]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Add code to run test, get malloc counts
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
6738bf14 2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6
MC		 3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
ba881d3b
MC		 10#include <string.h>
11
2cb4b5f6
MC		 12#include <openssl/opensslconf.h>
13#include <openssl/bio.h>
14#include <openssl/crypto.h>
15#include <openssl/ssl.h>
ba881d3b 16#include <openssl/ocsp.h>
2cb4b5f6
MC		 17
18#include "ssltestlib.h"
c887104f 19#include "testutil.h"
f297e4ec 20#include "testutil/output.h"
176db6dc 21#include "internal/nelem.h"
ca0413ae 22#include "../ssl/ssl_locl.h"
2cb4b5f6
MC		 23
24static char *cert = NULL;
25static char *privkey = NULL;
26
6acdd3e5
CB		 27#define LOG_BUFFER_SIZE 1024
28static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 29static size_t server_log_buffer_index = 0;
6acdd3e5 30static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 31static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 32static int error_writing_log = 0;
33
8f8c11d8 34#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 35static const unsigned char orespder[] = "Dummy OCSP Response";
36static int ocsp_server_called = 0;
37static int ocsp_client_called = 0;
38
39static int cdummyarg = 1;
40static X509 *ocspcert = NULL;
8f8c11d8 41#endif
ba881d3b 42
84d5549e 43#define NUM_EXTRA_CERTS 40
cf72c757 44#define CLIENT_VERSION_LEN 2
84d5549e 45
f1a5939f
CB		 46/*
47 * This structure is used to validate that the correct number of log messages
48 * of various types are emitted when emitting secret logs.
49 */
50struct sslapitest_log_counts {
51 unsigned int rsa_key_exchange_count;
52 unsigned int master_secret_count;
53 unsigned int client_handshake_secret_count;
54 unsigned int server_handshake_secret_count;
55 unsigned int client_application_secret_count;
56 unsigned int server_application_secret_count;
57};
58
16afd71c
MC		 59
60static unsigned char serverinfov1[] = {
61 0xff, 0xff, /* Dummy extension type */
62 0x00, 0x01, /* Extension length is 1 byte */
63 0xff /* Dummy extension data */
64};
65
66static unsigned char serverinfov2[] = {
67 0x00, 0x00, 0x00,
68 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
69 0xff, 0xff, /* Dummy extension type */
70 0x00, 0x01, /* Extension length is 1 byte */
71 0xff /* Dummy extension data */
72};
73
710756a9
RS		 74static void client_keylog_callback(const SSL *ssl, const char *line)
75{
6acdd3e5
CB		 76 int line_length = strlen(line);
77
78 /* If the log doesn't fit, error out. */
710756a9
RS		 79 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
80 TEST_info("Client log too full");
6acdd3e5
CB		 81 error_writing_log = 1;
82 return;
83 }
84
85 strcat(client_log_buffer, line);
86 client_log_buffer_index += line_length;
710756a9 87 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 88}
89
710756a9
RS		 90static void server_keylog_callback(const SSL *ssl, const char *line)
91{
6acdd3e5
CB		 92 int line_length = strlen(line);
93
94 /* If the log doesn't fit, error out. */
710756a9 95 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 96 TEST_info("Server log too full");
6acdd3e5
CB		 97 error_writing_log = 1;
98 return;
99 }
100
101 strcat(server_log_buffer, line);
102 server_log_buffer_index += line_length;
710756a9 103 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 104}
105
106static int compare_hex_encoded_buffer(const char *hex_encoded,
107 size_t hex_length,
108 const uint8_t *raw,
710756a9
RS		 109 size_t raw_length)
110{
111 size_t i, j;
112 char hexed[3];
6acdd3e5 113
710756a9 114 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 115 return 1;
6acdd3e5 116
710756a9 117 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 118 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 119 if (!TEST_int_eq(hexed[0], hex_encoded[j])
120 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 121 return 1;
6acdd3e5
CB		 122 }
123
124 return 0;
125}
126
127static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 128 const SSL_SESSION *session,
710756a9
RS		 129 struct sslapitest_log_counts *expected)
130{
6acdd3e5
CB		 131 char *token = NULL;
132 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
133 size_t client_random_size = SSL3_RANDOM_SIZE;
134 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
135 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 136 unsigned int rsa_key_exchange_count = 0;
137 unsigned int master_secret_count = 0;
138 unsigned int client_handshake_secret_count = 0;
139 unsigned int server_handshake_secret_count = 0;
140 unsigned int client_application_secret_count = 0;
141 unsigned int server_application_secret_count = 0;
6acdd3e5 142
710756a9
RS		 143 for (token = strtok(buffer, " \n"); token != NULL;
144 token = strtok(NULL, " \n")) {
6acdd3e5 145 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 146 /*
147 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 148 * hex-encoded encrypted secret, then the hex-encoded pre-master
149 * secret.
150 */
710756a9 151 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 152 return 0;
710756a9 153 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 154 return 0;
710756a9 155 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 156 return 0;
f1a5939f
CB		 157 /*
158 * We can't sensibly check the log because the premaster secret is
159 * transient, and OpenSSL doesn't keep hold of it once the master
160 * secret is generated.
161 */
162 rsa_key_exchange_count++;
6acdd3e5 163 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 164 /*
165 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 166 * client random, then the hex-encoded master secret.
167 */
168 client_random_size = SSL_get_client_random(ssl,
169 actual_client_random,
170 SSL3_RANDOM_SIZE);
710756a9 171 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 172 return 0;
6acdd3e5 173
710756a9 174 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 175 return 0;
710756a9 176 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 177 return 0;
710756a9
RS		 178 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
179 actual_client_random,
180 client_random_size)))
f1a5939f 181 return 0;
6acdd3e5 182
710756a9 183 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 184 return 0;
6acdd3e5
CB		 185 master_key_size = SSL_SESSION_get_master_key(session,
186 actual_master_key,
187 master_key_size);
710756a9 188 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 189 return 0;
710756a9
RS		 190 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
191 actual_master_key,
192 master_key_size)))
f1a5939f 193 return 0;
f1a5939f 194 master_secret_count++;
710756a9
RS		 195 } else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
196 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
197 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
198 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0) {
f1a5939f
CB		 199 /*
200 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
201 * client random, and then the hex-encoded secret. In this case,
202 * we treat all of these secrets identically and then just
203 * distinguish between them when counting what we saw.
204 */
205 if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
206 client_handshake_secret_count++;
207 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
208 server_handshake_secret_count++;
209 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
210 client_application_secret_count++;
211 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
212 server_application_secret_count++;
213
214 client_random_size = SSL_get_client_random(ssl,
215 actual_client_random,
216 SSL3_RANDOM_SIZE);
710756a9 217 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 218 return 0;
f1a5939f 219
710756a9 220 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 221 return 0;
710756a9 222 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 223 return 0;
710756a9
RS		 224 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
225 actual_client_random,
226 client_random_size)))
f1a5939f 227 return 0;
6acdd3e5 228
710756a9 229 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 230 return 0;
f1a5939f
CB		 231
232 /*
233 * TODO(TLS1.3): test that application traffic secrets are what
234 * we expect */
6acdd3e5 235 } else {
710756a9 236 TEST_info("Unexpected token %s\n", token);
f1a5939f 237 return 0;
6acdd3e5 238 }
6acdd3e5
CB		 239 }
240
710756a9
RS		 241 /* Got what we expected? */
242 if (!TEST_size_t_eq(rsa_key_exchange_count,
243 expected->rsa_key_exchange_count)
244 || !TEST_size_t_eq(master_secret_count,
245 expected->master_secret_count)
246 || !TEST_size_t_eq(client_handshake_secret_count,
247 expected->client_handshake_secret_count)
248 || !TEST_size_t_eq(server_handshake_secret_count,
249 expected->server_handshake_secret_count)
250 || !TEST_size_t_eq(client_application_secret_count,
251 expected->client_application_secret_count)
252 || !TEST_size_t_eq(server_application_secret_count,
253 expected->server_application_secret_count))
254 return 0;
255 return 1;
6acdd3e5
CB		 256}
257
c423ecaa 258#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
710756a9
RS		 259static int test_keylog(void)
260{
6acdd3e5
CB		 261 SSL_CTX *cctx = NULL, *sctx = NULL;
262 SSL *clientssl = NULL, *serverssl = NULL;
263 int testresult = 0;
f1a5939f 264 struct sslapitest_log_counts expected = {0};
6acdd3e5
CB		 265
266 /* Clean up logging space */
710756a9
RS		 267 memset(client_log_buffer, 0, sizeof(client_log_buffer));
268 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 269 client_log_buffer_index = 0;
270 server_log_buffer_index = 0;
271 error_writing_log = 0;
272
710756a9
RS		 273 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
274 TLS_client_method(),
275 &sctx, &cctx, cert, privkey)))
6acdd3e5 276 return 0;
6acdd3e5
CB		 277
278 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
279 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
280 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
281
f0deb4d3 282 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 283 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 284 goto end;
f0deb4d3 285
cf10df81
RS		 286 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
287 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 288 goto end;
6acdd3e5 289 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 290 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
291 == client_keylog_callback))
6acdd3e5 292 goto end;
710756a9 293 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 294 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
295 == server_keylog_callback))
6acdd3e5 296 goto end;
6acdd3e5 297
710756a9
RS		 298 /* Now do a handshake and check that the logs have been written to. */
299 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
300 &clientssl, NULL, NULL))
301 || !TEST_true(create_ssl_connection(serverssl, clientssl,
302 SSL_ERROR_NONE))
303 || !TEST_false(error_writing_log)
304 || !TEST_int_gt(client_log_buffer_index, 0)
305 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 306 goto end;
6acdd3e5 307
f1a5939f
CB		 308 /*
309 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 310 * do that by using strtok and confirming that we have more or less the
f1a5939f
CB		 311 * data we expect. For both client and server, we expect to see one master
312 * secret. The client should also see a RSA key exchange.
6acdd3e5 313 */
f1a5939f
CB		 314 expected.rsa_key_exchange_count = 1;
315 expected.master_secret_count = 1;
710756a9
RS		 316 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
317 SSL_get_session(clientssl), &expected)))
6acdd3e5 318 goto end;
f1a5939f
CB		 319
320 expected.rsa_key_exchange_count = 0;
710756a9
RS		 321 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
322 SSL_get_session(serverssl), &expected)))
6acdd3e5 323 goto end;
6acdd3e5
CB		 324
325 testresult = 1;
326
327end:
328 SSL_free(serverssl);
329 SSL_free(clientssl);
330 SSL_CTX_free(sctx);
331 SSL_CTX_free(cctx);
332
333 return testresult;
334}
c423ecaa 335#endif
6acdd3e5
CB		 336
337#ifndef OPENSSL_NO_TLS1_3
710756a9
RS		 338static int test_keylog_no_master_key(void)
339{
6acdd3e5
CB		 340 SSL_CTX *cctx = NULL, *sctx = NULL;
341 SSL *clientssl = NULL, *serverssl = NULL;
342 int testresult = 0;
f1a5939f 343 struct sslapitest_log_counts expected = {0};
6acdd3e5
CB		 344
345 /* Clean up logging space */
710756a9
RS		 346 memset(client_log_buffer, 0, sizeof(client_log_buffer));
347 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 348 client_log_buffer_index = 0;
349 server_log_buffer_index = 0;
350 error_writing_log = 0;
351
710756a9
RS		 352 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
353 TLS_client_method(), &sctx,
354 &cctx, cert, privkey)))
6acdd3e5 355 return 0;
6acdd3e5 356
cf10df81
RS		 357 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
358 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 359 goto end;
6acdd3e5
CB		 360
361 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 362 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
363 == client_keylog_callback))
6acdd3e5 364 goto end;
6acdd3e5 365
710756a9 366 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 367 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
368 == server_keylog_callback))
6acdd3e5 369 goto end;
6acdd3e5 370
710756a9
RS		 371 /* Now do a handshake and check that the logs have been written to. */
372 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
373 &clientssl, NULL, NULL))
374 || !TEST_true(create_ssl_connection(serverssl, clientssl,
375 SSL_ERROR_NONE))
376 || !TEST_false(error_writing_log))
6acdd3e5 377 goto end;
6acdd3e5 378
f1a5939f
CB		 379 /*
380 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 381 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 382 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 383 */
f1a5939f
CB		 384 expected.client_handshake_secret_count = 1;
385 expected.server_handshake_secret_count = 1;
386 expected.client_application_secret_count = 1;
387 expected.server_application_secret_count = 1;
710756a9
RS		 388 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
389 SSL_get_session(clientssl), &expected))
390 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
391 SSL_get_session(serverssl),
392 &expected)))
6acdd3e5 393 goto end;
6acdd3e5
CB		 394
395 testresult = 1;
396
397end:
398 SSL_free(serverssl);
399 SSL_free(clientssl);
400 SSL_CTX_free(sctx);
401 SSL_CTX_free(cctx);
402
403 return testresult;
404}
405#endif
406
e9ee6536 407#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 408static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 409{
410 int *ctr = arg;
411 const unsigned char *p;
8ea404fb 412 int *exts;
2afaee51
BK		 413 /* We only configure two ciphers, but the SCSV is added automatically. */
414#ifdef OPENSSL_NO_EC
415 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
416#else
417 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
418 0x2c, 0x00, 0xff};
419#endif
8ea404fb
BK		 420 const int expected_extensions[] = {
421#ifndef OPENSSL_NO_EC
422 11, 10,
423#endif
10ed1b72 424 35, 22, 23, 13};
2afaee51
BK		 425 size_t len;
426
427 /* Make sure we can defer processing and get called back. */
428 if ((*ctr)++ == 0)
f1b97da1 429 return SSL_CLIENT_HELLO_RETRY;
2afaee51 430
a9c0d8be 431 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 432 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 433 || !TEST_size_t_eq(
434 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 435 || !TEST_int_eq(*p, 0))
f1b97da1 436 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 437 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 438 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 439 if (len != OSSL_NELEM(expected_extensions) ||
440 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 441 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 442 OPENSSL_free(exts);
f1b97da1 443 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 444 }
445 OPENSSL_free(exts);
f1b97da1 446 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 447}
448
a9c0d8be 449static int test_client_hello_cb(void)
710756a9 450{
2afaee51
BK		 451 SSL_CTX *cctx = NULL, *sctx = NULL;
452 SSL *clientssl = NULL, *serverssl = NULL;
453 int testctr = 0, testresult = 0;
454
710756a9
RS		 455 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
456 TLS_client_method(), &sctx,
457 &cctx, cert, privkey)))
2afaee51 458 goto end;
a9c0d8be 459 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 460
2afaee51
BK		 461 /* The gimpy cipher list we configure can't do TLS 1.3. */
462 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 463
710756a9
RS		 464 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
465 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
466 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
467 &clientssl, NULL, NULL))
468 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 469 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 470 /*
471 * Passing a -1 literal is a hack since
472 * the real value was lost.
473 * */
a9c0d8be
DB		 474 || !TEST_int_eq(SSL_get_error(serverssl, -1),
475 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 476 || !TEST_true(create_ssl_connection(serverssl, clientssl,
477 SSL_ERROR_NONE)))
2afaee51 478 goto end;
2afaee51
BK		 479
480 testresult = 1;
481
482end:
483 SSL_free(serverssl);
484 SSL_free(clientssl);
485 SSL_CTX_free(sctx);
486 SSL_CTX_free(cctx);
487
488 return testresult;
489}
e9ee6536 490#endif
2afaee51 491
84d5549e 492static int execute_test_large_message(const SSL_METHOD *smeth,
7856332e 493 const SSL_METHOD *cmeth, int read_ahead)
84d5549e
MC		 494{
495 SSL_CTX *cctx = NULL, *sctx = NULL;
496 SSL *clientssl = NULL, *serverssl = NULL;
497 int testresult = 0;
498 int i;
710756a9 499 BIO *certbio = NULL;
84d5549e
MC		 500 X509 *chaincert = NULL;
501 int certlen;
502
710756a9 503 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
84d5549e 504 goto end;
84d5549e 505 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
fa454945
MC		 506 BIO_free(certbio);
507 certbio = NULL;
710756a9 508 if (!TEST_ptr(chaincert))
fa454945 509 goto end;
84d5549e 510
710756a9
RS		 511 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, &sctx,
512 &cctx, cert, privkey)))
84d5549e 513 goto end;
84d5549e 514
710756a9 515 if (read_ahead) {
7856332e
MC		 516 /*
517 * Test that read_ahead works correctly when dealing with large
518 * records
519 */
520 SSL_CTX_set_read_ahead(cctx, 1);
521 }
522
84d5549e
MC		 523 /*
524 * We assume the supplied certificate is big enough so that if we add
525 * NUM_EXTRA_CERTS it will make the overall message large enough. The
526 * default buffer size is requested to be 16k, but due to the way BUF_MEM
710756a9
RS		 527 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
528 * test we need to have a message larger than that.
84d5549e
MC		 529 */
530 certlen = i2d_X509(chaincert, NULL);
710756a9
RS		 531 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
532 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
84d5549e 533 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
710756a9 534 if (!X509_up_ref(chaincert))
84d5549e 535 goto end;
84d5549e 536 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
84d5549e
MC		 537 X509_free(chaincert);
538 goto end;
539 }
540 }
541
710756a9
RS		 542 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
543 NULL, NULL))
544 || !TEST_true(create_ssl_connection(serverssl, clientssl,
545 SSL_ERROR_NONE)))
84d5549e 546 goto end;
84d5549e 547
4bf08600
MC		 548 /*
549 * Calling SSL_clear() first is not required but this tests that SSL_clear()
550 * doesn't leak (when using enable-crypto-mdebug).
551 */
710756a9 552 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 553 goto end;
84d5549e 554
4bf08600 555 testresult = 1;
84d5549e
MC		 556 end:
557 X509_free(chaincert);
558 SSL_free(serverssl);
559 SSL_free(clientssl);
560 SSL_CTX_free(sctx);
561 SSL_CTX_free(cctx);
562
563 return testresult;
564}
565
566static int test_large_message_tls(void)
567{
7856332e
MC		 568 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
569 0);
570}
571
572static int test_large_message_tls_read_ahead(void)
573{
574 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
575 1);
84d5549e
MC		 576}
577
55386bef 578#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 579static int test_large_message_dtls(void)
580{
7856332e
MC		 581 /*
582 * read_ahead is not relevant to DTLS because DTLS always acts as if
583 * read_ahead is set.
584 */
84d5549e 585 return execute_test_large_message(DTLS_server_method(),
7856332e 586 DTLS_client_method(), 0);
84d5549e 587}
55386bef 588#endif
84d5549e 589
8f8c11d8 590#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 591static int ocsp_server_cb(SSL *s, void *arg)
592{
593 int *argi = (int *)arg;
710756a9 594 unsigned char *copy = NULL;
ba881d3b
MC		 595 STACK_OF(OCSP_RESPID) *ids = NULL;
596 OCSP_RESPID *id = NULL;
597
598 if (*argi == 2) {
599 /* In this test we are expecting exactly 1 OCSP_RESPID */
600 SSL_get_tlsext_status_ids(s, &ids);
601 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
602 return SSL_TLSEXT_ERR_ALERT_FATAL;
603
604 id = sk_OCSP_RESPID_value(ids, 0);
605 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
606 return SSL_TLSEXT_ERR_ALERT_FATAL;
607 } else if (*argi != 1) {
608 return SSL_TLSEXT_ERR_ALERT_FATAL;
609 }
610
710756a9 611 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 612 return SSL_TLSEXT_ERR_ALERT_FATAL;
613
710756a9 614 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
ba881d3b 615 ocsp_server_called = 1;
ba881d3b
MC		 616 return SSL_TLSEXT_ERR_OK;
617}
618
619static int ocsp_client_cb(SSL *s, void *arg)
620{
621 int *argi = (int *)arg;
622 const unsigned char *respderin;
623 size_t len;
624
625 if (*argi != 1 && *argi != 2)
626 return 0;
627
628 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 629 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 630 return 0;
631
632 ocsp_client_called = 1;
ba881d3b
MC		 633 return 1;
634}
635
2cb4b5f6
MC		 636static int test_tlsext_status_type(void)
637{
ba881d3b
MC		 638 SSL_CTX *cctx = NULL, *sctx = NULL;
639 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 640 int testresult = 0;
ba881d3b
MC		 641 STACK_OF(OCSP_RESPID) *ids = NULL;
642 OCSP_RESPID *id = NULL;
643 BIO *certbio = NULL;
2cb4b5f6 644
ba881d3b 645 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
710756a9 646 &cctx, cert, privkey))
ba881d3b 647 return 0;
2cb4b5f6 648
710756a9 649 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 650 goto end;
2cb4b5f6 651
ba881d3b 652 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 653
ba881d3b 654 clientssl = SSL_new(cctx);
710756a9
RS		 655 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
656 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
657 TLSEXT_STATUSTYPE_ocsp))
658 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
659 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 660 goto end;
2cb4b5f6 661
ba881d3b
MC		 662 SSL_free(clientssl);
663 clientssl = NULL;
2cb4b5f6 664
710756a9
RS		 665 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
666 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 667 goto end;
2cb4b5f6 668
ba881d3b 669 clientssl = SSL_new(cctx);
710756a9 670 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 671 goto end;
ba881d3b
MC		 672 SSL_free(clientssl);
673 clientssl = NULL;
674
675 /*
676 * Now actually do a handshake and check OCSP information is exchanged and
677 * the callbacks get called
678 */
ba881d3b
MC		 679 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
680 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
681 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
682 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 683 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
684 &clientssl, NULL, NULL))
685 || !TEST_true(create_ssl_connection(serverssl, clientssl,
686 SSL_ERROR_NONE))
687 || !TEST_true(ocsp_client_called)
688 || !TEST_true(ocsp_server_called))
ba881d3b 689 goto end;
ba881d3b
MC		 690 SSL_free(serverssl);
691 SSL_free(clientssl);
692 serverssl = NULL;
693 clientssl = NULL;
694
695 /* Try again but this time force the server side callback to fail */
696 ocsp_client_called = 0;
697 ocsp_server_called = 0;
698 cdummyarg = 0;
710756a9
RS		 699 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
700 &clientssl, NULL, NULL))
701 /* This should fail because the callback will fail */
702 || !TEST_false(create_ssl_connection(serverssl, clientssl,
703 SSL_ERROR_NONE))
704 || !TEST_false(ocsp_client_called)
705 || !TEST_false(ocsp_server_called))
ba881d3b 706 goto end;
ba881d3b
MC		 707 SSL_free(serverssl);
708 SSL_free(clientssl);
709 serverssl = NULL;
710 clientssl = NULL;
711
712 /*
713 * This time we'll get the client to send an OCSP_RESPID that it will
714 * accept.
715 */
716 ocsp_client_called = 0;
717 ocsp_server_called = 0;
718 cdummyarg = 2;
710756a9
RS		 719 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
720 &clientssl, NULL, NULL)))
ba881d3b 721 goto end;
ba881d3b
MC		 722
723 /*
724 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 725 * specific one. We'll use the server cert.
ba881d3b 726 */
710756a9
RS		 727 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
728 || !TEST_ptr(id = OCSP_RESPID_new())
729 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
730 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
731 NULL, NULL, NULL))
732 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
733 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 734 goto end;
ba881d3b
MC		 735 id = NULL;
736 SSL_set_tlsext_status_ids(clientssl, ids);
737 /* Control has been transferred */
738 ids = NULL;
739
740 BIO_free(certbio);
741 certbio = NULL;
742
710756a9
RS		 743 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
744 SSL_ERROR_NONE))
745 || !TEST_true(ocsp_client_called)
746 || !TEST_true(ocsp_server_called))
ba881d3b 747 goto end;
ba881d3b 748
2cb4b5f6
MC		 749 testresult = 1;
750
751 end:
ba881d3b
MC		 752 SSL_free(serverssl);
753 SSL_free(clientssl);
754 SSL_CTX_free(sctx);
755 SSL_CTX_free(cctx);
756 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
757 OCSP_RESPID_free(id);
758 BIO_free(certbio);
759 X509_free(ocspcert);
760 ocspcert = NULL;
2cb4b5f6
MC		 761
762 return testresult;
763}
8f8c11d8 764#endif
2cb4b5f6 765
bf208d95 766#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 767static int new_called, remove_called, get_called;
eaa776da 768
eaa776da
MC		 769static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
770{
771 new_called++;
c0537ebd
MC		 772 /*
773 * sess has been up-refed for us, but we don't actually need it so free it
774 * immediately.
775 */
776 SSL_SESSION_free(sess);
eaa776da
MC		 777 return 1;
778}
779
780static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
781{
782 remove_called++;
783}
784
7a301f08
MC		 785static SSL_SESSION *get_sess_val = NULL;
786
787static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
788 int *copy)
789{
0afca811 790 get_called++;
7a301f08
MC		 791 *copy = 1;
792 return get_sess_val;
793}
794
7a301f08
MC		 795static int execute_test_session(int maxprot, int use_int_cache,
796 int use_ext_cache)
2cb4b5f6
MC		 797{
798 SSL_CTX *sctx = NULL, *cctx = NULL;
799 SSL *serverssl1 = NULL, *clientssl1 = NULL;
800 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 801# ifndef OPENSSL_NO_TLS1_1
eaa776da 802 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 803# endif
2cb4b5f6
MC		 804 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
805 int testresult = 0;
806
7e885b7b
P		 807 new_called = remove_called = 0;
808
710756a9
RS		 809 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
810 TLS_client_method(), &sctx,
811 &cctx, cert, privkey)))
2cb4b5f6 812 return 0;
2cb4b5f6 813
7a301f08
MC		 814 /*
815 * Only allow the max protocol version so we can force a connection failure
816 * later
817 */
818 SSL_CTX_set_min_proto_version(cctx, maxprot);
819 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 820
821 /* Set up session cache */
7e885b7b 822 if (use_ext_cache) {
eaa776da
MC		 823 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
824 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
825 }
7e885b7b 826 if (use_int_cache) {
eaa776da
MC		 827 /* Also covers instance where both are set */
828 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
829 } else {
830 SSL_CTX_set_session_cache_mode(cctx,
831 SSL_SESS_CACHE_CLIENT
832 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
833 }
2cb4b5f6 834
710756a9
RS		 835 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
836 NULL, NULL))
837 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
838 SSL_ERROR_NONE))
839 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 840 goto end;
2cb4b5f6 841
710756a9 842 /* Should fail because it should already be in the cache */
7e885b7b 843 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 844 goto end;
7a301f08
MC		 845 if (use_ext_cache
846 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
b4982125 847 goto end;
b4982125 848
c0537ebd
MC		 849 new_called = remove_called = 0;
850 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
851 &clientssl2, NULL, NULL))
852 || !TEST_true(SSL_set_session(clientssl2, sess1))
853 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
854 SSL_ERROR_NONE))
855 || !TEST_true(SSL_session_reused(clientssl2)))
856 goto end;
857
7a301f08
MC		 858 if (maxprot == TLS1_3_VERSION) {
859 /*
860 * In TLSv1.3 we should have created a new session even though we have
861 * resumed. The original session should also have been removed.
862 */
863 if (use_ext_cache
864 && (!TEST_int_eq(new_called, 1)
865 || !TEST_int_eq(remove_called, 1)))
866 goto end;
867 } else {
868 /*
869 * In TLSv1.2 we expect to have resumed so no sessions added or
870 * removed.
871 */
872 if (use_ext_cache
873 && (!TEST_int_eq(new_called, 0)
874 || !TEST_int_eq(remove_called, 0)))
875 goto end;
876 }
c0537ebd
MC		 877
878 SSL_SESSION_free(sess1);
879 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
880 goto end;
881 shutdown_ssl_connection(serverssl2, clientssl2);
882 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 883
884 new_called = remove_called = 0;
710756a9
RS		 885 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
886 &clientssl2, NULL, NULL))
887 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
888 SSL_ERROR_NONE)))
2cb4b5f6 889 goto end;
2cb4b5f6 890
710756a9 891 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 892 goto end;
2cb4b5f6 893
7a301f08
MC		 894 if (use_ext_cache
895 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
eaa776da 896 goto end;
eaa776da 897
c0537ebd 898 new_called = remove_called = 0;
2cb4b5f6 899 /*
710756a9
RS		 900 * This should clear sess2 from the cache because it is a "bad" session.
901 * See SSL_set_session() documentation.
2cb4b5f6 902 */
710756a9 903 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 904 goto end;
7a301f08
MC		 905 if (use_ext_cache
906 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 907 goto end;
710756a9 908 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 909 goto end;
2cb4b5f6 910
7e885b7b 911 if (use_int_cache) {
710756a9
RS		 912 /* Should succeeded because it should not already be in the cache */
913 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
914 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 915 goto end;
eaa776da
MC		 916 }
917
c0537ebd 918 new_called = remove_called = 0;
eaa776da 919 /* This shouldn't be in the cache so should fail */
710756a9 920 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 921 goto end;
2cb4b5f6 922
7a301f08
MC		 923 if (use_ext_cache
924 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 925 goto end;
2cb4b5f6 926
bf208d95 927# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 928 new_called = remove_called = 0;
eaa776da
MC		 929 /* Force a connection failure */
930 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 931 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
932 &clientssl3, NULL, NULL))
933 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 934 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 935 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
936 SSL_ERROR_NONE)))
eaa776da 937 goto end;
b4982125 938
eaa776da 939 /* We should have automatically removed the session from the cache */
7a301f08
MC		 940 if (use_ext_cache
941 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 942 goto end;
2cb4b5f6 943
710756a9 944 /* Should succeed because it should not already be in the cache */
7e885b7b 945 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 946 goto end;
bf208d95 947# endif
eaa776da 948
7a301f08
MC		 949 /* Now do some tests for server side caching */
950 if (use_ext_cache) {
951 SSL_CTX_sess_set_new_cb(cctx, NULL);
952 SSL_CTX_sess_set_remove_cb(cctx, NULL);
953 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
954 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
955 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
956 get_sess_val = NULL;
957 }
958
959 SSL_CTX_set_session_cache_mode(cctx, 0);
960 /* Internal caching is the default on the server side */
961 if (!use_int_cache)
962 SSL_CTX_set_session_cache_mode(sctx,
963 SSL_SESS_CACHE_SERVER
964 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
965
966 SSL_free(serverssl1);
967 SSL_free(clientssl1);
968 serverssl1 = clientssl1 = NULL;
969 SSL_free(serverssl2);
970 SSL_free(clientssl2);
971 serverssl2 = clientssl2 = NULL;
972 SSL_SESSION_free(sess1);
973 sess1 = NULL;
974 SSL_SESSION_free(sess2);
975 sess2 = NULL;
976
977 SSL_CTX_set_max_proto_version(sctx, maxprot);
978 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 979 new_called = remove_called = get_called = 0;
7a301f08
MC		 980 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
981 NULL, NULL))
982 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
983 SSL_ERROR_NONE))
984 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
985 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
986 goto end;
987
988 /* Should fail because it should already be in the cache */
989 if (use_int_cache && !TEST_false(SSL_CTX_add_session(sctx, sess2)))
990 goto end;
991
992 if (use_ext_cache) {
993 SSL_SESSION *tmp = sess2;
994
0afca811
KY		 995 if (!TEST_int_eq(new_called, 1)
996 || !TEST_int_eq(remove_called, 0)
997 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 998 goto end;
999 /*
1000 * Delete the session from the internal cache to force a lookup from
1001 * the external cache. We take a copy first because
1002 * SSL_CTX_remove_session() also marks the session as non-resumable.
1003 */
3cb6a4d6
BK		 1004 if (use_int_cache) {
1005 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1006 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1007 goto end;
1008 SSL_SESSION_free(sess2);
1009 }
7a301f08
MC		 1010 sess2 = tmp;
1011 }
1012
0afca811 1013 new_called = remove_called = get_called = 0;
7a301f08
MC		 1014 get_sess_val = sess2;
1015 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1016 &clientssl2, NULL, NULL))
1017 || !TEST_true(SSL_set_session(clientssl2, sess1))
1018 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1019 SSL_ERROR_NONE))
1020 || !TEST_true(SSL_session_reused(clientssl2)))
1021 goto end;
1022
0afca811
KY		 1023 if (use_ext_cache) {
1024 if (!TEST_int_eq(new_called, 0)
1025 || !TEST_int_eq(remove_called, 0))
1026 goto end;
1027
1028 if (maxprot == TLS1_3_VERSION) {
1029 if (!TEST_int_eq(get_called, 0))
1030 goto end;
1031 } else {
1032 if (!TEST_int_eq(get_called, 1))
1033 goto end;
1034 }
1035 }
7a301f08 1036
2cb4b5f6 1037 testresult = 1;
eaa776da 1038
2cb4b5f6
MC		 1039 end:
1040 SSL_free(serverssl1);
1041 SSL_free(clientssl1);
1042 SSL_free(serverssl2);
1043 SSL_free(clientssl2);
bf208d95 1044# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 1045 SSL_free(serverssl3);
1046 SSL_free(clientssl3);
bf208d95 1047# endif
2cb4b5f6
MC		 1048 SSL_SESSION_free(sess1);
1049 SSL_SESSION_free(sess2);
1050 SSL_CTX_free(sctx);
1051 SSL_CTX_free(cctx);
1052
1053 return testresult;
1054}
bf208d95 1055#endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 1056
7fb4c820
MC		 1057static int test_session_with_only_int_cache(void)
1058{
7a301f08
MC		 1059#ifndef OPENSSL_NO_TLS1_3
1060 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1061 return 0;
1062#endif
1063
1064#ifndef OPENSSL_NO_TLS1_2
1065 return execute_test_session(TLS1_2_VERSION, 1, 0);
1066#else
1067 return 1;
1068#endif
eaa776da
MC		 1069}
1070
7fb4c820
MC		 1071static int test_session_with_only_ext_cache(void)
1072{
7a301f08
MC		 1073#ifndef OPENSSL_NO_TLS1_3
1074 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1075 return 0;
1076#endif
1077
1078#ifndef OPENSSL_NO_TLS1_2
1079 return execute_test_session(TLS1_2_VERSION, 0, 1);
1080#else
1081 return 1;
1082#endif
eaa776da
MC		 1083}
1084
7fb4c820
MC		 1085static int test_session_with_both_cache(void)
1086{
7a301f08
MC		 1087#ifndef OPENSSL_NO_TLS1_3
1088 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1089 return 0;
1090#endif
1091
1092#ifndef OPENSSL_NO_TLS1_2
1093 return execute_test_session(TLS1_2_VERSION, 1, 1);
1094#else
1095 return 1;
1096#endif
eaa776da
MC		 1097}
1098
7fb4c820
MC		 1099#define USE_NULL 0
1100#define USE_BIO_1 1
1101#define USE_BIO_2 2
1102
1103#define TOTAL_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1104
1105static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1106{
1107 switch (type) {
1108 case USE_NULL:
1109 *res = NULL;
1110 break;
1111 case USE_BIO_1:
1112 *res = bio1;
1113 break;
1114 case USE_BIO_2:
1115 *res = bio2;
1116 break;
1117 }
1118}
1119
1120static int test_ssl_set_bio(int idx)
1121{
710756a9 1122 SSL_CTX *ctx;
7fb4c820
MC		 1123 BIO *bio1 = NULL;
1124 BIO *bio2 = NULL;
0fae8150 1125 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7fb4c820
MC		 1126 SSL *ssl = NULL;
1127 int initrbio, initwbio, newrbio, newwbio;
1128 int testresult = 0;
1129
7fb4c820
MC		 1130 initrbio = idx % 3;
1131 idx /= 3;
1132 initwbio = idx % 3;
1133 idx /= 3;
1134 newrbio = idx % 3;
1135 idx /= 3;
1136 newwbio = idx;
710756a9
RS		 1137 if (!TEST_int_le(newwbio, 2))
1138 return 0;
1139
1140 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1141 || !TEST_ptr(ssl = SSL_new(ctx)))
1142 goto end;
7fb4c820 1143
710756a9
RS		 1144 if (initrbio == USE_BIO_1
1145 || initwbio == USE_BIO_1
1146 || newrbio == USE_BIO_1
7fb4c820 1147 || newwbio == USE_BIO_1) {
710756a9 1148 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 1149 goto end;
7fb4c820
MC		 1150 }
1151
710756a9
RS		 1152 if (initrbio == USE_BIO_2
1153 || initwbio == USE_BIO_2
1154 || newrbio == USE_BIO_2
7fb4c820 1155 || newwbio == USE_BIO_2) {
710756a9 1156 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 1157 goto end;
7fb4c820
MC		 1158 }
1159
1160 setupbio(&irbio, bio1, bio2, initrbio);
1161 setupbio(&iwbio, bio1, bio2, initwbio);
1162
1163 /*
1164 * We want to maintain our own refs to these BIO, so do an up ref for each
69687aa8 1165 * BIO that will have ownership transferred in the SSL_set_bio() call
7fb4c820
MC		 1166 */
1167 if (irbio != NULL)
1168 BIO_up_ref(irbio);
1169 if (iwbio != NULL && iwbio != irbio)
1170 BIO_up_ref(iwbio);
1171
1172 SSL_set_bio(ssl, irbio, iwbio);
1173
1174 setupbio(&nrbio, bio1, bio2, newrbio);
1175 setupbio(&nwbio, bio1, bio2, newwbio);
1176
1177 /*
1178 * We will (maybe) transfer ownership again so do more up refs.
1179 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1180 * already been set!
1181 */
710756a9
RS		 1182 if (nrbio != NULL
1183 && nrbio != irbio
1184 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 1185 BIO_up_ref(nrbio);
710756a9
RS		 1186 if (nwbio != NULL
1187 && nwbio != nrbio
1188 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 1189 BIO_up_ref(nwbio);
1190
1191 SSL_set_bio(ssl, nrbio, nwbio);
1192
1193 testresult = 1;
1194
1195 end:
1196 SSL_free(ssl);
1197 BIO_free(bio1);
1198 BIO_free(bio2);
710756a9 1199
7fb4c820
MC		 1200 /*
1201 * This test is checking that the ref counting for SSL_set_bio is correct.
1202 * If we get here and we did too many frees then we will fail in the above
1203 * functions. If we haven't done enough then this will only be detected in
1204 * a crypto-mdebug build
1205 */
1206 SSL_CTX_free(ctx);
7fb4c820
MC		 1207 return testresult;
1208}
1209
7e885b7b 1210typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 1211
7e885b7b 1212static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 1213{
1214 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 1215 SSL_CTX *ctx;
9a716987
MC		 1216 SSL *ssl = NULL;
1217 int testresult = 0;
1218
710756a9
RS		 1219 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1220 || !TEST_ptr(ssl = SSL_new(ctx))
1221 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1222 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 1223 goto end;
9a716987
MC		 1224
1225 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1226
1227 /*
1228 * If anything goes wrong here then we could leak memory, so this will
1229 * be caught in a crypto-mdebug build
1230 */
1231 BIO_push(sslbio, membio1);
1232
69687aa8 1233 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 1234 if (change_bio != NO_BIO_CHANGE) {
710756a9 1235 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
9a716987 1236 goto end;
7e885b7b 1237 if (change_bio == CHANGE_RBIO)
65e2d672 1238 SSL_set0_rbio(ssl, membio2);
9a716987 1239 else
65e2d672 1240 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 1241 }
1242 ssl = NULL;
1243
7e885b7b 1244 if (pop_ssl)
9a716987
MC		 1245 BIO_pop(sslbio);
1246 else
1247 BIO_pop(membio1);
1248
1249 testresult = 1;
1250 end:
1251 BIO_free(membio1);
1252 BIO_free(sslbio);
1253 SSL_free(ssl);
1254 SSL_CTX_free(ctx);
1255
1256 return testresult;
1257}
1258
1259static int test_ssl_bio_pop_next_bio(void)
1260{
7e885b7b 1261 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 1262}
1263
1264static int test_ssl_bio_pop_ssl_bio(void)
1265{
7e885b7b 1266 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 1267}
1268
1269static int test_ssl_bio_change_rbio(void)
1270{
7e885b7b 1271 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 1272}
1273
1274static int test_ssl_bio_change_wbio(void)
1275{
7e885b7b 1276 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 1277}
1278
c423ecaa 1279#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae
MC		 1280typedef struct {
1281 /* The list of sig algs */
1282 const int *list;
1283 /* The length of the list */
1284 size_t listlen;
1285 /* A sigalgs list in string format */
1286 const char *liststr;
1287 /* Whether setting the list should succeed */
1288 int valid;
1289 /* Whether creating a connection with the list should succeed */
1290 int connsuccess;
1291} sigalgs_list;
1292
1293static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 1294# ifndef OPENSSL_NO_EC
f1b25aae
MC		 1295static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1296static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 1297# endif
f1b25aae
MC		 1298static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1299static const int invalidlist2[] = {NID_sha256, NID_undef};
1300static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1301static const int invalidlist4[] = {NID_sha256};
1302static const sigalgs_list testsigalgs[] = {
1303 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 1304# ifndef OPENSSL_NO_EC
f1b25aae
MC		 1305 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1306 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 1307# endif
f1b25aae 1308 {NULL, 0, "RSA+SHA256", 1, 1},
c423ecaa 1309# ifndef OPENSSL_NO_EC
f1b25aae
MC		 1310 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1311 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 1312# endif
f1b25aae
MC		 1313 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1314 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1315 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1316 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1317 {NULL, 0, "RSA", 0, 0},
1318 {NULL, 0, "SHA256", 0, 0},
1319 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 1320 {NULL, 0, "Invalid", 0, 0}
1321};
f1b25aae
MC		 1322
1323static int test_set_sigalgs(int idx)
1324{
1325 SSL_CTX *cctx = NULL, *sctx = NULL;
1326 SSL *clientssl = NULL, *serverssl = NULL;
1327 int testresult = 0;
1328 const sigalgs_list *curr;
1329 int testctx;
1330
1331 /* Should never happen */
710756a9 1332 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 1333 return 0;
1334
1335 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1336 curr = testctx ? &testsigalgs[idx]
1337 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1338
710756a9
RS		 1339 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1340 TLS_client_method(), &sctx,
1341 &cctx, cert, privkey)))
f1b25aae 1342 return 0;
f1b25aae 1343
d2e491f2
MC		 1344 /*
1345 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1346 * for TLSv1.2 for now until we add a new API.
1347 */
1348 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1349
f1b25aae
MC		 1350 if (testctx) {
1351 int ret;
710756a9 1352
f1b25aae
MC		 1353 if (curr->list != NULL)
1354 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1355 else
1356 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1357
1358 if (!ret) {
1359 if (curr->valid)
710756a9 1360 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 1361 else
1362 testresult = 1;
1363 goto end;
1364 }
1365 if (!curr->valid) {
710756a9 1366 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 1367 goto end;
1368 }
1369 }
1370
710756a9
RS		 1371 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1372 &clientssl, NULL, NULL)))
f1b25aae 1373 goto end;
f1b25aae
MC		 1374
1375 if (!testctx) {
1376 int ret;
1377
1378 if (curr->list != NULL)
1379 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1380 else
1381 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1382 if (!ret) {
1383 if (curr->valid)
710756a9 1384 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 1385 else
1386 testresult = 1;
1387 goto end;
1388 }
710756a9 1389 if (!curr->valid)
f1b25aae 1390 goto end;
f1b25aae
MC		 1391 }
1392
710756a9
RS		 1393 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1394 SSL_ERROR_NONE),
1395 curr->connsuccess))
f1b25aae 1396 goto end;
f1b25aae
MC		 1397
1398 testresult = 1;
1399
1400 end:
1401 SSL_free(serverssl);
1402 SSL_free(clientssl);
1403 SSL_CTX_free(sctx);
1404 SSL_CTX_free(cctx);
1405
1406 return testresult;
1407}
c423ecaa 1408#endif
f1b25aae 1409
fff202e5
MC		 1410#ifndef OPENSSL_NO_TLS1_3
1411
57dee9bb
MC		 1412static SSL_SESSION *clientpsk = NULL;
1413static SSL_SESSION *serverpsk = NULL;
02a3ed5a
MC		 1414static const char *pskid = "Identity";
1415static const char *srvid;
1416
1417static int use_session_cb_cnt = 0;
1418static int find_session_cb_cnt = 0;
532f9578
MC		 1419static int psk_client_cb_cnt = 0;
1420static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 1421
1422static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
1423 size_t *idlen, SSL_SESSION **sess)
1424{
1425 switch (++use_session_cb_cnt) {
1426 case 1:
1427 /* The first call should always have a NULL md */
1428 if (md != NULL)
1429 return 0;
1430 break;
1431
1432 case 2:
1433 /* The second call should always have an md */
1434 if (md == NULL)
1435 return 0;
1436 break;
1437
1438 default:
1439 /* We should only be called a maximum of twice */
1440 return 0;
1441 }
1442
57dee9bb
MC		 1443 if (clientpsk != NULL)
1444 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 1445
57dee9bb 1446 *sess = clientpsk;
02a3ed5a
MC		 1447 *id = (const unsigned char *)pskid;
1448 *idlen = strlen(pskid);
1449
1450 return 1;
1451}
1452
532f9578
MC		 1453static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
1454 unsigned int max_id_len,
1455 unsigned char *psk,
1456 unsigned int max_psk_len)
1457{
1458 unsigned int psklen = 0;
1459
1460 psk_client_cb_cnt++;
1461
1462 if (strlen(pskid) + 1 > max_id_len)
1463 return 0;
1464
1465 /* We should only ever be called a maximum of twice per connection */
1466 if (psk_client_cb_cnt > 2)
1467 return 0;
1468
1469 if (clientpsk == NULL)
1470 return 0;
1471
1472 /* We'll reuse the PSK we set up for TLSv1.3 */
1473 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
1474 return 0;
1475 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
1476 strncpy(id, pskid, max_id_len);
1477
1478 return psklen;
1479}
1480
02a3ed5a
MC		 1481static int find_session_cb(SSL *ssl, const unsigned char *identity,
1482 size_t identity_len, SSL_SESSION **sess)
1483{
1484 find_session_cb_cnt++;
1485
1486 /* We should only ever be called a maximum of twice per connection */
1487 if (find_session_cb_cnt > 2)
1488 return 0;
1489
57dee9bb 1490 if (serverpsk == NULL)
02a3ed5a
MC		 1491 return 0;
1492
1493 /* Identity should match that set by the client */
1494 if (strlen(srvid) != identity_len
1495 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
1496 /* No PSK found, continue but without a PSK */
1497 *sess = NULL;
1498 return 1;
1499 }
1500
57dee9bb
MC		 1501 SSL_SESSION_up_ref(serverpsk);
1502 *sess = serverpsk;
02a3ed5a
MC		 1503
1504 return 1;
1505}
1506
532f9578
MC		 1507static unsigned int psk_server_cb(SSL *ssl, const char *identity,
1508 unsigned char *psk, unsigned int max_psk_len)
1509{
1510 unsigned int psklen = 0;
1511
1512 psk_server_cb_cnt++;
1513
1514 /* We should only ever be called a maximum of twice per connection */
1515 if (find_session_cb_cnt > 2)
1516 return 0;
1517
1518 if (serverpsk == NULL)
1519 return 0;
1520
1521 /* Identity should match that set by the client */
1522 if (strcmp(srvid, identity) != 0) {
1523 return 0;
1524 }
1525
1526 /* We'll reuse the PSK we set up for TLSv1.3 */
1527 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
1528 return 0;
1529 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
1530
1531 return psklen;
1532}
1533
5f982038
MC		 1534#define MSG1 "Hello"
1535#define MSG2 "World."
1536#define MSG3 "This"
1537#define MSG4 "is"
1538#define MSG5 "a"
90049cea
MC		 1539#define MSG6 "test"
1540#define MSG7 "message."
5f982038 1541
02a3ed5a 1542#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
532f9578 1543#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
02a3ed5a 1544
5f982038
MC		 1545/*
1546 * Helper method to setup objects for early data test. Caller frees objects on
1547 * error.
1548 */
1549static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3cb47b4e 1550 SSL **serverssl, SSL_SESSION **sess, int idx)
5f982038 1551{
710756a9
RS		 1552 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1553 TLS_client_method(), sctx,
c39e4048
BK		 1554 cctx, cert, privkey))
1555 || !TEST_true(SSL_CTX_set_max_early_data(*sctx,
1556 SSL3_RT_MAX_PLAIN_LENGTH))
1557 || !TEST_true(SSL_CTX_set_max_early_data(*cctx,
1558 SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 1559 return 0;
5f982038 1560
02a3ed5a
MC		 1561 if (idx == 1) {
1562 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 1563 SSL_CTX_set_read_ahead(*cctx, 1);
1564 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 1565 } else if (idx == 2) {
1566 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
1567 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
1568 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
1569 use_session_cb_cnt = 0;
1570 find_session_cb_cnt = 0;
1571 srvid = pskid;
3cb47b4e
MC		 1572 }
1573
710756a9 1574 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 1575 NULL, NULL)))
1576 return 0;
1577
141e4709
MC		 1578 /*
1579 * For one of the run throughs (doesn't matter which one), we'll try sending
1580 * some SNI data in the initial ClientHello. This will be ignored (because
1581 * there is no SNI cb set up by the server), so it should not impact
1582 * early_data.
1583 */
1584 if (idx == 1
1585 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
1586 return 0;
1587
02a3ed5a
MC		 1588 if (idx == 2) {
1589 /* Create the PSK */
1590 const SSL_CIPHER *cipher = NULL;
1591 const unsigned char key[] = {
1592 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
1593 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
1594 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
1595 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
1596 0x2c, 0x2d, 0x2e, 0x2f
1597 };
1598
1599 cipher = SSL_CIPHER_find(*clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
57dee9bb
MC		 1600 clientpsk = SSL_SESSION_new();
1601 if (!TEST_ptr(clientpsk)
02a3ed5a 1602 || !TEST_ptr(cipher)
57dee9bb 1603 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
02a3ed5a 1604 sizeof(key)))
57dee9bb 1605 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
02a3ed5a 1606 || !TEST_true(
57dee9bb 1607 SSL_SESSION_set_protocol_version(clientpsk,
02a3ed5a
MC		 1608 TLS1_3_VERSION))
1609 /*
1610 * We just choose an arbitrary value for max_early_data which
1611 * should be big enough for testing purposes.
1612 */
57dee9bb
MC		 1613 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
1614 0x100))
1615 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1616 SSL_SESSION_free(clientpsk);
1617 clientpsk = NULL;
02a3ed5a
MC		 1618 return 0;
1619 }
57dee9bb 1620 serverpsk = clientpsk;
02a3ed5a
MC		 1621
1622 if (sess != NULL)
57dee9bb 1623 *sess = clientpsk;
02a3ed5a
MC		 1624 return 1;
1625 }
1626
1627 if (sess == NULL)
1628 return 1;
1629
1630 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
1631 SSL_ERROR_NONE)))
5f982038 1632 return 0;
5f982038
MC		 1633
1634 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 1635 SSL_shutdown(*clientssl);
1636 SSL_shutdown(*serverssl);
5f982038
MC		 1637 SSL_free(*serverssl);
1638 SSL_free(*clientssl);
1639 *serverssl = *clientssl = NULL;
1640
710756a9
RS		 1641 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
1642 clientssl, NULL, NULL))
1643 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 1644 return 0;
5f982038
MC		 1645
1646 return 1;
1647}
1648
3cb47b4e 1649static int test_early_data_read_write(int idx)
5f982038
MC		 1650{
1651 SSL_CTX *cctx = NULL, *sctx = NULL;
1652 SSL *clientssl = NULL, *serverssl = NULL;
1653 int testresult = 0;
1654 SSL_SESSION *sess = NULL;
9b5c865d
MC		 1655 unsigned char buf[20], data[1024];
1656 size_t readbytes, written, eoedlen, rawread, rawwritten;
1657 BIO *rbio;
5f982038 1658
710756a9
RS		 1659 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1660 &serverssl, &sess, idx)))
5f982038
MC		 1661 goto end;
1662
1663 /* Write and read some early data */
710756a9
RS		 1664 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1665 &written))
1666 || !TEST_size_t_eq(written, strlen(MSG1))
1667 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
1668 sizeof(buf), &readbytes),
1669 SSL_READ_EARLY_DATA_SUCCESS)
1670 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
1671 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1672 SSL_EARLY_DATA_ACCEPTED))
5f982038 1673 goto end;
5f982038
MC		 1674
1675 /*
09f28874 1676 * Server should be able to write data, and client should be able to
5f982038
MC		 1677 * read it.
1678 */
710756a9
RS		 1679 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
1680 &written))
1681 || !TEST_size_t_eq(written, strlen(MSG2))
1682 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1683 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 1684 goto end;
5f982038
MC		 1685
1686 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 1687 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
1688 &written))
1689 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 1690 goto end;
5f982038 1691
09f28874 1692 /* Server should still be able read early data after writing data */
710756a9
RS		 1693 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1694 &readbytes),
1695 SSL_READ_EARLY_DATA_SUCCESS)
1696 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 1697 goto end;
5f982038 1698
09f28874 1699 /* Write more data from server and read it from client */
710756a9
RS		 1700 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
1701 &written))
1702 || !TEST_size_t_eq(written, strlen(MSG4))
1703 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1704 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 1705 goto end;
5f982038
MC		 1706
1707 /*
1708 * If client writes normal data it should mean writing early data is no
1709 * longer possible.
1710 */
710756a9
RS		 1711 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1712 || !TEST_size_t_eq(written, strlen(MSG5))
1713 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1714 SSL_EARLY_DATA_ACCEPTED))
5f982038 1715 goto end;
5f982038 1716
9b5c865d
MC		 1717 /*
1718 * At this point the client has written EndOfEarlyData, ClientFinished and
1719 * normal (fully protected) data. We are going to cause a delay between the
1720 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
1721 * in the read BIO, and then just put back the EndOfEarlyData message.
1722 */
1723 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 1724 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
1725 || !TEST_size_t_lt(rawread, sizeof(data))
1726 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 1727 goto end;
710756a9 1728
9b5c865d
MC		 1729 /* Record length is in the 4th and 5th bytes of the record header */
1730 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 1731 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
1732 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 1733 goto end;
9b5c865d 1734
5f982038 1735 /* Server should be told that there is no more early data */
710756a9
RS		 1736 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1737 &readbytes),
1738 SSL_READ_EARLY_DATA_FINISH)
1739 || !TEST_size_t_eq(readbytes, 0))
5f982038 1740 goto end;
5f982038 1741
9b5c865d
MC		 1742 /*
1743 * Server has not finished init yet, so should still be able to write early
1744 * data.
1745 */
710756a9
RS		 1746 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
1747 &written))
1748 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 1749 goto end;
9b5c865d 1750
f8a303fa 1751 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 1752 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
1753 &rawwritten))
1754 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 1755 goto end;
f8a303fa 1756
5f982038 1757 /* Server should be able to read normal data */
710756a9
RS		 1758 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1759 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 1760 goto end;
5f982038 1761
09f28874 1762 /* Client and server should not be able to write/read early data now */
710756a9
RS		 1763 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1764 &written)))
5f982038 1765 goto end;
5f982038 1766 ERR_clear_error();
710756a9
RS		 1767 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1768 &readbytes),
1769 SSL_READ_EARLY_DATA_ERROR))
5f982038 1770 goto end;
5f982038
MC		 1771 ERR_clear_error();
1772
9b5c865d 1773 /* Client should be able to read the data sent by the server */
710756a9
RS		 1774 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1775 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 1776 goto end;
710756a9 1777
f8a303fa
MC		 1778 /*
1779 * Make sure we process the NewSessionTicket. This arrives post-handshake.
1780 * We attempt a read which we do not expect to return any data.
1781 */
710756a9 1782 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
f8a303fa 1783 goto end;
5f982038 1784
90049cea 1785 /* Server should be able to write normal data */
710756a9
RS		 1786 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
1787 || !TEST_size_t_eq(written, strlen(MSG7))
1788 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1789 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 1790 goto end;
90049cea 1791
02a3ed5a
MC		 1792 /* We keep the PSK session around if using PSK */
1793 if (idx != 2)
1794 SSL_SESSION_free(sess);
5f982038 1795 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 1796 use_session_cb_cnt = 0;
1797 find_session_cb_cnt = 0;
5f982038
MC		 1798
1799 SSL_shutdown(clientssl);
1800 SSL_shutdown(serverssl);
5f982038
MC		 1801 SSL_free(serverssl);
1802 SSL_free(clientssl);
1803 serverssl = clientssl = NULL;
710756a9
RS		 1804 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1805 &clientssl, NULL, NULL))
1806 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 1807 goto end;
5f982038
MC		 1808
1809 /* Write and read some early data */
710756a9
RS		 1810 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1811 &written))
1812 || !TEST_size_t_eq(written, strlen(MSG1))
1813 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1814 &readbytes),
1815 SSL_READ_EARLY_DATA_SUCCESS)
1816 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 1817 goto end;
5f982038 1818
710756a9
RS		 1819 if (!TEST_int_gt(SSL_connect(clientssl), 0)
1820 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 1821 goto end;
5f982038 1822
09f28874 1823 /* Client and server should not be able to write/read early data now */
710756a9
RS		 1824 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1825 &written)))
5f982038 1826 goto end;
5f982038 1827 ERR_clear_error();
710756a9
RS		 1828 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1829 &readbytes),
1830 SSL_READ_EARLY_DATA_ERROR))
5f982038 1831 goto end;
5f982038
MC		 1832 ERR_clear_error();
1833
1834 /* Client and server should be able to write/read normal data */
710756a9
RS		 1835 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1836 || !TEST_size_t_eq(written, strlen(MSG5))
1837 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1838 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 1839 goto end;
5f982038
MC		 1840
1841 testresult = 1;
1842
1843 end:
57dee9bb
MC		 1844 if (sess != clientpsk)
1845 SSL_SESSION_free(sess);
1846 SSL_SESSION_free(clientpsk);
1847 SSL_SESSION_free(serverpsk);
1848 clientpsk = serverpsk = NULL;
5f982038
MC		 1849 SSL_free(serverssl);
1850 SSL_free(clientssl);
1851 SSL_CTX_free(sctx);
1852 SSL_CTX_free(cctx);
5f982038
MC		 1853 return testresult;
1854}
1855
710756a9 1856/*
6b84e6bf
MC		 1857 * Helper function to test that a server attempting to read early data can
1858 * handle a connection from a client where the early data should be skipped.
710756a9 1859 */
6b84e6bf 1860static int early_data_skip_helper(int hrr, int idx)
5f982038
MC		 1861{
1862 SSL_CTX *cctx = NULL, *sctx = NULL;
1863 SSL *clientssl = NULL, *serverssl = NULL;
1864 int testresult = 0;
018fcbec 1865 SSL_SESSION *sess = NULL;
5f982038
MC		 1866 unsigned char buf[20];
1867 size_t readbytes, written;
1868
710756a9
RS		 1869 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1870 &serverssl, &sess, idx)))
5f982038
MC		 1871 goto end;
1872
6b84e6bf
MC		 1873 if (hrr) {
1874 /* Force an HRR to occur */
1875 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
1876 goto end;
02a3ed5a
MC		 1877 } else if (idx == 2) {
1878 /*
1879 * We force early_data rejection by ensuring the PSK identity is
1880 * unrecognised
1881 */
1882 srvid = "Dummy Identity";
6b84e6bf
MC		 1883 } else {
1884 /*
1885 * Deliberately corrupt the creation time. We take 20 seconds off the
1886 * time. It could be any value as long as it is not within tolerance.
1887 * This should mean the ticket is rejected.
1888 */
5d99881e 1889 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 1890 goto end;
1891 }
5f982038
MC		 1892
1893 /* Write some early data */
710756a9
RS		 1894 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1895 &written))
1896 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 1897 goto end;
5f982038
MC		 1898
1899 /* Server should reject the early data and skip over it */
710756a9
RS		 1900 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1901 &readbytes),
1902 SSL_READ_EARLY_DATA_FINISH)
1903 || !TEST_size_t_eq(readbytes, 0)
1904 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1905 SSL_EARLY_DATA_REJECTED))
5f982038 1906 goto end;
5f982038 1907
6b84e6bf
MC		 1908 if (hrr) {
1909 /*
1910 * Finish off the handshake. We perform the same writes and reads as
1911 * further down but we expect them to fail due to the incomplete
1912 * handshake.
1913 */
1914 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1915 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
1916 &readbytes)))
1917 goto end;
1918 }
1919
710756a9
RS		 1920 /* Should be able to send normal data despite rejection of early data */
1921 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1922 || !TEST_size_t_eq(written, strlen(MSG2))
1923 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1924 SSL_EARLY_DATA_REJECTED)
1925 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1926 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 1927 goto end;
5f982038
MC		 1928
1929 testresult = 1;
1930
1931 end:
57dee9bb
MC		 1932 if (sess != clientpsk)
1933 SSL_SESSION_free(clientpsk);
1934 SSL_SESSION_free(serverpsk);
1935 clientpsk = serverpsk = NULL;
5f982038
MC		 1936 SSL_SESSION_free(sess);
1937 SSL_free(serverssl);
1938 SSL_free(clientssl);
1939 SSL_CTX_free(sctx);
1940 SSL_CTX_free(cctx);
5f982038
MC		 1941 return testresult;
1942}
1943
6b84e6bf
MC		 1944/*
1945 * Test that a server attempting to read early data can handle a connection
1946 * from a client where the early data is not acceptable.
1947 */
1948static int test_early_data_skip(int idx)
1949{
1950 return early_data_skip_helper(0, idx);
1951}
1952
1953/*
1954 * Test that a server attempting to read early data can handle a connection
1955 * from a client where an HRR occurs.
1956 */
1957static int test_early_data_skip_hrr(int idx)
1958{
1959 return early_data_skip_helper(1, idx);
1960}
1961
710756a9
RS		 1962/*
1963 * Test that a server attempting to read early data can handle a connection
1964 * from a client that doesn't send any.
1965 */
3cb47b4e 1966static int test_early_data_not_sent(int idx)
5f982038
MC		 1967{
1968 SSL_CTX *cctx = NULL, *sctx = NULL;
1969 SSL *clientssl = NULL, *serverssl = NULL;
1970 int testresult = 0;
018fcbec 1971 SSL_SESSION *sess = NULL;
5f982038
MC		 1972 unsigned char buf[20];
1973 size_t readbytes, written;
1974
710756a9
RS		 1975 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1976 &serverssl, &sess, idx)))
5f982038
MC		 1977 goto end;
1978
1979 /* Write some data - should block due to handshake with server */
1980 SSL_set_connect_state(clientssl);
710756a9 1981 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 1982 goto end;
5f982038
MC		 1983
1984 /* Server should detect that early data has not been sent */
710756a9
RS		 1985 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1986 &readbytes),
1987 SSL_READ_EARLY_DATA_FINISH)
1988 || !TEST_size_t_eq(readbytes, 0)
1989 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1990 SSL_EARLY_DATA_NOT_SENT)
1991 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1992 SSL_EARLY_DATA_NOT_SENT))
5f982038 1993 goto end;
5f982038
MC		 1994
1995 /* Continue writing the message we started earlier */
710756a9
RS		 1996 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
1997 || !TEST_size_t_eq(written, strlen(MSG1))
1998 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1999 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2000 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
2001 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 2002 goto end;
5f982038 2003
3cb47b4e
MC		 2004 /*
2005 * Should block due to the NewSessionTicket arrival unless we're using
2006 * read_ahead
2007 */
02a3ed5a 2008 if (idx != 1) {
710756a9 2009 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
3cb47b4e 2010 goto end;
5f982038
MC		 2011 }
2012
710756a9
RS		 2013 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2014 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2015 goto end;
5f982038
MC		 2016
2017 testresult = 1;
2018
2019 end:
57dee9bb 2020 /* If using PSK then clientpsk and sess are the same */
5f982038 2021 SSL_SESSION_free(sess);
57dee9bb
MC		 2022 SSL_SESSION_free(serverpsk);
2023 clientpsk = serverpsk = NULL;
5f982038
MC		 2024 SSL_free(serverssl);
2025 SSL_free(clientssl);
2026 SSL_CTX_free(sctx);
2027 SSL_CTX_free(cctx);
5f982038
MC		 2028 return testresult;
2029}
2030
976e5323
MC		 2031static int hostname_cb(SSL *s, int *al, void *arg)
2032{
2033 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2034
281bf233 2035 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
976e5323
MC		 2036 return SSL_TLSEXT_ERR_OK;
2037
2038 return SSL_TLSEXT_ERR_NOACK;
2039}
2040
2041static const char *servalpn;
2042
c7558d5b
PY		 2043static int alpn_select_cb(SSL *ssl, const unsigned char **out,
2044 unsigned char *outlen, const unsigned char *in,
2045 unsigned int inlen, void *arg)
976e5323 2046{
c7558d5b 2047 unsigned int protlen = 0;
976e5323
MC		 2048 const unsigned char *prot;
2049
c7558d5b
PY		 2050 for (prot = in; prot < in + inlen; prot += protlen) {
2051 protlen = *prot++;
5d99881e 2052 if (in + inlen < prot + protlen)
976e5323
MC		 2053 return SSL_TLSEXT_ERR_NOACK;
2054
2055 if (protlen == strlen(servalpn)
0bd42fde 2056 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 2057 *out = prot;
2058 *outlen = protlen;
2059 return SSL_TLSEXT_ERR_OK;
2060 }
2061 }
2062
2063 return SSL_TLSEXT_ERR_NOACK;
2064}
2065
57dee9bb 2066/* Test that a PSK can be used to send early_data */
976e5323
MC		 2067static int test_early_data_psk(int idx)
2068{
2069 SSL_CTX *cctx = NULL, *sctx = NULL;
2070 SSL *clientssl = NULL, *serverssl = NULL;
2071 int testresult = 0;
2072 SSL_SESSION *sess = NULL;
57dee9bb
MC		 2073 unsigned char alpnlist[] = {
2074 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2075 'l', 'p', 'n'
2076 };
2077#define GOODALPNLEN 9
2078#define BADALPNLEN 8
2079#define GOODALPN (alpnlist)
2080#define BADALPN (alpnlist + GOODALPNLEN)
2081 int err = 0;
976e5323
MC		 2082 unsigned char buf[20];
2083 size_t readbytes, written;
57dee9bb 2084 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 2085 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2086
2087 /* We always set this up with a final parameter of "2" for PSK */
2088 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2089 &serverssl, &sess, 2)))
2090 goto end;
2091
976e5323
MC		 2092 servalpn = "goodalpn";
2093
57dee9bb
MC		 2094 /*
2095 * Note: There is no test for inconsistent SNI with late client detection.
2096 * This is because servers do not acknowledge SNI even if they are using
2097 * it in a resumption handshake - so it is not actually possible for a
2098 * client to detect a problem.
2099 */
976e5323
MC		 2100 switch (idx) {
2101 case 0:
57dee9bb 2102 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 2103 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2104 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2105 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2106 goto end;
2107 break;
2108
2109 case 1:
57dee9bb 2110 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 2111 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
2112 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 2113 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
2114 GOODALPNLEN))
2115 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
2116 BADALPNLEN)))
976e5323
MC		 2117 goto end;
2118 break;
2119
2120 case 2:
2121 /*
2122 * Set invalid protocol version. Technically this affects PSKs without
2123 * early_data too, but we test it here because it is similar to the
2124 * SNI/ALPN consistency tests.
2125 */
2126 err = SSL_R_BAD_PSK;
2127 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
2128 goto end;
2129 break;
2130
2131 case 3:
2132 /*
2133 * Set inconsistent SNI (server detected). In this case the connection
2134 * will succeed but reject early_data.
2135 */
281bf233
MC		 2136 SSL_SESSION_free(serverpsk);
2137 serverpsk = SSL_SESSION_dup(clientpsk);
2138 if (!TEST_ptr(serverpsk)
2139 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
2140 goto end;
976e5323
MC		 2141 edstatus = SSL_EARLY_DATA_REJECTED;
2142 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2143 /* Fall through */
2144 case 4:
2145 /* Set consistent SNI */
976e5323
MC		 2146 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2147 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
2148 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
2149 hostname_cb)))
2150 goto end;
2151 break;
2152
2153 case 5:
2154 /*
2155 * Set inconsistent ALPN (server detected). In this case the connection
2156 * will succeed but reject early_data.
2157 */
2158 servalpn = "badalpn";
2159 edstatus = SSL_EARLY_DATA_REJECTED;
2160 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2161 /* Fall through */
2162 case 6:
976e5323 2163 /*
57dee9bb 2164 * Set consistent ALPN.
976e5323
MC		 2165 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2166 * accepts a list of protos (each one length prefixed).
2167 * SSL_set1_alpn_selected accepts a single protocol (not length
2168 * prefixed)
2169 */
57dee9bb
MC		 2170 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
2171 GOODALPNLEN - 1))
2172 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
2173 GOODALPNLEN)))
976e5323
MC		 2174 goto end;
2175
2176 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2177 break;
2178
57dee9bb
MC		 2179 case 7:
2180 /* Set inconsistent ALPN (late client detection) */
2181 SSL_SESSION_free(serverpsk);
2182 serverpsk = SSL_SESSION_dup(clientpsk);
2183 if (!TEST_ptr(serverpsk)
2184 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
2185 BADALPN + 1,
2186 BADALPNLEN - 1))
2187 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
2188 GOODALPN + 1,
2189 GOODALPNLEN - 1))
2190 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
2191 sizeof(alpnlist))))
2192 goto end;
2193 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2194 edstatus = SSL_EARLY_DATA_ACCEPTED;
2195 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
2196 /* SSL_connect() call should fail */
2197 connectres = -1;
2198 break;
2199
976e5323
MC		 2200 default:
2201 TEST_error("Bad test index");
2202 goto end;
2203 }
2204
2205 SSL_set_connect_state(clientssl);
2206 if (err != 0) {
2207 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2208 &written))
2209 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
2210 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
2211 goto end;
2212 } else {
2213 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 2214 &written)))
2215 goto end;
2216
2217 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2218 &readbytes), readearlyres)
976e5323
MC		 2219 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
2220 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 2221 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
2222 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 2223 goto end;
2224 }
2225
2226 testresult = 1;
2227
2228 end:
57dee9bb
MC		 2229 SSL_SESSION_free(clientpsk);
2230 SSL_SESSION_free(serverpsk);
2231 clientpsk = serverpsk = NULL;
976e5323
MC		 2232 SSL_free(serverssl);
2233 SSL_free(clientssl);
2234 SSL_CTX_free(sctx);
2235 SSL_CTX_free(cctx);
2236 return testresult;
2237}
2238
710756a9
RS		 2239/*
2240 * Test that a server that doesn't try to read early data can handle a
2241 * client sending some.
2242 */
3cb47b4e 2243static int test_early_data_not_expected(int idx)
5f982038
MC		 2244{
2245 SSL_CTX *cctx = NULL, *sctx = NULL;
2246 SSL *clientssl = NULL, *serverssl = NULL;
2247 int testresult = 0;
018fcbec 2248 SSL_SESSION *sess = NULL;
5f982038
MC		 2249 unsigned char buf[20];
2250 size_t readbytes, written;
2251
710756a9
RS		 2252 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2253 &serverssl, &sess, idx)))
5f982038
MC		 2254 goto end;
2255
2256 /* Write some early data */
710756a9
RS		 2257 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2258 &written)))
5f982038 2259 goto end;
5f982038
MC		 2260
2261 /*
2262 * Server should skip over early data and then block waiting for client to
2263 * continue handshake
2264 */
710756a9
RS		 2265 if (!TEST_int_le(SSL_accept(serverssl), 0)
2266 || !TEST_int_gt(SSL_connect(clientssl), 0)
2267 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2268 SSL_EARLY_DATA_REJECTED)
2269 || !TEST_int_gt(SSL_accept(serverssl), 0)
2270 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2271 SSL_EARLY_DATA_REJECTED))
5f982038 2272 goto end;
5f982038
MC		 2273
2274 /* Send some normal data from client to server */
710756a9
RS		 2275 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2276 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 2277 goto end;
5f982038 2278
710756a9
RS		 2279 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2280 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2281 goto end;
5f982038
MC		 2282
2283 testresult = 1;
2284
2285 end:
57dee9bb 2286 /* If using PSK then clientpsk and sess are the same */
5f982038 2287 SSL_SESSION_free(sess);
57dee9bb
MC		 2288 SSL_SESSION_free(serverpsk);
2289 clientpsk = serverpsk = NULL;
5f982038
MC		 2290 SSL_free(serverssl);
2291 SSL_free(clientssl);
2292 SSL_CTX_free(sctx);
2293 SSL_CTX_free(cctx);
5f982038
MC		 2294 return testresult;
2295}
2296
2297
2298# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 2299/*
2300 * Test that a server attempting to read early data can handle a connection
2301 * from a TLSv1.2 client.
2302 */
3cb47b4e 2303static int test_early_data_tls1_2(int idx)
5f982038
MC		 2304{
2305 SSL_CTX *cctx = NULL, *sctx = NULL;
2306 SSL *clientssl = NULL, *serverssl = NULL;
2307 int testresult = 0;
2308 unsigned char buf[20];
2309 size_t readbytes, written;
2310
02a3ed5a
MC		 2311 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2312 &serverssl, NULL, idx)))
5f982038 2313 goto end;
5f982038
MC		 2314
2315 /* Write some data - should block due to handshake with server */
2316 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
2317 SSL_set_connect_state(clientssl);
710756a9 2318 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 2319 goto end;
5f982038
MC		 2320
2321 /*
2322 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 2323 * messages from client after ServerDone. Then SSL_read_early_data should
2324 * finish and detect that early data has not been sent
5f982038 2325 */
710756a9
RS		 2326 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2327 &readbytes),
2328 SSL_READ_EARLY_DATA_ERROR))
5f982038 2329 goto end;
5f982038
MC		 2330
2331 /*
2332 * Continue writing the message we started earlier. Will still block waiting
2333 * for the CCS/Finished from server
2334 */
710756a9
RS		 2335 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2336 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2337 &readbytes),
2338 SSL_READ_EARLY_DATA_FINISH)
2339 || !TEST_size_t_eq(readbytes, 0)
2340 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2341 SSL_EARLY_DATA_NOT_SENT))
5f982038 2342 goto end;
5f982038
MC		 2343
2344 /* Continue writing the message we started earlier */
710756a9
RS		 2345 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2346 || !TEST_size_t_eq(written, strlen(MSG1))
2347 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2348 SSL_EARLY_DATA_NOT_SENT)
2349 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2350 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2351 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
2352 || !TEST_size_t_eq(written, strlen(MSG2))
2353 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
2354 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2355 goto end;
5f982038
MC		 2356
2357 testresult = 1;
2358
2359 end:
57dee9bb
MC		 2360 /* If using PSK then clientpsk and sess are the same */
2361 SSL_SESSION_free(clientpsk);
2362 SSL_SESSION_free(serverpsk);
2363 clientpsk = serverpsk = NULL;
5f982038
MC		 2364 SSL_free(serverssl);
2365 SSL_free(clientssl);
2366 SSL_CTX_free(sctx);
2367 SSL_CTX_free(cctx);
2368
2369 return testresult;
2370}
ca0413ae
MC		 2371# endif /* OPENSSL_NO_TLS1_2 */
2372
2373static int test_ciphersuite_change(void)
2374{
2375 SSL_CTX *cctx = NULL, *sctx = NULL;
2376 SSL *clientssl = NULL, *serverssl = NULL;
2377 SSL_SESSION *clntsess = NULL;
2378 int testresult = 0;
2379 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
2380
2381 /* Create a session based on SHA-256 */
2382 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2383 TLS_client_method(), &sctx,
2384 &cctx, cert, privkey))
f865b081
MC		 2385 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
2386 "TLS_AES_128_GCM_SHA256"))
ca0413ae
MC		 2387 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2388 &clientssl, NULL, NULL))
2389 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2390 SSL_ERROR_NONE)))
2391 goto end;
2392
2393 clntsess = SSL_get1_session(clientssl);
2394 /* Save for later */
2395 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
2396 SSL_shutdown(clientssl);
2397 SSL_shutdown(serverssl);
2398 SSL_free(serverssl);
2399 SSL_free(clientssl);
2400 serverssl = clientssl = NULL;
2401
71cff963 2402# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
ca0413ae 2403 /* Check we can resume a session with a different SHA-256 ciphersuite */
f865b081
MC		 2404 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2405 "TLS_CHACHA20_POLY1305_SHA256"))
ca0413ae
MC		 2406 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2407 NULL, NULL))
2408 || !TEST_true(SSL_set_session(clientssl, clntsess))
2409 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2410 SSL_ERROR_NONE))
2411 || !TEST_true(SSL_session_reused(clientssl)))
2412 goto end;
2413
2414 SSL_SESSION_free(clntsess);
2415 clntsess = SSL_get1_session(clientssl);
2416 SSL_shutdown(clientssl);
2417 SSL_shutdown(serverssl);
2418 SSL_free(serverssl);
2419 SSL_free(clientssl);
2420 serverssl = clientssl = NULL;
71cff963 2421# endif
ca0413ae
MC		 2422
2423 /*
2424 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 2425 * succeeds but does not resume.
ca0413ae 2426 */
f865b081 2427 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 2428 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2429 NULL, NULL))
2430 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 2431 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 2432 SSL_ERROR_SSL))
0de6d66d 2433 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 2434 goto end;
2435
2436 SSL_SESSION_free(clntsess);
2437 clntsess = NULL;
2438 SSL_shutdown(clientssl);
2439 SSL_shutdown(serverssl);
2440 SSL_free(serverssl);
2441 SSL_free(clientssl);
2442 serverssl = clientssl = NULL;
2443
2444 /* Create a session based on SHA384 */
f865b081 2445 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 2446 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2447 &clientssl, NULL, NULL))
2448 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2449 SSL_ERROR_NONE)))
2450 goto end;
2451
2452 clntsess = SSL_get1_session(clientssl);
2453 SSL_shutdown(clientssl);
2454 SSL_shutdown(serverssl);
2455 SSL_free(serverssl);
2456 SSL_free(clientssl);
2457 serverssl = clientssl = NULL;
2458
f865b081
MC		 2459 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2460 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
2461 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
2462 "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 2463 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2464 NULL, NULL))
2465 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 2466 /*
2467 * We use SSL_ERROR_WANT_READ below so that we can pause the
2468 * connection after the initial ClientHello has been sent to
2469 * enable us to make some session changes.
2470 */
ca0413ae
MC		 2471 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2472 SSL_ERROR_WANT_READ)))
2473 goto end;
2474
2475 /* Trick the client into thinking this session is for a different digest */
2476 clntsess->cipher = aes_128_gcm_sha256;
2477 clntsess->cipher_id = clntsess->cipher->id;
2478
2479 /*
3b0e88d3
MC		 2480 * Continue the previously started connection. Server has selected a SHA-384
2481 * ciphersuite, but client thinks the session is for SHA-256, so it should
2482 * bail out.
ca0413ae
MC		 2483 */
2484 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
2485 SSL_ERROR_SSL))
2486 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
2487 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
2488 goto end;
2489
2490 testresult = 1;
2491
2492 end:
2493 SSL_SESSION_free(clntsess);
2494 SSL_free(serverssl);
2495 SSL_free(clientssl);
2496 SSL_CTX_free(sctx);
2497 SSL_CTX_free(cctx);
2498
2499 return testresult;
2500}
2501
532f9578 2502static int test_tls13_psk(int idx)
ca8c71ba
MC		 2503{
2504 SSL_CTX *sctx = NULL, *cctx = NULL;
2505 SSL *serverssl = NULL, *clientssl = NULL;
2506 const SSL_CIPHER *cipher = NULL;
2507 const unsigned char key[] = {
2508 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
2509 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 2510 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2511 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 2512 };
2513 int testresult = 0;
2514
2515 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2516 TLS_client_method(), &sctx,
2517 &cctx, cert, privkey)))
2518 goto end;
2519
532f9578
MC		 2520 /*
2521 * We use a ciphersuite with SHA256 to ease testing old style PSK callbacks
2522 * which will always default to SHA256
2523 */
f865b081 2524 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_128_GCM_SHA256")))
532f9578
MC		 2525 goto end;
2526
2527 /*
2528 * Test 0: New style callbacks only
2529 * Test 1: New and old style callbacks (only the new ones should be used)
2530 * Test 2: Old style callbacks only
2531 */
2532 if (idx == 0 || idx == 1) {
2533 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2534 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2535 }
2536 if (idx == 1 || idx == 2) {
2537 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
2538 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
2539 }
ca8c71ba 2540 srvid = pskid;
02a3ed5a
MC		 2541 use_session_cb_cnt = 0;
2542 find_session_cb_cnt = 0;
532f9578
MC		 2543 psk_client_cb_cnt = 0;
2544 psk_server_cb_cnt = 0;
ca8c71ba
MC		 2545
2546 /* Check we can create a connection if callback decides not to send a PSK */
2547 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2548 NULL, NULL))
2549 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2550 SSL_ERROR_NONE))
2551 || !TEST_false(SSL_session_reused(clientssl))
532f9578 2552 || !TEST_false(SSL_session_reused(serverssl)))
ca8c71ba
MC		 2553 goto end;
2554
532f9578
MC		 2555 if (idx == 0 || idx == 1) {
2556 if (!TEST_true(use_session_cb_cnt == 1)
2557 || !TEST_true(find_session_cb_cnt == 0)
2558 /*
2559 * If no old style callback then below should be 0
2560 * otherwise 1
2561 */
2562 || !TEST_true(psk_client_cb_cnt == idx)
2563 || !TEST_true(psk_server_cb_cnt == 0))
2564 goto end;
2565 } else {
2566 if (!TEST_true(use_session_cb_cnt == 0)
2567 || !TEST_true(find_session_cb_cnt == 0)
2568 || !TEST_true(psk_client_cb_cnt == 1)
2569 || !TEST_true(psk_server_cb_cnt == 0))
2570 goto end;
2571 }
2572
ca8c71ba
MC		 2573 shutdown_ssl_connection(serverssl, clientssl);
2574 serverssl = clientssl = NULL;
532f9578 2575 use_session_cb_cnt = psk_client_cb_cnt = 0;
ca8c71ba
MC		 2576
2577 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2578 NULL, NULL)))
2579 goto end;
2580
2581 /* Create the PSK */
532f9578 2582 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 2583 clientpsk = SSL_SESSION_new();
2584 if (!TEST_ptr(clientpsk)
ca8c71ba 2585 || !TEST_ptr(cipher)
57dee9bb
MC		 2586 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
2587 sizeof(key)))
2588 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
2589 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
2590 TLS1_3_VERSION))
2591 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 2592 goto end;
57dee9bb 2593 serverpsk = clientpsk;
ca8c71ba
MC		 2594
2595 /* Check we can create a connection and the PSK is used */
2596 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2597 || !TEST_true(SSL_session_reused(clientssl))
532f9578 2598 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 2599 goto end;
2600
532f9578
MC		 2601 if (idx == 0 || idx == 1) {
2602 if (!TEST_true(use_session_cb_cnt == 1)
2603 || !TEST_true(find_session_cb_cnt == 1)
2604 || !TEST_true(psk_client_cb_cnt == 0)
2605 || !TEST_true(psk_server_cb_cnt == 0))
2606 goto end;
2607 } else {
2608 if (!TEST_true(use_session_cb_cnt == 0)
2609 || !TEST_true(find_session_cb_cnt == 0)
2610 || !TEST_true(psk_client_cb_cnt == 1)
2611 || !TEST_true(psk_server_cb_cnt == 1))
2612 goto end;
2613 }
2614
ca8c71ba
MC		 2615 shutdown_ssl_connection(serverssl, clientssl);
2616 serverssl = clientssl = NULL;
2617 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 2618 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 2619
2620 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2621 NULL, NULL)))
2622 goto end;
2623
2624 /* Force an HRR */
2625 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2626 goto end;
2627
2628 /*
2629 * Check we can create a connection, the PSK is used and the callbacks are
2630 * called twice.
2631 */
2632 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2633 || !TEST_true(SSL_session_reused(clientssl))
532f9578 2634 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 2635 goto end;
2636
532f9578
MC		 2637 if (idx == 0 || idx == 1) {
2638 if (!TEST_true(use_session_cb_cnt == 2)
2639 || !TEST_true(find_session_cb_cnt == 2)
2640 || !TEST_true(psk_client_cb_cnt == 0)
2641 || !TEST_true(psk_server_cb_cnt == 0))
2642 goto end;
2643 } else {
2644 if (!TEST_true(use_session_cb_cnt == 0)
2645 || !TEST_true(find_session_cb_cnt == 0)
2646 || !TEST_true(psk_client_cb_cnt == 2)
2647 || !TEST_true(psk_server_cb_cnt == 2))
2648 goto end;
2649 }
2650
ca8c71ba
MC		 2651 shutdown_ssl_connection(serverssl, clientssl);
2652 serverssl = clientssl = NULL;
2653 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 2654 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 2655
2656 /*
2657 * Check that if the server rejects the PSK we can still connect, but with
2658 * a full handshake
2659 */
2660 srvid = "Dummy Identity";
2661 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2662 NULL, NULL))
2663 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2664 SSL_ERROR_NONE))
2665 || !TEST_false(SSL_session_reused(clientssl))
532f9578 2666 || !TEST_false(SSL_session_reused(serverssl)))
ca8c71ba
MC		 2667 goto end;
2668
532f9578
MC		 2669 if (idx == 0 || idx == 1) {
2670 if (!TEST_true(use_session_cb_cnt == 1)
2671 || !TEST_true(find_session_cb_cnt == 1)
2672 || !TEST_true(psk_client_cb_cnt == 0)
2673 /*
2674 * If no old style callback then below should be 0
2675 * otherwise 1
2676 */
2677 || !TEST_true(psk_server_cb_cnt == idx))
2678 goto end;
2679 } else {
2680 if (!TEST_true(use_session_cb_cnt == 0)
2681 || !TEST_true(find_session_cb_cnt == 0)
2682 || !TEST_true(psk_client_cb_cnt == 1)
2683 || !TEST_true(psk_server_cb_cnt == 1))
2684 goto end;
2685 }
2686
ca8c71ba
MC		 2687 shutdown_ssl_connection(serverssl, clientssl);
2688 serverssl = clientssl = NULL;
2689 testresult = 1;
2690
2691 end:
57dee9bb
MC		 2692 SSL_SESSION_free(clientpsk);
2693 SSL_SESSION_free(serverpsk);
2694 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 2695 SSL_free(serverssl);
2696 SSL_free(clientssl);
2697 SSL_CTX_free(sctx);
2698 SSL_CTX_free(cctx);
2699 return testresult;
2700}
2701
c7b8ff25
MC		 2702static unsigned char cookie_magic_value[] = "cookie magic";
2703
2704static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
2705 unsigned int *cookie_len)
2706{
2707 /*
2708 * Not suitable as a real cookie generation function but good enough for
2709 * testing!
2710 */
97ea1e7f
MC		 2711 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
2712 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 2713
2714 return 1;
2715}
2716
2717static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
2718 unsigned int cookie_len)
2719{
97ea1e7f 2720 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 2721 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
2722 return 1;
2723
2724 return 0;
2725}
2726
3fa2812f
BS		 2727static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
2728 size_t *cookie_len)
2729{
2730 unsigned int temp;
2731 int res = generate_cookie_callback(ssl, cookie, &temp);
2732 *cookie_len = temp;
2733 return res;
2734}
2735
2736static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
2737 size_t cookie_len)
2738{
2739 return verify_cookie_callback(ssl, cookie, cookie_len);
2740}
2741
c7b8ff25
MC		 2742static int test_stateless(void)
2743{
2744 SSL_CTX *sctx = NULL, *cctx = NULL;
2745 SSL *serverssl = NULL, *clientssl = NULL;
2746 int testresult = 0;
2747
2748 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2749 TLS_client_method(), &sctx,
2750 &cctx, cert, privkey)))
2751 goto end;
2752
e440f513
MC		 2753 /* The arrival of CCS messages can confuse the test */
2754 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
2755
2756 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2757 NULL, NULL))
2758 /* Send the first ClientHello */
2759 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2760 SSL_ERROR_WANT_READ))
2761 /*
2762 * This should fail with a -1 return because we have no callbacks
2763 * set up
2764 */
2765 || !TEST_int_eq(SSL_stateless(serverssl), -1))
2766 goto end;
2767
2768 /* Fatal error so abandon the connection from this client */
2769 SSL_free(clientssl);
2770 clientssl = NULL;
2771
c7b8ff25 2772 /* Set up the cookie generation and verification callbacks */
3fa2812f
BS		 2773 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
2774 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
c7b8ff25 2775
e440f513
MC		 2776 /*
2777 * Create a new connection from the client (we can reuse the server SSL
2778 * object).
2779 */
c7b8ff25
MC		 2780 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2781 NULL, NULL))
2782 /* Send the first ClientHello */
2783 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2784 SSL_ERROR_WANT_READ))
2785 /* This should fail because there is no cookie */
e440f513 2786 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 2787 goto end;
2788
2789 /* Abandon the connection from this client */
2790 SSL_free(clientssl);
2791 clientssl = NULL;
2792
2793 /*
2794 * Now create a connection from a new client but with the same server SSL
2795 * object
2796 */
2797 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2798 NULL, NULL))
2799 /* Send the first ClientHello */
2800 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2801 SSL_ERROR_WANT_READ))
2802 /* This should fail because there is no cookie */
e440f513 2803 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 2804 /* Send the second ClientHello */
2805 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2806 SSL_ERROR_WANT_READ))
2807 /* This should succeed because a cookie is now present */
e440f513 2808 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 2809 /* Complete the connection */
2810 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2811 SSL_ERROR_NONE)))
2812 goto end;
2813
2814 shutdown_ssl_connection(serverssl, clientssl);
2815 serverssl = clientssl = NULL;
2816 testresult = 1;
2817
2818 end:
2819 SSL_free(serverssl);
2820 SSL_free(clientssl);
2821 SSL_CTX_free(sctx);
2822 SSL_CTX_free(cctx);
2823 return testresult;
2824
2825}
ca0413ae 2826#endif /* OPENSSL_NO_TLS1_3 */
5f982038 2827
a37008d9
MC		 2828static int clntaddoldcb = 0;
2829static int clntparseoldcb = 0;
2830static int srvaddoldcb = 0;
2831static int srvparseoldcb = 0;
2832static int clntaddnewcb = 0;
2833static int clntparsenewcb = 0;
2834static int srvaddnewcb = 0;
2835static int srvparsenewcb = 0;
bb01ef3f 2836static int snicb = 0;
a37008d9
MC		 2837
2838#define TEST_EXT_TYPE1 0xff00
2839
2840static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
2841 size_t *outlen, int *al, void *add_arg)
2842{
2843 int *server = (int *)add_arg;
2844 unsigned char *data;
2845
2846 if (SSL_is_server(s))
2847 srvaddoldcb++;
2848 else
2849 clntaddoldcb++;
2850
710756a9
RS		 2851 if (*server != SSL_is_server(s)
2852 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 2853 return -1;
2854
2855 *data = 1;
2856 *out = data;
2857 *outlen = sizeof(char);
a37008d9
MC		 2858 return 1;
2859}
2860
2861static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
2862 void *add_arg)
2863{
2864 OPENSSL_free((unsigned char *)out);
2865}
2866
2867static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
2868 size_t inlen, int *al, void *parse_arg)
2869{
2870 int *server = (int *)parse_arg;
2871
2872 if (SSL_is_server(s))
2873 srvparseoldcb++;
2874 else
2875 clntparseoldcb++;
2876
710756a9
RS		 2877 if (*server != SSL_is_server(s)
2878 || inlen != sizeof(char)
2879 || *in != 1)
a37008d9
MC		 2880 return -1;
2881
2882 return 1;
2883}
2884
2885static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
2886 const unsigned char **out, size_t *outlen, X509 *x,
2887 size_t chainidx, int *al, void *add_arg)
2888{
2889 int *server = (int *)add_arg;
2890 unsigned char *data;
2891
2892 if (SSL_is_server(s))
2893 srvaddnewcb++;
2894 else
2895 clntaddnewcb++;
2896
710756a9
RS		 2897 if (*server != SSL_is_server(s)
2898 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 2899 return -1;
2900
2901 *data = 1;
2902 *out = data;
710756a9 2903 *outlen = sizeof(*data);
a37008d9
MC		 2904 return 1;
2905}
2906
2907static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
2908 const unsigned char *out, void *add_arg)
2909{
2910 OPENSSL_free((unsigned char *)out);
2911}
2912
2913static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
2914 const unsigned char *in, size_t inlen, X509 *x,
2915 size_t chainidx, int *al, void *parse_arg)
2916{
2917 int *server = (int *)parse_arg;
2918
2919 if (SSL_is_server(s))
2920 srvparsenewcb++;
2921 else
2922 clntparsenewcb++;
2923
710756a9
RS		 2924 if (*server != SSL_is_server(s)
2925 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 2926 return -1;
2927
2928 return 1;
2929}
bb01ef3f
MC		 2930
2931static int sni_cb(SSL *s, int *al, void *arg)
2932{
2933 SSL_CTX *ctx = (SSL_CTX *)arg;
2934
2935 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
2936 *al = SSL_AD_INTERNAL_ERROR;
2937 return SSL_TLSEXT_ERR_ALERT_FATAL;
2938 }
2939 snicb++;
2940 return SSL_TLSEXT_ERR_OK;
2941}
2942
a37008d9
MC		 2943/*
2944 * Custom call back tests.
2945 * Test 0: Old style callbacks in TLSv1.2
2946 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 2947 * Test 2: New style callbacks in TLSv1.2 with SNI
2948 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
2949 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
a37008d9 2950 */
710756a9
RS		 2951static int test_custom_exts(int tst)
2952{
bb01ef3f 2953 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 2954 SSL *clientssl = NULL, *serverssl = NULL;
2955 int testresult = 0;
2956 static int server = 1;
2957 static int client = 0;
2958 SSL_SESSION *sess = NULL;
2959 unsigned int context;
2960
c423ecaa
MC		 2961#if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
2962 /* Skip tests for TLSv1.2 and below in this case */
2963 if (tst < 3)
2964 return 1;
2965#endif
2966
a37008d9
MC		 2967 /* Reset callback counters */
2968 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
2969 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 2970 snicb = 0;
a37008d9 2971
710756a9
RS		 2972 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2973 TLS_client_method(), &sctx,
2974 &cctx, cert, privkey)))
2975 goto end;
a37008d9 2976
bb01ef3f
MC		 2977 if (tst == 2
2978 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL, &sctx2,
2979 NULL, cert, privkey)))
2980 goto end;
2981
2982
2983 if (tst < 3) {
a37008d9
MC		 2984 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
2985 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 2986 if (sctx2 != NULL)
2987 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 2988 }
2989
bb01ef3f 2990 if (tst == 4) {
710756a9
RS		 2991 context = SSL_EXT_CLIENT_HELLO
2992 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 2993 | SSL_EXT_TLS1_3_SERVER_HELLO
2994 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
2995 | SSL_EXT_TLS1_3_CERTIFICATE
2996 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
2997 } else {
710756a9
RS		 2998 context = SSL_EXT_CLIENT_HELLO
2999 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 3000 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
3001 }
3002
3003 /* Create a client side custom extension */
3004 if (tst == 0) {
710756a9
RS		 3005 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3006 old_add_cb, old_free_cb,
3007 &client, old_parse_cb,
3008 &client)))
3009 goto end;
a37008d9 3010 } else {
710756a9
RS		 3011 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
3012 new_add_cb, new_free_cb,
3013 &client, new_parse_cb, &client)))
3014 goto end;
a37008d9
MC		 3015 }
3016
3017 /* Should not be able to add duplicates */
710756a9
RS		 3018 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3019 old_add_cb, old_free_cb,
3020 &client, old_parse_cb,
3021 &client))
3022 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
3023 context, new_add_cb,
3024 new_free_cb, &client,
3025 new_parse_cb, &client)))
3026 goto end;
a37008d9
MC		 3027
3028 /* Create a server side custom extension */
3029 if (tst == 0) {
710756a9
RS		 3030 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3031 old_add_cb, old_free_cb,
3032 &server, old_parse_cb,
3033 &server)))
3034 goto end;
a37008d9 3035 } else {
710756a9
RS		 3036 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
3037 new_add_cb, new_free_cb,
3038 &server, new_parse_cb, &server)))
3039 goto end;
bb01ef3f
MC		 3040 if (sctx2 != NULL
3041 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
3042 context, new_add_cb,
3043 new_free_cb, &server,
3044 new_parse_cb, &server)))
3045 goto end;
a37008d9
MC		 3046 }
3047
3048 /* Should not be able to add duplicates */
710756a9
RS		 3049 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3050 old_add_cb, old_free_cb,
3051 &server, old_parse_cb,
3052 &server))
3053 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
3054 context, new_add_cb,
3055 new_free_cb, &server,
3056 new_parse_cb, &server)))
a37008d9 3057 goto end;
a37008d9 3058
bb01ef3f
MC		 3059 if (tst == 2) {
3060 /* Set up SNI */
3061 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
3062 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
3063 goto end;
3064 }
3065
710756a9
RS		 3066 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3067 &clientssl, NULL, NULL))
3068 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3069 SSL_ERROR_NONE)))
a37008d9 3070 goto end;
a37008d9
MC		 3071
3072 if (tst == 0) {
710756a9
RS		 3073 if (clntaddoldcb != 1
3074 || clntparseoldcb != 1
3075 || srvaddoldcb != 1
3076 || srvparseoldcb != 1)
a37008d9 3077 goto end;
bb01ef3f 3078 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 3079 if (clntaddnewcb != 1
3080 || clntparsenewcb != 1
3081 || srvaddnewcb != 1
bb01ef3f
MC		 3082 || srvparsenewcb != 1
3083 || (tst != 2 && snicb != 0)
3084 || (tst == 2 && snicb != 1))
a37008d9 3085 goto end;
a37008d9 3086 } else {
710756a9
RS		 3087 if (clntaddnewcb != 1
3088 || clntparsenewcb != 4
3089 || srvaddnewcb != 4
3090 || srvparsenewcb != 1)
a37008d9 3091 goto end;
a37008d9
MC		 3092 }
3093
3094 sess = SSL_get1_session(clientssl);
a37008d9
MC		 3095 SSL_shutdown(clientssl);
3096 SSL_shutdown(serverssl);
a37008d9
MC		 3097 SSL_free(serverssl);
3098 SSL_free(clientssl);
3099 serverssl = clientssl = NULL;
3100
bb01ef3f
MC		 3101 if (tst == 3) {
3102 /* We don't bother with the resumption aspects for this test */
3103 testresult = 1;
3104 goto end;
3105 }
3106
710756a9
RS		 3107 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3108 NULL, NULL))
3109 || !TEST_true(SSL_set_session(clientssl, sess))
3110 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3111 SSL_ERROR_NONE)))
a37008d9 3112 goto end;
a37008d9
MC		 3113
3114 /*
3115 * For a resumed session we expect to add the ClientHello extension. For the
3116 * old style callbacks we ignore it on the server side because they set
3117 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
3118 * them.
3119 */
3120 if (tst == 0) {
710756a9
RS		 3121 if (clntaddoldcb != 2
3122 || clntparseoldcb != 1
3123 || srvaddoldcb != 1
3124 || srvparseoldcb != 1)
a37008d9 3125 goto end;
bb01ef3f 3126 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 3127 if (clntaddnewcb != 2
3128 || clntparsenewcb != 2
3129 || srvaddnewcb != 2
3130 || srvparsenewcb != 2)
a37008d9 3131 goto end;
a37008d9
MC		 3132 } else {
3133 /* No Certificate message extensions in the resumption handshake */
710756a9
RS		 3134 if (clntaddnewcb != 2
3135 || clntparsenewcb != 7
3136 || srvaddnewcb != 7
3137 || srvparsenewcb != 2)
a37008d9 3138 goto end;
a37008d9
MC		 3139 }
3140
3141 testresult = 1;
3142
3143end:
3144 SSL_SESSION_free(sess);
3145 SSL_free(serverssl);
3146 SSL_free(clientssl);
bb01ef3f 3147 SSL_CTX_free(sctx2);
a37008d9
MC		 3148 SSL_CTX_free(sctx);
3149 SSL_CTX_free(cctx);
a37008d9
MC		 3150 return testresult;
3151}
3152
16afd71c
MC		 3153/*
3154 * Test loading of serverinfo data in various formats. test_sslmessages actually
3155 * tests to make sure the extensions appear in the handshake
3156 */
3157static int test_serverinfo(int tst)
3158{
3159 unsigned int version;
3160 unsigned char *sibuf;
3161 size_t sibuflen;
3162 int ret, expected, testresult = 0;
3163 SSL_CTX *ctx;
3164
3165 ctx = SSL_CTX_new(TLS_method());
3166 if (!TEST_ptr(ctx))
3167 goto end;
3168
3169 if ((tst & 0x01) == 0x01)
3170 version = SSL_SERVERINFOV2;
3171 else
3172 version = SSL_SERVERINFOV1;
3173
3174 if ((tst & 0x02) == 0x02) {
3175 sibuf = serverinfov2;
3176 sibuflen = sizeof(serverinfov2);
3177 expected = (version == SSL_SERVERINFOV2);
3178 } else {
3179 sibuf = serverinfov1;
3180 sibuflen = sizeof(serverinfov1);
3181 expected = (version == SSL_SERVERINFOV1);
3182 }
3183
3184 if ((tst & 0x04) == 0x04) {
3185 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
3186 } else {
3187 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
3188
3189 /*
3190 * The version variable is irrelevant in this case - it's what is in the
3191 * buffer that matters
3192 */
3193 if ((tst & 0x02) == 0x02)
3194 expected = 0;
3195 else
3196 expected = 1;
3197 }
3198
3199 if (!TEST_true(ret == expected))
3200 goto end;
3201
3202 testresult = 1;
3203
3204 end:
3205 SSL_CTX_free(ctx);
3206
3207 return testresult;
3208}
3209
2197d1df
MC		 3210/*
3211 * Test that SSL_export_keying_material() produces expected results. There are
3212 * no test vectors so all we do is test that both sides of the communication
3213 * produce the same results for different protocol versions.
3214 */
3215static int test_export_key_mat(int tst)
3216{
a599574b 3217 int testresult = 0;
2197d1df
MC		 3218 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3219 SSL *clientssl = NULL, *serverssl = NULL;
3220 const char label[] = "test label";
3221 const unsigned char context[] = "context";
3222 const unsigned char *emptycontext = NULL;
3223 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
3224 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
a599574b
MC		 3225 const int protocols[] = {
3226 TLS1_VERSION,
3227 TLS1_1_VERSION,
3228 TLS1_2_VERSION,
3229 TLS1_3_VERSION
3230 };
2197d1df
MC		 3231
3232#ifdef OPENSSL_NO_TLS1
3233 if (tst == 0)
3234 return 1;
3235#endif
3236#ifdef OPENSSL_NO_TLS1_1
3237 if (tst == 1)
3238 return 1;
3239#endif
3240#ifdef OPENSSL_NO_TLS1_2
3241 if (tst == 2)
3242 return 1;
3243#endif
3244#ifdef OPENSSL_NO_TLS1_3
3245 if (tst == 3)
3246 return 1;
3247#endif
3248 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3249 TLS_client_method(), &sctx,
3250 &cctx, cert, privkey)))
3251 goto end;
3252
a599574b
MC		 3253 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
3254 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
3255 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
2197d1df
MC		 3256
3257 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
3258 NULL))
3259 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3260 SSL_ERROR_NONE)))
3261 goto end;
3262
3263 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
3264 sizeof(ckeymat1), label,
3265 sizeof(label) - 1, context,
3266 sizeof(context) - 1, 1), 1)
3267 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
3268 sizeof(ckeymat2), label,
3269 sizeof(label) - 1,
3270 emptycontext,
3271 0, 1), 1)
3272 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
3273 sizeof(ckeymat3), label,
3274 sizeof(label) - 1,
3275 NULL, 0, 0), 1)
3276 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
3277 sizeof(skeymat1), label,
3278 sizeof(label) - 1,
3279 context,
3280 sizeof(context) -1, 1),
3281 1)
3282 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
3283 sizeof(skeymat2), label,
3284 sizeof(label) - 1,
3285 emptycontext,
3286 0, 1), 1)
3287 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
3288 sizeof(skeymat3), label,
3289 sizeof(label) - 1,
3290 NULL, 0, 0), 1)
3291 /*
3292 * Check that both sides created the same key material with the
3293 * same context.
3294 */
3295 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3296 sizeof(skeymat1))
3297 /*
3298 * Check that both sides created the same key material with an
3299 * empty context.
3300 */
3301 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3302 sizeof(skeymat2))
3303 /*
3304 * Check that both sides created the same key material without a
3305 * context.
3306 */
3307 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
3308 sizeof(skeymat3))
3309 /* Different contexts should produce different results */
3310 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3311 sizeof(ckeymat2)))
3312 goto end;
3313
3314 /*
3315 * Check that an empty context and no context produce different results in
3316 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
3317 */
3318 if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
3319 sizeof(ckeymat3)))
3320 || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
3321 sizeof(ckeymat3))))
3322 goto end;
3323
3324 testresult = 1;
3325
3326 end:
3327 SSL_free(serverssl);
3328 SSL_free(clientssl);
3329 SSL_CTX_free(sctx2);
3330 SSL_CTX_free(sctx);
3331 SSL_CTX_free(cctx);
3332
3333 return testresult;
3334}
3335
b38ede80
TT		 3336#ifndef OPENSSL_NO_TLS1_3
3337/*
3338 * Test that SSL_export_keying_material_early() produces expected
3339 * results. There are no test vectors so all we do is test that both
3340 * sides of the communication produce the same results for different
3341 * protocol versions.
3342 */
3343static int test_export_key_mat_early(int idx)
3344{
3345 static const char label[] = "test label";
3346 static const unsigned char context[] = "context";
3347 int testresult = 0;
3348 SSL_CTX *cctx = NULL, *sctx = NULL;
3349 SSL *clientssl = NULL, *serverssl = NULL;
3350 SSL_SESSION *sess = NULL;
3351 const unsigned char *emptycontext = NULL;
3352 unsigned char ckeymat1[80], ckeymat2[80];
3353 unsigned char skeymat1[80], skeymat2[80];
3354 unsigned char buf[1];
3355 size_t readbytes, written;
3356
3357 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
3358 &sess, idx)))
3359 goto end;
3360
3361 /* Here writing 0 length early data is enough. */
3362 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
3363 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3364 &readbytes),
3365 SSL_READ_EARLY_DATA_ERROR)
3366 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3367 SSL_EARLY_DATA_ACCEPTED))
3368 goto end;
3369
3370 if (!TEST_int_eq(SSL_export_keying_material_early(
3371 clientssl, ckeymat1, sizeof(ckeymat1), label,
3372 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3373 || !TEST_int_eq(SSL_export_keying_material_early(
3374 clientssl, ckeymat2, sizeof(ckeymat2), label,
3375 sizeof(label) - 1, emptycontext, 0), 1)
3376 || !TEST_int_eq(SSL_export_keying_material_early(
3377 serverssl, skeymat1, sizeof(skeymat1), label,
3378 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3379 || !TEST_int_eq(SSL_export_keying_material_early(
3380 serverssl, skeymat2, sizeof(skeymat2), label,
3381 sizeof(label) - 1, emptycontext, 0), 1)
3382 /*
3383 * Check that both sides created the same key material with the
3384 * same context.
3385 */
3386 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3387 sizeof(skeymat1))
3388 /*
3389 * Check that both sides created the same key material with an
3390 * empty context.
3391 */
3392 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3393 sizeof(skeymat2))
3394 /* Different contexts should produce different results */
3395 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3396 sizeof(ckeymat2)))
3397 goto end;
3398
3399 testresult = 1;
3400
3401 end:
3402 if (sess != clientpsk)
3403 SSL_SESSION_free(sess);
3404 SSL_SESSION_free(clientpsk);
3405 SSL_SESSION_free(serverpsk);
34ff74eb 3406 clientpsk = serverpsk = NULL;
b38ede80
TT		 3407 SSL_free(serverssl);
3408 SSL_free(clientssl);
3409 SSL_CTX_free(sctx);
3410 SSL_CTX_free(cctx);
3411
3412 return testresult;
3413}
3414#endif /* OPENSSL_NO_TLS1_3 */
3415
e11b6aa4
MC		 3416static int test_ssl_clear(int idx)
3417{
3418 SSL_CTX *cctx = NULL, *sctx = NULL;
3419 SSL *clientssl = NULL, *serverssl = NULL;
3420 int testresult = 0;
3421
3422#ifdef OPENSSL_NO_TLS1_2
3423 if (idx == 1)
3424 return 1;
3425#endif
3426
3427 /* Create an initial connection */
3428 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3429 TLS_client_method(), &sctx,
3430 &cctx, cert, privkey))
3431 || (idx == 1
3432 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
3433 TLS1_2_VERSION)))
3434 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3435 &clientssl, NULL, NULL))
3436 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3437 SSL_ERROR_NONE)))
3438 goto end;
3439
3440 SSL_shutdown(clientssl);
3441 SSL_shutdown(serverssl);
3442 SSL_free(serverssl);
3443 serverssl = NULL;
3444
3445 /* Clear clientssl - we're going to reuse the object */
3446 if (!TEST_true(SSL_clear(clientssl)))
3447 goto end;
3448
3449 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3450 NULL, NULL))
3451 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3452 SSL_ERROR_NONE))
3453 || !TEST_true(SSL_session_reused(clientssl)))
3454 goto end;
3455
3456 SSL_shutdown(clientssl);
3457 SSL_shutdown(serverssl);
3458
3459 testresult = 1;
3460
3461 end:
3462 SSL_free(serverssl);
3463 SSL_free(clientssl);
3464 SSL_CTX_free(sctx);
3465 SSL_CTX_free(cctx);
3466
3467 return testresult;
3468}
3469
cf72c757
F		 3470/* Parse CH and retrieve any MFL extension value if present */
3471static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
3472{
3473 long len;
3474 unsigned char *data;
3475 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
3476 unsigned int MFL_code = 0, type = 0;
3477
3478 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
3479 goto end;
3480
3481 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
3482 /* Skip the record header */
3483 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
3484 /* Skip the handshake message header */
3485 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
3486 /* Skip client version and random */
3487 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
3488 + SSL3_RANDOM_SIZE))
3489 /* Skip session id */
3490 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3491 /* Skip ciphers */
3492 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
3493 /* Skip compression */
3494 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3495 /* Extensions len */
3496 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
3497 goto end;
3498
3499 /* Loop through all extensions */
3500 while (PACKET_remaining(&pkt2)) {
3501 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
3502 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
3503 goto end;
3504
3505 if (type == TLSEXT_TYPE_max_fragment_length) {
3506 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
3507 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
3508 goto end;
3509
3510 *mfl_codemfl_code = MFL_code;
3511 return 1;
3512 }
3513 }
3514
3515 end:
3516 return 0;
3517}
3518
3519/* Maximum-Fragment-Length TLS extension mode to test */
3520static const unsigned char max_fragment_len_test[] = {
3521 TLSEXT_max_fragment_length_512,
3522 TLSEXT_max_fragment_length_1024,
3523 TLSEXT_max_fragment_length_2048,
3524 TLSEXT_max_fragment_length_4096
3525};
3526
3527static int test_max_fragment_len_ext(int idx_tst)
3528{
3529 SSL_CTX *ctx;
3530 SSL *con = NULL;
3531 int testresult = 0, MFL_mode = 0;
3532 BIO *rbio, *wbio;
3533
3534 ctx = SSL_CTX_new(TLS_method());
3535 if (!TEST_ptr(ctx))
3536 goto end;
3537
3538 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
3539 ctx, max_fragment_len_test[idx_tst])))
3540 goto end;
3541
3542 con = SSL_new(ctx);
3543 if (!TEST_ptr(con))
3544 goto end;
3545
3546 rbio = BIO_new(BIO_s_mem());
3547 wbio = BIO_new(BIO_s_mem());
3548 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
3549 BIO_free(rbio);
3550 BIO_free(wbio);
3551 goto end;
3552 }
3553
3554 SSL_set_bio(con, rbio, wbio);
3555 SSL_set_connect_state(con);
3556
3557 if (!TEST_int_le(SSL_connect(con), 0)) {
3558 /* This shouldn't succeed because we don't have a server! */
3559 goto end;
3560 }
3561
3562 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
3563 /* no MFL in client hello */
3564 goto end;
3565 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
3566 goto end;
3567
3568 testresult = 1;
3569
3570end:
3571 SSL_free(con);
3572 SSL_CTX_free(ctx);
3573
3574 return testresult;
3575}
3576
9d75dce3
TS		 3577#ifndef OPENSSL_NO_TLS1_3
3578static int test_pha_key_update(void)
3579{
3580 SSL_CTX *cctx = NULL, *sctx = NULL;
3581 SSL *clientssl = NULL, *serverssl = NULL;
3582 int testresult = 0;
3583
3584 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3585 TLS_client_method(),
3586 &sctx, &cctx, cert, privkey)))
3587 return 0;
3588
3589 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
3590 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
3591 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
3592 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
3593 goto end;
3594
3595
3596 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3597 NULL, NULL)))
3598 goto end;
3599
3600 SSL_force_post_handshake_auth(clientssl);
3601
3602 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3603 SSL_ERROR_NONE)))
3604 goto end;
3605
3606 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
3607 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
3608 goto end;
3609
3610 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
3611 goto end;
3612
3613 /* Start handshake on the server */
3614 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
3615 goto end;
3616
3617 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
3618 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3619 SSL_ERROR_NONE)))
3620 goto end;
3621
3622 SSL_shutdown(clientssl);
3623 SSL_shutdown(serverssl);
3624
3625 testresult = 1;
3626
3627 end:
3628 SSL_free(serverssl);
3629 SSL_free(clientssl);
3630 SSL_CTX_free(sctx);
3631 SSL_CTX_free(cctx);
3632 return testresult;
3633}
3634#endif
3635
ad887416 3636int setup_tests(void)
2cb4b5f6 3637{
ad887416
P		 3638 if (!TEST_ptr(cert = test_get_argument(0))
3639 || !TEST_ptr(privkey = test_get_argument(1)))
710756a9 3640 return 0;
2cb4b5f6 3641
f297e4ec
RS		 3642 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
3643#ifdef OPENSSL_NO_CRYPTO_MDEBUG
3644 TEST_error("not supported in this build");
3645 return 0;
3646#else
3647 int i, mcount, rcount, fcount;
3648
3649 for (i = 0; i < 4; i++)
3650 test_export_key_mat(i);
3651 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
3652 test_printf_stdout("malloc %d realloc %d free %d\n",
3653 mcount, rcount, fcount);
3654 return 1;
3655#endif
3656 }
3657
84d5549e 3658 ADD_TEST(test_large_message_tls);
7856332e 3659 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 3660#ifndef OPENSSL_NO_DTLS
84d5549e 3661 ADD_TEST(test_large_message_dtls);
55386bef 3662#endif
8f8c11d8 3663#ifndef OPENSSL_NO_OCSP
c887104f 3664 ADD_TEST(test_tlsext_status_type);
8f8c11d8 3665#endif
eaa776da
MC		 3666 ADD_TEST(test_session_with_only_int_cache);
3667 ADD_TEST(test_session_with_only_ext_cache);
3668 ADD_TEST(test_session_with_both_cache);
7fb4c820 3669 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 3670 ADD_TEST(test_ssl_bio_pop_next_bio);
3671 ADD_TEST(test_ssl_bio_pop_ssl_bio);
3672 ADD_TEST(test_ssl_bio_change_rbio);
3673 ADD_TEST(test_ssl_bio_change_wbio);
c423ecaa 3674#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae 3675 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 3676 ADD_TEST(test_keylog);
c423ecaa 3677#endif
6acdd3e5
CB		 3678#ifndef OPENSSL_NO_TLS1_3
3679 ADD_TEST(test_keylog_no_master_key);
3680#endif
e9ee6536 3681#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 3682 ADD_TEST(test_client_hello_cb);
5f982038
MC		 3683#endif
3684#ifndef OPENSSL_NO_TLS1_3
02a3ed5a
MC		 3685 ADD_ALL_TESTS(test_early_data_read_write, 3);
3686 ADD_ALL_TESTS(test_early_data_skip, 3);
3687 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
3688 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 3689 ADD_ALL_TESTS(test_early_data_psk, 8);
02a3ed5a 3690 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 3691# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 3692 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 3693# endif
e9ee6536 3694#endif
a273157a 3695#ifndef OPENSSL_NO_TLS1_3
ca0413ae 3696 ADD_TEST(test_ciphersuite_change);
532f9578 3697 ADD_ALL_TESTS(test_tls13_psk, 3);
bb01ef3f 3698 ADD_ALL_TESTS(test_custom_exts, 5);
c7b8ff25 3699 ADD_TEST(test_stateless);
9d75dce3 3700 ADD_TEST(test_pha_key_update);
a273157a 3701#else
bb01ef3f 3702 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 3703#endif
16afd71c 3704 ADD_ALL_TESTS(test_serverinfo, 8);
2197d1df 3705 ADD_ALL_TESTS(test_export_key_mat, 4);
b38ede80
TT		 3706#ifndef OPENSSL_NO_TLS1_3
3707 ADD_ALL_TESTS(test_export_key_mat_early, 3);
3708#endif
e11b6aa4 3709 ADD_ALL_TESTS(test_ssl_clear, 2);
cf72c757 3710 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
ad887416
P		 3711 return 1;
3712}
2cb4b5f6 3713
ad887416
P		 3714void cleanup_tests(void)
3715{
fa454945 3716 bio_s_mempacket_test_free();
2cb4b5f6 3717}
A mirror of the official openssl repository