]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Add support for SSL_CTX_set_post_handshake_auth()
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
6738bf14 2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6
MC		 3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
ba881d3b
MC		 10#include <string.h>
11
2cb4b5f6
MC		 12#include <openssl/opensslconf.h>
13#include <openssl/bio.h>
14#include <openssl/crypto.h>
15#include <openssl/ssl.h>
ba881d3b 16#include <openssl/ocsp.h>
76fd7a1d
MC		 17#include <openssl/srp.h>
18#include <openssl/txt_db.h>
d0191fe0 19#include <openssl/aes.h>
2cb4b5f6
MC		 20
21#include "ssltestlib.h"
c887104f 22#include "testutil.h"
f297e4ec 23#include "testutil/output.h"
176db6dc 24#include "internal/nelem.h"
ca0413ae 25#include "../ssl/ssl_locl.h"
2cb4b5f6
MC		 26
27static char *cert = NULL;
28static char *privkey = NULL;
76fd7a1d
MC		 29static char *srpvfile = NULL;
30static char *tmpfilename = NULL;
2cb4b5f6 31
cffe973c 32#define LOG_BUFFER_SIZE 2048
6acdd3e5 33static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 34static size_t server_log_buffer_index = 0;
6acdd3e5 35static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 36static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 37static int error_writing_log = 0;
38
8f8c11d8 39#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 40static const unsigned char orespder[] = "Dummy OCSP Response";
41static int ocsp_server_called = 0;
42static int ocsp_client_called = 0;
43
44static int cdummyarg = 1;
45static X509 *ocspcert = NULL;
8f8c11d8 46#endif
ba881d3b 47
84d5549e 48#define NUM_EXTRA_CERTS 40
cf72c757 49#define CLIENT_VERSION_LEN 2
84d5549e 50
f1a5939f
CB		 51/*
52 * This structure is used to validate that the correct number of log messages
53 * of various types are emitted when emitting secret logs.
54 */
55struct sslapitest_log_counts {
56 unsigned int rsa_key_exchange_count;
57 unsigned int master_secret_count;
cffe973c 58 unsigned int client_early_secret_count;
f1a5939f
CB		 59 unsigned int client_handshake_secret_count;
60 unsigned int server_handshake_secret_count;
61 unsigned int client_application_secret_count;
62 unsigned int server_application_secret_count;
01a2a654 63 unsigned int early_exporter_secret_count;
6329ce8f 64 unsigned int exporter_secret_count;
f1a5939f
CB		 65};
66
16afd71c
MC		 67
68static unsigned char serverinfov1[] = {
69 0xff, 0xff, /* Dummy extension type */
70 0x00, 0x01, /* Extension length is 1 byte */
71 0xff /* Dummy extension data */
72};
73
74static unsigned char serverinfov2[] = {
75 0x00, 0x00, 0x00,
76 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
77 0xff, 0xff, /* Dummy extension type */
78 0x00, 0x01, /* Extension length is 1 byte */
79 0xff /* Dummy extension data */
80};
81
710756a9
RS		 82static void client_keylog_callback(const SSL *ssl, const char *line)
83{
6acdd3e5
CB		 84 int line_length = strlen(line);
85
86 /* If the log doesn't fit, error out. */
710756a9
RS		 87 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
88 TEST_info("Client log too full");
6acdd3e5
CB		 89 error_writing_log = 1;
90 return;
91 }
92
93 strcat(client_log_buffer, line);
94 client_log_buffer_index += line_length;
710756a9 95 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 96}
97
710756a9
RS		 98static void server_keylog_callback(const SSL *ssl, const char *line)
99{
6acdd3e5
CB		 100 int line_length = strlen(line);
101
102 /* If the log doesn't fit, error out. */
710756a9 103 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 104 TEST_info("Server log too full");
6acdd3e5
CB		 105 error_writing_log = 1;
106 return;
107 }
108
109 strcat(server_log_buffer, line);
110 server_log_buffer_index += line_length;
710756a9 111 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 112}
113
114static int compare_hex_encoded_buffer(const char *hex_encoded,
115 size_t hex_length,
116 const uint8_t *raw,
710756a9
RS		 117 size_t raw_length)
118{
119 size_t i, j;
120 char hexed[3];
6acdd3e5 121
710756a9 122 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 123 return 1;
6acdd3e5 124
710756a9 125 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 126 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 127 if (!TEST_int_eq(hexed[0], hex_encoded[j])
128 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 129 return 1;
6acdd3e5
CB		 130 }
131
132 return 0;
133}
134
135static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 136 const SSL_SESSION *session,
710756a9
RS		 137 struct sslapitest_log_counts *expected)
138{
6acdd3e5
CB		 139 char *token = NULL;
140 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
141 size_t client_random_size = SSL3_RANDOM_SIZE;
142 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
143 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 144 unsigned int rsa_key_exchange_count = 0;
145 unsigned int master_secret_count = 0;
cffe973c 146 unsigned int client_early_secret_count = 0;
f1a5939f
CB		 147 unsigned int client_handshake_secret_count = 0;
148 unsigned int server_handshake_secret_count = 0;
149 unsigned int client_application_secret_count = 0;
150 unsigned int server_application_secret_count = 0;
01a2a654 151 unsigned int early_exporter_secret_count = 0;
6329ce8f 152 unsigned int exporter_secret_count = 0;
6acdd3e5 153
710756a9
RS		 154 for (token = strtok(buffer, " \n"); token != NULL;
155 token = strtok(NULL, " \n")) {
6acdd3e5 156 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 157 /*
158 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 159 * hex-encoded encrypted secret, then the hex-encoded pre-master
160 * secret.
161 */
710756a9 162 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 163 return 0;
710756a9 164 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 165 return 0;
710756a9 166 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 167 return 0;
f1a5939f
CB		 168 /*
169 * We can't sensibly check the log because the premaster secret is
170 * transient, and OpenSSL doesn't keep hold of it once the master
171 * secret is generated.
172 */
173 rsa_key_exchange_count++;
6acdd3e5 174 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 175 /*
176 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 177 * client random, then the hex-encoded master secret.
178 */
179 client_random_size = SSL_get_client_random(ssl,
180 actual_client_random,
181 SSL3_RANDOM_SIZE);
710756a9 182 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 183 return 0;
6acdd3e5 184
710756a9 185 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 186 return 0;
710756a9 187 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 188 return 0;
710756a9
RS		 189 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
190 actual_client_random,
191 client_random_size)))
f1a5939f 192 return 0;
6acdd3e5 193
710756a9 194 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 195 return 0;
6acdd3e5
CB		 196 master_key_size = SSL_SESSION_get_master_key(session,
197 actual_master_key,
198 master_key_size);
710756a9 199 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 200 return 0;
710756a9
RS		 201 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
202 actual_master_key,
203 master_key_size)))
f1a5939f 204 return 0;
f1a5939f 205 master_secret_count++;
cffe973c
PW		 206 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
207 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
710756a9
RS		 208 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
209 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
6329ce8f 210 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
01a2a654 211 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
6329ce8f 212 || strcmp(token, "EXPORTER_SECRET") == 0) {
f1a5939f
CB		 213 /*
214 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
215 * client random, and then the hex-encoded secret. In this case,
216 * we treat all of these secrets identically and then just
217 * distinguish between them when counting what we saw.
218 */
cffe973c
PW		 219 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
220 client_early_secret_count++;
221 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
f1a5939f
CB		 222 client_handshake_secret_count++;
223 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
224 server_handshake_secret_count++;
225 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
226 client_application_secret_count++;
227 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
228 server_application_secret_count++;
01a2a654
PW		 229 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
230 early_exporter_secret_count++;
6329ce8f
PW		 231 else if (strcmp(token, "EXPORTER_SECRET") == 0)
232 exporter_secret_count++;
f1a5939f
CB		 233
234 client_random_size = SSL_get_client_random(ssl,
235 actual_client_random,
236 SSL3_RANDOM_SIZE);
710756a9 237 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 238 return 0;
f1a5939f 239
710756a9 240 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 241 return 0;
710756a9 242 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 243 return 0;
710756a9
RS		 244 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
245 actual_client_random,
246 client_random_size)))
f1a5939f 247 return 0;
6acdd3e5 248
710756a9 249 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 250 return 0;
f1a5939f
CB		 251
252 /*
253 * TODO(TLS1.3): test that application traffic secrets are what
254 * we expect */
6acdd3e5 255 } else {
710756a9 256 TEST_info("Unexpected token %s\n", token);
f1a5939f 257 return 0;
6acdd3e5 258 }
6acdd3e5
CB		 259 }
260
710756a9
RS		 261 /* Got what we expected? */
262 if (!TEST_size_t_eq(rsa_key_exchange_count,
263 expected->rsa_key_exchange_count)
264 || !TEST_size_t_eq(master_secret_count,
265 expected->master_secret_count)
cffe973c
PW		 266 || !TEST_size_t_eq(client_early_secret_count,
267 expected->client_early_secret_count)
710756a9
RS		 268 || !TEST_size_t_eq(client_handshake_secret_count,
269 expected->client_handshake_secret_count)
270 || !TEST_size_t_eq(server_handshake_secret_count,
271 expected->server_handshake_secret_count)
272 || !TEST_size_t_eq(client_application_secret_count,
273 expected->client_application_secret_count)
274 || !TEST_size_t_eq(server_application_secret_count,
6329ce8f 275 expected->server_application_secret_count)
01a2a654
PW		 276 || !TEST_size_t_eq(early_exporter_secret_count,
277 expected->early_exporter_secret_count)
6329ce8f
PW		 278 || !TEST_size_t_eq(exporter_secret_count,
279 expected->exporter_secret_count))
710756a9
RS		 280 return 0;
281 return 1;
6acdd3e5
CB		 282}
283
c423ecaa 284#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
710756a9
RS		 285static int test_keylog(void)
286{
6acdd3e5
CB		 287 SSL_CTX *cctx = NULL, *sctx = NULL;
288 SSL *clientssl = NULL, *serverssl = NULL;
289 int testresult = 0;
f1a5939f 290 struct sslapitest_log_counts expected = {0};
6acdd3e5
CB		 291
292 /* Clean up logging space */
710756a9
RS		 293 memset(client_log_buffer, 0, sizeof(client_log_buffer));
294 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 295 client_log_buffer_index = 0;
296 server_log_buffer_index = 0;
297 error_writing_log = 0;
298
710756a9
RS		 299 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
300 TLS_client_method(),
7d7f6834 301 TLS1_VERSION, TLS_MAX_VERSION,
710756a9 302 &sctx, &cctx, cert, privkey)))
6acdd3e5 303 return 0;
6acdd3e5
CB		 304
305 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
306 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
307 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
308
f0deb4d3 309 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 310 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 311 goto end;
f0deb4d3 312
cf10df81
RS		 313 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
314 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 315 goto end;
6acdd3e5 316 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 317 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
318 == client_keylog_callback))
6acdd3e5 319 goto end;
710756a9 320 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 321 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
322 == server_keylog_callback))
6acdd3e5 323 goto end;
6acdd3e5 324
710756a9
RS		 325 /* Now do a handshake and check that the logs have been written to. */
326 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
327 &clientssl, NULL, NULL))
328 || !TEST_true(create_ssl_connection(serverssl, clientssl,
329 SSL_ERROR_NONE))
330 || !TEST_false(error_writing_log)
331 || !TEST_int_gt(client_log_buffer_index, 0)
332 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 333 goto end;
6acdd3e5 334
f1a5939f
CB		 335 /*
336 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 337 * do that by using strtok and confirming that we have more or less the
f1a5939f
CB		 338 * data we expect. For both client and server, we expect to see one master
339 * secret. The client should also see a RSA key exchange.
6acdd3e5 340 */
f1a5939f
CB		 341 expected.rsa_key_exchange_count = 1;
342 expected.master_secret_count = 1;
710756a9
RS		 343 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
344 SSL_get_session(clientssl), &expected)))
6acdd3e5 345 goto end;
f1a5939f
CB		 346
347 expected.rsa_key_exchange_count = 0;
710756a9
RS		 348 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
349 SSL_get_session(serverssl), &expected)))
6acdd3e5 350 goto end;
6acdd3e5
CB		 351
352 testresult = 1;
353
354end:
355 SSL_free(serverssl);
356 SSL_free(clientssl);
357 SSL_CTX_free(sctx);
358 SSL_CTX_free(cctx);
359
360 return testresult;
361}
c423ecaa 362#endif
6acdd3e5
CB		 363
364#ifndef OPENSSL_NO_TLS1_3
710756a9
RS		 365static int test_keylog_no_master_key(void)
366{
6acdd3e5
CB		 367 SSL_CTX *cctx = NULL, *sctx = NULL;
368 SSL *clientssl = NULL, *serverssl = NULL;
cffe973c 369 SSL_SESSION *sess = NULL;
6acdd3e5 370 int testresult = 0;
f1a5939f 371 struct sslapitest_log_counts expected = {0};
cffe973c
PW		 372 unsigned char buf[1];
373 size_t readbytes, written;
6acdd3e5
CB		 374
375 /* Clean up logging space */
710756a9
RS		 376 memset(client_log_buffer, 0, sizeof(client_log_buffer));
377 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 378 client_log_buffer_index = 0;
379 server_log_buffer_index = 0;
380 error_writing_log = 0;
381
7d7f6834
RL		 382 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
383 TLS1_VERSION, TLS_MAX_VERSION,
cffe973c
PW		 384 &sctx, &cctx, cert, privkey))
385 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
cffe973c 386 SSL3_RT_MAX_PLAIN_LENGTH)))
6acdd3e5 387 return 0;
6acdd3e5 388
cf10df81
RS		 389 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
390 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 391 goto end;
6acdd3e5
CB		 392
393 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 394 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
395 == client_keylog_callback))
6acdd3e5 396 goto end;
6acdd3e5 397
710756a9 398 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 399 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
400 == server_keylog_callback))
6acdd3e5 401 goto end;
6acdd3e5 402
710756a9
RS		 403 /* Now do a handshake and check that the logs have been written to. */
404 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
405 &clientssl, NULL, NULL))
406 || !TEST_true(create_ssl_connection(serverssl, clientssl,
407 SSL_ERROR_NONE))
408 || !TEST_false(error_writing_log))
6acdd3e5 409 goto end;
6acdd3e5 410
f1a5939f
CB		 411 /*
412 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 413 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 414 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 415 */
f1a5939f
CB		 416 expected.client_handshake_secret_count = 1;
417 expected.server_handshake_secret_count = 1;
418 expected.client_application_secret_count = 1;
419 expected.server_application_secret_count = 1;
6329ce8f 420 expected.exporter_secret_count = 1;
710756a9
RS		 421 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
422 SSL_get_session(clientssl), &expected))
423 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
424 SSL_get_session(serverssl),
425 &expected)))
6acdd3e5 426 goto end;
6acdd3e5 427
cffe973c
PW		 428 /* Terminate old session and resume with early data. */
429 sess = SSL_get1_session(clientssl);
430 SSL_shutdown(clientssl);
431 SSL_shutdown(serverssl);
432 SSL_free(serverssl);
433 SSL_free(clientssl);
434 serverssl = clientssl = NULL;
435
436 /* Reset key log */
437 memset(client_log_buffer, 0, sizeof(client_log_buffer));
438 memset(server_log_buffer, 0, sizeof(server_log_buffer));
439 client_log_buffer_index = 0;
440 server_log_buffer_index = 0;
441
442 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
443 &clientssl, NULL, NULL))
444 || !TEST_true(SSL_set_session(clientssl, sess))
445 /* Here writing 0 length early data is enough. */
446 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
447 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
448 &readbytes),
449 SSL_READ_EARLY_DATA_ERROR)
450 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
451 SSL_EARLY_DATA_ACCEPTED)
452 || !TEST_true(create_ssl_connection(serverssl, clientssl,
453 SSL_ERROR_NONE))
454 || !TEST_true(SSL_session_reused(clientssl)))
455 goto end;
456
457 /* In addition to the previous entries, expect early secrets. */
458 expected.client_early_secret_count = 1;
01a2a654 459 expected.early_exporter_secret_count = 1;
cffe973c
PW		 460 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
461 SSL_get_session(clientssl), &expected))
462 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
463 SSL_get_session(serverssl),
464 &expected)))
465 goto end;
466
6acdd3e5
CB		 467 testresult = 1;
468
469end:
cffe973c 470 SSL_SESSION_free(sess);
6acdd3e5
CB		 471 SSL_free(serverssl);
472 SSL_free(clientssl);
473 SSL_CTX_free(sctx);
474 SSL_CTX_free(cctx);
475
476 return testresult;
477}
478#endif
479
e9ee6536 480#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 481static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 482{
483 int *ctr = arg;
484 const unsigned char *p;
8ea404fb 485 int *exts;
2afaee51
BK		 486 /* We only configure two ciphers, but the SCSV is added automatically. */
487#ifdef OPENSSL_NO_EC
488 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
489#else
490 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
491 0x2c, 0x00, 0xff};
492#endif
8ea404fb
BK		 493 const int expected_extensions[] = {
494#ifndef OPENSSL_NO_EC
495 11, 10,
496#endif
10ed1b72 497 35, 22, 23, 13};
2afaee51
BK		 498 size_t len;
499
500 /* Make sure we can defer processing and get called back. */
501 if ((*ctr)++ == 0)
f1b97da1 502 return SSL_CLIENT_HELLO_RETRY;
2afaee51 503
a9c0d8be 504 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 505 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 506 || !TEST_size_t_eq(
507 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 508 || !TEST_int_eq(*p, 0))
f1b97da1 509 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 510 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 511 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 512 if (len != OSSL_NELEM(expected_extensions) ||
513 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 514 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 515 OPENSSL_free(exts);
f1b97da1 516 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 517 }
518 OPENSSL_free(exts);
f1b97da1 519 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 520}
521
a9c0d8be 522static int test_client_hello_cb(void)
710756a9 523{
2afaee51
BK		 524 SSL_CTX *cctx = NULL, *sctx = NULL;
525 SSL *clientssl = NULL, *serverssl = NULL;
526 int testctr = 0, testresult = 0;
527
7d7f6834
RL		 528 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
529 TLS1_VERSION, TLS_MAX_VERSION,
530 &sctx, &cctx, cert, privkey)))
2afaee51 531 goto end;
a9c0d8be 532 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 533
2afaee51
BK		 534 /* The gimpy cipher list we configure can't do TLS 1.3. */
535 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 536
710756a9
RS		 537 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
538 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
539 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
540 &clientssl, NULL, NULL))
541 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 542 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 543 /*
544 * Passing a -1 literal is a hack since
545 * the real value was lost.
546 * */
a9c0d8be
DB		 547 || !TEST_int_eq(SSL_get_error(serverssl, -1),
548 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 549 || !TEST_true(create_ssl_connection(serverssl, clientssl,
550 SSL_ERROR_NONE)))
2afaee51 551 goto end;
2afaee51
BK		 552
553 testresult = 1;
554
555end:
556 SSL_free(serverssl);
557 SSL_free(clientssl);
558 SSL_CTX_free(sctx);
559 SSL_CTX_free(cctx);
560
561 return testresult;
562}
e9ee6536 563#endif
2afaee51 564
84d5549e 565static int execute_test_large_message(const SSL_METHOD *smeth,
7d7f6834
RL		 566 const SSL_METHOD *cmeth,
567 int min_version, int max_version,
568 int read_ahead)
84d5549e
MC		 569{
570 SSL_CTX *cctx = NULL, *sctx = NULL;
571 SSL *clientssl = NULL, *serverssl = NULL;
572 int testresult = 0;
573 int i;
710756a9 574 BIO *certbio = NULL;
84d5549e
MC		 575 X509 *chaincert = NULL;
576 int certlen;
577
710756a9 578 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
84d5549e 579 goto end;
84d5549e 580 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
fa454945
MC		 581 BIO_free(certbio);
582 certbio = NULL;
710756a9 583 if (!TEST_ptr(chaincert))
fa454945 584 goto end;
84d5549e 585
7d7f6834
RL		 586 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
587 &sctx, &cctx, cert, privkey)))
84d5549e 588 goto end;
84d5549e 589
710756a9 590 if (read_ahead) {
7856332e
MC		 591 /*
592 * Test that read_ahead works correctly when dealing with large
593 * records
594 */
595 SSL_CTX_set_read_ahead(cctx, 1);
596 }
597
84d5549e
MC		 598 /*
599 * We assume the supplied certificate is big enough so that if we add
600 * NUM_EXTRA_CERTS it will make the overall message large enough. The
601 * default buffer size is requested to be 16k, but due to the way BUF_MEM
710756a9
RS		 602 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
603 * test we need to have a message larger than that.
84d5549e
MC		 604 */
605 certlen = i2d_X509(chaincert, NULL);
710756a9
RS		 606 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
607 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
84d5549e 608 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
710756a9 609 if (!X509_up_ref(chaincert))
84d5549e 610 goto end;
84d5549e 611 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
84d5549e
MC		 612 X509_free(chaincert);
613 goto end;
614 }
615 }
616
710756a9
RS		 617 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
618 NULL, NULL))
619 || !TEST_true(create_ssl_connection(serverssl, clientssl,
620 SSL_ERROR_NONE)))
84d5549e 621 goto end;
84d5549e 622
4bf08600
MC		 623 /*
624 * Calling SSL_clear() first is not required but this tests that SSL_clear()
625 * doesn't leak (when using enable-crypto-mdebug).
626 */
710756a9 627 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 628 goto end;
84d5549e 629
4bf08600 630 testresult = 1;
84d5549e
MC		 631 end:
632 X509_free(chaincert);
633 SSL_free(serverssl);
634 SSL_free(clientssl);
635 SSL_CTX_free(sctx);
636 SSL_CTX_free(cctx);
637
638 return testresult;
639}
640
641static int test_large_message_tls(void)
642{
7856332e 643 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
7d7f6834 644 TLS1_VERSION, TLS_MAX_VERSION,
7856332e
MC		 645 0);
646}
647
648static int test_large_message_tls_read_ahead(void)
649{
650 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
7d7f6834 651 TLS1_VERSION, TLS_MAX_VERSION,
7856332e 652 1);
84d5549e
MC		 653}
654
55386bef 655#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 656static int test_large_message_dtls(void)
657{
7856332e
MC		 658 /*
659 * read_ahead is not relevant to DTLS because DTLS always acts as if
660 * read_ahead is set.
661 */
84d5549e 662 return execute_test_large_message(DTLS_server_method(),
7d7f6834
RL		 663 DTLS_client_method(),
664 DTLS1_VERSION, DTLS_MAX_VERSION,
665 0);
84d5549e 666}
55386bef 667#endif
84d5549e 668
8f8c11d8 669#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 670static int ocsp_server_cb(SSL *s, void *arg)
671{
672 int *argi = (int *)arg;
710756a9 673 unsigned char *copy = NULL;
ba881d3b
MC		 674 STACK_OF(OCSP_RESPID) *ids = NULL;
675 OCSP_RESPID *id = NULL;
676
677 if (*argi == 2) {
678 /* In this test we are expecting exactly 1 OCSP_RESPID */
679 SSL_get_tlsext_status_ids(s, &ids);
680 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
681 return SSL_TLSEXT_ERR_ALERT_FATAL;
682
683 id = sk_OCSP_RESPID_value(ids, 0);
684 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
685 return SSL_TLSEXT_ERR_ALERT_FATAL;
686 } else if (*argi != 1) {
687 return SSL_TLSEXT_ERR_ALERT_FATAL;
688 }
689
710756a9 690 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 691 return SSL_TLSEXT_ERR_ALERT_FATAL;
692
710756a9 693 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
ba881d3b 694 ocsp_server_called = 1;
ba881d3b
MC		 695 return SSL_TLSEXT_ERR_OK;
696}
697
698static int ocsp_client_cb(SSL *s, void *arg)
699{
700 int *argi = (int *)arg;
701 const unsigned char *respderin;
702 size_t len;
703
704 if (*argi != 1 && *argi != 2)
705 return 0;
706
707 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 708 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 709 return 0;
710
711 ocsp_client_called = 1;
ba881d3b
MC		 712 return 1;
713}
714
2cb4b5f6
MC		 715static int test_tlsext_status_type(void)
716{
ba881d3b
MC		 717 SSL_CTX *cctx = NULL, *sctx = NULL;
718 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 719 int testresult = 0;
ba881d3b
MC		 720 STACK_OF(OCSP_RESPID) *ids = NULL;
721 OCSP_RESPID *id = NULL;
722 BIO *certbio = NULL;
2cb4b5f6 723
7d7f6834
RL		 724 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
725 TLS1_VERSION, TLS_MAX_VERSION,
726 &sctx, &cctx, cert, privkey))
ba881d3b 727 return 0;
2cb4b5f6 728
710756a9 729 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 730 goto end;
2cb4b5f6 731
ba881d3b 732 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 733
ba881d3b 734 clientssl = SSL_new(cctx);
710756a9
RS		 735 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
736 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
737 TLSEXT_STATUSTYPE_ocsp))
738 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
739 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 740 goto end;
2cb4b5f6 741
ba881d3b
MC		 742 SSL_free(clientssl);
743 clientssl = NULL;
2cb4b5f6 744
710756a9
RS		 745 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
746 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 747 goto end;
2cb4b5f6 748
ba881d3b 749 clientssl = SSL_new(cctx);
710756a9 750 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 751 goto end;
ba881d3b
MC		 752 SSL_free(clientssl);
753 clientssl = NULL;
754
755 /*
756 * Now actually do a handshake and check OCSP information is exchanged and
757 * the callbacks get called
758 */
ba881d3b
MC		 759 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
760 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
761 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
762 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 763 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
764 &clientssl, NULL, NULL))
765 || !TEST_true(create_ssl_connection(serverssl, clientssl,
766 SSL_ERROR_NONE))
767 || !TEST_true(ocsp_client_called)
768 || !TEST_true(ocsp_server_called))
ba881d3b 769 goto end;
ba881d3b
MC		 770 SSL_free(serverssl);
771 SSL_free(clientssl);
772 serverssl = NULL;
773 clientssl = NULL;
774
775 /* Try again but this time force the server side callback to fail */
776 ocsp_client_called = 0;
777 ocsp_server_called = 0;
778 cdummyarg = 0;
710756a9
RS		 779 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
780 &clientssl, NULL, NULL))
781 /* This should fail because the callback will fail */
782 || !TEST_false(create_ssl_connection(serverssl, clientssl,
783 SSL_ERROR_NONE))
784 || !TEST_false(ocsp_client_called)
785 || !TEST_false(ocsp_server_called))
ba881d3b 786 goto end;
ba881d3b
MC		 787 SSL_free(serverssl);
788 SSL_free(clientssl);
789 serverssl = NULL;
790 clientssl = NULL;
791
792 /*
793 * This time we'll get the client to send an OCSP_RESPID that it will
794 * accept.
795 */
796 ocsp_client_called = 0;
797 ocsp_server_called = 0;
798 cdummyarg = 2;
710756a9
RS		 799 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
800 &clientssl, NULL, NULL)))
ba881d3b 801 goto end;
ba881d3b
MC		 802
803 /*
804 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 805 * specific one. We'll use the server cert.
ba881d3b 806 */
710756a9
RS		 807 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
808 || !TEST_ptr(id = OCSP_RESPID_new())
809 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
810 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
811 NULL, NULL, NULL))
812 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
813 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 814 goto end;
ba881d3b
MC		 815 id = NULL;
816 SSL_set_tlsext_status_ids(clientssl, ids);
817 /* Control has been transferred */
818 ids = NULL;
819
820 BIO_free(certbio);
821 certbio = NULL;
822
710756a9
RS		 823 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
824 SSL_ERROR_NONE))
825 || !TEST_true(ocsp_client_called)
826 || !TEST_true(ocsp_server_called))
ba881d3b 827 goto end;
ba881d3b 828
2cb4b5f6
MC		 829 testresult = 1;
830
831 end:
ba881d3b
MC		 832 SSL_free(serverssl);
833 SSL_free(clientssl);
834 SSL_CTX_free(sctx);
835 SSL_CTX_free(cctx);
836 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
837 OCSP_RESPID_free(id);
838 BIO_free(certbio);
839 X509_free(ocspcert);
840 ocspcert = NULL;
2cb4b5f6
MC		 841
842 return testresult;
843}
8f8c11d8 844#endif
2cb4b5f6 845
bf208d95 846#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 847static int new_called, remove_called, get_called;
eaa776da 848
eaa776da
MC		 849static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
850{
851 new_called++;
c0537ebd
MC		 852 /*
853 * sess has been up-refed for us, but we don't actually need it so free it
854 * immediately.
855 */
856 SSL_SESSION_free(sess);
eaa776da
MC		 857 return 1;
858}
859
860static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
861{
862 remove_called++;
863}
864
7a301f08
MC		 865static SSL_SESSION *get_sess_val = NULL;
866
867static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
868 int *copy)
869{
0afca811 870 get_called++;
7a301f08
MC		 871 *copy = 1;
872 return get_sess_val;
873}
874
7a301f08
MC		 875static int execute_test_session(int maxprot, int use_int_cache,
876 int use_ext_cache)
2cb4b5f6
MC		 877{
878 SSL_CTX *sctx = NULL, *cctx = NULL;
879 SSL *serverssl1 = NULL, *clientssl1 = NULL;
880 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 881# ifndef OPENSSL_NO_TLS1_1
eaa776da 882 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 883# endif
2cb4b5f6 884 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
36ff232c 885 int testresult = 0, numnewsesstick = 1;
2cb4b5f6 886
7e885b7b
P		 887 new_called = remove_called = 0;
888
36ff232c
MC		 889 /* TLSv1.3 sends 2 NewSessionTickets */
890 if (maxprot == TLS1_3_VERSION)
891 numnewsesstick = 2;
892
7d7f6834
RL		 893 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
894 TLS1_VERSION, TLS_MAX_VERSION,
895 &sctx, &cctx, cert, privkey)))
2cb4b5f6 896 return 0;
2cb4b5f6 897
7a301f08
MC		 898 /*
899 * Only allow the max protocol version so we can force a connection failure
900 * later
901 */
902 SSL_CTX_set_min_proto_version(cctx, maxprot);
903 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 904
905 /* Set up session cache */
7e885b7b 906 if (use_ext_cache) {
eaa776da
MC		 907 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
908 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
909 }
7e885b7b 910 if (use_int_cache) {
eaa776da
MC		 911 /* Also covers instance where both are set */
912 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
913 } else {
914 SSL_CTX_set_session_cache_mode(cctx,
915 SSL_SESS_CACHE_CLIENT
916 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
917 }
2cb4b5f6 918
710756a9
RS		 919 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
920 NULL, NULL))
921 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
922 SSL_ERROR_NONE))
923 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 924 goto end;
2cb4b5f6 925
710756a9 926 /* Should fail because it should already be in the cache */
7e885b7b 927 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 928 goto end;
7a301f08 929 if (use_ext_cache
36ff232c
MC		 930 && (!TEST_int_eq(new_called, numnewsesstick)
931
932 || !TEST_int_eq(remove_called, 0)))
b4982125 933 goto end;
b4982125 934
c0537ebd
MC		 935 new_called = remove_called = 0;
936 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
937 &clientssl2, NULL, NULL))
938 || !TEST_true(SSL_set_session(clientssl2, sess1))
939 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
940 SSL_ERROR_NONE))
941 || !TEST_true(SSL_session_reused(clientssl2)))
942 goto end;
943
7a301f08
MC		 944 if (maxprot == TLS1_3_VERSION) {
945 /*
946 * In TLSv1.3 we should have created a new session even though we have
4cb00457
MC		 947 * resumed. Since we attempted a resume we should also have removed the
948 * old ticket from the cache so that we try to only use tickets once.
7a301f08
MC		 949 */
950 if (use_ext_cache
951 && (!TEST_int_eq(new_called, 1)
4cb00457 952 || !TEST_int_eq(remove_called, 1)))
7a301f08
MC		 953 goto end;
954 } else {
955 /*
956 * In TLSv1.2 we expect to have resumed so no sessions added or
957 * removed.
958 */
959 if (use_ext_cache
960 && (!TEST_int_eq(new_called, 0)
961 || !TEST_int_eq(remove_called, 0)))
962 goto end;
963 }
c0537ebd
MC		 964
965 SSL_SESSION_free(sess1);
966 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
967 goto end;
968 shutdown_ssl_connection(serverssl2, clientssl2);
969 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 970
971 new_called = remove_called = 0;
710756a9
RS		 972 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
973 &clientssl2, NULL, NULL))
974 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
975 SSL_ERROR_NONE)))
2cb4b5f6 976 goto end;
2cb4b5f6 977
710756a9 978 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 979 goto end;
2cb4b5f6 980
7a301f08 981 if (use_ext_cache
36ff232c
MC		 982 && (!TEST_int_eq(new_called, numnewsesstick)
983 || !TEST_int_eq(remove_called, 0)))
eaa776da 984 goto end;
eaa776da 985
c0537ebd 986 new_called = remove_called = 0;
2cb4b5f6 987 /*
710756a9
RS		 988 * This should clear sess2 from the cache because it is a "bad" session.
989 * See SSL_set_session() documentation.
2cb4b5f6 990 */
710756a9 991 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 992 goto end;
7a301f08
MC		 993 if (use_ext_cache
994 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 995 goto end;
710756a9 996 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 997 goto end;
2cb4b5f6 998
7e885b7b 999 if (use_int_cache) {
710756a9
RS		 1000 /* Should succeeded because it should not already be in the cache */
1001 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1002 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 1003 goto end;
eaa776da
MC		 1004 }
1005
c0537ebd 1006 new_called = remove_called = 0;
eaa776da 1007 /* This shouldn't be in the cache so should fail */
710756a9 1008 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 1009 goto end;
2cb4b5f6 1010
7a301f08
MC		 1011 if (use_ext_cache
1012 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1013 goto end;
2cb4b5f6 1014
bf208d95 1015# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 1016 new_called = remove_called = 0;
eaa776da
MC		 1017 /* Force a connection failure */
1018 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 1019 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1020 &clientssl3, NULL, NULL))
1021 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 1022 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 1023 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1024 SSL_ERROR_NONE)))
eaa776da 1025 goto end;
b4982125 1026
eaa776da 1027 /* We should have automatically removed the session from the cache */
7a301f08
MC		 1028 if (use_ext_cache
1029 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1030 goto end;
2cb4b5f6 1031
710756a9 1032 /* Should succeed because it should not already be in the cache */
7e885b7b 1033 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 1034 goto end;
bf208d95 1035# endif
eaa776da 1036
7a301f08
MC		 1037 /* Now do some tests for server side caching */
1038 if (use_ext_cache) {
1039 SSL_CTX_sess_set_new_cb(cctx, NULL);
1040 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1041 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1042 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1043 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1044 get_sess_val = NULL;
1045 }
1046
1047 SSL_CTX_set_session_cache_mode(cctx, 0);
1048 /* Internal caching is the default on the server side */
1049 if (!use_int_cache)
1050 SSL_CTX_set_session_cache_mode(sctx,
1051 SSL_SESS_CACHE_SERVER
1052 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1053
1054 SSL_free(serverssl1);
1055 SSL_free(clientssl1);
1056 serverssl1 = clientssl1 = NULL;
1057 SSL_free(serverssl2);
1058 SSL_free(clientssl2);
1059 serverssl2 = clientssl2 = NULL;
1060 SSL_SESSION_free(sess1);
1061 sess1 = NULL;
1062 SSL_SESSION_free(sess2);
1063 sess2 = NULL;
1064
1065 SSL_CTX_set_max_proto_version(sctx, maxprot);
6cc0b3c2
MC		 1066 if (maxprot == TLS1_2_VERSION)
1067 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 1068 new_called = remove_called = get_called = 0;
7a301f08
MC		 1069 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1070 NULL, NULL))
1071 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1072 SSL_ERROR_NONE))
1073 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1074 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1075 goto end;
1076
ee94ec2e
MC		 1077 if (use_int_cache) {
1078 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1079 /*
1080 * In TLSv1.3 it should not have been added to the internal cache,
1081 * except in the case where we also have an external cache (in that
1082 * case it gets added to the cache in order to generate remove
1083 * events after timeout).
1084 */
1085 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1086 goto end;
1087 } else {
1088 /* Should fail because it should already be in the cache */
1089 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1090 goto end;
1091 }
1092 }
7a301f08
MC		 1093
1094 if (use_ext_cache) {
1095 SSL_SESSION *tmp = sess2;
1096
36ff232c 1097 if (!TEST_int_eq(new_called, numnewsesstick)
0afca811
KY		 1098 || !TEST_int_eq(remove_called, 0)
1099 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 1100 goto end;
1101 /*
1102 * Delete the session from the internal cache to force a lookup from
1103 * the external cache. We take a copy first because
1104 * SSL_CTX_remove_session() also marks the session as non-resumable.
1105 */
ee94ec2e 1106 if (use_int_cache && maxprot != TLS1_3_VERSION) {
3cb6a4d6
BK		 1107 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1108 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1109 goto end;
1110 SSL_SESSION_free(sess2);
1111 }
7a301f08
MC		 1112 sess2 = tmp;
1113 }
1114
0afca811 1115 new_called = remove_called = get_called = 0;
7a301f08
MC		 1116 get_sess_val = sess2;
1117 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1118 &clientssl2, NULL, NULL))
1119 || !TEST_true(SSL_set_session(clientssl2, sess1))
1120 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1121 SSL_ERROR_NONE))
1122 || !TEST_true(SSL_session_reused(clientssl2)))
1123 goto end;
1124
0afca811 1125 if (use_ext_cache) {
32305f88 1126 if (!TEST_int_eq(remove_called, 0))
0afca811
KY		 1127 goto end;
1128
1129 if (maxprot == TLS1_3_VERSION) {
32305f88
MC		 1130 if (!TEST_int_eq(new_called, 1)
1131 || !TEST_int_eq(get_called, 0))
0afca811
KY		 1132 goto end;
1133 } else {
32305f88
MC		 1134 if (!TEST_int_eq(new_called, 0)
1135 || !TEST_int_eq(get_called, 1))
0afca811
KY		 1136 goto end;
1137 }
1138 }
7a301f08 1139
2cb4b5f6 1140 testresult = 1;
eaa776da 1141
2cb4b5f6
MC		 1142 end:
1143 SSL_free(serverssl1);
1144 SSL_free(clientssl1);
1145 SSL_free(serverssl2);
1146 SSL_free(clientssl2);
bf208d95 1147# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 1148 SSL_free(serverssl3);
1149 SSL_free(clientssl3);
bf208d95 1150# endif
2cb4b5f6
MC		 1151 SSL_SESSION_free(sess1);
1152 SSL_SESSION_free(sess2);
1153 SSL_CTX_free(sctx);
1154 SSL_CTX_free(cctx);
1155
1156 return testresult;
1157}
bf208d95 1158#endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 1159
7fb4c820
MC		 1160static int test_session_with_only_int_cache(void)
1161{
7a301f08
MC		 1162#ifndef OPENSSL_NO_TLS1_3
1163 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1164 return 0;
1165#endif
1166
1167#ifndef OPENSSL_NO_TLS1_2
1168 return execute_test_session(TLS1_2_VERSION, 1, 0);
1169#else
1170 return 1;
1171#endif
eaa776da
MC		 1172}
1173
7fb4c820
MC		 1174static int test_session_with_only_ext_cache(void)
1175{
7a301f08
MC		 1176#ifndef OPENSSL_NO_TLS1_3
1177 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1178 return 0;
1179#endif
1180
1181#ifndef OPENSSL_NO_TLS1_2
1182 return execute_test_session(TLS1_2_VERSION, 0, 1);
1183#else
1184 return 1;
1185#endif
eaa776da
MC		 1186}
1187
7fb4c820
MC		 1188static int test_session_with_both_cache(void)
1189{
7a301f08
MC		 1190#ifndef OPENSSL_NO_TLS1_3
1191 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1192 return 0;
1193#endif
1194
1195#ifndef OPENSSL_NO_TLS1_2
1196 return execute_test_session(TLS1_2_VERSION, 1, 1);
1197#else
1198 return 1;
1199#endif
eaa776da
MC		 1200}
1201
04225915 1202#ifndef OPENSSL_NO_TLS1_3
c22365b3
MC		 1203static SSL_SESSION *sesscache[6];
1204static int do_cache;
36ff232c
MC		 1205
1206static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1207{
c22365b3
MC		 1208 if (do_cache) {
1209 sesscache[new_called] = sess;
1210 } else {
1211 /* We don't need the reference to the session, so free it */
1212 SSL_SESSION_free(sess);
1213 }
1214 new_called++;
1215
1216 return 1;
1217}
1218
1219static int post_handshake_verify(SSL *sssl, SSL *cssl)
1220{
1221 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1222 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1223 return 0;
1224
1225 /* Start handshake on the server and client */
1226 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1227 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1228 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1229 || !TEST_true(create_ssl_connection(sssl, cssl,
1230 SSL_ERROR_NONE)))
1231 return 0;
36ff232c
MC		 1232
1233 return 1;
1234}
1235
fbe9dafd 1236static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
03cdf559
MC		 1237 SSL_CTX **cctx)
1238{
1239 int sess_id_ctx = 1;
1240
1241 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1242 TLS1_VERSION, TLS_MAX_VERSION, sctx,
1243 cctx, cert, privkey))
1244 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1245 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1246 (void *)&sess_id_ctx,
1247 sizeof(sess_id_ctx))))
1248 return 0;
1249
1250 if (stateful)
1251 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1252
1253 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1254 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1255 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1256
1257 return 1;
1258}
1259
1260static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1261{
1262 SSL *serverssl = NULL, *clientssl = NULL;
1263 int i;
1264
1265 /* Test that we can resume with all the tickets we got given */
1266 for (i = 0; i < idx * 2; i++) {
1267 new_called = 0;
1268 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1269 &clientssl, NULL, NULL))
1270 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1271 goto end;
1272
32097b33 1273 SSL_set_post_handshake_auth(clientssl, 1);
03cdf559
MC		 1274
1275 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1276 SSL_ERROR_NONE)))
1277 goto end;
1278
1279 /*
1280 * Following a successful resumption we only get 1 ticket. After a
1281 * failed one we should get idx tickets.
1282 */
1283 if (succ) {
1284 if (!TEST_true(SSL_session_reused(clientssl))
1285 || !TEST_int_eq(new_called, 1))
1286 goto end;
1287 } else {
1288 if (!TEST_false(SSL_session_reused(clientssl))
1289 || !TEST_int_eq(new_called, idx))
1290 goto end;
1291 }
1292
1293 new_called = 0;
1294 /* After a post-handshake authentication we should get 1 new ticket */
1295 if (succ
1296 && (!post_handshake_verify(serverssl, clientssl)
1297 || !TEST_int_eq(new_called, 1)))
1298 goto end;
1299
1300 SSL_shutdown(clientssl);
1301 SSL_shutdown(serverssl);
1302 SSL_free(serverssl);
1303 SSL_free(clientssl);
1304 serverssl = clientssl = NULL;
1305 SSL_SESSION_free(sesscache[i]);
1306 sesscache[i] = NULL;
1307 }
1308
1309 return 1;
1310
1311 end:
1312 SSL_free(clientssl);
1313 SSL_free(serverssl);
1314 return 0;
1315}
1316
04d7814a 1317static int test_tickets(int stateful, int idx)
36ff232c
MC		 1318{
1319 SSL_CTX *sctx = NULL, *cctx = NULL;
1320 SSL *serverssl = NULL, *clientssl = NULL;
03cdf559 1321 int testresult = 0;
36ff232c
MC		 1322 size_t j;
1323
1324 /* idx is the test number, but also the number of tickets we want */
1325
1326 new_called = 0;
c22365b3 1327 do_cache = 1;
36ff232c 1328
fbe9dafd 1329 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
36ff232c
MC		 1330 goto end;
1331
03cdf559
MC		 1332 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1333 &clientssl, NULL, NULL)))
1334 goto end;
1335
1336 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1337 SSL_ERROR_NONE))
1338 /* Check we got the number of tickets we were expecting */
1339 || !TEST_int_eq(idx, new_called))
1340 goto end;
04d7814a 1341
03cdf559
MC		 1342 SSL_shutdown(clientssl);
1343 SSL_shutdown(serverssl);
1344 SSL_free(serverssl);
1345 SSL_free(clientssl);
1346 SSL_CTX_free(sctx);
1347 SSL_CTX_free(cctx);
1348 clientssl = serverssl = NULL;
1349 sctx = cctx = NULL;
1350
1351 /*
1352 * Now we try to resume with the tickets we previously created. The
1353 * resumption attempt is expected to fail (because we're now using a new
1354 * SSL_CTX). We should see idx number of tickets issued again.
1355 */
1356
1357 /* Stop caching sessions - just count them */
1358 do_cache = 0;
1359
fbe9dafd 1360 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559
MC		 1361 goto end;
1362
1363 if (!check_resumption(idx, sctx, cctx, 0))
1364 goto end;
1365
1366 /* Start again with caching sessions */
1367 new_called = 0;
1368 do_cache = 1;
fbe9dafd
MC		 1369 SSL_CTX_free(sctx);
1370 SSL_CTX_free(cctx);
1371 sctx = cctx = NULL;
03cdf559 1372
fbe9dafd 1373 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559 1374 goto end;
36ff232c
MC		 1375
1376 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1377 &clientssl, NULL, NULL)))
1378 goto end;
1379
32097b33 1380 SSL_set_post_handshake_auth(clientssl, 1);
36ff232c
MC		 1381
1382 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1383 SSL_ERROR_NONE))
1384 /* Check we got the number of tickets we were expecting */
1385 || !TEST_int_eq(idx, new_called))
1386 goto end;
1387
1388 /* After a post-handshake authentication we should get new tickets issued */
c22365b3 1389 if (!post_handshake_verify(serverssl, clientssl)
36ff232c
MC		 1390 || !TEST_int_eq(idx * 2, new_called))
1391 goto end;
1392
36ff232c
MC		 1393 SSL_shutdown(clientssl);
1394 SSL_shutdown(serverssl);
1395 SSL_free(serverssl);
1396 SSL_free(clientssl);
1397 serverssl = clientssl = NULL;
1398
c22365b3
MC		 1399 /* Stop caching sessions - just count them */
1400 do_cache = 0;
1401
03cdf559
MC		 1402 /*
1403 * Check we can resume with all the tickets we created. This time around the
1404 * resumptions should all be successful.
1405 */
1406 if (!check_resumption(idx, sctx, cctx, 1))
1407 goto end;
36ff232c
MC		 1408
1409 testresult = 1;
1410
1411 end:
1412 SSL_free(serverssl);
1413 SSL_free(clientssl);
c22365b3 1414 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
36ff232c 1415 SSL_SESSION_free(sesscache[j]);
c22365b3
MC		 1416 sesscache[j] = NULL;
1417 }
36ff232c
MC		 1418 SSL_CTX_free(sctx);
1419 SSL_CTX_free(cctx);
1420
1421 return testresult;
1422}
04d7814a
MC		 1423
1424static int test_stateless_tickets(int idx)
1425{
1426 return test_tickets(0, idx);
1427}
1428
1429static int test_stateful_tickets(int idx)
1430{
1431 return test_tickets(1, idx);
1432}
04225915 1433#endif
36ff232c 1434
7d4488bb
MC		 1435#define USE_NULL 0
1436#define USE_BIO_1 1
1437#define USE_BIO_2 2
1438#define USE_DEFAULT 3
1439
1440#define CONNTYPE_CONNECTION_SUCCESS 0
1441#define CONNTYPE_CONNECTION_FAIL 1
1442#define CONNTYPE_NO_CONNECTION 2
1443
1444#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1445#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1446#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1447# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1448#else
1449# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1450#endif
1451
7d4488bb
MC		 1452#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1453 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1454 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
7fb4c820
MC		 1455
1456static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1457{
1458 switch (type) {
1459 case USE_NULL:
1460 *res = NULL;
1461 break;
1462 case USE_BIO_1:
1463 *res = bio1;
1464 break;
1465 case USE_BIO_2:
1466 *res = bio2;
1467 break;
1468 }
1469}
1470
7d4488bb
MC		 1471
1472/*
1473 * Tests calls to SSL_set_bio() under various conditions.
1474 *
1475 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1476 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1477 * then do more tests where we create a successful connection first using our
1478 * standard connection setup functions, and then call SSL_set_bio() with
1479 * various combinations of valid BIOs or NULL. We then repeat these tests
1480 * following a failed connection. In this last case we are looking to check that
1481 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
1482 */
7fb4c820
MC		 1483static int test_ssl_set_bio(int idx)
1484{
7d4488bb 1485 SSL_CTX *sctx = NULL, *cctx = NULL;
7fb4c820
MC		 1486 BIO *bio1 = NULL;
1487 BIO *bio2 = NULL;
0fae8150 1488 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7d4488bb
MC		 1489 SSL *serverssl = NULL, *clientssl = NULL;
1490 int initrbio, initwbio, newrbio, newwbio, conntype;
7fb4c820
MC		 1491 int testresult = 0;
1492
7d4488bb
MC		 1493 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
1494 initrbio = idx % 3;
1495 idx /= 3;
1496 initwbio = idx % 3;
1497 idx /= 3;
1498 newrbio = idx % 3;
1499 idx /= 3;
1500 newwbio = idx % 3;
1501 conntype = CONNTYPE_NO_CONNECTION;
1502 } else {
1503 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
1504 initrbio = initwbio = USE_DEFAULT;
1505 newrbio = idx % 2;
1506 idx /= 2;
1507 newwbio = idx % 2;
1508 idx /= 2;
1509 conntype = idx % 2;
1510 }
710756a9 1511
7d4488bb
MC		 1512 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1513 TLS1_VERSION, TLS_MAX_VERSION,
1514 &sctx, &cctx, cert, privkey)))
1515 goto end;
1516
1517 if (conntype == CONNTYPE_CONNECTION_FAIL) {
1518 /*
1519 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
1520 * because we reduced the number of tests in the definition of
1521 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
1522 * mismatched protocol versions we will force a connection failure.
1523 */
1524 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
1525 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1526 }
1527
1528 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1529 NULL, NULL)))
710756a9 1530 goto end;
7fb4c820 1531
710756a9
RS		 1532 if (initrbio == USE_BIO_1
1533 || initwbio == USE_BIO_1
1534 || newrbio == USE_BIO_1
7fb4c820 1535 || newwbio == USE_BIO_1) {
710756a9 1536 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 1537 goto end;
7fb4c820
MC		 1538 }
1539
710756a9
RS		 1540 if (initrbio == USE_BIO_2
1541 || initwbio == USE_BIO_2
1542 || newrbio == USE_BIO_2
7fb4c820 1543 || newwbio == USE_BIO_2) {
710756a9 1544 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 1545 goto end;
7fb4c820
MC		 1546 }
1547
7d4488bb
MC		 1548 if (initrbio != USE_DEFAULT) {
1549 setupbio(&irbio, bio1, bio2, initrbio);
1550 setupbio(&iwbio, bio1, bio2, initwbio);
1551 SSL_set_bio(clientssl, irbio, iwbio);
7fb4c820 1552
7d4488bb
MC		 1553 /*
1554 * We want to maintain our own refs to these BIO, so do an up ref for
1555 * each BIO that will have ownership transferred in the SSL_set_bio()
1556 * call
1557 */
1558 if (irbio != NULL)
1559 BIO_up_ref(irbio);
1560 if (iwbio != NULL && iwbio != irbio)
1561 BIO_up_ref(iwbio);
1562 }
7fb4c820 1563
7d4488bb
MC		 1564 if (conntype != CONNTYPE_NO_CONNECTION
1565 && !TEST_true(create_ssl_connection(serverssl, clientssl,
1566 SSL_ERROR_NONE)
1567 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
1568 goto end;
7fb4c820
MC		 1569
1570 setupbio(&nrbio, bio1, bio2, newrbio);
1571 setupbio(&nwbio, bio1, bio2, newwbio);
1572
1573 /*
1574 * We will (maybe) transfer ownership again so do more up refs.
1575 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1576 * already been set!
1577 */
710756a9
RS		 1578 if (nrbio != NULL
1579 && nrbio != irbio
1580 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 1581 BIO_up_ref(nrbio);
710756a9
RS		 1582 if (nwbio != NULL
1583 && nwbio != nrbio
1584 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 1585 BIO_up_ref(nwbio);
1586
7d4488bb 1587 SSL_set_bio(clientssl, nrbio, nwbio);
7fb4c820
MC		 1588
1589 testresult = 1;
1590
1591 end:
7fb4c820
MC		 1592 BIO_free(bio1);
1593 BIO_free(bio2);
710756a9 1594
7fb4c820
MC		 1595 /*
1596 * This test is checking that the ref counting for SSL_set_bio is correct.
1597 * If we get here and we did too many frees then we will fail in the above
1598 * functions. If we haven't done enough then this will only be detected in
1599 * a crypto-mdebug build
1600 */
7d4488bb
MC		 1601 SSL_free(serverssl);
1602 SSL_free(clientssl);
1603 SSL_CTX_free(sctx);
1604 SSL_CTX_free(cctx);
7fb4c820
MC		 1605 return testresult;
1606}
1607
7e885b7b 1608typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 1609
7e885b7b 1610static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 1611{
1612 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 1613 SSL_CTX *ctx;
9a716987
MC		 1614 SSL *ssl = NULL;
1615 int testresult = 0;
1616
710756a9
RS		 1617 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1618 || !TEST_ptr(ssl = SSL_new(ctx))
1619 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1620 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 1621 goto end;
9a716987
MC		 1622
1623 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1624
1625 /*
1626 * If anything goes wrong here then we could leak memory, so this will
1627 * be caught in a crypto-mdebug build
1628 */
1629 BIO_push(sslbio, membio1);
1630
69687aa8 1631 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 1632 if (change_bio != NO_BIO_CHANGE) {
710756a9 1633 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
9a716987 1634 goto end;
7e885b7b 1635 if (change_bio == CHANGE_RBIO)
65e2d672 1636 SSL_set0_rbio(ssl, membio2);
9a716987 1637 else
65e2d672 1638 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 1639 }
1640 ssl = NULL;
1641
7e885b7b 1642 if (pop_ssl)
9a716987
MC		 1643 BIO_pop(sslbio);
1644 else
1645 BIO_pop(membio1);
1646
1647 testresult = 1;
1648 end:
1649 BIO_free(membio1);
1650 BIO_free(sslbio);
1651 SSL_free(ssl);
1652 SSL_CTX_free(ctx);
1653
1654 return testresult;
1655}
1656
1657static int test_ssl_bio_pop_next_bio(void)
1658{
7e885b7b 1659 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 1660}
1661
1662static int test_ssl_bio_pop_ssl_bio(void)
1663{
7e885b7b 1664 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 1665}
1666
1667static int test_ssl_bio_change_rbio(void)
1668{
7e885b7b 1669 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 1670}
1671
1672static int test_ssl_bio_change_wbio(void)
1673{
7e885b7b 1674 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 1675}
1676
c423ecaa 1677#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae
MC		 1678typedef struct {
1679 /* The list of sig algs */
1680 const int *list;
1681 /* The length of the list */
1682 size_t listlen;
1683 /* A sigalgs list in string format */
1684 const char *liststr;
1685 /* Whether setting the list should succeed */
1686 int valid;
1687 /* Whether creating a connection with the list should succeed */
1688 int connsuccess;
1689} sigalgs_list;
1690
1691static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 1692# ifndef OPENSSL_NO_EC
f1b25aae
MC		 1693static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1694static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 1695# endif
f1b25aae
MC		 1696static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1697static const int invalidlist2[] = {NID_sha256, NID_undef};
1698static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1699static const int invalidlist4[] = {NID_sha256};
1700static const sigalgs_list testsigalgs[] = {
1701 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 1702# ifndef OPENSSL_NO_EC
f1b25aae
MC		 1703 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1704 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 1705# endif
f1b25aae 1706 {NULL, 0, "RSA+SHA256", 1, 1},
c423ecaa 1707# ifndef OPENSSL_NO_EC
f1b25aae
MC		 1708 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1709 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 1710# endif
f1b25aae
MC		 1711 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1712 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1713 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1714 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1715 {NULL, 0, "RSA", 0, 0},
1716 {NULL, 0, "SHA256", 0, 0},
1717 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 1718 {NULL, 0, "Invalid", 0, 0}
1719};
f1b25aae
MC		 1720
1721static int test_set_sigalgs(int idx)
1722{
1723 SSL_CTX *cctx = NULL, *sctx = NULL;
1724 SSL *clientssl = NULL, *serverssl = NULL;
1725 int testresult = 0;
1726 const sigalgs_list *curr;
1727 int testctx;
1728
1729 /* Should never happen */
710756a9 1730 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 1731 return 0;
1732
1733 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1734 curr = testctx ? &testsigalgs[idx]
1735 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1736
7d7f6834
RL		 1737 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1738 TLS1_VERSION, TLS_MAX_VERSION,
1739 &sctx, &cctx, cert, privkey)))
f1b25aae 1740 return 0;
f1b25aae 1741
d2e491f2
MC		 1742 /*
1743 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1744 * for TLSv1.2 for now until we add a new API.
1745 */
1746 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1747
f1b25aae
MC		 1748 if (testctx) {
1749 int ret;
710756a9 1750
f1b25aae
MC		 1751 if (curr->list != NULL)
1752 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1753 else
1754 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1755
1756 if (!ret) {
1757 if (curr->valid)
710756a9 1758 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 1759 else
1760 testresult = 1;
1761 goto end;
1762 }
1763 if (!curr->valid) {
710756a9 1764 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 1765 goto end;
1766 }
1767 }
1768
710756a9
RS		 1769 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1770 &clientssl, NULL, NULL)))
f1b25aae 1771 goto end;
f1b25aae
MC		 1772
1773 if (!testctx) {
1774 int ret;
1775
1776 if (curr->list != NULL)
1777 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1778 else
1779 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1780 if (!ret) {
1781 if (curr->valid)
710756a9 1782 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 1783 else
1784 testresult = 1;
1785 goto end;
1786 }
710756a9 1787 if (!curr->valid)
f1b25aae 1788 goto end;
f1b25aae
MC		 1789 }
1790
710756a9
RS		 1791 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1792 SSL_ERROR_NONE),
1793 curr->connsuccess))
f1b25aae 1794 goto end;
f1b25aae
MC		 1795
1796 testresult = 1;
1797
1798 end:
1799 SSL_free(serverssl);
1800 SSL_free(clientssl);
1801 SSL_CTX_free(sctx);
1802 SSL_CTX_free(cctx);
1803
1804 return testresult;
1805}
c423ecaa 1806#endif
f1b25aae 1807
fff202e5
MC		 1808#ifndef OPENSSL_NO_TLS1_3
1809
57dee9bb
MC		 1810static SSL_SESSION *clientpsk = NULL;
1811static SSL_SESSION *serverpsk = NULL;
02a3ed5a
MC		 1812static const char *pskid = "Identity";
1813static const char *srvid;
1814
1815static int use_session_cb_cnt = 0;
1816static int find_session_cb_cnt = 0;
532f9578
MC		 1817static int psk_client_cb_cnt = 0;
1818static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 1819
1820static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
1821 size_t *idlen, SSL_SESSION **sess)
1822{
1823 switch (++use_session_cb_cnt) {
1824 case 1:
1825 /* The first call should always have a NULL md */
1826 if (md != NULL)
1827 return 0;
1828 break;
1829
1830 case 2:
1831 /* The second call should always have an md */
1832 if (md == NULL)
1833 return 0;
1834 break;
1835
1836 default:
1837 /* We should only be called a maximum of twice */
1838 return 0;
1839 }
1840
57dee9bb
MC		 1841 if (clientpsk != NULL)
1842 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 1843
57dee9bb 1844 *sess = clientpsk;
02a3ed5a
MC		 1845 *id = (const unsigned char *)pskid;
1846 *idlen = strlen(pskid);
1847
1848 return 1;
1849}
1850
c2b290c3 1851#ifndef OPENSSL_NO_PSK
532f9578
MC		 1852static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
1853 unsigned int max_id_len,
1854 unsigned char *psk,
1855 unsigned int max_psk_len)
1856{
1857 unsigned int psklen = 0;
1858
1859 psk_client_cb_cnt++;
1860
1861 if (strlen(pskid) + 1 > max_id_len)
1862 return 0;
1863
1864 /* We should only ever be called a maximum of twice per connection */
1865 if (psk_client_cb_cnt > 2)
1866 return 0;
1867
1868 if (clientpsk == NULL)
1869 return 0;
1870
1871 /* We'll reuse the PSK we set up for TLSv1.3 */
1872 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
1873 return 0;
1874 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
1875 strncpy(id, pskid, max_id_len);
1876
1877 return psklen;
1878}
c2b290c3 1879#endif /* OPENSSL_NO_PSK */
532f9578 1880
02a3ed5a
MC		 1881static int find_session_cb(SSL *ssl, const unsigned char *identity,
1882 size_t identity_len, SSL_SESSION **sess)
1883{
1884 find_session_cb_cnt++;
1885
1886 /* We should only ever be called a maximum of twice per connection */
1887 if (find_session_cb_cnt > 2)
1888 return 0;
1889
57dee9bb 1890 if (serverpsk == NULL)
02a3ed5a
MC		 1891 return 0;
1892
1893 /* Identity should match that set by the client */
1894 if (strlen(srvid) != identity_len
1895 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
1896 /* No PSK found, continue but without a PSK */
1897 *sess = NULL;
1898 return 1;
1899 }
1900
57dee9bb
MC		 1901 SSL_SESSION_up_ref(serverpsk);
1902 *sess = serverpsk;
02a3ed5a
MC		 1903
1904 return 1;
1905}
1906
c2b290c3 1907#ifndef OPENSSL_NO_PSK
532f9578
MC		 1908static unsigned int psk_server_cb(SSL *ssl, const char *identity,
1909 unsigned char *psk, unsigned int max_psk_len)
1910{
1911 unsigned int psklen = 0;
1912
1913 psk_server_cb_cnt++;
1914
1915 /* We should only ever be called a maximum of twice per connection */
1916 if (find_session_cb_cnt > 2)
1917 return 0;
1918
1919 if (serverpsk == NULL)
1920 return 0;
1921
1922 /* Identity should match that set by the client */
1923 if (strcmp(srvid, identity) != 0) {
1924 return 0;
1925 }
1926
1927 /* We'll reuse the PSK we set up for TLSv1.3 */
1928 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
1929 return 0;
1930 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
1931
1932 return psklen;
1933}
c2b290c3 1934#endif /* OPENSSL_NO_PSK */
532f9578 1935
5f982038
MC		 1936#define MSG1 "Hello"
1937#define MSG2 "World."
1938#define MSG3 "This"
1939#define MSG4 "is"
1940#define MSG5 "a"
90049cea
MC		 1941#define MSG6 "test"
1942#define MSG7 "message."
5f982038 1943
02a3ed5a 1944#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
532f9578 1945#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
02a3ed5a 1946
5f982038
MC		 1947/*
1948 * Helper method to setup objects for early data test. Caller frees objects on
1949 * error.
1950 */
1951static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3cb47b4e 1952 SSL **serverssl, SSL_SESSION **sess, int idx)
5f982038 1953{
5a421415
MC		 1954 if (*sctx == NULL
1955 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1956 TLS_client_method(),
1957 TLS1_VERSION, TLS_MAX_VERSION,
1958 sctx, cctx, cert, privkey)))
1959 return 0;
1960
1961 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 1962 return 0;
5f982038 1963
02a3ed5a
MC		 1964 if (idx == 1) {
1965 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 1966 SSL_CTX_set_read_ahead(*cctx, 1);
1967 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 1968 } else if (idx == 2) {
1969 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
1970 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
1971 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
1972 use_session_cb_cnt = 0;
1973 find_session_cb_cnt = 0;
1974 srvid = pskid;
3cb47b4e
MC		 1975 }
1976
710756a9 1977 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 1978 NULL, NULL)))
1979 return 0;
1980
141e4709
MC		 1981 /*
1982 * For one of the run throughs (doesn't matter which one), we'll try sending
1983 * some SNI data in the initial ClientHello. This will be ignored (because
1984 * there is no SNI cb set up by the server), so it should not impact
1985 * early_data.
1986 */
1987 if (idx == 1
1988 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
1989 return 0;
1990
02a3ed5a
MC		 1991 if (idx == 2) {
1992 /* Create the PSK */
1993 const SSL_CIPHER *cipher = NULL;
1994 const unsigned char key[] = {
1995 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
1996 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
1997 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
1998 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
1999 0x2c, 0x2d, 0x2e, 0x2f
2000 };
2001
2002 cipher = SSL_CIPHER_find(*clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
57dee9bb
MC		 2003 clientpsk = SSL_SESSION_new();
2004 if (!TEST_ptr(clientpsk)
02a3ed5a 2005 || !TEST_ptr(cipher)
57dee9bb 2006 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
02a3ed5a 2007 sizeof(key)))
57dee9bb 2008 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
02a3ed5a 2009 || !TEST_true(
57dee9bb 2010 SSL_SESSION_set_protocol_version(clientpsk,
02a3ed5a
MC		 2011 TLS1_3_VERSION))
2012 /*
2013 * We just choose an arbitrary value for max_early_data which
2014 * should be big enough for testing purposes.
2015 */
57dee9bb
MC		 2016 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2017 0x100))
2018 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2019 SSL_SESSION_free(clientpsk);
2020 clientpsk = NULL;
02a3ed5a
MC		 2021 return 0;
2022 }
57dee9bb 2023 serverpsk = clientpsk;
02a3ed5a 2024
c20e3b28
MC		 2025 if (sess != NULL) {
2026 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2027 SSL_SESSION_free(clientpsk);
2028 SSL_SESSION_free(serverpsk);
2029 clientpsk = serverpsk = NULL;
2030 return 0;
2031 }
57dee9bb 2032 *sess = clientpsk;
c20e3b28 2033 }
02a3ed5a
MC		 2034 return 1;
2035 }
2036
2037 if (sess == NULL)
2038 return 1;
2039
2040 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2041 SSL_ERROR_NONE)))
5f982038 2042 return 0;
5f982038
MC		 2043
2044 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 2045 SSL_shutdown(*clientssl);
2046 SSL_shutdown(*serverssl);
5f982038
MC		 2047 SSL_free(*serverssl);
2048 SSL_free(*clientssl);
2049 *serverssl = *clientssl = NULL;
2050
710756a9
RS		 2051 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2052 clientssl, NULL, NULL))
2053 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 2054 return 0;
5f982038
MC		 2055
2056 return 1;
2057}
2058
3cb47b4e 2059static int test_early_data_read_write(int idx)
5f982038
MC		 2060{
2061 SSL_CTX *cctx = NULL, *sctx = NULL;
2062 SSL *clientssl = NULL, *serverssl = NULL;
2063 int testresult = 0;
2064 SSL_SESSION *sess = NULL;
9b5c865d
MC		 2065 unsigned char buf[20], data[1024];
2066 size_t readbytes, written, eoedlen, rawread, rawwritten;
2067 BIO *rbio;
5f982038 2068
710756a9
RS		 2069 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2070 &serverssl, &sess, idx)))
5f982038
MC		 2071 goto end;
2072
2073 /* Write and read some early data */
710756a9
RS		 2074 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2075 &written))
2076 || !TEST_size_t_eq(written, strlen(MSG1))
2077 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2078 sizeof(buf), &readbytes),
2079 SSL_READ_EARLY_DATA_SUCCESS)
2080 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2081 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2082 SSL_EARLY_DATA_ACCEPTED))
5f982038 2083 goto end;
5f982038
MC		 2084
2085 /*
09f28874 2086 * Server should be able to write data, and client should be able to
5f982038
MC		 2087 * read it.
2088 */
710756a9
RS		 2089 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2090 &written))
2091 || !TEST_size_t_eq(written, strlen(MSG2))
2092 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2093 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2094 goto end;
5f982038
MC		 2095
2096 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 2097 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2098 &written))
2099 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 2100 goto end;
5f982038 2101
09f28874 2102 /* Server should still be able read early data after writing data */
710756a9
RS		 2103 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2104 &readbytes),
2105 SSL_READ_EARLY_DATA_SUCCESS)
2106 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 2107 goto end;
5f982038 2108
09f28874 2109 /* Write more data from server and read it from client */
710756a9
RS		 2110 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2111 &written))
2112 || !TEST_size_t_eq(written, strlen(MSG4))
2113 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2114 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 2115 goto end;
5f982038
MC		 2116
2117 /*
2118 * If client writes normal data it should mean writing early data is no
2119 * longer possible.
2120 */
710756a9
RS		 2121 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2122 || !TEST_size_t_eq(written, strlen(MSG5))
2123 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2124 SSL_EARLY_DATA_ACCEPTED))
5f982038 2125 goto end;
5f982038 2126
9b5c865d
MC		 2127 /*
2128 * At this point the client has written EndOfEarlyData, ClientFinished and
2129 * normal (fully protected) data. We are going to cause a delay between the
2130 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2131 * in the read BIO, and then just put back the EndOfEarlyData message.
2132 */
2133 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 2134 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2135 || !TEST_size_t_lt(rawread, sizeof(data))
2136 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 2137 goto end;
710756a9 2138
9b5c865d
MC		 2139 /* Record length is in the 4th and 5th bytes of the record header */
2140 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 2141 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2142 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 2143 goto end;
9b5c865d 2144
5f982038 2145 /* Server should be told that there is no more early data */
710756a9
RS		 2146 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2147 &readbytes),
2148 SSL_READ_EARLY_DATA_FINISH)
2149 || !TEST_size_t_eq(readbytes, 0))
5f982038 2150 goto end;
5f982038 2151
9b5c865d
MC		 2152 /*
2153 * Server has not finished init yet, so should still be able to write early
2154 * data.
2155 */
710756a9
RS		 2156 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2157 &written))
2158 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 2159 goto end;
9b5c865d 2160
f8a303fa 2161 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 2162 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2163 &rawwritten))
2164 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 2165 goto end;
f8a303fa 2166
5f982038 2167 /* Server should be able to read normal data */
710756a9
RS		 2168 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2169 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 2170 goto end;
5f982038 2171
09f28874 2172 /* Client and server should not be able to write/read early data now */
710756a9
RS		 2173 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2174 &written)))
5f982038 2175 goto end;
5f982038 2176 ERR_clear_error();
710756a9
RS		 2177 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2178 &readbytes),
2179 SSL_READ_EARLY_DATA_ERROR))
5f982038 2180 goto end;
5f982038
MC		 2181 ERR_clear_error();
2182
9b5c865d 2183 /* Client should be able to read the data sent by the server */
710756a9
RS		 2184 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2185 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 2186 goto end;
710756a9 2187
f8a303fa 2188 /*
36ff232c
MC		 2189 * Make sure we process the two NewSessionTickets. These arrive
2190 * post-handshake. We attempt reads which we do not expect to return any
2191 * data.
f8a303fa 2192 */
36ff232c
MC		 2193 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2194 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2195 &readbytes)))
f8a303fa 2196 goto end;
5f982038 2197
90049cea 2198 /* Server should be able to write normal data */
710756a9
RS		 2199 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2200 || !TEST_size_t_eq(written, strlen(MSG7))
2201 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2202 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 2203 goto end;
90049cea 2204
c20e3b28 2205 SSL_SESSION_free(sess);
5f982038 2206 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 2207 use_session_cb_cnt = 0;
2208 find_session_cb_cnt = 0;
5f982038
MC		 2209
2210 SSL_shutdown(clientssl);
2211 SSL_shutdown(serverssl);
5f982038
MC		 2212 SSL_free(serverssl);
2213 SSL_free(clientssl);
2214 serverssl = clientssl = NULL;
710756a9
RS		 2215 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2216 &clientssl, NULL, NULL))
2217 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 2218 goto end;
5f982038
MC		 2219
2220 /* Write and read some early data */
710756a9
RS		 2221 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2222 &written))
2223 || !TEST_size_t_eq(written, strlen(MSG1))
2224 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2225 &readbytes),
2226 SSL_READ_EARLY_DATA_SUCCESS)
2227 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 2228 goto end;
5f982038 2229
710756a9
RS		 2230 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2231 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 2232 goto end;
5f982038 2233
09f28874 2234 /* Client and server should not be able to write/read early data now */
710756a9
RS		 2235 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2236 &written)))
5f982038 2237 goto end;
5f982038 2238 ERR_clear_error();
710756a9
RS		 2239 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2240 &readbytes),
2241 SSL_READ_EARLY_DATA_ERROR))
5f982038 2242 goto end;
5f982038
MC		 2243 ERR_clear_error();
2244
2245 /* Client and server should be able to write/read normal data */
710756a9
RS		 2246 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2247 || !TEST_size_t_eq(written, strlen(MSG5))
2248 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2249 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 2250 goto end;
5f982038
MC		 2251
2252 testresult = 1;
2253
2254 end:
c20e3b28 2255 SSL_SESSION_free(sess);
57dee9bb
MC		 2256 SSL_SESSION_free(clientpsk);
2257 SSL_SESSION_free(serverpsk);
2258 clientpsk = serverpsk = NULL;
5f982038
MC		 2259 SSL_free(serverssl);
2260 SSL_free(clientssl);
2261 SSL_CTX_free(sctx);
2262 SSL_CTX_free(cctx);
5f982038
MC		 2263 return testresult;
2264}
2265
5a421415
MC		 2266static int allow_ed_cb_called = 0;
2267
2268static int allow_early_data_cb(SSL *s, void *arg)
2269{
2270 int *usecb = (int *)arg;
2271
2272 allow_ed_cb_called++;
2273
2274 if (*usecb == 1)
2275 return 0;
2276
2277 return 1;
2278}
2279
2280/*
2281 * idx == 0: Standard early_data setup
2282 * idx == 1: early_data setup using read_ahead
2283 * usecb == 0: Don't use a custom early data callback
2284 * usecb == 1: Use a custom early data callback and reject the early data
2285 * usecb == 2: Use a custom early data callback and accept the early data
3bb5e5b0
MC		 2286 * confopt == 0: Configure anti-replay directly
2287 * confopt == 1: Configure anti-replay using SSL_CONF
5a421415 2288 */
3bb5e5b0 2289static int test_early_data_replay_int(int idx, int usecb, int confopt)
78fb5374
MC		 2290{
2291 SSL_CTX *cctx = NULL, *sctx = NULL;
2292 SSL *clientssl = NULL, *serverssl = NULL;
2293 int testresult = 0;
2294 SSL_SESSION *sess = NULL;
5a421415
MC		 2295 size_t readbytes, written;
2296 unsigned char buf[20];
2297
2298 allow_ed_cb_called = 0;
2299
2300 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2301 TLS1_VERSION, TLS_MAX_VERSION, &sctx,
2302 &cctx, cert, privkey)))
2303 return 0;
2304
2305 if (usecb > 0) {
3bb5e5b0
MC		 2306 if (confopt == 0) {
2307 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2308 } else {
2309 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
2310
2311 if (!TEST_ptr(confctx))
2312 goto end;
2313 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
2314 | SSL_CONF_FLAG_SERVER);
2315 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
2316 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
2317 2)) {
2318 SSL_CONF_CTX_free(confctx);
2319 goto end;
2320 }
2321 SSL_CONF_CTX_free(confctx);
2322 }
5a421415
MC		 2323 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2324 }
78fb5374
MC		 2325
2326 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2327 &serverssl, &sess, idx)))
2328 goto end;
2329
2330 /*
2331 * The server is configured to accept early data. Create a connection to
2332 * "use up" the ticket
2333 */
2334 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2335 || !TEST_true(SSL_session_reused(clientssl)))
2336 goto end;
2337
2338 SSL_shutdown(clientssl);
2339 SSL_shutdown(serverssl);
2340 SSL_free(serverssl);
2341 SSL_free(clientssl);
2342 serverssl = clientssl = NULL;
2343
2344 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2345 &clientssl, NULL, NULL))
5a421415
MC		 2346 || !TEST_true(SSL_set_session(clientssl, sess)))
2347 goto end;
2348
2349 /* Write and read some early data */
2350 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2351 &written))
2352 || !TEST_size_t_eq(written, strlen(MSG1)))
2353 goto end;
2354
2355 if (usecb <= 1) {
2356 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2357 &readbytes),
2358 SSL_READ_EARLY_DATA_FINISH)
2359 /*
2360 * The ticket was reused, so the we should have rejected the
2361 * early data
2362 */
2363 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2364 SSL_EARLY_DATA_REJECTED))
2365 goto end;
2366 } else {
2367 /* In this case the callback decides to accept the early data */
2368 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2369 &readbytes),
2370 SSL_READ_EARLY_DATA_SUCCESS)
2371 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
2372 /*
2373 * Server will have sent its flight so client can now send
2374 * end of early data and complete its half of the handshake
2375 */
2376 || !TEST_int_gt(SSL_connect(clientssl), 0)
2377 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2378 &readbytes),
2379 SSL_READ_EARLY_DATA_FINISH)
2380 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2381 SSL_EARLY_DATA_ACCEPTED))
2382 goto end;
2383 }
2384
2385 /* Complete the connection */
2386 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2387 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
2388 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
78fb5374
MC		 2389 goto end;
2390
2391 testresult = 1;
2392
2393 end:
c20e3b28 2394 SSL_SESSION_free(sess);
78fb5374
MC		 2395 SSL_SESSION_free(clientpsk);
2396 SSL_SESSION_free(serverpsk);
2397 clientpsk = serverpsk = NULL;
2398 SSL_free(serverssl);
2399 SSL_free(clientssl);
2400 SSL_CTX_free(sctx);
2401 SSL_CTX_free(cctx);
2402 return testresult;
2403}
2404
5a421415
MC		 2405static int test_early_data_replay(int idx)
2406{
3bb5e5b0 2407 int ret = 1, usecb, confopt;
5a421415 2408
3bb5e5b0
MC		 2409 for (usecb = 0; usecb < 3; usecb++) {
2410 for (confopt = 0; confopt < 2; confopt++)
2411 ret &= test_early_data_replay_int(idx, usecb, confopt);
2412 }
5a421415
MC		 2413
2414 return ret;
2415}
2416
710756a9 2417/*
6b84e6bf
MC		 2418 * Helper function to test that a server attempting to read early data can
2419 * handle a connection from a client where the early data should be skipped.
0d1b7789
MC		 2420 * testtype: 0 == No HRR
2421 * testtype: 1 == HRR
0efa0ba4
MC		 2422 * testtype: 2 == HRR, invalid early_data sent after HRR
2423 * testtype: 3 == recv_max_early_data set to 0
710756a9 2424 */
0d1b7789 2425static int early_data_skip_helper(int testtype, int idx)
5f982038
MC		 2426{
2427 SSL_CTX *cctx = NULL, *sctx = NULL;
2428 SSL *clientssl = NULL, *serverssl = NULL;
2429 int testresult = 0;
018fcbec 2430 SSL_SESSION *sess = NULL;
5f982038
MC		 2431 unsigned char buf[20];
2432 size_t readbytes, written;
2433
710756a9
RS		 2434 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2435 &serverssl, &sess, idx)))
5f982038
MC		 2436 goto end;
2437
0efa0ba4 2438 if (testtype == 1 || testtype == 2) {
6b84e6bf
MC		 2439 /* Force an HRR to occur */
2440 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2441 goto end;
02a3ed5a
MC		 2442 } else if (idx == 2) {
2443 /*
2444 * We force early_data rejection by ensuring the PSK identity is
2445 * unrecognised
2446 */
2447 srvid = "Dummy Identity";
6b84e6bf
MC		 2448 } else {
2449 /*
2450 * Deliberately corrupt the creation time. We take 20 seconds off the
2451 * time. It could be any value as long as it is not within tolerance.
2452 * This should mean the ticket is rejected.
2453 */
5d99881e 2454 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 2455 goto end;
2456 }
5f982038 2457
0efa0ba4 2458 if (testtype == 3
0d1b7789
MC		 2459 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
2460 goto end;
2461
5f982038 2462 /* Write some early data */
710756a9
RS		 2463 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2464 &written))
2465 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 2466 goto end;
5f982038 2467
0d1b7789 2468 /* Server should reject the early data */
710756a9
RS		 2469 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2470 &readbytes),
2471 SSL_READ_EARLY_DATA_FINISH)
2472 || !TEST_size_t_eq(readbytes, 0)
2473 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2474 SSL_EARLY_DATA_REJECTED))
5f982038 2475 goto end;
5f982038 2476
0efa0ba4
MC		 2477 switch (testtype) {
2478 case 0:
2479 /* Nothing to do */
2480 break;
2481
2482 case 1:
6b84e6bf
MC		 2483 /*
2484 * Finish off the handshake. We perform the same writes and reads as
2485 * further down but we expect them to fail due to the incomplete
2486 * handshake.
2487 */
2488 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2489 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
2490 &readbytes)))
2491 goto end;
0efa0ba4
MC		 2492 break;
2493
2494 case 2:
2495 {
2496 BIO *wbio = SSL_get_wbio(clientssl);
2497 /* A record that will appear as bad early_data */
2498 const unsigned char bad_early_data[] = {
2499 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
2500 };
2501
2502 /*
2503 * We force the client to attempt a write. This will fail because
2504 * we're still in the handshake. It will cause the second
2505 * ClientHello to be sent.
2506 */
2507 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
2508 &written)))
2509 goto end;
2510
2511 /*
2512 * Inject some early_data after the second ClientHello. This should
2513 * cause the server to fail
2514 */
2515 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
2516 sizeof(bad_early_data), &written)))
2517 goto end;
2518 }
2519 /* fallthrough */
2520
2521 case 3:
0d1b7789 2522 /*
0efa0ba4
MC		 2523 * This client has sent more early_data than we are willing to skip
2524 * (case 3) or sent invalid early_data (case 2) so the connection should
2525 * abort.
0d1b7789
MC		 2526 */
2527 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2528 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
2529 goto end;
2530
2531 /* Connection has failed - nothing more to do */
2532 testresult = 1;
2533 goto end;
0efa0ba4
MC		 2534
2535 default:
2536 TEST_error("Invalid test type");
2537 goto end;
6b84e6bf
MC		 2538 }
2539
0d1b7789
MC		 2540 /*
2541 * Should be able to send normal data despite rejection of early data. The
2542 * early_data should be skipped.
2543 */
710756a9
RS		 2544 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2545 || !TEST_size_t_eq(written, strlen(MSG2))
2546 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2547 SSL_EARLY_DATA_REJECTED)
2548 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2549 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2550 goto end;
5f982038
MC		 2551
2552 testresult = 1;
2553
2554 end:
c20e3b28 2555 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 2556 SSL_SESSION_free(serverpsk);
2557 clientpsk = serverpsk = NULL;
5f982038
MC		 2558 SSL_SESSION_free(sess);
2559 SSL_free(serverssl);
2560 SSL_free(clientssl);
2561 SSL_CTX_free(sctx);
2562 SSL_CTX_free(cctx);
5f982038
MC		 2563 return testresult;
2564}
2565
6b84e6bf
MC		 2566/*
2567 * Test that a server attempting to read early data can handle a connection
2568 * from a client where the early data is not acceptable.
2569 */
2570static int test_early_data_skip(int idx)
2571{
2572 return early_data_skip_helper(0, idx);
2573}
2574
2575/*
2576 * Test that a server attempting to read early data can handle a connection
2577 * from a client where an HRR occurs.
2578 */
2579static int test_early_data_skip_hrr(int idx)
2580{
2581 return early_data_skip_helper(1, idx);
2582}
2583
0efa0ba4
MC		 2584/*
2585 * Test that a server attempting to read early data can handle a connection
2586 * from a client where an HRR occurs and correctly fails if early_data is sent
2587 * after the HRR
2588 */
2589static int test_early_data_skip_hrr_fail(int idx)
2590{
2591 return early_data_skip_helper(2, idx);
2592}
2593
0d1b7789
MC		 2594/*
2595 * Test that a server attempting to read early data will abort if it tries to
2596 * skip over too much.
2597 */
2598static int test_early_data_skip_abort(int idx)
2599{
0efa0ba4 2600 return early_data_skip_helper(3, idx);
0d1b7789
MC		 2601}
2602
710756a9
RS		 2603/*
2604 * Test that a server attempting to read early data can handle a connection
2605 * from a client that doesn't send any.
2606 */
3cb47b4e 2607static int test_early_data_not_sent(int idx)
5f982038
MC		 2608{
2609 SSL_CTX *cctx = NULL, *sctx = NULL;
2610 SSL *clientssl = NULL, *serverssl = NULL;
2611 int testresult = 0;
018fcbec 2612 SSL_SESSION *sess = NULL;
5f982038
MC		 2613 unsigned char buf[20];
2614 size_t readbytes, written;
2615
710756a9
RS		 2616 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2617 &serverssl, &sess, idx)))
5f982038
MC		 2618 goto end;
2619
2620 /* Write some data - should block due to handshake with server */
2621 SSL_set_connect_state(clientssl);
710756a9 2622 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 2623 goto end;
5f982038
MC		 2624
2625 /* Server should detect that early data has not been sent */
710756a9
RS		 2626 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2627 &readbytes),
2628 SSL_READ_EARLY_DATA_FINISH)
2629 || !TEST_size_t_eq(readbytes, 0)
2630 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2631 SSL_EARLY_DATA_NOT_SENT)
2632 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2633 SSL_EARLY_DATA_NOT_SENT))
5f982038 2634 goto end;
5f982038
MC		 2635
2636 /* Continue writing the message we started earlier */
710756a9
RS		 2637 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2638 || !TEST_size_t_eq(written, strlen(MSG1))
2639 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2640 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2641 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
2642 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 2643 goto end;
5f982038 2644
710756a9
RS		 2645 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2646 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2647 goto end;
5f982038
MC		 2648
2649 testresult = 1;
2650
2651 end:
5f982038 2652 SSL_SESSION_free(sess);
c20e3b28 2653 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 2654 SSL_SESSION_free(serverpsk);
2655 clientpsk = serverpsk = NULL;
5f982038
MC		 2656 SSL_free(serverssl);
2657 SSL_free(clientssl);
2658 SSL_CTX_free(sctx);
2659 SSL_CTX_free(cctx);
5f982038
MC		 2660 return testresult;
2661}
2662
976e5323
MC		 2663static int hostname_cb(SSL *s, int *al, void *arg)
2664{
2665 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2666
281bf233 2667 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
976e5323
MC		 2668 return SSL_TLSEXT_ERR_OK;
2669
2670 return SSL_TLSEXT_ERR_NOACK;
2671}
2672
2673static const char *servalpn;
2674
c7558d5b
PY		 2675static int alpn_select_cb(SSL *ssl, const unsigned char **out,
2676 unsigned char *outlen, const unsigned char *in,
2677 unsigned int inlen, void *arg)
976e5323 2678{
c7558d5b 2679 unsigned int protlen = 0;
976e5323
MC		 2680 const unsigned char *prot;
2681
c7558d5b
PY		 2682 for (prot = in; prot < in + inlen; prot += protlen) {
2683 protlen = *prot++;
5d99881e 2684 if (in + inlen < prot + protlen)
976e5323
MC		 2685 return SSL_TLSEXT_ERR_NOACK;
2686
2687 if (protlen == strlen(servalpn)
0bd42fde 2688 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 2689 *out = prot;
2690 *outlen = protlen;
2691 return SSL_TLSEXT_ERR_OK;
2692 }
2693 }
2694
2695 return SSL_TLSEXT_ERR_NOACK;
2696}
2697
57dee9bb 2698/* Test that a PSK can be used to send early_data */
976e5323
MC		 2699static int test_early_data_psk(int idx)
2700{
2701 SSL_CTX *cctx = NULL, *sctx = NULL;
2702 SSL *clientssl = NULL, *serverssl = NULL;
2703 int testresult = 0;
2704 SSL_SESSION *sess = NULL;
57dee9bb
MC		 2705 unsigned char alpnlist[] = {
2706 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2707 'l', 'p', 'n'
2708 };
2709#define GOODALPNLEN 9
2710#define BADALPNLEN 8
2711#define GOODALPN (alpnlist)
2712#define BADALPN (alpnlist + GOODALPNLEN)
2713 int err = 0;
976e5323
MC		 2714 unsigned char buf[20];
2715 size_t readbytes, written;
57dee9bb 2716 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 2717 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2718
2719 /* We always set this up with a final parameter of "2" for PSK */
2720 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2721 &serverssl, &sess, 2)))
2722 goto end;
2723
976e5323
MC		 2724 servalpn = "goodalpn";
2725
57dee9bb
MC		 2726 /*
2727 * Note: There is no test for inconsistent SNI with late client detection.
2728 * This is because servers do not acknowledge SNI even if they are using
2729 * it in a resumption handshake - so it is not actually possible for a
2730 * client to detect a problem.
2731 */
976e5323
MC		 2732 switch (idx) {
2733 case 0:
57dee9bb 2734 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 2735 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2736 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2737 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2738 goto end;
2739 break;
2740
2741 case 1:
57dee9bb 2742 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 2743 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
2744 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 2745 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
2746 GOODALPNLEN))
2747 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
2748 BADALPNLEN)))
976e5323
MC		 2749 goto end;
2750 break;
2751
2752 case 2:
2753 /*
2754 * Set invalid protocol version. Technically this affects PSKs without
2755 * early_data too, but we test it here because it is similar to the
2756 * SNI/ALPN consistency tests.
2757 */
2758 err = SSL_R_BAD_PSK;
2759 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
2760 goto end;
2761 break;
2762
2763 case 3:
2764 /*
2765 * Set inconsistent SNI (server detected). In this case the connection
2766 * will succeed but reject early_data.
2767 */
281bf233
MC		 2768 SSL_SESSION_free(serverpsk);
2769 serverpsk = SSL_SESSION_dup(clientpsk);
2770 if (!TEST_ptr(serverpsk)
2771 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
2772 goto end;
976e5323
MC		 2773 edstatus = SSL_EARLY_DATA_REJECTED;
2774 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2775 /* Fall through */
2776 case 4:
2777 /* Set consistent SNI */
976e5323
MC		 2778 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2779 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
2780 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
2781 hostname_cb)))
2782 goto end;
2783 break;
2784
2785 case 5:
2786 /*
2787 * Set inconsistent ALPN (server detected). In this case the connection
2788 * will succeed but reject early_data.
2789 */
2790 servalpn = "badalpn";
2791 edstatus = SSL_EARLY_DATA_REJECTED;
2792 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2793 /* Fall through */
2794 case 6:
976e5323 2795 /*
57dee9bb 2796 * Set consistent ALPN.
976e5323
MC		 2797 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2798 * accepts a list of protos (each one length prefixed).
2799 * SSL_set1_alpn_selected accepts a single protocol (not length
2800 * prefixed)
2801 */
57dee9bb
MC		 2802 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
2803 GOODALPNLEN - 1))
2804 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
2805 GOODALPNLEN)))
976e5323
MC		 2806 goto end;
2807
2808 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2809 break;
2810
57dee9bb
MC		 2811 case 7:
2812 /* Set inconsistent ALPN (late client detection) */
2813 SSL_SESSION_free(serverpsk);
2814 serverpsk = SSL_SESSION_dup(clientpsk);
2815 if (!TEST_ptr(serverpsk)
2816 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
2817 BADALPN + 1,
2818 BADALPNLEN - 1))
2819 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
2820 GOODALPN + 1,
2821 GOODALPNLEN - 1))
2822 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
2823 sizeof(alpnlist))))
2824 goto end;
2825 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2826 edstatus = SSL_EARLY_DATA_ACCEPTED;
2827 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
2828 /* SSL_connect() call should fail */
2829 connectres = -1;
2830 break;
2831
976e5323
MC		 2832 default:
2833 TEST_error("Bad test index");
2834 goto end;
2835 }
2836
2837 SSL_set_connect_state(clientssl);
2838 if (err != 0) {
2839 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2840 &written))
2841 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
2842 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
2843 goto end;
2844 } else {
2845 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 2846 &written)))
2847 goto end;
2848
2849 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2850 &readbytes), readearlyres)
976e5323
MC		 2851 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
2852 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 2853 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
2854 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 2855 goto end;
2856 }
2857
2858 testresult = 1;
2859
2860 end:
c20e3b28 2861 SSL_SESSION_free(sess);
57dee9bb
MC		 2862 SSL_SESSION_free(clientpsk);
2863 SSL_SESSION_free(serverpsk);
2864 clientpsk = serverpsk = NULL;
976e5323
MC		 2865 SSL_free(serverssl);
2866 SSL_free(clientssl);
2867 SSL_CTX_free(sctx);
2868 SSL_CTX_free(cctx);
2869 return testresult;
2870}
2871
710756a9
RS		 2872/*
2873 * Test that a server that doesn't try to read early data can handle a
2874 * client sending some.
2875 */
3cb47b4e 2876static int test_early_data_not_expected(int idx)
5f982038
MC		 2877{
2878 SSL_CTX *cctx = NULL, *sctx = NULL;
2879 SSL *clientssl = NULL, *serverssl = NULL;
2880 int testresult = 0;
018fcbec 2881 SSL_SESSION *sess = NULL;
5f982038
MC		 2882 unsigned char buf[20];
2883 size_t readbytes, written;
2884
710756a9
RS		 2885 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2886 &serverssl, &sess, idx)))
5f982038
MC		 2887 goto end;
2888
2889 /* Write some early data */
710756a9
RS		 2890 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2891 &written)))
5f982038 2892 goto end;
5f982038
MC		 2893
2894 /*
2895 * Server should skip over early data and then block waiting for client to
2896 * continue handshake
2897 */
710756a9
RS		 2898 if (!TEST_int_le(SSL_accept(serverssl), 0)
2899 || !TEST_int_gt(SSL_connect(clientssl), 0)
2900 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2901 SSL_EARLY_DATA_REJECTED)
2902 || !TEST_int_gt(SSL_accept(serverssl), 0)
2903 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2904 SSL_EARLY_DATA_REJECTED))
5f982038 2905 goto end;
5f982038
MC		 2906
2907 /* Send some normal data from client to server */
710756a9
RS		 2908 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2909 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 2910 goto end;
5f982038 2911
710756a9
RS		 2912 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2913 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2914 goto end;
5f982038
MC		 2915
2916 testresult = 1;
2917
2918 end:
5f982038 2919 SSL_SESSION_free(sess);
c20e3b28 2920 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 2921 SSL_SESSION_free(serverpsk);
2922 clientpsk = serverpsk = NULL;
5f982038
MC		 2923 SSL_free(serverssl);
2924 SSL_free(clientssl);
2925 SSL_CTX_free(sctx);
2926 SSL_CTX_free(cctx);
5f982038
MC		 2927 return testresult;
2928}
2929
2930
2931# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 2932/*
2933 * Test that a server attempting to read early data can handle a connection
2934 * from a TLSv1.2 client.
2935 */
3cb47b4e 2936static int test_early_data_tls1_2(int idx)
5f982038
MC		 2937{
2938 SSL_CTX *cctx = NULL, *sctx = NULL;
2939 SSL *clientssl = NULL, *serverssl = NULL;
2940 int testresult = 0;
2941 unsigned char buf[20];
2942 size_t readbytes, written;
2943
02a3ed5a
MC		 2944 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2945 &serverssl, NULL, idx)))
5f982038 2946 goto end;
5f982038
MC		 2947
2948 /* Write some data - should block due to handshake with server */
2949 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
2950 SSL_set_connect_state(clientssl);
710756a9 2951 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 2952 goto end;
5f982038
MC		 2953
2954 /*
2955 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 2956 * messages from client after ServerDone. Then SSL_read_early_data should
2957 * finish and detect that early data has not been sent
5f982038 2958 */
710756a9
RS		 2959 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2960 &readbytes),
2961 SSL_READ_EARLY_DATA_ERROR))
5f982038 2962 goto end;
5f982038
MC		 2963
2964 /*
2965 * Continue writing the message we started earlier. Will still block waiting
2966 * for the CCS/Finished from server
2967 */
710756a9
RS		 2968 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2969 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2970 &readbytes),
2971 SSL_READ_EARLY_DATA_FINISH)
2972 || !TEST_size_t_eq(readbytes, 0)
2973 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2974 SSL_EARLY_DATA_NOT_SENT))
5f982038 2975 goto end;
5f982038
MC		 2976
2977 /* Continue writing the message we started earlier */
710756a9
RS		 2978 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2979 || !TEST_size_t_eq(written, strlen(MSG1))
2980 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2981 SSL_EARLY_DATA_NOT_SENT)
2982 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2983 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2984 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
2985 || !TEST_size_t_eq(written, strlen(MSG2))
2986 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
2987 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2988 goto end;
5f982038
MC		 2989
2990 testresult = 1;
2991
2992 end:
57dee9bb
MC		 2993 SSL_SESSION_free(clientpsk);
2994 SSL_SESSION_free(serverpsk);
2995 clientpsk = serverpsk = NULL;
5f982038
MC		 2996 SSL_free(serverssl);
2997 SSL_free(clientssl);
2998 SSL_CTX_free(sctx);
2999 SSL_CTX_free(cctx);
3000
3001 return testresult;
3002}
ca0413ae
MC		 3003# endif /* OPENSSL_NO_TLS1_2 */
3004
034cb87b
MC		 3005/*
3006 * Test configuring the TLSv1.3 ciphersuites
3007 *
3008 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3009 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3010 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3011 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3012 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3013 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3014 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3015 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3016 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3017 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3018 */
3019static int test_set_ciphersuite(int idx)
3020{
3021 SSL_CTX *cctx = NULL, *sctx = NULL;
3022 SSL *clientssl = NULL, *serverssl = NULL;
3023 int testresult = 0;
3024
3025 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3026 TLS1_VERSION, TLS_MAX_VERSION,
3027 &sctx, &cctx, cert, privkey))
3028 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3029 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3030 goto end;
3031
3032 if (idx >=4 && idx <= 7) {
3033 /* SSL_CTX explicit cipher list */
3034 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3035 goto end;
3036 }
3037
3038 if (idx == 0 || idx == 4) {
3039 /* Default ciphersuite */
3040 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3041 "TLS_AES_128_GCM_SHA256")))
3042 goto end;
3043 } else if (idx == 1 || idx == 5) {
3044 /* Non default ciphersuite */
3045 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3046 "TLS_AES_128_CCM_SHA256")))
3047 goto end;
3048 }
3049
3050 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3051 &clientssl, NULL, NULL)))
3052 goto end;
3053
3054 if (idx == 8 || idx == 9) {
3055 /* SSL explicit cipher list */
3056 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3057 goto end;
3058 }
3059
3060 if (idx == 2 || idx == 6 || idx == 8) {
3061 /* Default ciphersuite */
3062 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3063 "TLS_AES_128_GCM_SHA256")))
3064 goto end;
3065 } else if (idx == 3 || idx == 7 || idx == 9) {
3066 /* Non default ciphersuite */
3067 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3068 "TLS_AES_128_CCM_SHA256")))
3069 goto end;
3070 }
3071
3072 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3073 goto end;
3074
3075 testresult = 1;
3076
3077 end:
3078 SSL_free(serverssl);
3079 SSL_free(clientssl);
3080 SSL_CTX_free(sctx);
3081 SSL_CTX_free(cctx);
3082
3083 return testresult;
3084}
3085
ca0413ae
MC		 3086static int test_ciphersuite_change(void)
3087{
3088 SSL_CTX *cctx = NULL, *sctx = NULL;
3089 SSL *clientssl = NULL, *serverssl = NULL;
3090 SSL_SESSION *clntsess = NULL;
3091 int testresult = 0;
3092 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
3093
3094 /* Create a session based on SHA-256 */
7d7f6834
RL		 3095 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3096 TLS1_VERSION, TLS_MAX_VERSION,
3097 &sctx, &cctx, cert, privkey))
f865b081
MC		 3098 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
3099 "TLS_AES_128_GCM_SHA256"))
ca0413ae
MC		 3100 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3101 &clientssl, NULL, NULL))
3102 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3103 SSL_ERROR_NONE)))
3104 goto end;
3105
3106 clntsess = SSL_get1_session(clientssl);
3107 /* Save for later */
3108 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
3109 SSL_shutdown(clientssl);
3110 SSL_shutdown(serverssl);
3111 SSL_free(serverssl);
3112 SSL_free(clientssl);
3113 serverssl = clientssl = NULL;
3114
71cff963 3115# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
ca0413ae 3116 /* Check we can resume a session with a different SHA-256 ciphersuite */
f865b081
MC		 3117 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3118 "TLS_CHACHA20_POLY1305_SHA256"))
ca0413ae
MC		 3119 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3120 NULL, NULL))
3121 || !TEST_true(SSL_set_session(clientssl, clntsess))
3122 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3123 SSL_ERROR_NONE))
3124 || !TEST_true(SSL_session_reused(clientssl)))
3125 goto end;
3126
3127 SSL_SESSION_free(clntsess);
3128 clntsess = SSL_get1_session(clientssl);
3129 SSL_shutdown(clientssl);
3130 SSL_shutdown(serverssl);
3131 SSL_free(serverssl);
3132 SSL_free(clientssl);
3133 serverssl = clientssl = NULL;
71cff963 3134# endif
ca0413ae
MC		 3135
3136 /*
3137 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 3138 * succeeds but does not resume.
ca0413ae 3139 */
f865b081 3140 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 3141 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3142 NULL, NULL))
3143 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 3144 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 3145 SSL_ERROR_SSL))
0de6d66d 3146 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 3147 goto end;
3148
3149 SSL_SESSION_free(clntsess);
3150 clntsess = NULL;
3151 SSL_shutdown(clientssl);
3152 SSL_shutdown(serverssl);
3153 SSL_free(serverssl);
3154 SSL_free(clientssl);
3155 serverssl = clientssl = NULL;
3156
3157 /* Create a session based on SHA384 */
f865b081 3158 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 3159 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3160 &clientssl, NULL, NULL))
3161 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3162 SSL_ERROR_NONE)))
3163 goto end;
3164
3165 clntsess = SSL_get1_session(clientssl);
3166 SSL_shutdown(clientssl);
3167 SSL_shutdown(serverssl);
3168 SSL_free(serverssl);
3169 SSL_free(clientssl);
3170 serverssl = clientssl = NULL;
3171
f865b081
MC		 3172 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3173 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3174 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3175 "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 3176 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3177 NULL, NULL))
3178 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 3179 /*
3180 * We use SSL_ERROR_WANT_READ below so that we can pause the
3181 * connection after the initial ClientHello has been sent to
3182 * enable us to make some session changes.
3183 */
ca0413ae
MC		 3184 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3185 SSL_ERROR_WANT_READ)))
3186 goto end;
3187
3188 /* Trick the client into thinking this session is for a different digest */
3189 clntsess->cipher = aes_128_gcm_sha256;
3190 clntsess->cipher_id = clntsess->cipher->id;
3191
3192 /*
3b0e88d3
MC		 3193 * Continue the previously started connection. Server has selected a SHA-384
3194 * ciphersuite, but client thinks the session is for SHA-256, so it should
3195 * bail out.
ca0413ae
MC		 3196 */
3197 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
3198 SSL_ERROR_SSL))
3199 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
3200 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
3201 goto end;
3202
3203 testresult = 1;
3204
3205 end:
3206 SSL_SESSION_free(clntsess);
3207 SSL_free(serverssl);
3208 SSL_free(clientssl);
3209 SSL_CTX_free(sctx);
3210 SSL_CTX_free(cctx);
3211
3212 return testresult;
3213}
3214
0d8da779
MC		 3215/*
3216 * Test TLSv1.3 PSKs
3217 * Test 0 = Test new style callbacks
3218 * Test 1 = Test both new and old style callbacks
3219 * Test 2 = Test old style callbacks
3220 * Test 3 = Test old style callbacks with no certificate
3221 */
532f9578 3222static int test_tls13_psk(int idx)
ca8c71ba
MC		 3223{
3224 SSL_CTX *sctx = NULL, *cctx = NULL;
3225 SSL *serverssl = NULL, *clientssl = NULL;
3226 const SSL_CIPHER *cipher = NULL;
3227 const unsigned char key[] = {
3228 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
3229 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 3230 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
3231 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 3232 };
3233 int testresult = 0;
3234
7d7f6834
RL		 3235 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3236 TLS1_VERSION, TLS_MAX_VERSION,
0d8da779
MC		 3237 &sctx, &cctx, idx == 3 ? NULL : cert,
3238 idx == 3 ? NULL : privkey)))
ca8c71ba
MC		 3239 goto end;
3240
0d8da779
MC		 3241 if (idx != 3) {
3242 /*
3243 * We use a ciphersuite with SHA256 to ease testing old style PSK
3244 * callbacks which will always default to SHA256. This should not be
3245 * necessary if we have no cert/priv key. In that case the server should
3246 * prefer SHA256 automatically.
3247 */
3248 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3249 "TLS_AES_128_GCM_SHA256")))
3250 goto end;
3251 }
532f9578
MC		 3252
3253 /*
3254 * Test 0: New style callbacks only
3255 * Test 1: New and old style callbacks (only the new ones should be used)
3256 * Test 2: Old style callbacks only
3257 */
3258 if (idx == 0 || idx == 1) {
3259 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
3260 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
3261 }
c2b290c3 3262#ifndef OPENSSL_NO_PSK
0d8da779 3263 if (idx >= 1) {
532f9578
MC		 3264 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
3265 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
3266 }
c2b290c3 3267#endif
ca8c71ba 3268 srvid = pskid;
02a3ed5a
MC		 3269 use_session_cb_cnt = 0;
3270 find_session_cb_cnt = 0;
532f9578
MC		 3271 psk_client_cb_cnt = 0;
3272 psk_server_cb_cnt = 0;
ca8c71ba 3273
0d8da779
MC		 3274 if (idx != 3) {
3275 /*
3276 * Check we can create a connection if callback decides not to send a
3277 * PSK
3278 */
3279 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3280 NULL, NULL))
3281 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3282 SSL_ERROR_NONE))
3283 || !TEST_false(SSL_session_reused(clientssl))
3284 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 3285 goto end;
532f9578 3286
0d8da779
MC		 3287 if (idx == 0 || idx == 1) {
3288 if (!TEST_true(use_session_cb_cnt == 1)
3289 || !TEST_true(find_session_cb_cnt == 0)
3290 /*
3291 * If no old style callback then below should be 0
3292 * otherwise 1
3293 */
3294 || !TEST_true(psk_client_cb_cnt == idx)
3295 || !TEST_true(psk_server_cb_cnt == 0))
3296 goto end;
3297 } else {
3298 if (!TEST_true(use_session_cb_cnt == 0)
3299 || !TEST_true(find_session_cb_cnt == 0)
3300 || !TEST_true(psk_client_cb_cnt == 1)
3301 || !TEST_true(psk_server_cb_cnt == 0))
3302 goto end;
3303 }
3304
3305 shutdown_ssl_connection(serverssl, clientssl);
3306 serverssl = clientssl = NULL;
3307 use_session_cb_cnt = psk_client_cb_cnt = 0;
3308 }
ca8c71ba
MC		 3309
3310 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3311 NULL, NULL)))
3312 goto end;
3313
3314 /* Create the PSK */
532f9578 3315 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 3316 clientpsk = SSL_SESSION_new();
3317 if (!TEST_ptr(clientpsk)
ca8c71ba 3318 || !TEST_ptr(cipher)
57dee9bb
MC		 3319 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
3320 sizeof(key)))
3321 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
3322 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
3323 TLS1_3_VERSION))
3324 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 3325 goto end;
57dee9bb 3326 serverpsk = clientpsk;
ca8c71ba
MC		 3327
3328 /* Check we can create a connection and the PSK is used */
3329 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3330 || !TEST_true(SSL_session_reused(clientssl))
532f9578 3331 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 3332 goto end;
3333
532f9578
MC		 3334 if (idx == 0 || idx == 1) {
3335 if (!TEST_true(use_session_cb_cnt == 1)
3336 || !TEST_true(find_session_cb_cnt == 1)
3337 || !TEST_true(psk_client_cb_cnt == 0)
3338 || !TEST_true(psk_server_cb_cnt == 0))
3339 goto end;
3340 } else {
3341 if (!TEST_true(use_session_cb_cnt == 0)
3342 || !TEST_true(find_session_cb_cnt == 0)
3343 || !TEST_true(psk_client_cb_cnt == 1)
3344 || !TEST_true(psk_server_cb_cnt == 1))
3345 goto end;
3346 }
3347
ca8c71ba
MC		 3348 shutdown_ssl_connection(serverssl, clientssl);
3349 serverssl = clientssl = NULL;
3350 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 3351 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 3352
3353 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3354 NULL, NULL)))
3355 goto end;
3356
3357 /* Force an HRR */
3358 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3359 goto end;
3360
3361 /*
3362 * Check we can create a connection, the PSK is used and the callbacks are
3363 * called twice.
3364 */
3365 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3366 || !TEST_true(SSL_session_reused(clientssl))
532f9578 3367 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 3368 goto end;
3369
532f9578
MC		 3370 if (idx == 0 || idx == 1) {
3371 if (!TEST_true(use_session_cb_cnt == 2)
3372 || !TEST_true(find_session_cb_cnt == 2)
3373 || !TEST_true(psk_client_cb_cnt == 0)
3374 || !TEST_true(psk_server_cb_cnt == 0))
3375 goto end;
3376 } else {
3377 if (!TEST_true(use_session_cb_cnt == 0)
3378 || !TEST_true(find_session_cb_cnt == 0)
3379 || !TEST_true(psk_client_cb_cnt == 2)
3380 || !TEST_true(psk_server_cb_cnt == 2))
3381 goto end;
3382 }
3383
ca8c71ba
MC		 3384 shutdown_ssl_connection(serverssl, clientssl);
3385 serverssl = clientssl = NULL;
3386 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 3387 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba 3388
0d8da779
MC		 3389 if (idx != 3) {
3390 /*
3391 * Check that if the server rejects the PSK we can still connect, but with
3392 * a full handshake
3393 */
3394 srvid = "Dummy Identity";
3395 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3396 NULL, NULL))
3397 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3398 SSL_ERROR_NONE))
3399 || !TEST_false(SSL_session_reused(clientssl))
3400 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 3401 goto end;
532f9578 3402
0d8da779
MC		 3403 if (idx == 0 || idx == 1) {
3404 if (!TEST_true(use_session_cb_cnt == 1)
3405 || !TEST_true(find_session_cb_cnt == 1)
3406 || !TEST_true(psk_client_cb_cnt == 0)
3407 /*
3408 * If no old style callback then below should be 0
3409 * otherwise 1
3410 */
3411 || !TEST_true(psk_server_cb_cnt == idx))
3412 goto end;
3413 } else {
3414 if (!TEST_true(use_session_cb_cnt == 0)
3415 || !TEST_true(find_session_cb_cnt == 0)
3416 || !TEST_true(psk_client_cb_cnt == 1)
3417 || !TEST_true(psk_server_cb_cnt == 1))
3418 goto end;
3419 }
3420
3421 shutdown_ssl_connection(serverssl, clientssl);
3422 serverssl = clientssl = NULL;
3423 }
ca8c71ba
MC		 3424 testresult = 1;
3425
3426 end:
57dee9bb
MC		 3427 SSL_SESSION_free(clientpsk);
3428 SSL_SESSION_free(serverpsk);
3429 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 3430 SSL_free(serverssl);
3431 SSL_free(clientssl);
3432 SSL_CTX_free(sctx);
3433 SSL_CTX_free(cctx);
3434 return testresult;
3435}
3436
c7b8ff25
MC		 3437static unsigned char cookie_magic_value[] = "cookie magic";
3438
3439static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
3440 unsigned int *cookie_len)
3441{
3442 /*
3443 * Not suitable as a real cookie generation function but good enough for
3444 * testing!
3445 */
97ea1e7f
MC		 3446 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
3447 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 3448
3449 return 1;
3450}
3451
3452static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
3453 unsigned int cookie_len)
3454{
97ea1e7f 3455 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 3456 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
3457 return 1;
3458
3459 return 0;
3460}
3461
3fa2812f
BS		 3462static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
3463 size_t *cookie_len)
3464{
3465 unsigned int temp;
3466 int res = generate_cookie_callback(ssl, cookie, &temp);
3467 *cookie_len = temp;
3468 return res;
3469}
3470
3471static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
3472 size_t cookie_len)
3473{
3474 return verify_cookie_callback(ssl, cookie, cookie_len);
3475}
3476
c7b8ff25
MC		 3477static int test_stateless(void)
3478{
3479 SSL_CTX *sctx = NULL, *cctx = NULL;
3480 SSL *serverssl = NULL, *clientssl = NULL;
3481 int testresult = 0;
3482
7d7f6834
RL		 3483 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3484 TLS1_VERSION, TLS_MAX_VERSION,
3485 &sctx, &cctx, cert, privkey)))
c7b8ff25
MC		 3486 goto end;
3487
e440f513
MC		 3488 /* The arrival of CCS messages can confuse the test */
3489 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
3490
3491 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3492 NULL, NULL))
3493 /* Send the first ClientHello */
3494 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3495 SSL_ERROR_WANT_READ))
3496 /*
3497 * This should fail with a -1 return because we have no callbacks
3498 * set up
3499 */
3500 || !TEST_int_eq(SSL_stateless(serverssl), -1))
3501 goto end;
3502
3503 /* Fatal error so abandon the connection from this client */
3504 SSL_free(clientssl);
3505 clientssl = NULL;
3506
c7b8ff25 3507 /* Set up the cookie generation and verification callbacks */
3fa2812f
BS		 3508 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
3509 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
c7b8ff25 3510
e440f513
MC		 3511 /*
3512 * Create a new connection from the client (we can reuse the server SSL
3513 * object).
3514 */
c7b8ff25
MC		 3515 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3516 NULL, NULL))
3517 /* Send the first ClientHello */
3518 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3519 SSL_ERROR_WANT_READ))
3520 /* This should fail because there is no cookie */
e440f513 3521 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 3522 goto end;
3523
3524 /* Abandon the connection from this client */
3525 SSL_free(clientssl);
3526 clientssl = NULL;
3527
3528 /*
3529 * Now create a connection from a new client but with the same server SSL
3530 * object
3531 */
3532 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3533 NULL, NULL))
3534 /* Send the first ClientHello */
3535 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3536 SSL_ERROR_WANT_READ))
3537 /* This should fail because there is no cookie */
e440f513 3538 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 3539 /* Send the second ClientHello */
3540 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3541 SSL_ERROR_WANT_READ))
3542 /* This should succeed because a cookie is now present */
e440f513 3543 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 3544 /* Complete the connection */
3545 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3546 SSL_ERROR_NONE)))
3547 goto end;
3548
3549 shutdown_ssl_connection(serverssl, clientssl);
3550 serverssl = clientssl = NULL;
3551 testresult = 1;
3552
3553 end:
3554 SSL_free(serverssl);
3555 SSL_free(clientssl);
3556 SSL_CTX_free(sctx);
3557 SSL_CTX_free(cctx);
3558 return testresult;
3559
3560}
ca0413ae 3561#endif /* OPENSSL_NO_TLS1_3 */
5f982038 3562
a37008d9
MC		 3563static int clntaddoldcb = 0;
3564static int clntparseoldcb = 0;
3565static int srvaddoldcb = 0;
3566static int srvparseoldcb = 0;
3567static int clntaddnewcb = 0;
3568static int clntparsenewcb = 0;
3569static int srvaddnewcb = 0;
3570static int srvparsenewcb = 0;
bb01ef3f 3571static int snicb = 0;
a37008d9
MC		 3572
3573#define TEST_EXT_TYPE1 0xff00
3574
3575static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
3576 size_t *outlen, int *al, void *add_arg)
3577{
3578 int *server = (int *)add_arg;
3579 unsigned char *data;
3580
3581 if (SSL_is_server(s))
3582 srvaddoldcb++;
3583 else
3584 clntaddoldcb++;
3585
710756a9
RS		 3586 if (*server != SSL_is_server(s)
3587 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 3588 return -1;
3589
3590 *data = 1;
3591 *out = data;
3592 *outlen = sizeof(char);
a37008d9
MC		 3593 return 1;
3594}
3595
3596static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
3597 void *add_arg)
3598{
3599 OPENSSL_free((unsigned char *)out);
3600}
3601
3602static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
3603 size_t inlen, int *al, void *parse_arg)
3604{
3605 int *server = (int *)parse_arg;
3606
3607 if (SSL_is_server(s))
3608 srvparseoldcb++;
3609 else
3610 clntparseoldcb++;
3611
710756a9
RS		 3612 if (*server != SSL_is_server(s)
3613 || inlen != sizeof(char)
3614 || *in != 1)
a37008d9
MC		 3615 return -1;
3616
3617 return 1;
3618}
3619
3620static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
3621 const unsigned char **out, size_t *outlen, X509 *x,
3622 size_t chainidx, int *al, void *add_arg)
3623{
3624 int *server = (int *)add_arg;
3625 unsigned char *data;
3626
3627 if (SSL_is_server(s))
3628 srvaddnewcb++;
3629 else
3630 clntaddnewcb++;
3631
710756a9
RS		 3632 if (*server != SSL_is_server(s)
3633 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 3634 return -1;
3635
3636 *data = 1;
3637 *out = data;
710756a9 3638 *outlen = sizeof(*data);
a37008d9
MC		 3639 return 1;
3640}
3641
3642static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
3643 const unsigned char *out, void *add_arg)
3644{
3645 OPENSSL_free((unsigned char *)out);
3646}
3647
3648static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
3649 const unsigned char *in, size_t inlen, X509 *x,
3650 size_t chainidx, int *al, void *parse_arg)
3651{
3652 int *server = (int *)parse_arg;
3653
3654 if (SSL_is_server(s))
3655 srvparsenewcb++;
3656 else
3657 clntparsenewcb++;
3658
710756a9
RS		 3659 if (*server != SSL_is_server(s)
3660 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 3661 return -1;
3662
3663 return 1;
3664}
bb01ef3f
MC		 3665
3666static int sni_cb(SSL *s, int *al, void *arg)
3667{
3668 SSL_CTX *ctx = (SSL_CTX *)arg;
3669
3670 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
3671 *al = SSL_AD_INTERNAL_ERROR;
3672 return SSL_TLSEXT_ERR_ALERT_FATAL;
3673 }
3674 snicb++;
3675 return SSL_TLSEXT_ERR_OK;
3676}
3677
a37008d9
MC		 3678/*
3679 * Custom call back tests.
3680 * Test 0: Old style callbacks in TLSv1.2
3681 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 3682 * Test 2: New style callbacks in TLSv1.2 with SNI
3683 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
3684 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
a37008d9 3685 */
710756a9
RS		 3686static int test_custom_exts(int tst)
3687{
bb01ef3f 3688 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 3689 SSL *clientssl = NULL, *serverssl = NULL;
3690 int testresult = 0;
3691 static int server = 1;
3692 static int client = 0;
3693 SSL_SESSION *sess = NULL;
3694 unsigned int context;
3695
c423ecaa
MC		 3696#if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
3697 /* Skip tests for TLSv1.2 and below in this case */
3698 if (tst < 3)
3699 return 1;
3700#endif
3701
a37008d9
MC		 3702 /* Reset callback counters */
3703 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
3704 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 3705 snicb = 0;
a37008d9 3706
7d7f6834
RL		 3707 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3708 TLS1_VERSION, TLS_MAX_VERSION,
3709 &sctx, &cctx, cert, privkey)))
710756a9 3710 goto end;
a37008d9 3711
bb01ef3f 3712 if (tst == 2
7d7f6834
RL		 3713 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
3714 TLS1_VERSION, TLS_MAX_VERSION,
3715 &sctx2, NULL, cert, privkey)))
bb01ef3f
MC		 3716 goto end;
3717
3718
3719 if (tst < 3) {
a37008d9
MC		 3720 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
3721 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 3722 if (sctx2 != NULL)
3723 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 3724 }
3725
bb01ef3f 3726 if (tst == 4) {
710756a9
RS		 3727 context = SSL_EXT_CLIENT_HELLO
3728 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 3729 | SSL_EXT_TLS1_3_SERVER_HELLO
3730 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
3731 | SSL_EXT_TLS1_3_CERTIFICATE
3732 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
3733 } else {
710756a9
RS		 3734 context = SSL_EXT_CLIENT_HELLO
3735 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 3736 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
3737 }
3738
3739 /* Create a client side custom extension */
3740 if (tst == 0) {
710756a9
RS		 3741 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3742 old_add_cb, old_free_cb,
3743 &client, old_parse_cb,
3744 &client)))
3745 goto end;
a37008d9 3746 } else {
710756a9
RS		 3747 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
3748 new_add_cb, new_free_cb,
3749 &client, new_parse_cb, &client)))
3750 goto end;
a37008d9
MC		 3751 }
3752
3753 /* Should not be able to add duplicates */
710756a9
RS		 3754 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3755 old_add_cb, old_free_cb,
3756 &client, old_parse_cb,
3757 &client))
3758 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
3759 context, new_add_cb,
3760 new_free_cb, &client,
3761 new_parse_cb, &client)))
3762 goto end;
a37008d9
MC		 3763
3764 /* Create a server side custom extension */
3765 if (tst == 0) {
710756a9
RS		 3766 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3767 old_add_cb, old_free_cb,
3768 &server, old_parse_cb,
3769 &server)))
3770 goto end;
a37008d9 3771 } else {
710756a9
RS		 3772 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
3773 new_add_cb, new_free_cb,
3774 &server, new_parse_cb, &server)))
3775 goto end;
bb01ef3f
MC		 3776 if (sctx2 != NULL
3777 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
3778 context, new_add_cb,
3779 new_free_cb, &server,
3780 new_parse_cb, &server)))
3781 goto end;
a37008d9
MC		 3782 }
3783
3784 /* Should not be able to add duplicates */
710756a9
RS		 3785 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3786 old_add_cb, old_free_cb,
3787 &server, old_parse_cb,
3788 &server))
3789 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
3790 context, new_add_cb,
3791 new_free_cb, &server,
3792 new_parse_cb, &server)))
a37008d9 3793 goto end;
a37008d9 3794
bb01ef3f
MC		 3795 if (tst == 2) {
3796 /* Set up SNI */
3797 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
3798 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
3799 goto end;
3800 }
3801
710756a9
RS		 3802 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3803 &clientssl, NULL, NULL))
3804 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3805 SSL_ERROR_NONE)))
a37008d9 3806 goto end;
a37008d9
MC		 3807
3808 if (tst == 0) {
710756a9
RS		 3809 if (clntaddoldcb != 1
3810 || clntparseoldcb != 1
3811 || srvaddoldcb != 1
3812 || srvparseoldcb != 1)
a37008d9 3813 goto end;
bb01ef3f 3814 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 3815 if (clntaddnewcb != 1
3816 || clntparsenewcb != 1
3817 || srvaddnewcb != 1
bb01ef3f
MC		 3818 || srvparsenewcb != 1
3819 || (tst != 2 && snicb != 0)
3820 || (tst == 2 && snicb != 1))
a37008d9 3821 goto end;
a37008d9 3822 } else {
36ff232c 3823 /* In this case there 2 NewSessionTicket messages created */
710756a9 3824 if (clntaddnewcb != 1
36ff232c
MC		 3825 || clntparsenewcb != 5
3826 || srvaddnewcb != 5
710756a9 3827 || srvparsenewcb != 1)
a37008d9 3828 goto end;
a37008d9
MC		 3829 }
3830
3831 sess = SSL_get1_session(clientssl);
a37008d9
MC		 3832 SSL_shutdown(clientssl);
3833 SSL_shutdown(serverssl);
a37008d9
MC		 3834 SSL_free(serverssl);
3835 SSL_free(clientssl);
3836 serverssl = clientssl = NULL;
3837
bb01ef3f
MC		 3838 if (tst == 3) {
3839 /* We don't bother with the resumption aspects for this test */
3840 testresult = 1;
3841 goto end;
3842 }
3843
710756a9
RS		 3844 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3845 NULL, NULL))
3846 || !TEST_true(SSL_set_session(clientssl, sess))
3847 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3848 SSL_ERROR_NONE)))
a37008d9 3849 goto end;
a37008d9
MC		 3850
3851 /*
3852 * For a resumed session we expect to add the ClientHello extension. For the
3853 * old style callbacks we ignore it on the server side because they set
3854 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
3855 * them.
3856 */
3857 if (tst == 0) {
710756a9
RS		 3858 if (clntaddoldcb != 2
3859 || clntparseoldcb != 1
3860 || srvaddoldcb != 1
3861 || srvparseoldcb != 1)
a37008d9 3862 goto end;
bb01ef3f 3863 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 3864 if (clntaddnewcb != 2
3865 || clntparsenewcb != 2
3866 || srvaddnewcb != 2
3867 || srvparsenewcb != 2)
a37008d9 3868 goto end;
a37008d9 3869 } else {
36ff232c
MC		 3870 /*
3871 * No Certificate message extensions in the resumption handshake,
3872 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
3873 */
710756a9 3874 if (clntaddnewcb != 2
36ff232c
MC		 3875 || clntparsenewcb != 8
3876 || srvaddnewcb != 8
710756a9 3877 || srvparsenewcb != 2)
a37008d9 3878 goto end;
a37008d9
MC		 3879 }
3880
3881 testresult = 1;
3882
3883end:
3884 SSL_SESSION_free(sess);
3885 SSL_free(serverssl);
3886 SSL_free(clientssl);
bb01ef3f 3887 SSL_CTX_free(sctx2);
a37008d9
MC		 3888 SSL_CTX_free(sctx);
3889 SSL_CTX_free(cctx);
a37008d9
MC		 3890 return testresult;
3891}
3892
16afd71c
MC		 3893/*
3894 * Test loading of serverinfo data in various formats. test_sslmessages actually
3895 * tests to make sure the extensions appear in the handshake
3896 */
3897static int test_serverinfo(int tst)
3898{
3899 unsigned int version;
3900 unsigned char *sibuf;
3901 size_t sibuflen;
3902 int ret, expected, testresult = 0;
3903 SSL_CTX *ctx;
3904
3905 ctx = SSL_CTX_new(TLS_method());
3906 if (!TEST_ptr(ctx))
3907 goto end;
3908
3909 if ((tst & 0x01) == 0x01)
3910 version = SSL_SERVERINFOV2;
3911 else
3912 version = SSL_SERVERINFOV1;
3913
3914 if ((tst & 0x02) == 0x02) {
3915 sibuf = serverinfov2;
3916 sibuflen = sizeof(serverinfov2);
3917 expected = (version == SSL_SERVERINFOV2);
3918 } else {
3919 sibuf = serverinfov1;
3920 sibuflen = sizeof(serverinfov1);
3921 expected = (version == SSL_SERVERINFOV1);
3922 }
3923
3924 if ((tst & 0x04) == 0x04) {
3925 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
3926 } else {
3927 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
3928
3929 /*
3930 * The version variable is irrelevant in this case - it's what is in the
3931 * buffer that matters
3932 */
3933 if ((tst & 0x02) == 0x02)
3934 expected = 0;
3935 else
3936 expected = 1;
3937 }
3938
3939 if (!TEST_true(ret == expected))
3940 goto end;
3941
3942 testresult = 1;
3943
3944 end:
3945 SSL_CTX_free(ctx);
3946
3947 return testresult;
3948}
3949
2197d1df
MC		 3950/*
3951 * Test that SSL_export_keying_material() produces expected results. There are
3952 * no test vectors so all we do is test that both sides of the communication
3953 * produce the same results for different protocol versions.
3954 */
3955static int test_export_key_mat(int tst)
3956{
a599574b 3957 int testresult = 0;
2197d1df
MC		 3958 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3959 SSL *clientssl = NULL, *serverssl = NULL;
3960 const char label[] = "test label";
3961 const unsigned char context[] = "context";
3962 const unsigned char *emptycontext = NULL;
3963 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
3964 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
a599574b
MC		 3965 const int protocols[] = {
3966 TLS1_VERSION,
3967 TLS1_1_VERSION,
3968 TLS1_2_VERSION,
3969 TLS1_3_VERSION
3970 };
2197d1df
MC		 3971
3972#ifdef OPENSSL_NO_TLS1
3973 if (tst == 0)
3974 return 1;
3975#endif
3976#ifdef OPENSSL_NO_TLS1_1
3977 if (tst == 1)
3978 return 1;
3979#endif
3980#ifdef OPENSSL_NO_TLS1_2
3981 if (tst == 2)
3982 return 1;
3983#endif
3984#ifdef OPENSSL_NO_TLS1_3
3985 if (tst == 3)
3986 return 1;
3987#endif
7d7f6834
RL		 3988 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3989 TLS1_VERSION, TLS_MAX_VERSION,
3990 &sctx, &cctx, cert, privkey)))
2197d1df
MC		 3991 goto end;
3992
a599574b
MC		 3993 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
3994 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
3995 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
2197d1df
MC		 3996
3997 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
3998 NULL))
3999 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4000 SSL_ERROR_NONE)))
4001 goto end;
4002
4003 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
4004 sizeof(ckeymat1), label,
4005 sizeof(label) - 1, context,
4006 sizeof(context) - 1, 1), 1)
4007 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
4008 sizeof(ckeymat2), label,
4009 sizeof(label) - 1,
4010 emptycontext,
4011 0, 1), 1)
4012 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
4013 sizeof(ckeymat3), label,
4014 sizeof(label) - 1,
4015 NULL, 0, 0), 1)
4016 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
4017 sizeof(skeymat1), label,
4018 sizeof(label) - 1,
4019 context,
4020 sizeof(context) -1, 1),
4021 1)
4022 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
4023 sizeof(skeymat2), label,
4024 sizeof(label) - 1,
4025 emptycontext,
4026 0, 1), 1)
4027 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
4028 sizeof(skeymat3), label,
4029 sizeof(label) - 1,
4030 NULL, 0, 0), 1)
4031 /*
4032 * Check that both sides created the same key material with the
4033 * same context.
4034 */
4035 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4036 sizeof(skeymat1))
4037 /*
4038 * Check that both sides created the same key material with an
4039 * empty context.
4040 */
4041 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4042 sizeof(skeymat2))
4043 /*
4044 * Check that both sides created the same key material without a
4045 * context.
4046 */
4047 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
4048 sizeof(skeymat3))
4049 /* Different contexts should produce different results */
4050 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4051 sizeof(ckeymat2)))
4052 goto end;
4053
4054 /*
4055 * Check that an empty context and no context produce different results in
4056 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
4057 */
4058 if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
4059 sizeof(ckeymat3)))
4060 || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
4061 sizeof(ckeymat3))))
4062 goto end;
4063
4064 testresult = 1;
4065
4066 end:
4067 SSL_free(serverssl);
4068 SSL_free(clientssl);
4069 SSL_CTX_free(sctx2);
4070 SSL_CTX_free(sctx);
4071 SSL_CTX_free(cctx);
4072
4073 return testresult;
4074}
4075
b38ede80
TT		 4076#ifndef OPENSSL_NO_TLS1_3
4077/*
4078 * Test that SSL_export_keying_material_early() produces expected
4079 * results. There are no test vectors so all we do is test that both
4080 * sides of the communication produce the same results for different
4081 * protocol versions.
4082 */
4083static int test_export_key_mat_early(int idx)
4084{
4085 static const char label[] = "test label";
4086 static const unsigned char context[] = "context";
4087 int testresult = 0;
4088 SSL_CTX *cctx = NULL, *sctx = NULL;
4089 SSL *clientssl = NULL, *serverssl = NULL;
4090 SSL_SESSION *sess = NULL;
4091 const unsigned char *emptycontext = NULL;
4092 unsigned char ckeymat1[80], ckeymat2[80];
4093 unsigned char skeymat1[80], skeymat2[80];
4094 unsigned char buf[1];
4095 size_t readbytes, written;
4096
4097 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
4098 &sess, idx)))
4099 goto end;
4100
4101 /* Here writing 0 length early data is enough. */
4102 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
4103 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4104 &readbytes),
4105 SSL_READ_EARLY_DATA_ERROR)
4106 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4107 SSL_EARLY_DATA_ACCEPTED))
4108 goto end;
4109
4110 if (!TEST_int_eq(SSL_export_keying_material_early(
4111 clientssl, ckeymat1, sizeof(ckeymat1), label,
4112 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4113 || !TEST_int_eq(SSL_export_keying_material_early(
4114 clientssl, ckeymat2, sizeof(ckeymat2), label,
4115 sizeof(label) - 1, emptycontext, 0), 1)
4116 || !TEST_int_eq(SSL_export_keying_material_early(
4117 serverssl, skeymat1, sizeof(skeymat1), label,
4118 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4119 || !TEST_int_eq(SSL_export_keying_material_early(
4120 serverssl, skeymat2, sizeof(skeymat2), label,
4121 sizeof(label) - 1, emptycontext, 0), 1)
4122 /*
4123 * Check that both sides created the same key material with the
4124 * same context.
4125 */
4126 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4127 sizeof(skeymat1))
4128 /*
4129 * Check that both sides created the same key material with an
4130 * empty context.
4131 */
4132 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4133 sizeof(skeymat2))
4134 /* Different contexts should produce different results */
4135 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4136 sizeof(ckeymat2)))
4137 goto end;
4138
4139 testresult = 1;
4140
4141 end:
c20e3b28 4142 SSL_SESSION_free(sess);
b38ede80
TT		 4143 SSL_SESSION_free(clientpsk);
4144 SSL_SESSION_free(serverpsk);
34ff74eb 4145 clientpsk = serverpsk = NULL;
b38ede80
TT		 4146 SSL_free(serverssl);
4147 SSL_free(clientssl);
4148 SSL_CTX_free(sctx);
4149 SSL_CTX_free(cctx);
4150
4151 return testresult;
4152}
4153#endif /* OPENSSL_NO_TLS1_3 */
4154
e11b6aa4
MC		 4155static int test_ssl_clear(int idx)
4156{
4157 SSL_CTX *cctx = NULL, *sctx = NULL;
4158 SSL *clientssl = NULL, *serverssl = NULL;
4159 int testresult = 0;
4160
4161#ifdef OPENSSL_NO_TLS1_2
4162 if (idx == 1)
4163 return 1;
4164#endif
4165
4166 /* Create an initial connection */
7d7f6834
RL		 4167 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4168 TLS1_VERSION, TLS_MAX_VERSION,
4169 &sctx, &cctx, cert, privkey))
e11b6aa4
MC		 4170 || (idx == 1
4171 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
4172 TLS1_2_VERSION)))
4173 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4174 &clientssl, NULL, NULL))
4175 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4176 SSL_ERROR_NONE)))
4177 goto end;
4178
4179 SSL_shutdown(clientssl);
4180 SSL_shutdown(serverssl);
4181 SSL_free(serverssl);
4182 serverssl = NULL;
4183
4184 /* Clear clientssl - we're going to reuse the object */
4185 if (!TEST_true(SSL_clear(clientssl)))
4186 goto end;
4187
4188 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4189 NULL, NULL))
4190 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4191 SSL_ERROR_NONE))
4192 || !TEST_true(SSL_session_reused(clientssl)))
4193 goto end;
4194
4195 SSL_shutdown(clientssl);
4196 SSL_shutdown(serverssl);
4197
4198 testresult = 1;
4199
4200 end:
4201 SSL_free(serverssl);
4202 SSL_free(clientssl);
4203 SSL_CTX_free(sctx);
4204 SSL_CTX_free(cctx);
4205
4206 return testresult;
4207}
4208
cf72c757
F		 4209/* Parse CH and retrieve any MFL extension value if present */
4210static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
4211{
4212 long len;
4213 unsigned char *data;
4214 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
4215 unsigned int MFL_code = 0, type = 0;
4216
4217 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
4218 goto end;
4219
4220 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
4221 /* Skip the record header */
4222 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
4223 /* Skip the handshake message header */
4224 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
4225 /* Skip client version and random */
4226 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
4227 + SSL3_RANDOM_SIZE))
4228 /* Skip session id */
4229 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4230 /* Skip ciphers */
4231 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
4232 /* Skip compression */
4233 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4234 /* Extensions len */
4235 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
4236 goto end;
4237
4238 /* Loop through all extensions */
4239 while (PACKET_remaining(&pkt2)) {
4240 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
4241 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
4242 goto end;
4243
4244 if (type == TLSEXT_TYPE_max_fragment_length) {
4245 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
4246 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
4247 goto end;
4248
4249 *mfl_codemfl_code = MFL_code;
4250 return 1;
4251 }
4252 }
4253
4254 end:
4255 return 0;
4256}
4257
4258/* Maximum-Fragment-Length TLS extension mode to test */
4259static const unsigned char max_fragment_len_test[] = {
4260 TLSEXT_max_fragment_length_512,
4261 TLSEXT_max_fragment_length_1024,
4262 TLSEXT_max_fragment_length_2048,
4263 TLSEXT_max_fragment_length_4096
4264};
4265
4266static int test_max_fragment_len_ext(int idx_tst)
4267{
4268 SSL_CTX *ctx;
4269 SSL *con = NULL;
4270 int testresult = 0, MFL_mode = 0;
4271 BIO *rbio, *wbio;
4272
4273 ctx = SSL_CTX_new(TLS_method());
4274 if (!TEST_ptr(ctx))
4275 goto end;
4276
4277 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
4278 ctx, max_fragment_len_test[idx_tst])))
4279 goto end;
4280
4281 con = SSL_new(ctx);
4282 if (!TEST_ptr(con))
4283 goto end;
4284
4285 rbio = BIO_new(BIO_s_mem());
4286 wbio = BIO_new(BIO_s_mem());
4287 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
4288 BIO_free(rbio);
4289 BIO_free(wbio);
4290 goto end;
4291 }
4292
4293 SSL_set_bio(con, rbio, wbio);
4294 SSL_set_connect_state(con);
4295
4296 if (!TEST_int_le(SSL_connect(con), 0)) {
4297 /* This shouldn't succeed because we don't have a server! */
4298 goto end;
4299 }
4300
4301 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
4302 /* no MFL in client hello */
4303 goto end;
4304 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
4305 goto end;
4306
4307 testresult = 1;
4308
4309end:
4310 SSL_free(con);
4311 SSL_CTX_free(ctx);
4312
4313 return testresult;
4314}
4315
9d75dce3
TS		 4316#ifndef OPENSSL_NO_TLS1_3
4317static int test_pha_key_update(void)
4318{
4319 SSL_CTX *cctx = NULL, *sctx = NULL;
4320 SSL *clientssl = NULL, *serverssl = NULL;
4321 int testresult = 0;
4322
7d7f6834
RL		 4323 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4324 TLS1_VERSION, TLS_MAX_VERSION,
9d75dce3
TS		 4325 &sctx, &cctx, cert, privkey)))
4326 return 0;
4327
4328 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
4329 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
4330 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
4331 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
4332 goto end;
4333
e97be718 4334 SSL_CTX_set_post_handshake_auth(cctx, 1);
9d75dce3
TS		 4335
4336 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4337 NULL, NULL)))
4338 goto end;
4339
9d75dce3
TS		 4340 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4341 SSL_ERROR_NONE)))
4342 goto end;
4343
4344 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
4345 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
4346 goto end;
4347
4348 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
4349 goto end;
4350
4351 /* Start handshake on the server */
4352 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
4353 goto end;
4354
4355 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
4356 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4357 SSL_ERROR_NONE)))
4358 goto end;
4359
4360 SSL_shutdown(clientssl);
4361 SSL_shutdown(serverssl);
4362
4363 testresult = 1;
4364
4365 end:
4366 SSL_free(serverssl);
4367 SSL_free(clientssl);
4368 SSL_CTX_free(sctx);
4369 SSL_CTX_free(cctx);
4370 return testresult;
4371}
4372#endif
4373
76fd7a1d
MC		 4374#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
4375
4376static SRP_VBASE *vbase = NULL;
4377
4378static int ssl_srp_cb(SSL *s, int *ad, void *arg)
4379{
4380 int ret = SSL3_AL_FATAL;
4381 char *username;
4382 SRP_user_pwd *user = NULL;
4383
4384 username = SSL_get_srp_username(s);
4385 if (username == NULL) {
4386 *ad = SSL_AD_INTERNAL_ERROR;
4387 goto err;
4388 }
4389
4390 user = SRP_VBASE_get1_by_user(vbase, username);
4391 if (user == NULL) {
4392 *ad = SSL_AD_INTERNAL_ERROR;
4393 goto err;
4394 }
4395
4396 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
4397 user->info) <= 0) {
4398 *ad = SSL_AD_INTERNAL_ERROR;
4399 goto err;
4400 }
4401
4402 ret = 0;
4403
4404 err:
4405 SRP_user_pwd_free(user);
4406 return ret;
4407}
4408
4409static int create_new_vfile(char *userid, char *password, const char *filename)
4410{
4411 char *gNid = NULL;
4412 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
4413 TXT_DB *db = NULL;
4414 int ret = 0;
4415 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
4416 size_t i;
4417
4418 if (!TEST_ptr(dummy) || !TEST_ptr(row))
4419 goto end;
4420
4421 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
4422 &row[DB_srpverifier], NULL, NULL);
4423 if (!TEST_ptr(gNid))
4424 goto end;
4425
4426 /*
4427 * The only way to create an empty TXT_DB is to provide a BIO with no data
4428 * in it!
4429 */
4430 db = TXT_DB_read(dummy, DB_NUMBER);
4431 if (!TEST_ptr(db))
4432 goto end;
4433
4434 out = BIO_new_file(filename, "w");
4435 if (!TEST_ptr(out))
4436 goto end;
4437
4438 row[DB_srpid] = OPENSSL_strdup(userid);
4439 row[DB_srptype] = OPENSSL_strdup("V");
4440 row[DB_srpgN] = OPENSSL_strdup(gNid);
4441
4442 if (!TEST_ptr(row[DB_srpid])
4443 || !TEST_ptr(row[DB_srptype])
4444 || !TEST_ptr(row[DB_srpgN])
4445 || !TEST_true(TXT_DB_insert(db, row)))
4446 goto end;
4447
4448 row = NULL;
4449
4450 if (!TXT_DB_write(out, db))
4451 goto end;
4452
4453 ret = 1;
4454 end:
4455 if (row != NULL) {
4456 for (i = 0; i < DB_NUMBER; i++)
4457 OPENSSL_free(row[i]);
4458 }
4459 OPENSSL_free(row);
4460 BIO_free(dummy);
4461 BIO_free(out);
4462 TXT_DB_free(db);
4463
4464 return ret;
4465}
4466
4467static int create_new_vbase(char *userid, char *password)
4468{
4469 BIGNUM *verifier = NULL, *salt = NULL;
4470 const SRP_gN *lgN = NULL;
4471 SRP_user_pwd *user_pwd = NULL;
4472 int ret = 0;
4473
4474 lgN = SRP_get_default_gN(NULL);
4475 if (!TEST_ptr(lgN))
4476 goto end;
4477
4478 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
4479 lgN->N, lgN->g)))
4480 goto end;
4481
4482 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
4483 if (!TEST_ptr(user_pwd))
4484 goto end;
4485
4486 user_pwd->N = lgN->N;
4487 user_pwd->g = lgN->g;
4488 user_pwd->id = OPENSSL_strdup(userid);
4489 if (!TEST_ptr(user_pwd->id))
4490 goto end;
4491
4492 user_pwd->v = verifier;
4493 user_pwd->s = salt;
4494 verifier = salt = NULL;
4495
4496 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
4497 goto end;
4498 user_pwd = NULL;
4499
4500 ret = 1;
4501end:
4502 SRP_user_pwd_free(user_pwd);
4503 BN_free(salt);
4504 BN_free(verifier);
4505
4506 return ret;
4507}
4508
4509/*
4510 * SRP tests
4511 *
4512 * Test 0: Simple successful SRP connection, new vbase
4513 * Test 1: Connection failure due to bad password, new vbase
4514 * Test 2: Simple successful SRP connection, vbase loaded from existing file
4515 * Test 3: Connection failure due to bad password, vbase loaded from existing
4516 * file
4517 * Test 4: Simple successful SRP connection, vbase loaded from new file
4518 * Test 5: Connection failure due to bad password, vbase loaded from new file
4519 */
4520static int test_srp(int tst)
4521{
4522 char *userid = "test", *password = "password", *tstsrpfile;
4523 SSL_CTX *cctx = NULL, *sctx = NULL;
4524 SSL *clientssl = NULL, *serverssl = NULL;
4525 int ret, testresult = 0;
4526
4527 vbase = SRP_VBASE_new(NULL);
4528 if (!TEST_ptr(vbase))
4529 goto end;
4530
4531 if (tst == 0 || tst == 1) {
4532 if (!TEST_true(create_new_vbase(userid, password)))
4533 goto end;
4534 } else {
4535 if (tst == 4 || tst == 5) {
4536 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
4537 goto end;
4538 tstsrpfile = tmpfilename;
4539 } else {
4540 tstsrpfile = srpvfile;
4541 }
4542 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
4543 goto end;
4544 }
4545
4546 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4547 TLS1_VERSION, TLS_MAX_VERSION,
4548 &sctx, &cctx, cert, privkey)))
4549 goto end;
4550
4551 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
4552 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
4553 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
4554 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
4555 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
4556 goto end;
4557
4558 if (tst % 2 == 1) {
4559 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
4560 goto end;
4561 } else {
4562 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
4563 goto end;
4564 }
4565
4566 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4567 NULL, NULL)))
4568 goto end;
4569
4570 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
4571 if (ret) {
4572 if (!TEST_true(tst % 2 == 0))
4573 goto end;
4574 } else {
4575 if (!TEST_true(tst % 2 == 1))
4576 goto end;
4577 }
4578
4579 testresult = 1;
4580
4581 end:
4582 SRP_VBASE_free(vbase);
4583 vbase = NULL;
4584 SSL_free(serverssl);
4585 SSL_free(clientssl);
4586 SSL_CTX_free(sctx);
4587 SSL_CTX_free(cctx);
4588
4589 return testresult;
4590}
4591#endif
4592
5718fe45
MC		 4593static int info_cb_failed = 0;
4594static int info_cb_offset = 0;
4595static int info_cb_this_state = -1;
4596
4597static struct info_cb_states_st {
4598 int where;
4599 const char *statestr;
4600} info_cb_states[][60] = {
4601 {
4602 /* TLSv1.2 server followed by resumption */
4603 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4604 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4605 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
4606 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
4607 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
4608 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4609 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4610 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4611 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4612 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4613 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
4614 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4615 {SSL_CB_EXIT, NULL}, {0, NULL},
4616 }, {
4617 /* TLSv1.2 client followed by resumption */
4618 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4619 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4620 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
4621 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
4622 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
4623 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4624 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
4625 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4626 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4627 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4628 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4629 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4630 }, {
4631 /* TLSv1.3 server followed by resumption */
4632 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4633 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4634 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
4635 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
4636 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4637 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4638 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5718fe45 4639 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TWST"},
36ff232c
MC		 4640 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4641 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4642 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4643 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"},
4644 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL},
4645 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4646 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4647 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4648 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 4649 }, {
4650 /* TLSv1.3 client followed by resumption */
4651 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4652 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4653 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
4654 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
4655 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4656 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4657 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4658 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
36ff232c
MC		 4659 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "},
4660 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4661 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5718fe45
MC		 4662 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4663 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
4664 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4665 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4666 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4667 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "},
4668 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4669 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4670 }, {
4671 /* TLSv1.3 server, early_data */
4672 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4673 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4674 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
4675 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4676 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4677 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4678 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4679 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4680 {SSL_CB_EXIT, NULL}, {0, NULL},
4681 }, {
4682 /* TLSv1.3 client, early_data */
4683 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4684 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
4685 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4686 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4687 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4688 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
4689 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4690 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4691 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4692 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4693 }, {
4694 {0, NULL},
4695 }
4696};
4697
4698static void sslapi_info_callback(const SSL *s, int where, int ret)
4699{
4700 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
4701
4702 /* We do not ever expect a connection to fail in this test */
4703 if (!TEST_false(ret == 0)) {
4704 info_cb_failed = 1;
4705 return;
4706 }
4707
4708 /*
4709 * Do some sanity checks. We never expect these things to happen in this
4710 * test
4711 */
4712 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
4713 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
4714 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
4715 info_cb_failed = 1;
4716 return;
4717 }
4718
4719 /* Now check we're in the right state */
4720 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
4721 info_cb_failed = 1;
4722 return;
4723 }
4724 if ((where & SSL_CB_LOOP) != 0
4725 && !TEST_int_eq(strcmp(SSL_state_string(s),
4726 state[info_cb_this_state].statestr), 0)) {
4727 info_cb_failed = 1;
4728 return;
4729 }
033c181b
MC		 4730
4731 /* Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init */
4732 if ((where & SSL_CB_HANDSHAKE_DONE) && SSL_in_init((SSL *)s) != 0) {
4733 info_cb_failed = 1;
4734 return;
4735 }
5718fe45
MC		 4736}
4737
4738/*
4739 * Test the info callback gets called when we expect it to.
4740 *
4741 * Test 0: TLSv1.2, server
4742 * Test 1: TLSv1.2, client
4743 * Test 2: TLSv1.3, server
4744 * Test 3: TLSv1.3, client
4745 * Test 4: TLSv1.3, server, early_data
4746 * Test 5: TLSv1.3, client, early_data
4747 */
4748static int test_info_callback(int tst)
4749{
4750 SSL_CTX *cctx = NULL, *sctx = NULL;
4751 SSL *clientssl = NULL, *serverssl = NULL;
4752 SSL_SESSION *clntsess = NULL;
4753 int testresult = 0;
4754 int tlsvers;
4755
4756 if (tst < 2) {
1aac20f5
MC		 4757/* We need either ECDHE or DHE for the TLSv1.2 test to work */
4758#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
4759 || !defined(OPENSSL_NO_DH))
5718fe45
MC		 4760 tlsvers = TLS1_2_VERSION;
4761#else
4762 return 1;
4763#endif
4764 } else {
4765#ifndef OPENSSL_NO_TLS1_3
4766 tlsvers = TLS1_3_VERSION;
4767#else
4768 return 1;
4769#endif
4770 }
4771
4772 /* Reset globals */
4773 info_cb_failed = 0;
4774 info_cb_this_state = -1;
4775 info_cb_offset = tst;
4776
6e07834c 4777#ifndef OPENSSL_NO_TLS1_3
5718fe45
MC		 4778 if (tst >= 4) {
4779 SSL_SESSION *sess = NULL;
4780 size_t written, readbytes;
4781 unsigned char buf[80];
4782
4783 /* early_data tests */
4784 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4785 &serverssl, &sess, 0)))
4786 goto end;
4787
4788 /* We don't actually need this reference */
4789 SSL_SESSION_free(sess);
4790
4791 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
4792 sslapi_info_callback);
4793
4794 /* Write and read some early data and then complete the connection */
4795 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4796 &written))
4797 || !TEST_size_t_eq(written, strlen(MSG1))
4798 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
4799 sizeof(buf), &readbytes),
4800 SSL_READ_EARLY_DATA_SUCCESS)
4801 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
4802 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4803 SSL_EARLY_DATA_ACCEPTED)
4804 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4805 SSL_ERROR_NONE))
4806 || !TEST_false(info_cb_failed))
4807 goto end;
4808
4809 testresult = 1;
4810 goto end;
4811 }
6e07834c 4812#endif
5718fe45
MC		 4813
4814 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4815 TLS_client_method(),
4816 tlsvers, tlsvers, &sctx, &cctx, cert,
4817 privkey)))
4818 goto end;
4819
4820 /*
4821 * For even numbered tests we check the server callbacks. For odd numbers we
4822 * check the client.
4823 */
4824 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
4825 sslapi_info_callback);
4826
4827 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4828 &clientssl, NULL, NULL))
4829 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4830 SSL_ERROR_NONE))
4831 || !TEST_false(info_cb_failed))
4832 goto end;
4833
4834
4835
4836 clntsess = SSL_get1_session(clientssl);
4837 SSL_shutdown(clientssl);
4838 SSL_shutdown(serverssl);
4839 SSL_free(serverssl);
4840 SSL_free(clientssl);
4841 serverssl = clientssl = NULL;
4842
4843 /* Now do a resumption */
4844 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4845 NULL))
4846 || !TEST_true(SSL_set_session(clientssl, clntsess))
4847 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4848 SSL_ERROR_NONE))
4849 || !TEST_true(SSL_session_reused(clientssl))
4850 || !TEST_false(info_cb_failed))
4851 goto end;
4852
4853 testresult = 1;
4854
4855 end:
4856 SSL_free(serverssl);
4857 SSL_free(clientssl);
4858 SSL_SESSION_free(clntsess);
4859 SSL_CTX_free(sctx);
4860 SSL_CTX_free(cctx);
4861 return testresult;
4862}
4863
4a432af8
MC		 4864static int test_ssl_pending(int tst)
4865{
4866 SSL_CTX *cctx = NULL, *sctx = NULL;
4867 SSL *clientssl = NULL, *serverssl = NULL;
4868 int testresult = 0;
4869 char msg[] = "A test message";
4870 char buf[5];
4871 size_t written, readbytes;
4872
4873 if (tst == 0) {
4874 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4875 TLS_client_method(),
4876 TLS1_VERSION, TLS_MAX_VERSION,
4877 &sctx, &cctx, cert, privkey)))
4878 goto end;
4879 } else {
4880#ifndef OPENSSL_NO_DTLS
4881 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
4882 DTLS_client_method(),
4883 DTLS1_VERSION, DTLS_MAX_VERSION,
4884 &sctx, &cctx, cert, privkey)))
4885 goto end;
4886#else
4887 return 1;
4888#endif
4889 }
4890
4891 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4892 NULL, NULL))
4893 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4894 SSL_ERROR_NONE)))
4895 goto end;
4896
e8251092
MC		 4897 if (!TEST_int_eq(SSL_pending(clientssl), 0)
4898 || !TEST_false(SSL_has_pending(clientssl))
4899 || !TEST_int_eq(SSL_pending(serverssl), 0)
4900 || !TEST_false(SSL_has_pending(serverssl))
4901 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4a432af8
MC		 4902 || !TEST_size_t_eq(written, sizeof(msg))
4903 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4904 || !TEST_size_t_eq(readbytes, sizeof(buf))
e8251092
MC		 4905 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
4906 || !TEST_true(SSL_has_pending(clientssl)))
4a432af8
MC		 4907 goto end;
4908
4909 testresult = 1;
4910
4911 end:
4912 SSL_free(serverssl);
4913 SSL_free(clientssl);
4914 SSL_CTX_free(sctx);
4915 SSL_CTX_free(cctx);
4916
4917 return testresult;
4918}
4919
e401389a
MC		 4920static struct {
4921 unsigned int maxprot;
4922 const char *clntciphers;
4923 const char *clnttls13ciphers;
4924 const char *srvrciphers;
4925 const char *srvrtls13ciphers;
4926 const char *shared;
4927} shared_ciphers_data[] = {
60155b9a
MC		 4928/*
4929 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
4930 * TLSv1.3 is enabled but TLSv1.2 is disabled.
4931 */
4932#if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
e401389a
MC		 4933 {
4934 TLS1_2_VERSION,
4935 "AES128-SHA:AES256-SHA",
4936 NULL,
4937 "AES256-SHA:DHE-RSA-AES128-SHA",
4938 NULL,
4939 "AES256-SHA"
4940 },
4941 {
4942 TLS1_2_VERSION,
4943 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
4944 NULL,
4945 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
4946 NULL,
4947 "AES128-SHA:AES256-SHA"
4948 },
4949 {
4950 TLS1_2_VERSION,
4951 "AES128-SHA:AES256-SHA",
4952 NULL,
4953 "AES128-SHA:DHE-RSA-AES128-SHA",
4954 NULL,
4955 "AES128-SHA"
4956 },
60155b9a
MC		 4957#endif
4958/*
4959 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
4960 * enabled.
4961 */
4962#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
4963 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e401389a
MC		 4964 {
4965 TLS1_3_VERSION,
4966 "AES128-SHA:AES256-SHA",
4967 NULL,
4968 "AES256-SHA:AES128-SHA256",
4969 NULL,
4970 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
4971 "TLS_AES_128_GCM_SHA256:AES256-SHA"
4972 },
60155b9a
MC		 4973#endif
4974#ifndef OPENSSL_NO_TLS1_3
e401389a
MC		 4975 {
4976 TLS1_3_VERSION,
4977 "AES128-SHA",
4978 "TLS_AES_256_GCM_SHA384",
4979 "AES256-SHA",
4980 "TLS_AES_256_GCM_SHA384",
4981 "TLS_AES_256_GCM_SHA384"
4982 },
4983#endif
4984};
4985
4986static int test_ssl_get_shared_ciphers(int tst)
4987{
4988 SSL_CTX *cctx = NULL, *sctx = NULL;
4989 SSL *clientssl = NULL, *serverssl = NULL;
4990 int testresult = 0;
4991 char buf[1024];
4992
4993 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4994 TLS_client_method(),
4995 TLS1_VERSION,
4996 shared_ciphers_data[tst].maxprot,
4997 &sctx, &cctx, cert, privkey)))
4998 goto end;
4999
5000 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5001 shared_ciphers_data[tst].clntciphers))
5002 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
5003 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
5004 shared_ciphers_data[tst].clnttls13ciphers)))
5005 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
5006 shared_ciphers_data[tst].srvrciphers))
5007 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
5008 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
5009 shared_ciphers_data[tst].srvrtls13ciphers))))
5010 goto end;
5011
5012
5013 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5014 NULL, NULL))
5015 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5016 SSL_ERROR_NONE)))
5017 goto end;
5018
5019 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
5020 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
5021 TEST_info("Shared ciphers are: %s\n", buf);
5022 goto end;
5023 }
5024
5025 testresult = 1;
5026
5027 end:
5028 SSL_free(serverssl);
5029 SSL_free(clientssl);
5030 SSL_CTX_free(sctx);
5031 SSL_CTX_free(cctx);
5032
5033 return testresult;
5034}
5035
d0191fe0 5036static const char *appdata = "Hello World";
61fb5923
MC		 5037static int gen_tick_called, dec_tick_called, tick_key_cb_called;
5038static int tick_key_renew = 0;
5039static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
d0191fe0
MC		 5040
5041static int gen_tick_cb(SSL *s, void *arg)
5042{
5043 gen_tick_called = 1;
5044
5045 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
5046 strlen(appdata));
5047}
5048
5049static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
5050 const unsigned char *keyname,
5051 size_t keyname_length,
61fb5923
MC		 5052 SSL_TICKET_STATUS status,
5053 void *arg)
d0191fe0
MC		 5054{
5055 void *tickdata;
5056 size_t tickdlen;
5057
5058 dec_tick_called = 1;
5059
61fb5923
MC		 5060 if (status == SSL_TICKET_EMPTY)
5061 return SSL_TICKET_RETURN_IGNORE_RENEW;
d0191fe0 5062
61fb5923
MC		 5063 if (!TEST_true(status == SSL_TICKET_SUCCESS
5064 || status == SSL_TICKET_SUCCESS_RENEW))
5065 return SSL_TICKET_RETURN_ABORT;
5066
5067 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
5068 &tickdlen))
d0191fe0
MC		 5069 || !TEST_size_t_eq(tickdlen, strlen(appdata))
5070 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
61fb5923 5071 return SSL_TICKET_RETURN_ABORT;
d0191fe0 5072
61fb5923
MC		 5073 if (tick_key_cb_called) {
5074 /* Don't change what the ticket key callback wanted to do */
5075 switch (status) {
5076 case SSL_TICKET_NO_DECRYPT:
5077 return SSL_TICKET_RETURN_IGNORE_RENEW;
5078
5079 case SSL_TICKET_SUCCESS:
5080 return SSL_TICKET_RETURN_USE;
d0191fe0 5081
61fb5923
MC		 5082 case SSL_TICKET_SUCCESS_RENEW:
5083 return SSL_TICKET_RETURN_USE_RENEW;
5084
5085 default:
5086 return SSL_TICKET_RETURN_ABORT;
5087 }
5088 }
5089 return tick_dec_ret;
5090
5091}
d0191fe0
MC		 5092
5093static int tick_key_cb(SSL *s, unsigned char key_name[16],
5094 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
5095 HMAC_CTX *hctx, int enc)
5096{
5097 const unsigned char tick_aes_key[16] = "0123456789abcdef";
5098 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
5099
61fb5923 5100 tick_key_cb_called = 1;
d0191fe0
MC		 5101 memset(iv, 0, AES_BLOCK_SIZE);
5102 memset(key_name, 0, 16);
5103 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
5104 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
5105 EVP_sha256(), NULL))
5106 return -1;
5107
61fb5923 5108 return tick_key_renew ? 2 : 1;
d0191fe0
MC		 5109}
5110
5111/*
5112 * Test the various ticket callbacks
61fb5923
MC		 5113 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
5114 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
5115 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
5116 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
5117 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
5118 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
5119 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
5120 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
5121 * Test 8: TLSv1.2, ticket key callback, ticket, no renewal
5122 * Test 9: TLSv1.3, ticket key callback, ticket, no renewal
5123 * Test 10: TLSv1.2, ticket key callback, ticket, renewal
5124 * Test 11: TLSv1.3, ticket key callback, ticket, renewal
d0191fe0
MC		 5125 */
5126static int test_ticket_callbacks(int tst)
5127{
5128 SSL_CTX *cctx = NULL, *sctx = NULL;
5129 SSL *clientssl = NULL, *serverssl = NULL;
5130 SSL_SESSION *clntsess = NULL;
5131 int testresult = 0;
5132
5133#ifdef OPENSSL_NO_TLS1_2
ba8b48e9 5134 if (tst % 2 == 0)
d0191fe0
MC		 5135 return 1;
5136#endif
5137#ifdef OPENSSL_NO_TLS1_3
ba8b48e9 5138 if (tst % 2 == 1)
d0191fe0
MC		 5139 return 1;
5140#endif
5141
61fb5923 5142 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
d0191fe0
MC		 5143
5144 /* Which tests the ticket key callback should request renewal for */
61fb5923
MC		 5145 if (tst == 10 || tst == 11)
5146 tick_key_renew = 1;
d0191fe0 5147 else
61fb5923
MC		 5148 tick_key_renew = 0;
5149
5150 /* Which tests the decrypt ticket callback should request renewal for */
5151 switch (tst) {
5152 case 0:
5153 case 1:
5154 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
5155 break;
5156
5157 case 2:
5158 case 3:
5159 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
5160 break;
5161
5162 case 4:
5163 case 5:
5164 tick_dec_ret = SSL_TICKET_RETURN_USE;
5165 break;
5166
5167 case 6:
5168 case 7:
5169 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
5170 break;
5171
5172 default:
5173 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
5174 }
d0191fe0
MC		 5175
5176 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5177 TLS_client_method(),
5178 TLS1_VERSION,
61fb5923
MC		 5179 ((tst % 2) == 0) ? TLS1_2_VERSION
5180 : TLS1_3_VERSION,
d0191fe0
MC		 5181 &sctx, &cctx, cert, privkey)))
5182 goto end;
5183
61fb5923
MC		 5184 /*
5185 * We only want sessions to resume from tickets - not the session cache. So
5186 * switch the cache off.
5187 */
5188 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
5189 goto end;
5190
d0191fe0
MC		 5191 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
5192 NULL)))
5193 goto end;
5194
61fb5923 5195 if (tst >= 8
d0191fe0
MC		 5196 && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
5197 goto end;
5198
5199 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5200 NULL, NULL))
5201 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5202 SSL_ERROR_NONE)))
5203 goto end;
5204
61fb5923
MC		 5205 /*
5206 * The decrypt ticket key callback in TLSv1.2 should be called even though
5207 * we have no ticket yet, because it gets called with a status of
5208 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
5209 * actually send any ticket data). This does not happen in TLSv1.3 because
5210 * it is not valid to send empty ticket data in TLSv1.3.
5211 */
d0191fe0 5212 if (!TEST_int_eq(gen_tick_called, 1)
61fb5923 5213 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
d0191fe0
MC		 5214 goto end;
5215
5216 gen_tick_called = dec_tick_called = 0;
5217
5218 clntsess = SSL_get1_session(clientssl);
5219 SSL_shutdown(clientssl);
5220 SSL_shutdown(serverssl);
5221 SSL_free(serverssl);
5222 SSL_free(clientssl);
5223 serverssl = clientssl = NULL;
5224
5225 /* Now do a resumption */
5226 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5227 NULL))
5228 || !TEST_true(SSL_set_session(clientssl, clntsess))
5229 || !TEST_true(create_ssl_connection(serverssl, clientssl,
61fb5923 5230 SSL_ERROR_NONE)))
d0191fe0
MC		 5231 goto end;
5232
61fb5923
MC		 5233 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
5234 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
5235 if (!TEST_false(SSL_session_reused(clientssl)))
5236 goto end;
5237 } else {
5238 if (!TEST_true(SSL_session_reused(clientssl)))
5239 goto end;
5240 }
5241
d0191fe0 5242 if (!TEST_int_eq(gen_tick_called,
61fb5923
MC		 5243 (tick_key_renew
5244 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
5245 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
5246 ? 1 : 0)
d0191fe0
MC		 5247 || !TEST_int_eq(dec_tick_called, 1))
5248 goto end;
5249
5250 testresult = 1;
5251
5252 end:
5253 SSL_SESSION_free(clntsess);
5254 SSL_free(serverssl);
5255 SSL_free(clientssl);
5256 SSL_CTX_free(sctx);
5257 SSL_CTX_free(cctx);
5258
5259 return testresult;
5260}
5261
c748834f
MC		 5262/*
5263 * Test bi-directional shutdown.
5264 * Test 0: TLSv1.2
5265 * Test 1: TLSv1.2, server continues to read/write after client shutdown
5266 * Test 2: TLSv1.3, no pending NewSessionTicket messages
5267 * Test 3: TLSv1.3, pending NewSessionTicket messages
5268 * Test 4: TLSv1.3, server continues to read/write after client shutdown, client
5269 * reads it
5270 * Test 5: TLSv1.3, server continues to read/write after client shutdown, client
5271 * doesn't read it
5272 */
5273static int test_shutdown(int tst)
5274{
5275 SSL_CTX *cctx = NULL, *sctx = NULL;
5276 SSL *clientssl = NULL, *serverssl = NULL;
5277 int testresult = 0;
5278 char msg[] = "A test message";
5279 char buf[80];
5280 size_t written, readbytes;
5281
5282#ifdef OPENSSL_NO_TLS1_2
a97d19f7 5283 if (tst <= 1)
c748834f
MC		 5284 return 1;
5285#endif
5286#ifdef OPENSSL_NO_TLS1_3
a97d19f7 5287 if (tst >= 2)
c748834f
MC		 5288 return 1;
5289#endif
5290
5291 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5292 TLS_client_method(),
5293 TLS1_VERSION,
5294 (tst <= 1) ? TLS1_2_VERSION
5295 : TLS1_3_VERSION,
5296 &sctx, &cctx, cert, privkey))
5297 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5298 NULL, NULL)))
5299 goto end;
5300
5301 if (tst == 3) {
5302 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
5303 SSL_ERROR_NONE)))
5304 goto end;
5305 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5306 SSL_ERROR_NONE))) {
5307 goto end;
5308 }
5309
5310 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
5311 goto end;
5312
5313 if (tst >= 4) {
5314 /*
5315 * Reading on the server after the client has sent close_notify should
5316 * fail and provide SSL_ERROR_ZERO_RETURN
5317 */
5318 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
5319 || !TEST_int_eq(SSL_get_error(serverssl, 0),
5320 SSL_ERROR_ZERO_RETURN)
5321 || !TEST_int_eq(SSL_get_shutdown(serverssl),
5322 SSL_RECEIVED_SHUTDOWN)
5323 /*
5324 * Even though we're shutdown on receive we should still be
5325 * able to write.
5326 */
5327 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg)))
5328 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
5329 goto end;
5330 if (tst == 4) {
5331 /* Should still be able to read data from server */
5332 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
5333 &readbytes))
5334 || !TEST_size_t_eq(readbytes, sizeof(msg))
5335 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
5336 goto end;
5337 }
5338 }
5339
5340 /* Writing on the client after sending close_notify shouldn't be possible */
ba709049 5341 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
c748834f
MC		 5342 goto end;
5343
5344 if (tst < 4) {
5345 /*
5346 * For these tests the client has sent close_notify but it has not yet
5347 * been received by the server. The server has not sent close_notify
5348 * yet.
5349 */
5350 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
ba709049
MC		 5351 /*
5352 * Writing on the server after sending close_notify shouldn't
5353 * be possible.
5354 */
5355 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
c748834f
MC		 5356 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
5357 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
5358 goto end;
358ffa05 5359 } else if (tst == 4) {
c748834f
MC		 5360 /*
5361 * In this test the client has sent close_notify and it has been
5362 * received by the server which has responded with a close_notify. The
358ffa05 5363 * client needs to read the close_notify sent by the server.
c748834f 5364 */
c748834f
MC		 5365 if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
5366 goto end;
358ffa05
MC		 5367 } else {
5368 /*
5369 * tst == 5
5370 *
5371 * The client has sent close_notify and is expecting a close_notify
5372 * back, but instead there is application data first. The shutdown
5373 * should fail with a fatal error.
5374 */
5375 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
5376 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
5377 goto end;
c748834f
MC		 5378 }
5379
5380 testresult = 1;
5381
5382 end:
5383 SSL_free(serverssl);
5384 SSL_free(clientssl);
5385 SSL_CTX_free(sctx);
5386 SSL_CTX_free(cctx);
5387
5388 return testresult;
5389}
5390
ad887416 5391int setup_tests(void)
2cb4b5f6 5392{
ad887416 5393 if (!TEST_ptr(cert = test_get_argument(0))
76fd7a1d
MC		 5394 || !TEST_ptr(privkey = test_get_argument(1))
5395 || !TEST_ptr(srpvfile = test_get_argument(2))
5396 || !TEST_ptr(tmpfilename = test_get_argument(3)))
710756a9 5397 return 0;
2cb4b5f6 5398
f297e4ec
RS		 5399 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
5400#ifdef OPENSSL_NO_CRYPTO_MDEBUG
5401 TEST_error("not supported in this build");
5402 return 0;
5403#else
5404 int i, mcount, rcount, fcount;
5405
5406 for (i = 0; i < 4; i++)
5407 test_export_key_mat(i);
5408 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
5409 test_printf_stdout("malloc %d realloc %d free %d\n",
5410 mcount, rcount, fcount);
5411 return 1;
5412#endif
5413 }
5414
84d5549e 5415 ADD_TEST(test_large_message_tls);
7856332e 5416 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 5417#ifndef OPENSSL_NO_DTLS
84d5549e 5418 ADD_TEST(test_large_message_dtls);
55386bef 5419#endif
8f8c11d8 5420#ifndef OPENSSL_NO_OCSP
c887104f 5421 ADD_TEST(test_tlsext_status_type);
8f8c11d8 5422#endif
eaa776da
MC		 5423 ADD_TEST(test_session_with_only_int_cache);
5424 ADD_TEST(test_session_with_only_ext_cache);
5425 ADD_TEST(test_session_with_both_cache);
36ff232c 5426#ifndef OPENSSL_NO_TLS1_3
04d7814a
MC		 5427 ADD_ALL_TESTS(test_stateful_tickets, 3);
5428 ADD_ALL_TESTS(test_stateless_tickets, 3);
36ff232c 5429#endif
7fb4c820 5430 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 5431 ADD_TEST(test_ssl_bio_pop_next_bio);
5432 ADD_TEST(test_ssl_bio_pop_ssl_bio);
5433 ADD_TEST(test_ssl_bio_change_rbio);
5434 ADD_TEST(test_ssl_bio_change_wbio);
c423ecaa 5435#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae 5436 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 5437 ADD_TEST(test_keylog);
c423ecaa 5438#endif
6acdd3e5
CB		 5439#ifndef OPENSSL_NO_TLS1_3
5440 ADD_TEST(test_keylog_no_master_key);
5441#endif
e9ee6536 5442#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 5443 ADD_TEST(test_client_hello_cb);
5f982038
MC		 5444#endif
5445#ifndef OPENSSL_NO_TLS1_3
02a3ed5a 5446 ADD_ALL_TESTS(test_early_data_read_write, 3);
78fb5374
MC		 5447 /*
5448 * We don't do replay tests for external PSK. Replay protection isn't used
5449 * in that scenario.
5450 */
5451 ADD_ALL_TESTS(test_early_data_replay, 2);
02a3ed5a
MC		 5452 ADD_ALL_TESTS(test_early_data_skip, 3);
5453 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
0efa0ba4 5454 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
0d1b7789 5455 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
02a3ed5a 5456 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 5457 ADD_ALL_TESTS(test_early_data_psk, 8);
02a3ed5a 5458 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 5459# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 5460 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 5461# endif
e9ee6536 5462#endif
a273157a 5463#ifndef OPENSSL_NO_TLS1_3
034cb87b 5464 ADD_ALL_TESTS(test_set_ciphersuite, 10);
ca0413ae 5465 ADD_TEST(test_ciphersuite_change);
c2b290c3
MC		 5466#ifdef OPENSSL_NO_PSK
5467 ADD_ALL_TESTS(test_tls13_psk, 1);
5468#else
0d8da779 5469 ADD_ALL_TESTS(test_tls13_psk, 4);
c2b290c3 5470#endif /* OPENSSL_NO_PSK */
bb01ef3f 5471 ADD_ALL_TESTS(test_custom_exts, 5);
c7b8ff25 5472 ADD_TEST(test_stateless);
9d75dce3 5473 ADD_TEST(test_pha_key_update);
a273157a 5474#else
bb01ef3f 5475 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 5476#endif
16afd71c 5477 ADD_ALL_TESTS(test_serverinfo, 8);
2197d1df 5478 ADD_ALL_TESTS(test_export_key_mat, 4);
b38ede80
TT		 5479#ifndef OPENSSL_NO_TLS1_3
5480 ADD_ALL_TESTS(test_export_key_mat_early, 3);
5481#endif
e11b6aa4 5482 ADD_ALL_TESTS(test_ssl_clear, 2);
cf72c757 5483 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
76fd7a1d
MC		 5484#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5485 ADD_ALL_TESTS(test_srp, 6);
5486#endif
5718fe45 5487 ADD_ALL_TESTS(test_info_callback, 6);
4a432af8 5488 ADD_ALL_TESTS(test_ssl_pending, 2);
e401389a 5489 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
61fb5923 5490 ADD_ALL_TESTS(test_ticket_callbacks, 12);
c748834f 5491 ADD_ALL_TESTS(test_shutdown, 6);
ad887416
P		 5492 return 1;
5493}
2cb4b5f6 5494
ad887416
P		 5495void cleanup_tests(void)
5496{
fa454945 5497 bio_s_mempacket_test_free();
2cb4b5f6 5498}
A mirror of the official openssl repository