939f
CB		 466 expected.client_handshake_secret_count = 1;
467 expected.server_handshake_secret_count = 1;
468 expected.client_application_secret_count = 1;
469 expected.server_application_secret_count = 1;
6329ce8f 470 expected.exporter_secret_count = 1;
710756a9
RS		 471 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
472 SSL_get_session(clientssl), &expected))
473 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
474 SSL_get_session(serverssl),
475 &expected)))
6acdd3e5 476 goto end;
6acdd3e5 477
cffe973c
PW		 478 /* Terminate old session and resume with early data. */
479 sess = SSL_get1_session(clientssl);
480 SSL_shutdown(clientssl);
481 SSL_shutdown(serverssl);
482 SSL_free(serverssl);
483 SSL_free(clientssl);
484 serverssl = clientssl = NULL;
485
486 /* Reset key log */
487 memset(client_log_buffer, 0, sizeof(client_log_buffer));
488 memset(server_log_buffer, 0, sizeof(server_log_buffer));
489 client_log_buffer_index = 0;
490 server_log_buffer_index = 0;
491
492 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
493 &clientssl, NULL, NULL))
494 || !TEST_true(SSL_set_session(clientssl, sess))
495 /* Here writing 0 length early data is enough. */
496 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
497 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
498 &readbytes),
499 SSL_READ_EARLY_DATA_ERROR)
500 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
501 SSL_EARLY_DATA_ACCEPTED)
502 || !TEST_true(create_ssl_connection(serverssl, clientssl,
503 SSL_ERROR_NONE))
504 || !TEST_true(SSL_session_reused(clientssl)))
505 goto end;
506
507 /* In addition to the previous entries, expect early secrets. */
508 expected.client_early_secret_count = 1;
01a2a654 509 expected.early_exporter_secret_count = 1;
cffe973c
PW		 510 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
511 SSL_get_session(clientssl), &expected))
512 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
513 SSL_get_session(serverssl),
514 &expected)))
515 goto end;
516
6acdd3e5
CB		 517 testresult = 1;
518
519end:
cffe973c 520 SSL_SESSION_free(sess);
6acdd3e5
CB		 521 SSL_free(serverssl);
522 SSL_free(clientssl);
523 SSL_CTX_free(sctx);
524 SSL_CTX_free(cctx);
525
526 return testresult;
527}
528#endif
529
e9ee6536 530#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 531static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 532{
533 int *ctr = arg;
534 const unsigned char *p;
8ea404fb 535 int *exts;
2afaee51
BK		 536 /* We only configure two ciphers, but the SCSV is added automatically. */
537#ifdef OPENSSL_NO_EC
538 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
539#else
540 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
541 0x2c, 0x00, 0xff};
542#endif
8ea404fb
BK		 543 const int expected_extensions[] = {
544#ifndef OPENSSL_NO_EC
545 11, 10,
546#endif
10ed1b72 547 35, 22, 23, 13};
2afaee51
BK		 548 size_t len;
549
550 /* Make sure we can defer processing and get called back. */
551 if ((*ctr)++ == 0)
f1b97da1 552 return SSL_CLIENT_HELLO_RETRY;
2afaee51 553
a9c0d8be 554 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 555 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 556 || !TEST_size_t_eq(
557 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 558 || !TEST_int_eq(*p, 0))
f1b97da1 559 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 560 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 561 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 562 if (len != OSSL_NELEM(expected_extensions) ||
563 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 564 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 565 OPENSSL_free(exts);
f1b97da1 566 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 567 }
568 OPENSSL_free(exts);
f1b97da1 569 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 570}
571
a9c0d8be 572static int test_client_hello_cb(void)
710756a9 573{
2afaee51
BK		 574 SSL_CTX *cctx = NULL, *sctx = NULL;
575 SSL *clientssl = NULL, *serverssl = NULL;
576 int testctr = 0, testresult = 0;
577
5e30f2fd
MC		 578 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
579 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 580 &sctx, &cctx, cert, privkey)))
2afaee51 581 goto end;
a9c0d8be 582 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 583
2afaee51
BK		 584 /* The gimpy cipher list we configure can't do TLS 1.3. */
585 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 586
710756a9
RS		 587 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
588 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
589 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
590 &clientssl, NULL, NULL))
591 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 592 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 593 /*
594 * Passing a -1 literal is a hack since
595 * the real value was lost.
596 * */
a9c0d8be
DB		 597 || !TEST_int_eq(SSL_get_error(serverssl, -1),
598 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 599 || !TEST_true(create_ssl_connection(serverssl, clientssl,
600 SSL_ERROR_NONE)))
2afaee51 601 goto end;
2afaee51
BK		 602
603 testresult = 1;
604
088dfa13
TS		 605end:
606 SSL_free(serverssl);
607 SSL_free(clientssl);
608 SSL_CTX_free(sctx);
609 SSL_CTX_free(cctx);
610
611 return testresult;
612}
613
614static int test_no_ems(void)
615{
616 SSL_CTX *cctx = NULL, *sctx = NULL;
617 SSL *clientssl = NULL, *serverssl = NULL;
618 int testresult = 0;
619
5e30f2fd 620 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
088dfa13
TS		 621 TLS1_VERSION, TLS1_2_VERSION,
622 &sctx, &cctx, cert, privkey)) {
623 printf("Unable to create SSL_CTX pair\n");
624 goto end;
625 }
626
627 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
628
629 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
630 printf("Unable to create SSL objects\n");
631 goto end;
632 }
633
634 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
635 printf("Creating SSL connection failed\n");
636 goto end;
637 }
638
639 if (SSL_get_extms_support(serverssl)) {
640 printf("Server reports Extended Master Secret support\n");
641 goto end;
642 }
643
644 if (SSL_get_extms_support(clientssl)) {
645 printf("Client reports Extended Master Secret support\n");
646 goto end;
647 }
648 testresult = 1;
649
2afaee51
BK		 650end:
651 SSL_free(serverssl);
652 SSL_free(clientssl);
653 SSL_CTX_free(sctx);
654 SSL_CTX_free(cctx);
655
656 return testresult;
657}
e9ee6536 658#endif
2afaee51 659
3cd14e5e
BK		 660/*
661 * Very focused test to exercise a single case in the server-side state
662 * machine, when the ChangeCipherState message needs to actually change
663 * from one cipher to a different cipher (i.e., not changing from null
b3e6d666 664 * encryption to real encryption).
3cd14e5e
BK		 665 */
666static int test_ccs_change_cipher(void)
667{
668 SSL_CTX *cctx = NULL, *sctx = NULL;
669 SSL *clientssl = NULL, *serverssl = NULL;
670 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
671 int testresult = 0;
672 int i;
673 unsigned char buf;
674 size_t readbytes;
675
676 /*
677 * Create a conection so we can resume and potentially (but not) use
678 * a different cipher in the second connection.
679 */
5e30f2fd 680 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3cd14e5e
BK		 681 TLS_client_method(),
682 TLS1_VERSION, TLS1_2_VERSION,
683 &sctx, &cctx, cert, privkey))
684 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
685 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
686 NULL, NULL))
687 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
688 || !TEST_true(create_ssl_connection(serverssl, clientssl,
689 SSL_ERROR_NONE))
690 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
691 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
692 goto end;
693
694 shutdown_ssl_connection(serverssl, clientssl);
695 serverssl = clientssl = NULL;
696
697 /* Resume, preferring a different cipher. Our server will force the
698 * same cipher to be used as the initial handshake. */
699 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
700 NULL, NULL))
701 || !TEST_true(SSL_set_session(clientssl, sess))
702 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
703 || !TEST_true(create_ssl_connection(serverssl, clientssl,
704 SSL_ERROR_NONE))
705 || !TEST_true(SSL_session_reused(clientssl))
706 || !TEST_true(SSL_session_reused(serverssl))
707 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
708 || !TEST_ptr_eq(sesspre, sesspost)
709 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
710 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
711 goto end;
712 shutdown_ssl_connection(serverssl, clientssl);
713 serverssl = clientssl = NULL;
714
715 /*
716 * Now create a fresh connection and try to renegotiate a different
717 * cipher on it.
718 */
b3e6d666
BK		 719 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
720 NULL, NULL))
3cd14e5e
BK		 721 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
722 || !TEST_true(create_ssl_connection(serverssl, clientssl,
723 SSL_ERROR_NONE))
724 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
725 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
726 || !TEST_true(SSL_renegotiate(clientssl))
727 || !TEST_true(SSL_renegotiate_pending(clientssl)))
728 goto end;
729 /* Actually drive the renegotiation. */
730 for (i = 0; i < 3; i++) {
731 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
732 if (!TEST_ulong_eq(readbytes, 0))
733 goto end;
734 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
735 SSL_ERROR_WANT_READ)) {
736 goto end;
737 }
738 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
739 if (!TEST_ulong_eq(readbytes, 0))
740 goto end;
741 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
742 SSL_ERROR_WANT_READ)) {
743 goto end;
744 }
745 }
746 /* sesspre and sesspost should be different since the cipher changed. */
747 if (!TEST_false(SSL_renegotiate_pending(clientssl))
748 || !TEST_false(SSL_session_reused(clientssl))
749 || !TEST_false(SSL_session_reused(serverssl))
750 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
751 || !TEST_ptr_ne(sesspre, sesspost)
752 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
753 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
754 goto end;
755
756 shutdown_ssl_connection(serverssl, clientssl);
757 serverssl = clientssl = NULL;
758
759 testresult = 1;
760
761end:
762 SSL_free(serverssl);
763 SSL_free(clientssl);
764 SSL_CTX_free(sctx);
765 SSL_CTX_free(cctx);
766 SSL_SESSION_free(sess);
767
768 return testresult;
769}
770
84d5549e 771static int execute_test_large_message(const SSL_METHOD *smeth,
7d7f6834
RL		 772 const SSL_METHOD *cmeth,
773 int min_version, int max_version,
774 int read_ahead)
84d5549e
MC		 775{
776 SSL_CTX *cctx = NULL, *sctx = NULL;
777 SSL *clientssl = NULL, *serverssl = NULL;
778 int testresult = 0;
779 int i;
710756a9 780 BIO *certbio = NULL;
84d5549e
MC		 781 X509 *chaincert = NULL;
782 int certlen;
783
710756a9 784 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
84d5549e 785 goto end;
84d5549e 786 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
fa454945
MC		 787 BIO_free(certbio);
788 certbio = NULL;
710756a9 789 if (!TEST_ptr(chaincert))
fa454945 790 goto end;
84d5549e 791
5e30f2fd
MC		 792 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
793 max_version, &sctx, &cctx, cert,
794 privkey)))
84d5549e 795 goto end;
84d5549e 796
710756a9 797 if (read_ahead) {
7856332e
MC		 798 /*
799 * Test that read_ahead works correctly when dealing with large
800 * records
801 */
802 SSL_CTX_set_read_ahead(cctx, 1);
803 }
804
84d5549e
MC		 805 /*
806 * We assume the supplied certificate is big enough so that if we add
807 * NUM_EXTRA_CERTS it will make the overall message large enough. The
808 * default buffer size is requested to be 16k, but due to the way BUF_MEM
710756a9
RS		 809 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
810 * test we need to have a message larger than that.
84d5549e
MC		 811 */
812 certlen = i2d_X509(chaincert, NULL);
710756a9
RS		 813 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
814 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
84d5549e 815 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
710756a9 816 if (!X509_up_ref(chaincert))
84d5549e 817 goto end;
84d5549e 818 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
84d5549e
MC		 819 X509_free(chaincert);
820 goto end;
821 }
822 }
823
710756a9
RS		 824 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
825 NULL, NULL))
826 || !TEST_true(create_ssl_connection(serverssl, clientssl,
827 SSL_ERROR_NONE)))
84d5549e 828 goto end;
84d5549e 829
4bf08600
MC		 830 /*
831 * Calling SSL_clear() first is not required but this tests that SSL_clear()
742ccab3 832 * doesn't leak.
4bf08600 833 */
710756a9 834 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 835 goto end;
84d5549e 836
4bf08600 837 testresult = 1;
84d5549e
MC		 838 end:
839 X509_free(chaincert);
840 SSL_free(serverssl);
841 SSL_free(clientssl);
842 SSL_CTX_free(sctx);
843 SSL_CTX_free(cctx);
844
845 return testresult;
846}
847
5e9072ed
MC		 848#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
849 && !defined(OPENSSL_NO_SOCK)
fe5d9450
BP		 850
851/* sock must be connected */
852static int ktls_chk_platform(int sock)
853{
854 if (!ktls_enable(sock))
855 return 0;
856 return 1;
857}
858
859static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd)
860{
861 static char count = 1;
862 unsigned char cbuf[16000] = {0};
863 unsigned char sbuf[16000];
864 size_t err = 0;
865 char crec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
866 char crec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
2fab79af
BP		 867 char crec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
868 char crec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
fe5d9450
BP		 869 char srec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
870 char srec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
871 char srec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
872 char srec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
873
874 cbuf[0] = count++;
875 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence,
876 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
2fab79af
BP		 877 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence,
878 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
fe5d9450
BP		 879 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence,
880 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
881 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence,
882 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
883
884 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
885 goto end;
886
887 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
888 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
889 goto end;
890 }
891 }
892
893 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
894 goto end;
895
896 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
897 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
898 goto end;
899 }
900 }
901
902 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence,
903 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
2fab79af
BP		 904 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence,
905 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
fe5d9450
BP		 906 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence,
907 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
908 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence,
909 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
910
911 /* verify the payload */
912 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
913 goto end;
914
915 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
916 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
917 if (!TEST_mem_ne(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
918 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
919 goto end;
920 } else {
921 if (!TEST_mem_eq(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
922 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
923 goto end;
924 }
925
926 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
927 if (!TEST_mem_ne(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
928 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
929 goto end;
930 } else {
931 if (!TEST_mem_eq(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
932 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
933 goto end;
934 }
935
2fab79af
BP		 936 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
937 if (!TEST_mem_ne(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
938 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
939 goto end;
940 } else {
941 if (!TEST_mem_eq(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
942 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
943 goto end;
944 }
945
946 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
947 if (!TEST_mem_ne(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
948 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
949 goto end;
950 } else {
951 if (!TEST_mem_eq(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
952 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
953 goto end;
954 }
fe5d9450
BP		 955
956 return 1;
957end:
958 return 0;
959}
960
2fab79af
BP		 961static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
962 int sis_ktls_tx, int sis_ktls_rx)
fe5d9450
BP		 963{
964 SSL_CTX *cctx = NULL, *sctx = NULL;
965 SSL *clientssl = NULL, *serverssl = NULL;
966 int testresult = 0;
967 int cfd, sfd;
968
969 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
970 goto end;
971
972 /* Skip this test if the platform does not support ktls */
973 if (!ktls_chk_platform(cfd))
974 return 1;
975
976 /* Create a session based on SHA-256 */
5e30f2fd 977 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fe5d9450
BP		 978 TLS_client_method(),
979 TLS1_2_VERSION, TLS1_2_VERSION,
980 &sctx, &cctx, cert, privkey))
981 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
982 "AES128-GCM-SHA256"))
983 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
984 &clientssl, sfd, cfd)))
985 goto end;
986
987 if (!cis_ktls_tx) {
988 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
989 goto end;
990 }
991
992 if (!sis_ktls_tx) {
993 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
994 goto end;
995 }
996
2fab79af
BP		 997 if (!cis_ktls_rx) {
998 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
999 goto end;
1000 }
1001
1002 if (!sis_ktls_rx) {
1003 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
1004 goto end;
1005 }
1006
fe5d9450
BP		 1007 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1008 SSL_ERROR_NONE)))
1009 goto end;
1010
1011 if (!cis_ktls_tx) {
1012 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1013 goto end;
1014 } else {
1015 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
1016 goto end;
1017 }
1018
1019 if (!sis_ktls_tx) {
1020 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1021 goto end;
1022 } else {
1023 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1024 goto end;
1025 }
1026
2fab79af
BP		 1027 if (!cis_ktls_rx) {
1028 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1029 goto end;
1030 } else {
1031 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
1032 goto end;
1033 }
1034
1035 if (!sis_ktls_rx) {
1036 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1037 goto end;
1038 } else {
1039 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
1040 goto end;
1041 }
1042
fe5d9450
BP		 1043 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd)))
1044 goto end;
1045
1046 testresult = 1;
1047end:
1048 if (clientssl) {
1049 SSL_shutdown(clientssl);
1050 SSL_free(clientssl);
1051 }
1052 if (serverssl) {
1053 SSL_shutdown(serverssl);
1054 SSL_free(serverssl);
1055 }
1056 SSL_CTX_free(sctx);
1057 SSL_CTX_free(cctx);
1058 serverssl = clientssl = NULL;
1059 return testresult;
1060}
1061
7c3a7561
BP		 1062#define SENDFILE_SZ (16 * 4096)
1063#define SENDFILE_CHUNK (4 * 4096)
1064#define min(a,b) ((a) > (b) ? (b) : (a))
1065
1066static int test_ktls_sendfile(void)
1067{
1068 SSL_CTX *cctx = NULL, *sctx = NULL;
1069 SSL *clientssl = NULL, *serverssl = NULL;
1070 unsigned char *buf, *buf_dst;
1071 BIO *out = NULL, *in = NULL;
1072 int cfd, sfd, ffd, err;
1073 ssize_t chunk_size = 0;
1074 off_t chunk_off = 0;
1075 int testresult = 0;
1076 FILE *ffdp;
1077
1078 buf = OPENSSL_zalloc(SENDFILE_SZ);
1079 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1080 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1081 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1082 goto end;
1083
1084 /* Skip this test if the platform does not support ktls */
1085 if (!ktls_chk_platform(sfd)) {
1086 testresult = 1;
1087 goto end;
1088 }
1089
1090 /* Create a session based on SHA-256 */
5e30f2fd 1091 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7c3a7561
BP		 1092 TLS_client_method(),
1093 TLS1_2_VERSION, TLS1_2_VERSION,
1094 &sctx, &cctx, cert, privkey))
1095 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1096 "AES128-GCM-SHA256"))
1097 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1098 &clientssl, sfd, cfd)))
1099 goto end;
1100
1101 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1102 SSL_ERROR_NONE))
1103 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1104 goto end;
1105
1106 RAND_bytes(buf, SENDFILE_SZ);
1107 out = BIO_new_file(tmpfilename, "wb");
1108 if (!TEST_ptr(out))
1109 goto end;
1110
1111 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1112 goto end;
1113
1114 BIO_free(out);
1115 out = NULL;
1116 in = BIO_new_file(tmpfilename, "rb");
1117 BIO_get_fp(in, &ffdp);
1118 ffd = fileno(ffdp);
1119
1120 while (chunk_off < SENDFILE_SZ) {
1121 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1122 while ((err = SSL_sendfile(serverssl,
1123 ffd,
1124 chunk_off,
1125 chunk_size,
1126 0)) != chunk_size) {
1127 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1128 goto end;
1129 }
1130 while ((err = SSL_read(clientssl,
1131 buf_dst + chunk_off,
1132 chunk_size)) != chunk_size) {
1133 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1134 goto end;
1135 }
1136
1137 /* verify the payload */
1138 if (!TEST_mem_eq(buf_dst + chunk_off,
1139 chunk_size,
1140 buf + chunk_off,
1141 chunk_size))
1142 goto end;
1143
1144 chunk_off += chunk_size;
1145 }
1146
1147 testresult = 1;
1148end:
1149 if (clientssl) {
1150 SSL_shutdown(clientssl);
1151 SSL_free(clientssl);
1152 }
1153 if (serverssl) {
1154 SSL_shutdown(serverssl);
1155 SSL_free(serverssl);
1156 }
1157 SSL_CTX_free(sctx);
1158 SSL_CTX_free(cctx);
1159 serverssl = clientssl = NULL;
1160 BIO_free(out);
1161 BIO_free(in);
1162 OPENSSL_free(buf);
1163 OPENSSL_free(buf_dst);
1164 return testresult;
1165}
1166
2fab79af
BP		 1167static int test_ktls_no_txrx_client_no_txrx_server(void)
1168{
1169 return execute_test_ktls(0, 0, 0, 0);
1170}
1171
1172static int test_ktls_no_rx_client_no_txrx_server(void)
1173{
1174 return execute_test_ktls(1, 0, 0, 0);
1175}
1176
1177static int test_ktls_no_tx_client_no_txrx_server(void)
1178{
1179 return execute_test_ktls(0, 1, 0, 0);
1180}
1181
1182static int test_ktls_client_no_txrx_server(void)
1183{
1184 return execute_test_ktls(1, 1, 0, 0);
1185}
1186
1187static int test_ktls_no_txrx_client_no_rx_server(void)
1188{
1189 return execute_test_ktls(0, 0, 1, 0);
1190}
1191
1192static int test_ktls_no_rx_client_no_rx_server(void)
1193{
1194 return execute_test_ktls(1, 0, 1, 0);
1195}
1196
1197static int test_ktls_no_tx_client_no_rx_server(void)
1198{
1199 return execute_test_ktls(0, 1, 1, 0);
1200}
1201
1202static int test_ktls_client_no_rx_server(void)
fe5d9450 1203{
2fab79af 1204 return execute_test_ktls(1, 1, 1, 0);
fe5d9450
BP		 1205}
1206
2fab79af 1207static int test_ktls_no_txrx_client_no_tx_server(void)
fe5d9450 1208{
2fab79af 1209 return execute_test_ktls(0, 0, 0, 1);
fe5d9450
BP		 1210}
1211
2fab79af 1212static int test_ktls_no_rx_client_no_tx_server(void)
fe5d9450 1213{
2fab79af 1214 return execute_test_ktls(1, 0, 0, 1);
fe5d9450
BP		 1215}
1216
2fab79af
BP		 1217static int test_ktls_no_tx_client_no_tx_server(void)
1218{
1219 return execute_test_ktls(0, 1, 0, 1);
1220}
1221
1222static int test_ktls_client_no_tx_server(void)
1223{
1224 return execute_test_ktls(1, 1, 0, 1);
1225}
1226
1227static int test_ktls_no_txrx_client_server(void)
1228{
1229 return execute_test_ktls(0, 0, 1, 1);
1230}
1231
1232static int test_ktls_no_rx_client_server(void)
1233{
1234 return execute_test_ktls(1, 0, 1, 1);
1235}
1236
1237static int test_ktls_no_tx_client_server(void)
1238{
1239 return execute_test_ktls(0, 1, 1, 1);
1240}
1241
1242static int test_ktls_client_server(void)
fe5d9450 1243{
2fab79af 1244 return execute_test_ktls(1, 1, 1, 1);
fe5d9450 1245}
fe5d9450
BP		 1246#endif
1247
84d5549e
MC		 1248static int test_large_message_tls(void)
1249{
7856332e 1250 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1251 TLS1_VERSION, 0, 0);
7856332e
MC		 1252}
1253
1254static int test_large_message_tls_read_ahead(void)
1255{
1256 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1257 TLS1_VERSION, 0, 1);
84d5549e
MC		 1258}
1259
55386bef 1260#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 1261static int test_large_message_dtls(void)
1262{
7856332e
MC		 1263 /*
1264 * read_ahead is not relevant to DTLS because DTLS always acts as if
1265 * read_ahead is set.
1266 */
84d5549e 1267 return execute_test_large_message(DTLS_server_method(),
7d7f6834 1268 DTLS_client_method(),
5c587fb6 1269 DTLS1_VERSION, 0, 0);
84d5549e 1270}
55386bef 1271#endif
84d5549e 1272
8f8c11d8 1273#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 1274static int ocsp_server_cb(SSL *s, void *arg)
1275{
1276 int *argi = (int *)arg;
710756a9 1277 unsigned char *copy = NULL;
ba881d3b
MC		 1278 STACK_OF(OCSP_RESPID) *ids = NULL;
1279 OCSP_RESPID *id = NULL;
1280
1281 if (*argi == 2) {
1282 /* In this test we are expecting exactly 1 OCSP_RESPID */
1283 SSL_get_tlsext_status_ids(s, &ids);
1284 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1285 return SSL_TLSEXT_ERR_ALERT_FATAL;
1286
1287 id = sk_OCSP_RESPID_value(ids, 0);
5e30f2fd 1288 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
ba881d3b
MC		 1289 return SSL_TLSEXT_ERR_ALERT_FATAL;
1290 } else if (*argi != 1) {
1291 return SSL_TLSEXT_ERR_ALERT_FATAL;
1292 }
1293
710756a9 1294 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 1295 return SSL_TLSEXT_ERR_ALERT_FATAL;
1296
710756a9 1297 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
ba881d3b 1298 ocsp_server_called = 1;
ba881d3b
MC		 1299 return SSL_TLSEXT_ERR_OK;
1300}
1301
1302static int ocsp_client_cb(SSL *s, void *arg)
1303{
1304 int *argi = (int *)arg;
1305 const unsigned char *respderin;
1306 size_t len;
1307
1308 if (*argi != 1 && *argi != 2)
1309 return 0;
1310
1311 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 1312 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 1313 return 0;
1314
1315 ocsp_client_called = 1;
ba881d3b
MC		 1316 return 1;
1317}
1318
2cb4b5f6
MC		 1319static int test_tlsext_status_type(void)
1320{
ba881d3b
MC		 1321 SSL_CTX *cctx = NULL, *sctx = NULL;
1322 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 1323 int testresult = 0;
ba881d3b
MC		 1324 STACK_OF(OCSP_RESPID) *ids = NULL;
1325 OCSP_RESPID *id = NULL;
1326 BIO *certbio = NULL;
2cb4b5f6 1327
5e30f2fd 1328 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
5c587fb6 1329 TLS1_VERSION, 0,
7d7f6834 1330 &sctx, &cctx, cert, privkey))
ba881d3b 1331 return 0;
2cb4b5f6 1332
710756a9 1333 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 1334 goto end;
2cb4b5f6 1335
ba881d3b 1336 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 1337
ba881d3b 1338 clientssl = SSL_new(cctx);
710756a9
RS		 1339 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1340 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1341 TLSEXT_STATUSTYPE_ocsp))
1342 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1343 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 1344 goto end;
2cb4b5f6 1345
ba881d3b
MC		 1346 SSL_free(clientssl);
1347 clientssl = NULL;
2cb4b5f6 1348
710756a9
RS		 1349 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1350 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1351 goto end;
2cb4b5f6 1352
ba881d3b 1353 clientssl = SSL_new(cctx);
710756a9 1354 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1355 goto end;
ba881d3b
MC		 1356 SSL_free(clientssl);
1357 clientssl = NULL;
1358
1359 /*
1360 * Now actually do a handshake and check OCSP information is exchanged and
1361 * the callbacks get called
1362 */
ba881d3b
MC		 1363 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1364 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1365 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1366 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 1367 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1368 &clientssl, NULL, NULL))
1369 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1370 SSL_ERROR_NONE))
1371 || !TEST_true(ocsp_client_called)
1372 || !TEST_true(ocsp_server_called))
ba881d3b 1373 goto end;
ba881d3b
MC		 1374 SSL_free(serverssl);
1375 SSL_free(clientssl);
1376 serverssl = NULL;
1377 clientssl = NULL;
1378
1379 /* Try again but this time force the server side callback to fail */
1380 ocsp_client_called = 0;
1381 ocsp_server_called = 0;
1382 cdummyarg = 0;
710756a9
RS		 1383 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1384 &clientssl, NULL, NULL))
1385 /* This should fail because the callback will fail */
1386 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1387 SSL_ERROR_NONE))
1388 || !TEST_false(ocsp_client_called)
1389 || !TEST_false(ocsp_server_called))
ba881d3b 1390 goto end;
ba881d3b
MC		 1391 SSL_free(serverssl);
1392 SSL_free(clientssl);
1393 serverssl = NULL;
1394 clientssl = NULL;
1395
1396 /*
1397 * This time we'll get the client to send an OCSP_RESPID that it will
1398 * accept.
1399 */
1400 ocsp_client_called = 0;
1401 ocsp_server_called = 0;
1402 cdummyarg = 2;
710756a9
RS		 1403 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1404 &clientssl, NULL, NULL)))
ba881d3b 1405 goto end;
ba881d3b
MC		 1406
1407 /*
1408 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 1409 * specific one. We'll use the server cert.
ba881d3b 1410 */
710756a9
RS		 1411 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1412 || !TEST_ptr(id = OCSP_RESPID_new())
1413 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1414 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
1415 NULL, NULL, NULL))
5e30f2fd 1416 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
710756a9 1417 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 1418 goto end;
ba881d3b
MC		 1419 id = NULL;
1420 SSL_set_tlsext_status_ids(clientssl, ids);
1421 /* Control has been transferred */
1422 ids = NULL;
1423
1424 BIO_free(certbio);
1425 certbio = NULL;
1426
710756a9
RS		 1427 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1428 SSL_ERROR_NONE))
1429 || !TEST_true(ocsp_client_called)
1430 || !TEST_true(ocsp_server_called))
ba881d3b 1431 goto end;
ba881d3b 1432
2cb4b5f6
MC		 1433 testresult = 1;
1434
1435 end:
ba881d3b
MC		 1436 SSL_free(serverssl);
1437 SSL_free(clientssl);
1438 SSL_CTX_free(sctx);
1439 SSL_CTX_free(cctx);
1440 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1441 OCSP_RESPID_free(id);
1442 BIO_free(certbio);
1443 X509_free(ocspcert);
1444 ocspcert = NULL;
2cb4b5f6
MC		 1445
1446 return testresult;
1447}
8f8c11d8 1448#endif
2cb4b5f6 1449
bf208d95 1450#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 1451static int new_called, remove_called, get_called;
eaa776da 1452
eaa776da
MC		 1453static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1454{
1455 new_called++;
c0537ebd
MC		 1456 /*
1457 * sess has been up-refed for us, but we don't actually need it so free it
1458 * immediately.
1459 */
1460 SSL_SESSION_free(sess);
eaa776da
MC		 1461 return 1;
1462}
1463
1464static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1465{
1466 remove_called++;
1467}
1468
7a301f08
MC		 1469static SSL_SESSION *get_sess_val = NULL;
1470
1471static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1472 int *copy)
1473{
0afca811 1474 get_called++;
7a301f08
MC		 1475 *copy = 1;
1476 return get_sess_val;
1477}
1478
7a301f08
MC		 1479static int execute_test_session(int maxprot, int use_int_cache,
1480 int use_ext_cache)
2cb4b5f6
MC		 1481{
1482 SSL_CTX *sctx = NULL, *cctx = NULL;
1483 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1484 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 1485# ifndef OPENSSL_NO_TLS1_1
eaa776da 1486 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 1487# endif
2cb4b5f6 1488 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
36ff232c 1489 int testresult = 0, numnewsesstick = 1;
2cb4b5f6 1490
7e885b7b
P		 1491 new_called = remove_called = 0;
1492
36ff232c
MC		 1493 /* TLSv1.3 sends 2 NewSessionTickets */
1494 if (maxprot == TLS1_3_VERSION)
1495 numnewsesstick = 2;
1496
5e30f2fd
MC		 1497 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1498 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 1499 &sctx, &cctx, cert, privkey)))
2cb4b5f6 1500 return 0;
2cb4b5f6 1501
7a301f08
MC		 1502 /*
1503 * Only allow the max protocol version so we can force a connection failure
1504 * later
1505 */
1506 SSL_CTX_set_min_proto_version(cctx, maxprot);
1507 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 1508
1509 /* Set up session cache */
7e885b7b 1510 if (use_ext_cache) {
eaa776da
MC		 1511 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1512 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1513 }
7e885b7b 1514 if (use_int_cache) {
eaa776da
MC		 1515 /* Also covers instance where both are set */
1516 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1517 } else {
1518 SSL_CTX_set_session_cache_mode(cctx,
1519 SSL_SESS_CACHE_CLIENT
1520 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1521 }
2cb4b5f6 1522
710756a9
RS		 1523 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1524 NULL, NULL))
1525 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1526 SSL_ERROR_NONE))
1527 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 1528 goto end;
2cb4b5f6 1529
710756a9 1530 /* Should fail because it should already be in the cache */
7e885b7b 1531 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 1532 goto end;
7a301f08 1533 if (use_ext_cache
36ff232c
MC		 1534 && (!TEST_int_eq(new_called, numnewsesstick)
1535
1536 || !TEST_int_eq(remove_called, 0)))
b4982125 1537 goto end;
b4982125 1538
c0537ebd
MC		 1539 new_called = remove_called = 0;
1540 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1541 &clientssl2, NULL, NULL))
1542 || !TEST_true(SSL_set_session(clientssl2, sess1))
1543 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1544 SSL_ERROR_NONE))
1545 || !TEST_true(SSL_session_reused(clientssl2)))
1546 goto end;
1547
7a301f08
MC		 1548 if (maxprot == TLS1_3_VERSION) {
1549 /*
1550 * In TLSv1.3 we should have created a new session even though we have
4cb00457
MC		 1551 * resumed. Since we attempted a resume we should also have removed the
1552 * old ticket from the cache so that we try to only use tickets once.
7a301f08
MC		 1553 */
1554 if (use_ext_cache
1555 && (!TEST_int_eq(new_called, 1)
4cb00457 1556 || !TEST_int_eq(remove_called, 1)))
7a301f08
MC		 1557 goto end;
1558 } else {
1559 /*
1560 * In TLSv1.2 we expect to have resumed so no sessions added or
1561 * removed.
1562 */
1563 if (use_ext_cache
1564 && (!TEST_int_eq(new_called, 0)
1565 || !TEST_int_eq(remove_called, 0)))
1566 goto end;
1567 }
c0537ebd
MC		 1568
1569 SSL_SESSION_free(sess1);
1570 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1571 goto end;
1572 shutdown_ssl_connection(serverssl2, clientssl2);
1573 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 1574
1575 new_called = remove_called = 0;
710756a9
RS		 1576 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1577 &clientssl2, NULL, NULL))
1578 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1579 SSL_ERROR_NONE)))
2cb4b5f6 1580 goto end;
2cb4b5f6 1581
710756a9 1582 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 1583 goto end;
2cb4b5f6 1584
7a301f08 1585 if (use_ext_cache
36ff232c
MC		 1586 && (!TEST_int_eq(new_called, numnewsesstick)
1587 || !TEST_int_eq(remove_called, 0)))
eaa776da 1588 goto end;
eaa776da 1589
c0537ebd 1590 new_called = remove_called = 0;
2cb4b5f6 1591 /*
710756a9
RS		 1592 * This should clear sess2 from the cache because it is a "bad" session.
1593 * See SSL_set_session() documentation.
2cb4b5f6 1594 */
710756a9 1595 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 1596 goto end;
7a301f08
MC		 1597 if (use_ext_cache
1598 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 1599 goto end;
710756a9 1600 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 1601 goto end;
2cb4b5f6 1602
7e885b7b 1603 if (use_int_cache) {
710756a9
RS		 1604 /* Should succeeded because it should not already be in the cache */
1605 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1606 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 1607 goto end;
eaa776da
MC		 1608 }
1609
c0537ebd 1610 new_called = remove_called = 0;
eaa776da 1611 /* This shouldn't be in the cache so should fail */
710756a9 1612 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 1613 goto end;
2cb4b5f6 1614
7a301f08
MC		 1615 if (use_ext_cache
1616 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1617 goto end;
2cb4b5f6 1618
bf208d95 1619# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 1620 new_called = remove_called = 0;
eaa776da
MC		 1621 /* Force a connection failure */
1622 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 1623 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1624 &clientssl3, NULL, NULL))
1625 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 1626 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 1627 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1628 SSL_ERROR_NONE)))
eaa776da 1629 goto end;
b4982125 1630
eaa776da 1631 /* We should have automatically removed the session from the cache */
7a301f08
MC		 1632 if (use_ext_cache
1633 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1634 goto end;
2cb4b5f6 1635
710756a9 1636 /* Should succeed because it should not already be in the cache */
7e885b7b 1637 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 1638 goto end;
bf208d95 1639# endif
eaa776da 1640
7a301f08
MC		 1641 /* Now do some tests for server side caching */
1642 if (use_ext_cache) {
1643 SSL_CTX_sess_set_new_cb(cctx, NULL);
1644 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1645 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1646 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1647 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1648 get_sess_val = NULL;
1649 }
1650
1651 SSL_CTX_set_session_cache_mode(cctx, 0);
1652 /* Internal caching is the default on the server side */
1653 if (!use_int_cache)
1654 SSL_CTX_set_session_cache_mode(sctx,
1655 SSL_SESS_CACHE_SERVER
1656 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1657
1658 SSL_free(serverssl1);
1659 SSL_free(clientssl1);
1660 serverssl1 = clientssl1 = NULL;
1661 SSL_free(serverssl2);
1662 SSL_free(clientssl2);
1663 serverssl2 = clientssl2 = NULL;
1664 SSL_SESSION_free(sess1);
1665 sess1 = NULL;
1666 SSL_SESSION_free(sess2);
1667 sess2 = NULL;
1668
1669 SSL_CTX_set_max_proto_version(sctx, maxprot);
6cc0b3c2
MC		 1670 if (maxprot == TLS1_2_VERSION)
1671 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 1672 new_called = remove_called = get_called = 0;
7a301f08
MC		 1673 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1674 NULL, NULL))
1675 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1676 SSL_ERROR_NONE))
1677 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1678 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1679 goto end;
1680
ee94ec2e
MC		 1681 if (use_int_cache) {
1682 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1683 /*
1684 * In TLSv1.3 it should not have been added to the internal cache,
1685 * except in the case where we also have an external cache (in that
1686 * case it gets added to the cache in order to generate remove
1687 * events after timeout).
1688 */
1689 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1690 goto end;
1691 } else {
1692 /* Should fail because it should already be in the cache */
1693 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1694 goto end;
1695 }
1696 }
7a301f08
MC		 1697
1698 if (use_ext_cache) {
1699 SSL_SESSION *tmp = sess2;
1700
36ff232c 1701 if (!TEST_int_eq(new_called, numnewsesstick)
0afca811
KY		 1702 || !TEST_int_eq(remove_called, 0)
1703 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 1704 goto end;
1705 /*
1706 * Delete the session from the internal cache to force a lookup from
1707 * the external cache. We take a copy first because
1708 * SSL_CTX_remove_session() also marks the session as non-resumable.
1709 */
ee94ec2e 1710 if (use_int_cache && maxprot != TLS1_3_VERSION) {
3cb6a4d6
BK		 1711 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1712 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1713 goto end;
1714 SSL_SESSION_free(sess2);
1715 }
7a301f08
MC		 1716 sess2 = tmp;
1717 }
1718
0afca811 1719 new_called = remove_called = get_called = 0;
7a301f08
MC		 1720 get_sess_val = sess2;
1721 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1722 &clientssl2, NULL, NULL))
1723 || !TEST_true(SSL_set_session(clientssl2, sess1))
1724 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1725 SSL_ERROR_NONE))
1726 || !TEST_true(SSL_session_reused(clientssl2)))
1727 goto end;
1728
0afca811 1729 if (use_ext_cache) {
32305f88 1730 if (!TEST_int_eq(remove_called, 0))
0afca811
KY		 1731 goto end;
1732
1733 if (maxprot == TLS1_3_VERSION) {
32305f88
MC		 1734 if (!TEST_int_eq(new_called, 1)
1735 || !TEST_int_eq(get_called, 0))
0afca811
KY		 1736 goto end;
1737 } else {
32305f88
MC		 1738 if (!TEST_int_eq(new_called, 0)
1739 || !TEST_int_eq(get_called, 1))
0afca811
KY		 1740 goto end;
1741 }
1742 }
7a301f08 1743
2cb4b5f6 1744 testresult = 1;
eaa776da 1745
2cb4b5f6
MC		 1746 end:
1747 SSL_free(serverssl1);
1748 SSL_free(clientssl1);
1749 SSL_free(serverssl2);
1750 SSL_free(clientssl2);
bf208d95 1751# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 1752 SSL_free(serverssl3);
1753 SSL_free(clientssl3);
bf208d95 1754# endif
2cb4b5f6
MC		 1755 SSL_SESSION_free(sess1);
1756 SSL_SESSION_free(sess2);
1757 SSL_CTX_free(sctx);
1758 SSL_CTX_free(cctx);
1759
1760 return testresult;
1761}
bf208d95 1762#endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 1763
7fb4c820
MC		 1764static int test_session_with_only_int_cache(void)
1765{
7a301f08
MC		 1766#ifndef OPENSSL_NO_TLS1_3
1767 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1768 return 0;
1769#endif
1770
1771#ifndef OPENSSL_NO_TLS1_2
1772 return execute_test_session(TLS1_2_VERSION, 1, 0);
1773#else
1774 return 1;
1775#endif
eaa776da
MC		 1776}
1777
7fb4c820
MC		 1778static int test_session_with_only_ext_cache(void)
1779{
7a301f08
MC		 1780#ifndef OPENSSL_NO_TLS1_3
1781 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1782 return 0;
1783#endif
1784
1785#ifndef OPENSSL_NO_TLS1_2
1786 return execute_test_session(TLS1_2_VERSION, 0, 1);
1787#else
1788 return 1;
1789#endif
eaa776da
MC		 1790}
1791
7fb4c820
MC		 1792static int test_session_with_both_cache(void)
1793{
7a301f08
MC		 1794#ifndef OPENSSL_NO_TLS1_3
1795 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1796 return 0;
1797#endif
1798
1799#ifndef OPENSSL_NO_TLS1_2
1800 return execute_test_session(TLS1_2_VERSION, 1, 1);
1801#else
1802 return 1;
1803#endif
eaa776da
MC		 1804}
1805
04225915 1806#ifndef OPENSSL_NO_TLS1_3
c22365b3
MC		 1807static SSL_SESSION *sesscache[6];
1808static int do_cache;
36ff232c
MC		 1809
1810static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1811{
c22365b3
MC		 1812 if (do_cache) {
1813 sesscache[new_called] = sess;
1814 } else {
1815 /* We don't need the reference to the session, so free it */
1816 SSL_SESSION_free(sess);
1817 }
1818 new_called++;
1819
1820 return 1;
1821}
1822
1823static int post_handshake_verify(SSL *sssl, SSL *cssl)
1824{
1825 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1826 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1827 return 0;
1828
1829 /* Start handshake on the server and client */
1830 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1831 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1832 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1833 || !TEST_true(create_ssl_connection(sssl, cssl,
1834 SSL_ERROR_NONE)))
1835 return 0;
36ff232c
MC		 1836
1837 return 1;
1838}
1839
fbe9dafd 1840static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
03cdf559
MC		 1841 SSL_CTX **cctx)
1842{
1843 int sess_id_ctx = 1;
1844
5e30f2fd
MC		 1845 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1846 TLS_client_method(), TLS1_VERSION, 0,
1847 sctx, cctx, cert, privkey))
03cdf559
MC		 1848 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1849 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1850 (void *)&sess_id_ctx,
1851 sizeof(sess_id_ctx))))
1852 return 0;
1853
1854 if (stateful)
1855 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1856
1857 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1858 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1859 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1860
1861 return 1;
1862}
1863
1864static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1865{
1866 SSL *serverssl = NULL, *clientssl = NULL;
1867 int i;
1868
1869 /* Test that we can resume with all the tickets we got given */
1870 for (i = 0; i < idx * 2; i++) {
1871 new_called = 0;
1872 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1873 &clientssl, NULL, NULL))
1874 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1875 goto end;
1876
32097b33 1877 SSL_set_post_handshake_auth(clientssl, 1);
03cdf559
MC		 1878
1879 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1880 SSL_ERROR_NONE)))
1881 goto end;
1882
1883 /*
1884 * Following a successful resumption we only get 1 ticket. After a
1885 * failed one we should get idx tickets.
1886 */
1887 if (succ) {
1888 if (!TEST_true(SSL_session_reused(clientssl))
1889 || !TEST_int_eq(new_called, 1))
1890 goto end;
1891 } else {
1892 if (!TEST_false(SSL_session_reused(clientssl))
1893 || !TEST_int_eq(new_called, idx))
1894 goto end;
1895 }
1896
1897 new_called = 0;
1898 /* After a post-handshake authentication we should get 1 new ticket */
1899 if (succ
1900 && (!post_handshake_verify(serverssl, clientssl)
1901 || !TEST_int_eq(new_called, 1)))
1902 goto end;
1903
1904 SSL_shutdown(clientssl);
1905 SSL_shutdown(serverssl);
1906 SSL_free(serverssl);
1907 SSL_free(clientssl);
1908 serverssl = clientssl = NULL;
1909 SSL_SESSION_free(sesscache[i]);
1910 sesscache[i] = NULL;
1911 }
1912
1913 return 1;
1914
1915 end:
1916 SSL_free(clientssl);
1917 SSL_free(serverssl);
1918 return 0;
1919}
1920
04d7814a 1921static int test_tickets(int stateful, int idx)
36ff232c
MC		 1922{
1923 SSL_CTX *sctx = NULL, *cctx = NULL;
1924 SSL *serverssl = NULL, *clientssl = NULL;
03cdf559 1925 int testresult = 0;
36ff232c
MC		 1926 size_t j;
1927
1928 /* idx is the test number, but also the number of tickets we want */
1929
1930 new_called = 0;
c22365b3 1931 do_cache = 1;
36ff232c 1932
fbe9dafd 1933 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
36ff232c
MC		 1934 goto end;
1935
03cdf559
MC		 1936 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1937 &clientssl, NULL, NULL)))
1938 goto end;
1939
1940 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1941 SSL_ERROR_NONE))
1942 /* Check we got the number of tickets we were expecting */
1943 || !TEST_int_eq(idx, new_called))
1944 goto end;
04d7814a 1945
03cdf559
MC		 1946 SSL_shutdown(clientssl);
1947 SSL_shutdown(serverssl);
1948 SSL_free(serverssl);
1949 SSL_free(clientssl);
1950 SSL_CTX_free(sctx);
1951 SSL_CTX_free(cctx);
1952 clientssl = serverssl = NULL;
1953 sctx = cctx = NULL;
1954
1955 /*
1956 * Now we try to resume with the tickets we previously created. The
1957 * resumption attempt is expected to fail (because we're now using a new
1958 * SSL_CTX). We should see idx number of tickets issued again.
1959 */
1960
1961 /* Stop caching sessions - just count them */
1962 do_cache = 0;
1963
fbe9dafd 1964 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559
MC		 1965 goto end;
1966
1967 if (!check_resumption(idx, sctx, cctx, 0))
1968 goto end;
1969
1970 /* Start again with caching sessions */
1971 new_called = 0;
1972 do_cache = 1;
fbe9dafd
MC		 1973 SSL_CTX_free(sctx);
1974 SSL_CTX_free(cctx);
1975 sctx = cctx = NULL;
03cdf559 1976
fbe9dafd 1977 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559 1978 goto end;
36ff232c
MC		 1979
1980 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1981 &clientssl, NULL, NULL)))
1982 goto end;
1983
32097b33 1984 SSL_set_post_handshake_auth(clientssl, 1);
36ff232c
MC		 1985
1986 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1987 SSL_ERROR_NONE))
1988 /* Check we got the number of tickets we were expecting */
1989 || !TEST_int_eq(idx, new_called))
1990 goto end;
1991
1992 /* After a post-handshake authentication we should get new tickets issued */
c22365b3 1993 if (!post_handshake_verify(serverssl, clientssl)
36ff232c
MC		 1994 || !TEST_int_eq(idx * 2, new_called))
1995 goto end;
1996
36ff232c
MC		 1997 SSL_shutdown(clientssl);
1998 SSL_shutdown(serverssl);
1999 SSL_free(serverssl);
2000 SSL_free(clientssl);
2001 serverssl = clientssl = NULL;
2002
c22365b3
MC		 2003 /* Stop caching sessions - just count them */
2004 do_cache = 0;
2005
03cdf559
MC		 2006 /*
2007 * Check we can resume with all the tickets we created. This time around the
2008 * resumptions should all be successful.
2009 */
2010 if (!check_resumption(idx, sctx, cctx, 1))
2011 goto end;
36ff232c
MC		 2012
2013 testresult = 1;
2014
2015 end:
2016 SSL_free(serverssl);
2017 SSL_free(clientssl);
c22365b3 2018 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
36ff232c 2019 SSL_SESSION_free(sesscache[j]);
c22365b3
MC		 2020 sesscache[j] = NULL;
2021 }
36ff232c
MC		 2022 SSL_CTX_free(sctx);
2023 SSL_CTX_free(cctx);
2024
2025 return testresult;
2026}
04d7814a
MC		 2027
2028static int test_stateless_tickets(int idx)
2029{
2030 return test_tickets(0, idx);
2031}
2032
2033static int test_stateful_tickets(int idx)
2034{
2035 return test_tickets(1, idx);
2036}
8614a4eb
MC		 2037
2038static int test_psk_tickets(void)
2039{
2040 SSL_CTX *sctx = NULL, *cctx = NULL;
2041 SSL *serverssl = NULL, *clientssl = NULL;
2042 int testresult = 0;
2043 int sess_id_ctx = 1;
2044
5e30f2fd
MC		 2045 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2046 TLS_client_method(), TLS1_VERSION, 0,
2047 &sctx, &cctx, NULL, NULL))
8614a4eb
MC		 2048 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2049 (void *)&sess_id_ctx,
2050 sizeof(sess_id_ctx))))
2051 goto end;
2052
2053 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2054 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2055 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2056 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2057 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2058 use_session_cb_cnt = 0;
2059 find_session_cb_cnt = 0;
2060 srvid = pskid;
2061 new_called = 0;
2062
2063 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2064 NULL, NULL)))
2065 goto end;
2066 clientpsk = serverpsk = create_a_psk(clientssl);
2067 if (!TEST_ptr(clientpsk))
2068 goto end;
2069 SSL_SESSION_up_ref(clientpsk);
2070
2071 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2072 SSL_ERROR_NONE))
2073 || !TEST_int_eq(1, find_session_cb_cnt)
2074 || !TEST_int_eq(1, use_session_cb_cnt)
2075 /* We should always get 1 ticket when using external PSK */
2076 || !TEST_int_eq(1, new_called))
2077 goto end;
2078
2079 testresult = 1;
2080
2081 end:
2082 SSL_free(serverssl);
2083 SSL_free(clientssl);
2084 SSL_CTX_free(sctx);
2085 SSL_CTX_free(cctx);
2086 SSL_SESSION_free(clientpsk);
2087 SSL_SESSION_free(serverpsk);
2088 clientpsk = serverpsk = NULL;
2089
2090 return testresult;
2091}
04225915 2092#endif
36ff232c 2093
7d4488bb
MC		 2094#define USE_NULL 0
2095#define USE_BIO_1 1
2096#define USE_BIO_2 2
2097#define USE_DEFAULT 3
2098
2099#define CONNTYPE_CONNECTION_SUCCESS 0
2100#define CONNTYPE_CONNECTION_FAIL 1
2101#define CONNTYPE_NO_CONNECTION 2
2102
2103#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2104#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2105#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2106# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2107#else
2108# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2109#endif
2110
7d4488bb
MC		 2111#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2112 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2113 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
7fb4c820
MC		 2114
2115static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2116{
2117 switch (type) {
2118 case USE_NULL:
2119 *res = NULL;
2120 break;
2121 case USE_BIO_1:
2122 *res = bio1;
2123 break;
2124 case USE_BIO_2:
2125 *res = bio2;
2126 break;
2127 }
2128}
2129
7d4488bb
MC		 2130
2131/*
2132 * Tests calls to SSL_set_bio() under various conditions.
2133 *
2134 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2135 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2136 * then do more tests where we create a successful connection first using our
2137 * standard connection setup functions, and then call SSL_set_bio() with
2138 * various combinations of valid BIOs or NULL. We then repeat these tests
2139 * following a failed connection. In this last case we are looking to check that
2140 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2141 */
7fb4c820
MC		 2142static int test_ssl_set_bio(int idx)
2143{
7d4488bb 2144 SSL_CTX *sctx = NULL, *cctx = NULL;
7fb4c820
MC		 2145 BIO *bio1 = NULL;
2146 BIO *bio2 = NULL;
0fae8150 2147 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7d4488bb
MC		 2148 SSL *serverssl = NULL, *clientssl = NULL;
2149 int initrbio, initwbio, newrbio, newwbio, conntype;
7fb4c820
MC		 2150 int testresult = 0;
2151
7d4488bb
MC		 2152 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2153 initrbio = idx % 3;
2154 idx /= 3;
2155 initwbio = idx % 3;
2156 idx /= 3;
2157 newrbio = idx % 3;
2158 idx /= 3;
2159 newwbio = idx % 3;
2160 conntype = CONNTYPE_NO_CONNECTION;
2161 } else {
2162 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2163 initrbio = initwbio = USE_DEFAULT;
2164 newrbio = idx % 2;
2165 idx /= 2;
2166 newwbio = idx % 2;
2167 idx /= 2;
2168 conntype = idx % 2;
2169 }
710756a9 2170
5e30f2fd
MC		 2171 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2172 TLS_client_method(), TLS1_VERSION, 0,
7d4488bb
MC		 2173 &sctx, &cctx, cert, privkey)))
2174 goto end;
2175
2176 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2177 /*
2178 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2179 * because we reduced the number of tests in the definition of
2180 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2181 * mismatched protocol versions we will force a connection failure.
2182 */
2183 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2184 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2185 }
2186
2187 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2188 NULL, NULL)))
710756a9 2189 goto end;
7fb4c820 2190
710756a9
RS		 2191 if (initrbio == USE_BIO_1
2192 || initwbio == USE_BIO_1
2193 || newrbio == USE_BIO_1
7fb4c820 2194 || newwbio == USE_BIO_1) {
710756a9 2195 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 2196 goto end;
7fb4c820
MC		 2197 }
2198
710756a9
RS		 2199 if (initrbio == USE_BIO_2
2200 || initwbio == USE_BIO_2
2201 || newrbio == USE_BIO_2
7fb4c820 2202 || newwbio == USE_BIO_2) {
710756a9 2203 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 2204 goto end;
7fb4c820
MC		 2205 }
2206
7d4488bb
MC		 2207 if (initrbio != USE_DEFAULT) {
2208 setupbio(&irbio, bio1, bio2, initrbio);
2209 setupbio(&iwbio, bio1, bio2, initwbio);
2210 SSL_set_bio(clientssl, irbio, iwbio);
7fb4c820 2211
7d4488bb
MC		 2212 /*
2213 * We want to maintain our own refs to these BIO, so do an up ref for
2214 * each BIO that will have ownership transferred in the SSL_set_bio()
2215 * call
2216 */
2217 if (irbio != NULL)
2218 BIO_up_ref(irbio);
2219 if (iwbio != NULL && iwbio != irbio)
2220 BIO_up_ref(iwbio);
2221 }
7fb4c820 2222
7d4488bb
MC		 2223 if (conntype != CONNTYPE_NO_CONNECTION
2224 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2225 SSL_ERROR_NONE)
2226 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2227 goto end;
7fb4c820
MC		 2228
2229 setupbio(&nrbio, bio1, bio2, newrbio);
2230 setupbio(&nwbio, bio1, bio2, newwbio);
2231
2232 /*
2233 * We will (maybe) transfer ownership again so do more up refs.
2234 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2235 * already been set!
2236 */
710756a9
RS		 2237 if (nrbio != NULL
2238 && nrbio != irbio
2239 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 2240 BIO_up_ref(nrbio);
710756a9
RS		 2241 if (nwbio != NULL
2242 && nwbio != nrbio
2243 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 2244 BIO_up_ref(nwbio);
2245
7d4488bb 2246 SSL_set_bio(clientssl, nrbio, nwbio);
7fb4c820
MC		 2247
2248 testresult = 1;
2249
2250 end:
7fb4c820
MC		 2251 BIO_free(bio1);
2252 BIO_free(bio2);
710756a9 2253
7fb4c820
MC		 2254 /*
2255 * This test is checking that the ref counting for SSL_set_bio is correct.
2256 * If we get here and we did too many frees then we will fail in the above
742ccab3 2257 * functions.
7fb4c820 2258 */
7d4488bb
MC		 2259 SSL_free(serverssl);
2260 SSL_free(clientssl);
2261 SSL_CTX_free(sctx);
2262 SSL_CTX_free(cctx);
7fb4c820
MC		 2263 return testresult;
2264}
2265
7e885b7b 2266typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 2267
7e885b7b 2268static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 2269{
2270 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 2271 SSL_CTX *ctx;
9a716987
MC		 2272 SSL *ssl = NULL;
2273 int testresult = 0;
2274
5e30f2fd 2275 if (!TEST_ptr(ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method()))
710756a9
RS		 2276 || !TEST_ptr(ssl = SSL_new(ctx))
2277 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2278 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 2279 goto end;
9a716987
MC		 2280
2281 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2282
2283 /*
742ccab3 2284 * If anything goes wrong here then we could leak memory.
9a716987
MC		 2285 */
2286 BIO_push(sslbio, membio1);
2287
69687aa8 2288 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 2289 if (change_bio != NO_BIO_CHANGE) {
710756a9 2290 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
9a716987 2291 goto end;
7e885b7b 2292 if (change_bio == CHANGE_RBIO)
65e2d672 2293 SSL_set0_rbio(ssl, membio2);
9a716987 2294 else
65e2d672 2295 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 2296 }
2297 ssl = NULL;
2298
7e885b7b 2299 if (pop_ssl)
9a716987
MC		 2300 BIO_pop(sslbio);
2301 else
2302 BIO_pop(membio1);
2303
2304 testresult = 1;
2305 end:
2306 BIO_free(membio1);
2307 BIO_free(sslbio);
2308 SSL_free(ssl);
2309 SSL_CTX_free(ctx);
2310
2311 return testresult;
2312}
2313
2314static int test_ssl_bio_pop_next_bio(void)
2315{
7e885b7b 2316 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 2317}
2318
2319static int test_ssl_bio_pop_ssl_bio(void)
2320{
7e885b7b 2321 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 2322}
2323
2324static int test_ssl_bio_change_rbio(void)
2325{
7e885b7b 2326 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 2327}
2328
2329static int test_ssl_bio_change_wbio(void)
2330{
7e885b7b 2331 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 2332}
2333
c423ecaa 2334#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae
MC		 2335typedef struct {
2336 /* The list of sig algs */
2337 const int *list;
2338 /* The length of the list */
2339 size_t listlen;
2340 /* A sigalgs list in string format */
2341 const char *liststr;
2342 /* Whether setting the list should succeed */
2343 int valid;
2344 /* Whether creating a connection with the list should succeed */
2345 int connsuccess;
2346} sigalgs_list;
2347
2348static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 2349# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2350static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2351static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 2352# endif
f1b25aae
MC		 2353static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2354static const int invalidlist2[] = {NID_sha256, NID_undef};
2355static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2356static const int invalidlist4[] = {NID_sha256};
2357static const sigalgs_list testsigalgs[] = {
2358 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 2359# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2360 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2361 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 2362# endif
f1b25aae 2363 {NULL, 0, "RSA+SHA256", 1, 1},
c423ecaa 2364# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2365 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2366 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 2367# endif
f1b25aae
MC		 2368 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2369 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2370 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2371 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2372 {NULL, 0, "RSA", 0, 0},
2373 {NULL, 0, "SHA256", 0, 0},
2374 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 2375 {NULL, 0, "Invalid", 0, 0}
2376};
f1b25aae
MC		 2377
2378static int test_set_sigalgs(int idx)
2379{
2380 SSL_CTX *cctx = NULL, *sctx = NULL;
2381 SSL *clientssl = NULL, *serverssl = NULL;
2382 int testresult = 0;
2383 const sigalgs_list *curr;
2384 int testctx;
2385
2386 /* Should never happen */
710756a9 2387 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 2388 return 0;
2389
2390 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2391 curr = testctx ? &testsigalgs[idx]
2392 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2393
5e30f2fd
MC		 2394 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2395 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 2396 &sctx, &cctx, cert, privkey)))
f1b25aae 2397 return 0;
f1b25aae 2398
d2e491f2
MC		 2399 /*
2400 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2401 * for TLSv1.2 for now until we add a new API.
2402 */
2403 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2404
f1b25aae
MC		 2405 if (testctx) {
2406 int ret;
710756a9 2407
f1b25aae
MC		 2408 if (curr->list != NULL)
2409 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2410 else
2411 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2412
2413 if (!ret) {
2414 if (curr->valid)
710756a9 2415 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 2416 else
2417 testresult = 1;
2418 goto end;
2419 }
2420 if (!curr->valid) {
710756a9 2421 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 2422 goto end;
2423 }
2424 }
2425
710756a9
RS		 2426 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2427 &clientssl, NULL, NULL)))
f1b25aae 2428 goto end;
f1b25aae
MC		 2429
2430 if (!testctx) {
2431 int ret;
2432
2433 if (curr->list != NULL)
2434 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2435 else
2436 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2437 if (!ret) {
2438 if (curr->valid)
710756a9 2439 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 2440 else
2441 testresult = 1;
2442 goto end;
2443 }
710756a9 2444 if (!curr->valid)
f1b25aae 2445 goto end;
f1b25aae
MC		 2446 }
2447
710756a9
RS		 2448 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2449 SSL_ERROR_NONE),
2450 curr->connsuccess))
f1b25aae 2451 goto end;
f1b25aae
MC		 2452
2453 testresult = 1;
2454
2455 end:
2456 SSL_free(serverssl);
2457 SSL_free(clientssl);
2458 SSL_CTX_free(sctx);
2459 SSL_CTX_free(cctx);
2460
2461 return testresult;
2462}
c423ecaa 2463#endif
f1b25aae 2464
fff202e5 2465#ifndef OPENSSL_NO_TLS1_3
532f9578
MC		 2466static int psk_client_cb_cnt = 0;
2467static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 2468
2469static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2470 size_t *idlen, SSL_SESSION **sess)
2471{
2472 switch (++use_session_cb_cnt) {
2473 case 1:
2474 /* The first call should always have a NULL md */
2475 if (md != NULL)
2476 return 0;
2477 break;
2478
2479 case 2:
2480 /* The second call should always have an md */
2481 if (md == NULL)
2482 return 0;
2483 break;
2484
2485 default:
2486 /* We should only be called a maximum of twice */
2487 return 0;
2488 }
2489
57dee9bb
MC		 2490 if (clientpsk != NULL)
2491 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 2492
57dee9bb 2493 *sess = clientpsk;
02a3ed5a
MC		 2494 *id = (const unsigned char *)pskid;
2495 *idlen = strlen(pskid);
2496
2497 return 1;
2498}
2499
c2b290c3 2500#ifndef OPENSSL_NO_PSK
532f9578
MC		 2501static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2502 unsigned int max_id_len,
2503 unsigned char *psk,
2504 unsigned int max_psk_len)
2505{
2506 unsigned int psklen = 0;
2507
2508 psk_client_cb_cnt++;
2509
2510 if (strlen(pskid) + 1 > max_id_len)
2511 return 0;
2512
2513 /* We should only ever be called a maximum of twice per connection */
2514 if (psk_client_cb_cnt > 2)
2515 return 0;
2516
2517 if (clientpsk == NULL)
2518 return 0;
2519
2520 /* We'll reuse the PSK we set up for TLSv1.3 */
2521 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2522 return 0;
2523 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2524 strncpy(id, pskid, max_id_len);
2525
2526 return psklen;
2527}
c2b290c3 2528#endif /* OPENSSL_NO_PSK */
532f9578 2529
02a3ed5a
MC		 2530static int find_session_cb(SSL *ssl, const unsigned char *identity,
2531 size_t identity_len, SSL_SESSION **sess)
2532{
2533 find_session_cb_cnt++;
2534
2535 /* We should only ever be called a maximum of twice per connection */
2536 if (find_session_cb_cnt > 2)
2537 return 0;
2538
57dee9bb 2539 if (serverpsk == NULL)
02a3ed5a
MC		 2540 return 0;
2541
2542 /* Identity should match that set by the client */
2543 if (strlen(srvid) != identity_len
2544 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2545 /* No PSK found, continue but without a PSK */
2546 *sess = NULL;
2547 return 1;
2548 }
2549
57dee9bb
MC		 2550 SSL_SESSION_up_ref(serverpsk);
2551 *sess = serverpsk;
02a3ed5a
MC		 2552
2553 return 1;
2554}
2555
c2b290c3 2556#ifndef OPENSSL_NO_PSK
532f9578
MC		 2557static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2558 unsigned char *psk, unsigned int max_psk_len)
2559{
2560 unsigned int psklen = 0;
2561
2562 psk_server_cb_cnt++;
2563
2564 /* We should only ever be called a maximum of twice per connection */
2565 if (find_session_cb_cnt > 2)
2566 return 0;
2567
2568 if (serverpsk == NULL)
2569 return 0;
2570
2571 /* Identity should match that set by the client */
2572 if (strcmp(srvid, identity) != 0) {
2573 return 0;
2574 }
2575
2576 /* We'll reuse the PSK we set up for TLSv1.3 */
2577 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2578 return 0;
2579 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2580
2581 return psklen;
2582}
c2b290c3 2583#endif /* OPENSSL_NO_PSK */
532f9578 2584
5f982038
MC		 2585#define MSG1 "Hello"
2586#define MSG2 "World."
2587#define MSG3 "This"
2588#define MSG4 "is"
2589#define MSG5 "a"
90049cea
MC		 2590#define MSG6 "test"
2591#define MSG7 "message."
5f982038 2592
02a3ed5a 2593#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
532f9578 2594#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
02a3ed5a 2595
8614a4eb
MC		 2596
2597static SSL_SESSION *create_a_psk(SSL *ssl)
2598{
2599 const SSL_CIPHER *cipher = NULL;
2600 const unsigned char key[] = {
2601 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2602 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2603 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2604 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2605 0x2c, 0x2d, 0x2e, 0x2f
2606 };
2607 SSL_SESSION *sess = NULL;
2608
2609 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2610 sess = SSL_SESSION_new();
2611 if (!TEST_ptr(sess)
2612 || !TEST_ptr(cipher)
2613 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2614 sizeof(key)))
2615 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2616 || !TEST_true(
2617 SSL_SESSION_set_protocol_version(sess,
2618 TLS1_3_VERSION))) {
2619 SSL_SESSION_free(sess);
2620 return NULL;
2621 }
2622 return sess;
2623}
2624
5f982038
MC		 2625/*
2626 * Helper method to setup objects for early data test. Caller frees objects on
2627 * error.
2628 */
2629static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3cb47b4e 2630 SSL **serverssl, SSL_SESSION **sess, int idx)
5f982038 2631{
5a421415 2632 if (*sctx == NULL
5e30f2fd 2633 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5a421415 2634 TLS_client_method(),
5c587fb6 2635 TLS1_VERSION, 0,
5a421415
MC		 2636 sctx, cctx, cert, privkey)))
2637 return 0;
2638
2639 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 2640 return 0;
5f982038 2641
02a3ed5a
MC		 2642 if (idx == 1) {
2643 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 2644 SSL_CTX_set_read_ahead(*cctx, 1);
2645 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 2646 } else if (idx == 2) {
2647 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2648 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2649 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2650 use_session_cb_cnt = 0;
2651 find_session_cb_cnt = 0;
2652 srvid = pskid;
3cb47b4e
MC		 2653 }
2654
710756a9 2655 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 2656 NULL, NULL)))
2657 return 0;
2658
141e4709
MC		 2659 /*
2660 * For one of the run throughs (doesn't matter which one), we'll try sending
2661 * some SNI data in the initial ClientHello. This will be ignored (because
2662 * there is no SNI cb set up by the server), so it should not impact
2663 * early_data.
2664 */
2665 if (idx == 1
2666 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2667 return 0;
2668
02a3ed5a 2669 if (idx == 2) {
8614a4eb 2670 clientpsk = create_a_psk(*clientssl);
57dee9bb 2671 if (!TEST_ptr(clientpsk)
02a3ed5a
MC		 2672 /*
2673 * We just choose an arbitrary value for max_early_data which
2674 * should be big enough for testing purposes.
2675 */
57dee9bb
MC		 2676 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2677 0x100))
2678 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2679 SSL_SESSION_free(clientpsk);
2680 clientpsk = NULL;
02a3ed5a
MC		 2681 return 0;
2682 }
57dee9bb 2683 serverpsk = clientpsk;
02a3ed5a 2684
c20e3b28
MC		 2685 if (sess != NULL) {
2686 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2687 SSL_SESSION_free(clientpsk);
2688 SSL_SESSION_free(serverpsk);
2689 clientpsk = serverpsk = NULL;
2690 return 0;
2691 }
57dee9bb 2692 *sess = clientpsk;
c20e3b28 2693 }
02a3ed5a
MC		 2694 return 1;
2695 }
2696
2697 if (sess == NULL)
2698 return 1;
2699
2700 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2701 SSL_ERROR_NONE)))
5f982038 2702 return 0;
5f982038
MC		 2703
2704 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 2705 SSL_shutdown(*clientssl);
2706 SSL_shutdown(*serverssl);
5f982038
MC		 2707 SSL_free(*serverssl);
2708 SSL_free(*clientssl);
2709 *serverssl = *clientssl = NULL;
2710
710756a9
RS		 2711 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2712 clientssl, NULL, NULL))
2713 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 2714 return 0;
5f982038
MC		 2715
2716 return 1;
2717}
2718
3cb47b4e 2719static int test_early_data_read_write(int idx)
5f982038
MC		 2720{
2721 SSL_CTX *cctx = NULL, *sctx = NULL;
2722 SSL *clientssl = NULL, *serverssl = NULL;
2723 int testresult = 0;
2724 SSL_SESSION *sess = NULL;
9b5c865d
MC		 2725 unsigned char buf[20], data[1024];
2726 size_t readbytes, written, eoedlen, rawread, rawwritten;
2727 BIO *rbio;
5f982038 2728
710756a9
RS		 2729 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2730 &serverssl, &sess, idx)))
5f982038
MC		 2731 goto end;
2732
2733 /* Write and read some early data */
710756a9
RS		 2734 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2735 &written))
2736 || !TEST_size_t_eq(written, strlen(MSG1))
2737 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2738 sizeof(buf), &readbytes),
2739 SSL_READ_EARLY_DATA_SUCCESS)
2740 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2741 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2742 SSL_EARLY_DATA_ACCEPTED))
5f982038 2743 goto end;
5f982038
MC		 2744
2745 /*
09f28874 2746 * Server should be able to write data, and client should be able to
5f982038
MC		 2747 * read it.
2748 */
710756a9
RS		 2749 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2750 &written))
2751 || !TEST_size_t_eq(written, strlen(MSG2))
2752 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2753 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2754 goto end;
5f982038
MC		 2755
2756 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 2757 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2758 &written))
2759 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 2760 goto end;
5f982038 2761
09f28874 2762 /* Server should still be able read early data after writing data */
710756a9
RS		 2763 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2764 &readbytes),
2765 SSL_READ_EARLY_DATA_SUCCESS)
2766 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 2767 goto end;
5f982038 2768
09f28874 2769 /* Write more data from server and read it from client */
710756a9
RS		 2770 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2771 &written))
2772 || !TEST_size_t_eq(written, strlen(MSG4))
2773 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2774 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 2775 goto end;
5f982038
MC		 2776
2777 /*
2778 * If client writes normal data it should mean writing early data is no
2779 * longer possible.
2780 */
710756a9
RS		 2781 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2782 || !TEST_size_t_eq(written, strlen(MSG5))
2783 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2784 SSL_EARLY_DATA_ACCEPTED))
5f982038 2785 goto end;
5f982038 2786
9b5c865d
MC		 2787 /*
2788 * At this point the client has written EndOfEarlyData, ClientFinished and
2789 * normal (fully protected) data. We are going to cause a delay between the
2790 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2791 * in the read BIO, and then just put back the EndOfEarlyData message.
2792 */
2793 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 2794 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2795 || !TEST_size_t_lt(rawread, sizeof(data))
2796 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 2797 goto end;
710756a9 2798
9b5c865d
MC		 2799 /* Record length is in the 4th and 5th bytes of the record header */
2800 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 2801 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2802 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 2803 goto end;
9b5c865d 2804
5f982038 2805 /* Server should be told that there is no more early data */
710756a9
RS		 2806 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2807 &readbytes),
2808 SSL_READ_EARLY_DATA_FINISH)
2809 || !TEST_size_t_eq(readbytes, 0))
5f982038 2810 goto end;
5f982038 2811
9b5c865d
MC		 2812 /*
2813 * Server has not finished init yet, so should still be able to write early
2814 * data.
2815 */
710756a9
RS		 2816 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2817 &written))
2818 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 2819 goto end;
9b5c865d 2820
f8a303fa 2821 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 2822 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2823 &rawwritten))
2824 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 2825 goto end;
f8a303fa 2826
5f982038 2827 /* Server should be able to read normal data */
710756a9
RS		 2828 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2829 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 2830 goto end;
5f982038 2831
09f28874 2832 /* Client and server should not be able to write/read early data now */
710756a9
RS		 2833 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2834 &written)))
5f982038 2835 goto end;
5f982038 2836 ERR_clear_error();
710756a9
RS		 2837 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2838 &readbytes),
2839 SSL_READ_EARLY_DATA_ERROR))
5f982038 2840 goto end;
5f982038
MC		 2841 ERR_clear_error();
2842
9b5c865d 2843 /* Client should be able to read the data sent by the server */
710756a9
RS		 2844 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2845 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 2846 goto end;
710756a9 2847
f8a303fa 2848 /*
36ff232c
MC		 2849 * Make sure we process the two NewSessionTickets. These arrive
2850 * post-handshake. We attempt reads which we do not expect to return any
2851 * data.
f8a303fa 2852 */
36ff232c
MC		 2853 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2854 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2855 &readbytes)))
f8a303fa 2856 goto end;
5f982038 2857
90049cea 2858 /* Server should be able to write normal data */
710756a9
RS		 2859 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2860 || !TEST_size_t_eq(written, strlen(MSG7))
2861 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2862 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 2863 goto end;
90049cea 2864
c20e3b28 2865 SSL_SESSION_free(sess);
5f982038 2866 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 2867 use_session_cb_cnt = 0;
2868 find_session_cb_cnt = 0;
5f982038
MC		 2869
2870 SSL_shutdown(clientssl);
2871 SSL_shutdown(serverssl);
5f982038
MC		 2872 SSL_free(serverssl);
2873 SSL_free(clientssl);
2874 serverssl = clientssl = NULL;
710756a9
RS		 2875 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2876 &clientssl, NULL, NULL))
2877 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 2878 goto end;
5f982038
MC		 2879
2880 /* Write and read some early data */
710756a9
RS		 2881 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2882 &written))
2883 || !TEST_size_t_eq(written, strlen(MSG1))
2884 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2885 &readbytes),
2886 SSL_READ_EARLY_DATA_SUCCESS)
2887 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 2888 goto end;
5f982038 2889
710756a9
RS		 2890 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2891 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 2892 goto end;
5f982038 2893
09f28874 2894 /* Client and server should not be able to write/read early data now */
710756a9
RS		 2895 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2896 &written)))
5f982038 2897 goto end;
5f982038 2898 ERR_clear_error();
710756a9
RS		 2899 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2900 &readbytes),
2901 SSL_READ_EARLY_DATA_ERROR))
5f982038 2902 goto end;
5f982038
MC		 2903 ERR_clear_error();
2904
2905 /* Client and server should be able to write/read normal data */
710756a9
RS		 2906 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2907 || !TEST_size_t_eq(written, strlen(MSG5))
2908 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2909 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 2910 goto end;
5f982038
MC		 2911
2912 testresult = 1;
2913
2914 end:
c20e3b28 2915 SSL_SESSION_free(sess);
57dee9bb
MC		 2916 SSL_SESSION_free(clientpsk);
2917 SSL_SESSION_free(serverpsk);
2918 clientpsk = serverpsk = NULL;
5f982038
MC		 2919 SSL_free(serverssl);
2920 SSL_free(clientssl);
2921 SSL_CTX_free(sctx);
2922 SSL_CTX_free(cctx);
5f982038
MC		 2923 return testresult;
2924}
2925
5a421415
MC		 2926static int allow_ed_cb_called = 0;
2927
2928static int allow_early_data_cb(SSL *s, void *arg)
2929{
2930 int *usecb = (int *)arg;
2931
2932 allow_ed_cb_called++;
2933
2934 if (*usecb == 1)
2935 return 0;
2936
2937 return 1;
2938}
2939
2940/*
2941 * idx == 0: Standard early_data setup
2942 * idx == 1: early_data setup using read_ahead
2943 * usecb == 0: Don't use a custom early data callback
2944 * usecb == 1: Use a custom early data callback and reject the early data
2945 * usecb == 2: Use a custom early data callback and accept the early data
3bb5e5b0
MC		 2946 * confopt == 0: Configure anti-replay directly
2947 * confopt == 1: Configure anti-replay using SSL_CONF
5a421415 2948 */
3bb5e5b0 2949static int test_early_data_replay_int(int idx, int usecb, int confopt)
78fb5374
MC		 2950{
2951 SSL_CTX *cctx = NULL, *sctx = NULL;
2952 SSL *clientssl = NULL, *serverssl = NULL;
2953 int testresult = 0;
2954 SSL_SESSION *sess = NULL;
5a421415
MC		 2955 size_t readbytes, written;
2956 unsigned char buf[20];
2957
2958 allow_ed_cb_called = 0;
2959
5e30f2fd
MC		 2960 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2961 TLS_client_method(), TLS1_VERSION, 0,
2962 &sctx, &cctx, cert, privkey)))
5a421415
MC		 2963 return 0;
2964
2965 if (usecb > 0) {
3bb5e5b0
MC		 2966 if (confopt == 0) {
2967 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2968 } else {
2969 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
2970
2971 if (!TEST_ptr(confctx))
2972 goto end;
2973 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
2974 | SSL_CONF_FLAG_SERVER);
2975 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
2976 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
2977 2)) {
2978 SSL_CONF_CTX_free(confctx);
2979 goto end;
2980 }
2981 SSL_CONF_CTX_free(confctx);
2982 }
5a421415
MC		 2983 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2984 }
78fb5374
MC		 2985
2986 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2987 &serverssl, &sess, idx)))
2988 goto end;
2989
2990 /*
2991 * The server is configured to accept early data. Create a connection to
2992 * "use up" the ticket
2993 */
2994 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2995 || !TEST_true(SSL_session_reused(clientssl)))
2996 goto end;
2997
2998 SSL_shutdown(clientssl);
2999 SSL_shutdown(serverssl);
3000 SSL_free(serverssl);
3001 SSL_free(clientssl);
3002 serverssl = clientssl = NULL;
3003
3004 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3005 &clientssl, NULL, NULL))
5a421415
MC		 3006 || !TEST_true(SSL_set_session(clientssl, sess)))
3007 goto end;
3008
3009 /* Write and read some early data */
3010 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3011 &written))
3012 || !TEST_size_t_eq(written, strlen(MSG1)))
3013 goto end;
3014
3015 if (usecb <= 1) {
3016 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3017 &readbytes),
3018 SSL_READ_EARLY_DATA_FINISH)
3019 /*
3020 * The ticket was reused, so the we should have rejected the
3021 * early data
3022 */
3023 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3024 SSL_EARLY_DATA_REJECTED))
3025 goto end;
3026 } else {
3027 /* In this case the callback decides to accept the early data */
3028 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3029 &readbytes),
3030 SSL_READ_EARLY_DATA_SUCCESS)
3031 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3032 /*
3033 * Server will have sent its flight so client can now send
3034 * end of early data and complete its half of the handshake
3035 */
3036 || !TEST_int_gt(SSL_connect(clientssl), 0)
3037 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3038 &readbytes),
3039 SSL_READ_EARLY_DATA_FINISH)
3040 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3041 SSL_EARLY_DATA_ACCEPTED))
3042 goto end;
3043 }
3044
3045 /* Complete the connection */
3046 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3047 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3048 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
78fb5374
MC		 3049 goto end;
3050
3051 testresult = 1;
3052
3053 end:
c20e3b28 3054 SSL_SESSION_free(sess);
78fb5374
MC		 3055 SSL_SESSION_free(clientpsk);
3056 SSL_SESSION_free(serverpsk);
3057 clientpsk = serverpsk = NULL;
3058 SSL_free(serverssl);
3059 SSL_free(clientssl);
3060 SSL_CTX_free(sctx);
3061 SSL_CTX_free(cctx);
3062 return testresult;
3063}
3064
5a421415
MC		 3065static int test_early_data_replay(int idx)
3066{
3bb5e5b0 3067 int ret = 1, usecb, confopt;
5a421415 3068
3bb5e5b0
MC		 3069 for (usecb = 0; usecb < 3; usecb++) {
3070 for (confopt = 0; confopt < 2; confopt++)
3071 ret &= test_early_data_replay_int(idx, usecb, confopt);
3072 }
5a421415
MC		 3073
3074 return ret;
3075}
3076
710756a9 3077/*
6b84e6bf
MC		 3078 * Helper function to test that a server attempting to read early data can
3079 * handle a connection from a client where the early data should be skipped.
0d1b7789
MC		 3080 * testtype: 0 == No HRR
3081 * testtype: 1 == HRR
0efa0ba4
MC		 3082 * testtype: 2 == HRR, invalid early_data sent after HRR
3083 * testtype: 3 == recv_max_early_data set to 0
710756a9 3084 */
0d1b7789 3085static int early_data_skip_helper(int testtype, int idx)
5f982038
MC		 3086{
3087 SSL_CTX *cctx = NULL, *sctx = NULL;
3088 SSL *clientssl = NULL, *serverssl = NULL;
3089 int testresult = 0;
018fcbec 3090 SSL_SESSION *sess = NULL;
5f982038
MC		 3091 unsigned char buf[20];
3092 size_t readbytes, written;
3093
710756a9
RS		 3094 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3095 &serverssl, &sess, idx)))
5f982038
MC		 3096 goto end;
3097
0efa0ba4 3098 if (testtype == 1 || testtype == 2) {
6b84e6bf 3099 /* Force an HRR to occur */
dbc6268f
MC		 3100#if defined(OPENSSL_NO_EC)
3101 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3102 goto end;
3103#else
6b84e6bf
MC		 3104 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3105 goto end;
dbc6268f 3106#endif
02a3ed5a
MC		 3107 } else if (idx == 2) {
3108 /*
3109 * We force early_data rejection by ensuring the PSK identity is
3110 * unrecognised
3111 */
3112 srvid = "Dummy Identity";
6b84e6bf
MC		 3113 } else {
3114 /*
3115 * Deliberately corrupt the creation time. We take 20 seconds off the
3116 * time. It could be any value as long as it is not within tolerance.
3117 * This should mean the ticket is rejected.
3118 */
5d99881e 3119 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 3120 goto end;
3121 }
5f982038 3122
0efa0ba4 3123 if (testtype == 3
0d1b7789
MC		 3124 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3125 goto end;
3126
5f982038 3127 /* Write some early data */
710756a9
RS		 3128 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3129 &written))
3130 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 3131 goto end;
5f982038 3132
0d1b7789 3133 /* Server should reject the early data */
710756a9
RS		 3134 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3135 &readbytes),
3136 SSL_READ_EARLY_DATA_FINISH)
3137 || !TEST_size_t_eq(readbytes, 0)
3138 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3139 SSL_EARLY_DATA_REJECTED))
5f982038 3140 goto end;
5f982038 3141
0efa0ba4
MC		 3142 switch (testtype) {
3143 case 0:
3144 /* Nothing to do */
3145 break;
3146
3147 case 1:
6b84e6bf
MC		 3148 /*
3149 * Finish off the handshake. We perform the same writes and reads as
3150 * further down but we expect them to fail due to the incomplete
3151 * handshake.
3152 */
3153 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3154 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3155 &readbytes)))
3156 goto end;
0efa0ba4
MC		 3157 break;
3158
3159 case 2:
3160 {
3161 BIO *wbio = SSL_get_wbio(clientssl);
3162 /* A record that will appear as bad early_data */
3163 const unsigned char bad_early_data[] = {
3164 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3165 };
3166
3167 /*
3168 * We force the client to attempt a write. This will fail because
3169 * we're still in the handshake. It will cause the second
3170 * ClientHello to be sent.
3171 */
3172 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3173 &written)))
3174 goto end;
3175
3176 /*
3177 * Inject some early_data after the second ClientHello. This should
3178 * cause the server to fail
3179 */
3180 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3181 sizeof(bad_early_data), &written)))
3182 goto end;
3183 }
3184 /* fallthrough */
3185
3186 case 3:
0d1b7789 3187 /*
0efa0ba4
MC		 3188 * This client has sent more early_data than we are willing to skip
3189 * (case 3) or sent invalid early_data (case 2) so the connection should
3190 * abort.
0d1b7789
MC		 3191 */
3192 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3193 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3194 goto end;
3195
3196 /* Connection has failed - nothing more to do */
3197 testresult = 1;
3198 goto end;
0efa0ba4
MC		 3199
3200 default:
3201 TEST_error("Invalid test type");
3202 goto end;
6b84e6bf
MC		 3203 }
3204
0d1b7789
MC		 3205 /*
3206 * Should be able to send normal data despite rejection of early data. The
3207 * early_data should be skipped.
3208 */
710756a9
RS		 3209 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3210 || !TEST_size_t_eq(written, strlen(MSG2))
3211 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3212 SSL_EARLY_DATA_REJECTED)
3213 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3214 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3215 goto end;
5f982038
MC		 3216
3217 testresult = 1;
3218
3219 end:
c20e3b28 3220 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3221 SSL_SESSION_free(serverpsk);
3222 clientpsk = serverpsk = NULL;
5f982038
MC		 3223 SSL_SESSION_free(sess);
3224 SSL_free(serverssl);
3225 SSL_free(clientssl);
3226 SSL_CTX_free(sctx);
3227 SSL_CTX_free(cctx);
5f982038
MC		 3228 return testresult;
3229}
3230
6b84e6bf
MC		 3231/*
3232 * Test that a server attempting to read early data can handle a connection
3233 * from a client where the early data is not acceptable.
3234 */
3235static int test_early_data_skip(int idx)
3236{
3237 return early_data_skip_helper(0, idx);
3238}
3239
3240/*
3241 * Test that a server attempting to read early data can handle a connection
3242 * from a client where an HRR occurs.
3243 */
3244static int test_early_data_skip_hrr(int idx)
3245{
3246 return early_data_skip_helper(1, idx);
3247}
3248
0efa0ba4
MC		 3249/*
3250 * Test that a server attempting to read early data can handle a connection
3251 * from a client where an HRR occurs and correctly fails if early_data is sent
3252 * after the HRR
3253 */
3254static int test_early_data_skip_hrr_fail(int idx)
3255{
3256 return early_data_skip_helper(2, idx);
3257}
3258
0d1b7789
MC		 3259/*
3260 * Test that a server attempting to read early data will abort if it tries to
3261 * skip over too much.
3262 */
3263static int test_early_data_skip_abort(int idx)
3264{
0efa0ba4 3265 return early_data_skip_helper(3, idx);
0d1b7789
MC		 3266}
3267
710756a9
RS		 3268/*
3269 * Test that a server attempting to read early data can handle a connection
3270 * from a client that doesn't send any.
3271 */
3cb47b4e 3272static int test_early_data_not_sent(int idx)
5f982038
MC		 3273{
3274 SSL_CTX *cctx = NULL, *sctx = NULL;
3275 SSL *clientssl = NULL, *serverssl = NULL;
3276 int testresult = 0;
018fcbec 3277 SSL_SESSION *sess = NULL;
5f982038
MC		 3278 unsigned char buf[20];
3279 size_t readbytes, written;
3280
710756a9
RS		 3281 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3282 &serverssl, &sess, idx)))
5f982038
MC		 3283 goto end;
3284
3285 /* Write some data - should block due to handshake with server */
3286 SSL_set_connect_state(clientssl);
710756a9 3287 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 3288 goto end;
5f982038
MC		 3289
3290 /* Server should detect that early data has not been sent */
710756a9
RS		 3291 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3292 &readbytes),
3293 SSL_READ_EARLY_DATA_FINISH)
3294 || !TEST_size_t_eq(readbytes, 0)
3295 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3296 SSL_EARLY_DATA_NOT_SENT)
3297 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3298 SSL_EARLY_DATA_NOT_SENT))
5f982038 3299 goto end;
5f982038
MC		 3300
3301 /* Continue writing the message we started earlier */
710756a9
RS		 3302 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3303 || !TEST_size_t_eq(written, strlen(MSG1))
3304 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3305 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3306 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3307 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 3308 goto end;
5f982038 3309
710756a9
RS		 3310 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3311 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3312 goto end;
5f982038
MC		 3313
3314 testresult = 1;
3315
3316 end:
5f982038 3317 SSL_SESSION_free(sess);
c20e3b28 3318 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3319 SSL_SESSION_free(serverpsk);
3320 clientpsk = serverpsk = NULL;
5f982038
MC		 3321 SSL_free(serverssl);
3322 SSL_free(clientssl);
3323 SSL_CTX_free(sctx);
3324 SSL_CTX_free(cctx);
5f982038
MC		 3325 return testresult;
3326}
3327
976e5323
MC		 3328static const char *servalpn;
3329
c7558d5b
PY		 3330static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3331 unsigned char *outlen, const unsigned char *in,
3332 unsigned int inlen, void *arg)
976e5323 3333{
c7558d5b 3334 unsigned int protlen = 0;
976e5323
MC		 3335 const unsigned char *prot;
3336
c7558d5b
PY		 3337 for (prot = in; prot < in + inlen; prot += protlen) {
3338 protlen = *prot++;
5d99881e 3339 if (in + inlen < prot + protlen)
976e5323
MC		 3340 return SSL_TLSEXT_ERR_NOACK;
3341
3342 if (protlen == strlen(servalpn)
0bd42fde 3343 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 3344 *out = prot;
3345 *outlen = protlen;
3346 return SSL_TLSEXT_ERR_OK;
3347 }
3348 }
3349
3350 return SSL_TLSEXT_ERR_NOACK;
3351}
3352
57dee9bb 3353/* Test that a PSK can be used to send early_data */
976e5323
MC		 3354static int test_early_data_psk(int idx)
3355{
3356 SSL_CTX *cctx = NULL, *sctx = NULL;
3357 SSL *clientssl = NULL, *serverssl = NULL;
3358 int testresult = 0;
3359 SSL_SESSION *sess = NULL;
57dee9bb
MC		 3360 unsigned char alpnlist[] = {
3361 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3362 'l', 'p', 'n'
3363 };
3364#define GOODALPNLEN 9
3365#define BADALPNLEN 8
3366#define GOODALPN (alpnlist)
3367#define BADALPN (alpnlist + GOODALPNLEN)
3368 int err = 0;
976e5323
MC		 3369 unsigned char buf[20];
3370 size_t readbytes, written;
57dee9bb 3371 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 3372 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3373
3374 /* We always set this up with a final parameter of "2" for PSK */
3375 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3376 &serverssl, &sess, 2)))
3377 goto end;
3378
976e5323
MC		 3379 servalpn = "goodalpn";
3380
57dee9bb
MC		 3381 /*
3382 * Note: There is no test for inconsistent SNI with late client detection.
3383 * This is because servers do not acknowledge SNI even if they are using
3384 * it in a resumption handshake - so it is not actually possible for a
3385 * client to detect a problem.
3386 */
976e5323
MC		 3387 switch (idx) {
3388 case 0:
57dee9bb 3389 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 3390 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3391 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3392 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3393 goto end;
3394 break;
3395
3396 case 1:
57dee9bb 3397 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 3398 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3399 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 3400 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3401 GOODALPNLEN))
3402 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3403 BADALPNLEN)))
976e5323
MC		 3404 goto end;
3405 break;
3406
3407 case 2:
3408 /*
3409 * Set invalid protocol version. Technically this affects PSKs without
3410 * early_data too, but we test it here because it is similar to the
3411 * SNI/ALPN consistency tests.
3412 */
3413 err = SSL_R_BAD_PSK;
3414 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3415 goto end;
3416 break;
3417
3418 case 3:
3419 /*
49ef3d07
MC		 3420 * Set inconsistent SNI (server side). In this case the connection
3421 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3422 * is associated with each handshake - not the session. Therefore it
3423 * should not matter that we used a different server name last time.
976e5323 3424 */
281bf233
MC		 3425 SSL_SESSION_free(serverpsk);
3426 serverpsk = SSL_SESSION_dup(clientpsk);
3427 if (!TEST_ptr(serverpsk)
3428 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3429 goto end;
976e5323
MC		 3430 /* Fall through */
3431 case 4:
3432 /* Set consistent SNI */
976e5323
MC		 3433 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3434 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3435 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3436 hostname_cb)))
3437 goto end;
3438 break;
3439
3440 case 5:
3441 /*
3442 * Set inconsistent ALPN (server detected). In this case the connection
3443 * will succeed but reject early_data.
3444 */
3445 servalpn = "badalpn";
3446 edstatus = SSL_EARLY_DATA_REJECTED;
3447 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3448 /* Fall through */
3449 case 6:
976e5323 3450 /*
57dee9bb 3451 * Set consistent ALPN.
976e5323
MC		 3452 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3453 * accepts a list of protos (each one length prefixed).
3454 * SSL_set1_alpn_selected accepts a single protocol (not length
3455 * prefixed)
3456 */
57dee9bb
MC		 3457 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3458 GOODALPNLEN - 1))
3459 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3460 GOODALPNLEN)))
976e5323
MC		 3461 goto end;
3462
3463 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3464 break;
3465
57dee9bb
MC		 3466 case 7:
3467 /* Set inconsistent ALPN (late client detection) */
3468 SSL_SESSION_free(serverpsk);
3469 serverpsk = SSL_SESSION_dup(clientpsk);
3470 if (!TEST_ptr(serverpsk)
3471 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3472 BADALPN + 1,
3473 BADALPNLEN - 1))
3474 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3475 GOODALPN + 1,
3476 GOODALPNLEN - 1))
3477 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3478 sizeof(alpnlist))))
3479 goto end;
3480 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3481 edstatus = SSL_EARLY_DATA_ACCEPTED;
3482 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3483 /* SSL_connect() call should fail */
3484 connectres = -1;
3485 break;
3486
976e5323
MC		 3487 default:
3488 TEST_error("Bad test index");
3489 goto end;
3490 }
3491
3492 SSL_set_connect_state(clientssl);
3493 if (err != 0) {
3494 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3495 &written))
3496 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3497 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3498 goto end;
3499 } else {
3500 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 3501 &written)))
3502 goto end;
3503
3504 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3505 &readbytes), readearlyres)
976e5323
MC		 3506 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3507 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 3508 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3509 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 3510 goto end;
3511 }
3512
3513 testresult = 1;
3514
3515 end:
c20e3b28 3516 SSL_SESSION_free(sess);
57dee9bb
MC		 3517 SSL_SESSION_free(clientpsk);
3518 SSL_SESSION_free(serverpsk);
3519 clientpsk = serverpsk = NULL;
976e5323
MC		 3520 SSL_free(serverssl);
3521 SSL_free(clientssl);
3522 SSL_CTX_free(sctx);
3523 SSL_CTX_free(cctx);
3524 return testresult;
3525}
3526
710756a9
RS		 3527/*
3528 * Test that a server that doesn't try to read early data can handle a
3529 * client sending some.
3530 */
3cb47b4e 3531static int test_early_data_not_expected(int idx)
5f982038
MC		 3532{
3533 SSL_CTX *cctx = NULL, *sctx = NULL;
3534 SSL *clientssl = NULL, *serverssl = NULL;
3535 int testresult = 0;
018fcbec 3536 SSL_SESSION *sess = NULL;
5f982038
MC		 3537 unsigned char buf[20];
3538 size_t readbytes, written;
3539
710756a9
RS		 3540 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3541 &serverssl, &sess, idx)))
5f982038
MC		 3542 goto end;
3543
3544 /* Write some early data */
710756a9
RS		 3545 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3546 &written)))
5f982038 3547 goto end;
5f982038
MC		 3548
3549 /*
3550 * Server should skip over early data and then block waiting for client to
3551 * continue handshake
3552 */
710756a9
RS		 3553 if (!TEST_int_le(SSL_accept(serverssl), 0)
3554 || !TEST_int_gt(SSL_connect(clientssl), 0)
3555 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3556 SSL_EARLY_DATA_REJECTED)
3557 || !TEST_int_gt(SSL_accept(serverssl), 0)
3558 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3559 SSL_EARLY_DATA_REJECTED))
5f982038 3560 goto end;
5f982038
MC		 3561
3562 /* Send some normal data from client to server */
710756a9
RS		 3563 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3564 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 3565 goto end;
5f982038 3566
710756a9
RS		 3567 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3568 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3569 goto end;
5f982038
MC		 3570
3571 testresult = 1;
3572
3573 end:
5f982038 3574 SSL_SESSION_free(sess);
c20e3b28 3575 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3576 SSL_SESSION_free(serverpsk);
3577 clientpsk = serverpsk = NULL;
5f982038
MC		 3578 SSL_free(serverssl);
3579 SSL_free(clientssl);
3580 SSL_CTX_free(sctx);
3581 SSL_CTX_free(cctx);
5f982038
MC		 3582 return testresult;
3583}
3584
3585
3586# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 3587/*
3588 * Test that a server attempting to read early data can handle a connection
3589 * from a TLSv1.2 client.
3590 */
3cb47b4e 3591static int test_early_data_tls1_2(int idx)
5f982038
MC		 3592{
3593 SSL_CTX *cctx = NULL, *sctx = NULL;
3594 SSL *clientssl = NULL, *serverssl = NULL;
3595 int testresult = 0;
3596 unsigned char buf[20];
3597 size_t readbytes, written;
3598
02a3ed5a
MC		 3599 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3600 &serverssl, NULL, idx)))
5f982038 3601 goto end;
5f982038
MC		 3602
3603 /* Write some data - should block due to handshake with server */
3604 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
3605 SSL_set_connect_state(clientssl);
710756a9 3606 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 3607 goto end;
5f982038
MC		 3608
3609 /*
3610 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 3611 * messages from client after ServerDone. Then SSL_read_early_data should
3612 * finish and detect that early data has not been sent
5f982038 3613 */
710756a9
RS		 3614 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3615 &readbytes),
3616 SSL_READ_EARLY_DATA_ERROR))
5f982038 3617 goto end;
5f982038
MC		 3618
3619 /*
3620 * Continue writing the message we started earlier. Will still block waiting
3621 * for the CCS/Finished from server
3622 */
710756a9
RS		 3623 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3624 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3625 &readbytes),
3626 SSL_READ_EARLY_DATA_FINISH)
3627 || !TEST_size_t_eq(readbytes, 0)
3628 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3629 SSL_EARLY_DATA_NOT_SENT))
5f982038 3630 goto end;
5f982038
MC		 3631
3632 /* Continue writing the message we started earlier */
710756a9
RS		 3633 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3634 || !TEST_size_t_eq(written, strlen(MSG1))
3635 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3636 SSL_EARLY_DATA_NOT_SENT)
3637 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3638 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3639 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
3640 || !TEST_size_t_eq(written, strlen(MSG2))
3641 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
3642 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3643 goto end;
5f982038
MC		 3644
3645 testresult = 1;
3646
3647 end:
57dee9bb
MC		 3648 SSL_SESSION_free(clientpsk);
3649 SSL_SESSION_free(serverpsk);
3650 clientpsk = serverpsk = NULL;
5f982038
MC		 3651 SSL_free(serverssl);
3652 SSL_free(clientssl);
3653 SSL_CTX_free(sctx);
3654 SSL_CTX_free(cctx);
3655
3656 return testresult;
3657}
ca0413ae
MC		 3658# endif /* OPENSSL_NO_TLS1_2 */
3659
034cb87b
MC		 3660/*
3661 * Test configuring the TLSv1.3 ciphersuites
3662 *
3663 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3664 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3665 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3666 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3667 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3668 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3669 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3670 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3671 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3672 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3673 */
3674static int test_set_ciphersuite(int idx)
3675{
3676 SSL_CTX *cctx = NULL, *sctx = NULL;
3677 SSL *clientssl = NULL, *serverssl = NULL;
3678 int testresult = 0;
3679
5e30f2fd
MC		 3680 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3681 TLS_client_method(), TLS1_VERSION, 0,
034cb87b
MC		 3682 &sctx, &cctx, cert, privkey))
3683 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3684 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3685 goto end;
3686
3687 if (idx >=4 && idx <= 7) {
3688 /* SSL_CTX explicit cipher list */
3689 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3690 goto end;
3691 }
3692
3693 if (idx == 0 || idx == 4) {
3694 /* Default ciphersuite */
3695 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3696 "TLS_AES_128_GCM_SHA256")))
3697 goto end;
3698 } else if (idx == 1 || idx == 5) {
3699 /* Non default ciphersuite */
3700 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3701 "TLS_AES_128_CCM_SHA256")))
3702 goto end;
3703 }
3704
3705 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3706 &clientssl, NULL, NULL)))
3707 goto end;
3708
3709 if (idx == 8 || idx == 9) {
3710 /* SSL explicit cipher list */
3711 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3712 goto end;
3713 }
3714
3715 if (idx == 2 || idx == 6 || idx == 8) {
3716 /* Default ciphersuite */
3717 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3718 "TLS_AES_128_GCM_SHA256")))
3719 goto end;
3720 } else if (idx == 3 || idx == 7 || idx == 9) {
3721 /* Non default ciphersuite */
3722 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3723 "TLS_AES_128_CCM_SHA256")))
3724 goto end;
3725 }
3726
3727 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3728 goto end;
3729
3730 testresult = 1;
3731
3732 end:
3733 SSL_free(serverssl);
3734 SSL_free(clientssl);
3735 SSL_CTX_free(sctx);
3736 SSL_CTX_free(cctx);
3737
3738 return testresult;
3739}
3740
ca0413ae
MC		 3741static int test_ciphersuite_change(void)
3742{
3743 SSL_CTX *cctx = NULL, *sctx = NULL;
3744 SSL *clientssl = NULL, *serverssl = NULL;
3745 SSL_SESSION *clntsess = NULL;
3746 int testresult = 0;
3747 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
3748
3749 /* Create a session based on SHA-256 */
5e30f2fd
MC		 3750 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3751 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 3752 &sctx, &cctx, cert, privkey))
4f6c7044
MC		 3753 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3754 "TLS_AES_128_GCM_SHA256:"
3755 "TLS_AES_256_GCM_SHA384:"
3756 "TLS_AES_128_CCM_SHA256"))
f865b081
MC		 3757 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
3758 "TLS_AES_128_GCM_SHA256"))
ca0413ae
MC		 3759 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3760 &clientssl, NULL, NULL))
3761 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3762 SSL_ERROR_NONE)))
3763 goto end;
3764
3765 clntsess = SSL_get1_session(clientssl);
3766 /* Save for later */
3767 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
3768 SSL_shutdown(clientssl);
3769 SSL_shutdown(serverssl);
3770 SSL_free(serverssl);
3771 SSL_free(clientssl);
3772 serverssl = clientssl = NULL;
3773
3774 /* Check we can resume a session with a different SHA-256 ciphersuite */
f865b081 3775 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4f6c7044
MC		 3776 "TLS_AES_128_CCM_SHA256"))
3777 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3778 &clientssl, NULL, NULL))
ca0413ae
MC		 3779 || !TEST_true(SSL_set_session(clientssl, clntsess))
3780 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3781 SSL_ERROR_NONE))
3782 || !TEST_true(SSL_session_reused(clientssl)))
3783 goto end;
3784
3785 SSL_SESSION_free(clntsess);
3786 clntsess = SSL_get1_session(clientssl);
3787 SSL_shutdown(clientssl);
3788 SSL_shutdown(serverssl);
3789 SSL_free(serverssl);
3790 SSL_free(clientssl);
3791 serverssl = clientssl = NULL;
3792
3793 /*
3794 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 3795 * succeeds but does not resume.
ca0413ae 3796 */
f865b081 3797 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 3798 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3799 NULL, NULL))
3800 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 3801 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 3802 SSL_ERROR_SSL))
0de6d66d 3803 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 3804 goto end;
3805
3806 SSL_SESSION_free(clntsess);
3807 clntsess = NULL;
3808 SSL_shutdown(clientssl);
3809 SSL_shutdown(serverssl);
3810 SSL_free(serverssl);
3811 SSL_free(clientssl);
3812 serverssl = clientssl = NULL;
3813
3814 /* Create a session based on SHA384 */
f865b081 3815 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 3816 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3817 &clientssl, NULL, NULL))
3818 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3819 SSL_ERROR_NONE)))
3820 goto end;
3821
3822 clntsess = SSL_get1_session(clientssl);
3823 SSL_shutdown(clientssl);
3824 SSL_shutdown(serverssl);
3825 SSL_free(serverssl);
3826 SSL_free(clientssl);
3827 serverssl = clientssl = NULL;
3828
f865b081
MC		 3829 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3830 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3831 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3832 "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 3833 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3834 NULL, NULL))
3835 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 3836 /*
3837 * We use SSL_ERROR_WANT_READ below so that we can pause the
3838 * connection after the initial ClientHello has been sent to
3839 * enable us to make some session changes.
3840 */
ca0413ae
MC		 3841 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3842 SSL_ERROR_WANT_READ)))
3843 goto end;
3844
3845 /* Trick the client into thinking this session is for a different digest */
3846 clntsess->cipher = aes_128_gcm_sha256;
3847 clntsess->cipher_id = clntsess->cipher->id;
3848
3849 /*
3b0e88d3
MC		 3850 * Continue the previously started connection. Server has selected a SHA-384
3851 * ciphersuite, but client thinks the session is for SHA-256, so it should
3852 * bail out.
ca0413ae
MC		 3853 */
3854 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
3855 SSL_ERROR_SSL))
3856 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
3857 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
3858 goto end;
3859
3860 testresult = 1;
3861
3862 end:
3863 SSL_SESSION_free(clntsess);
3864 SSL_free(serverssl);
3865 SSL_free(clientssl);
3866 SSL_CTX_free(sctx);
3867 SSL_CTX_free(cctx);
3868
3869 return testresult;
3870}
3871
8e63900a 3872/*
5bf2eade 3873 * Test TLSv1.3 Key exchange
3874 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
3875 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
3876 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
3877 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
3878 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
3879 * Test 5 = Test NID_X448 with TLSv1.3 client and server
3880 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
3881 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
3882 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
3883 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
3884 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
3885 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
3886 * Test 12 = Test all ECDHE with TLSv1.2 client and server
3887 * Test 13 = Test all FFDHE with TLSv1.2 client and server
8e63900a 3888 */
db26ec80 3889static int test_key_exchange(int idx)
8e63900a 3890{
3891 SSL_CTX *sctx = NULL, *cctx = NULL;
3892 SSL *serverssl = NULL, *clientssl = NULL;
3893 int testresult = 0;
5bf2eade 3894# ifndef OPENSSL_NO_EC
3895 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
3896 NID_secp521r1, NID_X25519, NID_X448};
3897# endif
3898# ifndef OPENSSL_NO_DH
8e63900a 3899 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
3900 NID_ffdhe6144, NID_ffdhe8192};
5bf2eade 3901# endif
fb8c6db4 3902 int kexch_alg;
3903 int *kexch_groups = &kexch_alg;
3904 int kexch_groups_size = 1;
8e63900a 3905 int max_version = TLS1_3_VERSION;
8e63900a 3906
3907 switch (idx) {
5bf2eade 3908# ifndef OPENSSL_NO_EC
db26ec80 3909# ifndef OPENSSL_NO_TLS1_2
5bf2eade 3910 case 12:
fb8c6db4 3911 max_version = TLS1_2_VERSION;
db26ec80 3912# endif
fb8c6db4 3913 /* Fall through */
3914 case 0:
3915 kexch_groups = ecdhe_kexch_groups;
3916 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
3917 break;
5bf2eade 3918 case 1:
fb8c6db4 3919 kexch_alg = NID_X9_62_prime256v1;
3920 break;
5bf2eade 3921 case 2:
fb8c6db4 3922 kexch_alg = NID_secp384r1;
3923 break;
5bf2eade 3924 case 3:
fb8c6db4 3925 kexch_alg = NID_secp521r1;
3926 break;
5bf2eade 3927 case 4:
fb8c6db4 3928 kexch_alg = NID_X25519;
3929 break;
5bf2eade 3930 case 5:
fb8c6db4 3931 kexch_alg = NID_X448;
3932 break;
5bf2eade 3933# endif
3934# ifndef OPENSSL_NO_DH
db26ec80 3935# ifndef OPENSSL_NO_TLS1_2
5bf2eade 3936 case 13:
dbc6268f 3937 max_version = TLS1_2_VERSION;
db26ec80 3938# endif
dbc6268f 3939 /* Fall through */
5bf2eade 3940 case 6:
8e63900a 3941 kexch_groups = ffdhe_kexch_groups;
3942 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
3943 break;
5bf2eade 3944 case 7:
fb8c6db4 3945 kexch_alg = NID_ffdhe2048;
3946 break;
5bf2eade 3947 case 8:
fb8c6db4 3948 kexch_alg = NID_ffdhe3072;
3949 break;
5bf2eade 3950 case 9:
fb8c6db4 3951 kexch_alg = NID_ffdhe4096;
3952 break;
5bf2eade 3953 case 10:
fb8c6db4 3954 kexch_alg = NID_ffdhe6144;
3955 break;
5bf2eade 3956 case 11:
fb8c6db4 3957 kexch_alg = NID_ffdhe8192;
8e63900a 3958 break;
5bf2eade 3959# endif
6597d62b
MC		 3960 default:
3961 /* We're skipping this test */
3962 return 1;
8e63900a 3963 }
3964
5e30f2fd
MC		 3965 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3966 TLS_client_method(), TLS1_VERSION,
3967 max_version, &sctx, &cctx, cert,
3968 privkey)))
8e63900a 3969 goto end;
3970
5bf2eade 3971 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
3972 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 3973 goto end;
3974
5bf2eade 3975 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3976 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 3977 goto end;
3978
5bf2eade 3979 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
3980 TLS1_TXT_RSA_WITH_AES_128_SHA)))
8e63900a 3981 goto end;
3982
dbc6268f
MC		 3983 /*
3984 * Must include an EC ciphersuite so that we send supported groups in
3985 * TLSv1.2
3986 */
5bf2eade 3987# ifndef OPENSSL_NO_TLS1_2
dbc6268f
MC		 3988 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
3989 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
3990 TLS1_TXT_RSA_WITH_AES_128_SHA)))
8e63900a 3991 goto end;
5bf2eade 3992# endif
8e63900a 3993
3994 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3995 NULL, NULL)))
3996 goto end;
3997
3998 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
3999 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4000 goto end;
4001
5bf2eade 4002 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8e63900a 4003 goto end;
8e63900a 4004
dbc6268f 4005 /*
5bf2eade 4006 * If Handshake succeeds the negotiated kexch alg should be the first one in
4007 * configured, except in the case of FFDHE groups (idx 13), which are
4008 * TLSv1.3 only so we expect no shared group to exist.
dbc6268f
MC		 4009 */
4010 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
5bf2eade 4011 idx == 13 ? 0 : kexch_groups[0]))
8e63900a 4012 goto end;
fb8c6db4 4013 if (max_version == TLS1_3_VERSION) {
4014 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4015 goto end;
4016 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4017 goto end;
4018 }
8e63900a 4019
4020 testresult = 1;
4021 end:
4022 SSL_free(serverssl);
4023 SSL_free(clientssl);
4024 SSL_CTX_free(sctx);
4025 SSL_CTX_free(cctx);
4026 return testresult;
4027}
4028
5bf2eade 4029/*
4030 * Test TLSv1.3 Cipher Suite
4031 * Test 0 = Set TLS1.3 cipher on context
4032 * Test 1 = Set TLS1.3 cipher on SSL
4033 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4034 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4035 */
4036static int test_tls13_ciphersuite(int idx)
4037{
4038 SSL_CTX *sctx = NULL, *cctx = NULL;
4039 SSL *serverssl = NULL, *clientssl = NULL;
4f6c7044
MC		 4040 static const struct {
4041 const char *ciphername;
4042 int fipscapable;
4043 } t13_ciphers[] = {
4044 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
4045 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
4046 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
5bf2eade 4047# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4f6c7044
MC		 4048 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4049 { TLS1_3_RFC_AES_256_GCM_SHA384
4050 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
5bf2eade 4051# endif
4f6c7044 4052 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
5bf2eade 4053 };
4054 const char *t13_cipher = NULL;
4055 const char *t12_cipher = NULL;
4056 const char *negotiated_scipher;
4057 const char *negotiated_ccipher;
4058 int set_at_ctx = 0;
4059 int set_at_ssl = 0;
4060 int testresult = 0;
4061 int max_ver;
4062 size_t i;
4063
4064 switch (idx) {
4065 case 0:
4066 set_at_ctx = 1;
4067 break;
4068 case 1:
4069 set_at_ssl = 1;
4070 break;
4071 case 2:
4072 set_at_ctx = 1;
2d900758 4073 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 4074 break;
4075 case 3:
4076 set_at_ssl = 1;
2d900758 4077 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 4078 break;
4079 }
4080
4081 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4082# ifdef OPENSSL_NO_TLS1_2
4083 if (max_ver == TLS1_2_VERSION)
4084 continue;
4085# endif
4086 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4f6c7044
MC		 4087 if (is_fips && !t13_ciphers[i].fipscapable)
4088 continue;
4089 t13_cipher = t13_ciphers[i].ciphername;
5e30f2fd 4090 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5bf2eade 4091 TLS_client_method(),
4092 TLS1_VERSION, max_ver,
4093 &sctx, &cctx, cert, privkey)))
4094 goto end;
4095
4096 if (set_at_ctx) {
4097 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4098 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4099 goto end;
4100 if (t12_cipher != NULL) {
4101 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
4102 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
4103 t12_cipher)))
4104 goto end;
4105 }
4106 }
4107
4108 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4109 &clientssl, NULL, NULL)))
4110 goto end;
4111
4112 if (set_at_ssl) {
4113 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
4114 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
4115 goto end;
4116 if (t12_cipher != NULL) {
4117 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
4118 || !TEST_true(SSL_set_cipher_list(clientssl,
4119 t12_cipher)))
4120 goto end;
4121 }
4122 }
4123
4124 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4125 SSL_ERROR_NONE)))
4126 goto end;
4127
4128 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4129 serverssl));
4130 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4131 clientssl));
4132 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
4133 goto end;
4134
4135 /*
4136 * TEST_strn_eq is used below because t13_cipher can contain
4137 * multiple ciphersuites
4138 */
4139 if (max_ver == TLS1_3_VERSION
4140 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
4141 strlen(negotiated_scipher)))
4142 goto end;
4143
4144# ifndef OPENSSL_NO_TLS1_2
4145 /* Below validation is not done when t12_cipher is NULL */
4146 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
4147 && !TEST_str_eq(t12_cipher, negotiated_scipher))
4148 goto end;
4149# endif
4150
4151 SSL_free(serverssl);
4152 serverssl = NULL;
4153 SSL_free(clientssl);
4154 clientssl = NULL;
4155 SSL_CTX_free(sctx);
4156 sctx = NULL;
4157 SSL_CTX_free(cctx);
4158 cctx = NULL;
4159 }
4160 }
4161
4162 testresult = 1;
4163 end:
4164 SSL_free(serverssl);
4165 SSL_free(clientssl);
4166 SSL_CTX_free(sctx);
4167 SSL_CTX_free(cctx);
4168 return testresult;
4169}
4170
0d8da779
MC		 4171/*
4172 * Test TLSv1.3 PSKs
4173 * Test 0 = Test new style callbacks
4174 * Test 1 = Test both new and old style callbacks
4175 * Test 2 = Test old style callbacks
4176 * Test 3 = Test old style callbacks with no certificate
4177 */
532f9578 4178static int test_tls13_psk(int idx)
ca8c71ba
MC		 4179{
4180 SSL_CTX *sctx = NULL, *cctx = NULL;
4181 SSL *serverssl = NULL, *clientssl = NULL;
4182 const SSL_CIPHER *cipher = NULL;
4183 const unsigned char key[] = {
4184 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4185 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 4186 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
4187 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 4188 };
4189 int testresult = 0;
4190
5e30f2fd
MC		 4191 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4192 TLS_client_method(), TLS1_VERSION, 0,
0d8da779
MC		 4193 &sctx, &cctx, idx == 3 ? NULL : cert,
4194 idx == 3 ? NULL : privkey)))
ca8c71ba
MC		 4195 goto end;
4196
0d8da779
MC		 4197 if (idx != 3) {
4198 /*
4199 * We use a ciphersuite with SHA256 to ease testing old style PSK
4200 * callbacks which will always default to SHA256. This should not be
4201 * necessary if we have no cert/priv key. In that case the server should
4202 * prefer SHA256 automatically.
4203 */
4204 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4205 "TLS_AES_128_GCM_SHA256")))
4206 goto end;
4f6c7044
MC		 4207 } else {
4208 /*
4209 * As noted above the server should prefer SHA256 automatically. However
4210 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
4211 * code works even if we are testing with only the FIPS provider loaded.
4212 */
4213 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4214 "TLS_AES_256_GCM_SHA384:"
4215 "TLS_AES_128_GCM_SHA256")))
4216 goto end;
0d8da779 4217 }
532f9578
MC		 4218
4219 /*
4220 * Test 0: New style callbacks only
4221 * Test 1: New and old style callbacks (only the new ones should be used)
4222 * Test 2: Old style callbacks only
4223 */
4224 if (idx == 0 || idx == 1) {
4225 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
4226 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
4227 }
c2b290c3 4228#ifndef OPENSSL_NO_PSK
0d8da779 4229 if (idx >= 1) {
532f9578
MC		 4230 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
4231 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
4232 }
c2b290c3 4233#endif
ca8c71ba 4234 srvid = pskid;
02a3ed5a
MC		 4235 use_session_cb_cnt = 0;
4236 find_session_cb_cnt = 0;
532f9578
MC		 4237 psk_client_cb_cnt = 0;
4238 psk_server_cb_cnt = 0;
ca8c71ba 4239
0d8da779
MC		 4240 if (idx != 3) {
4241 /*
4242 * Check we can create a connection if callback decides not to send a
4243 * PSK
4244 */
4245 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4246 NULL, NULL))
4247 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4248 SSL_ERROR_NONE))
4249 || !TEST_false(SSL_session_reused(clientssl))
4250 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 4251 goto end;
532f9578 4252
0d8da779
MC		 4253 if (idx == 0 || idx == 1) {
4254 if (!TEST_true(use_session_cb_cnt == 1)
4255 || !TEST_true(find_session_cb_cnt == 0)
4256 /*
4257 * If no old style callback then below should be 0
4258 * otherwise 1
4259 */
4260 || !TEST_true(psk_client_cb_cnt == idx)
4261 || !TEST_true(psk_server_cb_cnt == 0))
4262 goto end;
4263 } else {
4264 if (!TEST_true(use_session_cb_cnt == 0)
4265 || !TEST_true(find_session_cb_cnt == 0)
4266 || !TEST_true(psk_client_cb_cnt == 1)
4267 || !TEST_true(psk_server_cb_cnt == 0))
4268 goto end;
4269 }
4270
4271 shutdown_ssl_connection(serverssl, clientssl);
4272 serverssl = clientssl = NULL;
4273 use_session_cb_cnt = psk_client_cb_cnt = 0;
4274 }
ca8c71ba
MC		 4275
4276 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4277 NULL, NULL)))
4278 goto end;
4279
4280 /* Create the PSK */
532f9578 4281 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 4282 clientpsk = SSL_SESSION_new();
4283 if (!TEST_ptr(clientpsk)
ca8c71ba 4284 || !TEST_ptr(cipher)
57dee9bb
MC		 4285 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4286 sizeof(key)))
4287 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4288 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4289 TLS1_3_VERSION))
4290 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 4291 goto end;
57dee9bb 4292 serverpsk = clientpsk;
ca8c71ba
MC		 4293
4294 /* Check we can create a connection and the PSK is used */
4295 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4296 || !TEST_true(SSL_session_reused(clientssl))
532f9578 4297 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 4298 goto end;
4299
532f9578
MC		 4300 if (idx == 0 || idx == 1) {
4301 if (!TEST_true(use_session_cb_cnt == 1)
4302 || !TEST_true(find_session_cb_cnt == 1)
4303 || !TEST_true(psk_client_cb_cnt == 0)
4304 || !TEST_true(psk_server_cb_cnt == 0))
4305 goto end;
4306 } else {
4307 if (!TEST_true(use_session_cb_cnt == 0)
4308 || !TEST_true(find_session_cb_cnt == 0)
4309 || !TEST_true(psk_client_cb_cnt == 1)
4310 || !TEST_true(psk_server_cb_cnt == 1))
4311 goto end;
4312 }
4313
ca8c71ba
MC		 4314 shutdown_ssl_connection(serverssl, clientssl);
4315 serverssl = clientssl = NULL;
4316 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 4317 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 4318
4319 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4320 NULL, NULL)))
4321 goto end;
4322
4323 /* Force an HRR */
dbc6268f
MC		 4324#if defined(OPENSSL_NO_EC)
4325 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4326 goto end;
4327#else
ca8c71ba
MC		 4328 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4329 goto end;
dbc6268f 4330#endif
ca8c71ba
MC		 4331
4332 /*
4333 * Check we can create a connection, the PSK is used and the callbacks are
4334 * called twice.
4335 */
4336 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4337 || !TEST_true(SSL_session_reused(clientssl))
532f9578 4338 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 4339 goto end;
4340
532f9578
MC		 4341 if (idx == 0 || idx == 1) {
4342 if (!TEST_true(use_session_cb_cnt == 2)
4343 || !TEST_true(find_session_cb_cnt == 2)
4344 || !TEST_true(psk_client_cb_cnt == 0)
4345 || !TEST_true(psk_server_cb_cnt == 0))
4346 goto end;
4347 } else {
4348 if (!TEST_true(use_session_cb_cnt == 0)
4349 || !TEST_true(find_session_cb_cnt == 0)
4350 || !TEST_true(psk_client_cb_cnt == 2)
4351 || !TEST_true(psk_server_cb_cnt == 2))
4352 goto end;
4353 }
4354
ca8c71ba
MC		 4355 shutdown_ssl_connection(serverssl, clientssl);
4356 serverssl = clientssl = NULL;
4357 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 4358 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba 4359
0d8da779
MC		 4360 if (idx != 3) {
4361 /*
4362 * Check that if the server rejects the PSK we can still connect, but with
4363 * a full handshake
4364 */
4365 srvid = "Dummy Identity";
4366 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4367 NULL, NULL))
4368 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4369 SSL_ERROR_NONE))
4370 || !TEST_false(SSL_session_reused(clientssl))
4371 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 4372 goto end;
532f9578 4373
0d8da779
MC		 4374 if (idx == 0 || idx == 1) {
4375 if (!TEST_true(use_session_cb_cnt == 1)
4376 || !TEST_true(find_session_cb_cnt == 1)
4377 || !TEST_true(psk_client_cb_cnt == 0)
4378 /*
4379 * If no old style callback then below should be 0
4380 * otherwise 1
4381 */
4382 || !TEST_true(psk_server_cb_cnt == idx))
4383 goto end;
4384 } else {
4385 if (!TEST_true(use_session_cb_cnt == 0)
4386 || !TEST_true(find_session_cb_cnt == 0)
4387 || !TEST_true(psk_client_cb_cnt == 1)
4388 || !TEST_true(psk_server_cb_cnt == 1))
4389 goto end;
4390 }
4391
4392 shutdown_ssl_connection(serverssl, clientssl);
4393 serverssl = clientssl = NULL;
4394 }
ca8c71ba
MC		 4395 testresult = 1;
4396
4397 end:
57dee9bb
MC		 4398 SSL_SESSION_free(clientpsk);
4399 SSL_SESSION_free(serverpsk);
4400 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 4401 SSL_free(serverssl);
4402 SSL_free(clientssl);
4403 SSL_CTX_free(sctx);
4404 SSL_CTX_free(cctx);
4405 return testresult;
4406}
4407
c7b8ff25
MC		 4408static unsigned char cookie_magic_value[] = "cookie magic";
4409
4410static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
4411 unsigned int *cookie_len)
4412{
4413 /*
4414 * Not suitable as a real cookie generation function but good enough for
4415 * testing!
4416 */
97ea1e7f
MC		 4417 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
4418 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 4419
4420 return 1;
4421}
4422
4423static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
4424 unsigned int cookie_len)
4425{
97ea1e7f 4426 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 4427 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
4428 return 1;
4429
4430 return 0;
4431}
4432
3fa2812f
BS		 4433static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
4434 size_t *cookie_len)
4435{
4436 unsigned int temp;
4437 int res = generate_cookie_callback(ssl, cookie, &temp);
4438 *cookie_len = temp;
4439 return res;
4440}
4441
4442static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
4443 size_t cookie_len)
4444{
4445 return verify_cookie_callback(ssl, cookie, cookie_len);
4446}
4447
c7b8ff25
MC		 4448static int test_stateless(void)
4449{
4450 SSL_CTX *sctx = NULL, *cctx = NULL;
4451 SSL *serverssl = NULL, *clientssl = NULL;
4452 int testresult = 0;
4453
5e30f2fd
MC		 4454 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4455 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 4456 &sctx, &cctx, cert, privkey)))
c7b8ff25
MC		 4457 goto end;
4458
e440f513
MC		 4459 /* The arrival of CCS messages can confuse the test */
4460 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
4461
4462 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4463 NULL, NULL))
4464 /* Send the first ClientHello */
4465 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4466 SSL_ERROR_WANT_READ))
4467 /*
4468 * This should fail with a -1 return because we have no callbacks
4469 * set up
4470 */
4471 || !TEST_int_eq(SSL_stateless(serverssl), -1))
4472 goto end;
4473
4474 /* Fatal error so abandon the connection from this client */
4475 SSL_free(clientssl);
4476 clientssl = NULL;
4477
c7b8ff25 4478 /* Set up the cookie generation and verification callbacks */
3fa2812f
BS		 4479 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
4480 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
c7b8ff25 4481
e440f513
MC		 4482 /*
4483 * Create a new connection from the client (we can reuse the server SSL
4484 * object).
4485 */
c7b8ff25
MC		 4486 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4487 NULL, NULL))
4488 /* Send the first ClientHello */
4489 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4490 SSL_ERROR_WANT_READ))
4491 /* This should fail because there is no cookie */
e440f513 4492 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 4493 goto end;
4494
4495 /* Abandon the connection from this client */
4496 SSL_free(clientssl);
4497 clientssl = NULL;
4498
4499 /*
4500 * Now create a connection from a new client but with the same server SSL
4501 * object
4502 */
4503 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4504 NULL, NULL))
4505 /* Send the first ClientHello */
4506 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4507 SSL_ERROR_WANT_READ))
4508 /* This should fail because there is no cookie */
e440f513 4509 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 4510 /* Send the second ClientHello */
4511 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4512 SSL_ERROR_WANT_READ))
4513 /* This should succeed because a cookie is now present */
e440f513 4514 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 4515 /* Complete the connection */
4516 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4517 SSL_ERROR_NONE)))
4518 goto end;
4519
4520 shutdown_ssl_connection(serverssl, clientssl);
4521 serverssl = clientssl = NULL;
4522 testresult = 1;
4523
4524 end:
4525 SSL_free(serverssl);
4526 SSL_free(clientssl);
4527 SSL_CTX_free(sctx);
4528 SSL_CTX_free(cctx);
4529 return testresult;
4530
4531}
ca0413ae 4532#endif /* OPENSSL_NO_TLS1_3 */
5f982038 4533
a37008d9
MC		 4534static int clntaddoldcb = 0;
4535static int clntparseoldcb = 0;
4536static int srvaddoldcb = 0;
4537static int srvparseoldcb = 0;
4538static int clntaddnewcb = 0;
4539static int clntparsenewcb = 0;
4540static int srvaddnewcb = 0;
4541static int srvparsenewcb = 0;
bb01ef3f 4542static int snicb = 0;
a37008d9
MC		 4543
4544#define TEST_EXT_TYPE1 0xff00
4545
4546static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
4547 size_t *outlen, int *al, void *add_arg)
4548{
4549 int *server = (int *)add_arg;
4550 unsigned char *data;
4551
4552 if (SSL_is_server(s))
4553 srvaddoldcb++;
4554 else
4555 clntaddoldcb++;
4556
710756a9
RS		 4557 if (*server != SSL_is_server(s)
4558 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 4559 return -1;
4560
4561 *data = 1;
4562 *out = data;
4563 *outlen = sizeof(char);
a37008d9
MC		 4564 return 1;
4565}
4566
4567static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
4568 void *add_arg)
4569{
4570 OPENSSL_free((unsigned char *)out);
4571}
4572
4573static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
4574 size_t inlen, int *al, void *parse_arg)
4575{
4576 int *server = (int *)parse_arg;
4577
4578 if (SSL_is_server(s))
4579 srvparseoldcb++;
4580 else
4581 clntparseoldcb++;
4582
710756a9
RS		 4583 if (*server != SSL_is_server(s)
4584 || inlen != sizeof(char)
4585 || *in != 1)
a37008d9
MC		 4586 return -1;
4587
4588 return 1;
4589}
4590
4591static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
4592 const unsigned char **out, size_t *outlen, X509 *x,
4593 size_t chainidx, int *al, void *add_arg)
4594{
4595 int *server = (int *)add_arg;
4596 unsigned char *data;
4597
4598 if (SSL_is_server(s))
4599 srvaddnewcb++;
4600 else
4601 clntaddnewcb++;
4602
710756a9
RS		 4603 if (*server != SSL_is_server(s)
4604 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 4605 return -1;
4606
4607 *data = 1;
4608 *out = data;
710756a9 4609 *outlen = sizeof(*data);
a37008d9
MC		 4610 return 1;
4611}
4612
4613static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
4614 const unsigned char *out, void *add_arg)
4615{
4616 OPENSSL_free((unsigned char *)out);
4617}
4618
4619static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
4620 const unsigned char *in, size_t inlen, X509 *x,
4621 size_t chainidx, int *al, void *parse_arg)
4622{
4623 int *server = (int *)parse_arg;
4624
4625 if (SSL_is_server(s))
4626 srvparsenewcb++;
4627 else
4628 clntparsenewcb++;
4629
710756a9
RS		 4630 if (*server != SSL_is_server(s)
4631 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 4632 return -1;
4633
4634 return 1;
4635}
bb01ef3f
MC		 4636
4637static int sni_cb(SSL *s, int *al, void *arg)
4638{
4639 SSL_CTX *ctx = (SSL_CTX *)arg;
4640
4641 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
4642 *al = SSL_AD_INTERNAL_ERROR;
4643 return SSL_TLSEXT_ERR_ALERT_FATAL;
4644 }
4645 snicb++;
4646 return SSL_TLSEXT_ERR_OK;
4647}
4648
a37008d9
MC		 4649/*
4650 * Custom call back tests.
4651 * Test 0: Old style callbacks in TLSv1.2
4652 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 4653 * Test 2: New style callbacks in TLSv1.2 with SNI
4654 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
4655 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
a37008d9 4656 */
710756a9
RS		 4657static int test_custom_exts(int tst)
4658{
bb01ef3f 4659 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 4660 SSL *clientssl = NULL, *serverssl = NULL;
4661 int testresult = 0;
4662 static int server = 1;
4663 static int client = 0;
4664 SSL_SESSION *sess = NULL;
4665 unsigned int context;
4666
c423ecaa
MC		 4667#if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
4668 /* Skip tests for TLSv1.2 and below in this case */
4669 if (tst < 3)
4670 return 1;
4671#endif
4672
a37008d9
MC		 4673 /* Reset callback counters */
4674 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
4675 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 4676 snicb = 0;
a37008d9 4677
5e30f2fd
MC		 4678 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4679 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 4680 &sctx, &cctx, cert, privkey)))
710756a9 4681 goto end;
a37008d9 4682
bb01ef3f 4683 if (tst == 2
5e30f2fd 4684 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5c587fb6 4685 TLS1_VERSION, 0,
7d7f6834 4686 &sctx2, NULL, cert, privkey)))
bb01ef3f
MC		 4687 goto end;
4688
4689
4690 if (tst < 3) {
a37008d9
MC		 4691 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
4692 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 4693 if (sctx2 != NULL)
4694 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 4695 }
4696
bb01ef3f 4697 if (tst == 4) {
710756a9
RS		 4698 context = SSL_EXT_CLIENT_HELLO
4699 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 4700 | SSL_EXT_TLS1_3_SERVER_HELLO
4701 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
4702 | SSL_EXT_TLS1_3_CERTIFICATE
4703 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
4704 } else {
710756a9
RS		 4705 context = SSL_EXT_CLIENT_HELLO
4706 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 4707 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
4708 }
4709
4710 /* Create a client side custom extension */
4711 if (tst == 0) {
710756a9
RS		 4712 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4713 old_add_cb, old_free_cb,
4714 &client, old_parse_cb,
4715 &client)))
4716 goto end;
a37008d9 4717 } else {
710756a9
RS		 4718 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
4719 new_add_cb, new_free_cb,
4720 &client, new_parse_cb, &client)))
4721 goto end;
a37008d9
MC		 4722 }
4723
4724 /* Should not be able to add duplicates */
710756a9
RS		 4725 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4726 old_add_cb, old_free_cb,
4727 &client, old_parse_cb,
4728 &client))
4729 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
4730 context, new_add_cb,
4731 new_free_cb, &client,
4732 new_parse_cb, &client)))
4733 goto end;
a37008d9
MC		 4734
4735 /* Create a server side custom extension */
4736 if (tst == 0) {
710756a9
RS		 4737 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4738 old_add_cb, old_free_cb,
4739 &server, old_parse_cb,
4740 &server)))
4741 goto end;
a37008d9 4742 } else {
710756a9
RS		 4743 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
4744 new_add_cb, new_free_cb,
4745 &server, new_parse_cb, &server)))
4746 goto end;
bb01ef3f
MC		 4747 if (sctx2 != NULL
4748 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
4749 context, new_add_cb,
4750 new_free_cb, &server,
4751 new_parse_cb, &server)))
4752 goto end;
a37008d9
MC		 4753 }
4754
4755 /* Should not be able to add duplicates */
710756a9
RS		 4756 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4757 old_add_cb, old_free_cb,
4758 &server, old_parse_cb,
4759 &server))
4760 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
4761 context, new_add_cb,
4762 new_free_cb, &server,
4763 new_parse_cb, &server)))
a37008d9 4764 goto end;
a37008d9 4765
bb01ef3f
MC		 4766 if (tst == 2) {
4767 /* Set up SNI */
4768 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
4769 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
4770 goto end;
4771 }
4772
710756a9
RS		 4773 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4774 &clientssl, NULL, NULL))
4775 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4776 SSL_ERROR_NONE)))
a37008d9 4777 goto end;
a37008d9
MC		 4778
4779 if (tst == 0) {
710756a9
RS		 4780 if (clntaddoldcb != 1
4781 || clntparseoldcb != 1
4782 || srvaddoldcb != 1
4783 || srvparseoldcb != 1)
a37008d9 4784 goto end;
bb01ef3f 4785 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 4786 if (clntaddnewcb != 1
4787 || clntparsenewcb != 1
4788 || srvaddnewcb != 1
bb01ef3f
MC		 4789 || srvparsenewcb != 1
4790 || (tst != 2 && snicb != 0)
4791 || (tst == 2 && snicb != 1))
a37008d9 4792 goto end;
a37008d9 4793 } else {
36ff232c 4794 /* In this case there 2 NewSessionTicket messages created */
710756a9 4795 if (clntaddnewcb != 1
36ff232c
MC		 4796 || clntparsenewcb != 5
4797 || srvaddnewcb != 5
710756a9 4798 || srvparsenewcb != 1)
a37008d9 4799 goto end;
a37008d9
MC		 4800 }
4801
4802 sess = SSL_get1_session(clientssl);
a37008d9
MC		 4803 SSL_shutdown(clientssl);
4804 SSL_shutdown(serverssl);
a37008d9
MC		 4805 SSL_free(serverssl);
4806 SSL_free(clientssl);
4807 serverssl = clientssl = NULL;
4808
bb01ef3f
MC		 4809 if (tst == 3) {
4810 /* We don't bother with the resumption aspects for this test */
4811 testresult = 1;
4812 goto end;
4813 }
4814
710756a9
RS		 4815 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4816 NULL, NULL))
4817 || !TEST_true(SSL_set_session(clientssl, sess))
4818 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4819 SSL_ERROR_NONE)))
a37008d9 4820 goto end;
a37008d9
MC		 4821
4822 /*
4823 * For a resumed session we expect to add the ClientHello extension. For the
4824 * old style callbacks we ignore it on the server side because they set
4825 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
4826 * them.
4827 */
4828 if (tst == 0) {
710756a9
RS		 4829 if (clntaddoldcb != 2
4830 || clntparseoldcb != 1
4831 || srvaddoldcb != 1
4832 || srvparseoldcb != 1)
a37008d9 4833 goto end;
bb01ef3f 4834 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 4835 if (clntaddnewcb != 2
4836 || clntparsenewcb != 2
4837 || srvaddnewcb != 2
4838 || srvparsenewcb != 2)
a37008d9 4839 goto end;
a37008d9 4840 } else {
36ff232c
MC		 4841 /*
4842 * No Certificate message extensions in the resumption handshake,
4843 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
4844 */
710756a9 4845 if (clntaddnewcb != 2
36ff232c
MC		 4846 || clntparsenewcb != 8
4847 || srvaddnewcb != 8
710756a9 4848 || srvparsenewcb != 2)
a37008d9 4849 goto end;
a37008d9
MC		 4850 }
4851
4852 testresult = 1;
4853
4854end:
4855 SSL_SESSION_free(sess);
4856 SSL_free(serverssl);
4857 SSL_free(clientssl);
bb01ef3f 4858 SSL_CTX_free(sctx2);
a37008d9
MC		 4859 SSL_CTX_free(sctx);
4860 SSL_CTX_free(cctx);
a37008d9
MC		 4861 return testresult;
4862}
4863
16afd71c
MC		 4864/*
4865 * Test loading of serverinfo data in various formats. test_sslmessages actually
4866 * tests to make sure the extensions appear in the handshake
4867 */
4868static int test_serverinfo(int tst)
4869{
4870 unsigned int version;
4871 unsigned char *sibuf;
4872 size_t sibuflen;
4873 int ret, expected, testresult = 0;
4874 SSL_CTX *ctx;
4875
5e30f2fd 4876 ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
16afd71c
MC		 4877 if (!TEST_ptr(ctx))
4878 goto end;
4879
4880 if ((tst & 0x01) == 0x01)
4881 version = SSL_SERVERINFOV2;
4882 else
4883 version = SSL_SERVERINFOV1;
4884
4885 if ((tst & 0x02) == 0x02) {
4886 sibuf = serverinfov2;
4887 sibuflen = sizeof(serverinfov2);
4888 expected = (version == SSL_SERVERINFOV2);
4889 } else {
4890 sibuf = serverinfov1;
4891 sibuflen = sizeof(serverinfov1);
4892 expected = (version == SSL_SERVERINFOV1);
4893 }
4894
4895 if ((tst & 0x04) == 0x04) {
4896 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
4897 } else {
4898 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
4899
4900 /*
4901 * The version variable is irrelevant in this case - it's what is in the
4902 * buffer that matters
4903 */
4904 if ((tst & 0x02) == 0x02)
4905 expected = 0;
4906 else
4907 expected = 1;
4908 }
4909
4910 if (!TEST_true(ret == expected))
4911 goto end;
4912
4913 testresult = 1;
4914
4915 end:
4916 SSL_CTX_free(ctx);
4917
4918 return testresult;
4919}
4920
2197d1df
MC		 4921/*
4922 * Test that SSL_export_keying_material() produces expected results. There are
4923 * no test vectors so all we do is test that both sides of the communication
4924 * produce the same results for different protocol versions.
4925 */
0fb2815b
MC		 4926#define SMALL_LABEL_LEN 10
4927#define LONG_LABEL_LEN 249
2197d1df
MC		 4928static int test_export_key_mat(int tst)
4929{
a599574b 4930 int testresult = 0;
2197d1df
MC		 4931 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4932 SSL *clientssl = NULL, *serverssl = NULL;
0fb2815b 4933 const char label[LONG_LABEL_LEN + 1] = "test label";
2197d1df
MC		 4934 const unsigned char context[] = "context";
4935 const unsigned char *emptycontext = NULL;
4936 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
4937 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
0fb2815b 4938 size_t labellen;
a599574b
MC		 4939 const int protocols[] = {
4940 TLS1_VERSION,
4941 TLS1_1_VERSION,
4942 TLS1_2_VERSION,
0fb2815b
MC		 4943 TLS1_3_VERSION,
4944 TLS1_3_VERSION,
a599574b
MC		 4945 TLS1_3_VERSION
4946 };
2197d1df
MC		 4947
4948#ifdef OPENSSL_NO_TLS1
4949 if (tst == 0)
4950 return 1;
4951#endif
4952#ifdef OPENSSL_NO_TLS1_1
4953 if (tst == 1)
4954 return 1;
4955#endif
4f6c7044
MC		 4956 if (is_fips && (tst == 0 || tst == 1))
4957 return 1;
2197d1df
MC		 4958#ifdef OPENSSL_NO_TLS1_2
4959 if (tst == 2)
4960 return 1;
4961#endif
4962#ifdef OPENSSL_NO_TLS1_3
0fb2815b 4963 if (tst >= 3)
2197d1df
MC		 4964 return 1;
4965#endif
5e30f2fd
MC		 4966 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4967 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 4968 &sctx, &cctx, cert, privkey)))
2197d1df
MC		 4969 goto end;
4970
a599574b
MC		 4971 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
4972 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
4973 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
2197d1df
MC		 4974
4975 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4976 NULL))
4977 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4978 SSL_ERROR_NONE)))
4979 goto end;
4980
0fb2815b
MC		 4981 if (tst == 5) {
4982 /*
4983 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
4984 * go over that.
4985 */
4986 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
4987 sizeof(ckeymat1), label,
4988 LONG_LABEL_LEN + 1, context,
4989 sizeof(context) - 1, 1), 0))
4990 goto end;
4991
4992 testresult = 1;
4993 goto end;
4994 } else if (tst == 4) {
4995 labellen = LONG_LABEL_LEN;
4996 } else {
4997 labellen = SMALL_LABEL_LEN;
4998 }
4999
2197d1df
MC		 5000 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5001 sizeof(ckeymat1), label,
0fb2815b 5002 labellen, context,
2197d1df
MC		 5003 sizeof(context) - 1, 1), 1)
5004 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5005 sizeof(ckeymat2), label,
0fb2815b 5006 labellen,
2197d1df
MC		 5007 emptycontext,
5008 0, 1), 1)
5009 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5010 sizeof(ckeymat3), label,
0fb2815b 5011 labellen,
2197d1df
MC		 5012 NULL, 0, 0), 1)
5013 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5014 sizeof(skeymat1), label,
0fb2815b 5015 labellen,
2197d1df
MC		 5016 context,
5017 sizeof(context) -1, 1),
5018 1)
5019 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5020 sizeof(skeymat2), label,
0fb2815b 5021 labellen,
2197d1df
MC		 5022 emptycontext,
5023 0, 1), 1)
5024 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5025 sizeof(skeymat3), label,
0fb2815b 5026 labellen,
2197d1df
MC		 5027 NULL, 0, 0), 1)
5028 /*
5029 * Check that both sides created the same key material with the
5030 * same context.
5031 */
5032 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5033 sizeof(skeymat1))
5034 /*
5035 * Check that both sides created the same key material with an
5036 * empty context.
5037 */
5038 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5039 sizeof(skeymat2))
5040 /*
5041 * Check that both sides created the same key material without a
5042 * context.
5043 */
5044 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5045 sizeof(skeymat3))
5046 /* Different contexts should produce different results */
5047 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5048 sizeof(ckeymat2)))
5049 goto end;
5050
5051 /*
5052 * Check that an empty context and no context produce different results in
5053 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5054 */
0fb2815b 5055 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
2197d1df 5056 sizeof(ckeymat3)))
0fb2815b
MC		 5057 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
5058 sizeof(ckeymat3))))
2197d1df
MC		 5059 goto end;
5060
5061 testresult = 1;
5062
5063 end:
5064 SSL_free(serverssl);
5065 SSL_free(clientssl);
5066 SSL_CTX_free(sctx2);
5067 SSL_CTX_free(sctx);
5068 SSL_CTX_free(cctx);
5069
5070 return testresult;
5071}
5072
b38ede80
TT		 5073#ifndef OPENSSL_NO_TLS1_3
5074/*
5075 * Test that SSL_export_keying_material_early() produces expected
5076 * results. There are no test vectors so all we do is test that both
5077 * sides of the communication produce the same results for different
5078 * protocol versions.
5079 */
5080static int test_export_key_mat_early(int idx)
5081{
5082 static const char label[] = "test label";
5083 static const unsigned char context[] = "context";
5084 int testresult = 0;
5085 SSL_CTX *cctx = NULL, *sctx = NULL;
5086 SSL *clientssl = NULL, *serverssl = NULL;
5087 SSL_SESSION *sess = NULL;
5088 const unsigned char *emptycontext = NULL;
5089 unsigned char ckeymat1[80], ckeymat2[80];
5090 unsigned char skeymat1[80], skeymat2[80];
5091 unsigned char buf[1];
5092 size_t readbytes, written;
5093
5094 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
5095 &sess, idx)))
5096 goto end;
5097
5098 /* Here writing 0 length early data is enough. */
5099 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
5100 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
5101 &readbytes),
5102 SSL_READ_EARLY_DATA_ERROR)
5103 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5104 SSL_EARLY_DATA_ACCEPTED))
5105 goto end;
5106
5107 if (!TEST_int_eq(SSL_export_keying_material_early(
5108 clientssl, ckeymat1, sizeof(ckeymat1), label,
5109 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5110 || !TEST_int_eq(SSL_export_keying_material_early(
5111 clientssl, ckeymat2, sizeof(ckeymat2), label,
5112 sizeof(label) - 1, emptycontext, 0), 1)
5113 || !TEST_int_eq(SSL_export_keying_material_early(
5114 serverssl, skeymat1, sizeof(skeymat1), label,
5115 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5116 || !TEST_int_eq(SSL_export_keying_material_early(
5117 serverssl, skeymat2, sizeof(skeymat2), label,
5118 sizeof(label) - 1, emptycontext, 0), 1)
5119 /*
5120 * Check that both sides created the same key material with the
5121 * same context.
5122 */
5123 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5124 sizeof(skeymat1))
5125 /*
5126 * Check that both sides created the same key material with an
5127 * empty context.
5128 */
5129 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5130 sizeof(skeymat2))
5131 /* Different contexts should produce different results */
5132 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5133 sizeof(ckeymat2)))
5134 goto end;
5135
5136 testresult = 1;
5137
5138 end:
c20e3b28 5139 SSL_SESSION_free(sess);
b38ede80
TT		 5140 SSL_SESSION_free(clientpsk);
5141 SSL_SESSION_free(serverpsk);
34ff74eb 5142 clientpsk = serverpsk = NULL;
b38ede80
TT		 5143 SSL_free(serverssl);
5144 SSL_free(clientssl);
5145 SSL_CTX_free(sctx);
5146 SSL_CTX_free(cctx);
5147
5148 return testresult;
5149}
3409a5ff
MC		 5150
5151#define NUM_KEY_UPDATE_MESSAGES 40
5152/*
5153 * Test KeyUpdate.
5154 */
5155static int test_key_update(void)
5156{
5157 SSL_CTX *cctx = NULL, *sctx = NULL;
5158 SSL *clientssl = NULL, *serverssl = NULL;
5159 int testresult = 0, i, j;
5160 char buf[20];
5161 static char *mess = "A test message";
5162
5e30f2fd 5163 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3409a5ff
MC		 5164 TLS_client_method(),
5165 TLS1_3_VERSION,
5166 0,
5167 &sctx, &cctx, cert, privkey))
5168 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5169 NULL, NULL))
5170 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5171 SSL_ERROR_NONE)))
5172 goto end;
5173
5174 for (j = 0; j < 2; j++) {
5175 /* Send lots of KeyUpdate messages */
5176 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
5177 if (!TEST_true(SSL_key_update(clientssl,
5178 (j == 0)
5179 ? SSL_KEY_UPDATE_NOT_REQUESTED
5180 : SSL_KEY_UPDATE_REQUESTED))
5181 || !TEST_true(SSL_do_handshake(clientssl)))
5182 goto end;
5183 }
5184
5185 /* Check that sending and receiving app data is ok */
5186 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
5187 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
5188 strlen(mess)))
5189 goto end;
a77b4dba
MC		 5190
5191 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
5192 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
5193 strlen(mess)))
5194 goto end;
3409a5ff
MC		 5195 }
5196
5197 testresult = 1;
5198
5199 end:
5200 SSL_free(serverssl);
5201 SSL_free(clientssl);
5202 SSL_CTX_free(sctx);
5203 SSL_CTX_free(cctx);
5204
5205 return testresult;
5206}
a77b4dba
MC		 5207
5208/*
5209 * Test we can handle a KeyUpdate (update requested) message while write data
5210 * is pending.
5211 * Test 0: Client sends KeyUpdate while Server is writing
5212 * Test 1: Server sends KeyUpdate while Client is writing
5213 */
5214static int test_key_update_in_write(int tst)
5215{
5216 SSL_CTX *cctx = NULL, *sctx = NULL;
5217 SSL *clientssl = NULL, *serverssl = NULL;
5218 int testresult = 0;
5219 char buf[20];
5220 static char *mess = "A test message";
5221 BIO *bretry = BIO_new(bio_s_always_retry());
5222 BIO *tmp = NULL;
5223 SSL *peerupdate = NULL, *peerwrite = NULL;
5224
5225 if (!TEST_ptr(bretry)
5e30f2fd 5226 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
a77b4dba
MC		 5227 TLS_client_method(),
5228 TLS1_3_VERSION,
5229 0,
5230 &sctx, &cctx, cert, privkey))
5231 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5232 NULL, NULL))
5233 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5234 SSL_ERROR_NONE)))
5235 goto end;
5236
5237 peerupdate = tst == 0 ? clientssl : serverssl;
5238 peerwrite = tst == 0 ? serverssl : clientssl;
5239
5240 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
5241 || !TEST_true(SSL_do_handshake(peerupdate)))
5242 goto end;
5243
5244 /* Swap the writing endpoint's write BIO to force a retry */
5245 tmp = SSL_get_wbio(peerwrite);
5246 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
5247 tmp = NULL;
5248 goto end;
5249 }
5250 SSL_set0_wbio(peerwrite, bretry);
5251 bretry = NULL;
5252
5253 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
5254 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
5255 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
5256 goto end;
5257
5258 /* Reinstate the original writing endpoint's write BIO */
5259 SSL_set0_wbio(peerwrite, tmp);
5260 tmp = NULL;
5261
5262 /* Now read some data - we will read the key update */
5263 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
5264 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
5265 goto end;
5266
5267 /*
5268 * Complete the write we started previously and read it from the other
5269 * endpoint
5270 */
5271 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5272 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5273 goto end;
5274
5275 /* Write more data to ensure we send the KeyUpdate message back */
5276 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5277 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5278 goto end;
5279
5280 testresult = 1;
5281
5282 end:
5283 SSL_free(serverssl);
5284 SSL_free(clientssl);
5285 SSL_CTX_free(sctx);
5286 SSL_CTX_free(cctx);
5287 BIO_free(bretry);
5288 BIO_free(tmp);
5289
5290 return testresult;
5291}
b38ede80
TT		 5292#endif /* OPENSSL_NO_TLS1_3 */
5293
e11b6aa4
MC		 5294static int test_ssl_clear(int idx)
5295{
5296 SSL_CTX *cctx = NULL, *sctx = NULL;
5297 SSL *clientssl = NULL, *serverssl = NULL;
5298 int testresult = 0;
5299
5300#ifdef OPENSSL_NO_TLS1_2
5301 if (idx == 1)
5302 return 1;
5303#endif
5304
5305 /* Create an initial connection */
5e30f2fd
MC		 5306 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5307 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5308 &sctx, &cctx, cert, privkey))
e11b6aa4
MC		 5309 || (idx == 1
5310 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5311 TLS1_2_VERSION)))
5312 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5313 &clientssl, NULL, NULL))
5314 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5315 SSL_ERROR_NONE)))
5316 goto end;
5317
5318 SSL_shutdown(clientssl);
5319 SSL_shutdown(serverssl);
5320 SSL_free(serverssl);
5321 serverssl = NULL;
5322
5323 /* Clear clientssl - we're going to reuse the object */
5324 if (!TEST_true(SSL_clear(clientssl)))
5325 goto end;
5326
5327 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5328 NULL, NULL))
5329 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5330 SSL_ERROR_NONE))
5331 || !TEST_true(SSL_session_reused(clientssl)))
5332 goto end;
5333
5334 SSL_shutdown(clientssl);
5335 SSL_shutdown(serverssl);
5336
5337 testresult = 1;
5338
5339 end:
5340 SSL_free(serverssl);
5341 SSL_free(clientssl);
5342 SSL_CTX_free(sctx);
5343 SSL_CTX_free(cctx);
5344
5345 return testresult;
5346}
5347
cf72c757
F		 5348/* Parse CH and retrieve any MFL extension value if present */
5349static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5350{
5351 long len;
5352 unsigned char *data;
72962d02 5353 PACKET pkt, pkt2, pkt3;
cf72c757
F		 5354 unsigned int MFL_code = 0, type = 0;
5355
5356 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5357 goto end;
5358
72962d02
P		 5359 memset(&pkt, 0, sizeof(pkt));
5360 memset(&pkt2, 0, sizeof(pkt2));
5361 memset(&pkt3, 0, sizeof(pkt3));
5362
cf72c757
F		 5363 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5364 /* Skip the record header */
5365 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5366 /* Skip the handshake message header */
5367 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5368 /* Skip client version and random */
5369 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5370 + SSL3_RANDOM_SIZE))
5371 /* Skip session id */
5372 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5373 /* Skip ciphers */
5374 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5375 /* Skip compression */
5376 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5377 /* Extensions len */
5378 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5379 goto end;
5380
5381 /* Loop through all extensions */
5382 while (PACKET_remaining(&pkt2)) {
5383 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5384 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5385 goto end;
5386
5387 if (type == TLSEXT_TYPE_max_fragment_length) {
5388 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5389 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5390 goto end;
5391
5392 *mfl_codemfl_code = MFL_code;
5393 return 1;
5394 }
5395 }
5396
5397 end:
5398 return 0;
5399}
5400
5401/* Maximum-Fragment-Length TLS extension mode to test */
5402static const unsigned char max_fragment_len_test[] = {
5403 TLSEXT_max_fragment_length_512,
5404 TLSEXT_max_fragment_length_1024,
5405 TLSEXT_max_fragment_length_2048,
5406 TLSEXT_max_fragment_length_4096
5407};
5408
5409static int test_max_fragment_len_ext(int idx_tst)
5410{
5411 SSL_CTX *ctx;
5412 SSL *con = NULL;
5413 int testresult = 0, MFL_mode = 0;
5414 BIO *rbio, *wbio;
5415
5e30f2fd 5416 ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
cf72c757
F		 5417 if (!TEST_ptr(ctx))
5418 goto end;
5419
5420 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
5421 ctx, max_fragment_len_test[idx_tst])))
5422 goto end;
5423
5424 con = SSL_new(ctx);
5425 if (!TEST_ptr(con))
5426 goto end;
5427
5428 rbio = BIO_new(BIO_s_mem());
5429 wbio = BIO_new(BIO_s_mem());
5430 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
5431 BIO_free(rbio);
5432 BIO_free(wbio);
5433 goto end;
5434 }
5435
5436 SSL_set_bio(con, rbio, wbio);
5437 SSL_set_connect_state(con);
5438
5439 if (!TEST_int_le(SSL_connect(con), 0)) {
5440 /* This shouldn't succeed because we don't have a server! */
5441 goto end;
5442 }
5443
5444 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
5445 /* no MFL in client hello */
5446 goto end;
5447 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
5448 goto end;
5449
5450 testresult = 1;
5451
5452end:
5453 SSL_free(con);
5454 SSL_CTX_free(ctx);
5455
5456 return testresult;
5457}
5458
9d75dce3
TS		 5459#ifndef OPENSSL_NO_TLS1_3
5460static int test_pha_key_update(void)
5461{
5462 SSL_CTX *cctx = NULL, *sctx = NULL;
5463 SSL *clientssl = NULL, *serverssl = NULL;
5464 int testresult = 0;
5465
5e30f2fd
MC		 5466 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5467 TLS_client_method(), TLS1_VERSION, 0,
9d75dce3
TS		 5468 &sctx, &cctx, cert, privkey)))
5469 return 0;
5470
5471 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
5472 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
5473 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
5474 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
5475 goto end;
5476
e97be718 5477 SSL_CTX_set_post_handshake_auth(cctx, 1);
9d75dce3
TS		 5478
5479 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5480 NULL, NULL)))
5481 goto end;
5482
9d75dce3
TS		 5483 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5484 SSL_ERROR_NONE)))
5485 goto end;
5486
5487 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5488 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5489 goto end;
5490
5491 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
5492 goto end;
5493
5494 /* Start handshake on the server */
5495 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
5496 goto end;
5497
5498 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
5499 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5500 SSL_ERROR_NONE)))
5501 goto end;
5502
5503 SSL_shutdown(clientssl);
5504 SSL_shutdown(serverssl);
5505
5506 testresult = 1;
5507
5508 end:
5509 SSL_free(serverssl);
5510 SSL_free(clientssl);
5511 SSL_CTX_free(sctx);
5512 SSL_CTX_free(cctx);
5513 return testresult;
5514}
5515#endif
5516
76fd7a1d
MC		 5517#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5518
5519static SRP_VBASE *vbase = NULL;
5520
5521static int ssl_srp_cb(SSL *s, int *ad, void *arg)
5522{
5523 int ret = SSL3_AL_FATAL;
5524 char *username;
5525 SRP_user_pwd *user = NULL;
5526
5527 username = SSL_get_srp_username(s);
5528 if (username == NULL) {
5529 *ad = SSL_AD_INTERNAL_ERROR;
5530 goto err;
5531 }
5532
5533 user = SRP_VBASE_get1_by_user(vbase, username);
5534 if (user == NULL) {
5535 *ad = SSL_AD_INTERNAL_ERROR;
5536 goto err;
5537 }
5538
5539 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
5540 user->info) <= 0) {
5541 *ad = SSL_AD_INTERNAL_ERROR;
5542 goto err;
5543 }
5544
5545 ret = 0;
5546
5547 err:
5548 SRP_user_pwd_free(user);
5549 return ret;
5550}
5551
5552static int create_new_vfile(char *userid, char *password, const char *filename)
5553{
5554 char *gNid = NULL;
5555 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
5556 TXT_DB *db = NULL;
5557 int ret = 0;
5558 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
5559 size_t i;
5560
5561 if (!TEST_ptr(dummy) || !TEST_ptr(row))
5562 goto end;
5563
20c00d0a 5564 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
5e30f2fd 5565 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
76fd7a1d
MC		 5566 if (!TEST_ptr(gNid))
5567 goto end;
5568
5569 /*
5570 * The only way to create an empty TXT_DB is to provide a BIO with no data
5571 * in it!
5572 */
5573 db = TXT_DB_read(dummy, DB_NUMBER);
5574 if (!TEST_ptr(db))
5575 goto end;
5576
5577 out = BIO_new_file(filename, "w");
5578 if (!TEST_ptr(out))
5579 goto end;
5580
5581 row[DB_srpid] = OPENSSL_strdup(userid);
5582 row[DB_srptype] = OPENSSL_strdup("V");
5583 row[DB_srpgN] = OPENSSL_strdup(gNid);
5584
5585 if (!TEST_ptr(row[DB_srpid])
5586 || !TEST_ptr(row[DB_srptype])
5587 || !TEST_ptr(row[DB_srpgN])
5588 || !TEST_true(TXT_DB_insert(db, row)))
5589 goto end;
5590
5591 row = NULL;
5592
5593 if (!TXT_DB_write(out, db))
5594 goto end;
5595
5596 ret = 1;
5597 end:
5598 if (row != NULL) {
5599 for (i = 0; i < DB_NUMBER; i++)
5600 OPENSSL_free(row[i]);
5601 }
5602 OPENSSL_free(row);
5603 BIO_free(dummy);
5604 BIO_free(out);
5605 TXT_DB_free(db);
5606
5607 return ret;
5608}
5609
5610static int create_new_vbase(char *userid, char *password)
5611{
5612 BIGNUM *verifier = NULL, *salt = NULL;
5613 const SRP_gN *lgN = NULL;
5614 SRP_user_pwd *user_pwd = NULL;
5615 int ret = 0;
5616
5617 lgN = SRP_get_default_gN(NULL);
5618 if (!TEST_ptr(lgN))
5619 goto end;
5620
20c00d0a 5621 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
5e30f2fd 5622 lgN->N, lgN->g, libctx, NULL)))
76fd7a1d
MC		 5623 goto end;
5624
5625 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
5626 if (!TEST_ptr(user_pwd))
5627 goto end;
5628
5629 user_pwd->N = lgN->N;
5630 user_pwd->g = lgN->g;
5631 user_pwd->id = OPENSSL_strdup(userid);
5632 if (!TEST_ptr(user_pwd->id))
5633 goto end;
5634
5635 user_pwd->v = verifier;
5636 user_pwd->s = salt;
5637 verifier = salt = NULL;
5638
5639 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
5640 goto end;
5641 user_pwd = NULL;
5642
5643 ret = 1;
5644end:
5645 SRP_user_pwd_free(user_pwd);
5646 BN_free(salt);
5647 BN_free(verifier);
5648
5649 return ret;
5650}
5651
5652/*
5653 * SRP tests
5654 *
5655 * Test 0: Simple successful SRP connection, new vbase
5656 * Test 1: Connection failure due to bad password, new vbase
5657 * Test 2: Simple successful SRP connection, vbase loaded from existing file
5658 * Test 3: Connection failure due to bad password, vbase loaded from existing
5659 * file
5660 * Test 4: Simple successful SRP connection, vbase loaded from new file
5661 * Test 5: Connection failure due to bad password, vbase loaded from new file
5662 */
5663static int test_srp(int tst)
5664{
5665 char *userid = "test", *password = "password", *tstsrpfile;
5666 SSL_CTX *cctx = NULL, *sctx = NULL;
5667 SSL *clientssl = NULL, *serverssl = NULL;
5668 int ret, testresult = 0;
5669
5670 vbase = SRP_VBASE_new(NULL);
5671 if (!TEST_ptr(vbase))
5672 goto end;
5673
5674 if (tst == 0 || tst == 1) {
5675 if (!TEST_true(create_new_vbase(userid, password)))
5676 goto end;
5677 } else {
5678 if (tst == 4 || tst == 5) {
5679 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
5680 goto end;
5681 tstsrpfile = tmpfilename;
5682 } else {
5683 tstsrpfile = srpvfile;
5684 }
5685 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
5686 goto end;
5687 }
5688
5e30f2fd
MC		 5689 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5690 TLS_client_method(), TLS1_VERSION, 0,
76fd7a1d
MC		 5691 &sctx, &cctx, cert, privkey)))
5692 goto end;
5693
5694 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
5695 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
5696 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
5697 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
5698 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
5699 goto end;
5700
5701 if (tst % 2 == 1) {
5702 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
5703 goto end;
5704 } else {
5705 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
5706 goto end;
5707 }
5708
5709 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5710 NULL, NULL)))
5711 goto end;
5712
5713 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
5714 if (ret) {
5715 if (!TEST_true(tst % 2 == 0))
5716 goto end;
5717 } else {
5718 if (!TEST_true(tst % 2 == 1))
5719 goto end;
5720 }
5721
5722 testresult = 1;
5723
5724 end:
5725 SRP_VBASE_free(vbase);
5726 vbase = NULL;
5727 SSL_free(serverssl);
5728 SSL_free(clientssl);
5729 SSL_CTX_free(sctx);
5730 SSL_CTX_free(cctx);
5731
5732 return testresult;
5733}
5734#endif
5735
5718fe45
MC		 5736static int info_cb_failed = 0;
5737static int info_cb_offset = 0;
5738static int info_cb_this_state = -1;
5739
5740static struct info_cb_states_st {
5741 int where;
5742 const char *statestr;
5743} info_cb_states[][60] = {
5744 {
5745 /* TLSv1.2 server followed by resumption */
5746 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5747 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5748 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
5749 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
5750 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
5751 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5752 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5753 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5754 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
5755 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5756 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
5757 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5758 {SSL_CB_EXIT, NULL}, {0, NULL},
5759 }, {
5760 /* TLSv1.2 client followed by resumption */
5761 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5762 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5763 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
5764 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
5765 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
5766 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5767 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5768 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5769 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5770 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5771 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5772 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
5773 }, {
5774 /* TLSv1.3 server followed by resumption */
5775 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5776 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5777 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
5778 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5779 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b
MC		 5780 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5781 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5782 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5783 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5784 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5785 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
5786 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5787 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 5788 }, {
5789 /* TLSv1.3 client followed by resumption */
5790 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5791 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5792 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
5793 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
5794 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4af5836b
MC		 5795 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5796 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
5797 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5718fe45
MC		 5798 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5799 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5800 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5801 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5802 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4af5836b
MC		 5803 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
5804 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 5805 }, {
5806 /* TLSv1.3 server, early_data */
5807 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5808 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5809 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5810 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5811 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5812 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b 5813 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5718fe45
MC		 5814 {SSL_CB_EXIT, NULL}, {0, NULL},
5815 }, {
5816 /* TLSv1.3 client, early_data */
5817 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5818 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
5819 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5820 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5821 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5822 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
5823 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4af5836b
MC		 5824 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5825 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 5826 }, {
5827 {0, NULL},
5828 }
5829};
5830
5831static void sslapi_info_callback(const SSL *s, int where, int ret)
5832{
5833 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
5834
5835 /* We do not ever expect a connection to fail in this test */
5836 if (!TEST_false(ret == 0)) {
5837 info_cb_failed = 1;
5838 return;
5839 }
5840
5841 /*
5842 * Do some sanity checks. We never expect these things to happen in this
5843 * test
5844 */
5845 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
5846 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
5847 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
5848 info_cb_failed = 1;
5849 return;
5850 }
5851
5852 /* Now check we're in the right state */
5853 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
5854 info_cb_failed = 1;
5855 return;
5856 }
5857 if ((where & SSL_CB_LOOP) != 0
5858 && !TEST_int_eq(strcmp(SSL_state_string(s),
5859 state[info_cb_this_state].statestr), 0)) {
5860 info_cb_failed = 1;
5861 return;
5862 }
033c181b 5863
4af5836b
MC		 5864 /*
5865 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
5866 */
5867 if ((where & SSL_CB_HANDSHAKE_DONE)
5868 && SSL_in_init((SSL *)s) != 0) {
033c181b
MC		 5869 info_cb_failed = 1;
5870 return;
5871 }
5718fe45
MC		 5872}
5873
5874/*
5875 * Test the info callback gets called when we expect it to.
5876 *
5877 * Test 0: TLSv1.2, server
5878 * Test 1: TLSv1.2, client
5879 * Test 2: TLSv1.3, server
5880 * Test 3: TLSv1.3, client
5881 * Test 4: TLSv1.3, server, early_data
5882 * Test 5: TLSv1.3, client, early_data
5883 */
5884static int test_info_callback(int tst)
5885{
5886 SSL_CTX *cctx = NULL, *sctx = NULL;
5887 SSL *clientssl = NULL, *serverssl = NULL;
5888 SSL_SESSION *clntsess = NULL;
5889 int testresult = 0;
5890 int tlsvers;
5891
5892 if (tst < 2) {
1aac20f5
MC		 5893/* We need either ECDHE or DHE for the TLSv1.2 test to work */
5894#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
5895 || !defined(OPENSSL_NO_DH))
5718fe45
MC		 5896 tlsvers = TLS1_2_VERSION;
5897#else
5898 return 1;
5899#endif
5900 } else {
5901#ifndef OPENSSL_NO_TLS1_3
5902 tlsvers = TLS1_3_VERSION;
5903#else
5904 return 1;
5905#endif
5906 }
5907
5908 /* Reset globals */
5909 info_cb_failed = 0;
5910 info_cb_this_state = -1;
5911 info_cb_offset = tst;
5912
6e07834c 5913#ifndef OPENSSL_NO_TLS1_3
5718fe45
MC		 5914 if (tst >= 4) {
5915 SSL_SESSION *sess = NULL;
5916 size_t written, readbytes;
5917 unsigned char buf[80];
5918
5919 /* early_data tests */
5920 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
5921 &serverssl, &sess, 0)))
5922 goto end;
5923
5924 /* We don't actually need this reference */
5925 SSL_SESSION_free(sess);
5926
5927 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
5928 sslapi_info_callback);
5929
5930 /* Write and read some early data and then complete the connection */
5931 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
5932 &written))
5933 || !TEST_size_t_eq(written, strlen(MSG1))
5934 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
5935 sizeof(buf), &readbytes),
5936 SSL_READ_EARLY_DATA_SUCCESS)
5937 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
5938 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5939 SSL_EARLY_DATA_ACCEPTED)
5940 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5941 SSL_ERROR_NONE))
5942 || !TEST_false(info_cb_failed))
5943 goto end;
5944
5945 testresult = 1;
5946 goto end;
5947 }
6e07834c 5948#endif
5718fe45 5949
5e30f2fd 5950 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5718fe45
MC		 5951 TLS_client_method(),
5952 tlsvers, tlsvers, &sctx, &cctx, cert,
5953 privkey)))
5954 goto end;
5955
5956 /*
5957 * For even numbered tests we check the server callbacks. For odd numbers we
5958 * check the client.
5959 */
5960 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
5961 sslapi_info_callback);
5962
5963 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5964 &clientssl, NULL, NULL))
5965 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5966 SSL_ERROR_NONE))
5967 || !TEST_false(info_cb_failed))
5968 goto end;
5969
5970
5971
5972 clntsess = SSL_get1_session(clientssl);
5973 SSL_shutdown(clientssl);
5974 SSL_shutdown(serverssl);
5975 SSL_free(serverssl);
5976 SSL_free(clientssl);
5977 serverssl = clientssl = NULL;
5978
5979 /* Now do a resumption */
5980 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5981 NULL))
5982 || !TEST_true(SSL_set_session(clientssl, clntsess))
5983 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5984 SSL_ERROR_NONE))
5985 || !TEST_true(SSL_session_reused(clientssl))
5986 || !TEST_false(info_cb_failed))
5987 goto end;
5988
5989 testresult = 1;
5990
5991 end:
5992 SSL_free(serverssl);
5993 SSL_free(clientssl);
5994 SSL_SESSION_free(clntsess);
5995 SSL_CTX_free(sctx);
5996 SSL_CTX_free(cctx);
5997 return testresult;
5998}
5999
4a432af8
MC		 6000static int test_ssl_pending(int tst)
6001{
6002 SSL_CTX *cctx = NULL, *sctx = NULL;
6003 SSL *clientssl = NULL, *serverssl = NULL;
6004 int testresult = 0;
6005 char msg[] = "A test message";
6006 char buf[5];
6007 size_t written, readbytes;
6008
6009 if (tst == 0) {
5e30f2fd 6010 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4a432af8 6011 TLS_client_method(),
5c587fb6 6012 TLS1_VERSION, 0,
4a432af8
MC		 6013 &sctx, &cctx, cert, privkey)))
6014 goto end;
6015 } else {
6016#ifndef OPENSSL_NO_DTLS
5e30f2fd 6017 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
4a432af8 6018 DTLS_client_method(),
5c587fb6 6019 DTLS1_VERSION, 0,
4a432af8
MC		 6020 &sctx, &cctx, cert, privkey)))
6021 goto end;
6022#else
6023 return 1;
6024#endif
6025 }
6026
6027 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6028 NULL, NULL))
6029 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6030 SSL_ERROR_NONE)))
6031 goto end;
6032
e8251092
MC		 6033 if (!TEST_int_eq(SSL_pending(clientssl), 0)
6034 || !TEST_false(SSL_has_pending(clientssl))
6035 || !TEST_int_eq(SSL_pending(serverssl), 0)
6036 || !TEST_false(SSL_has_pending(serverssl))
6037 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4a432af8
MC		 6038 || !TEST_size_t_eq(written, sizeof(msg))
6039 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
6040 || !TEST_size_t_eq(readbytes, sizeof(buf))
e8251092
MC		 6041 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
6042 || !TEST_true(SSL_has_pending(clientssl)))
4a432af8
MC		 6043 goto end;
6044
6045 testresult = 1;
6046
6047 end:
6048 SSL_free(serverssl);
6049 SSL_free(clientssl);
6050 SSL_CTX_free(sctx);
6051 SSL_CTX_free(cctx);
6052
6053 return testresult;
6054}
6055
e401389a
MC		 6056static struct {
6057 unsigned int maxprot;
6058 const char *clntciphers;
6059 const char *clnttls13ciphers;
6060 const char *srvrciphers;
6061 const char *srvrtls13ciphers;
6062 const char *shared;
6063} shared_ciphers_data[] = {
60155b9a
MC		 6064/*
6065 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
6066 * TLSv1.3 is enabled but TLSv1.2 is disabled.
6067 */
6068#if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
e401389a
MC		 6069 {
6070 TLS1_2_VERSION,
6071 "AES128-SHA:AES256-SHA",
6072 NULL,
6073 "AES256-SHA:DHE-RSA-AES128-SHA",
6074 NULL,
6075 "AES256-SHA"
6076 },
6077 {
6078 TLS1_2_VERSION,
6079 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
6080 NULL,
6081 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
6082 NULL,
6083 "AES128-SHA:AES256-SHA"
6084 },
6085 {
6086 TLS1_2_VERSION,
6087 "AES128-SHA:AES256-SHA",
6088 NULL,
6089 "AES128-SHA:DHE-RSA-AES128-SHA",
6090 NULL,
6091 "AES128-SHA"
6092 },
60155b9a
MC		 6093#endif
6094/*
6095 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
6096 * enabled.
6097 */
6098#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
6099 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e401389a
MC		 6100 {
6101 TLS1_3_VERSION,
6102 "AES128-SHA:AES256-SHA",
6103 NULL,
6104 "AES256-SHA:AES128-SHA256",
6105 NULL,
6106 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
6107 "TLS_AES_128_GCM_SHA256:AES256-SHA"
6108 },
60155b9a
MC		 6109#endif
6110#ifndef OPENSSL_NO_TLS1_3
e401389a
MC		 6111 {
6112 TLS1_3_VERSION,
6113 "AES128-SHA",
6114 "TLS_AES_256_GCM_SHA384",
6115 "AES256-SHA",
6116 "TLS_AES_256_GCM_SHA384",
6117 "TLS_AES_256_GCM_SHA384"
6118 },
6119#endif
6120};
6121
6122static int test_ssl_get_shared_ciphers(int tst)
6123{
6124 SSL_CTX *cctx = NULL, *sctx = NULL;
6125 SSL *clientssl = NULL, *serverssl = NULL;
6126 int testresult = 0;
6127 char buf[1024];
6128
5e30f2fd 6129 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
e401389a
MC		 6130 TLS_client_method(),
6131 TLS1_VERSION,
6132 shared_ciphers_data[tst].maxprot,
6133 &sctx, &cctx, cert, privkey)))
6134 goto end;
6135
6136 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
6137 shared_ciphers_data[tst].clntciphers))
6138 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
6139 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
6140 shared_ciphers_data[tst].clnttls13ciphers)))
6141 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
6142 shared_ciphers_data[tst].srvrciphers))
6143 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
6144 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
6145 shared_ciphers_data[tst].srvrtls13ciphers))))
6146 goto end;
6147
6148
6149 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6150 NULL, NULL))
6151 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6152 SSL_ERROR_NONE)))
6153 goto end;
6154
6155 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
6156 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
6157 TEST_info("Shared ciphers are: %s\n", buf);
6158 goto end;
6159 }
6160
6161 testresult = 1;
6162
6163 end:
6164 SSL_free(serverssl);
6165 SSL_free(clientssl);
6166 SSL_CTX_free(sctx);
6167 SSL_CTX_free(cctx);
6168
6169 return testresult;
6170}
6171
d0191fe0 6172static const char *appdata = "Hello World";
61fb5923
MC		 6173static int gen_tick_called, dec_tick_called, tick_key_cb_called;
6174static int tick_key_renew = 0;
6175static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
d0191fe0
MC		 6176
6177static int gen_tick_cb(SSL *s, void *arg)
6178{
6179 gen_tick_called = 1;
6180
6181 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
6182 strlen(appdata));
6183}
6184
6185static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
6186 const unsigned char *keyname,
6187 size_t keyname_length,
61fb5923
MC		 6188 SSL_TICKET_STATUS status,
6189 void *arg)
d0191fe0
MC		 6190{
6191 void *tickdata;
6192 size_t tickdlen;
6193
6194 dec_tick_called = 1;
6195
61fb5923
MC		 6196 if (status == SSL_TICKET_EMPTY)
6197 return SSL_TICKET_RETURN_IGNORE_RENEW;
d0191fe0 6198
61fb5923
MC		 6199 if (!TEST_true(status == SSL_TICKET_SUCCESS
6200 || status == SSL_TICKET_SUCCESS_RENEW))
6201 return SSL_TICKET_RETURN_ABORT;
6202
6203 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
6204 &tickdlen))
d0191fe0
MC		 6205 || !TEST_size_t_eq(tickdlen, strlen(appdata))
6206 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
61fb5923 6207 return SSL_TICKET_RETURN_ABORT;
d0191fe0 6208
61fb5923
MC		 6209 if (tick_key_cb_called) {
6210 /* Don't change what the ticket key callback wanted to do */
6211 switch (status) {
6212 case SSL_TICKET_NO_DECRYPT:
6213 return SSL_TICKET_RETURN_IGNORE_RENEW;
6214
6215 case SSL_TICKET_SUCCESS:
6216 return SSL_TICKET_RETURN_USE;
d0191fe0 6217
61fb5923
MC		 6218 case SSL_TICKET_SUCCESS_RENEW:
6219 return SSL_TICKET_RETURN_USE_RENEW;
6220
6221 default:
6222 return SSL_TICKET_RETURN_ABORT;
6223 }
6224 }
6225 return tick_dec_ret;
6226
6227}
d0191fe0 6228
a76ce286 6229#ifndef OPENSSL_NO_DEPRECATED_3_0
d0191fe0
MC		 6230static int tick_key_cb(SSL *s, unsigned char key_name[16],
6231 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
6232 HMAC_CTX *hctx, int enc)
6233{
6234 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6235 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
5e30f2fd
MC		 6236 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6237 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
6238 int ret;
d0191fe0 6239
61fb5923 6240 tick_key_cb_called = 1;
d0191fe0
MC		 6241 memset(iv, 0, AES_BLOCK_SIZE);
6242 memset(key_name, 0, 16);
5e30f2fd
MC		 6243 if (aes128cbc == NULL
6244 || sha256 == NULL
6245 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6246 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
6247 NULL))
6248 ret = -1;
6249 else
6250 ret = tick_key_renew ? 2 : 1;
d0191fe0 6251
5e30f2fd
MC		 6252 EVP_CIPHER_free(aes128cbc);
6253 EVP_MD_free(sha256);
6254
6255 return ret;
d0191fe0 6256}
a76ce286
P		 6257#endif
6258
6259static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
6260 unsigned char iv[EVP_MAX_IV_LENGTH],
6261 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
6262{
6263 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6264 unsigned char tick_hmac_key[16] = "0123456789abcdef";
6265 OSSL_PARAM params[3];
5e30f2fd
MC		 6266 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6267 int ret;
a76ce286
P		 6268
6269 tick_key_cb_called = 1;
6270 memset(iv, 0, AES_BLOCK_SIZE);
6271 memset(key_name, 0, 16);
6272 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
6273 "SHA256", 0);
6274 params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
6275 tick_hmac_key,
6276 sizeof(tick_hmac_key));
6277 params[2] = OSSL_PARAM_construct_end();
5e30f2fd
MC		 6278 if (aes128cbc == NULL
6279 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
a76ce286
P		 6280 || !EVP_MAC_CTX_set_params(hctx, params)
6281 || !EVP_MAC_init(hctx))
5e30f2fd
MC		 6282 ret = -1;
6283 else
6284 ret = tick_key_renew ? 2 : 1;
6285
6286 EVP_CIPHER_free(aes128cbc);
a76ce286 6287
5e30f2fd 6288 return ret;
a76ce286 6289}
d0191fe0
MC		 6290
6291/*
6292 * Test the various ticket callbacks
61fb5923
MC		 6293 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
6294 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
6295 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
6296 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
6297 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
6298 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
6299 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
6300 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
a76ce286
P		 6301 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
6302 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
6303 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
6304 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
6305 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
6306 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
6307 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
6308 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
d0191fe0
MC		 6309 */
6310static int test_ticket_callbacks(int tst)
6311{
6312 SSL_CTX *cctx = NULL, *sctx = NULL;
6313 SSL *clientssl = NULL, *serverssl = NULL;
6314 SSL_SESSION *clntsess = NULL;
6315 int testresult = 0;
6316
6317#ifdef OPENSSL_NO_TLS1_2
ba8b48e9 6318 if (tst % 2 == 0)
d0191fe0
MC		 6319 return 1;
6320#endif
6321#ifdef OPENSSL_NO_TLS1_3
ba8b48e9 6322 if (tst % 2 == 1)
d0191fe0
MC		 6323 return 1;
6324#endif
a76ce286
P		 6325#ifdef OPENSSL_NO_DEPRECATED_3_0
6326 if (tst >= 8 && tst <= 11)
6327 return 1;
6328#endif
d0191fe0 6329
61fb5923 6330 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
d0191fe0
MC		 6331
6332 /* Which tests the ticket key callback should request renewal for */
a76ce286 6333 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
61fb5923 6334 tick_key_renew = 1;
d0191fe0 6335 else
61fb5923
MC		 6336 tick_key_renew = 0;
6337
6338 /* Which tests the decrypt ticket callback should request renewal for */
6339 switch (tst) {
6340 case 0:
6341 case 1:
6342 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6343 break;
6344
6345 case 2:
6346 case 3:
6347 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
6348 break;
6349
6350 case 4:
6351 case 5:
6352 tick_dec_ret = SSL_TICKET_RETURN_USE;
6353 break;
6354
6355 case 6:
6356 case 7:
6357 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
6358 break;
6359
6360 default:
6361 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6362 }
d0191fe0 6363
5e30f2fd 6364 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
d0191fe0
MC		 6365 TLS_client_method(),
6366 TLS1_VERSION,
61fb5923
MC		 6367 ((tst % 2) == 0) ? TLS1_2_VERSION
6368 : TLS1_3_VERSION,
d0191fe0
MC		 6369 &sctx, &cctx, cert, privkey)))
6370 goto end;
6371
61fb5923
MC		 6372 /*
6373 * We only want sessions to resume from tickets - not the session cache. So
6374 * switch the cache off.
6375 */
6376 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
6377 goto end;
6378
d0191fe0
MC		 6379 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
6380 NULL)))
6381 goto end;
6382
a76ce286
P		 6383 if (tst >= 12) {
6384 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
6385 goto end;
6386#ifndef OPENSSL_NO_DEPRECATED_3_0
6387 } else if (tst >= 8) {
6388 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
6389 goto end;
6390#endif
6391 }
d0191fe0
MC		 6392
6393 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6394 NULL, NULL))
6395 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6396 SSL_ERROR_NONE)))
6397 goto end;
6398
61fb5923
MC		 6399 /*
6400 * The decrypt ticket key callback in TLSv1.2 should be called even though
6401 * we have no ticket yet, because it gets called with a status of
6402 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
6403 * actually send any ticket data). This does not happen in TLSv1.3 because
6404 * it is not valid to send empty ticket data in TLSv1.3.
6405 */
d0191fe0 6406 if (!TEST_int_eq(gen_tick_called, 1)
61fb5923 6407 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
d0191fe0
MC		 6408 goto end;
6409
6410 gen_tick_called = dec_tick_called = 0;
6411
6412 clntsess = SSL_get1_session(clientssl);
6413 SSL_shutdown(clientssl);
6414 SSL_shutdown(serverssl);
6415 SSL_free(serverssl);
6416 SSL_free(clientssl);
6417 serverssl = clientssl = NULL;
6418
6419 /* Now do a resumption */
6420 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6421 NULL))
6422 || !TEST_true(SSL_set_session(clientssl, clntsess))
6423 || !TEST_true(create_ssl_connection(serverssl, clientssl,
61fb5923 6424 SSL_ERROR_NONE)))
d0191fe0
MC		 6425 goto end;
6426
61fb5923
MC		 6427 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
6428 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
6429 if (!TEST_false(SSL_session_reused(clientssl)))
6430 goto end;
6431 } else {
6432 if (!TEST_true(SSL_session_reused(clientssl)))
6433 goto end;
6434 }
6435
d0191fe0 6436 if (!TEST_int_eq(gen_tick_called,
61fb5923
MC		 6437 (tick_key_renew
6438 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
6439 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
6440 ? 1 : 0)
d0191fe0
MC		 6441 || !TEST_int_eq(dec_tick_called, 1))
6442 goto end;
6443
6444 testresult = 1;
6445
6446 end:
6447 SSL_SESSION_free(clntsess);
6448 SSL_free(serverssl);
6449 SSL_free(clientssl);
6450 SSL_CTX_free(sctx);
6451 SSL_CTX_free(cctx);
6452
6453 return testresult;
6454}
6455
c748834f
MC		 6456/*
6457 * Test bi-directional shutdown.
6458 * Test 0: TLSv1.2
6459 * Test 1: TLSv1.2, server continues to read/write after client shutdown
6460 * Test 2: TLSv1.3, no pending NewSessionTicket messages
6461 * Test 3: TLSv1.3, pending NewSessionTicket messages
80eff008
KR		 6462 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
6463 * sends key update, client reads it
57d7b988
MC		 6464 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
6465 * sends CertificateRequest, client reads and ignores it
6466 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
c748834f
MC		 6467 * doesn't read it
6468 */
6469static int test_shutdown(int tst)
6470{
6471 SSL_CTX *cctx = NULL, *sctx = NULL;
6472 SSL *clientssl = NULL, *serverssl = NULL;
6473 int testresult = 0;
6474 char msg[] = "A test message";
6475 char buf[80];
6476 size_t written, readbytes;
80eff008 6477 SSL_SESSION *sess;
c748834f
MC		 6478
6479#ifdef OPENSSL_NO_TLS1_2
a97d19f7 6480 if (tst <= 1)
c748834f
MC		 6481 return 1;
6482#endif
6483#ifdef OPENSSL_NO_TLS1_3
a97d19f7 6484 if (tst >= 2)
c748834f
MC		 6485 return 1;
6486#endif
6487
5e30f2fd 6488 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
c748834f
MC		 6489 TLS_client_method(),
6490 TLS1_VERSION,
6491 (tst <= 1) ? TLS1_2_VERSION
6492 : TLS1_3_VERSION,
57d7b988
MC		 6493 &sctx, &cctx, cert, privkey)))
6494 goto end;
6495
6496 if (tst == 5)
6497 SSL_CTX_set_post_handshake_auth(cctx, 1);
6498
6499 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
c748834f
MC		 6500 NULL, NULL)))
6501 goto end;
6502
6503 if (tst == 3) {
6504 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
80c455d5 6505 SSL_ERROR_NONE, 1))
80eff008
KR		 6506 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6507 || !TEST_false(SSL_SESSION_is_resumable(sess)))
c748834f
MC		 6508 goto end;
6509 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
80eff008
KR		 6510 SSL_ERROR_NONE))
6511 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6512 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
c748834f
MC		 6513 goto end;
6514 }
6515
6516 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
6517 goto end;
6518
6519 if (tst >= 4) {
6520 /*
6521 * Reading on the server after the client has sent close_notify should
6522 * fail and provide SSL_ERROR_ZERO_RETURN
6523 */
6524 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
6525 || !TEST_int_eq(SSL_get_error(serverssl, 0),
6526 SSL_ERROR_ZERO_RETURN)
6527 || !TEST_int_eq(SSL_get_shutdown(serverssl),
6528 SSL_RECEIVED_SHUTDOWN)
6529 /*
6530 * Even though we're shutdown on receive we should still be
6531 * able to write.
6532 */
80eff008
KR		 6533 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6534 goto end;
57d7b988
MC		 6535 if (tst == 4
6536 && !TEST_true(SSL_key_update(serverssl,
6537 SSL_KEY_UPDATE_REQUESTED)))
6538 goto end;
6539 if (tst == 5) {
6540 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6541 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6542 goto end;
6543 }
6544 if ((tst == 4 || tst == 5)
6545 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
80eff008
KR		 6546 goto end;
6547 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
c748834f 6548 goto end;
57d7b988 6549 if (tst == 4 || tst == 5) {
80eff008 6550 /* Should still be able to read data from server */
c748834f 6551 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
80eff008
KR		 6552 &readbytes))
6553 || !TEST_size_t_eq(readbytes, sizeof(msg))
6554 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
6555 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6556 &readbytes))
c748834f
MC		 6557 || !TEST_size_t_eq(readbytes, sizeof(msg))
6558 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
6559 goto end;
6560 }
6561 }
6562
6563 /* Writing on the client after sending close_notify shouldn't be possible */
ba709049 6564 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
c748834f
MC		 6565 goto end;
6566
6567 if (tst < 4) {
6568 /*
6569 * For these tests the client has sent close_notify but it has not yet
6570 * been received by the server. The server has not sent close_notify
6571 * yet.
6572 */
6573 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
ba709049
MC		 6574 /*
6575 * Writing on the server after sending close_notify shouldn't
6576 * be possible.
6577 */
6578 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
c748834f 6579 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
80eff008
KR		 6580 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6581 || !TEST_true(SSL_SESSION_is_resumable(sess))
c748834f
MC		 6582 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
6583 goto end;
57d7b988 6584 } else if (tst == 4 || tst == 5) {
c748834f
MC		 6585 /*
6586 * In this test the client has sent close_notify and it has been
6587 * received by the server which has responded with a close_notify. The
358ffa05 6588 * client needs to read the close_notify sent by the server.
c748834f 6589 */
80eff008
KR		 6590 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
6591 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6592 || !TEST_true(SSL_SESSION_is_resumable(sess)))
c748834f 6593 goto end;
358ffa05
MC		 6594 } else {
6595 /*
57d7b988 6596 * tst == 6
358ffa05
MC		 6597 *
6598 * The client has sent close_notify and is expecting a close_notify
6599 * back, but instead there is application data first. The shutdown
6600 * should fail with a fatal error.
6601 */
6602 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
6603 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
6604 goto end;
c748834f
MC		 6605 }
6606
6607 testresult = 1;
6608
6609 end:
6610 SSL_free(serverssl);
6611 SSL_free(clientssl);
6612 SSL_CTX_free(sctx);
6613 SSL_CTX_free(cctx);
6614
6615 return testresult;
6616}
6617
7f1d923a 6618#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
cd6fe29f
MC		 6619static int cert_cb_cnt;
6620
6621static int cert_cb(SSL *s, void *arg)
6622{
6623 SSL_CTX *ctx = (SSL_CTX *)arg;
7cb8fb07
BK		 6624 BIO *in = NULL;
6625 EVP_PKEY *pkey = NULL;
1a2a3a42
MC		 6626 X509 *x509 = NULL, *rootx = NULL;
6627 STACK_OF(X509) *chain = NULL;
6628 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
6629 int ret = 0;
cd6fe29f
MC		 6630
6631 if (cert_cb_cnt == 0) {
6632 /* Suspend the handshake */
6633 cert_cb_cnt++;
6634 return -1;
6635 } else if (cert_cb_cnt == 1) {
6636 /*
6637 * Update the SSL_CTX, set the certificate and private key and then
6638 * continue the handshake normally.
6639 */
6640 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
6641 return 0;
6642
6643 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
6644 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
6645 SSL_FILETYPE_PEM))
6646 || !TEST_true(SSL_check_private_key(s)))
6647 return 0;
6648 cert_cb_cnt++;
6649 return 1;
7cb8fb07
BK		 6650 } else if (cert_cb_cnt == 3) {
6651 int rv;
1a2a3a42
MC		 6652
6653 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
6654 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
6655 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
6656 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
6657 goto out;
6658 chain = sk_X509_new_null();
6659 if (!TEST_ptr(chain))
6660 goto out;
7cb8fb07 6661 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
1a2a3a42
MC		 6662 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
6663 || !TEST_ptr(rootx = PEM_read_bio_X509(in, NULL, NULL, NULL))
6664 || !TEST_true(sk_X509_push(chain, rootx)))
6665 goto out;
6666 rootx = NULL;
6667 BIO_free(in);
6668 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6669 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
7cb8fb07
BK		 6670 || !TEST_ptr(x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
6671 goto out;
6672 BIO_free(in);
6673 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
1a2a3a42 6674 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
7cb8fb07
BK		 6675 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)))
6676 goto out;
1a2a3a42 6677 rv = SSL_check_chain(s, x509, pkey, chain);
7cb8fb07
BK		 6678 /*
6679 * If the cert doesn't show as valid here (e.g., because we don't
6680 * have any shared sigalgs), then we will not set it, and there will
6681 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
6682 * will cause tls_choose_sigalgs() to fail the connection.
6683 */
1a2a3a42
MC		 6684 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
6685 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7cb8fb07
BK		 6686 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
6687 goto out;
6688 }
1a2a3a42
MC		 6689
6690 ret = 1;
cd6fe29f
MC		 6691 }
6692
6693 /* Abort the handshake */
7cb8fb07 6694 out:
1a2a3a42
MC		 6695 OPENSSL_free(ecdsacert);
6696 OPENSSL_free(ecdsakey);
6697 OPENSSL_free(rootfile);
7cb8fb07
BK		 6698 BIO_free(in);
6699 EVP_PKEY_free(pkey);
6700 X509_free(x509);
1a2a3a42
MC		 6701 X509_free(rootx);
6702 sk_X509_pop_free(chain, X509_free);
6703 return ret;
cd6fe29f
MC		 6704}
6705
6706/*
6707 * Test the certificate callback.
6708 * Test 0: Callback fails
6709 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
6710 * Test 2: Success - SSL_set_SSL_CTX() in the callback
1a2a3a42
MC		 6711 * Test 3: Success - Call SSL_check_chain from the callback
6712 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
6713 * chain
6714 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
cd6fe29f
MC		 6715 */
6716static int test_cert_cb_int(int prot, int tst)
6717{
6718 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
6719 SSL *clientssl = NULL, *serverssl = NULL;
6720 int testresult = 0, ret;
6721
1a2a3a42
MC		 6722#ifdef OPENSSL_NO_EC
6723 /* We use an EC cert in these tests, so we skip in a no-ec build */
6724 if (tst >= 3)
6725 return 1;
6726#endif
6727
5e30f2fd 6728 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
cd6fe29f
MC		 6729 TLS_client_method(),
6730 TLS1_VERSION,
6731 prot,
6732 &sctx, &cctx, NULL, NULL)))
6733 goto end;
6734
6735 if (tst == 0)
6736 cert_cb_cnt = -1;
1a2a3a42 6737 else if (tst >= 3)
7cb8fb07 6738 cert_cb_cnt = 3;
cd6fe29f
MC		 6739 else
6740 cert_cb_cnt = 0;
1a2a3a42 6741
cd6fe29f
MC		 6742 if (tst == 2)
6743 snictx = SSL_CTX_new(TLS_server_method());
6744 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
6745
6746 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6747 NULL, NULL)))
6748 goto end;
6749
1a2a3a42
MC		 6750 if (tst == 4) {
6751 /*
6752 * We cause SSL_check_chain() to fail by specifying sig_algs that
6753 * the chain doesn't meet (the root uses an RSA cert)
6754 */
6755 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6756 "ecdsa_secp256r1_sha256")))
6757 goto end;
6758 } else if (tst == 5) {
6759 /*
6760 * We cause SSL_check_chain() to fail by specifying sig_algs that
6761 * the ee cert doesn't meet (the ee uses an ECDSA cert)
6762 */
6763 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6764 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
6765 goto end;
6766 }
6767
cd6fe29f 6768 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
1a2a3a42 6769 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7cb8fb07
BK		 6770 || (tst > 0
6771 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
cd6fe29f
MC		 6772 goto end;
6773 }
6774
6775 testresult = 1;
6776
6777 end:
6778 SSL_free(serverssl);
6779 SSL_free(clientssl);
6780 SSL_CTX_free(sctx);
6781 SSL_CTX_free(cctx);
6782 SSL_CTX_free(snictx);
6783
6784 return testresult;
6785}
7f1d923a 6786#endif
cd6fe29f
MC		 6787
6788static int test_cert_cb(int tst)
6789{
6790 int testresult = 1;
6791
6792#ifndef OPENSSL_NO_TLS1_2
6793 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
6794#endif
7f1d923a 6795#ifndef OPENSSL_NO_TLS1_3
cd6fe29f
MC		 6796 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
6797#endif
6798
6799 return testresult;
6800}
6801
6e46c065
MC		 6802static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
6803{
6804 X509 *xcert, *peer;
6805 EVP_PKEY *privpkey;
6806 BIO *in = NULL;
6807
6808 /* Check that SSL_get_peer_certificate() returns something sensible */
6809 peer = SSL_get_peer_certificate(ssl);
6810 if (!TEST_ptr(peer))
6811 return 0;
6812 X509_free(peer);
6813
6814 in = BIO_new_file(cert, "r");
6815 if (!TEST_ptr(in))
6816 return 0;
6817
6818 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
6819 BIO_free(in);
6820 if (!TEST_ptr(xcert))
6821 return 0;
6822
6823 in = BIO_new_file(privkey, "r");
6824 if (!TEST_ptr(in)) {
6825 X509_free(xcert);
6826 return 0;
6827 }
6828
6829 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
6830 BIO_free(in);
6831 if (!TEST_ptr(privpkey)) {
6832 X509_free(xcert);
6833 return 0;
6834 }
6835
6836 *x509 = xcert;
6837 *pkey = privpkey;
6838
6839 return 1;
6840}
6841
6842static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
6843{
6844 return 1;
6845}
6846
6847static int test_client_cert_cb(int tst)
6848{
6849 SSL_CTX *cctx = NULL, *sctx = NULL;
6850 SSL *clientssl = NULL, *serverssl = NULL;
6851 int testresult = 0;
6852
6853#ifdef OPENSSL_NO_TLS1_2
6854 if (tst == 0)
6855 return 1;
6856#endif
6857#ifdef OPENSSL_NO_TLS1_3
6858 if (tst == 1)
6859 return 1;
6860#endif
6861
5e30f2fd 6862 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6e46c065
MC		 6863 TLS_client_method(),
6864 TLS1_VERSION,
6865 tst == 0 ? TLS1_2_VERSION
6866 : TLS1_3_VERSION,
6867 &sctx, &cctx, cert, privkey)))
6868 goto end;
6869
6870 /*
6871 * Test that setting a client_cert_cb results in a client certificate being
6872 * sent.
6873 */
6874 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
6875 SSL_CTX_set_verify(sctx,
6876 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
6877 verify_cb);
fb8c8359
MC		 6878
6879 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6880 NULL, NULL))
6881 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6882 SSL_ERROR_NONE)))
6883 goto end;
6884
6885 testresult = 1;
6886
6887 end:
6888 SSL_free(serverssl);
6889 SSL_free(clientssl);
6890 SSL_CTX_free(sctx);
6891 SSL_CTX_free(cctx);
6892
6893 return testresult;
6894}
6895
6896#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6897/*
6898 * Test setting certificate authorities on both client and server.
6899 *
6900 * Test 0: SSL_CTX_set0_CA_list() only
6901 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
6902 * Test 2: Only SSL_CTX_set_client_CA_list()
6903 */
6904static int test_ca_names_int(int prot, int tst)
6905{
6906 SSL_CTX *cctx = NULL, *sctx = NULL;
6907 SSL *clientssl = NULL, *serverssl = NULL;
6908 int testresult = 0;
6909 size_t i;
6910 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
6911 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
6912 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
6913 const STACK_OF(X509_NAME) *sktmp = NULL;
6914
6915 for (i = 0; i < OSSL_NELEM(name); i++) {
6916 name[i] = X509_NAME_new();
6917 if (!TEST_ptr(name[i])
6918 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
6919 MBSTRING_ASC,
6920 (unsigned char *)
6921 strnames[i],
6922 -1, -1, 0)))
6923 goto end;
6924 }
6925
5e30f2fd 6926 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fb8c8359
MC		 6927 TLS_client_method(),
6928 TLS1_VERSION,
6929 prot,
6930 &sctx, &cctx, cert, privkey)))
6931 goto end;
6932
6933 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
6934
6935 if (tst == 0 || tst == 1) {
6936 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6937 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
6938 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
6939 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6940 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
6941 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
6942 goto end;
6943
6944 SSL_CTX_set0_CA_list(sctx, sk1);
6945 SSL_CTX_set0_CA_list(cctx, sk2);
6946 sk1 = sk2 = NULL;
6947 }
6948 if (tst == 1 || tst == 2) {
6949 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6950 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
6951 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
6952 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6953 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
6954 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
6955 goto end;
6956
6957 SSL_CTX_set_client_CA_list(sctx, sk1);
6958 SSL_CTX_set_client_CA_list(cctx, sk2);
6959 sk1 = sk2 = NULL;
6960 }
6961
6e46c065
MC		 6962 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6963 NULL, NULL))
6964 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6965 SSL_ERROR_NONE)))
6966 goto end;
6967
fb8c8359
MC		 6968 /*
6969 * We only expect certificate authorities to have been sent to the server
6970 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
6971 */
6972 sktmp = SSL_get0_peer_CA_list(serverssl);
6973 if (prot == TLS1_3_VERSION
6974 && (tst == 0 || tst == 1)) {
6975 if (!TEST_ptr(sktmp)
6976 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6977 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6978 name[0]), 0)
6979 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6980 name[1]), 0))
6981 goto end;
6982 } else if (!TEST_ptr_null(sktmp)) {
6983 goto end;
6984 }
6985
6986 /*
6987 * In all tests we expect certificate authorities to have been sent to the
6988 * client. However, SSL_set_client_CA_list() should override
6989 * SSL_set0_CA_list()
6990 */
6991 sktmp = SSL_get0_peer_CA_list(clientssl);
6992 if (!TEST_ptr(sktmp)
6993 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6994 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6995 name[tst == 0 ? 0 : 2]), 0)
6996 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6997 name[tst == 0 ? 1 : 3]), 0))
6998 goto end;
6999
6e46c065
MC		 7000 testresult = 1;
7001
7002 end:
7003 SSL_free(serverssl);
7004 SSL_free(clientssl);
7005 SSL_CTX_free(sctx);
7006 SSL_CTX_free(cctx);
fb8c8359
MC		 7007 for (i = 0; i < OSSL_NELEM(name); i++)
7008 X509_NAME_free(name[i]);
7009 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
7010 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
7011
7012 return testresult;
7013}
7014#endif
7015
7016static int test_ca_names(int tst)
7017{
7018 int testresult = 1;
7019
7020#ifndef OPENSSL_NO_TLS1_2
7021 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
7022#endif
7023#ifndef OPENSSL_NO_TLS1_3
7024 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
7025#endif
6e46c065
MC		 7026
7027 return testresult;
7028}
7029
0d2bfe52
SL		 7030#ifndef OPENSSL_NO_TLS1_2
7031static const char *multiblock_cipherlist_data[]=
7032{
7033 "AES128-SHA",
7034 "AES128-SHA256",
7035 "AES256-SHA",
7036 "AES256-SHA256",
7037};
7038
7039/* Reduce the fragment size - so the multiblock test buffer can be small */
7040# define MULTIBLOCK_FRAGSIZE 512
7041
7042static int test_multiblock_write(int test_index)
7043{
7044 static const char *fetchable_ciphers[]=
7045 {
7046 "AES-128-CBC-HMAC-SHA1",
7047 "AES-128-CBC-HMAC-SHA256",
7048 "AES-256-CBC-HMAC-SHA1",
7049 "AES-256-CBC-HMAC-SHA256"
7050 };
7051 const char *cipherlist = multiblock_cipherlist_data[test_index];
7052 const SSL_METHOD *smeth = TLS_server_method();
7053 const SSL_METHOD *cmeth = TLS_client_method();
7054 int min_version = TLS1_VERSION;
7055 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
7056 SSL_CTX *cctx = NULL, *sctx = NULL;
7057 SSL *clientssl = NULL, *serverssl = NULL;
7058 int testresult = 0;
7059
7060 /*
7061 * Choose a buffer large enough to perform a multi-block operation
7062 * i.e: write_len >= 4 * frag_size
7063 * 9 * is chosen so that multiple multiblocks are used + some leftover.
7064 */
7065 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
7066 unsigned char buf[sizeof(msg)], *p = buf;
7067 size_t readbytes, written, len;
7068 EVP_CIPHER *ciph = NULL;
7069
7070 /*
7071 * Check if the cipher exists before attempting to use it since it only has
7072 * a hardware specific implementation.
7073 */
7074 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
7075 if (ciph == NULL) {
7076 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
7077 return 1;
7078 }
7079 EVP_CIPHER_free(ciph);
7080
7081 /* Set up a buffer with some data that will be sent to the client */
7082 RAND_bytes(msg, sizeof(msg));
7083
5e30f2fd
MC		 7084 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
7085 max_version, &sctx, &cctx, cert,
7086 privkey)))
0d2bfe52
SL		 7087 goto end;
7088
7089 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
7090 goto end;
7091
7092 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7093 NULL, NULL)))
7094 goto end;
7095
7096 /* settings to force it to use AES-CBC-HMAC_SHA */
7097 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
7098 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
7099 goto end;
7100
7101 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7102 goto end;
7103
7104 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7105 || !TEST_size_t_eq(written, sizeof(msg)))
7106 goto end;
7107
7108 len = written;
7109 while (len > 0) {
7110 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
7111 goto end;
7112 p += readbytes;
7113 len -= readbytes;
7114 }
7115 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
7116 goto end;
7117
7118 testresult = 1;
7119end:
7120 SSL_free(serverssl);
7121 SSL_free(clientssl);
7122 SSL_CTX_free(sctx);
7123 SSL_CTX_free(cctx);
7124
7125 return testresult;
7126}
7127#endif /* OPENSSL_NO_TLS1_2 */
a43ce58f 7128
49ef3d07
MC		 7129/*
7130 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
7131 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
7132 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
7133 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
7134 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
7135 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
7136 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
7137 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
7138 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
7139 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
7140 */
7141static int test_servername(int tst)
7142{
7143 SSL_CTX *cctx = NULL, *sctx = NULL;
7144 SSL *clientssl = NULL, *serverssl = NULL;
7145 int testresult = 0;
7146 SSL_SESSION *sess = NULL;
7147 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
7148
7149#ifdef OPENSSL_NO_TLS1_2
7150 if (tst <= 4)
7151 return 1;
7152#endif
7153#ifdef OPENSSL_NO_TLS1_3
7154 if (tst >= 5)
7155 return 1;
7156#endif
7157
5e30f2fd 7158 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
49ef3d07
MC		 7159 TLS_client_method(),
7160 TLS1_VERSION,
7161 (tst <= 4) ? TLS1_2_VERSION
7162 : TLS1_3_VERSION,
7163 &sctx, &cctx, cert, privkey))
7164 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7165 NULL, NULL)))
7166 goto end;
7167
7168 if (tst != 1 && tst != 6) {
7169 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
7170 hostname_cb)))
7171 goto end;
7172 }
7173
7174 if (tst != 3 && tst != 8) {
7175 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7176 goto end;
7177 sexpectedhost = cexpectedhost = "goodhost";
7178 }
7179
7180 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7181 goto end;
7182
7183 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
7184 cexpectedhost)
7185 || !TEST_str_eq(SSL_get_servername(serverssl,
7186 TLSEXT_NAMETYPE_host_name),
7187 sexpectedhost))
7188 goto end;
7189
7190 /* Now repeat with a resumption handshake */
7191
7192 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
7193 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
7194 || !TEST_true(SSL_SESSION_is_resumable(sess))
7195 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
7196 goto end;
7197
7198 SSL_free(clientssl);
7199 SSL_free(serverssl);
7200 clientssl = serverssl = NULL;
7201
7202 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7203 NULL)))
7204 goto end;
7205
7206 if (!TEST_true(SSL_set_session(clientssl, sess)))
7207 goto end;
7208
7209 sexpectedhost = cexpectedhost = "goodhost";
7210 if (tst == 2 || tst == 7) {
7211 /* Set an inconsistent hostname */
7212 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
7213 goto end;
7214 /*
7215 * In TLSv1.2 we expect the hostname from the original handshake, in
7216 * TLSv1.3 we expect the hostname from this handshake
7217 */
7218 if (tst == 7)
7219 sexpectedhost = cexpectedhost = "altgoodhost";
7220
7221 if (!TEST_str_eq(SSL_get_servername(clientssl,
7222 TLSEXT_NAMETYPE_host_name),
7223 "altgoodhost"))
7224 goto end;
7225 } else if (tst == 4 || tst == 9) {
7226 /*
7227 * A TLSv1.3 session does not associate a session with a servername,
7228 * but a TLSv1.2 session does.
7229 */
7230 if (tst == 9)
7231 sexpectedhost = cexpectedhost = NULL;
7232
7233 if (!TEST_str_eq(SSL_get_servername(clientssl,
7234 TLSEXT_NAMETYPE_host_name),
7235 cexpectedhost))
7236 goto end;
7237 } else {
7238 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7239 goto end;
7240 /*
7241 * In a TLSv1.2 resumption where the hostname was not acknowledged
7242 * we expect the hostname on the server to be empty. On the client we
7243 * return what was requested in this case.
7244 *
7245 * Similarly if the client didn't set a hostname on an original TLSv1.2
7246 * session but is now, the server hostname will be empty, but the client
7247 * is as we set it.
7248 */
7249 if (tst == 1 || tst == 3)
7250 sexpectedhost = NULL;
7251
7252 if (!TEST_str_eq(SSL_get_servername(clientssl,
7253 TLSEXT_NAMETYPE_host_name),
7254 "goodhost"))
7255 goto end;
7256 }
7257
7258 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7259 goto end;
7260
7261 if (!TEST_true(SSL_session_reused(clientssl))
7262 || !TEST_true(SSL_session_reused(serverssl))
7263 || !TEST_str_eq(SSL_get_servername(clientssl,
7264 TLSEXT_NAMETYPE_host_name),
7265 cexpectedhost)
7266 || !TEST_str_eq(SSL_get_servername(serverssl,
7267 TLSEXT_NAMETYPE_host_name),
7268 sexpectedhost))
7269 goto end;
7270
7271 testresult = 1;
7272
7273 end:
7274 SSL_SESSION_free(sess);
7275 SSL_free(serverssl);
7276 SSL_free(clientssl);
7277 SSL_CTX_free(sctx);
7278 SSL_CTX_free(cctx);
7279
7280 return testresult;
7281}
7282
5e30f2fd 7283OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
a43ce58f 7284
ad887416 7285int setup_tests(void)
2cb4b5f6 7286{
5e30f2fd
MC		 7287 char *modulename;
7288 char *configfile;
7289
7290 libctx = OPENSSL_CTX_new();
7291 if (!TEST_ptr(libctx))
7292 return 0;
7293
7294 defctxnull = OSSL_PROVIDER_load(NULL, "null");
7295
7296 /*
7297 * Verify that the default and fips providers in the default libctx are not
7298 * available
7299 */
7300 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
7301 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
7302 return 0;
7303
8d242823
MC		 7304 if (!test_skip_common_options()) {
7305 TEST_error("Error parsing test options\n");
7306 return 0;
7307 }
7308
1a2a3a42
MC		 7309 if (!TEST_ptr(certsdir = test_get_argument(0))
7310 || !TEST_ptr(srpvfile = test_get_argument(1))
5e30f2fd
MC		 7311 || !TEST_ptr(tmpfilename = test_get_argument(2))
7312 || !TEST_ptr(modulename = test_get_argument(3))
7313 || !TEST_ptr(configfile = test_get_argument(4)))
7314 return 0;
7315
7316 if (!TEST_true(OPENSSL_CTX_load_config(libctx, configfile)))
7317 return 0;
7318
7319 /* Check we have the expected provider available */
7320 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
7321 return 0;
7322
7323 /* Check the default provider is not available */
7324 if (strcmp(modulename, "default") != 0
7325 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
710756a9 7326 return 0;
2cb4b5f6 7327
4f6c7044
MC		 7328 if (strcmp(modulename, "fips") == 0)
7329 is_fips = 1;
7330
f297e4ec
RS		 7331 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
7332#ifdef OPENSSL_NO_CRYPTO_MDEBUG
7333 TEST_error("not supported in this build");
7334 return 0;
7335#else
7336 int i, mcount, rcount, fcount;
7337
7338 for (i = 0; i < 4; i++)
7339 test_export_key_mat(i);
7340 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
7341 test_printf_stdout("malloc %d realloc %d free %d\n",
7342 mcount, rcount, fcount);
7343 return 1;
7344#endif
7345 }
7346
1a2a3a42
MC		 7347 cert = test_mk_file_path(certsdir, "servercert.pem");
7348 if (cert == NULL)
7349 return 0;
7350
7351 privkey = test_mk_file_path(certsdir, "serverkey.pem");
7352 if (privkey == NULL) {
7353 OPENSSL_free(cert);
7354 return 0;
7355 }
7356
5e9072ed
MC		 7357#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
7358 && !defined(OPENSSL_NO_SOCK)
2fab79af
BP		 7359 ADD_TEST(test_ktls_no_txrx_client_no_txrx_server);
7360 ADD_TEST(test_ktls_no_rx_client_no_txrx_server);
7361 ADD_TEST(test_ktls_no_tx_client_no_txrx_server);
7362 ADD_TEST(test_ktls_client_no_txrx_server);
7363 ADD_TEST(test_ktls_no_txrx_client_no_rx_server);
7364 ADD_TEST(test_ktls_no_rx_client_no_rx_server);
7365 ADD_TEST(test_ktls_no_tx_client_no_rx_server);
7366 ADD_TEST(test_ktls_client_no_rx_server);
7367 ADD_TEST(test_ktls_no_txrx_client_no_tx_server);
7368 ADD_TEST(test_ktls_no_rx_client_no_tx_server);
7369 ADD_TEST(test_ktls_no_tx_client_no_tx_server);
7370 ADD_TEST(test_ktls_client_no_tx_server);
7371 ADD_TEST(test_ktls_no_txrx_client_server);
7372 ADD_TEST(test_ktls_no_rx_client_server);
7373 ADD_TEST(test_ktls_no_tx_client_server);
fe5d9450 7374 ADD_TEST(test_ktls_client_server);
7c3a7561 7375 ADD_TEST(test_ktls_sendfile);
fe5d9450 7376#endif
84d5549e 7377 ADD_TEST(test_large_message_tls);
7856332e 7378 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 7379#ifndef OPENSSL_NO_DTLS
84d5549e 7380 ADD_TEST(test_large_message_dtls);
55386bef 7381#endif
8f8c11d8 7382#ifndef OPENSSL_NO_OCSP
c887104f 7383 ADD_TEST(test_tlsext_status_type);
8f8c11d8 7384#endif
eaa776da
MC		 7385 ADD_TEST(test_session_with_only_int_cache);
7386 ADD_TEST(test_session_with_only_ext_cache);
7387 ADD_TEST(test_session_with_both_cache);
36ff232c 7388#ifndef OPENSSL_NO_TLS1_3
04d7814a
MC		 7389 ADD_ALL_TESTS(test_stateful_tickets, 3);
7390 ADD_ALL_TESTS(test_stateless_tickets, 3);
8614a4eb 7391 ADD_TEST(test_psk_tickets);
36ff232c 7392#endif
7fb4c820 7393 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 7394 ADD_TEST(test_ssl_bio_pop_next_bio);
7395 ADD_TEST(test_ssl_bio_pop_ssl_bio);
7396 ADD_TEST(test_ssl_bio_change_rbio);
7397 ADD_TEST(test_ssl_bio_change_wbio);
c423ecaa 7398#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae 7399 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 7400 ADD_TEST(test_keylog);
c423ecaa 7401#endif
6acdd3e5
CB		 7402#ifndef OPENSSL_NO_TLS1_3
7403 ADD_TEST(test_keylog_no_master_key);
7404#endif
e9ee6536 7405#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 7406 ADD_TEST(test_client_hello_cb);
088dfa13 7407 ADD_TEST(test_no_ems);
3cd14e5e 7408 ADD_TEST(test_ccs_change_cipher);
5f982038
MC		 7409#endif
7410#ifndef OPENSSL_NO_TLS1_3
02a3ed5a 7411 ADD_ALL_TESTS(test_early_data_read_write, 3);
78fb5374
MC		 7412 /*
7413 * We don't do replay tests for external PSK. Replay protection isn't used
7414 * in that scenario.
7415 */
7416 ADD_ALL_TESTS(test_early_data_replay, 2);
02a3ed5a
MC		 7417 ADD_ALL_TESTS(test_early_data_skip, 3);
7418 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
0efa0ba4 7419 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
0d1b7789 7420 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
02a3ed5a 7421 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 7422 ADD_ALL_TESTS(test_early_data_psk, 8);
02a3ed5a 7423 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 7424# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 7425 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 7426# endif
e9ee6536 7427#endif
a273157a 7428#ifndef OPENSSL_NO_TLS1_3
034cb87b 7429 ADD_ALL_TESTS(test_set_ciphersuite, 10);
ca0413ae 7430 ADD_TEST(test_ciphersuite_change);
5bf2eade 7431 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
7432# ifdef OPENSSL_NO_PSK
c2b290c3 7433 ADD_ALL_TESTS(test_tls13_psk, 1);
5bf2eade 7434# else
0d8da779 7435 ADD_ALL_TESTS(test_tls13_psk, 4);
5bf2eade 7436# endif /* OPENSSL_NO_PSK */
7437# ifndef OPENSSL_NO_TLS1_2
7438 /* Test with both TLSv1.3 and 1.2 versions */
db26ec80 7439 ADD_ALL_TESTS(test_key_exchange, 14);
5bf2eade 7440# else
7441 /* Test with only TLSv1.3 versions */
7442 ADD_ALL_TESTS(test_key_exchange, 12);
7443# endif
bb01ef3f 7444 ADD_ALL_TESTS(test_custom_exts, 5);
c7b8ff25 7445 ADD_TEST(test_stateless);
9d75dce3 7446 ADD_TEST(test_pha_key_update);
a273157a 7447#else
bb01ef3f 7448 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 7449#endif
16afd71c 7450 ADD_ALL_TESTS(test_serverinfo, 8);
0fb2815b 7451 ADD_ALL_TESTS(test_export_key_mat, 6);
b38ede80
TT		 7452#ifndef OPENSSL_NO_TLS1_3
7453 ADD_ALL_TESTS(test_export_key_mat_early, 3);
3409a5ff 7454 ADD_TEST(test_key_update);
a77b4dba 7455 ADD_ALL_TESTS(test_key_update_in_write, 2);
b38ede80 7456#endif
e11b6aa4 7457 ADD_ALL_TESTS(test_ssl_clear, 2);
cf72c757 7458 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
76fd7a1d
MC		 7459#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7460 ADD_ALL_TESTS(test_srp, 6);
7461#endif
5718fe45 7462 ADD_ALL_TESTS(test_info_callback, 6);
4a432af8 7463 ADD_ALL_TESTS(test_ssl_pending, 2);
e401389a 7464 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
a76ce286 7465 ADD_ALL_TESTS(test_ticket_callbacks, 16);
57d7b988 7466 ADD_ALL_TESTS(test_shutdown, 7);
1a2a3a42 7467 ADD_ALL_TESTS(test_cert_cb, 6);
6e46c065 7468 ADD_ALL_TESTS(test_client_cert_cb, 2);
fb8c8359 7469 ADD_ALL_TESTS(test_ca_names, 3);
0d2bfe52
SL		 7470#ifndef OPENSSL_NO_TLS1_2
7471 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
7472#endif
49ef3d07 7473 ADD_ALL_TESTS(test_servername, 10);
ad887416
P		 7474 return 1;
7475}
2cb4b5f6 7476
ad887416
P		 7477void cleanup_tests(void)
7478{
1a2a3a42
MC		 7479 OPENSSL_free(cert);
7480 OPENSSL_free(privkey);
fa454945 7481 bio_s_mempacket_test_free();
a77b4dba 7482 bio_s_always_retry_free();
5e30f2fd
MC		 7483 OSSL_PROVIDER_unload(defctxnull);
7484 OPENSSL_CTX_free(libctx);
2cb4b5f6 7485}
A mirror of the official openssl repository