]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
test: remove TODOs
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
4333b89f 2 * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6 3 *
909f1a2e 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
2cb4b5f6
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
a76ce286
P		 10/*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14#ifndef OPENSSL_NO_DEPRECATED_3_0
15# define OPENSSL_SUPPRESS_DEPRECATED
16#endif
17
7c3a7561 18#include <stdio.h>
ba881d3b
MC		 19#include <string.h>
20
2cb4b5f6
MC		 21#include <openssl/opensslconf.h>
22#include <openssl/bio.h>
23#include <openssl/crypto.h>
24#include <openssl/ssl.h>
ba881d3b 25#include <openssl/ocsp.h>
76fd7a1d
MC		 26#include <openssl/srp.h>
27#include <openssl/txt_db.h>
d0191fe0 28#include <openssl/aes.h>
7c3a7561 29#include <openssl/rand.h>
a76ce286 30#include <openssl/core_names.h>
23c48d94 31#include <openssl/core_dispatch.h>
5e30f2fd 32#include <openssl/provider.h>
33c39a06 33#include <openssl/param_build.h>
dfccfde0 34#include <openssl/x509v3.h>
2cb4b5f6 35
20f8bc72 36#include "helpers/ssltestlib.h"
c887104f 37#include "testutil.h"
f297e4ec 38#include "testutil/output.h"
176db6dc 39#include "internal/nelem.h"
fe5d9450 40#include "internal/ktls.h"
706457b7 41#include "../ssl/ssl_local.h"
b0001d0c 42#include "filterprov.h"
2cb4b5f6 43
a763ca11
MC		 44#undef OSSL_NO_USABLE_TLS1_3
45#if defined(OPENSSL_NO_TLS1_3) \
46 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
47/*
48 * If we don't have ec or dh then there are no built-in groups that are usable
49 * with TLSv1.3
50 */
51# define OSSL_NO_USABLE_TLS1_3
52#endif
53
0c13cdf8
MC		 54/* Defined in tls-provider.c */
55int tls_provider_init(const OSSL_CORE_HANDLE *handle,
56 const OSSL_DISPATCH *in,
57 const OSSL_DISPATCH **out,
58 void **provctx);
852c2ed2 59
b4250010 60static OSSL_LIB_CTX *libctx = NULL;
5e30f2fd
MC		 61static OSSL_PROVIDER *defctxnull = NULL;
62
a763ca11 63#ifndef OSSL_NO_USABLE_TLS1_3
8614a4eb
MC		 64
65static SSL_SESSION *clientpsk = NULL;
66static SSL_SESSION *serverpsk = NULL;
67static const char *pskid = "Identity";
68static const char *srvid;
69
70static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
71 size_t *idlen, SSL_SESSION **sess);
72static int find_session_cb(SSL *ssl, const unsigned char *identity,
73 size_t identity_len, SSL_SESSION **sess);
74
75static int use_session_cb_cnt = 0;
76static int find_session_cb_cnt = 0;
77
78static SSL_SESSION *create_a_psk(SSL *ssl);
79#endif
80
1a2a3a42 81static char *certsdir = NULL;
2cb4b5f6
MC		 82static char *cert = NULL;
83static char *privkey = NULL;
b3842539
MC		 84static char *cert2 = NULL;
85static char *privkey2 = NULL;
3105d846
MC		 86static char *cert1024 = NULL;
87static char *privkey1024 = NULL;
88static char *cert3072 = NULL;
89static char *privkey3072 = NULL;
90static char *cert4096 = NULL;
91static char *privkey4096 = NULL;
92static char *cert8192 = NULL;
93static char *privkey8192 = NULL;
76fd7a1d
MC		 94static char *srpvfile = NULL;
95static char *tmpfilename = NULL;
2cb4b5f6 96
4f6c7044
MC		 97static int is_fips = 0;
98
cffe973c 99#define LOG_BUFFER_SIZE 2048
6acdd3e5 100static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 101static size_t server_log_buffer_index = 0;
6acdd3e5 102static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 103static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 104static int error_writing_log = 0;
105
8f8c11d8 106#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 107static const unsigned char orespder[] = "Dummy OCSP Response";
108static int ocsp_server_called = 0;
109static int ocsp_client_called = 0;
110
111static int cdummyarg = 1;
112static X509 *ocspcert = NULL;
8f8c11d8 113#endif
ba881d3b 114
84d5549e 115#define NUM_EXTRA_CERTS 40
cf72c757 116#define CLIENT_VERSION_LEN 2
84d5549e 117
f1a5939f
CB		 118/*
119 * This structure is used to validate that the correct number of log messages
120 * of various types are emitted when emitting secret logs.
121 */
122struct sslapitest_log_counts {
123 unsigned int rsa_key_exchange_count;
124 unsigned int master_secret_count;
cffe973c 125 unsigned int client_early_secret_count;
f1a5939f
CB		 126 unsigned int client_handshake_secret_count;
127 unsigned int server_handshake_secret_count;
128 unsigned int client_application_secret_count;
129 unsigned int server_application_secret_count;
01a2a654 130 unsigned int early_exporter_secret_count;
6329ce8f 131 unsigned int exporter_secret_count;
f1a5939f
CB		 132};
133
16afd71c
MC		 134
135static unsigned char serverinfov1[] = {
136 0xff, 0xff, /* Dummy extension type */
137 0x00, 0x01, /* Extension length is 1 byte */
138 0xff /* Dummy extension data */
139};
140
141static unsigned char serverinfov2[] = {
142 0x00, 0x00, 0x00,
143 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
144 0xff, 0xff, /* Dummy extension type */
145 0x00, 0x01, /* Extension length is 1 byte */
146 0xff /* Dummy extension data */
147};
148
104a733d
MC		 149static int hostname_cb(SSL *s, int *al, void *arg)
150{
151 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
152
153 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
154 || strcmp(hostname, "altgoodhost") == 0))
155 return SSL_TLSEXT_ERR_OK;
156
157 return SSL_TLSEXT_ERR_NOACK;
158}
159
710756a9
RS		 160static void client_keylog_callback(const SSL *ssl, const char *line)
161{
6acdd3e5
CB		 162 int line_length = strlen(line);
163
164 /* If the log doesn't fit, error out. */
710756a9
RS		 165 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
166 TEST_info("Client log too full");
6acdd3e5
CB		 167 error_writing_log = 1;
168 return;
169 }
170
171 strcat(client_log_buffer, line);
172 client_log_buffer_index += line_length;
710756a9 173 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 174}
175
710756a9
RS		 176static void server_keylog_callback(const SSL *ssl, const char *line)
177{
6acdd3e5
CB		 178 int line_length = strlen(line);
179
180 /* If the log doesn't fit, error out. */
710756a9 181 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 182 TEST_info("Server log too full");
6acdd3e5
CB		 183 error_writing_log = 1;
184 return;
185 }
186
187 strcat(server_log_buffer, line);
188 server_log_buffer_index += line_length;
710756a9 189 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 190}
191
192static int compare_hex_encoded_buffer(const char *hex_encoded,
193 size_t hex_length,
194 const uint8_t *raw,
710756a9
RS		 195 size_t raw_length)
196{
197 size_t i, j;
198 char hexed[3];
6acdd3e5 199
710756a9 200 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 201 return 1;
6acdd3e5 202
710756a9 203 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 204 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 205 if (!TEST_int_eq(hexed[0], hex_encoded[j])
206 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 207 return 1;
6acdd3e5
CB		 208 }
209
210 return 0;
211}
212
213static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 214 const SSL_SESSION *session,
710756a9
RS		 215 struct sslapitest_log_counts *expected)
216{
6acdd3e5
CB		 217 char *token = NULL;
218 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
219 size_t client_random_size = SSL3_RANDOM_SIZE;
220 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
221 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 222 unsigned int rsa_key_exchange_count = 0;
223 unsigned int master_secret_count = 0;
cffe973c 224 unsigned int client_early_secret_count = 0;
f1a5939f
CB		 225 unsigned int client_handshake_secret_count = 0;
226 unsigned int server_handshake_secret_count = 0;
227 unsigned int client_application_secret_count = 0;
228 unsigned int server_application_secret_count = 0;
01a2a654 229 unsigned int early_exporter_secret_count = 0;
6329ce8f 230 unsigned int exporter_secret_count = 0;
6acdd3e5 231
710756a9
RS		 232 for (token = strtok(buffer, " \n"); token != NULL;
233 token = strtok(NULL, " \n")) {
6acdd3e5 234 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 235 /*
236 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 237 * hex-encoded encrypted secret, then the hex-encoded pre-master
238 * secret.
239 */
710756a9 240 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 241 return 0;
710756a9 242 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 243 return 0;
710756a9 244 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 245 return 0;
f1a5939f
CB		 246 /*
247 * We can't sensibly check the log because the premaster secret is
248 * transient, and OpenSSL doesn't keep hold of it once the master
249 * secret is generated.
250 */
251 rsa_key_exchange_count++;
6acdd3e5 252 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 253 /*
254 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 255 * client random, then the hex-encoded master secret.
256 */
257 client_random_size = SSL_get_client_random(ssl,
258 actual_client_random,
259 SSL3_RANDOM_SIZE);
710756a9 260 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 261 return 0;
6acdd3e5 262
710756a9 263 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 264 return 0;
710756a9 265 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 266 return 0;
710756a9
RS		 267 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
268 actual_client_random,
269 client_random_size)))
f1a5939f 270 return 0;
6acdd3e5 271
710756a9 272 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 273 return 0;
6acdd3e5
CB		 274 master_key_size = SSL_SESSION_get_master_key(session,
275 actual_master_key,
276 master_key_size);
710756a9 277 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 278 return 0;
710756a9
RS		 279 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
280 actual_master_key,
281 master_key_size)))
f1a5939f 282 return 0;
f1a5939f 283 master_secret_count++;
cffe973c
PW		 284 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
285 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
710756a9
RS		 286 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
287 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
6329ce8f 288 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
01a2a654 289 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
6329ce8f 290 || strcmp(token, "EXPORTER_SECRET") == 0) {
f1a5939f
CB		 291 /*
292 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
293 * client random, and then the hex-encoded secret. In this case,
294 * we treat all of these secrets identically and then just
295 * distinguish between them when counting what we saw.
296 */
cffe973c
PW		 297 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
298 client_early_secret_count++;
299 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
f1a5939f
CB		 300 client_handshake_secret_count++;
301 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
302 server_handshake_secret_count++;
303 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
304 client_application_secret_count++;
305 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
306 server_application_secret_count++;
01a2a654
PW		 307 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
308 early_exporter_secret_count++;
6329ce8f
PW		 309 else if (strcmp(token, "EXPORTER_SECRET") == 0)
310 exporter_secret_count++;
f1a5939f
CB		 311
312 client_random_size = SSL_get_client_random(ssl,
313 actual_client_random,
314 SSL3_RANDOM_SIZE);
710756a9 315 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 316 return 0;
f1a5939f 317
710756a9 318 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 319 return 0;
710756a9 320 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 321 return 0;
710756a9
RS		 322 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
323 actual_client_random,
324 client_random_size)))
f1a5939f 325 return 0;
6acdd3e5 326
710756a9 327 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 328 return 0;
6acdd3e5 329 } else {
710756a9 330 TEST_info("Unexpected token %s\n", token);
f1a5939f 331 return 0;
6acdd3e5 332 }
6acdd3e5
CB		 333 }
334
710756a9
RS		 335 /* Got what we expected? */
336 if (!TEST_size_t_eq(rsa_key_exchange_count,
337 expected->rsa_key_exchange_count)
338 || !TEST_size_t_eq(master_secret_count,
339 expected->master_secret_count)
cffe973c
PW		 340 || !TEST_size_t_eq(client_early_secret_count,
341 expected->client_early_secret_count)
710756a9
RS		 342 || !TEST_size_t_eq(client_handshake_secret_count,
343 expected->client_handshake_secret_count)
344 || !TEST_size_t_eq(server_handshake_secret_count,
345 expected->server_handshake_secret_count)
346 || !TEST_size_t_eq(client_application_secret_count,
347 expected->client_application_secret_count)
348 || !TEST_size_t_eq(server_application_secret_count,
6329ce8f 349 expected->server_application_secret_count)
01a2a654
PW		 350 || !TEST_size_t_eq(early_exporter_secret_count,
351 expected->early_exporter_secret_count)
6329ce8f
PW		 352 || !TEST_size_t_eq(exporter_secret_count,
353 expected->exporter_secret_count))
710756a9
RS		 354 return 0;
355 return 1;
6acdd3e5
CB		 356}
357
a763ca11 358#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
710756a9
RS		 359static int test_keylog(void)
360{
6acdd3e5
CB		 361 SSL_CTX *cctx = NULL, *sctx = NULL;
362 SSL *clientssl = NULL, *serverssl = NULL;
363 int testresult = 0;
6fc1e624 364 struct sslapitest_log_counts expected;
6acdd3e5
CB		 365
366 /* Clean up logging space */
6fc1e624 367 memset(&expected, 0, sizeof(expected));
710756a9
RS		 368 memset(client_log_buffer, 0, sizeof(client_log_buffer));
369 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 370 client_log_buffer_index = 0;
371 server_log_buffer_index = 0;
372 error_writing_log = 0;
373
5e30f2fd 374 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
710756a9 375 TLS_client_method(),
5c587fb6 376 TLS1_VERSION, 0,
710756a9 377 &sctx, &cctx, cert, privkey)))
6acdd3e5 378 return 0;
6acdd3e5
CB		 379
380 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
381 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
382 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
383
f0deb4d3 384 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 385 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 386 goto end;
f0deb4d3 387
cf10df81
RS		 388 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
389 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 390 goto end;
6acdd3e5 391 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 392 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
393 == client_keylog_callback))
6acdd3e5 394 goto end;
710756a9 395 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 396 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
397 == server_keylog_callback))
6acdd3e5 398 goto end;
6acdd3e5 399
710756a9
RS		 400 /* Now do a handshake and check that the logs have been written to. */
401 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
402 &clientssl, NULL, NULL))
403 || !TEST_true(create_ssl_connection(serverssl, clientssl,
404 SSL_ERROR_NONE))
405 || !TEST_false(error_writing_log)
406 || !TEST_int_gt(client_log_buffer_index, 0)
407 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 408 goto end;
6acdd3e5 409
f1a5939f
CB		 410 /*
411 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 412 * do that by using strtok and confirming that we have more or less the
f1a5939f
CB		 413 * data we expect. For both client and server, we expect to see one master
414 * secret. The client should also see a RSA key exchange.
6acdd3e5 415 */
f1a5939f
CB		 416 expected.rsa_key_exchange_count = 1;
417 expected.master_secret_count = 1;
710756a9
RS		 418 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
419 SSL_get_session(clientssl), &expected)))
6acdd3e5 420 goto end;
f1a5939f
CB		 421
422 expected.rsa_key_exchange_count = 0;
710756a9
RS		 423 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
424 SSL_get_session(serverssl), &expected)))
6acdd3e5 425 goto end;
6acdd3e5
CB		 426
427 testresult = 1;
428
429end:
430 SSL_free(serverssl);
431 SSL_free(clientssl);
432 SSL_CTX_free(sctx);
433 SSL_CTX_free(cctx);
434
435 return testresult;
436}
c423ecaa 437#endif
6acdd3e5 438
a763ca11 439#ifndef OSSL_NO_USABLE_TLS1_3
710756a9
RS		 440static int test_keylog_no_master_key(void)
441{
6acdd3e5
CB		 442 SSL_CTX *cctx = NULL, *sctx = NULL;
443 SSL *clientssl = NULL, *serverssl = NULL;
cffe973c 444 SSL_SESSION *sess = NULL;
6acdd3e5 445 int testresult = 0;
6fc1e624 446 struct sslapitest_log_counts expected;
cffe973c
PW		 447 unsigned char buf[1];
448 size_t readbytes, written;
6acdd3e5
CB		 449
450 /* Clean up logging space */
6fc1e624 451 memset(&expected, 0, sizeof(expected));
710756a9
RS		 452 memset(client_log_buffer, 0, sizeof(client_log_buffer));
453 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 454 client_log_buffer_index = 0;
455 server_log_buffer_index = 0;
456 error_writing_log = 0;
457
5e30f2fd
MC		 458 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
459 TLS_client_method(), TLS1_VERSION, 0,
cffe973c
PW		 460 &sctx, &cctx, cert, privkey))
461 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
cffe973c 462 SSL3_RT_MAX_PLAIN_LENGTH)))
6acdd3e5 463 return 0;
6acdd3e5 464
cf10df81
RS		 465 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
466 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 467 goto end;
6acdd3e5
CB		 468
469 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 470 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
471 == client_keylog_callback))
6acdd3e5 472 goto end;
6acdd3e5 473
710756a9 474 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 475 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
476 == server_keylog_callback))
6acdd3e5 477 goto end;
6acdd3e5 478
710756a9
RS		 479 /* Now do a handshake and check that the logs have been written to. */
480 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
481 &clientssl, NULL, NULL))
482 || !TEST_true(create_ssl_connection(serverssl, clientssl,
483 SSL_ERROR_NONE))
484 || !TEST_false(error_writing_log))
6acdd3e5 485 goto end;
6acdd3e5 486
f1a5939f
CB		 487 /*
488 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 489 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 490 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 491 */
f1a5939f
CB		 492 expected.client_handshake_secret_count = 1;
493 expected.server_handshake_secret_count = 1;
494 expected.client_application_secret_count = 1;
495 expected.server_application_secret_count = 1;
6329ce8f 496 expected.exporter_secret_count = 1;
710756a9
RS		 497 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
498 SSL_get_session(clientssl), &expected))
499 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
500 SSL_get_session(serverssl),
501 &expected)))
6acdd3e5 502 goto end;
6acdd3e5 503
cffe973c
PW		 504 /* Terminate old session and resume with early data. */
505 sess = SSL_get1_session(clientssl);
506 SSL_shutdown(clientssl);
507 SSL_shutdown(serverssl);
508 SSL_free(serverssl);
509 SSL_free(clientssl);
510 serverssl = clientssl = NULL;
511
512 /* Reset key log */
513 memset(client_log_buffer, 0, sizeof(client_log_buffer));
514 memset(server_log_buffer, 0, sizeof(server_log_buffer));
515 client_log_buffer_index = 0;
516 server_log_buffer_index = 0;
517
518 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
519 &clientssl, NULL, NULL))
520 || !TEST_true(SSL_set_session(clientssl, sess))
521 /* Here writing 0 length early data is enough. */
522 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
523 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
524 &readbytes),
525 SSL_READ_EARLY_DATA_ERROR)
526 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
527 SSL_EARLY_DATA_ACCEPTED)
528 || !TEST_true(create_ssl_connection(serverssl, clientssl,
529 SSL_ERROR_NONE))
530 || !TEST_true(SSL_session_reused(clientssl)))
531 goto end;
532
533 /* In addition to the previous entries, expect early secrets. */
534 expected.client_early_secret_count = 1;
01a2a654 535 expected.early_exporter_secret_count = 1;
cffe973c
PW		 536 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
537 SSL_get_session(clientssl), &expected))
538 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
539 SSL_get_session(serverssl),
540 &expected)))
541 goto end;
542
6acdd3e5
CB		 543 testresult = 1;
544
545end:
cffe973c 546 SSL_SESSION_free(sess);
6acdd3e5
CB		 547 SSL_free(serverssl);
548 SSL_free(clientssl);
549 SSL_CTX_free(sctx);
550 SSL_CTX_free(cctx);
551
552 return testresult;
553}
554#endif
555
0c3eb279
DDO		 556static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
557{
558 int res = X509_verify_cert(ctx);
559
560 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
561 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
562 return -1; /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
563 return res;
564}
565
566static int test_client_cert_verify_cb(void)
567{
568 /* server key, cert, chain, and root */
569 char *skey = test_mk_file_path(certsdir, "leaf.key");
570 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
571 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
572 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
573 char *root = test_mk_file_path(certsdir, "rootCA.pem");
574 X509 *crt1 = NULL, *crt2 = NULL;
575 STACK_OF(X509) *server_chain;
576 SSL_CTX *cctx = NULL, *sctx = NULL;
577 SSL *clientssl = NULL, *serverssl = NULL;
578 int testresult = 0;
579
580 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
581 TLS_client_method(), TLS1_VERSION, 0,
582 &sctx, &cctx, NULL, NULL)))
583 goto end;
584 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
585 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
586 SSL_FILETYPE_PEM), 1)
587 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
588 goto end;
589 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
590 goto end;
591 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
592 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
593 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
594 &clientssl, NULL, NULL)))
595 goto end;
596
597 /* attempt SSL_connect() with incomplete server chain */
598 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
599 SSL_ERROR_WANT_RETRY_VERIFY)))
600 goto end;
601
602 /* application provides intermediate certs needed to verify server cert */
603 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
604 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
605 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
606 goto end;
607 /* add certs in reverse order to demonstrate real chain building */
608 if (!TEST_true(sk_X509_push(server_chain, crt1)))
609 goto end;
610 crt1 = NULL;
611 if (!TEST_true(sk_X509_push(server_chain, crt2)))
612 goto end;
613 crt2 = NULL;
614
615 /* continue SSL_connect(), must now succeed with completed server chain */
616 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
617 SSL_ERROR_NONE)))
618 goto end;
619
620 testresult = 1;
621
622end:
623 X509_free(crt1);
624 X509_free(crt2);
c38048e7
P		 625 if (clientssl != NULL) {
626 SSL_shutdown(clientssl);
627 SSL_free(clientssl);
628 }
629 if (serverssl != NULL) {
630 SSL_shutdown(serverssl);
631 SSL_free(serverssl);
632 }
0c3eb279
DDO		 633 SSL_CTX_free(sctx);
634 SSL_CTX_free(cctx);
635
636 OPENSSL_free(skey);
637 OPENSSL_free(leaf);
638 OPENSSL_free(int2);
639 OPENSSL_free(int1);
640 OPENSSL_free(root);
641
642 return testresult;
643}
644
4e4ae840
SL		 645static int test_ssl_build_cert_chain(void)
646{
647 int ret = 0;
648 SSL_CTX *ssl_ctx = NULL;
649 SSL *ssl = NULL;
650 char *skey = test_mk_file_path(certsdir, "leaf.key");
651 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
652
653 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
654 goto end;
655 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
656 goto end;
657 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
658 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
659 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
660 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
661 goto end;
662 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
663 | SSL_BUILD_CHAIN_FLAG_CHECK)))
664 goto end;
665 ret = 1;
666end:
667 SSL_free(ssl);
668 SSL_CTX_free(ssl_ctx);
669 OPENSSL_free(leaf_chain);
670 OPENSSL_free(skey);
671 return ret;
672}
673
674static int test_ssl_ctx_build_cert_chain(void)
675{
676 int ret = 0;
677 SSL_CTX *ctx = NULL;
678 char *skey = test_mk_file_path(certsdir, "leaf.key");
679 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
680
681 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
682 goto end;
683 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
684 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
685 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
686 SSL_FILETYPE_PEM), 1)
687 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
688 goto end;
689 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
690 | SSL_BUILD_CHAIN_FLAG_CHECK)))
691 goto end;
692 ret = 1;
693end:
694 SSL_CTX_free(ctx);
695 OPENSSL_free(leaf_chain);
696 OPENSSL_free(skey);
697 return ret;
698}
699
e9ee6536 700#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 701static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 702{
703 int *ctr = arg;
704 const unsigned char *p;
8ea404fb 705 int *exts;
2afaee51
BK		 706 /* We only configure two ciphers, but the SCSV is added automatically. */
707#ifdef OPENSSL_NO_EC
708 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
709#else
710 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
711 0x2c, 0x00, 0xff};
712#endif
8ea404fb
BK		 713 const int expected_extensions[] = {
714#ifndef OPENSSL_NO_EC
715 11, 10,
716#endif
10ed1b72 717 35, 22, 23, 13};
2afaee51
BK		 718 size_t len;
719
720 /* Make sure we can defer processing and get called back. */
721 if ((*ctr)++ == 0)
f1b97da1 722 return SSL_CLIENT_HELLO_RETRY;
2afaee51 723
a9c0d8be 724 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 725 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 726 || !TEST_size_t_eq(
727 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 728 || !TEST_int_eq(*p, 0))
f1b97da1 729 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 730 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 731 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 732 if (len != OSSL_NELEM(expected_extensions) ||
733 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 734 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 735 OPENSSL_free(exts);
f1b97da1 736 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 737 }
738 OPENSSL_free(exts);
f1b97da1 739 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 740}
741
a9c0d8be 742static int test_client_hello_cb(void)
710756a9 743{
2afaee51
BK		 744 SSL_CTX *cctx = NULL, *sctx = NULL;
745 SSL *clientssl = NULL, *serverssl = NULL;
746 int testctr = 0, testresult = 0;
747
5e30f2fd
MC		 748 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
749 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 750 &sctx, &cctx, cert, privkey)))
2afaee51 751 goto end;
a9c0d8be 752 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 753
2afaee51
BK		 754 /* The gimpy cipher list we configure can't do TLS 1.3. */
755 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 756
710756a9
RS		 757 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
758 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
759 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
760 &clientssl, NULL, NULL))
761 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 762 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 763 /*
764 * Passing a -1 literal is a hack since
765 * the real value was lost.
766 * */
a9c0d8be
DB		 767 || !TEST_int_eq(SSL_get_error(serverssl, -1),
768 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 769 || !TEST_true(create_ssl_connection(serverssl, clientssl,
770 SSL_ERROR_NONE)))
2afaee51 771 goto end;
2afaee51
BK		 772
773 testresult = 1;
774
088dfa13
TS		 775end:
776 SSL_free(serverssl);
777 SSL_free(clientssl);
778 SSL_CTX_free(sctx);
779 SSL_CTX_free(cctx);
780
781 return testresult;
782}
783
784static int test_no_ems(void)
785{
786 SSL_CTX *cctx = NULL, *sctx = NULL;
787 SSL *clientssl = NULL, *serverssl = NULL;
788 int testresult = 0;
789
5e30f2fd 790 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
088dfa13
TS		 791 TLS1_VERSION, TLS1_2_VERSION,
792 &sctx, &cctx, cert, privkey)) {
793 printf("Unable to create SSL_CTX pair\n");
794 goto end;
795 }
796
797 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
798
799 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
800 printf("Unable to create SSL objects\n");
801 goto end;
802 }
803
804 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
805 printf("Creating SSL connection failed\n");
806 goto end;
807 }
808
809 if (SSL_get_extms_support(serverssl)) {
810 printf("Server reports Extended Master Secret support\n");
811 goto end;
812 }
813
814 if (SSL_get_extms_support(clientssl)) {
815 printf("Client reports Extended Master Secret support\n");
816 goto end;
817 }
818 testresult = 1;
819
2afaee51
BK		 820end:
821 SSL_free(serverssl);
822 SSL_free(clientssl);
823 SSL_CTX_free(sctx);
824 SSL_CTX_free(cctx);
825
826 return testresult;
827}
828
3cd14e5e
BK		 829/*
830 * Very focused test to exercise a single case in the server-side state
831 * machine, when the ChangeCipherState message needs to actually change
832 * from one cipher to a different cipher (i.e., not changing from null
b3e6d666 833 * encryption to real encryption).
3cd14e5e
BK		 834 */
835static int test_ccs_change_cipher(void)
836{
837 SSL_CTX *cctx = NULL, *sctx = NULL;
838 SSL *clientssl = NULL, *serverssl = NULL;
839 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
840 int testresult = 0;
841 int i;
842 unsigned char buf;
843 size_t readbytes;
844
845 /*
846 * Create a conection so we can resume and potentially (but not) use
847 * a different cipher in the second connection.
848 */
5e30f2fd 849 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3cd14e5e
BK		 850 TLS_client_method(),
851 TLS1_VERSION, TLS1_2_VERSION,
852 &sctx, &cctx, cert, privkey))
853 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
854 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
855 NULL, NULL))
856 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
857 || !TEST_true(create_ssl_connection(serverssl, clientssl,
858 SSL_ERROR_NONE))
859 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
860 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
861 goto end;
862
863 shutdown_ssl_connection(serverssl, clientssl);
864 serverssl = clientssl = NULL;
865
866 /* Resume, preferring a different cipher. Our server will force the
867 * same cipher to be used as the initial handshake. */
868 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
869 NULL, NULL))
870 || !TEST_true(SSL_set_session(clientssl, sess))
871 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
872 || !TEST_true(create_ssl_connection(serverssl, clientssl,
873 SSL_ERROR_NONE))
874 || !TEST_true(SSL_session_reused(clientssl))
875 || !TEST_true(SSL_session_reused(serverssl))
876 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
877 || !TEST_ptr_eq(sesspre, sesspost)
878 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
879 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
880 goto end;
881 shutdown_ssl_connection(serverssl, clientssl);
882 serverssl = clientssl = NULL;
883
884 /*
885 * Now create a fresh connection and try to renegotiate a different
886 * cipher on it.
887 */
b3e6d666
BK		 888 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
889 NULL, NULL))
3cd14e5e
BK		 890 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
891 || !TEST_true(create_ssl_connection(serverssl, clientssl,
892 SSL_ERROR_NONE))
893 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
894 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
895 || !TEST_true(SSL_renegotiate(clientssl))
896 || !TEST_true(SSL_renegotiate_pending(clientssl)))
897 goto end;
898 /* Actually drive the renegotiation. */
899 for (i = 0; i < 3; i++) {
900 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
901 if (!TEST_ulong_eq(readbytes, 0))
902 goto end;
903 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
904 SSL_ERROR_WANT_READ)) {
905 goto end;
906 }
907 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
908 if (!TEST_ulong_eq(readbytes, 0))
909 goto end;
910 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
911 SSL_ERROR_WANT_READ)) {
912 goto end;
913 }
914 }
915 /* sesspre and sesspost should be different since the cipher changed. */
916 if (!TEST_false(SSL_renegotiate_pending(clientssl))
917 || !TEST_false(SSL_session_reused(clientssl))
918 || !TEST_false(SSL_session_reused(serverssl))
919 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
920 || !TEST_ptr_ne(sesspre, sesspost)
921 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
922 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
923 goto end;
924
925 shutdown_ssl_connection(serverssl, clientssl);
926 serverssl = clientssl = NULL;
927
928 testresult = 1;
929
930end:
931 SSL_free(serverssl);
932 SSL_free(clientssl);
933 SSL_CTX_free(sctx);
934 SSL_CTX_free(cctx);
935 SSL_SESSION_free(sess);
936
937 return testresult;
938}
fb121631 939#endif
3cd14e5e 940
84d5549e 941static int execute_test_large_message(const SSL_METHOD *smeth,
7d7f6834
RL		 942 const SSL_METHOD *cmeth,
943 int min_version, int max_version,
944 int read_ahead)
84d5549e
MC		 945{
946 SSL_CTX *cctx = NULL, *sctx = NULL;
947 SSL *clientssl = NULL, *serverssl = NULL;
948 int testresult = 0;
949 int i;
710756a9 950 BIO *certbio = NULL;
84d5549e
MC		 951 X509 *chaincert = NULL;
952 int certlen;
953
710756a9 954 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
84d5549e 955 goto end;
6725682d 956
d8652be0 957 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
6725682d
SL		 958 goto end;
959
960 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
961 goto end;
fa454945
MC		 962 BIO_free(certbio);
963 certbio = NULL;
84d5549e 964
5e30f2fd
MC		 965 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
966 max_version, &sctx, &cctx, cert,
967 privkey)))
84d5549e 968 goto end;
84d5549e 969
8ce390e1
MC		 970#ifdef OPENSSL_NO_DTLS1_2
971 if (smeth == DTLS_server_method()) {
972 /*
973 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
974 * level 0
975 */
976 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
977 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
978 "DEFAULT:@SECLEVEL=0")))
979 goto end;
980 }
981#endif
982
710756a9 983 if (read_ahead) {
7856332e
MC		 984 /*
985 * Test that read_ahead works correctly when dealing with large
986 * records
987 */
988 SSL_CTX_set_read_ahead(cctx, 1);
989 }
990
84d5549e
MC		 991 /*
992 * We assume the supplied certificate is big enough so that if we add
993 * NUM_EXTRA_CERTS it will make the overall message large enough. The
994 * default buffer size is requested to be 16k, but due to the way BUF_MEM
710756a9
RS		 995 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
996 * test we need to have a message larger than that.
84d5549e
MC		 997 */
998 certlen = i2d_X509(chaincert, NULL);
710756a9
RS		 999 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
1000 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
84d5549e 1001 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
710756a9 1002 if (!X509_up_ref(chaincert))
84d5549e 1003 goto end;
84d5549e 1004 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
84d5549e
MC		 1005 X509_free(chaincert);
1006 goto end;
1007 }
1008 }
1009
710756a9
RS		 1010 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1011 NULL, NULL))
1012 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1013 SSL_ERROR_NONE)))
84d5549e 1014 goto end;
84d5549e 1015
4bf08600
MC		 1016 /*
1017 * Calling SSL_clear() first is not required but this tests that SSL_clear()
742ccab3 1018 * doesn't leak.
4bf08600 1019 */
710756a9 1020 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 1021 goto end;
84d5549e 1022
4bf08600 1023 testresult = 1;
84d5549e 1024 end:
6725682d 1025 BIO_free(certbio);
84d5549e
MC		 1026 X509_free(chaincert);
1027 SSL_free(serverssl);
1028 SSL_free(clientssl);
1029 SSL_CTX_free(sctx);
1030 SSL_CTX_free(cctx);
1031
1032 return testresult;
1033}
1034
da4db160 1035#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
a763ca11 1036 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
da4db160 1037#define TLS_CIPHER_MAX_REC_SEQ_SIZE 8
fe5d9450
BP		 1038/* sock must be connected */
1039static int ktls_chk_platform(int sock)
1040{
1041 if (!ktls_enable(sock))
1042 return 0;
1043 return 1;
1044}
1045
da4db160 1046static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd, int rec_seq_size)
fe5d9450
BP		 1047{
1048 static char count = 1;
1049 unsigned char cbuf[16000] = {0};
1050 unsigned char sbuf[16000];
1051 size_t err = 0;
da4db160
VF		 1052 char crec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
1053 char crec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
1054 char crec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
1055 char crec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
1056 char srec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
1057 char srec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
1058 char srec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
1059 char srec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
fe5d9450
BP		 1060
1061 cbuf[0] = count++;
da4db160
VF		 1062 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, rec_seq_size);
1063 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, rec_seq_size);
1064 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, rec_seq_size);
1065 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, rec_seq_size);
fe5d9450
BP		 1066
1067 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1068 goto end;
1069
1070 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1071 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1072 goto end;
1073 }
1074 }
1075
1076 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1077 goto end;
1078
1079 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1080 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1081 goto end;
1082 }
1083 }
1084
da4db160
VF		 1085 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, rec_seq_size);
1086 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, rec_seq_size);
1087 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, rec_seq_size);
1088 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, rec_seq_size);
fe5d9450
BP		 1089
1090 /* verify the payload */
1091 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1092 goto end;
1093
1094 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
a3a54179 1095 if ((SSL_get_options(clientssl) & SSL_OP_ENABLE_KTLS) == 0) {
da4db160
VF		 1096 if (!TEST_mem_ne(crec_wseq_before, rec_seq_size,
1097 crec_wseq_after, rec_seq_size))
fe5d9450
BP		 1098 goto end;
1099 } else {
da4db160
VF		 1100 if (!TEST_mem_eq(crec_wseq_before, rec_seq_size,
1101 crec_wseq_after, rec_seq_size))
fe5d9450
BP		 1102 goto end;
1103 }
1104
a3a54179 1105 if ((SSL_get_options(serverssl) & SSL_OP_ENABLE_KTLS) == 0) {
da4db160
VF		 1106 if (!TEST_mem_ne(srec_wseq_before, rec_seq_size,
1107 srec_wseq_after, rec_seq_size))
fe5d9450
BP		 1108 goto end;
1109 } else {
da4db160
VF		 1110 if (!TEST_mem_eq(srec_wseq_before, rec_seq_size,
1111 srec_wseq_after, rec_seq_size))
fe5d9450
BP		 1112 goto end;
1113 }
1114
a3a54179
MC		 1115 if ((SSL_get_options(clientssl) & SSL_OP_ENABLE_KTLS) == 0
1116#if defined(OPENSSL_NO_KTLS_RX)
1117 || 1
1118#endif
1119 ) {
da4db160
VF		 1120 if (!TEST_mem_ne(crec_rseq_before, rec_seq_size,
1121 crec_rseq_after, rec_seq_size))
2fab79af
BP		 1122 goto end;
1123 } else {
da4db160
VF		 1124 if (!TEST_mem_eq(crec_rseq_before, rec_seq_size,
1125 crec_rseq_after, rec_seq_size))
2fab79af
BP		 1126 goto end;
1127 }
1128
a3a54179
MC		 1129 if ((SSL_get_options(serverssl) & SSL_OP_ENABLE_KTLS) == 0
1130#if defined(OPENSSL_NO_KTLS_RX)
1131 || 1
1132#endif
1133 ) {
da4db160
VF		 1134 if (!TEST_mem_ne(srec_rseq_before, rec_seq_size,
1135 srec_rseq_after, rec_seq_size))
2fab79af
BP		 1136 goto end;
1137 } else {
da4db160
VF		 1138 if (!TEST_mem_eq(srec_rseq_before, rec_seq_size,
1139 srec_rseq_after, rec_seq_size))
2fab79af
BP		 1140 goto end;
1141 }
fe5d9450
BP		 1142
1143 return 1;
1144end:
1145 return 0;
1146}
1147
a3a54179 1148static int execute_test_ktls(int cis_ktls, int sis_ktls,
da4db160
VF		 1149 int tls_version, const char *cipher,
1150 int rec_seq_size)
fe5d9450
BP		 1151{
1152 SSL_CTX *cctx = NULL, *sctx = NULL;
1153 SSL *clientssl = NULL, *serverssl = NULL;
1154 int testresult = 0;
1155 int cfd, sfd;
1156
1157 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
1158 goto end;
1159
1160 /* Skip this test if the platform does not support ktls */
1161 if (!ktls_chk_platform(cfd))
1162 return 1;
1163
1164 /* Create a session based on SHA-256 */
5e30f2fd 1165 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fe5d9450 1166 TLS_client_method(),
da4db160 1167 tls_version, tls_version,
fe5d9450 1168 &sctx, &cctx, cert, privkey))
da4db160 1169 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
ab114c6d 1170 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher))
fe5d9450
BP		 1171 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1172 &clientssl, sfd, cfd)))
1173 goto end;
1174
a3a54179
MC		 1175 if (cis_ktls) {
1176 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
fe5d9450
BP		 1177 goto end;
1178 }
1179
a3a54179
MC		 1180 if (sis_ktls) {
1181 if (!TEST_true(SSL_set_mode(serverssl, SSL_OP_ENABLE_KTLS)))
2fab79af
BP		 1182 goto end;
1183 }
1184
fe5d9450
BP		 1185 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1186 SSL_ERROR_NONE)))
1187 goto end;
1188
a3a54179 1189 if (!cis_ktls) {
fe5d9450
BP		 1190 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1191 goto end;
1192 } else {
1193 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
1194 goto end;
1195 }
1196
a3a54179 1197 if (!sis_ktls) {
fe5d9450
BP		 1198 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1199 goto end;
1200 } else {
1201 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1202 goto end;
1203 }
1204
a3a54179
MC		 1205 if (!cis_ktls
1206#if defined(OPENSSL_NO_KTLS_RX)
1207 || 1
1208#endif
1209 ) {
2fab79af
BP		 1210 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1211 goto end;
1212 } else {
1213 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
1214 goto end;
1215 }
1216
a3a54179
MC		 1217 if (!sis_ktls
1218#if defined(OPENSSL_NO_KTLS_RX)
1219 || 1
1220#endif
1221 ) {
2fab79af
BP		 1222 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1223 goto end;
1224 } else {
1225 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
1226 goto end;
1227 }
1228
da4db160
VF		 1229 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd,
1230 rec_seq_size)))
fe5d9450
BP		 1231 goto end;
1232
1233 testresult = 1;
1234end:
1235 if (clientssl) {
1236 SSL_shutdown(clientssl);
1237 SSL_free(clientssl);
1238 }
1239 if (serverssl) {
1240 SSL_shutdown(serverssl);
1241 SSL_free(serverssl);
1242 }
1243 SSL_CTX_free(sctx);
1244 SSL_CTX_free(cctx);
1245 serverssl = clientssl = NULL;
1246 return testresult;
1247}
1248
7c3a7561
BP		 1249#define SENDFILE_SZ (16 * 4096)
1250#define SENDFILE_CHUNK (4 * 4096)
1251#define min(a,b) ((a) > (b) ? (b) : (a))
1252
da4db160 1253static int test_ktls_sendfile(int tls_version, const char *cipher)
7c3a7561
BP		 1254{
1255 SSL_CTX *cctx = NULL, *sctx = NULL;
1256 SSL *clientssl = NULL, *serverssl = NULL;
1257 unsigned char *buf, *buf_dst;
1258 BIO *out = NULL, *in = NULL;
1259 int cfd, sfd, ffd, err;
1260 ssize_t chunk_size = 0;
1261 off_t chunk_off = 0;
1262 int testresult = 0;
1263 FILE *ffdp;
1264
1265 buf = OPENSSL_zalloc(SENDFILE_SZ);
1266 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1267 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1268 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1269 goto end;
1270
1271 /* Skip this test if the platform does not support ktls */
1272 if (!ktls_chk_platform(sfd)) {
1273 testresult = 1;
1274 goto end;
1275 }
1276
1277 /* Create a session based on SHA-256 */
5e30f2fd 1278 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7c3a7561 1279 TLS_client_method(),
da4db160 1280 tls_version, tls_version,
7c3a7561 1281 &sctx, &cctx, cert, privkey))
da4db160 1282 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
ab114c6d 1283 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher))
7c3a7561
BP		 1284 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1285 &clientssl, sfd, cfd)))
1286 goto end;
1287
1288 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1289 SSL_ERROR_NONE))
1290 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1291 goto end;
1292
23e97567 1293 if (!TEST_true(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0)))
72c1e374
JB		 1294 goto end;
1295
7c3a7561
BP		 1296 out = BIO_new_file(tmpfilename, "wb");
1297 if (!TEST_ptr(out))
1298 goto end;
1299
1300 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1301 goto end;
1302
1303 BIO_free(out);
1304 out = NULL;
1305 in = BIO_new_file(tmpfilename, "rb");
1306 BIO_get_fp(in, &ffdp);
1307 ffd = fileno(ffdp);
1308
1309 while (chunk_off < SENDFILE_SZ) {
1310 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1311 while ((err = SSL_sendfile(serverssl,
1312 ffd,
1313 chunk_off,
1314 chunk_size,
1315 0)) != chunk_size) {
1316 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1317 goto end;
1318 }
1319 while ((err = SSL_read(clientssl,
1320 buf_dst + chunk_off,
1321 chunk_size)) != chunk_size) {
1322 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1323 goto end;
1324 }
1325
1326 /* verify the payload */
1327 if (!TEST_mem_eq(buf_dst + chunk_off,
1328 chunk_size,
1329 buf + chunk_off,
1330 chunk_size))
1331 goto end;
1332
1333 chunk_off += chunk_size;
1334 }
1335
1336 testresult = 1;
1337end:
1338 if (clientssl) {
1339 SSL_shutdown(clientssl);
1340 SSL_free(clientssl);
1341 }
1342 if (serverssl) {
1343 SSL_shutdown(serverssl);
1344 SSL_free(serverssl);
1345 }
1346 SSL_CTX_free(sctx);
1347 SSL_CTX_free(cctx);
1348 serverssl = clientssl = NULL;
1349 BIO_free(out);
1350 BIO_free(in);
1351 OPENSSL_free(buf);
1352 OPENSSL_free(buf_dst);
1353 return testresult;
1354}
1355
a763ca11 1356#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
da4db160
VF		 1357static int test_ktls(int test)
1358{
a3a54179 1359 int cis_ktls, sis_ktls;
eb818d23 1360 int tlsver, testresult;
da4db160 1361
a3a54179 1362 if (test > 3) {
a763ca11 1363#if defined(OSSL_NO_USABLE_TLS1_3)
da4db160
VF		 1364 return 1;
1365#else
a3a54179 1366 test -= 4;
da4db160
VF		 1367 tlsver = TLS1_3_VERSION;
1368#endif
1369 } else {
1370#if defined(OPENSSL_NO_TLS1_2)
1371 return 1;
1372#else
1373 tlsver = TLS1_2_VERSION;
1374#endif
1375 }
1376
a3a54179
MC		 1377 cis_ktls = (test & 1) != 0;
1378 sis_ktls = (test & 2) != 0;
cd03b5dc 1379
eb818d23
JB		 1380 testresult = 1;
1381#ifdef OPENSSL_KTLS_AES_GCM_128
a3a54179
MC		 1382 testresult &= execute_test_ktls(cis_ktls, sis_ktls, tlsver,
1383 "AES128-GCM-SHA256",
eb818d23
JB		 1384 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1385#endif
1386#ifdef OPENSSL_KTLS_AES_CCM_128
a3a54179 1387 testresult &= execute_test_ktls(cis_ktls, sis_ktls, tlsver, "AES128-CCM",
eb818d23
JB		 1388 TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1389#endif
1390#ifdef OPENSSL_KTLS_AES_GCM_256
a3a54179
MC		 1391 testresult &= execute_test_ktls(cis_ktls, sis_ktls, tlsver,
1392 "AES256-GCM-SHA384",
eb818d23
JB		 1393 TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1394#endif
1395 return testresult;
2fab79af
BP		 1396}
1397
da4db160 1398static int test_ktls_sendfile_anytls(int tst)
fe5d9450 1399{
ab114c6d 1400 char *cipher[] = {"AES128-GCM-SHA256","AES128-CCM","AES256-GCM-SHA384"};
da4db160
VF		 1401 int tlsver;
1402
1403 if (tst > 2) {
a763ca11 1404#if defined(OSSL_NO_USABLE_TLS1_3)
da4db160
VF		 1405 return 1;
1406#else
1407 tst -= 3;
1408 tlsver = TLS1_3_VERSION;
1409#endif
1410 } else {
1411#if defined(OPENSSL_NO_TLS1_2)
1412 return 1;
1413#else
1414 tlsver = TLS1_2_VERSION;
1415#endif
1416 }
1417
1418#ifndef OPENSSL_KTLS_AES_GCM_128
1419 if(tst == 0) return 1;
1420#endif
1421#ifndef OPENSSL_KTLS_AES_CCM_128
1422 if(tst == 1) return 1;
1423#endif
1424#ifndef OPENSSL_KTLS_AES_GCM_256
1425 if(tst == 2) return 1;
1426#endif
1427 return test_ktls_sendfile(tlsver, cipher[tst]);
fe5d9450 1428}
da4db160
VF		 1429
1430#endif
fe5d9450
BP		 1431#endif
1432
84d5549e
MC		 1433static int test_large_message_tls(void)
1434{
7856332e 1435 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1436 TLS1_VERSION, 0, 0);
7856332e
MC		 1437}
1438
1439static int test_large_message_tls_read_ahead(void)
1440{
1441 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1442 TLS1_VERSION, 0, 1);
84d5549e
MC		 1443}
1444
55386bef 1445#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 1446static int test_large_message_dtls(void)
1447{
8ce390e1
MC		 1448# ifdef OPENSSL_NO_DTLS1_2
1449 /* Not supported in the FIPS provider */
1450 if (is_fips)
1451 return 1;
1452# endif
7856332e
MC		 1453 /*
1454 * read_ahead is not relevant to DTLS because DTLS always acts as if
1455 * read_ahead is set.
1456 */
84d5549e 1457 return execute_test_large_message(DTLS_server_method(),
7d7f6834 1458 DTLS_client_method(),
5c587fb6 1459 DTLS1_VERSION, 0, 0);
84d5549e 1460}
55386bef 1461#endif
84d5549e 1462
163b8016
ME		 1463static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1464 const SSL_METHOD *cmeth,
1465 int min_version, int max_version)
1466{
1467 size_t i;
1468 SSL_CTX *cctx = NULL, *sctx = NULL;
1469 SSL *clientssl = NULL, *serverssl = NULL;
1470 int testresult = 0;
1471 SSL3_RECORD *rr;
1472 void *zbuf;
1473
1474 static unsigned char cbuf[16000];
1475 static unsigned char sbuf[16000];
1476
1477 if (!TEST_true(create_ssl_ctx_pair(libctx,
1478 smeth, cmeth,
1479 min_version, max_version,
1480 &sctx, &cctx, cert,
1481 privkey)))
1482 goto end;
1483
8ce390e1
MC		 1484#ifdef OPENSSL_NO_DTLS1_2
1485 if (smeth == DTLS_server_method()) {
1486# ifdef OPENSSL_NO_DTLS1_2
1487 /* Not supported in the FIPS provider */
1488 if (is_fips) {
1489 testresult = 1;
1490 goto end;
1491 };
1492# endif
1493 /*
1494 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1495 * level 0
1496 */
1497 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1498 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1499 "DEFAULT:@SECLEVEL=0")))
1500 goto end;
1501 }
1502#endif
1503
163b8016
ME		 1504 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1505 NULL, NULL)))
1506 goto end;
1507
1508 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1509 goto end;
1510
1511 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1512 SSL_ERROR_NONE)))
1513 goto end;
1514
1515 for (i = 0; i < sizeof(cbuf); i++) {
1516 cbuf[i] = i & 0xff;
1517 }
1518
1519 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1520 goto end;
1521
1522 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1523 goto end;
1524
1525 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1526 goto end;
1527
1528 /*
1529 * Since we called SSL_peek(), we know the data in the record
1530 * layer is a plaintext record. We can gather the pointer to check
1531 * for zeroization after SSL_read().
1532 */
1533 rr = serverssl->rlayer.rrec;
1534 zbuf = &rr->data[rr->off];
1535 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1536 goto end;
1537
1538 /*
1539 * After SSL_peek() the plaintext must still be stored in the
1540 * record.
1541 */
1542 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1543 goto end;
1544
1545 memset(sbuf, 0, sizeof(sbuf));
1546 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1547 goto end;
1548
1549 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1550 goto end;
1551
1552 /* Check if rbuf is cleansed */
1553 memset(cbuf, 0, sizeof(cbuf));
1554 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1555 goto end;
1556
1557 testresult = 1;
1558 end:
1559 SSL_free(serverssl);
1560 SSL_free(clientssl);
1561 SSL_CTX_free(sctx);
1562 SSL_CTX_free(cctx);
1563
1564 return testresult;
1565}
1566
1567static int test_cleanse_plaintext(void)
1568{
1569#if !defined(OPENSSL_NO_TLS1_2)
1570 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1571 TLS_client_method(),
1572 TLS1_2_VERSION,
1573 TLS1_2_VERSION)))
1574 return 0;
1575
1576#endif
1577
a763ca11 1578#if !defined(OSSL_NO_USABLE_TLS1_3)
163b8016
ME		 1579 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1580 TLS_client_method(),
1581 TLS1_3_VERSION,
1582 TLS1_3_VERSION)))
1583 return 0;
1584#endif
1585
1586#if !defined(OPENSSL_NO_DTLS)
8ce390e1 1587
163b8016
ME		 1588 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1589 DTLS_client_method(),
1590 DTLS1_VERSION,
1591 0)))
1592 return 0;
1593#endif
1594 return 1;
1595}
1596
8f8c11d8 1597#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 1598static int ocsp_server_cb(SSL *s, void *arg)
1599{
1600 int *argi = (int *)arg;
710756a9 1601 unsigned char *copy = NULL;
ba881d3b
MC		 1602 STACK_OF(OCSP_RESPID) *ids = NULL;
1603 OCSP_RESPID *id = NULL;
1604
1605 if (*argi == 2) {
1606 /* In this test we are expecting exactly 1 OCSP_RESPID */
1607 SSL_get_tlsext_status_ids(s, &ids);
1608 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1609 return SSL_TLSEXT_ERR_ALERT_FATAL;
1610
1611 id = sk_OCSP_RESPID_value(ids, 0);
5e30f2fd 1612 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
ba881d3b
MC		 1613 return SSL_TLSEXT_ERR_ALERT_FATAL;
1614 } else if (*argi != 1) {
1615 return SSL_TLSEXT_ERR_ALERT_FATAL;
1616 }
1617
710756a9 1618 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 1619 return SSL_TLSEXT_ERR_ALERT_FATAL;
1620
710756a9 1621 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
ba881d3b 1622 ocsp_server_called = 1;
ba881d3b
MC		 1623 return SSL_TLSEXT_ERR_OK;
1624}
1625
1626static int ocsp_client_cb(SSL *s, void *arg)
1627{
1628 int *argi = (int *)arg;
1629 const unsigned char *respderin;
1630 size_t len;
1631
1632 if (*argi != 1 && *argi != 2)
1633 return 0;
1634
1635 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 1636 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 1637 return 0;
1638
1639 ocsp_client_called = 1;
ba881d3b
MC		 1640 return 1;
1641}
1642
2cb4b5f6
MC		 1643static int test_tlsext_status_type(void)
1644{
ba881d3b
MC		 1645 SSL_CTX *cctx = NULL, *sctx = NULL;
1646 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 1647 int testresult = 0;
ba881d3b
MC		 1648 STACK_OF(OCSP_RESPID) *ids = NULL;
1649 OCSP_RESPID *id = NULL;
1650 BIO *certbio = NULL;
2cb4b5f6 1651
5e30f2fd 1652 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
5c587fb6 1653 TLS1_VERSION, 0,
7d7f6834 1654 &sctx, &cctx, cert, privkey))
ba881d3b 1655 return 0;
2cb4b5f6 1656
710756a9 1657 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 1658 goto end;
2cb4b5f6 1659
ba881d3b 1660 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 1661
ba881d3b 1662 clientssl = SSL_new(cctx);
710756a9
RS		 1663 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1664 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1665 TLSEXT_STATUSTYPE_ocsp))
1666 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1667 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 1668 goto end;
2cb4b5f6 1669
ba881d3b
MC		 1670 SSL_free(clientssl);
1671 clientssl = NULL;
2cb4b5f6 1672
710756a9
RS		 1673 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1674 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1675 goto end;
2cb4b5f6 1676
ba881d3b 1677 clientssl = SSL_new(cctx);
710756a9 1678 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1679 goto end;
ba881d3b
MC		 1680 SSL_free(clientssl);
1681 clientssl = NULL;
1682
1683 /*
1684 * Now actually do a handshake and check OCSP information is exchanged and
1685 * the callbacks get called
1686 */
ba881d3b
MC		 1687 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1688 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1689 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1690 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 1691 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1692 &clientssl, NULL, NULL))
1693 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1694 SSL_ERROR_NONE))
1695 || !TEST_true(ocsp_client_called)
1696 || !TEST_true(ocsp_server_called))
ba881d3b 1697 goto end;
ba881d3b
MC		 1698 SSL_free(serverssl);
1699 SSL_free(clientssl);
1700 serverssl = NULL;
1701 clientssl = NULL;
1702
1703 /* Try again but this time force the server side callback to fail */
1704 ocsp_client_called = 0;
1705 ocsp_server_called = 0;
1706 cdummyarg = 0;
710756a9
RS		 1707 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1708 &clientssl, NULL, NULL))
1709 /* This should fail because the callback will fail */
1710 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1711 SSL_ERROR_NONE))
1712 || !TEST_false(ocsp_client_called)
1713 || !TEST_false(ocsp_server_called))
ba881d3b 1714 goto end;
ba881d3b
MC		 1715 SSL_free(serverssl);
1716 SSL_free(clientssl);
1717 serverssl = NULL;
1718 clientssl = NULL;
1719
1720 /*
1721 * This time we'll get the client to send an OCSP_RESPID that it will
1722 * accept.
1723 */
1724 ocsp_client_called = 0;
1725 ocsp_server_called = 0;
1726 cdummyarg = 2;
710756a9
RS		 1727 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1728 &clientssl, NULL, NULL)))
ba881d3b 1729 goto end;
ba881d3b
MC		 1730
1731 /*
1732 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 1733 * specific one. We'll use the server cert.
ba881d3b 1734 */
710756a9
RS		 1735 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1736 || !TEST_ptr(id = OCSP_RESPID_new())
1737 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
d8652be0 1738 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
6725682d 1739 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
5e30f2fd 1740 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
710756a9 1741 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 1742 goto end;
ba881d3b
MC		 1743 id = NULL;
1744 SSL_set_tlsext_status_ids(clientssl, ids);
1745 /* Control has been transferred */
1746 ids = NULL;
1747
1748 BIO_free(certbio);
1749 certbio = NULL;
1750
710756a9
RS		 1751 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1752 SSL_ERROR_NONE))
1753 || !TEST_true(ocsp_client_called)
1754 || !TEST_true(ocsp_server_called))
ba881d3b 1755 goto end;
ba881d3b 1756
2cb4b5f6
MC		 1757 testresult = 1;
1758
1759 end:
ba881d3b
MC		 1760 SSL_free(serverssl);
1761 SSL_free(clientssl);
1762 SSL_CTX_free(sctx);
1763 SSL_CTX_free(cctx);
1764 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1765 OCSP_RESPID_free(id);
1766 BIO_free(certbio);
1767 X509_free(ocspcert);
1768 ocspcert = NULL;
2cb4b5f6
MC		 1769
1770 return testresult;
1771}
8f8c11d8 1772#endif
2cb4b5f6 1773
a763ca11 1774#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 1775static int new_called, remove_called, get_called;
eaa776da 1776
eaa776da
MC		 1777static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1778{
1779 new_called++;
c0537ebd
MC		 1780 /*
1781 * sess has been up-refed for us, but we don't actually need it so free it
1782 * immediately.
1783 */
1784 SSL_SESSION_free(sess);
eaa776da
MC		 1785 return 1;
1786}
1787
1788static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1789{
1790 remove_called++;
1791}
1792
7a301f08
MC		 1793static SSL_SESSION *get_sess_val = NULL;
1794
1795static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1796 int *copy)
1797{
0afca811 1798 get_called++;
7a301f08
MC		 1799 *copy = 1;
1800 return get_sess_val;
1801}
1802
7a301f08 1803static int execute_test_session(int maxprot, int use_int_cache,
90fc2c26 1804 int use_ext_cache, long s_options)
2cb4b5f6
MC		 1805{
1806 SSL_CTX *sctx = NULL, *cctx = NULL;
1807 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1808 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 1809# ifndef OPENSSL_NO_TLS1_1
eaa776da 1810 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 1811# endif
2cb4b5f6 1812 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
36ff232c 1813 int testresult = 0, numnewsesstick = 1;
2cb4b5f6 1814
7e885b7b
P		 1815 new_called = remove_called = 0;
1816
36ff232c
MC		 1817 /* TLSv1.3 sends 2 NewSessionTickets */
1818 if (maxprot == TLS1_3_VERSION)
1819 numnewsesstick = 2;
1820
5e30f2fd
MC		 1821 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1822 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 1823 &sctx, &cctx, cert, privkey)))
2cb4b5f6 1824 return 0;
2cb4b5f6 1825
7a301f08
MC		 1826 /*
1827 * Only allow the max protocol version so we can force a connection failure
1828 * later
1829 */
1830 SSL_CTX_set_min_proto_version(cctx, maxprot);
1831 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 1832
1833 /* Set up session cache */
7e885b7b 1834 if (use_ext_cache) {
eaa776da
MC		 1835 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1836 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1837 }
7e885b7b 1838 if (use_int_cache) {
eaa776da
MC		 1839 /* Also covers instance where both are set */
1840 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1841 } else {
1842 SSL_CTX_set_session_cache_mode(cctx,
1843 SSL_SESS_CACHE_CLIENT
1844 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1845 }
2cb4b5f6 1846
90fc2c26
NM		 1847 if (s_options) {
1848 SSL_CTX_set_options(sctx, s_options);
1849 }
1850
710756a9
RS		 1851 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1852 NULL, NULL))
1853 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1854 SSL_ERROR_NONE))
1855 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 1856 goto end;
2cb4b5f6 1857
710756a9 1858 /* Should fail because it should already be in the cache */
7e885b7b 1859 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 1860 goto end;
7a301f08 1861 if (use_ext_cache
36ff232c
MC		 1862 && (!TEST_int_eq(new_called, numnewsesstick)
1863
1864 || !TEST_int_eq(remove_called, 0)))
b4982125 1865 goto end;
b4982125 1866
c0537ebd
MC		 1867 new_called = remove_called = 0;
1868 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1869 &clientssl2, NULL, NULL))
1870 || !TEST_true(SSL_set_session(clientssl2, sess1))
1871 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1872 SSL_ERROR_NONE))
1873 || !TEST_true(SSL_session_reused(clientssl2)))
1874 goto end;
1875
7a301f08
MC		 1876 if (maxprot == TLS1_3_VERSION) {
1877 /*
1878 * In TLSv1.3 we should have created a new session even though we have
4cb00457
MC		 1879 * resumed. Since we attempted a resume we should also have removed the
1880 * old ticket from the cache so that we try to only use tickets once.
7a301f08
MC		 1881 */
1882 if (use_ext_cache
1883 && (!TEST_int_eq(new_called, 1)
4cb00457 1884 || !TEST_int_eq(remove_called, 1)))
7a301f08
MC		 1885 goto end;
1886 } else {
1887 /*
1888 * In TLSv1.2 we expect to have resumed so no sessions added or
1889 * removed.
1890 */
1891 if (use_ext_cache
1892 && (!TEST_int_eq(new_called, 0)
1893 || !TEST_int_eq(remove_called, 0)))
1894 goto end;
1895 }
c0537ebd
MC		 1896
1897 SSL_SESSION_free(sess1);
1898 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1899 goto end;
1900 shutdown_ssl_connection(serverssl2, clientssl2);
1901 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 1902
1903 new_called = remove_called = 0;
710756a9
RS		 1904 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1905 &clientssl2, NULL, NULL))
1906 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1907 SSL_ERROR_NONE)))
2cb4b5f6 1908 goto end;
2cb4b5f6 1909
710756a9 1910 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 1911 goto end;
2cb4b5f6 1912
7a301f08 1913 if (use_ext_cache
36ff232c
MC		 1914 && (!TEST_int_eq(new_called, numnewsesstick)
1915 || !TEST_int_eq(remove_called, 0)))
eaa776da 1916 goto end;
eaa776da 1917
c0537ebd 1918 new_called = remove_called = 0;
2cb4b5f6 1919 /*
710756a9
RS		 1920 * This should clear sess2 from the cache because it is a "bad" session.
1921 * See SSL_set_session() documentation.
2cb4b5f6 1922 */
710756a9 1923 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 1924 goto end;
7a301f08
MC		 1925 if (use_ext_cache
1926 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 1927 goto end;
710756a9 1928 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 1929 goto end;
2cb4b5f6 1930
7e885b7b 1931 if (use_int_cache) {
710756a9
RS		 1932 /* Should succeeded because it should not already be in the cache */
1933 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1934 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 1935 goto end;
eaa776da
MC		 1936 }
1937
c0537ebd 1938 new_called = remove_called = 0;
eaa776da 1939 /* This shouldn't be in the cache so should fail */
710756a9 1940 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 1941 goto end;
2cb4b5f6 1942
7a301f08
MC		 1943 if (use_ext_cache
1944 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1945 goto end;
2cb4b5f6 1946
bf208d95 1947# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 1948 new_called = remove_called = 0;
eaa776da
MC		 1949 /* Force a connection failure */
1950 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 1951 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1952 &clientssl3, NULL, NULL))
1953 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 1954 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 1955 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1956 SSL_ERROR_NONE)))
eaa776da 1957 goto end;
b4982125 1958
eaa776da 1959 /* We should have automatically removed the session from the cache */
7a301f08
MC		 1960 if (use_ext_cache
1961 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1962 goto end;
2cb4b5f6 1963
710756a9 1964 /* Should succeed because it should not already be in the cache */
7e885b7b 1965 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 1966 goto end;
bf208d95 1967# endif
eaa776da 1968
7a301f08
MC		 1969 /* Now do some tests for server side caching */
1970 if (use_ext_cache) {
1971 SSL_CTX_sess_set_new_cb(cctx, NULL);
1972 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1973 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1974 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1975 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1976 get_sess_val = NULL;
1977 }
1978
1979 SSL_CTX_set_session_cache_mode(cctx, 0);
1980 /* Internal caching is the default on the server side */
1981 if (!use_int_cache)
1982 SSL_CTX_set_session_cache_mode(sctx,
1983 SSL_SESS_CACHE_SERVER
1984 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1985
1986 SSL_free(serverssl1);
1987 SSL_free(clientssl1);
1988 serverssl1 = clientssl1 = NULL;
1989 SSL_free(serverssl2);
1990 SSL_free(clientssl2);
1991 serverssl2 = clientssl2 = NULL;
1992 SSL_SESSION_free(sess1);
1993 sess1 = NULL;
1994 SSL_SESSION_free(sess2);
1995 sess2 = NULL;
1996
1997 SSL_CTX_set_max_proto_version(sctx, maxprot);
6cc0b3c2
MC		 1998 if (maxprot == TLS1_2_VERSION)
1999 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 2000 new_called = remove_called = get_called = 0;
7a301f08
MC		 2001 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2002 NULL, NULL))
2003 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2004 SSL_ERROR_NONE))
2005 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2006 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2007 goto end;
2008
ee94ec2e
MC		 2009 if (use_int_cache) {
2010 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2011 /*
2012 * In TLSv1.3 it should not have been added to the internal cache,
2013 * except in the case where we also have an external cache (in that
2014 * case it gets added to the cache in order to generate remove
2015 * events after timeout).
2016 */
2017 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2018 goto end;
2019 } else {
2020 /* Should fail because it should already be in the cache */
2021 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2022 goto end;
2023 }
2024 }
7a301f08
MC		 2025
2026 if (use_ext_cache) {
2027 SSL_SESSION *tmp = sess2;
2028
36ff232c 2029 if (!TEST_int_eq(new_called, numnewsesstick)
0afca811
KY		 2030 || !TEST_int_eq(remove_called, 0)
2031 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 2032 goto end;
2033 /*
2034 * Delete the session from the internal cache to force a lookup from
2035 * the external cache. We take a copy first because
2036 * SSL_CTX_remove_session() also marks the session as non-resumable.
2037 */
ee94ec2e 2038 if (use_int_cache && maxprot != TLS1_3_VERSION) {
3cb6a4d6
BK		 2039 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2040 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2041 goto end;
2042 SSL_SESSION_free(sess2);
2043 }
7a301f08
MC		 2044 sess2 = tmp;
2045 }
2046
0afca811 2047 new_called = remove_called = get_called = 0;
7a301f08
MC		 2048 get_sess_val = sess2;
2049 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2050 &clientssl2, NULL, NULL))
2051 || !TEST_true(SSL_set_session(clientssl2, sess1))
2052 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2053 SSL_ERROR_NONE))
2054 || !TEST_true(SSL_session_reused(clientssl2)))
2055 goto end;
2056
0afca811 2057 if (use_ext_cache) {
32305f88 2058 if (!TEST_int_eq(remove_called, 0))
0afca811
KY		 2059 goto end;
2060
2061 if (maxprot == TLS1_3_VERSION) {
32305f88
MC		 2062 if (!TEST_int_eq(new_called, 1)
2063 || !TEST_int_eq(get_called, 0))
0afca811
KY		 2064 goto end;
2065 } else {
32305f88
MC		 2066 if (!TEST_int_eq(new_called, 0)
2067 || !TEST_int_eq(get_called, 1))
0afca811
KY		 2068 goto end;
2069 }
2070 }
7a301f08 2071
2cb4b5f6 2072 testresult = 1;
eaa776da 2073
2cb4b5f6
MC		 2074 end:
2075 SSL_free(serverssl1);
2076 SSL_free(clientssl1);
2077 SSL_free(serverssl2);
2078 SSL_free(clientssl2);
bf208d95 2079# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 2080 SSL_free(serverssl3);
2081 SSL_free(clientssl3);
bf208d95 2082# endif
2cb4b5f6
MC		 2083 SSL_SESSION_free(sess1);
2084 SSL_SESSION_free(sess2);
2085 SSL_CTX_free(sctx);
2086 SSL_CTX_free(cctx);
2087
2088 return testresult;
2089}
a763ca11 2090#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 2091
7fb4c820
MC		 2092static int test_session_with_only_int_cache(void)
2093{
a763ca11 2094#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2095 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
7a301f08
MC		 2096 return 0;
2097#endif
2098
2099#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2100 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
7a301f08
MC		 2101#else
2102 return 1;
2103#endif
eaa776da
MC		 2104}
2105
7fb4c820
MC		 2106static int test_session_with_only_ext_cache(void)
2107{
a763ca11 2108#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2109 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
7a301f08
MC		 2110 return 0;
2111#endif
2112
2113#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2114 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
7a301f08
MC		 2115#else
2116 return 1;
2117#endif
eaa776da
MC		 2118}
2119
7fb4c820
MC		 2120static int test_session_with_both_cache(void)
2121{
a763ca11 2122#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26
NM		 2123 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2124 return 0;
2125#endif
2126
2127#ifndef OPENSSL_NO_TLS1_2
2128 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2129#else
2130 return 1;
2131#endif
2132}
2133
2134static int test_session_wo_ca_names(void)
2135{
a763ca11 2136#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2137 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
7a301f08
MC		 2138 return 0;
2139#endif
2140
2141#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2142 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
7a301f08
MC		 2143#else
2144 return 1;
2145#endif
eaa776da
MC		 2146}
2147
90fc2c26 2148
a763ca11 2149#ifndef OSSL_NO_USABLE_TLS1_3
c22365b3
MC		 2150static SSL_SESSION *sesscache[6];
2151static int do_cache;
36ff232c
MC		 2152
2153static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2154{
c22365b3
MC		 2155 if (do_cache) {
2156 sesscache[new_called] = sess;
2157 } else {
2158 /* We don't need the reference to the session, so free it */
2159 SSL_SESSION_free(sess);
2160 }
2161 new_called++;
2162
2163 return 1;
2164}
2165
2166static int post_handshake_verify(SSL *sssl, SSL *cssl)
2167{
2168 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2169 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2170 return 0;
2171
2172 /* Start handshake on the server and client */
2173 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2174 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2175 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2176 || !TEST_true(create_ssl_connection(sssl, cssl,
2177 SSL_ERROR_NONE)))
2178 return 0;
36ff232c
MC		 2179
2180 return 1;
2181}
2182
fbe9dafd 2183static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
03cdf559
MC		 2184 SSL_CTX **cctx)
2185{
2186 int sess_id_ctx = 1;
2187
5e30f2fd
MC		 2188 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2189 TLS_client_method(), TLS1_VERSION, 0,
2190 sctx, cctx, cert, privkey))
03cdf559
MC		 2191 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2192 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2193 (void *)&sess_id_ctx,
2194 sizeof(sess_id_ctx))))
2195 return 0;
2196
2197 if (stateful)
2198 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2199
2200 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2201 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2202 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2203
2204 return 1;
2205}
2206
2207static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2208{
2209 SSL *serverssl = NULL, *clientssl = NULL;
2210 int i;
2211
2212 /* Test that we can resume with all the tickets we got given */
2213 for (i = 0; i < idx * 2; i++) {
2214 new_called = 0;
2215 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2216 &clientssl, NULL, NULL))
2217 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2218 goto end;
2219
32097b33 2220 SSL_set_post_handshake_auth(clientssl, 1);
03cdf559
MC		 2221
2222 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2223 SSL_ERROR_NONE)))
2224 goto end;
2225
2226 /*
2227 * Following a successful resumption we only get 1 ticket. After a
2228 * failed one we should get idx tickets.
2229 */
2230 if (succ) {
2231 if (!TEST_true(SSL_session_reused(clientssl))
2232 || !TEST_int_eq(new_called, 1))
2233 goto end;
2234 } else {
2235 if (!TEST_false(SSL_session_reused(clientssl))
2236 || !TEST_int_eq(new_called, idx))
2237 goto end;
2238 }
2239
2240 new_called = 0;
2241 /* After a post-handshake authentication we should get 1 new ticket */
2242 if (succ
2243 && (!post_handshake_verify(serverssl, clientssl)
2244 || !TEST_int_eq(new_called, 1)))
2245 goto end;
2246
2247 SSL_shutdown(clientssl);
2248 SSL_shutdown(serverssl);
2249 SSL_free(serverssl);
2250 SSL_free(clientssl);
2251 serverssl = clientssl = NULL;
2252 SSL_SESSION_free(sesscache[i]);
2253 sesscache[i] = NULL;
2254 }
2255
2256 return 1;
2257
2258 end:
2259 SSL_free(clientssl);
2260 SSL_free(serverssl);
2261 return 0;
2262}
2263
04d7814a 2264static int test_tickets(int stateful, int idx)
36ff232c
MC		 2265{
2266 SSL_CTX *sctx = NULL, *cctx = NULL;
2267 SSL *serverssl = NULL, *clientssl = NULL;
03cdf559 2268 int testresult = 0;
36ff232c
MC		 2269 size_t j;
2270
2271 /* idx is the test number, but also the number of tickets we want */
2272
2273 new_called = 0;
c22365b3 2274 do_cache = 1;
36ff232c 2275
fbe9dafd 2276 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
36ff232c
MC		 2277 goto end;
2278
03cdf559
MC		 2279 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2280 &clientssl, NULL, NULL)))
2281 goto end;
2282
2283 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2284 SSL_ERROR_NONE))
2285 /* Check we got the number of tickets we were expecting */
2286 || !TEST_int_eq(idx, new_called))
2287 goto end;
04d7814a 2288
03cdf559
MC		 2289 SSL_shutdown(clientssl);
2290 SSL_shutdown(serverssl);
2291 SSL_free(serverssl);
2292 SSL_free(clientssl);
2293 SSL_CTX_free(sctx);
2294 SSL_CTX_free(cctx);
2295 clientssl = serverssl = NULL;
2296 sctx = cctx = NULL;
2297
2298 /*
2299 * Now we try to resume with the tickets we previously created. The
2300 * resumption attempt is expected to fail (because we're now using a new
2301 * SSL_CTX). We should see idx number of tickets issued again.
2302 */
2303
2304 /* Stop caching sessions - just count them */
2305 do_cache = 0;
2306
fbe9dafd 2307 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559
MC		 2308 goto end;
2309
2310 if (!check_resumption(idx, sctx, cctx, 0))
2311 goto end;
2312
2313 /* Start again with caching sessions */
2314 new_called = 0;
2315 do_cache = 1;
fbe9dafd
MC		 2316 SSL_CTX_free(sctx);
2317 SSL_CTX_free(cctx);
2318 sctx = cctx = NULL;
03cdf559 2319
fbe9dafd 2320 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559 2321 goto end;
36ff232c
MC		 2322
2323 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2324 &clientssl, NULL, NULL)))
2325 goto end;
2326
32097b33 2327 SSL_set_post_handshake_auth(clientssl, 1);
36ff232c
MC		 2328
2329 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2330 SSL_ERROR_NONE))
2331 /* Check we got the number of tickets we were expecting */
2332 || !TEST_int_eq(idx, new_called))
2333 goto end;
2334
2335 /* After a post-handshake authentication we should get new tickets issued */
c22365b3 2336 if (!post_handshake_verify(serverssl, clientssl)
36ff232c
MC		 2337 || !TEST_int_eq(idx * 2, new_called))
2338 goto end;
2339
36ff232c
MC		 2340 SSL_shutdown(clientssl);
2341 SSL_shutdown(serverssl);
2342 SSL_free(serverssl);
2343 SSL_free(clientssl);
2344 serverssl = clientssl = NULL;
2345
c22365b3
MC		 2346 /* Stop caching sessions - just count them */
2347 do_cache = 0;
2348
03cdf559
MC		 2349 /*
2350 * Check we can resume with all the tickets we created. This time around the
2351 * resumptions should all be successful.
2352 */
2353 if (!check_resumption(idx, sctx, cctx, 1))
2354 goto end;
36ff232c
MC		 2355
2356 testresult = 1;
2357
2358 end:
2359 SSL_free(serverssl);
2360 SSL_free(clientssl);
c22365b3 2361 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
36ff232c 2362 SSL_SESSION_free(sesscache[j]);
c22365b3
MC		 2363 sesscache[j] = NULL;
2364 }
36ff232c
MC		 2365 SSL_CTX_free(sctx);
2366 SSL_CTX_free(cctx);
2367
2368 return testresult;
2369}
04d7814a
MC		 2370
2371static int test_stateless_tickets(int idx)
2372{
2373 return test_tickets(0, idx);
2374}
2375
2376static int test_stateful_tickets(int idx)
2377{
2378 return test_tickets(1, idx);
2379}
8614a4eb
MC		 2380
2381static int test_psk_tickets(void)
2382{
2383 SSL_CTX *sctx = NULL, *cctx = NULL;
2384 SSL *serverssl = NULL, *clientssl = NULL;
2385 int testresult = 0;
2386 int sess_id_ctx = 1;
2387
5e30f2fd
MC		 2388 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2389 TLS_client_method(), TLS1_VERSION, 0,
2390 &sctx, &cctx, NULL, NULL))
8614a4eb
MC		 2391 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2392 (void *)&sess_id_ctx,
2393 sizeof(sess_id_ctx))))
2394 goto end;
2395
2396 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2397 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2398 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2399 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2400 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2401 use_session_cb_cnt = 0;
2402 find_session_cb_cnt = 0;
2403 srvid = pskid;
2404 new_called = 0;
2405
2406 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2407 NULL, NULL)))
2408 goto end;
2409 clientpsk = serverpsk = create_a_psk(clientssl);
2410 if (!TEST_ptr(clientpsk))
2411 goto end;
2412 SSL_SESSION_up_ref(clientpsk);
2413
2414 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2415 SSL_ERROR_NONE))
2416 || !TEST_int_eq(1, find_session_cb_cnt)
2417 || !TEST_int_eq(1, use_session_cb_cnt)
2418 /* We should always get 1 ticket when using external PSK */
2419 || !TEST_int_eq(1, new_called))
2420 goto end;
2421
2422 testresult = 1;
2423
2424 end:
2425 SSL_free(serverssl);
2426 SSL_free(clientssl);
2427 SSL_CTX_free(sctx);
2428 SSL_CTX_free(cctx);
2429 SSL_SESSION_free(clientpsk);
2430 SSL_SESSION_free(serverpsk);
2431 clientpsk = serverpsk = NULL;
2432
2433 return testresult;
2434}
f0049b86
BK		 2435
2436static int test_extra_tickets(int idx)
2437{
2438 SSL_CTX *sctx = NULL, *cctx = NULL;
2439 SSL *serverssl = NULL, *clientssl = NULL;
2440 BIO *bretry = BIO_new(bio_s_always_retry());
2441 BIO *tmp = NULL;
2442 int testresult = 0;
2443 int stateful = 0;
2444 size_t nbytes;
2445 unsigned char c, buf[1];
2446
2447 new_called = 0;
2448 do_cache = 1;
2449
2450 if (idx >= 3) {
2451 idx -= 3;
2452 stateful = 1;
2453 }
2454
2455 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2456 goto end;
2457 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2458 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2459 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2460
2461 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2462 &clientssl, NULL, NULL)))
2463 goto end;
2464
2465 /*
2466 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2467 * incremented by both client and server.
2468 */
2469 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2470 SSL_ERROR_NONE))
2471 /* Check we got the number of tickets we were expecting */
2472 || !TEST_int_eq(idx * 2, new_called)
2473 || !TEST_true(SSL_new_session_ticket(serverssl))
2474 || !TEST_true(SSL_new_session_ticket(serverssl))
2475 || !TEST_int_eq(idx * 2, new_called))
2476 goto end;
2477
2478 /* Now try a (real) write to actually send the tickets */
2479 c = '1';
2480 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2481 || !TEST_size_t_eq(1, nbytes)
2482 || !TEST_int_eq(idx * 2 + 2, new_called)
2483 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2484 || !TEST_int_eq(idx * 2 + 4, new_called)
2485 || !TEST_int_eq(sizeof(buf), nbytes)
2486 || !TEST_int_eq(c, buf[0])
2487 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2488 goto end;
2489
2490 /* Try with only requesting one new ticket, too */
2491 c = '2';
2492 new_called = 0;
2493 if (!TEST_true(SSL_new_session_ticket(serverssl))
2494 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2495 || !TEST_size_t_eq(sizeof(c), nbytes)
2496 || !TEST_int_eq(1, new_called)
2497 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2498 || !TEST_int_eq(2, new_called)
2499 || !TEST_size_t_eq(sizeof(buf), nbytes)
2500 || !TEST_int_eq(c, buf[0]))
2501 goto end;
2502
2503 /* Do it again but use dummy writes to drive the ticket generation */
2504 c = '3';
2505 new_called = 0;
2506 if (!TEST_true(SSL_new_session_ticket(serverssl))
2507 || !TEST_true(SSL_new_session_ticket(serverssl))
2508 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2509 || !TEST_size_t_eq(0, nbytes)
2510 || !TEST_int_eq(2, new_called)
2511 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2512 || !TEST_int_eq(4, new_called))
2513 goto end;
2514
a0bbcb42
BK		 2515 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2516 c = '4';
2517 new_called = 0;
2518 if (!TEST_true(SSL_new_session_ticket(serverssl))
2519 || !TEST_true(SSL_new_session_ticket(serverssl))
2520 || !TEST_true(SSL_do_handshake(serverssl))
2521 || !TEST_int_eq(2, new_called)
2522 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2523 || !TEST_int_eq(4, new_called))
2524 goto end;
2525
f0049b86
BK		 2526 /*
2527 * Use the always-retry BIO to exercise the logic that forces ticket
2528 * generation to wait until a record boundary.
2529 */
a0bbcb42 2530 c = '5';
f0049b86
BK		 2531 new_called = 0;
2532 tmp = SSL_get_wbio(serverssl);
2533 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2534 tmp = NULL;
2535 goto end;
2536 }
2537 SSL_set0_wbio(serverssl, bretry);
2538 bretry = NULL;
2539 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2540 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2541 || !TEST_size_t_eq(nbytes, 0))
2542 goto end;
2543 /* Restore a BIO that will let the write succeed */
2544 SSL_set0_wbio(serverssl, tmp);
2545 tmp = NULL;
a0bbcb42
BK		 2546 /*
2547 * These calls should just queue the request and not send anything
2548 * even if we explicitly try to hit the state machine.
2549 */
f0049b86
BK		 2550 if (!TEST_true(SSL_new_session_ticket(serverssl))
2551 || !TEST_true(SSL_new_session_ticket(serverssl))
a0bbcb42
BK		 2552 || !TEST_int_eq(0, new_called)
2553 || !TEST_true(SSL_do_handshake(serverssl))
f0049b86
BK		 2554 || !TEST_int_eq(0, new_called))
2555 goto end;
2556 /* Re-do the write; still no tickets sent */
2557 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2558 || !TEST_size_t_eq(1, nbytes)
2559 || !TEST_int_eq(0, new_called)
2560 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2561 || !TEST_int_eq(0, new_called)
2562 || !TEST_int_eq(sizeof(buf), nbytes)
2563 || !TEST_int_eq(c, buf[0])
2564 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2565 goto end;
a0bbcb42
BK		 2566 /* Even trying to hit the state machine now will still not send tickets */
2567 if (!TEST_true(SSL_do_handshake(serverssl))
2568 || !TEST_int_eq(0, new_called))
2569 goto end;
f0049b86 2570 /* Now the *next* write should send the tickets */
a0bbcb42 2571 c = '6';
f0049b86
BK		 2572 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2573 || !TEST_size_t_eq(1, nbytes)
2574 || !TEST_int_eq(2, new_called)
2575 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2576 || !TEST_int_eq(4, new_called)
2577 || !TEST_int_eq(sizeof(buf), nbytes)
2578 || !TEST_int_eq(c, buf[0])
2579 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2580 goto end;
2581
2582 SSL_shutdown(clientssl);
2583 SSL_shutdown(serverssl);
2584 testresult = 1;
2585
2586 end:
2587 BIO_free(bretry);
2588 BIO_free(tmp);
2589 SSL_free(serverssl);
2590 SSL_free(clientssl);
2591 SSL_CTX_free(sctx);
2592 SSL_CTX_free(cctx);
2593 clientssl = serverssl = NULL;
2594 sctx = cctx = NULL;
2595 return testresult;
2596}
04225915 2597#endif
36ff232c 2598
7d4488bb
MC		 2599#define USE_NULL 0
2600#define USE_BIO_1 1
2601#define USE_BIO_2 2
2602#define USE_DEFAULT 3
2603
2604#define CONNTYPE_CONNECTION_SUCCESS 0
2605#define CONNTYPE_CONNECTION_FAIL 1
2606#define CONNTYPE_NO_CONNECTION 2
2607
2608#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2609#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
a763ca11 2610#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
7d4488bb
MC		 2611# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2612#else
2613# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2614#endif
2615
7d4488bb
MC		 2616#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2617 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2618 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
7fb4c820
MC		 2619
2620static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2621{
2622 switch (type) {
2623 case USE_NULL:
2624 *res = NULL;
2625 break;
2626 case USE_BIO_1:
2627 *res = bio1;
2628 break;
2629 case USE_BIO_2:
2630 *res = bio2;
2631 break;
2632 }
2633}
2634
7d4488bb
MC		 2635
2636/*
2637 * Tests calls to SSL_set_bio() under various conditions.
2638 *
2639 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2640 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2641 * then do more tests where we create a successful connection first using our
2642 * standard connection setup functions, and then call SSL_set_bio() with
2643 * various combinations of valid BIOs or NULL. We then repeat these tests
2644 * following a failed connection. In this last case we are looking to check that
2645 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2646 */
7fb4c820
MC		 2647static int test_ssl_set_bio(int idx)
2648{
7d4488bb 2649 SSL_CTX *sctx = NULL, *cctx = NULL;
7fb4c820
MC		 2650 BIO *bio1 = NULL;
2651 BIO *bio2 = NULL;
0fae8150 2652 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7d4488bb
MC		 2653 SSL *serverssl = NULL, *clientssl = NULL;
2654 int initrbio, initwbio, newrbio, newwbio, conntype;
7fb4c820
MC		 2655 int testresult = 0;
2656
7d4488bb
MC		 2657 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2658 initrbio = idx % 3;
2659 idx /= 3;
2660 initwbio = idx % 3;
2661 idx /= 3;
2662 newrbio = idx % 3;
2663 idx /= 3;
2664 newwbio = idx % 3;
2665 conntype = CONNTYPE_NO_CONNECTION;
2666 } else {
2667 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2668 initrbio = initwbio = USE_DEFAULT;
2669 newrbio = idx % 2;
2670 idx /= 2;
2671 newwbio = idx % 2;
2672 idx /= 2;
2673 conntype = idx % 2;
2674 }
710756a9 2675
5e30f2fd
MC		 2676 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2677 TLS_client_method(), TLS1_VERSION, 0,
7d4488bb
MC		 2678 &sctx, &cctx, cert, privkey)))
2679 goto end;
2680
2681 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2682 /*
2683 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2684 * because we reduced the number of tests in the definition of
2685 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2686 * mismatched protocol versions we will force a connection failure.
2687 */
2688 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2689 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2690 }
2691
2692 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2693 NULL, NULL)))
710756a9 2694 goto end;
7fb4c820 2695
710756a9
RS		 2696 if (initrbio == USE_BIO_1
2697 || initwbio == USE_BIO_1
2698 || newrbio == USE_BIO_1
7fb4c820 2699 || newwbio == USE_BIO_1) {
710756a9 2700 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 2701 goto end;
7fb4c820
MC		 2702 }
2703
710756a9
RS		 2704 if (initrbio == USE_BIO_2
2705 || initwbio == USE_BIO_2
2706 || newrbio == USE_BIO_2
7fb4c820 2707 || newwbio == USE_BIO_2) {
710756a9 2708 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 2709 goto end;
7fb4c820
MC		 2710 }
2711
7d4488bb
MC		 2712 if (initrbio != USE_DEFAULT) {
2713 setupbio(&irbio, bio1, bio2, initrbio);
2714 setupbio(&iwbio, bio1, bio2, initwbio);
2715 SSL_set_bio(clientssl, irbio, iwbio);
7fb4c820 2716
7d4488bb
MC		 2717 /*
2718 * We want to maintain our own refs to these BIO, so do an up ref for
2719 * each BIO that will have ownership transferred in the SSL_set_bio()
2720 * call
2721 */
2722 if (irbio != NULL)
2723 BIO_up_ref(irbio);
2724 if (iwbio != NULL && iwbio != irbio)
2725 BIO_up_ref(iwbio);
2726 }
7fb4c820 2727
7d4488bb
MC		 2728 if (conntype != CONNTYPE_NO_CONNECTION
2729 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2730 SSL_ERROR_NONE)
2731 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2732 goto end;
7fb4c820
MC		 2733
2734 setupbio(&nrbio, bio1, bio2, newrbio);
2735 setupbio(&nwbio, bio1, bio2, newwbio);
2736
2737 /*
2738 * We will (maybe) transfer ownership again so do more up refs.
2739 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2740 * already been set!
2741 */
710756a9
RS		 2742 if (nrbio != NULL
2743 && nrbio != irbio
2744 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 2745 BIO_up_ref(nrbio);
710756a9
RS		 2746 if (nwbio != NULL
2747 && nwbio != nrbio
2748 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 2749 BIO_up_ref(nwbio);
2750
7d4488bb 2751 SSL_set_bio(clientssl, nrbio, nwbio);
7fb4c820
MC		 2752
2753 testresult = 1;
2754
2755 end:
7fb4c820
MC		 2756 BIO_free(bio1);
2757 BIO_free(bio2);
710756a9 2758
7fb4c820
MC		 2759 /*
2760 * This test is checking that the ref counting for SSL_set_bio is correct.
2761 * If we get here and we did too many frees then we will fail in the above
742ccab3 2762 * functions.
7fb4c820 2763 */
7d4488bb
MC		 2764 SSL_free(serverssl);
2765 SSL_free(clientssl);
2766 SSL_CTX_free(sctx);
2767 SSL_CTX_free(cctx);
7fb4c820
MC		 2768 return testresult;
2769}
2770
7e885b7b 2771typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 2772
7e885b7b 2773static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 2774{
2775 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 2776 SSL_CTX *ctx;
9a716987
MC		 2777 SSL *ssl = NULL;
2778 int testresult = 0;
2779
d8652be0 2780 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
710756a9
RS		 2781 || !TEST_ptr(ssl = SSL_new(ctx))
2782 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2783 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 2784 goto end;
9a716987
MC		 2785
2786 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2787
2788 /*
742ccab3 2789 * If anything goes wrong here then we could leak memory.
9a716987
MC		 2790 */
2791 BIO_push(sslbio, membio1);
2792
69687aa8 2793 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 2794 if (change_bio != NO_BIO_CHANGE) {
493e7898
NX		 2795 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
2796 ssl = NULL;
9a716987 2797 goto end;
493e7898 2798 }
7e885b7b 2799 if (change_bio == CHANGE_RBIO)
65e2d672 2800 SSL_set0_rbio(ssl, membio2);
9a716987 2801 else
65e2d672 2802 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 2803 }
2804 ssl = NULL;
2805
7e885b7b 2806 if (pop_ssl)
9a716987
MC		 2807 BIO_pop(sslbio);
2808 else
2809 BIO_pop(membio1);
2810
2811 testresult = 1;
2812 end:
2813 BIO_free(membio1);
2814 BIO_free(sslbio);
2815 SSL_free(ssl);
2816 SSL_CTX_free(ctx);
2817
2818 return testresult;
2819}
2820
2821static int test_ssl_bio_pop_next_bio(void)
2822{
7e885b7b 2823 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 2824}
2825
2826static int test_ssl_bio_pop_ssl_bio(void)
2827{
7e885b7b 2828 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 2829}
2830
2831static int test_ssl_bio_change_rbio(void)
2832{
7e885b7b 2833 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 2834}
2835
2836static int test_ssl_bio_change_wbio(void)
2837{
7e885b7b 2838 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 2839}
2840
a763ca11 2841#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
f1b25aae
MC		 2842typedef struct {
2843 /* The list of sig algs */
2844 const int *list;
2845 /* The length of the list */
2846 size_t listlen;
2847 /* A sigalgs list in string format */
2848 const char *liststr;
2849 /* Whether setting the list should succeed */
2850 int valid;
2851 /* Whether creating a connection with the list should succeed */
2852 int connsuccess;
2853} sigalgs_list;
2854
2855static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 2856# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2857static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2858static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 2859# endif
f1b25aae
MC		 2860static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2861static const int invalidlist2[] = {NID_sha256, NID_undef};
2862static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2863static const int invalidlist4[] = {NID_sha256};
2864static const sigalgs_list testsigalgs[] = {
2865 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 2866# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2867 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2868 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 2869# endif
f1b25aae 2870 {NULL, 0, "RSA+SHA256", 1, 1},
c423ecaa 2871# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2872 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2873 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 2874# endif
f1b25aae
MC		 2875 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2876 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2877 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2878 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2879 {NULL, 0, "RSA", 0, 0},
2880 {NULL, 0, "SHA256", 0, 0},
2881 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 2882 {NULL, 0, "Invalid", 0, 0}
2883};
f1b25aae
MC		 2884
2885static int test_set_sigalgs(int idx)
2886{
2887 SSL_CTX *cctx = NULL, *sctx = NULL;
2888 SSL *clientssl = NULL, *serverssl = NULL;
2889 int testresult = 0;
2890 const sigalgs_list *curr;
2891 int testctx;
2892
2893 /* Should never happen */
710756a9 2894 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 2895 return 0;
2896
2897 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2898 curr = testctx ? &testsigalgs[idx]
2899 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2900
5e30f2fd
MC		 2901 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2902 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 2903 &sctx, &cctx, cert, privkey)))
f1b25aae 2904 return 0;
f1b25aae 2905
d2e491f2
MC		 2906 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2907
f1b25aae
MC		 2908 if (testctx) {
2909 int ret;
710756a9 2910
f1b25aae
MC		 2911 if (curr->list != NULL)
2912 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2913 else
2914 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2915
2916 if (!ret) {
2917 if (curr->valid)
710756a9 2918 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 2919 else
2920 testresult = 1;
2921 goto end;
2922 }
2923 if (!curr->valid) {
710756a9 2924 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 2925 goto end;
2926 }
2927 }
2928
710756a9
RS		 2929 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2930 &clientssl, NULL, NULL)))
f1b25aae 2931 goto end;
f1b25aae
MC		 2932
2933 if (!testctx) {
2934 int ret;
2935
2936 if (curr->list != NULL)
2937 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2938 else
2939 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2940 if (!ret) {
2941 if (curr->valid)
710756a9 2942 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 2943 else
2944 testresult = 1;
2945 goto end;
2946 }
710756a9 2947 if (!curr->valid)
f1b25aae 2948 goto end;
f1b25aae
MC		 2949 }
2950
710756a9
RS		 2951 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2952 SSL_ERROR_NONE),
2953 curr->connsuccess))
f1b25aae 2954 goto end;
f1b25aae
MC		 2955
2956 testresult = 1;
2957
2958 end:
2959 SSL_free(serverssl);
2960 SSL_free(clientssl);
2961 SSL_CTX_free(sctx);
2962 SSL_CTX_free(cctx);
2963
2964 return testresult;
2965}
c423ecaa 2966#endif
f1b25aae 2967
a763ca11 2968#ifndef OSSL_NO_USABLE_TLS1_3
532f9578
MC		 2969static int psk_client_cb_cnt = 0;
2970static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 2971
2972static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2973 size_t *idlen, SSL_SESSION **sess)
2974{
2975 switch (++use_session_cb_cnt) {
2976 case 1:
2977 /* The first call should always have a NULL md */
2978 if (md != NULL)
2979 return 0;
2980 break;
2981
2982 case 2:
2983 /* The second call should always have an md */
2984 if (md == NULL)
2985 return 0;
2986 break;
2987
2988 default:
2989 /* We should only be called a maximum of twice */
2990 return 0;
2991 }
2992
57dee9bb
MC		 2993 if (clientpsk != NULL)
2994 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 2995
57dee9bb 2996 *sess = clientpsk;
02a3ed5a
MC		 2997 *id = (const unsigned char *)pskid;
2998 *idlen = strlen(pskid);
2999
3000 return 1;
3001}
3002
c2b290c3 3003#ifndef OPENSSL_NO_PSK
532f9578
MC		 3004static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3005 unsigned int max_id_len,
3006 unsigned char *psk,
3007 unsigned int max_psk_len)
3008{
3009 unsigned int psklen = 0;
3010
3011 psk_client_cb_cnt++;
3012
3013 if (strlen(pskid) + 1 > max_id_len)
3014 return 0;
3015
3016 /* We should only ever be called a maximum of twice per connection */
3017 if (psk_client_cb_cnt > 2)
3018 return 0;
3019
3020 if (clientpsk == NULL)
3021 return 0;
3022
3023 /* We'll reuse the PSK we set up for TLSv1.3 */
3024 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3025 return 0;
3026 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3027 strncpy(id, pskid, max_id_len);
3028
3029 return psklen;
3030}
c2b290c3 3031#endif /* OPENSSL_NO_PSK */
532f9578 3032
02a3ed5a
MC		 3033static int find_session_cb(SSL *ssl, const unsigned char *identity,
3034 size_t identity_len, SSL_SESSION **sess)
3035{
3036 find_session_cb_cnt++;
3037
3038 /* We should only ever be called a maximum of twice per connection */
3039 if (find_session_cb_cnt > 2)
3040 return 0;
3041
57dee9bb 3042 if (serverpsk == NULL)
02a3ed5a
MC		 3043 return 0;
3044
3045 /* Identity should match that set by the client */
3046 if (strlen(srvid) != identity_len
3047 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3048 /* No PSK found, continue but without a PSK */
3049 *sess = NULL;
3050 return 1;
3051 }
3052
57dee9bb
MC		 3053 SSL_SESSION_up_ref(serverpsk);
3054 *sess = serverpsk;
02a3ed5a
MC		 3055
3056 return 1;
3057}
3058
c2b290c3 3059#ifndef OPENSSL_NO_PSK
532f9578
MC		 3060static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3061 unsigned char *psk, unsigned int max_psk_len)
3062{
3063 unsigned int psklen = 0;
3064
3065 psk_server_cb_cnt++;
3066
3067 /* We should only ever be called a maximum of twice per connection */
3068 if (find_session_cb_cnt > 2)
3069 return 0;
3070
3071 if (serverpsk == NULL)
3072 return 0;
3073
3074 /* Identity should match that set by the client */
3075 if (strcmp(srvid, identity) != 0) {
3076 return 0;
3077 }
3078
3079 /* We'll reuse the PSK we set up for TLSv1.3 */
3080 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3081 return 0;
3082 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3083
3084 return psklen;
3085}
c2b290c3 3086#endif /* OPENSSL_NO_PSK */
532f9578 3087
5f982038
MC		 3088#define MSG1 "Hello"
3089#define MSG2 "World."
3090#define MSG3 "This"
3091#define MSG4 "is"
3092#define MSG5 "a"
90049cea
MC		 3093#define MSG6 "test"
3094#define MSG7 "message."
5f982038 3095
532f9578 3096#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
0b2b0be9 3097#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3098#define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3099#define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3100#define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
02a3ed5a 3101
8614a4eb
MC		 3102
3103static SSL_SESSION *create_a_psk(SSL *ssl)
3104{
3105 const SSL_CIPHER *cipher = NULL;
3106 const unsigned char key[] = {
3107 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3108 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3109 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3110 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3111 0x2c, 0x2d, 0x2e, 0x2f
3112 };
3113 SSL_SESSION *sess = NULL;
3114
3115 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3116 sess = SSL_SESSION_new();
3117 if (!TEST_ptr(sess)
3118 || !TEST_ptr(cipher)
3119 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
3120 sizeof(key)))
3121 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3122 || !TEST_true(
3123 SSL_SESSION_set_protocol_version(sess,
3124 TLS1_3_VERSION))) {
3125 SSL_SESSION_free(sess);
3126 return NULL;
3127 }
3128 return sess;
3129}
3130
5f982038
MC		 3131/*
3132 * Helper method to setup objects for early data test. Caller frees objects on
3133 * error.
3134 */
3135static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3cb47b4e 3136 SSL **serverssl, SSL_SESSION **sess, int idx)
5f982038 3137{
5a421415 3138 if (*sctx == NULL
5e30f2fd 3139 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5a421415 3140 TLS_client_method(),
5c587fb6 3141 TLS1_VERSION, 0,
5a421415
MC		 3142 sctx, cctx, cert, privkey)))
3143 return 0;
3144
3145 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 3146 return 0;
5f982038 3147
02a3ed5a
MC		 3148 if (idx == 1) {
3149 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 3150 SSL_CTX_set_read_ahead(*cctx, 1);
3151 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 3152 } else if (idx == 2) {
3153 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3154 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3155 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3156 use_session_cb_cnt = 0;
3157 find_session_cb_cnt = 0;
3158 srvid = pskid;
3cb47b4e
MC		 3159 }
3160
710756a9 3161 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 3162 NULL, NULL)))
3163 return 0;
3164
141e4709
MC		 3165 /*
3166 * For one of the run throughs (doesn't matter which one), we'll try sending
3167 * some SNI data in the initial ClientHello. This will be ignored (because
3168 * there is no SNI cb set up by the server), so it should not impact
3169 * early_data.
3170 */
3171 if (idx == 1
3172 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3173 return 0;
3174
02a3ed5a 3175 if (idx == 2) {
8614a4eb 3176 clientpsk = create_a_psk(*clientssl);
57dee9bb 3177 if (!TEST_ptr(clientpsk)
02a3ed5a
MC		 3178 /*
3179 * We just choose an arbitrary value for max_early_data which
3180 * should be big enough for testing purposes.
3181 */
57dee9bb
MC		 3182 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3183 0x100))
3184 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3185 SSL_SESSION_free(clientpsk);
3186 clientpsk = NULL;
02a3ed5a
MC		 3187 return 0;
3188 }
57dee9bb 3189 serverpsk = clientpsk;
02a3ed5a 3190
c20e3b28
MC		 3191 if (sess != NULL) {
3192 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3193 SSL_SESSION_free(clientpsk);
3194 SSL_SESSION_free(serverpsk);
3195 clientpsk = serverpsk = NULL;
3196 return 0;
3197 }
57dee9bb 3198 *sess = clientpsk;
c20e3b28 3199 }
02a3ed5a
MC		 3200 return 1;
3201 }
3202
3203 if (sess == NULL)
3204 return 1;
3205
3206 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3207 SSL_ERROR_NONE)))
5f982038 3208 return 0;
5f982038
MC		 3209
3210 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 3211 SSL_shutdown(*clientssl);
3212 SSL_shutdown(*serverssl);
5f982038
MC		 3213 SSL_free(*serverssl);
3214 SSL_free(*clientssl);
3215 *serverssl = *clientssl = NULL;
3216
710756a9
RS		 3217 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3218 clientssl, NULL, NULL))
3219 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 3220 return 0;
5f982038
MC		 3221
3222 return 1;
3223}
3224
3cb47b4e 3225static int test_early_data_read_write(int idx)
5f982038
MC		 3226{
3227 SSL_CTX *cctx = NULL, *sctx = NULL;
3228 SSL *clientssl = NULL, *serverssl = NULL;
3229 int testresult = 0;
3230 SSL_SESSION *sess = NULL;
9b5c865d
MC		 3231 unsigned char buf[20], data[1024];
3232 size_t readbytes, written, eoedlen, rawread, rawwritten;
3233 BIO *rbio;
5f982038 3234
710756a9
RS		 3235 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3236 &serverssl, &sess, idx)))
5f982038
MC		 3237 goto end;
3238
3239 /* Write and read some early data */
710756a9
RS		 3240 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3241 &written))
3242 || !TEST_size_t_eq(written, strlen(MSG1))
3243 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3244 sizeof(buf), &readbytes),
3245 SSL_READ_EARLY_DATA_SUCCESS)
3246 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3247 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3248 SSL_EARLY_DATA_ACCEPTED))
5f982038 3249 goto end;
5f982038
MC		 3250
3251 /*
09f28874 3252 * Server should be able to write data, and client should be able to
5f982038
MC		 3253 * read it.
3254 */
710756a9
RS		 3255 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3256 &written))
3257 || !TEST_size_t_eq(written, strlen(MSG2))
3258 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3259 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3260 goto end;
5f982038
MC		 3261
3262 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 3263 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3264 &written))
3265 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 3266 goto end;
5f982038 3267
09f28874 3268 /* Server should still be able read early data after writing data */
710756a9
RS		 3269 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3270 &readbytes),
3271 SSL_READ_EARLY_DATA_SUCCESS)
3272 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 3273 goto end;
5f982038 3274
09f28874 3275 /* Write more data from server and read it from client */
710756a9
RS		 3276 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3277 &written))
3278 || !TEST_size_t_eq(written, strlen(MSG4))
3279 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3280 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 3281 goto end;
5f982038
MC		 3282
3283 /*
3284 * If client writes normal data it should mean writing early data is no
3285 * longer possible.
3286 */
710756a9
RS		 3287 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3288 || !TEST_size_t_eq(written, strlen(MSG5))
3289 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3290 SSL_EARLY_DATA_ACCEPTED))
5f982038 3291 goto end;
5f982038 3292
9b5c865d
MC		 3293 /*
3294 * At this point the client has written EndOfEarlyData, ClientFinished and
3295 * normal (fully protected) data. We are going to cause a delay between the
3296 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3297 * in the read BIO, and then just put back the EndOfEarlyData message.
3298 */
3299 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 3300 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3301 || !TEST_size_t_lt(rawread, sizeof(data))
3302 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 3303 goto end;
710756a9 3304
9b5c865d
MC		 3305 /* Record length is in the 4th and 5th bytes of the record header */
3306 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 3307 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3308 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 3309 goto end;
9b5c865d 3310
5f982038 3311 /* Server should be told that there is no more early data */
710756a9
RS		 3312 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3313 &readbytes),
3314 SSL_READ_EARLY_DATA_FINISH)
3315 || !TEST_size_t_eq(readbytes, 0))
5f982038 3316 goto end;
5f982038 3317
9b5c865d
MC		 3318 /*
3319 * Server has not finished init yet, so should still be able to write early
3320 * data.
3321 */
710756a9
RS		 3322 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3323 &written))
3324 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 3325 goto end;
9b5c865d 3326
f8a303fa 3327 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 3328 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3329 &rawwritten))
3330 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 3331 goto end;
f8a303fa 3332
5f982038 3333 /* Server should be able to read normal data */
710756a9
RS		 3334 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3335 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3336 goto end;
5f982038 3337
09f28874 3338 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3339 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3340 &written)))
5f982038 3341 goto end;
5f982038 3342 ERR_clear_error();
710756a9
RS		 3343 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3344 &readbytes),
3345 SSL_READ_EARLY_DATA_ERROR))
5f982038 3346 goto end;
5f982038
MC		 3347 ERR_clear_error();
3348
9b5c865d 3349 /* Client should be able to read the data sent by the server */
710756a9
RS		 3350 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3351 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 3352 goto end;
710756a9 3353
f8a303fa 3354 /*
36ff232c
MC		 3355 * Make sure we process the two NewSessionTickets. These arrive
3356 * post-handshake. We attempt reads which we do not expect to return any
3357 * data.
f8a303fa 3358 */
36ff232c
MC		 3359 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3360 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3361 &readbytes)))
f8a303fa 3362 goto end;
5f982038 3363
90049cea 3364 /* Server should be able to write normal data */
710756a9
RS		 3365 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3366 || !TEST_size_t_eq(written, strlen(MSG7))
3367 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3368 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 3369 goto end;
90049cea 3370
c20e3b28 3371 SSL_SESSION_free(sess);
5f982038 3372 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 3373 use_session_cb_cnt = 0;
3374 find_session_cb_cnt = 0;
5f982038
MC		 3375
3376 SSL_shutdown(clientssl);
3377 SSL_shutdown(serverssl);
5f982038
MC		 3378 SSL_free(serverssl);
3379 SSL_free(clientssl);
3380 serverssl = clientssl = NULL;
710756a9
RS		 3381 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3382 &clientssl, NULL, NULL))
3383 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 3384 goto end;
5f982038
MC		 3385
3386 /* Write and read some early data */
710756a9
RS		 3387 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3388 &written))
3389 || !TEST_size_t_eq(written, strlen(MSG1))
3390 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3391 &readbytes),
3392 SSL_READ_EARLY_DATA_SUCCESS)
3393 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 3394 goto end;
5f982038 3395
710756a9
RS		 3396 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3397 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 3398 goto end;
5f982038 3399
09f28874 3400 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3401 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3402 &written)))
5f982038 3403 goto end;
5f982038 3404 ERR_clear_error();
710756a9
RS		 3405 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3406 &readbytes),
3407 SSL_READ_EARLY_DATA_ERROR))
5f982038 3408 goto end;
5f982038
MC		 3409 ERR_clear_error();
3410
3411 /* Client and server should be able to write/read normal data */
710756a9
RS		 3412 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3413 || !TEST_size_t_eq(written, strlen(MSG5))
3414 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3415 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3416 goto end;
5f982038
MC		 3417
3418 testresult = 1;
3419
3420 end:
c20e3b28 3421 SSL_SESSION_free(sess);
57dee9bb
MC		 3422 SSL_SESSION_free(clientpsk);
3423 SSL_SESSION_free(serverpsk);
3424 clientpsk = serverpsk = NULL;
5f982038
MC		 3425 SSL_free(serverssl);
3426 SSL_free(clientssl);
3427 SSL_CTX_free(sctx);
3428 SSL_CTX_free(cctx);
5f982038
MC		 3429 return testresult;
3430}
3431
5a421415
MC		 3432static int allow_ed_cb_called = 0;
3433
3434static int allow_early_data_cb(SSL *s, void *arg)
3435{
3436 int *usecb = (int *)arg;
3437
3438 allow_ed_cb_called++;
3439
3440 if (*usecb == 1)
3441 return 0;
3442
3443 return 1;
3444}
3445
3446/*
3447 * idx == 0: Standard early_data setup
3448 * idx == 1: early_data setup using read_ahead
3449 * usecb == 0: Don't use a custom early data callback
3450 * usecb == 1: Use a custom early data callback and reject the early data
3451 * usecb == 2: Use a custom early data callback and accept the early data
3bb5e5b0
MC		 3452 * confopt == 0: Configure anti-replay directly
3453 * confopt == 1: Configure anti-replay using SSL_CONF
5a421415 3454 */
3bb5e5b0 3455static int test_early_data_replay_int(int idx, int usecb, int confopt)
78fb5374
MC		 3456{
3457 SSL_CTX *cctx = NULL, *sctx = NULL;
3458 SSL *clientssl = NULL, *serverssl = NULL;
3459 int testresult = 0;
3460 SSL_SESSION *sess = NULL;
5a421415
MC		 3461 size_t readbytes, written;
3462 unsigned char buf[20];
3463
3464 allow_ed_cb_called = 0;
3465
5e30f2fd
MC		 3466 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3467 TLS_client_method(), TLS1_VERSION, 0,
3468 &sctx, &cctx, cert, privkey)))
5a421415
MC		 3469 return 0;
3470
3471 if (usecb > 0) {
3bb5e5b0
MC		 3472 if (confopt == 0) {
3473 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3474 } else {
3475 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3476
3477 if (!TEST_ptr(confctx))
3478 goto end;
3479 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3480 | SSL_CONF_FLAG_SERVER);
3481 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3482 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3483 2)) {
3484 SSL_CONF_CTX_free(confctx);
3485 goto end;
3486 }
3487 SSL_CONF_CTX_free(confctx);
3488 }
5a421415
MC		 3489 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3490 }
78fb5374
MC		 3491
3492 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3493 &serverssl, &sess, idx)))
3494 goto end;
3495
3496 /*
3497 * The server is configured to accept early data. Create a connection to
3498 * "use up" the ticket
3499 */
3500 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3501 || !TEST_true(SSL_session_reused(clientssl)))
3502 goto end;
3503
3504 SSL_shutdown(clientssl);
3505 SSL_shutdown(serverssl);
3506 SSL_free(serverssl);
3507 SSL_free(clientssl);
3508 serverssl = clientssl = NULL;
3509
3510 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3511 &clientssl, NULL, NULL))
5a421415
MC		 3512 || !TEST_true(SSL_set_session(clientssl, sess)))
3513 goto end;
3514
3515 /* Write and read some early data */
3516 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3517 &written))
3518 || !TEST_size_t_eq(written, strlen(MSG1)))
3519 goto end;
3520
3521 if (usecb <= 1) {
3522 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3523 &readbytes),
3524 SSL_READ_EARLY_DATA_FINISH)
3525 /*
3526 * The ticket was reused, so the we should have rejected the
3527 * early data
3528 */
3529 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3530 SSL_EARLY_DATA_REJECTED))
3531 goto end;
3532 } else {
3533 /* In this case the callback decides to accept the early data */
3534 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3535 &readbytes),
3536 SSL_READ_EARLY_DATA_SUCCESS)
3537 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3538 /*
3539 * Server will have sent its flight so client can now send
3540 * end of early data and complete its half of the handshake
3541 */
3542 || !TEST_int_gt(SSL_connect(clientssl), 0)
3543 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3544 &readbytes),
3545 SSL_READ_EARLY_DATA_FINISH)
3546 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3547 SSL_EARLY_DATA_ACCEPTED))
3548 goto end;
3549 }
3550
3551 /* Complete the connection */
3552 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3553 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3554 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
78fb5374
MC		 3555 goto end;
3556
3557 testresult = 1;
3558
3559 end:
c20e3b28 3560 SSL_SESSION_free(sess);
78fb5374
MC		 3561 SSL_SESSION_free(clientpsk);
3562 SSL_SESSION_free(serverpsk);
3563 clientpsk = serverpsk = NULL;
3564 SSL_free(serverssl);
3565 SSL_free(clientssl);
3566 SSL_CTX_free(sctx);
3567 SSL_CTX_free(cctx);
3568 return testresult;
3569}
3570
5a421415
MC		 3571static int test_early_data_replay(int idx)
3572{
3bb5e5b0 3573 int ret = 1, usecb, confopt;
5a421415 3574
3bb5e5b0
MC		 3575 for (usecb = 0; usecb < 3; usecb++) {
3576 for (confopt = 0; confopt < 2; confopt++)
3577 ret &= test_early_data_replay_int(idx, usecb, confopt);
3578 }
5a421415
MC		 3579
3580 return ret;
3581}
3582
710756a9 3583/*
6b84e6bf
MC		 3584 * Helper function to test that a server attempting to read early data can
3585 * handle a connection from a client where the early data should be skipped.
0d1b7789
MC		 3586 * testtype: 0 == No HRR
3587 * testtype: 1 == HRR
0efa0ba4
MC		 3588 * testtype: 2 == HRR, invalid early_data sent after HRR
3589 * testtype: 3 == recv_max_early_data set to 0
710756a9 3590 */
0d1b7789 3591static int early_data_skip_helper(int testtype, int idx)
5f982038
MC		 3592{
3593 SSL_CTX *cctx = NULL, *sctx = NULL;
3594 SSL *clientssl = NULL, *serverssl = NULL;
3595 int testresult = 0;
018fcbec 3596 SSL_SESSION *sess = NULL;
5f982038
MC		 3597 unsigned char buf[20];
3598 size_t readbytes, written;
3599
710756a9
RS		 3600 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3601 &serverssl, &sess, idx)))
5f982038
MC		 3602 goto end;
3603
0efa0ba4 3604 if (testtype == 1 || testtype == 2) {
6b84e6bf 3605 /* Force an HRR to occur */
dbc6268f
MC		 3606#if defined(OPENSSL_NO_EC)
3607 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3608 goto end;
3609#else
6b84e6bf
MC		 3610 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3611 goto end;
dbc6268f 3612#endif
02a3ed5a
MC		 3613 } else if (idx == 2) {
3614 /*
3615 * We force early_data rejection by ensuring the PSK identity is
3616 * unrecognised
3617 */
3618 srvid = "Dummy Identity";
6b84e6bf
MC		 3619 } else {
3620 /*
3621 * Deliberately corrupt the creation time. We take 20 seconds off the
3622 * time. It could be any value as long as it is not within tolerance.
3623 * This should mean the ticket is rejected.
3624 */
5d99881e 3625 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 3626 goto end;
3627 }
5f982038 3628
0efa0ba4 3629 if (testtype == 3
0d1b7789
MC		 3630 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3631 goto end;
3632
5f982038 3633 /* Write some early data */
710756a9
RS		 3634 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3635 &written))
3636 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 3637 goto end;
5f982038 3638
0d1b7789 3639 /* Server should reject the early data */
710756a9
RS		 3640 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3641 &readbytes),
3642 SSL_READ_EARLY_DATA_FINISH)
3643 || !TEST_size_t_eq(readbytes, 0)
3644 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3645 SSL_EARLY_DATA_REJECTED))
5f982038 3646 goto end;
5f982038 3647
0efa0ba4
MC		 3648 switch (testtype) {
3649 case 0:
3650 /* Nothing to do */
3651 break;
3652
3653 case 1:
6b84e6bf
MC		 3654 /*
3655 * Finish off the handshake. We perform the same writes and reads as
3656 * further down but we expect them to fail due to the incomplete
3657 * handshake.
3658 */
3659 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3660 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3661 &readbytes)))
3662 goto end;
0efa0ba4
MC		 3663 break;
3664
3665 case 2:
3666 {
3667 BIO *wbio = SSL_get_wbio(clientssl);
3668 /* A record that will appear as bad early_data */
3669 const unsigned char bad_early_data[] = {
3670 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3671 };
3672
3673 /*
3674 * We force the client to attempt a write. This will fail because
3675 * we're still in the handshake. It will cause the second
3676 * ClientHello to be sent.
3677 */
3678 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3679 &written)))
3680 goto end;
3681
3682 /*
3683 * Inject some early_data after the second ClientHello. This should
3684 * cause the server to fail
3685 */
3686 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3687 sizeof(bad_early_data), &written)))
3688 goto end;
3689 }
3690 /* fallthrough */
3691
3692 case 3:
0d1b7789 3693 /*
0efa0ba4
MC		 3694 * This client has sent more early_data than we are willing to skip
3695 * (case 3) or sent invalid early_data (case 2) so the connection should
3696 * abort.
0d1b7789
MC		 3697 */
3698 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3699 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3700 goto end;
3701
3702 /* Connection has failed - nothing more to do */
3703 testresult = 1;
3704 goto end;
0efa0ba4
MC		 3705
3706 default:
3707 TEST_error("Invalid test type");
3708 goto end;
6b84e6bf
MC		 3709 }
3710
0d1b7789
MC		 3711 /*
3712 * Should be able to send normal data despite rejection of early data. The
3713 * early_data should be skipped.
3714 */
710756a9
RS		 3715 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3716 || !TEST_size_t_eq(written, strlen(MSG2))
3717 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3718 SSL_EARLY_DATA_REJECTED)
3719 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3720 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3721 goto end;
5f982038
MC		 3722
3723 testresult = 1;
3724
3725 end:
c20e3b28 3726 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3727 SSL_SESSION_free(serverpsk);
3728 clientpsk = serverpsk = NULL;
5f982038
MC		 3729 SSL_SESSION_free(sess);
3730 SSL_free(serverssl);
3731 SSL_free(clientssl);
3732 SSL_CTX_free(sctx);
3733 SSL_CTX_free(cctx);
5f982038
MC		 3734 return testresult;
3735}
3736
6b84e6bf
MC		 3737/*
3738 * Test that a server attempting to read early data can handle a connection
3739 * from a client where the early data is not acceptable.
3740 */
3741static int test_early_data_skip(int idx)
3742{
3743 return early_data_skip_helper(0, idx);
3744}
3745
3746/*
3747 * Test that a server attempting to read early data can handle a connection
3748 * from a client where an HRR occurs.
3749 */
3750static int test_early_data_skip_hrr(int idx)
3751{
3752 return early_data_skip_helper(1, idx);
3753}
3754
0efa0ba4
MC		 3755/*
3756 * Test that a server attempting to read early data can handle a connection
3757 * from a client where an HRR occurs and correctly fails if early_data is sent
3758 * after the HRR
3759 */
3760static int test_early_data_skip_hrr_fail(int idx)
3761{
3762 return early_data_skip_helper(2, idx);
3763}
3764
0d1b7789
MC		 3765/*
3766 * Test that a server attempting to read early data will abort if it tries to
3767 * skip over too much.
3768 */
3769static int test_early_data_skip_abort(int idx)
3770{
0efa0ba4 3771 return early_data_skip_helper(3, idx);
0d1b7789
MC		 3772}
3773
710756a9
RS		 3774/*
3775 * Test that a server attempting to read early data can handle a connection
3776 * from a client that doesn't send any.
3777 */
3cb47b4e 3778static int test_early_data_not_sent(int idx)
5f982038
MC		 3779{
3780 SSL_CTX *cctx = NULL, *sctx = NULL;
3781 SSL *clientssl = NULL, *serverssl = NULL;
3782 int testresult = 0;
018fcbec 3783 SSL_SESSION *sess = NULL;
5f982038
MC		 3784 unsigned char buf[20];
3785 size_t readbytes, written;
3786
710756a9
RS		 3787 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3788 &serverssl, &sess, idx)))
5f982038
MC		 3789 goto end;
3790
3791 /* Write some data - should block due to handshake with server */
3792 SSL_set_connect_state(clientssl);
710756a9 3793 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 3794 goto end;
5f982038
MC		 3795
3796 /* Server should detect that early data has not been sent */
710756a9
RS		 3797 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3798 &readbytes),
3799 SSL_READ_EARLY_DATA_FINISH)
3800 || !TEST_size_t_eq(readbytes, 0)
3801 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3802 SSL_EARLY_DATA_NOT_SENT)
3803 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3804 SSL_EARLY_DATA_NOT_SENT))
5f982038 3805 goto end;
5f982038
MC		 3806
3807 /* Continue writing the message we started earlier */
710756a9
RS		 3808 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3809 || !TEST_size_t_eq(written, strlen(MSG1))
3810 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3811 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3812 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3813 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 3814 goto end;
5f982038 3815
710756a9
RS		 3816 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3817 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3818 goto end;
5f982038
MC		 3819
3820 testresult = 1;
3821
3822 end:
5f982038 3823 SSL_SESSION_free(sess);
c20e3b28 3824 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3825 SSL_SESSION_free(serverpsk);
3826 clientpsk = serverpsk = NULL;
5f982038
MC		 3827 SSL_free(serverssl);
3828 SSL_free(clientssl);
3829 SSL_CTX_free(sctx);
3830 SSL_CTX_free(cctx);
5f982038
MC		 3831 return testresult;
3832}
3833
976e5323
MC		 3834static const char *servalpn;
3835
c7558d5b
PY		 3836static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3837 unsigned char *outlen, const unsigned char *in,
3838 unsigned int inlen, void *arg)
976e5323 3839{
c7558d5b 3840 unsigned int protlen = 0;
976e5323
MC		 3841 const unsigned char *prot;
3842
c7558d5b
PY		 3843 for (prot = in; prot < in + inlen; prot += protlen) {
3844 protlen = *prot++;
5d99881e 3845 if (in + inlen < prot + protlen)
976e5323
MC		 3846 return SSL_TLSEXT_ERR_NOACK;
3847
3848 if (protlen == strlen(servalpn)
0bd42fde 3849 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 3850 *out = prot;
3851 *outlen = protlen;
3852 return SSL_TLSEXT_ERR_OK;
3853 }
3854 }
3855
3856 return SSL_TLSEXT_ERR_NOACK;
3857}
3858
57dee9bb 3859/* Test that a PSK can be used to send early_data */
976e5323
MC		 3860static int test_early_data_psk(int idx)
3861{
3862 SSL_CTX *cctx = NULL, *sctx = NULL;
3863 SSL *clientssl = NULL, *serverssl = NULL;
3864 int testresult = 0;
3865 SSL_SESSION *sess = NULL;
57dee9bb
MC		 3866 unsigned char alpnlist[] = {
3867 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3868 'l', 'p', 'n'
3869 };
3870#define GOODALPNLEN 9
3871#define BADALPNLEN 8
3872#define GOODALPN (alpnlist)
3873#define BADALPN (alpnlist + GOODALPNLEN)
3874 int err = 0;
976e5323
MC		 3875 unsigned char buf[20];
3876 size_t readbytes, written;
57dee9bb 3877 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 3878 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3879
3880 /* We always set this up with a final parameter of "2" for PSK */
3881 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3882 &serverssl, &sess, 2)))
3883 goto end;
3884
976e5323
MC		 3885 servalpn = "goodalpn";
3886
57dee9bb
MC		 3887 /*
3888 * Note: There is no test for inconsistent SNI with late client detection.
3889 * This is because servers do not acknowledge SNI even if they are using
3890 * it in a resumption handshake - so it is not actually possible for a
3891 * client to detect a problem.
3892 */
976e5323
MC		 3893 switch (idx) {
3894 case 0:
57dee9bb 3895 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 3896 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3897 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3898 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3899 goto end;
3900 break;
3901
3902 case 1:
57dee9bb 3903 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 3904 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3905 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 3906 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3907 GOODALPNLEN))
3908 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3909 BADALPNLEN)))
976e5323
MC		 3910 goto end;
3911 break;
3912
3913 case 2:
3914 /*
3915 * Set invalid protocol version. Technically this affects PSKs without
3916 * early_data too, but we test it here because it is similar to the
3917 * SNI/ALPN consistency tests.
3918 */
3919 err = SSL_R_BAD_PSK;
3920 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3921 goto end;
3922 break;
3923
3924 case 3:
3925 /*
49ef3d07
MC		 3926 * Set inconsistent SNI (server side). In this case the connection
3927 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3928 * is associated with each handshake - not the session. Therefore it
3929 * should not matter that we used a different server name last time.
976e5323 3930 */
281bf233
MC		 3931 SSL_SESSION_free(serverpsk);
3932 serverpsk = SSL_SESSION_dup(clientpsk);
3933 if (!TEST_ptr(serverpsk)
3934 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3935 goto end;
976e5323
MC		 3936 /* Fall through */
3937 case 4:
3938 /* Set consistent SNI */
976e5323
MC		 3939 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3940 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3941 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3942 hostname_cb)))
3943 goto end;
3944 break;
3945
3946 case 5:
3947 /*
3948 * Set inconsistent ALPN (server detected). In this case the connection
3949 * will succeed but reject early_data.
3950 */
3951 servalpn = "badalpn";
3952 edstatus = SSL_EARLY_DATA_REJECTED;
3953 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3954 /* Fall through */
3955 case 6:
976e5323 3956 /*
57dee9bb 3957 * Set consistent ALPN.
976e5323
MC		 3958 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3959 * accepts a list of protos (each one length prefixed).
3960 * SSL_set1_alpn_selected accepts a single protocol (not length
3961 * prefixed)
3962 */
57dee9bb
MC		 3963 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3964 GOODALPNLEN - 1))
3965 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3966 GOODALPNLEN)))
976e5323
MC		 3967 goto end;
3968
3969 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3970 break;
3971
57dee9bb
MC		 3972 case 7:
3973 /* Set inconsistent ALPN (late client detection) */
3974 SSL_SESSION_free(serverpsk);
3975 serverpsk = SSL_SESSION_dup(clientpsk);
3976 if (!TEST_ptr(serverpsk)
3977 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3978 BADALPN + 1,
3979 BADALPNLEN - 1))
3980 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3981 GOODALPN + 1,
3982 GOODALPNLEN - 1))
3983 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3984 sizeof(alpnlist))))
3985 goto end;
3986 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3987 edstatus = SSL_EARLY_DATA_ACCEPTED;
3988 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3989 /* SSL_connect() call should fail */
3990 connectres = -1;
3991 break;
3992
976e5323
MC		 3993 default:
3994 TEST_error("Bad test index");
3995 goto end;
3996 }
3997
3998 SSL_set_connect_state(clientssl);
3999 if (err != 0) {
4000 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4001 &written))
4002 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4003 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4004 goto end;
4005 } else {
4006 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 4007 &written)))
4008 goto end;
4009
4010 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4011 &readbytes), readearlyres)
976e5323
MC		 4012 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4013 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 4014 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4015 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 4016 goto end;
4017 }
4018
4019 testresult = 1;
4020
4021 end:
c20e3b28 4022 SSL_SESSION_free(sess);
57dee9bb
MC		 4023 SSL_SESSION_free(clientpsk);
4024 SSL_SESSION_free(serverpsk);
4025 clientpsk = serverpsk = NULL;
976e5323
MC		 4026 SSL_free(serverssl);
4027 SSL_free(clientssl);
4028 SSL_CTX_free(sctx);
4029 SSL_CTX_free(cctx);
4030 return testresult;
4031}
4032
0b2b0be9 4033/*
4034 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4035 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4036 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4037 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4038 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4039 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4040 */
4041static int test_early_data_psk_with_all_ciphers(int idx)
4042{
4043 SSL_CTX *cctx = NULL, *sctx = NULL;
4044 SSL *clientssl = NULL, *serverssl = NULL;
4045 int testresult = 0;
4046 SSL_SESSION *sess = NULL;
4047 unsigned char buf[20];
4048 size_t readbytes, written;
4049 const SSL_CIPHER *cipher;
4050 const char *cipher_str[] = {
4051 TLS1_3_RFC_AES_128_GCM_SHA256,
4052 TLS1_3_RFC_AES_256_GCM_SHA384,
4053# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4054 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4055# else
4056 NULL,
4057# endif
4058 TLS1_3_RFC_AES_128_CCM_SHA256,
4059 TLS1_3_RFC_AES_128_CCM_8_SHA256
4060 };
4061 const unsigned char *cipher_bytes[] = {
4062 TLS13_AES_128_GCM_SHA256_BYTES,
4063 TLS13_AES_256_GCM_SHA384_BYTES,
4064# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4065 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4066# else
4067 NULL,
4068# endif
4069 TLS13_AES_128_CCM_SHA256_BYTES,
4070 TLS13_AES_128_CCM_8_SHA256_BYTES
4071 };
4072
4073 if (cipher_str[idx] == NULL)
4074 return 1;
4075 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4076 if (idx == 2 && is_fips == 1)
4077 return 1;
4078
4079 /* We always set this up with a final parameter of "2" for PSK */
4080 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4081 &serverssl, &sess, 2)))
4082 goto end;
4083
4084 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4085 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4086 goto end;
4087
4088 /*
4089 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4090 * and assigns to both client and server with incremented reference
4091 * and the same instance is updated in 'sess'.
4092 * So updating ciphersuite in 'sess' which will get reflected in
4093 * PSK handshake using psk use sess and find sess cb.
4094 */
4095 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4096 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4097 goto end;
4098
4099 SSL_set_connect_state(clientssl);
4100 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4101 &written)))
4102 goto end;
4103
4104 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4105 &readbytes),
4106 SSL_READ_EARLY_DATA_SUCCESS)
4107 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4108 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4109 SSL_EARLY_DATA_ACCEPTED)
4110 || !TEST_int_eq(SSL_connect(clientssl), 1)
4111 || !TEST_int_eq(SSL_accept(serverssl), 1))
4112 goto end;
4113
4114 /* Send some normal data from client to server */
4115 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4116 || !TEST_size_t_eq(written, strlen(MSG2)))
4117 goto end;
4118
4119 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4120 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4121 goto end;
4122
4123 testresult = 1;
4124 end:
4125 SSL_SESSION_free(sess);
4126 SSL_SESSION_free(clientpsk);
4127 SSL_SESSION_free(serverpsk);
4128 clientpsk = serverpsk = NULL;
4129 if (clientssl != NULL)
4130 SSL_shutdown(clientssl);
4131 if (serverssl != NULL)
4132 SSL_shutdown(serverssl);
4133 SSL_free(serverssl);
4134 SSL_free(clientssl);
4135 SSL_CTX_free(sctx);
4136 SSL_CTX_free(cctx);
4137 return testresult;
4138}
4139
710756a9
RS		 4140/*
4141 * Test that a server that doesn't try to read early data can handle a
4142 * client sending some.
4143 */
3cb47b4e 4144static int test_early_data_not_expected(int idx)
5f982038
MC		 4145{
4146 SSL_CTX *cctx = NULL, *sctx = NULL;
4147 SSL *clientssl = NULL, *serverssl = NULL;
4148 int testresult = 0;
018fcbec 4149 SSL_SESSION *sess = NULL;
5f982038
MC		 4150 unsigned char buf[20];
4151 size_t readbytes, written;
4152
710756a9
RS		 4153 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4154 &serverssl, &sess, idx)))
5f982038
MC		 4155 goto end;
4156
4157 /* Write some early data */
710756a9
RS		 4158 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4159 &written)))
5f982038 4160 goto end;
5f982038
MC		 4161
4162 /*
4163 * Server should skip over early data and then block waiting for client to
4164 * continue handshake
4165 */
710756a9
RS		 4166 if (!TEST_int_le(SSL_accept(serverssl), 0)
4167 || !TEST_int_gt(SSL_connect(clientssl), 0)
4168 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4169 SSL_EARLY_DATA_REJECTED)
4170 || !TEST_int_gt(SSL_accept(serverssl), 0)
4171 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4172 SSL_EARLY_DATA_REJECTED))
5f982038 4173 goto end;
5f982038
MC		 4174
4175 /* Send some normal data from client to server */
710756a9
RS		 4176 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4177 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 4178 goto end;
5f982038 4179
710756a9
RS		 4180 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4181 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4182 goto end;
5f982038
MC		 4183
4184 testresult = 1;
4185
4186 end:
5f982038 4187 SSL_SESSION_free(sess);
c20e3b28 4188 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 4189 SSL_SESSION_free(serverpsk);
4190 clientpsk = serverpsk = NULL;
5f982038
MC		 4191 SSL_free(serverssl);
4192 SSL_free(clientssl);
4193 SSL_CTX_free(sctx);
4194 SSL_CTX_free(cctx);
5f982038
MC		 4195 return testresult;
4196}
4197
4198
4199# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 4200/*
4201 * Test that a server attempting to read early data can handle a connection
4202 * from a TLSv1.2 client.
4203 */
3cb47b4e 4204static int test_early_data_tls1_2(int idx)
5f982038
MC		 4205{
4206 SSL_CTX *cctx = NULL, *sctx = NULL;
4207 SSL *clientssl = NULL, *serverssl = NULL;
4208 int testresult = 0;
4209 unsigned char buf[20];
4210 size_t readbytes, written;
4211
02a3ed5a
MC		 4212 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4213 &serverssl, NULL, idx)))
5f982038 4214 goto end;
5f982038
MC		 4215
4216 /* Write some data - should block due to handshake with server */
4217 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4218 SSL_set_connect_state(clientssl);
710756a9 4219 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 4220 goto end;
5f982038
MC		 4221
4222 /*
4223 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 4224 * messages from client after ServerDone. Then SSL_read_early_data should
4225 * finish and detect that early data has not been sent
5f982038 4226 */
710756a9
RS		 4227 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4228 &readbytes),
4229 SSL_READ_EARLY_DATA_ERROR))
5f982038 4230 goto end;
5f982038
MC		 4231
4232 /*
4233 * Continue writing the message we started earlier. Will still block waiting
4234 * for the CCS/Finished from server
4235 */
710756a9
RS		 4236 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4237 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4238 &readbytes),
4239 SSL_READ_EARLY_DATA_FINISH)
4240 || !TEST_size_t_eq(readbytes, 0)
4241 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4242 SSL_EARLY_DATA_NOT_SENT))
5f982038 4243 goto end;
5f982038
MC		 4244
4245 /* Continue writing the message we started earlier */
710756a9
RS		 4246 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4247 || !TEST_size_t_eq(written, strlen(MSG1))
4248 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4249 SSL_EARLY_DATA_NOT_SENT)
4250 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4251 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4252 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4253 || !TEST_size_t_eq(written, strlen(MSG2))
4254 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4255 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4256 goto end;
5f982038
MC		 4257
4258 testresult = 1;
4259
4260 end:
57dee9bb
MC		 4261 SSL_SESSION_free(clientpsk);
4262 SSL_SESSION_free(serverpsk);
4263 clientpsk = serverpsk = NULL;
5f982038
MC		 4264 SSL_free(serverssl);
4265 SSL_free(clientssl);
4266 SSL_CTX_free(sctx);
4267 SSL_CTX_free(cctx);
4268
4269 return testresult;
4270}
ca0413ae
MC		 4271# endif /* OPENSSL_NO_TLS1_2 */
4272
034cb87b
MC		 4273/*
4274 * Test configuring the TLSv1.3 ciphersuites
4275 *
4276 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4277 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4278 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4279 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4280 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4281 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4282 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4283 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4284 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4285 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4286 */
4287static int test_set_ciphersuite(int idx)
4288{
4289 SSL_CTX *cctx = NULL, *sctx = NULL;
4290 SSL *clientssl = NULL, *serverssl = NULL;
4291 int testresult = 0;
4292
5e30f2fd
MC		 4293 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4294 TLS_client_method(), TLS1_VERSION, 0,
034cb87b
MC		 4295 &sctx, &cctx, cert, privkey))
4296 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4297 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4298 goto end;
4299
4300 if (idx >=4 && idx <= 7) {
4301 /* SSL_CTX explicit cipher list */
4302 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4303 goto end;
4304 }
4305
4306 if (idx == 0 || idx == 4) {
4307 /* Default ciphersuite */
4308 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4309 "TLS_AES_128_GCM_SHA256")))
4310 goto end;
4311 } else if (idx == 1 || idx == 5) {
4312 /* Non default ciphersuite */
4313 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4314 "TLS_AES_128_CCM_SHA256")))
4315 goto end;
4316 }
4317
4318 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4319 &clientssl, NULL, NULL)))
4320 goto end;
4321
4322 if (idx == 8 || idx == 9) {
4323 /* SSL explicit cipher list */
4324 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4325 goto end;
4326 }
4327
4328 if (idx == 2 || idx == 6 || idx == 8) {
4329 /* Default ciphersuite */
4330 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4331 "TLS_AES_128_GCM_SHA256")))
4332 goto end;
4333 } else if (idx == 3 || idx == 7 || idx == 9) {
4334 /* Non default ciphersuite */
4335 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4336 "TLS_AES_128_CCM_SHA256")))
4337 goto end;
4338 }
4339
4340 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4341 goto end;
4342
4343 testresult = 1;
4344
4345 end:
4346 SSL_free(serverssl);
4347 SSL_free(clientssl);
4348 SSL_CTX_free(sctx);
4349 SSL_CTX_free(cctx);
4350
4351 return testresult;
4352}
4353
ca0413ae
MC		 4354static int test_ciphersuite_change(void)
4355{
4356 SSL_CTX *cctx = NULL, *sctx = NULL;
4357 SSL *clientssl = NULL, *serverssl = NULL;
4358 SSL_SESSION *clntsess = NULL;
4359 int testresult = 0;
4360 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4361
4362 /* Create a session based on SHA-256 */
5e30f2fd
MC		 4363 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4364 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 4365 &sctx, &cctx, cert, privkey))
4f6c7044
MC		 4366 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4367 "TLS_AES_128_GCM_SHA256:"
4368 "TLS_AES_256_GCM_SHA384:"
4369 "TLS_AES_128_CCM_SHA256"))
f865b081
MC		 4370 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4371 "TLS_AES_128_GCM_SHA256"))
ca0413ae
MC		 4372 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4373 &clientssl, NULL, NULL))
4374 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4375 SSL_ERROR_NONE)))
4376 goto end;
4377
4378 clntsess = SSL_get1_session(clientssl);
4379 /* Save for later */
4380 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4381 SSL_shutdown(clientssl);
4382 SSL_shutdown(serverssl);
4383 SSL_free(serverssl);
4384 SSL_free(clientssl);
4385 serverssl = clientssl = NULL;
4386
4387 /* Check we can resume a session with a different SHA-256 ciphersuite */
f865b081 4388 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4f6c7044
MC		 4389 "TLS_AES_128_CCM_SHA256"))
4390 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4391 &clientssl, NULL, NULL))
ca0413ae
MC		 4392 || !TEST_true(SSL_set_session(clientssl, clntsess))
4393 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4394 SSL_ERROR_NONE))
4395 || !TEST_true(SSL_session_reused(clientssl)))
4396 goto end;
4397
4398 SSL_SESSION_free(clntsess);
4399 clntsess = SSL_get1_session(clientssl);
4400 SSL_shutdown(clientssl);
4401 SSL_shutdown(serverssl);
4402 SSL_free(serverssl);
4403 SSL_free(clientssl);
4404 serverssl = clientssl = NULL;
4405
4406 /*
4407 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 4408 * succeeds but does not resume.
ca0413ae 4409 */
f865b081 4410 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4411 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4412 NULL, NULL))
4413 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 4414 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 4415 SSL_ERROR_SSL))
0de6d66d 4416 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 4417 goto end;
4418
4419 SSL_SESSION_free(clntsess);
4420 clntsess = NULL;
4421 SSL_shutdown(clientssl);
4422 SSL_shutdown(serverssl);
4423 SSL_free(serverssl);
4424 SSL_free(clientssl);
4425 serverssl = clientssl = NULL;
4426
4427 /* Create a session based on SHA384 */
f865b081 4428 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4429 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4430 &clientssl, NULL, NULL))
4431 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4432 SSL_ERROR_NONE)))
4433 goto end;
4434
4435 clntsess = SSL_get1_session(clientssl);
4436 SSL_shutdown(clientssl);
4437 SSL_shutdown(serverssl);
4438 SSL_free(serverssl);
4439 SSL_free(clientssl);
4440 serverssl = clientssl = NULL;
4441
f865b081
MC		 4442 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4443 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4444 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4445 "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4446 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4447 NULL, NULL))
4448 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 4449 /*
4450 * We use SSL_ERROR_WANT_READ below so that we can pause the
4451 * connection after the initial ClientHello has been sent to
4452 * enable us to make some session changes.
4453 */
ca0413ae
MC		 4454 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4455 SSL_ERROR_WANT_READ)))
4456 goto end;
4457
4458 /* Trick the client into thinking this session is for a different digest */
4459 clntsess->cipher = aes_128_gcm_sha256;
4460 clntsess->cipher_id = clntsess->cipher->id;
4461
4462 /*
3b0e88d3
MC		 4463 * Continue the previously started connection. Server has selected a SHA-384
4464 * ciphersuite, but client thinks the session is for SHA-256, so it should
4465 * bail out.
ca0413ae
MC		 4466 */
4467 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4468 SSL_ERROR_SSL))
4469 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4470 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4471 goto end;
4472
4473 testresult = 1;
4474
4475 end:
4476 SSL_SESSION_free(clntsess);
4477 SSL_free(serverssl);
4478 SSL_free(clientssl);
4479 SSL_CTX_free(sctx);
4480 SSL_CTX_free(cctx);
4481
4482 return testresult;
4483}
4484
8e63900a 4485/*
5bf2eade 4486 * Test TLSv1.3 Key exchange
4487 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4488 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4489 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4490 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4491 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4492 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4493 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4494 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4495 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4496 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4497 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4498 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4499 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4500 * Test 13 = Test all FFDHE with TLSv1.2 client and server
8e63900a 4501 */
f89d3d69
BK		 4502# ifndef OPENSSL_NO_EC
4503static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4504 NID_secp521r1, NID_X25519, NID_X448};
4505# endif
4506# ifndef OPENSSL_NO_DH
4507static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4508 NID_ffdhe6144, NID_ffdhe8192};
4509# endif
db26ec80 4510static int test_key_exchange(int idx)
8e63900a 4511{
4512 SSL_CTX *sctx = NULL, *cctx = NULL;
4513 SSL *serverssl = NULL, *clientssl = NULL;
4514 int testresult = 0;
fb8c6db4 4515 int kexch_alg;
4516 int *kexch_groups = &kexch_alg;
4517 int kexch_groups_size = 1;
8e63900a 4518 int max_version = TLS1_3_VERSION;
becbacd7 4519 char *kexch_name0 = NULL;
8e63900a 4520
4521 switch (idx) {
5bf2eade 4522# ifndef OPENSSL_NO_EC
db26ec80 4523# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4524 case 12:
fb8c6db4 4525 max_version = TLS1_2_VERSION;
db26ec80 4526# endif
fb8c6db4 4527 /* Fall through */
4528 case 0:
4529 kexch_groups = ecdhe_kexch_groups;
4530 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
becbacd7 4531 kexch_name0 = "secp256r1";
fb8c6db4 4532 break;
5bf2eade 4533 case 1:
fb8c6db4 4534 kexch_alg = NID_X9_62_prime256v1;
becbacd7 4535 kexch_name0 = "secp256r1";
fb8c6db4 4536 break;
5bf2eade 4537 case 2:
fb8c6db4 4538 kexch_alg = NID_secp384r1;
becbacd7 4539 kexch_name0 = "secp384r1";
fb8c6db4 4540 break;
5bf2eade 4541 case 3:
fb8c6db4 4542 kexch_alg = NID_secp521r1;
becbacd7 4543 kexch_name0 = "secp521r1";
fb8c6db4 4544 break;
5bf2eade 4545 case 4:
fb8c6db4 4546 kexch_alg = NID_X25519;
becbacd7 4547 kexch_name0 = "x25519";
fb8c6db4 4548 break;
5bf2eade 4549 case 5:
fb8c6db4 4550 kexch_alg = NID_X448;
becbacd7 4551 kexch_name0 = "x448";
fb8c6db4 4552 break;
5bf2eade 4553# endif
4554# ifndef OPENSSL_NO_DH
db26ec80 4555# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4556 case 13:
dbc6268f 4557 max_version = TLS1_2_VERSION;
becbacd7 4558 kexch_name0 = "ffdhe2048";
db26ec80 4559# endif
dbc6268f 4560 /* Fall through */
5bf2eade 4561 case 6:
8e63900a 4562 kexch_groups = ffdhe_kexch_groups;
4563 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
becbacd7 4564 kexch_name0 = "ffdhe2048";
8e63900a 4565 break;
5bf2eade 4566 case 7:
fb8c6db4 4567 kexch_alg = NID_ffdhe2048;
becbacd7 4568 kexch_name0 = "ffdhe2048";
fb8c6db4 4569 break;
5bf2eade 4570 case 8:
fb8c6db4 4571 kexch_alg = NID_ffdhe3072;
becbacd7 4572 kexch_name0 = "ffdhe3072";
fb8c6db4 4573 break;
5bf2eade 4574 case 9:
fb8c6db4 4575 kexch_alg = NID_ffdhe4096;
becbacd7 4576 kexch_name0 = "ffdhe4096";
fb8c6db4 4577 break;
5bf2eade 4578 case 10:
fb8c6db4 4579 kexch_alg = NID_ffdhe6144;
becbacd7 4580 kexch_name0 = "ffdhe6144";
fb8c6db4 4581 break;
5bf2eade 4582 case 11:
fb8c6db4 4583 kexch_alg = NID_ffdhe8192;
becbacd7 4584 kexch_name0 = "ffdhe8192";
8e63900a 4585 break;
5bf2eade 4586# endif
6597d62b
MC		 4587 default:
4588 /* We're skipping this test */
4589 return 1;
8e63900a 4590 }
4591
5e30f2fd
MC		 4592 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4593 TLS_client_method(), TLS1_VERSION,
4594 max_version, &sctx, &cctx, cert,
4595 privkey)))
8e63900a 4596 goto end;
4597
5bf2eade 4598 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4599 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4600 goto end;
4601
5bf2eade 4602 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4603 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4604 goto end;
4605
5bf2eade 4606 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
75d48520
BK		 4607 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4608 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4609 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
8e63900a 4610 goto end;
4611
dbc6268f
MC		 4612 /*
4613 * Must include an EC ciphersuite so that we send supported groups in
4614 * TLSv1.2
4615 */
5bf2eade 4616# ifndef OPENSSL_NO_TLS1_2
dbc6268f 4617 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
75d48520
BK		 4618 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4619 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
8e63900a 4620 goto end;
5bf2eade 4621# endif
8e63900a 4622
4623 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4624 NULL, NULL)))
4625 goto end;
4626
4627 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4628 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4629 goto end;
4630
5bf2eade 4631 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8e63900a 4632 goto end;
8e63900a 4633
dbc6268f 4634 /*
5bf2eade 4635 * If Handshake succeeds the negotiated kexch alg should be the first one in
4636 * configured, except in the case of FFDHE groups (idx 13), which are
4637 * TLSv1.3 only so we expect no shared group to exist.
dbc6268f
MC		 4638 */
4639 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
5bf2eade 4640 idx == 13 ? 0 : kexch_groups[0]))
8e63900a 4641 goto end;
becbacd7
MB		 4642
4643 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
4644 kexch_name0))
4645 goto end;
4646
75d48520
BK		 4647 /* We don't implement RFC 7919 named groups for TLS 1.2. */
4648 if (idx != 13) {
fb8c6db4 4649 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4650 goto end;
4651 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4652 goto end;
4653 }
8e63900a 4654
4655 testresult = 1;
4656 end:
4657 SSL_free(serverssl);
4658 SSL_free(clientssl);
4659 SSL_CTX_free(sctx);
4660 SSL_CTX_free(cctx);
4661 return testresult;
4662}
4663
c9cddf05
P		 4664# if !defined(OPENSSL_NO_TLS1_2) \
4665 && !defined(OPENSSL_NO_EC) \
4666 && !defined(OPENSSL_NO_DH)
6dc56df2
BK		 4667static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
4668 int isecdhe, int idx)
4669{
4670 int kexch_alg;
4671 int *kexch_groups = &kexch_alg;
4672 int numec, numff;
4673
4674 numec = OSSL_NELEM(ecdhe_kexch_groups);
4675 numff = OSSL_NELEM(ffdhe_kexch_groups);
4676 if (isecdhe)
4677 kexch_alg = ecdhe_kexch_groups[idx];
4678 else
4679 kexch_alg = ffdhe_kexch_groups[idx];
4680
4681 if (clientmulti) {
4682 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
4683 return 0;
4684 if (isecdhe) {
4685 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
4686 numec)))
4687 return 0;
4688 } else {
4689 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
4690 numff)))
4691 return 0;
4692 }
4693 } else {
4694 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
4695 return 0;
4696 if (isecdhe) {
4697 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
4698 numec)))
4699 return 0;
4700 } else {
4701 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
4702 numff)))
4703 return 0;
4704 }
4705 }
4706 return 1;
4707}
4708
4709/*-
4710 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
4711 * Run through both the ECDHE and FFDHE group lists used in the previous
4712 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
4713 * confirming the expected result; then perform a resumption handshake
4714 * while offering the same group list, and another resumption handshake
4715 * offering a different group list. The returned value should be the
4716 * negotiated group for the initial handshake; for TLS 1.3 resumption
4717 * handshakes the returned value will be negotiated on the resumption
4718 * handshake itself, but for TLS 1.2 resumption handshakes the value will
4719 * be cached in the session from the original handshake, regardless of what
4720 * was offered in the resumption ClientHello.
4721 *
4722 * Using E for the number of EC groups and F for the number of FF groups:
4723 * E tests of ECDHE with TLS 1.3, client sends only one group
4724 * F tests of FFDHE with TLS 1.3, client sends only one group
4725 * E tests of ECDHE with TLS 1.2, client sends only one group
4726 * F tests of FFDHE with TLS 1.2, client sends only one group
4727 * E tests of ECDHE with TLS 1.3, server only has one group
4728 * F tests of FFDHE with TLS 1.3, server only has one group
4729 * E tests of ECDHE with TLS 1.2, server only has one group
4730 * F tests of FFDHE with TLS 1.2, server only has one group
4731 */
4732static int test_negotiated_group(int idx)
4733{
4734 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
4735 int expectednid;
4736 SSL_CTX *sctx = NULL, *cctx = NULL;
4737 SSL *serverssl = NULL, *clientssl = NULL;
4738 SSL_SESSION *origsess = NULL;
4739 int testresult = 0;
4740 int kexch_alg;
4741 int max_version = TLS1_3_VERSION;
4742
4743 numec = OSSL_NELEM(ecdhe_kexch_groups);
4744 numff = OSSL_NELEM(ffdhe_kexch_groups);
4745 numgroups = numec + numff;
4746 clientmulti = (idx < 2 * numgroups);
4747 idx = idx % (2 * numgroups);
4748 istls13 = (idx < numgroups);
4749 idx = idx % numgroups;
4750 isecdhe = (idx < numec);
4751 if (!isecdhe)
4752 idx -= numec;
4753 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
4754 if (isecdhe)
4755 kexch_alg = ecdhe_kexch_groups[idx];
4756 else
4757 kexch_alg = ffdhe_kexch_groups[idx];
4758 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
4759 if (!istls13 && !isecdhe)
4760 expectednid = NID_undef;
4761 else
4762 expectednid = kexch_alg;
4763
4764 if (!istls13)
4765 max_version = TLS1_2_VERSION;
4766
4767 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4768 TLS_client_method(), TLS1_VERSION,
4769 max_version, &sctx, &cctx, cert,
4770 privkey)))
4771 goto end;
4772
4773 /*
4774 * Force (EC)DHE ciphers for TLS 1.2.
4775 * Be sure to enable auto tmp DH so that FFDHE can succeed.
4776 */
4777 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4778 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4779 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4780 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4781 goto end;
4782 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4783 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4784 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4785 goto end;
4786
4787 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4788 NULL, NULL)))
4789 goto end;
4790
4791 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
4792 idx)))
4793 goto end;
4794
4795 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4796 goto end;
4797
4798 /* Initial handshake; always the configured one */
4799 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4800 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4801 goto end;
4802
4803 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
4804 goto end;
4805
4806 SSL_shutdown(clientssl);
4807 SSL_shutdown(serverssl);
4808 SSL_free(serverssl);
4809 SSL_free(clientssl);
4810 serverssl = clientssl = NULL;
4811
4812 /* First resumption attempt; use the same config as initial handshake */
4813 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4814 NULL, NULL))
4815 || !TEST_true(SSL_set_session(clientssl, origsess))
4816 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4817 isecdhe, idx)))
4818 goto end;
4819
4820 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4821 || !TEST_true(SSL_session_reused(clientssl)))
4822 goto end;
4823
4824 /* Still had better agree, since nothing changed... */
4825 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4826 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4827 goto end;
4828
4829 SSL_shutdown(clientssl);
4830 SSL_shutdown(serverssl);
4831 SSL_free(serverssl);
4832 SSL_free(clientssl);
4833 serverssl = clientssl = NULL;
4834
4835 /*-
4836 * Second resumption attempt
4837 * The party that picks one group changes it, which we effectuate by
4838 * changing 'idx' and updating what we expect.
4839 */
4840 if (idx == 0)
4841 idx = 1;
4842 else
4843 idx--;
4844 if (istls13) {
4845 if (isecdhe)
4846 expectednid = ecdhe_kexch_groups[idx];
4847 else
4848 expectednid = ffdhe_kexch_groups[idx];
4849 /* Verify that we are changing what we expect. */
4850 if (!TEST_int_ne(expectednid, kexch_alg))
4851 goto end;
4852 } else {
4853 /* TLS 1.2 only supports named groups for ECDHE. */
4854 if (isecdhe)
4855 expectednid = kexch_alg;
4856 else
4857 expectednid = 0;
4858 }
4859 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4860 NULL, NULL))
4861 || !TEST_true(SSL_set_session(clientssl, origsess))
4862 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4863 isecdhe, idx)))
4864 goto end;
4865
4866 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4867 || !TEST_true(SSL_session_reused(clientssl)))
4868 goto end;
4869
4870 /* Check that we get what we expected */
4871 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4872 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4873 goto end;
4874
4875 testresult = 1;
4876 end:
4877 SSL_free(serverssl);
4878 SSL_free(clientssl);
4879 SSL_CTX_free(sctx);
4880 SSL_CTX_free(cctx);
4881 SSL_SESSION_free(origsess);
4882 return testresult;
4883}
4884# endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
4885
5bf2eade 4886/*
4887 * Test TLSv1.3 Cipher Suite
4888 * Test 0 = Set TLS1.3 cipher on context
4889 * Test 1 = Set TLS1.3 cipher on SSL
4890 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4891 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4892 */
4893static int test_tls13_ciphersuite(int idx)
4894{
4895 SSL_CTX *sctx = NULL, *cctx = NULL;
4896 SSL *serverssl = NULL, *clientssl = NULL;
4f6c7044
MC		 4897 static const struct {
4898 const char *ciphername;
4899 int fipscapable;
4900 } t13_ciphers[] = {
4901 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
4902 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
4903 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
5bf2eade 4904# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4f6c7044
MC		 4905 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4906 { TLS1_3_RFC_AES_256_GCM_SHA384
4907 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
5bf2eade 4908# endif
4f6c7044 4909 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
5bf2eade 4910 };
4911 const char *t13_cipher = NULL;
4912 const char *t12_cipher = NULL;
4913 const char *negotiated_scipher;
4914 const char *negotiated_ccipher;
4915 int set_at_ctx = 0;
4916 int set_at_ssl = 0;
4917 int testresult = 0;
4918 int max_ver;
4919 size_t i;
4920
4921 switch (idx) {
4922 case 0:
4923 set_at_ctx = 1;
4924 break;
4925 case 1:
4926 set_at_ssl = 1;
4927 break;
4928 case 2:
4929 set_at_ctx = 1;
2d900758 4930 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 4931 break;
4932 case 3:
4933 set_at_ssl = 1;
2d900758 4934 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 4935 break;
4936 }
4937
4938 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4939# ifdef OPENSSL_NO_TLS1_2
4940 if (max_ver == TLS1_2_VERSION)
4941 continue;
4942# endif
4943 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4f6c7044
MC		 4944 if (is_fips && !t13_ciphers[i].fipscapable)
4945 continue;
4946 t13_cipher = t13_ciphers[i].ciphername;
5e30f2fd 4947 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5bf2eade 4948 TLS_client_method(),
4949 TLS1_VERSION, max_ver,
4950 &sctx, &cctx, cert, privkey)))
4951 goto end;
4952
4953 if (set_at_ctx) {
4954 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4955 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4956 goto end;
4957 if (t12_cipher != NULL) {
4958 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
4959 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
4960 t12_cipher)))
4961 goto end;
4962 }
4963 }
4964
4965 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4966 &clientssl, NULL, NULL)))
4967 goto end;
4968
4969 if (set_at_ssl) {
4970 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
4971 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
4972 goto end;
4973 if (t12_cipher != NULL) {
4974 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
4975 || !TEST_true(SSL_set_cipher_list(clientssl,
4976 t12_cipher)))
4977 goto end;
4978 }
4979 }
4980
4981 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4982 SSL_ERROR_NONE)))
4983 goto end;
4984
4985 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4986 serverssl));
4987 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4988 clientssl));
4989 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
4990 goto end;
4991
4992 /*
4993 * TEST_strn_eq is used below because t13_cipher can contain
4994 * multiple ciphersuites
4995 */
4996 if (max_ver == TLS1_3_VERSION
4997 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
4998 strlen(negotiated_scipher)))
4999 goto end;
5000
5001# ifndef OPENSSL_NO_TLS1_2
5002 /* Below validation is not done when t12_cipher is NULL */
5003 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5004 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5005 goto end;
5006# endif
5007
5008 SSL_free(serverssl);
5009 serverssl = NULL;
5010 SSL_free(clientssl);
5011 clientssl = NULL;
5012 SSL_CTX_free(sctx);
5013 sctx = NULL;
5014 SSL_CTX_free(cctx);
5015 cctx = NULL;
5016 }
5017 }
5018
5019 testresult = 1;
5020 end:
5021 SSL_free(serverssl);
5022 SSL_free(clientssl);
5023 SSL_CTX_free(sctx);
5024 SSL_CTX_free(cctx);
5025 return testresult;
5026}
5027
0d8da779
MC		 5028/*
5029 * Test TLSv1.3 PSKs
5030 * Test 0 = Test new style callbacks
5031 * Test 1 = Test both new and old style callbacks
5032 * Test 2 = Test old style callbacks
5033 * Test 3 = Test old style callbacks with no certificate
5034 */
532f9578 5035static int test_tls13_psk(int idx)
ca8c71ba
MC		 5036{
5037 SSL_CTX *sctx = NULL, *cctx = NULL;
5038 SSL *serverssl = NULL, *clientssl = NULL;
5039 const SSL_CIPHER *cipher = NULL;
5040 const unsigned char key[] = {
5041 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5042 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 5043 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5044 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 5045 };
5046 int testresult = 0;
5047
5e30f2fd
MC		 5048 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5049 TLS_client_method(), TLS1_VERSION, 0,
0d8da779
MC		 5050 &sctx, &cctx, idx == 3 ? NULL : cert,
5051 idx == 3 ? NULL : privkey)))
ca8c71ba
MC		 5052 goto end;
5053
0d8da779
MC		 5054 if (idx != 3) {
5055 /*
5056 * We use a ciphersuite with SHA256 to ease testing old style PSK
5057 * callbacks which will always default to SHA256. This should not be
5058 * necessary if we have no cert/priv key. In that case the server should
5059 * prefer SHA256 automatically.
5060 */
5061 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5062 "TLS_AES_128_GCM_SHA256")))
5063 goto end;
4f6c7044
MC		 5064 } else {
5065 /*
5066 * As noted above the server should prefer SHA256 automatically. However
5067 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5068 * code works even if we are testing with only the FIPS provider loaded.
5069 */
5070 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5071 "TLS_AES_256_GCM_SHA384:"
5072 "TLS_AES_128_GCM_SHA256")))
5073 goto end;
0d8da779 5074 }
532f9578
MC		 5075
5076 /*
5077 * Test 0: New style callbacks only
5078 * Test 1: New and old style callbacks (only the new ones should be used)
5079 * Test 2: Old style callbacks only
5080 */
5081 if (idx == 0 || idx == 1) {
5082 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5083 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5084 }
c2b290c3 5085#ifndef OPENSSL_NO_PSK
0d8da779 5086 if (idx >= 1) {
532f9578
MC		 5087 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5088 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5089 }
c2b290c3 5090#endif
ca8c71ba 5091 srvid = pskid;
02a3ed5a
MC		 5092 use_session_cb_cnt = 0;
5093 find_session_cb_cnt = 0;
532f9578
MC		 5094 psk_client_cb_cnt = 0;
5095 psk_server_cb_cnt = 0;
ca8c71ba 5096
0d8da779
MC		 5097 if (idx != 3) {
5098 /*
5099 * Check we can create a connection if callback decides not to send a
5100 * PSK
5101 */
5102 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5103 NULL, NULL))
5104 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5105 SSL_ERROR_NONE))
5106 || !TEST_false(SSL_session_reused(clientssl))
5107 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 5108 goto end;
532f9578 5109
0d8da779
MC		 5110 if (idx == 0 || idx == 1) {
5111 if (!TEST_true(use_session_cb_cnt == 1)
5112 || !TEST_true(find_session_cb_cnt == 0)
5113 /*
5114 * If no old style callback then below should be 0
5115 * otherwise 1
5116 */
5117 || !TEST_true(psk_client_cb_cnt == idx)
5118 || !TEST_true(psk_server_cb_cnt == 0))
5119 goto end;
5120 } else {
5121 if (!TEST_true(use_session_cb_cnt == 0)
5122 || !TEST_true(find_session_cb_cnt == 0)
5123 || !TEST_true(psk_client_cb_cnt == 1)
5124 || !TEST_true(psk_server_cb_cnt == 0))
5125 goto end;
5126 }
5127
5128 shutdown_ssl_connection(serverssl, clientssl);
5129 serverssl = clientssl = NULL;
5130 use_session_cb_cnt = psk_client_cb_cnt = 0;
5131 }
ca8c71ba
MC		 5132
5133 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5134 NULL, NULL)))
5135 goto end;
5136
5137 /* Create the PSK */
532f9578 5138 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 5139 clientpsk = SSL_SESSION_new();
5140 if (!TEST_ptr(clientpsk)
ca8c71ba 5141 || !TEST_ptr(cipher)
57dee9bb
MC		 5142 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5143 sizeof(key)))
5144 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5145 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5146 TLS1_3_VERSION))
5147 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 5148 goto end;
57dee9bb 5149 serverpsk = clientpsk;
ca8c71ba
MC		 5150
5151 /* Check we can create a connection and the PSK is used */
5152 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5153 || !TEST_true(SSL_session_reused(clientssl))
532f9578 5154 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 5155 goto end;
5156
532f9578
MC		 5157 if (idx == 0 || idx == 1) {
5158 if (!TEST_true(use_session_cb_cnt == 1)
5159 || !TEST_true(find_session_cb_cnt == 1)
5160 || !TEST_true(psk_client_cb_cnt == 0)
5161 || !TEST_true(psk_server_cb_cnt == 0))
5162 goto end;
5163 } else {
5164 if (!TEST_true(use_session_cb_cnt == 0)
5165 || !TEST_true(find_session_cb_cnt == 0)
5166 || !TEST_true(psk_client_cb_cnt == 1)
5167 || !TEST_true(psk_server_cb_cnt == 1))
5168 goto end;
5169 }
5170
ca8c71ba
MC		 5171 shutdown_ssl_connection(serverssl, clientssl);
5172 serverssl = clientssl = NULL;
5173 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 5174 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 5175
5176 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5177 NULL, NULL)))
5178 goto end;
5179
5180 /* Force an HRR */
dbc6268f
MC		 5181#if defined(OPENSSL_NO_EC)
5182 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5183 goto end;
5184#else
ca8c71ba
MC		 5185 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
5186 goto end;
dbc6268f 5187#endif
ca8c71ba
MC		 5188
5189 /*
5190 * Check we can create a connection, the PSK is used and the callbacks are
5191 * called twice.
5192 */
5193 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5194 || !TEST_true(SSL_session_reused(clientssl))
532f9578 5195 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 5196 goto end;
5197
532f9578
MC		 5198 if (idx == 0 || idx == 1) {
5199 if (!TEST_true(use_session_cb_cnt == 2)
5200 || !TEST_true(find_session_cb_cnt == 2)
5201 || !TEST_true(psk_client_cb_cnt == 0)
5202 || !TEST_true(psk_server_cb_cnt == 0))
5203 goto end;
5204 } else {
5205 if (!TEST_true(use_session_cb_cnt == 0)
5206 || !TEST_true(find_session_cb_cnt == 0)
5207 || !TEST_true(psk_client_cb_cnt == 2)
5208 || !TEST_true(psk_server_cb_cnt == 2))
5209 goto end;
5210 }
5211
ca8c71ba
MC		 5212 shutdown_ssl_connection(serverssl, clientssl);
5213 serverssl = clientssl = NULL;
5214 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 5215 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba 5216
0d8da779
MC		 5217 if (idx != 3) {
5218 /*
5219 * Check that if the server rejects the PSK we can still connect, but with
5220 * a full handshake
5221 */
5222 srvid = "Dummy Identity";
5223 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5224 NULL, NULL))
5225 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5226 SSL_ERROR_NONE))
5227 || !TEST_false(SSL_session_reused(clientssl))
5228 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 5229 goto end;
532f9578 5230
0d8da779
MC		 5231 if (idx == 0 || idx == 1) {
5232 if (!TEST_true(use_session_cb_cnt == 1)
5233 || !TEST_true(find_session_cb_cnt == 1)
5234 || !TEST_true(psk_client_cb_cnt == 0)
5235 /*
5236 * If no old style callback then below should be 0
5237 * otherwise 1
5238 */
5239 || !TEST_true(psk_server_cb_cnt == idx))
5240 goto end;
5241 } else {
5242 if (!TEST_true(use_session_cb_cnt == 0)
5243 || !TEST_true(find_session_cb_cnt == 0)
5244 || !TEST_true(psk_client_cb_cnt == 1)
5245 || !TEST_true(psk_server_cb_cnt == 1))
5246 goto end;
5247 }
5248
5249 shutdown_ssl_connection(serverssl, clientssl);
5250 serverssl = clientssl = NULL;
5251 }
ca8c71ba
MC		 5252 testresult = 1;
5253
5254 end:
57dee9bb
MC		 5255 SSL_SESSION_free(clientpsk);
5256 SSL_SESSION_free(serverpsk);
5257 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 5258 SSL_free(serverssl);
5259 SSL_free(clientssl);
5260 SSL_CTX_free(sctx);
5261 SSL_CTX_free(cctx);
5262 return testresult;
5263}
5264
c7b8ff25
MC		 5265static unsigned char cookie_magic_value[] = "cookie magic";
5266
5267static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5268 unsigned int *cookie_len)
5269{
5270 /*
5271 * Not suitable as a real cookie generation function but good enough for
5272 * testing!
5273 */
97ea1e7f
MC		 5274 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5275 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 5276
5277 return 1;
5278}
5279
5280static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5281 unsigned int cookie_len)
5282{
97ea1e7f 5283 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 5284 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5285 return 1;
5286
5287 return 0;
5288}
5289
3fa2812f
BS		 5290static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5291 size_t *cookie_len)
5292{
5293 unsigned int temp;
5294 int res = generate_cookie_callback(ssl, cookie, &temp);
5295 *cookie_len = temp;
5296 return res;
5297}
5298
5299static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5300 size_t cookie_len)
5301{
5302 return verify_cookie_callback(ssl, cookie, cookie_len);
5303}
5304
c7b8ff25
MC		 5305static int test_stateless(void)
5306{
5307 SSL_CTX *sctx = NULL, *cctx = NULL;
5308 SSL *serverssl = NULL, *clientssl = NULL;
5309 int testresult = 0;
5310
5e30f2fd
MC		 5311 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5312 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5313 &sctx, &cctx, cert, privkey)))
c7b8ff25
MC		 5314 goto end;
5315
e440f513
MC		 5316 /* The arrival of CCS messages can confuse the test */
5317 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5318
5319 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5320 NULL, NULL))
5321 /* Send the first ClientHello */
5322 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5323 SSL_ERROR_WANT_READ))
5324 /*
5325 * This should fail with a -1 return because we have no callbacks
5326 * set up
5327 */
5328 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5329 goto end;
5330
5331 /* Fatal error so abandon the connection from this client */
5332 SSL_free(clientssl);
5333 clientssl = NULL;
5334
c7b8ff25 5335 /* Set up the cookie generation and verification callbacks */
3fa2812f
BS		 5336 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5337 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
c7b8ff25 5338
e440f513
MC		 5339 /*
5340 * Create a new connection from the client (we can reuse the server SSL
5341 * object).
5342 */
c7b8ff25
MC		 5343 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5344 NULL, NULL))
5345 /* Send the first ClientHello */
5346 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5347 SSL_ERROR_WANT_READ))
5348 /* This should fail because there is no cookie */
e440f513 5349 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 5350 goto end;
5351
5352 /* Abandon the connection from this client */
5353 SSL_free(clientssl);
5354 clientssl = NULL;
5355
5356 /*
5357 * Now create a connection from a new client but with the same server SSL
5358 * object
5359 */
5360 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5361 NULL, NULL))
5362 /* Send the first ClientHello */
5363 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5364 SSL_ERROR_WANT_READ))
5365 /* This should fail because there is no cookie */
e440f513 5366 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 5367 /* Send the second ClientHello */
5368 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5369 SSL_ERROR_WANT_READ))
5370 /* This should succeed because a cookie is now present */
e440f513 5371 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 5372 /* Complete the connection */
5373 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5374 SSL_ERROR_NONE)))
5375 goto end;
5376
5377 shutdown_ssl_connection(serverssl, clientssl);
5378 serverssl = clientssl = NULL;
5379 testresult = 1;
5380
5381 end:
5382 SSL_free(serverssl);
5383 SSL_free(clientssl);
5384 SSL_CTX_free(sctx);
5385 SSL_CTX_free(cctx);
5386 return testresult;
5387
5388}
a763ca11 5389#endif /* OSSL_NO_USABLE_TLS1_3 */
5f982038 5390
a37008d9
MC		 5391static int clntaddoldcb = 0;
5392static int clntparseoldcb = 0;
5393static int srvaddoldcb = 0;
5394static int srvparseoldcb = 0;
5395static int clntaddnewcb = 0;
5396static int clntparsenewcb = 0;
5397static int srvaddnewcb = 0;
5398static int srvparsenewcb = 0;
bb01ef3f 5399static int snicb = 0;
a37008d9
MC		 5400
5401#define TEST_EXT_TYPE1 0xff00
5402
5403static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5404 size_t *outlen, int *al, void *add_arg)
5405{
5406 int *server = (int *)add_arg;
5407 unsigned char *data;
5408
5409 if (SSL_is_server(s))
5410 srvaddoldcb++;
5411 else
5412 clntaddoldcb++;
5413
710756a9
RS		 5414 if (*server != SSL_is_server(s)
5415 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5416 return -1;
5417
5418 *data = 1;
5419 *out = data;
5420 *outlen = sizeof(char);
a37008d9
MC		 5421 return 1;
5422}
5423
5424static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5425 void *add_arg)
5426{
5427 OPENSSL_free((unsigned char *)out);
5428}
5429
5430static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5431 size_t inlen, int *al, void *parse_arg)
5432{
5433 int *server = (int *)parse_arg;
5434
5435 if (SSL_is_server(s))
5436 srvparseoldcb++;
5437 else
5438 clntparseoldcb++;
5439
710756a9
RS		 5440 if (*server != SSL_is_server(s)
5441 || inlen != sizeof(char)
5442 || *in != 1)
a37008d9
MC		 5443 return -1;
5444
5445 return 1;
5446}
5447
5448static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5449 const unsigned char **out, size_t *outlen, X509 *x,
5450 size_t chainidx, int *al, void *add_arg)
5451{
5452 int *server = (int *)add_arg;
5453 unsigned char *data;
5454
5455 if (SSL_is_server(s))
5456 srvaddnewcb++;
5457 else
5458 clntaddnewcb++;
5459
710756a9
RS		 5460 if (*server != SSL_is_server(s)
5461 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5462 return -1;
5463
5464 *data = 1;
5465 *out = data;
710756a9 5466 *outlen = sizeof(*data);
a37008d9
MC		 5467 return 1;
5468}
5469
5470static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5471 const unsigned char *out, void *add_arg)
5472{
5473 OPENSSL_free((unsigned char *)out);
5474}
5475
5476static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5477 const unsigned char *in, size_t inlen, X509 *x,
5478 size_t chainidx, int *al, void *parse_arg)
5479{
5480 int *server = (int *)parse_arg;
5481
5482 if (SSL_is_server(s))
5483 srvparsenewcb++;
5484 else
5485 clntparsenewcb++;
5486
710756a9
RS		 5487 if (*server != SSL_is_server(s)
5488 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 5489 return -1;
5490
5491 return 1;
5492}
bb01ef3f
MC		 5493
5494static int sni_cb(SSL *s, int *al, void *arg)
5495{
5496 SSL_CTX *ctx = (SSL_CTX *)arg;
5497
5498 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5499 *al = SSL_AD_INTERNAL_ERROR;
5500 return SSL_TLSEXT_ERR_ALERT_FATAL;
5501 }
5502 snicb++;
5503 return SSL_TLSEXT_ERR_OK;
5504}
5505
a37008d9
MC		 5506/*
5507 * Custom call back tests.
5508 * Test 0: Old style callbacks in TLSv1.2
5509 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 5510 * Test 2: New style callbacks in TLSv1.2 with SNI
5511 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5512 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
a37008d9 5513 */
710756a9
RS		 5514static int test_custom_exts(int tst)
5515{
bb01ef3f 5516 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 5517 SSL *clientssl = NULL, *serverssl = NULL;
5518 int testresult = 0;
5519 static int server = 1;
5520 static int client = 0;
5521 SSL_SESSION *sess = NULL;
5522 unsigned int context;
5523
a763ca11 5524#if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
c423ecaa
MC		 5525 /* Skip tests for TLSv1.2 and below in this case */
5526 if (tst < 3)
5527 return 1;
5528#endif
5529
a37008d9
MC		 5530 /* Reset callback counters */
5531 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5532 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 5533 snicb = 0;
a37008d9 5534
5e30f2fd
MC		 5535 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5536 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5537 &sctx, &cctx, cert, privkey)))
710756a9 5538 goto end;
a37008d9 5539
bb01ef3f 5540 if (tst == 2
5e30f2fd 5541 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5c587fb6 5542 TLS1_VERSION, 0,
7d7f6834 5543 &sctx2, NULL, cert, privkey)))
bb01ef3f
MC		 5544 goto end;
5545
5546
5547 if (tst < 3) {
a37008d9
MC		 5548 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5549 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 5550 if (sctx2 != NULL)
5551 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 5552 }
5553
bb01ef3f 5554 if (tst == 4) {
710756a9
RS		 5555 context = SSL_EXT_CLIENT_HELLO
5556 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 5557 | SSL_EXT_TLS1_3_SERVER_HELLO
5558 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5559 | SSL_EXT_TLS1_3_CERTIFICATE
5560 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5561 } else {
710756a9
RS		 5562 context = SSL_EXT_CLIENT_HELLO
5563 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 5564 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5565 }
5566
5567 /* Create a client side custom extension */
5568 if (tst == 0) {
710756a9
RS		 5569 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5570 old_add_cb, old_free_cb,
5571 &client, old_parse_cb,
5572 &client)))
5573 goto end;
a37008d9 5574 } else {
710756a9
RS		 5575 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5576 new_add_cb, new_free_cb,
5577 &client, new_parse_cb, &client)))
5578 goto end;
a37008d9
MC		 5579 }
5580
5581 /* Should not be able to add duplicates */
710756a9
RS		 5582 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5583 old_add_cb, old_free_cb,
5584 &client, old_parse_cb,
5585 &client))
5586 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5587 context, new_add_cb,
5588 new_free_cb, &client,
5589 new_parse_cb, &client)))
5590 goto end;
a37008d9
MC		 5591
5592 /* Create a server side custom extension */
5593 if (tst == 0) {
710756a9
RS		 5594 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5595 old_add_cb, old_free_cb,
5596 &server, old_parse_cb,
5597 &server)))
5598 goto end;
a37008d9 5599 } else {
710756a9
RS		 5600 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5601 new_add_cb, new_free_cb,
5602 &server, new_parse_cb, &server)))
5603 goto end;
bb01ef3f
MC		 5604 if (sctx2 != NULL
5605 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5606 context, new_add_cb,
5607 new_free_cb, &server,
5608 new_parse_cb, &server)))
5609 goto end;
a37008d9
MC		 5610 }
5611
5612 /* Should not be able to add duplicates */
710756a9
RS		 5613 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5614 old_add_cb, old_free_cb,
5615 &server, old_parse_cb,
5616 &server))
5617 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5618 context, new_add_cb,
5619 new_free_cb, &server,
5620 new_parse_cb, &server)))
a37008d9 5621 goto end;
a37008d9 5622
bb01ef3f
MC		 5623 if (tst == 2) {
5624 /* Set up SNI */
5625 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5626 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5627 goto end;
5628 }
5629
710756a9
RS		 5630 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5631 &clientssl, NULL, NULL))
5632 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5633 SSL_ERROR_NONE)))
a37008d9 5634 goto end;
a37008d9
MC		 5635
5636 if (tst == 0) {
710756a9
RS		 5637 if (clntaddoldcb != 1
5638 || clntparseoldcb != 1
5639 || srvaddoldcb != 1
5640 || srvparseoldcb != 1)
a37008d9 5641 goto end;
bb01ef3f 5642 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 5643 if (clntaddnewcb != 1
5644 || clntparsenewcb != 1
5645 || srvaddnewcb != 1
bb01ef3f
MC		 5646 || srvparsenewcb != 1
5647 || (tst != 2 && snicb != 0)
5648 || (tst == 2 && snicb != 1))
a37008d9 5649 goto end;
a37008d9 5650 } else {
36ff232c 5651 /* In this case there 2 NewSessionTicket messages created */
710756a9 5652 if (clntaddnewcb != 1
36ff232c
MC		 5653 || clntparsenewcb != 5
5654 || srvaddnewcb != 5
710756a9 5655 || srvparsenewcb != 1)
a37008d9 5656 goto end;
a37008d9
MC		 5657 }
5658
5659 sess = SSL_get1_session(clientssl);
a37008d9
MC		 5660 SSL_shutdown(clientssl);
5661 SSL_shutdown(serverssl);
a37008d9
MC		 5662 SSL_free(serverssl);
5663 SSL_free(clientssl);
5664 serverssl = clientssl = NULL;
5665
bb01ef3f
MC		 5666 if (tst == 3) {
5667 /* We don't bother with the resumption aspects for this test */
5668 testresult = 1;
5669 goto end;
5670 }
5671
710756a9
RS		 5672 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5673 NULL, NULL))
5674 || !TEST_true(SSL_set_session(clientssl, sess))
5675 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5676 SSL_ERROR_NONE)))
a37008d9 5677 goto end;
a37008d9
MC		 5678
5679 /*
5680 * For a resumed session we expect to add the ClientHello extension. For the
5681 * old style callbacks we ignore it on the server side because they set
5682 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5683 * them.
5684 */
5685 if (tst == 0) {
710756a9
RS		 5686 if (clntaddoldcb != 2
5687 || clntparseoldcb != 1
5688 || srvaddoldcb != 1
5689 || srvparseoldcb != 1)
a37008d9 5690 goto end;
bb01ef3f 5691 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 5692 if (clntaddnewcb != 2
5693 || clntparsenewcb != 2
5694 || srvaddnewcb != 2
5695 || srvparsenewcb != 2)
a37008d9 5696 goto end;
a37008d9 5697 } else {
36ff232c
MC		 5698 /*
5699 * No Certificate message extensions in the resumption handshake,
5700 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5701 */
710756a9 5702 if (clntaddnewcb != 2
36ff232c
MC		 5703 || clntparsenewcb != 8
5704 || srvaddnewcb != 8
710756a9 5705 || srvparsenewcb != 2)
a37008d9 5706 goto end;
a37008d9
MC		 5707 }
5708
5709 testresult = 1;
5710
5711end:
5712 SSL_SESSION_free(sess);
5713 SSL_free(serverssl);
5714 SSL_free(clientssl);
bb01ef3f 5715 SSL_CTX_free(sctx2);
a37008d9
MC		 5716 SSL_CTX_free(sctx);
5717 SSL_CTX_free(cctx);
a37008d9
MC		 5718 return testresult;
5719}
5720
16afd71c
MC		 5721/*
5722 * Test loading of serverinfo data in various formats. test_sslmessages actually
5723 * tests to make sure the extensions appear in the handshake
5724 */
5725static int test_serverinfo(int tst)
5726{
5727 unsigned int version;
5728 unsigned char *sibuf;
5729 size_t sibuflen;
5730 int ret, expected, testresult = 0;
5731 SSL_CTX *ctx;
5732
d8652be0 5733 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method());
16afd71c
MC		 5734 if (!TEST_ptr(ctx))
5735 goto end;
5736
5737 if ((tst & 0x01) == 0x01)
5738 version = SSL_SERVERINFOV2;
5739 else
5740 version = SSL_SERVERINFOV1;
5741
5742 if ((tst & 0x02) == 0x02) {
5743 sibuf = serverinfov2;
5744 sibuflen = sizeof(serverinfov2);
5745 expected = (version == SSL_SERVERINFOV2);
5746 } else {
5747 sibuf = serverinfov1;
5748 sibuflen = sizeof(serverinfov1);
5749 expected = (version == SSL_SERVERINFOV1);
5750 }
5751
5752 if ((tst & 0x04) == 0x04) {
5753 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5754 } else {
5755 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5756
5757 /*
5758 * The version variable is irrelevant in this case - it's what is in the
5759 * buffer that matters
5760 */
5761 if ((tst & 0x02) == 0x02)
5762 expected = 0;
5763 else
5764 expected = 1;
5765 }
5766
5767 if (!TEST_true(ret == expected))
5768 goto end;
5769
5770 testresult = 1;
5771
5772 end:
5773 SSL_CTX_free(ctx);
5774
5775 return testresult;
5776}
5777
2197d1df
MC		 5778/*
5779 * Test that SSL_export_keying_material() produces expected results. There are
5780 * no test vectors so all we do is test that both sides of the communication
5781 * produce the same results for different protocol versions.
5782 */
0fb2815b
MC		 5783#define SMALL_LABEL_LEN 10
5784#define LONG_LABEL_LEN 249
2197d1df
MC		 5785static int test_export_key_mat(int tst)
5786{
a599574b 5787 int testresult = 0;
2197d1df
MC		 5788 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5789 SSL *clientssl = NULL, *serverssl = NULL;
0fb2815b 5790 const char label[LONG_LABEL_LEN + 1] = "test label";
2197d1df
MC		 5791 const unsigned char context[] = "context";
5792 const unsigned char *emptycontext = NULL;
5793 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5794 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
0fb2815b 5795 size_t labellen;
a599574b
MC		 5796 const int protocols[] = {
5797 TLS1_VERSION,
5798 TLS1_1_VERSION,
5799 TLS1_2_VERSION,
0fb2815b
MC		 5800 TLS1_3_VERSION,
5801 TLS1_3_VERSION,
a599574b
MC		 5802 TLS1_3_VERSION
5803 };
2197d1df
MC		 5804
5805#ifdef OPENSSL_NO_TLS1
5806 if (tst == 0)
5807 return 1;
5808#endif
5809#ifdef OPENSSL_NO_TLS1_1
5810 if (tst == 1)
5811 return 1;
5812#endif
4f6c7044
MC		 5813 if (is_fips && (tst == 0 || tst == 1))
5814 return 1;
2197d1df
MC		 5815#ifdef OPENSSL_NO_TLS1_2
5816 if (tst == 2)
5817 return 1;
5818#endif
a763ca11 5819#ifdef OSSL_NO_USABLE_TLS1_3
0fb2815b 5820 if (tst >= 3)
2197d1df
MC		 5821 return 1;
5822#endif
5e30f2fd
MC		 5823 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5824 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5825 &sctx, &cctx, cert, privkey)))
2197d1df
MC		 5826 goto end;
5827
a599574b
MC		 5828 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5829 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5830 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
aba03ae5
KR		 5831 if ((protocols[tst] < TLS1_2_VERSION) &&
5832 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
5833 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
5834 goto end;
2197d1df
MC		 5835
5836 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
ea9f6890
TM		 5837 NULL)))
5838 goto end;
5839
5840 /*
5841 * Premature call of SSL_export_keying_material should just fail.
5842 */
5843 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5844 sizeof(ckeymat1), label,
5845 SMALL_LABEL_LEN + 1, context,
5846 sizeof(context) - 1, 1), 0))
5847 goto end;
5848
5849 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5850 SSL_ERROR_NONE)))
2197d1df
MC		 5851 goto end;
5852
0fb2815b
MC		 5853 if (tst == 5) {
5854 /*
5855 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5856 * go over that.
5857 */
5858 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5859 sizeof(ckeymat1), label,
5860 LONG_LABEL_LEN + 1, context,
5861 sizeof(context) - 1, 1), 0))
5862 goto end;
5863
5864 testresult = 1;
5865 goto end;
5866 } else if (tst == 4) {
5867 labellen = LONG_LABEL_LEN;
5868 } else {
5869 labellen = SMALL_LABEL_LEN;
5870 }
5871
2197d1df
MC		 5872 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5873 sizeof(ckeymat1), label,
0fb2815b 5874 labellen, context,
2197d1df
MC		 5875 sizeof(context) - 1, 1), 1)
5876 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5877 sizeof(ckeymat2), label,
0fb2815b 5878 labellen,
2197d1df
MC		 5879 emptycontext,
5880 0, 1), 1)
5881 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5882 sizeof(ckeymat3), label,
0fb2815b 5883 labellen,
2197d1df
MC		 5884 NULL, 0, 0), 1)
5885 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5886 sizeof(skeymat1), label,
0fb2815b 5887 labellen,
2197d1df
MC		 5888 context,
5889 sizeof(context) -1, 1),
5890 1)
5891 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5892 sizeof(skeymat2), label,
0fb2815b 5893 labellen,
2197d1df
MC		 5894 emptycontext,
5895 0, 1), 1)
5896 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5897 sizeof(skeymat3), label,
0fb2815b 5898 labellen,
2197d1df
MC		 5899 NULL, 0, 0), 1)
5900 /*
5901 * Check that both sides created the same key material with the
5902 * same context.
5903 */
5904 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5905 sizeof(skeymat1))
5906 /*
5907 * Check that both sides created the same key material with an
5908 * empty context.
5909 */
5910 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5911 sizeof(skeymat2))
5912 /*
5913 * Check that both sides created the same key material without a
5914 * context.
5915 */
5916 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5917 sizeof(skeymat3))
5918 /* Different contexts should produce different results */
5919 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5920 sizeof(ckeymat2)))
5921 goto end;
5922
5923 /*
5924 * Check that an empty context and no context produce different results in
5925 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5926 */
0fb2815b 5927 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
2197d1df 5928 sizeof(ckeymat3)))
0fb2815b
MC		 5929 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
5930 sizeof(ckeymat3))))
2197d1df
MC		 5931 goto end;
5932
5933 testresult = 1;
5934
5935 end:
5936 SSL_free(serverssl);
5937 SSL_free(clientssl);
5938 SSL_CTX_free(sctx2);
5939 SSL_CTX_free(sctx);
5940 SSL_CTX_free(cctx);
5941
5942 return testresult;
5943}
5944
a763ca11 5945#ifndef OSSL_NO_USABLE_TLS1_3
b38ede80
TT		 5946/*
5947 * Test that SSL_export_keying_material_early() produces expected
5948 * results. There are no test vectors so all we do is test that both
5949 * sides of the communication produce the same results for different
5950 * protocol versions.
5951 */
5952static int test_export_key_mat_early(int idx)
5953{
5954 static const char label[] = "test label";
5955 static const unsigned char context[] = "context";
5956 int testresult = 0;
5957 SSL_CTX *cctx = NULL, *sctx = NULL;
5958 SSL *clientssl = NULL, *serverssl = NULL;
5959 SSL_SESSION *sess = NULL;
5960 const unsigned char *emptycontext = NULL;
5961 unsigned char ckeymat1[80], ckeymat2[80];
5962 unsigned char skeymat1[80], skeymat2[80];
5963 unsigned char buf[1];
5964 size_t readbytes, written;
5965
5966 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
5967 &sess, idx)))
5968 goto end;
5969
5970 /* Here writing 0 length early data is enough. */
5971 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
5972 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
5973 &readbytes),
5974 SSL_READ_EARLY_DATA_ERROR)
5975 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5976 SSL_EARLY_DATA_ACCEPTED))
5977 goto end;
5978
5979 if (!TEST_int_eq(SSL_export_keying_material_early(
5980 clientssl, ckeymat1, sizeof(ckeymat1), label,
5981 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5982 || !TEST_int_eq(SSL_export_keying_material_early(
5983 clientssl, ckeymat2, sizeof(ckeymat2), label,
5984 sizeof(label) - 1, emptycontext, 0), 1)
5985 || !TEST_int_eq(SSL_export_keying_material_early(
5986 serverssl, skeymat1, sizeof(skeymat1), label,
5987 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5988 || !TEST_int_eq(SSL_export_keying_material_early(
5989 serverssl, skeymat2, sizeof(skeymat2), label,
5990 sizeof(label) - 1, emptycontext, 0), 1)
5991 /*
5992 * Check that both sides created the same key material with the
5993 * same context.
5994 */
5995 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5996 sizeof(skeymat1))
5997 /*
5998 * Check that both sides created the same key material with an
5999 * empty context.
6000 */
6001 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6002 sizeof(skeymat2))
6003 /* Different contexts should produce different results */
6004 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6005 sizeof(ckeymat2)))
6006 goto end;
6007
6008 testresult = 1;
6009
6010 end:
c20e3b28 6011 SSL_SESSION_free(sess);
b38ede80
TT		 6012 SSL_SESSION_free(clientpsk);
6013 SSL_SESSION_free(serverpsk);
34ff74eb 6014 clientpsk = serverpsk = NULL;
b38ede80
TT		 6015 SSL_free(serverssl);
6016 SSL_free(clientssl);
6017 SSL_CTX_free(sctx);
6018 SSL_CTX_free(cctx);
6019
6020 return testresult;
6021}
3409a5ff
MC		 6022
6023#define NUM_KEY_UPDATE_MESSAGES 40
6024/*
6025 * Test KeyUpdate.
6026 */
6027static int test_key_update(void)
6028{
6029 SSL_CTX *cctx = NULL, *sctx = NULL;
6030 SSL *clientssl = NULL, *serverssl = NULL;
6031 int testresult = 0, i, j;
6032 char buf[20];
6033 static char *mess = "A test message";
6034
5e30f2fd 6035 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3409a5ff
MC		 6036 TLS_client_method(),
6037 TLS1_3_VERSION,
6038 0,
6039 &sctx, &cctx, cert, privkey))
6040 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6041 NULL, NULL))
6042 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6043 SSL_ERROR_NONE)))
6044 goto end;
6045
6046 for (j = 0; j < 2; j++) {
6047 /* Send lots of KeyUpdate messages */
6048 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6049 if (!TEST_true(SSL_key_update(clientssl,
6050 (j == 0)
6051 ? SSL_KEY_UPDATE_NOT_REQUESTED
6052 : SSL_KEY_UPDATE_REQUESTED))
6053 || !TEST_true(SSL_do_handshake(clientssl)))
6054 goto end;
6055 }
6056
6057 /* Check that sending and receiving app data is ok */
6058 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6059 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6060 strlen(mess)))
6061 goto end;
a77b4dba
MC		 6062
6063 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6064 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6065 strlen(mess)))
6066 goto end;
3409a5ff
MC		 6067 }
6068
6069 testresult = 1;
6070
6071 end:
6072 SSL_free(serverssl);
6073 SSL_free(clientssl);
6074 SSL_CTX_free(sctx);
6075 SSL_CTX_free(cctx);
6076
6077 return testresult;
6078}
a77b4dba
MC		 6079
6080/*
6081 * Test we can handle a KeyUpdate (update requested) message while write data
6082 * is pending.
6083 * Test 0: Client sends KeyUpdate while Server is writing
6084 * Test 1: Server sends KeyUpdate while Client is writing
6085 */
6086static int test_key_update_in_write(int tst)
6087{
6088 SSL_CTX *cctx = NULL, *sctx = NULL;
6089 SSL *clientssl = NULL, *serverssl = NULL;
6090 int testresult = 0;
6091 char buf[20];
6092 static char *mess = "A test message";
6093 BIO *bretry = BIO_new(bio_s_always_retry());
6094 BIO *tmp = NULL;
6095 SSL *peerupdate = NULL, *peerwrite = NULL;
6096
6097 if (!TEST_ptr(bretry)
5e30f2fd 6098 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
a77b4dba
MC		 6099 TLS_client_method(),
6100 TLS1_3_VERSION,
6101 0,
6102 &sctx, &cctx, cert, privkey))
6103 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6104 NULL, NULL))
6105 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6106 SSL_ERROR_NONE)))
6107 goto end;
6108
6109 peerupdate = tst == 0 ? clientssl : serverssl;
6110 peerwrite = tst == 0 ? serverssl : clientssl;
6111
6112 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
6113 || !TEST_true(SSL_do_handshake(peerupdate)))
6114 goto end;
6115
6116 /* Swap the writing endpoint's write BIO to force a retry */
6117 tmp = SSL_get_wbio(peerwrite);
6118 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6119 tmp = NULL;
6120 goto end;
6121 }
6122 SSL_set0_wbio(peerwrite, bretry);
6123 bretry = NULL;
6124
6125 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6126 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6127 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
6128 goto end;
6129
6130 /* Reinstate the original writing endpoint's write BIO */
6131 SSL_set0_wbio(peerwrite, tmp);
6132 tmp = NULL;
6133
6134 /* Now read some data - we will read the key update */
6135 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6136 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
6137 goto end;
6138
6139 /*
6140 * Complete the write we started previously and read it from the other
6141 * endpoint
6142 */
6143 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6144 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6145 goto end;
6146
6147 /* Write more data to ensure we send the KeyUpdate message back */
6148 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6149 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6150 goto end;
6151
6152 testresult = 1;
6153
6154 end:
6155 SSL_free(serverssl);
6156 SSL_free(clientssl);
6157 SSL_CTX_free(sctx);
6158 SSL_CTX_free(cctx);
6159 BIO_free(bretry);
6160 BIO_free(tmp);
6161
6162 return testresult;
6163}
a763ca11 6164#endif /* OSSL_NO_USABLE_TLS1_3 */
b38ede80 6165
e11b6aa4
MC		 6166static int test_ssl_clear(int idx)
6167{
6168 SSL_CTX *cctx = NULL, *sctx = NULL;
6169 SSL *clientssl = NULL, *serverssl = NULL;
6170 int testresult = 0;
6171
6172#ifdef OPENSSL_NO_TLS1_2
6173 if (idx == 1)
6174 return 1;
6175#endif
6176
6177 /* Create an initial connection */
5e30f2fd
MC		 6178 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6179 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 6180 &sctx, &cctx, cert, privkey))
e11b6aa4
MC		 6181 || (idx == 1
6182 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
6183 TLS1_2_VERSION)))
6184 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6185 &clientssl, NULL, NULL))
6186 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6187 SSL_ERROR_NONE)))
6188 goto end;
6189
6190 SSL_shutdown(clientssl);
6191 SSL_shutdown(serverssl);
6192 SSL_free(serverssl);
6193 serverssl = NULL;
6194
6195 /* Clear clientssl - we're going to reuse the object */
6196 if (!TEST_true(SSL_clear(clientssl)))
6197 goto end;
6198
6199 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6200 NULL, NULL))
6201 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6202 SSL_ERROR_NONE))
6203 || !TEST_true(SSL_session_reused(clientssl)))
6204 goto end;
6205
6206 SSL_shutdown(clientssl);
6207 SSL_shutdown(serverssl);
6208
6209 testresult = 1;
6210
6211 end:
6212 SSL_free(serverssl);
6213 SSL_free(clientssl);
6214 SSL_CTX_free(sctx);
6215 SSL_CTX_free(cctx);
6216
6217 return testresult;
6218}
6219
cf72c757
F		 6220/* Parse CH and retrieve any MFL extension value if present */
6221static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
6222{
6223 long len;
6224 unsigned char *data;
72962d02 6225 PACKET pkt, pkt2, pkt3;
cf72c757
F		 6226 unsigned int MFL_code = 0, type = 0;
6227
6228 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
6229 goto end;
6230
72962d02
P		 6231 memset(&pkt, 0, sizeof(pkt));
6232 memset(&pkt2, 0, sizeof(pkt2));
6233 memset(&pkt3, 0, sizeof(pkt3));
6234
9ba18520
P		 6235 if (!TEST_long_gt(len, 0)
6236 || !TEST_true( PACKET_buf_init( &pkt, data, len ) )
cf72c757
F		 6237 /* Skip the record header */
6238 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
6239 /* Skip the handshake message header */
6240 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
6241 /* Skip client version and random */
6242 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
6243 + SSL3_RANDOM_SIZE))
6244 /* Skip session id */
6245 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6246 /* Skip ciphers */
6247 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
6248 /* Skip compression */
6249 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6250 /* Extensions len */
6251 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
6252 goto end;
6253
6254 /* Loop through all extensions */
6255 while (PACKET_remaining(&pkt2)) {
6256 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
6257 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
6258 goto end;
6259
6260 if (type == TLSEXT_TYPE_max_fragment_length) {
6261 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
6262 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
6263 goto end;
6264
6265 *mfl_codemfl_code = MFL_code;
6266 return 1;
6267 }
6268 }
6269
6270 end:
6271 return 0;
6272}
6273
6274/* Maximum-Fragment-Length TLS extension mode to test */
6275static const unsigned char max_fragment_len_test[] = {
6276 TLSEXT_max_fragment_length_512,
6277 TLSEXT_max_fragment_length_1024,
6278 TLSEXT_max_fragment_length_2048,
6279 TLSEXT_max_fragment_length_4096
6280};
6281
6282static int test_max_fragment_len_ext(int idx_tst)
6283{
a763ca11 6284 SSL_CTX *ctx = NULL;
cf72c757
F		 6285 SSL *con = NULL;
6286 int testresult = 0, MFL_mode = 0;
6287 BIO *rbio, *wbio;
6288
a763ca11
MC		 6289 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
6290 TLS1_VERSION, 0, NULL, &ctx, NULL,
6291 NULL)))
6292 return 0;
cf72c757
F		 6293
6294 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6295 ctx, max_fragment_len_test[idx_tst])))
6296 goto end;
6297
6298 con = SSL_new(ctx);
6299 if (!TEST_ptr(con))
6300 goto end;
6301
6302 rbio = BIO_new(BIO_s_mem());
6303 wbio = BIO_new(BIO_s_mem());
6304 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
6305 BIO_free(rbio);
6306 BIO_free(wbio);
6307 goto end;
6308 }
6309
6310 SSL_set_bio(con, rbio, wbio);
cf72c757
F		 6311
6312 if (!TEST_int_le(SSL_connect(con), 0)) {
6313 /* This shouldn't succeed because we don't have a server! */
6314 goto end;
6315 }
6316
6317 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
6318 /* no MFL in client hello */
6319 goto end;
6320 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
6321 goto end;
6322
6323 testresult = 1;
6324
6325end:
6326 SSL_free(con);
6327 SSL_CTX_free(ctx);
6328
6329 return testresult;
6330}
6331
a763ca11 6332#ifndef OSSL_NO_USABLE_TLS1_3
9d75dce3
TS		 6333static int test_pha_key_update(void)
6334{
6335 SSL_CTX *cctx = NULL, *sctx = NULL;
6336 SSL *clientssl = NULL, *serverssl = NULL;
6337 int testresult = 0;
6338
5e30f2fd
MC		 6339 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6340 TLS_client_method(), TLS1_VERSION, 0,
9d75dce3
TS		 6341 &sctx, &cctx, cert, privkey)))
6342 return 0;
6343
6344 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
6345 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
6346 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
6347 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
6348 goto end;
6349
e97be718 6350 SSL_CTX_set_post_handshake_auth(cctx, 1);
9d75dce3
TS		 6351
6352 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6353 NULL, NULL)))
6354 goto end;
6355
9d75dce3
TS		 6356 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6357 SSL_ERROR_NONE)))
6358 goto end;
6359
6360 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6361 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6362 goto end;
6363
6364 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
6365 goto end;
6366
6367 /* Start handshake on the server */
6368 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
6369 goto end;
6370
6371 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
6372 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6373 SSL_ERROR_NONE)))
6374 goto end;
6375
6376 SSL_shutdown(clientssl);
6377 SSL_shutdown(serverssl);
6378
6379 testresult = 1;
6380
6381 end:
6382 SSL_free(serverssl);
6383 SSL_free(clientssl);
6384 SSL_CTX_free(sctx);
6385 SSL_CTX_free(cctx);
6386 return testresult;
6387}
6388#endif
6389
76fd7a1d
MC		 6390#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6391
6392static SRP_VBASE *vbase = NULL;
6393
6394static int ssl_srp_cb(SSL *s, int *ad, void *arg)
6395{
6396 int ret = SSL3_AL_FATAL;
6397 char *username;
6398 SRP_user_pwd *user = NULL;
6399
6400 username = SSL_get_srp_username(s);
6401 if (username == NULL) {
6402 *ad = SSL_AD_INTERNAL_ERROR;
6403 goto err;
6404 }
6405
6406 user = SRP_VBASE_get1_by_user(vbase, username);
6407 if (user == NULL) {
6408 *ad = SSL_AD_INTERNAL_ERROR;
6409 goto err;
6410 }
6411
6412 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
6413 user->info) <= 0) {
6414 *ad = SSL_AD_INTERNAL_ERROR;
6415 goto err;
6416 }
6417
6418 ret = 0;
6419
6420 err:
6421 SRP_user_pwd_free(user);
6422 return ret;
6423}
6424
6425static int create_new_vfile(char *userid, char *password, const char *filename)
6426{
6427 char *gNid = NULL;
6428 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
6429 TXT_DB *db = NULL;
6430 int ret = 0;
6431 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
6432 size_t i;
6433
6434 if (!TEST_ptr(dummy) || !TEST_ptr(row))
6435 goto end;
6436
20c00d0a 6437 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
5e30f2fd 6438 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
76fd7a1d
MC		 6439 if (!TEST_ptr(gNid))
6440 goto end;
6441
6442 /*
6443 * The only way to create an empty TXT_DB is to provide a BIO with no data
6444 * in it!
6445 */
6446 db = TXT_DB_read(dummy, DB_NUMBER);
6447 if (!TEST_ptr(db))
6448 goto end;
6449
6450 out = BIO_new_file(filename, "w");
6451 if (!TEST_ptr(out))
6452 goto end;
6453
6454 row[DB_srpid] = OPENSSL_strdup(userid);
6455 row[DB_srptype] = OPENSSL_strdup("V");
6456 row[DB_srpgN] = OPENSSL_strdup(gNid);
6457
6458 if (!TEST_ptr(row[DB_srpid])
6459 || !TEST_ptr(row[DB_srptype])
6460 || !TEST_ptr(row[DB_srpgN])
6461 || !TEST_true(TXT_DB_insert(db, row)))
6462 goto end;
6463
6464 row = NULL;
6465
6466 if (!TXT_DB_write(out, db))
6467 goto end;
6468
6469 ret = 1;
6470 end:
6471 if (row != NULL) {
6472 for (i = 0; i < DB_NUMBER; i++)
6473 OPENSSL_free(row[i]);
6474 }
6475 OPENSSL_free(row);
6476 BIO_free(dummy);
6477 BIO_free(out);
6478 TXT_DB_free(db);
6479
6480 return ret;
6481}
6482
6483static int create_new_vbase(char *userid, char *password)
6484{
6485 BIGNUM *verifier = NULL, *salt = NULL;
6486 const SRP_gN *lgN = NULL;
6487 SRP_user_pwd *user_pwd = NULL;
6488 int ret = 0;
6489
6490 lgN = SRP_get_default_gN(NULL);
6491 if (!TEST_ptr(lgN))
6492 goto end;
6493
20c00d0a 6494 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
5e30f2fd 6495 lgN->N, lgN->g, libctx, NULL)))
76fd7a1d
MC		 6496 goto end;
6497
6498 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
6499 if (!TEST_ptr(user_pwd))
6500 goto end;
6501
6502 user_pwd->N = lgN->N;
6503 user_pwd->g = lgN->g;
6504 user_pwd->id = OPENSSL_strdup(userid);
6505 if (!TEST_ptr(user_pwd->id))
6506 goto end;
6507
6508 user_pwd->v = verifier;
6509 user_pwd->s = salt;
6510 verifier = salt = NULL;
6511
6512 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
6513 goto end;
6514 user_pwd = NULL;
6515
6516 ret = 1;
6517end:
6518 SRP_user_pwd_free(user_pwd);
6519 BN_free(salt);
6520 BN_free(verifier);
6521
6522 return ret;
6523}
6524
6525/*
6526 * SRP tests
6527 *
6528 * Test 0: Simple successful SRP connection, new vbase
6529 * Test 1: Connection failure due to bad password, new vbase
6530 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6531 * Test 3: Connection failure due to bad password, vbase loaded from existing
6532 * file
6533 * Test 4: Simple successful SRP connection, vbase loaded from new file
6534 * Test 5: Connection failure due to bad password, vbase loaded from new file
6535 */
6536static int test_srp(int tst)
6537{
6538 char *userid = "test", *password = "password", *tstsrpfile;
6539 SSL_CTX *cctx = NULL, *sctx = NULL;
6540 SSL *clientssl = NULL, *serverssl = NULL;
6541 int ret, testresult = 0;
6542
6543 vbase = SRP_VBASE_new(NULL);
6544 if (!TEST_ptr(vbase))
6545 goto end;
6546
6547 if (tst == 0 || tst == 1) {
6548 if (!TEST_true(create_new_vbase(userid, password)))
6549 goto end;
6550 } else {
6551 if (tst == 4 || tst == 5) {
6552 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
6553 goto end;
6554 tstsrpfile = tmpfilename;
6555 } else {
6556 tstsrpfile = srpvfile;
6557 }
6558 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
6559 goto end;
6560 }
6561
5e30f2fd
MC		 6562 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6563 TLS_client_method(), TLS1_VERSION, 0,
76fd7a1d
MC		 6564 &sctx, &cctx, cert, privkey)))
6565 goto end;
6566
6567 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
6568 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
6569 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
6570 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
6571 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
6572 goto end;
6573
6574 if (tst % 2 == 1) {
6575 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
6576 goto end;
6577 } else {
6578 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
6579 goto end;
6580 }
6581
6582 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6583 NULL, NULL)))
6584 goto end;
6585
6586 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6587 if (ret) {
6588 if (!TEST_true(tst % 2 == 0))
6589 goto end;
6590 } else {
6591 if (!TEST_true(tst % 2 == 1))
6592 goto end;
6593 }
6594
6595 testresult = 1;
6596
6597 end:
6598 SRP_VBASE_free(vbase);
6599 vbase = NULL;
6600 SSL_free(serverssl);
6601 SSL_free(clientssl);
6602 SSL_CTX_free(sctx);
6603 SSL_CTX_free(cctx);
6604
6605 return testresult;
6606}
6607#endif
6608
5718fe45
MC		 6609static int info_cb_failed = 0;
6610static int info_cb_offset = 0;
6611static int info_cb_this_state = -1;
6612
6613static struct info_cb_states_st {
6614 int where;
6615 const char *statestr;
6616} info_cb_states[][60] = {
6617 {
6618 /* TLSv1.2 server followed by resumption */
6619 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6620 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6621 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
6622 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
6623 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
6624 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6625 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6626 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6627 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
6628 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6629 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
6630 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6631 {SSL_CB_EXIT, NULL}, {0, NULL},
6632 }, {
6633 /* TLSv1.2 client followed by resumption */
6634 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6635 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6636 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
6637 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
6638 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
6639 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6640 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6641 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6642 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6643 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6644 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6645 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
6646 }, {
6647 /* TLSv1.3 server followed by resumption */
6648 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6649 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6650 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
6651 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
6652 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b
MC		 6653 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6654 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6655 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6656 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6657 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6658 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
6659 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6660 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 6661 }, {
6662 /* TLSv1.3 client followed by resumption */
6663 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6664 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6665 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
6666 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
6667 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4af5836b
MC		 6668 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6669 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
6670 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5718fe45
MC		 6671 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6672 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
6673 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6674 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6675 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4af5836b
MC		 6676 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
6677 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 6678 }, {
6679 /* TLSv1.3 server, early_data */
6680 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6681 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6682 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6683 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6684 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6685 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b 6686 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5718fe45
MC		 6687 {SSL_CB_EXIT, NULL}, {0, NULL},
6688 }, {
6689 /* TLSv1.3 client, early_data */
6690 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6691 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
6692 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6693 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6694 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6695 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
6696 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4af5836b
MC		 6697 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6698 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 6699 }, {
6700 {0, NULL},
6701 }
6702};
6703
6704static void sslapi_info_callback(const SSL *s, int where, int ret)
6705{
6706 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
6707
6708 /* We do not ever expect a connection to fail in this test */
6709 if (!TEST_false(ret == 0)) {
6710 info_cb_failed = 1;
6711 return;
6712 }
6713
6714 /*
6715 * Do some sanity checks. We never expect these things to happen in this
6716 * test
6717 */
6718 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
6719 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
6720 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
6721 info_cb_failed = 1;
6722 return;
6723 }
6724
6725 /* Now check we're in the right state */
6726 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
6727 info_cb_failed = 1;
6728 return;
6729 }
6730 if ((where & SSL_CB_LOOP) != 0
6731 && !TEST_int_eq(strcmp(SSL_state_string(s),
6732 state[info_cb_this_state].statestr), 0)) {
6733 info_cb_failed = 1;
6734 return;
6735 }
033c181b 6736
4af5836b
MC		 6737 /*
6738 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
6739 */
6740 if ((where & SSL_CB_HANDSHAKE_DONE)
6741 && SSL_in_init((SSL *)s) != 0) {
033c181b
MC		 6742 info_cb_failed = 1;
6743 return;
6744 }
5718fe45
MC		 6745}
6746
6747/*
6748 * Test the info callback gets called when we expect it to.
6749 *
6750 * Test 0: TLSv1.2, server
6751 * Test 1: TLSv1.2, client
6752 * Test 2: TLSv1.3, server
6753 * Test 3: TLSv1.3, client
6754 * Test 4: TLSv1.3, server, early_data
6755 * Test 5: TLSv1.3, client, early_data
6756 */
6757static int test_info_callback(int tst)
6758{
6759 SSL_CTX *cctx = NULL, *sctx = NULL;
6760 SSL *clientssl = NULL, *serverssl = NULL;
6761 SSL_SESSION *clntsess = NULL;
6762 int testresult = 0;
6763 int tlsvers;
6764
6765 if (tst < 2) {
1aac20f5
MC		 6766/* We need either ECDHE or DHE for the TLSv1.2 test to work */
6767#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
6768 || !defined(OPENSSL_NO_DH))
5718fe45
MC		 6769 tlsvers = TLS1_2_VERSION;
6770#else
6771 return 1;
6772#endif
6773 } else {
a763ca11 6774#ifndef OSSL_NO_USABLE_TLS1_3
5718fe45
MC		 6775 tlsvers = TLS1_3_VERSION;
6776#else
6777 return 1;
6778#endif
6779 }
6780
6781 /* Reset globals */
6782 info_cb_failed = 0;
6783 info_cb_this_state = -1;
6784 info_cb_offset = tst;
6785
a763ca11 6786#ifndef OSSL_NO_USABLE_TLS1_3
5718fe45
MC		 6787 if (tst >= 4) {
6788 SSL_SESSION *sess = NULL;
6789 size_t written, readbytes;
6790 unsigned char buf[80];
6791
6792 /* early_data tests */
6793 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
6794 &serverssl, &sess, 0)))
6795 goto end;
6796
6797 /* We don't actually need this reference */
6798 SSL_SESSION_free(sess);
6799
6800 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
6801 sslapi_info_callback);
6802
6803 /* Write and read some early data and then complete the connection */
6804 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
6805 &written))
6806 || !TEST_size_t_eq(written, strlen(MSG1))
6807 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
6808 sizeof(buf), &readbytes),
6809 SSL_READ_EARLY_DATA_SUCCESS)
6810 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
6811 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6812 SSL_EARLY_DATA_ACCEPTED)
6813 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6814 SSL_ERROR_NONE))
6815 || !TEST_false(info_cb_failed))
6816 goto end;
6817
6818 testresult = 1;
6819 goto end;
6820 }
6e07834c 6821#endif
5718fe45 6822
5e30f2fd 6823 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5718fe45
MC		 6824 TLS_client_method(),
6825 tlsvers, tlsvers, &sctx, &cctx, cert,
6826 privkey)))
6827 goto end;
6828
33c39a06
MC		 6829 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
6830 goto end;
6831
5718fe45
MC		 6832 /*
6833 * For even numbered tests we check the server callbacks. For odd numbers we
6834 * check the client.
6835 */
6836 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
6837 sslapi_info_callback);
6838
6839 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6840 &clientssl, NULL, NULL))
6841 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6842 SSL_ERROR_NONE))
6843 || !TEST_false(info_cb_failed))
6844 goto end;
6845
6846
6847
6848 clntsess = SSL_get1_session(clientssl);
6849 SSL_shutdown(clientssl);
6850 SSL_shutdown(serverssl);
6851 SSL_free(serverssl);
6852 SSL_free(clientssl);
6853 serverssl = clientssl = NULL;
6854
6855 /* Now do a resumption */
6856 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6857 NULL))
6858 || !TEST_true(SSL_set_session(clientssl, clntsess))
6859 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6860 SSL_ERROR_NONE))
6861 || !TEST_true(SSL_session_reused(clientssl))
6862 || !TEST_false(info_cb_failed))
6863 goto end;
6864
6865 testresult = 1;
6866
6867 end:
6868 SSL_free(serverssl);
6869 SSL_free(clientssl);
6870 SSL_SESSION_free(clntsess);
6871 SSL_CTX_free(sctx);
6872 SSL_CTX_free(cctx);
6873 return testresult;
6874}
6875
4a432af8
MC		 6876static int test_ssl_pending(int tst)
6877{
6878 SSL_CTX *cctx = NULL, *sctx = NULL;
6879 SSL *clientssl = NULL, *serverssl = NULL;
6880 int testresult = 0;
6881 char msg[] = "A test message";
6882 char buf[5];
6883 size_t written, readbytes;
6884
6885 if (tst == 0) {
5e30f2fd 6886 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4a432af8 6887 TLS_client_method(),
5c587fb6 6888 TLS1_VERSION, 0,
4a432af8
MC		 6889 &sctx, &cctx, cert, privkey)))
6890 goto end;
6891 } else {
6892#ifndef OPENSSL_NO_DTLS
5e30f2fd 6893 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
4a432af8 6894 DTLS_client_method(),
5c587fb6 6895 DTLS1_VERSION, 0,
4a432af8
MC		 6896 &sctx, &cctx, cert, privkey)))
6897 goto end;
8ce390e1
MC		 6898
6899# ifdef OPENSSL_NO_DTLS1_2
6900 /* Not supported in the FIPS provider */
6901 if (is_fips) {
6902 testresult = 1;
6903 goto end;
6904 };
6905 /*
6906 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
6907 * level 0
6908 */
6909 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
6910 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
6911 "DEFAULT:@SECLEVEL=0")))
6912 goto end;
6913# endif
4a432af8
MC		 6914#else
6915 return 1;
6916#endif
6917 }
6918
6919 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6920 NULL, NULL))
6921 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6922 SSL_ERROR_NONE)))
6923 goto end;
6924
e8251092
MC		 6925 if (!TEST_int_eq(SSL_pending(clientssl), 0)
6926 || !TEST_false(SSL_has_pending(clientssl))
6927 || !TEST_int_eq(SSL_pending(serverssl), 0)
6928 || !TEST_false(SSL_has_pending(serverssl))
6929 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4a432af8
MC		 6930 || !TEST_size_t_eq(written, sizeof(msg))
6931 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
6932 || !TEST_size_t_eq(readbytes, sizeof(buf))
e8251092
MC		 6933 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
6934 || !TEST_true(SSL_has_pending(clientssl)))
4a432af8
MC		 6935 goto end;
6936
6937 testresult = 1;
6938
6939 end:
6940 SSL_free(serverssl);
6941 SSL_free(clientssl);
6942 SSL_CTX_free(sctx);
6943 SSL_CTX_free(cctx);
6944
6945 return testresult;
6946}
6947
e401389a
MC		 6948static struct {
6949 unsigned int maxprot;
6950 const char *clntciphers;
6951 const char *clnttls13ciphers;
6952 const char *srvrciphers;
6953 const char *srvrtls13ciphers;
6954 const char *shared;
a96e6c34 6955 const char *fipsshared;
e401389a 6956} shared_ciphers_data[] = {
60155b9a
MC		 6957/*
6958 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
6959 * TLSv1.3 is enabled but TLSv1.2 is disabled.
6960 */
a763ca11 6961#if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
e401389a
MC		 6962 {
6963 TLS1_2_VERSION,
6964 "AES128-SHA:AES256-SHA",
6965 NULL,
6966 "AES256-SHA:DHE-RSA-AES128-SHA",
6967 NULL,
a96e6c34 6968 "AES256-SHA",
e401389a
MC		 6969 "AES256-SHA"
6970 },
a96e6c34
MC		 6971# if !defined(OPENSSL_NO_CHACHA) \
6972 && !defined(OPENSSL_NO_POLY1305) \
6973 && !defined(OPENSSL_NO_EC)
6974 {
6975 TLS1_2_VERSION,
6976 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6977 NULL,
6978 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6979 NULL,
6980 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6981 "AES128-SHA"
6982 },
6983# endif
e401389a
MC		 6984 {
6985 TLS1_2_VERSION,
6986 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
6987 NULL,
6988 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
6989 NULL,
a96e6c34 6990 "AES128-SHA:AES256-SHA",
e401389a
MC		 6991 "AES128-SHA:AES256-SHA"
6992 },
6993 {
6994 TLS1_2_VERSION,
6995 "AES128-SHA:AES256-SHA",
6996 NULL,
6997 "AES128-SHA:DHE-RSA-AES128-SHA",
6998 NULL,
a96e6c34 6999 "AES128-SHA",
e401389a
MC		 7000 "AES128-SHA"
7001 },
60155b9a
MC		 7002#endif
7003/*
7004 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7005 * enabled.
7006 */
a763ca11 7007#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
60155b9a 7008 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e401389a
MC		 7009 {
7010 TLS1_3_VERSION,
7011 "AES128-SHA:AES256-SHA",
7012 NULL,
7013 "AES256-SHA:AES128-SHA256",
7014 NULL,
7015 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
a96e6c34
MC		 7016 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7017 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
e401389a 7018 },
60155b9a 7019#endif
a763ca11 7020#ifndef OSSL_NO_USABLE_TLS1_3
e401389a
MC		 7021 {
7022 TLS1_3_VERSION,
7023 "AES128-SHA",
7024 "TLS_AES_256_GCM_SHA384",
7025 "AES256-SHA",
7026 "TLS_AES_256_GCM_SHA384",
a96e6c34 7027 "TLS_AES_256_GCM_SHA384",
e401389a
MC		 7028 "TLS_AES_256_GCM_SHA384"
7029 },
7030#endif
7031};
7032
a96e6c34 7033static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
e401389a
MC		 7034{
7035 SSL_CTX *cctx = NULL, *sctx = NULL;
7036 SSL *clientssl = NULL, *serverssl = NULL;
7037 int testresult = 0;
7038 char buf[1024];
b4250010 7039 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
a96e6c34
MC		 7040
7041 if (!TEST_ptr(tmplibctx))
7042 goto end;
7043
7044 /*
7045 * Regardless of whether we're testing with the FIPS provider loaded into
7046 * libctx, we want one peer to always use the full set of ciphersuites
7047 * available. Therefore we use a separate libctx with the default provider
7048 * loaded into it. We run the same tests twice - once with the client side
7049 * having the full set of ciphersuites and once with the server side.
7050 */
7051 if (clnt) {
d8652be0 7052 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
a96e6c34
MC		 7053 if (!TEST_ptr(cctx))
7054 goto end;
7055 } else {
d8652be0 7056 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
a96e6c34
MC		 7057 if (!TEST_ptr(sctx))
7058 goto end;
7059 }
e401389a 7060
5e30f2fd 7061 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
e401389a
MC		 7062 TLS_client_method(),
7063 TLS1_VERSION,
7064 shared_ciphers_data[tst].maxprot,
7065 &sctx, &cctx, cert, privkey)))
7066 goto end;
7067
7068 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7069 shared_ciphers_data[tst].clntciphers))
7070 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
7071 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
7072 shared_ciphers_data[tst].clnttls13ciphers)))
7073 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
7074 shared_ciphers_data[tst].srvrciphers))
7075 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
7076 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
7077 shared_ciphers_data[tst].srvrtls13ciphers))))
7078 goto end;
7079
7080
7081 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7082 NULL, NULL))
7083 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7084 SSL_ERROR_NONE)))
7085 goto end;
7086
7087 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
a96e6c34
MC		 7088 || !TEST_int_eq(strcmp(buf,
7089 is_fips
7090 ? shared_ciphers_data[tst].fipsshared
7091 : shared_ciphers_data[tst].shared),
7092 0)) {
e401389a
MC		 7093 TEST_info("Shared ciphers are: %s\n", buf);
7094 goto end;
7095 }
7096
7097 testresult = 1;
7098
7099 end:
7100 SSL_free(serverssl);
7101 SSL_free(clientssl);
7102 SSL_CTX_free(sctx);
7103 SSL_CTX_free(cctx);
b4250010 7104 OSSL_LIB_CTX_free(tmplibctx);
e401389a
MC		 7105
7106 return testresult;
7107}
7108
a96e6c34
MC		 7109static int test_ssl_get_shared_ciphers(int tst)
7110{
7111 return int_test_ssl_get_shared_ciphers(tst, 0)
7112 && int_test_ssl_get_shared_ciphers(tst, 1);
7113}
7114
7115
d0191fe0 7116static const char *appdata = "Hello World";
61fb5923
MC		 7117static int gen_tick_called, dec_tick_called, tick_key_cb_called;
7118static int tick_key_renew = 0;
7119static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
d0191fe0
MC		 7120
7121static int gen_tick_cb(SSL *s, void *arg)
7122{
7123 gen_tick_called = 1;
7124
7125 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
7126 strlen(appdata));
7127}
7128
7129static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
7130 const unsigned char *keyname,
7131 size_t keyname_length,
61fb5923
MC		 7132 SSL_TICKET_STATUS status,
7133 void *arg)
d0191fe0
MC		 7134{
7135 void *tickdata;
7136 size_t tickdlen;
7137
7138 dec_tick_called = 1;
7139
61fb5923
MC		 7140 if (status == SSL_TICKET_EMPTY)
7141 return SSL_TICKET_RETURN_IGNORE_RENEW;
d0191fe0 7142
61fb5923
MC		 7143 if (!TEST_true(status == SSL_TICKET_SUCCESS
7144 || status == SSL_TICKET_SUCCESS_RENEW))
7145 return SSL_TICKET_RETURN_ABORT;
7146
7147 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
7148 &tickdlen))
d0191fe0
MC		 7149 || !TEST_size_t_eq(tickdlen, strlen(appdata))
7150 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
61fb5923 7151 return SSL_TICKET_RETURN_ABORT;
d0191fe0 7152
61fb5923
MC		 7153 if (tick_key_cb_called) {
7154 /* Don't change what the ticket key callback wanted to do */
7155 switch (status) {
7156 case SSL_TICKET_NO_DECRYPT:
7157 return SSL_TICKET_RETURN_IGNORE_RENEW;
7158
7159 case SSL_TICKET_SUCCESS:
7160 return SSL_TICKET_RETURN_USE;
d0191fe0 7161
61fb5923
MC		 7162 case SSL_TICKET_SUCCESS_RENEW:
7163 return SSL_TICKET_RETURN_USE_RENEW;
7164
7165 default:
7166 return SSL_TICKET_RETURN_ABORT;
7167 }
7168 }
7169 return tick_dec_ret;
7170
7171}
d0191fe0 7172
a76ce286 7173#ifndef OPENSSL_NO_DEPRECATED_3_0
d0191fe0
MC		 7174static int tick_key_cb(SSL *s, unsigned char key_name[16],
7175 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
7176 HMAC_CTX *hctx, int enc)
7177{
7178 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7179 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
5e30f2fd
MC		 7180 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7181 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
7182 int ret;
d0191fe0 7183
61fb5923 7184 tick_key_cb_called = 1;
d0191fe0
MC		 7185 memset(iv, 0, AES_BLOCK_SIZE);
7186 memset(key_name, 0, 16);
5e30f2fd
MC		 7187 if (aes128cbc == NULL
7188 || sha256 == NULL
7189 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7190 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
7191 NULL))
7192 ret = -1;
7193 else
7194 ret = tick_key_renew ? 2 : 1;
d0191fe0 7195
5e30f2fd
MC		 7196 EVP_CIPHER_free(aes128cbc);
7197 EVP_MD_free(sha256);
7198
7199 return ret;
d0191fe0 7200}
a76ce286
P		 7201#endif
7202
7203static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
7204 unsigned char iv[EVP_MAX_IV_LENGTH],
7205 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
7206{
7207 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7208 unsigned char tick_hmac_key[16] = "0123456789abcdef";
77e4ae58 7209 OSSL_PARAM params[2];
5e30f2fd
MC		 7210 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7211 int ret;
a76ce286
P		 7212
7213 tick_key_cb_called = 1;
7214 memset(iv, 0, AES_BLOCK_SIZE);
7215 memset(key_name, 0, 16);
7216 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
7217 "SHA256", 0);
77e4ae58 7218 params[1] = OSSL_PARAM_construct_end();
5e30f2fd
MC		 7219 if (aes128cbc == NULL
7220 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
77e4ae58
P		 7221 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
7222 params))
5e30f2fd
MC		 7223 ret = -1;
7224 else
7225 ret = tick_key_renew ? 2 : 1;
7226
7227 EVP_CIPHER_free(aes128cbc);
a76ce286 7228
5e30f2fd 7229 return ret;
a76ce286 7230}
d0191fe0
MC		 7231
7232/*
7233 * Test the various ticket callbacks
61fb5923
MC		 7234 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
7235 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
7236 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
7237 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
7238 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
7239 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
7240 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
7241 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
a76ce286
P		 7242 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
7243 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
7244 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
7245 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
7246 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
7247 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
7248 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
7249 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
d0191fe0
MC		 7250 */
7251static int test_ticket_callbacks(int tst)
7252{
7253 SSL_CTX *cctx = NULL, *sctx = NULL;
7254 SSL *clientssl = NULL, *serverssl = NULL;
7255 SSL_SESSION *clntsess = NULL;
7256 int testresult = 0;
7257
7258#ifdef OPENSSL_NO_TLS1_2
ba8b48e9 7259 if (tst % 2 == 0)
d0191fe0
MC		 7260 return 1;
7261#endif
a763ca11 7262#ifdef OSSL_NO_USABLE_TLS1_3
ba8b48e9 7263 if (tst % 2 == 1)
d0191fe0
MC		 7264 return 1;
7265#endif
a76ce286
P		 7266#ifdef OPENSSL_NO_DEPRECATED_3_0
7267 if (tst >= 8 && tst <= 11)
7268 return 1;
7269#endif
d0191fe0 7270
61fb5923 7271 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
d0191fe0
MC		 7272
7273 /* Which tests the ticket key callback should request renewal for */
a76ce286 7274 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
61fb5923 7275 tick_key_renew = 1;
d0191fe0 7276 else
61fb5923
MC		 7277 tick_key_renew = 0;
7278
7279 /* Which tests the decrypt ticket callback should request renewal for */
7280 switch (tst) {
7281 case 0:
7282 case 1:
7283 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
7284 break;
7285
7286 case 2:
7287 case 3:
7288 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
7289 break;
7290
7291 case 4:
7292 case 5:
7293 tick_dec_ret = SSL_TICKET_RETURN_USE;
7294 break;
7295
7296 case 6:
7297 case 7:
7298 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
7299 break;
7300
7301 default:
7302 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7303 }
d0191fe0 7304
5e30f2fd 7305 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
d0191fe0
MC		 7306 TLS_client_method(),
7307 TLS1_VERSION,
61fb5923
MC		 7308 ((tst % 2) == 0) ? TLS1_2_VERSION
7309 : TLS1_3_VERSION,
d0191fe0
MC		 7310 &sctx, &cctx, cert, privkey)))
7311 goto end;
7312
61fb5923
MC		 7313 /*
7314 * We only want sessions to resume from tickets - not the session cache. So
7315 * switch the cache off.
7316 */
7317 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
7318 goto end;
7319
d0191fe0
MC		 7320 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
7321 NULL)))
7322 goto end;
7323
a76ce286
P		 7324 if (tst >= 12) {
7325 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
7326 goto end;
7327#ifndef OPENSSL_NO_DEPRECATED_3_0
7328 } else if (tst >= 8) {
7329 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
7330 goto end;
7331#endif
7332 }
d0191fe0
MC		 7333
7334 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7335 NULL, NULL))
7336 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7337 SSL_ERROR_NONE)))
7338 goto end;
7339
61fb5923
MC		 7340 /*
7341 * The decrypt ticket key callback in TLSv1.2 should be called even though
7342 * we have no ticket yet, because it gets called with a status of
7343 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
7344 * actually send any ticket data). This does not happen in TLSv1.3 because
7345 * it is not valid to send empty ticket data in TLSv1.3.
7346 */
d0191fe0 7347 if (!TEST_int_eq(gen_tick_called, 1)
61fb5923 7348 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
d0191fe0
MC		 7349 goto end;
7350
7351 gen_tick_called = dec_tick_called = 0;
7352
7353 clntsess = SSL_get1_session(clientssl);
7354 SSL_shutdown(clientssl);
7355 SSL_shutdown(serverssl);
7356 SSL_free(serverssl);
7357 SSL_free(clientssl);
7358 serverssl = clientssl = NULL;
7359
7360 /* Now do a resumption */
7361 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7362 NULL))
7363 || !TEST_true(SSL_set_session(clientssl, clntsess))
7364 || !TEST_true(create_ssl_connection(serverssl, clientssl,
61fb5923 7365 SSL_ERROR_NONE)))
d0191fe0
MC		 7366 goto end;
7367
61fb5923
MC		 7368 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
7369 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
7370 if (!TEST_false(SSL_session_reused(clientssl)))
7371 goto end;
7372 } else {
7373 if (!TEST_true(SSL_session_reused(clientssl)))
7374 goto end;
7375 }
7376
d0191fe0 7377 if (!TEST_int_eq(gen_tick_called,
61fb5923
MC		 7378 (tick_key_renew
7379 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
7380 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
7381 ? 1 : 0)
d0191fe0
MC		 7382 || !TEST_int_eq(dec_tick_called, 1))
7383 goto end;
7384
7385 testresult = 1;
7386
7387 end:
7388 SSL_SESSION_free(clntsess);
7389 SSL_free(serverssl);
7390 SSL_free(clientssl);
7391 SSL_CTX_free(sctx);
7392 SSL_CTX_free(cctx);
7393
7394 return testresult;
7395}
7396
e638112e
DB		 7397/*
7398 * Test incorrect shutdown.
7399 * Test 0: client does not shutdown properly,
7400 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
7401 * server should get SSL_ERROR_SSL
7402 * Test 1: client does not shutdown properly,
7403 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
7404 * server should get SSL_ERROR_ZERO_RETURN
7405 */
7406static int test_incorrect_shutdown(int tst)
7407{
7408 SSL_CTX *cctx = NULL, *sctx = NULL;
7409 SSL *clientssl = NULL, *serverssl = NULL;
7410 int testresult = 0;
7411 char buf[80];
7412 BIO *c2s;
7413
7414 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7415 TLS_client_method(), 0, 0,
7416 &sctx, &cctx, cert, privkey)))
7417 goto end;
7418
7419 if (tst == 1)
7420 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
7421
7422 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7423 NULL, NULL)))
7424 goto end;
7425
7426 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7427 SSL_ERROR_NONE)))
7428 goto end;
7429
7430 c2s = SSL_get_rbio(serverssl);
7431 BIO_set_mem_eof_return(c2s, 0);
7432
7433 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
7434 goto end;
7435
7436 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
7437 goto end;
7438 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
7439 goto end;
7440
7441 testresult = 1;
7442
7443 end:
7444 SSL_free(serverssl);
7445 SSL_free(clientssl);
7446 SSL_CTX_free(sctx);
7447 SSL_CTX_free(cctx);
7448
7449 return testresult;
7450}
7451
c748834f
MC		 7452/*
7453 * Test bi-directional shutdown.
7454 * Test 0: TLSv1.2
7455 * Test 1: TLSv1.2, server continues to read/write after client shutdown
7456 * Test 2: TLSv1.3, no pending NewSessionTicket messages
7457 * Test 3: TLSv1.3, pending NewSessionTicket messages
80eff008
KR		 7458 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
7459 * sends key update, client reads it
57d7b988
MC		 7460 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
7461 * sends CertificateRequest, client reads and ignores it
7462 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
c748834f
MC		 7463 * doesn't read it
7464 */
7465static int test_shutdown(int tst)
7466{
7467 SSL_CTX *cctx = NULL, *sctx = NULL;
7468 SSL *clientssl = NULL, *serverssl = NULL;
7469 int testresult = 0;
7470 char msg[] = "A test message";
7471 char buf[80];
7472 size_t written, readbytes;
80eff008 7473 SSL_SESSION *sess;
c748834f
MC		 7474
7475#ifdef OPENSSL_NO_TLS1_2
a97d19f7 7476 if (tst <= 1)
c748834f
MC		 7477 return 1;
7478#endif
a763ca11 7479#ifdef OSSL_NO_USABLE_TLS1_3
a97d19f7 7480 if (tst >= 2)
c748834f
MC		 7481 return 1;
7482#endif
7483
5e30f2fd 7484 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
c748834f
MC		 7485 TLS_client_method(),
7486 TLS1_VERSION,
7487 (tst <= 1) ? TLS1_2_VERSION
7488 : TLS1_3_VERSION,
57d7b988
MC		 7489 &sctx, &cctx, cert, privkey)))
7490 goto end;
7491
7492 if (tst == 5)
7493 SSL_CTX_set_post_handshake_auth(cctx, 1);
7494
7495 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
c748834f
MC		 7496 NULL, NULL)))
7497 goto end;
7498
7499 if (tst == 3) {
7500 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
80c455d5 7501 SSL_ERROR_NONE, 1))
80eff008
KR		 7502 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7503 || !TEST_false(SSL_SESSION_is_resumable(sess)))
c748834f
MC		 7504 goto end;
7505 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
80eff008
KR		 7506 SSL_ERROR_NONE))
7507 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7508 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
c748834f
MC		 7509 goto end;
7510 }
7511
7512 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
7513 goto end;
7514
7515 if (tst >= 4) {
7516 /*
7517 * Reading on the server after the client has sent close_notify should
7518 * fail and provide SSL_ERROR_ZERO_RETURN
7519 */
7520 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
7521 || !TEST_int_eq(SSL_get_error(serverssl, 0),
7522 SSL_ERROR_ZERO_RETURN)
7523 || !TEST_int_eq(SSL_get_shutdown(serverssl),
7524 SSL_RECEIVED_SHUTDOWN)
7525 /*
7526 * Even though we're shutdown on receive we should still be
7527 * able to write.
7528 */
80eff008
KR		 7529 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7530 goto end;
57d7b988
MC		 7531 if (tst == 4
7532 && !TEST_true(SSL_key_update(serverssl,
7533 SSL_KEY_UPDATE_REQUESTED)))
7534 goto end;
7535 if (tst == 5) {
7536 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7537 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7538 goto end;
7539 }
7540 if ((tst == 4 || tst == 5)
7541 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
80eff008
KR		 7542 goto end;
7543 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
c748834f 7544 goto end;
57d7b988 7545 if (tst == 4 || tst == 5) {
80eff008 7546 /* Should still be able to read data from server */
c748834f 7547 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
80eff008
KR		 7548 &readbytes))
7549 || !TEST_size_t_eq(readbytes, sizeof(msg))
7550 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
7551 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7552 &readbytes))
c748834f
MC		 7553 || !TEST_size_t_eq(readbytes, sizeof(msg))
7554 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
7555 goto end;
7556 }
7557 }
7558
7559 /* Writing on the client after sending close_notify shouldn't be possible */
ba709049 7560 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
c748834f
MC		 7561 goto end;
7562
7563 if (tst < 4) {
7564 /*
7565 * For these tests the client has sent close_notify but it has not yet
7566 * been received by the server. The server has not sent close_notify
7567 * yet.
7568 */
7569 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
ba709049
MC		 7570 /*
7571 * Writing on the server after sending close_notify shouldn't
7572 * be possible.
7573 */
7574 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
c748834f 7575 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
80eff008
KR		 7576 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7577 || !TEST_true(SSL_SESSION_is_resumable(sess))
c748834f
MC		 7578 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
7579 goto end;
57d7b988 7580 } else if (tst == 4 || tst == 5) {
c748834f
MC		 7581 /*
7582 * In this test the client has sent close_notify and it has been
7583 * received by the server which has responded with a close_notify. The
358ffa05 7584 * client needs to read the close_notify sent by the server.
c748834f 7585 */
80eff008
KR		 7586 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
7587 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7588 || !TEST_true(SSL_SESSION_is_resumable(sess)))
c748834f 7589 goto end;
358ffa05
MC		 7590 } else {
7591 /*
57d7b988 7592 * tst == 6
358ffa05
MC		 7593 *
7594 * The client has sent close_notify and is expecting a close_notify
7595 * back, but instead there is application data first. The shutdown
7596 * should fail with a fatal error.
7597 */
7598 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
7599 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
7600 goto end;
c748834f
MC		 7601 }
7602
7603 testresult = 1;
7604
7605 end:
7606 SSL_free(serverssl);
7607 SSL_free(clientssl);
7608 SSL_CTX_free(sctx);
7609 SSL_CTX_free(cctx);
7610
7611 return testresult;
7612}
7613
a763ca11 7614#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
cd6fe29f
MC		 7615static int cert_cb_cnt;
7616
7617static int cert_cb(SSL *s, void *arg)
7618{
7619 SSL_CTX *ctx = (SSL_CTX *)arg;
7cb8fb07
BK		 7620 BIO *in = NULL;
7621 EVP_PKEY *pkey = NULL;
1a2a3a42
MC		 7622 X509 *x509 = NULL, *rootx = NULL;
7623 STACK_OF(X509) *chain = NULL;
7624 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
7625 int ret = 0;
cd6fe29f
MC		 7626
7627 if (cert_cb_cnt == 0) {
7628 /* Suspend the handshake */
7629 cert_cb_cnt++;
7630 return -1;
7631 } else if (cert_cb_cnt == 1) {
7632 /*
7633 * Update the SSL_CTX, set the certificate and private key and then
7634 * continue the handshake normally.
7635 */
7636 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
7637 return 0;
7638
7639 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
7640 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
7641 SSL_FILETYPE_PEM))
7642 || !TEST_true(SSL_check_private_key(s)))
7643 return 0;
7644 cert_cb_cnt++;
7645 return 1;
7cb8fb07
BK		 7646 } else if (cert_cb_cnt == 3) {
7647 int rv;
1a2a3a42
MC		 7648
7649 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
7650 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
7651 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
7652 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
7653 goto out;
7654 chain = sk_X509_new_null();
7655 if (!TEST_ptr(chain))
7656 goto out;
7cb8fb07 7657 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
1a2a3a42 7658 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
d8652be0 7659 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
6725682d 7660 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
1a2a3a42
MC		 7661 || !TEST_true(sk_X509_push(chain, rootx)))
7662 goto out;
7663 rootx = NULL;
7664 BIO_free(in);
7665 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7666 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
d8652be0 7667 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
6725682d 7668 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
7cb8fb07
BK		 7669 goto out;
7670 BIO_free(in);
7671 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
1a2a3a42 7672 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
5f2b7db0
RL		 7673 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
7674 NULL, NULL,
7675 libctx, NULL)))
7cb8fb07 7676 goto out;
1a2a3a42 7677 rv = SSL_check_chain(s, x509, pkey, chain);
7cb8fb07
BK		 7678 /*
7679 * If the cert doesn't show as valid here (e.g., because we don't
7680 * have any shared sigalgs), then we will not set it, and there will
7681 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
7682 * will cause tls_choose_sigalgs() to fail the connection.
7683 */
1a2a3a42
MC		 7684 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
7685 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7cb8fb07
BK		 7686 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
7687 goto out;
7688 }
1a2a3a42
MC		 7689
7690 ret = 1;
cd6fe29f
MC		 7691 }
7692
7693 /* Abort the handshake */
7cb8fb07 7694 out:
1a2a3a42
MC		 7695 OPENSSL_free(ecdsacert);
7696 OPENSSL_free(ecdsakey);
7697 OPENSSL_free(rootfile);
7cb8fb07
BK		 7698 BIO_free(in);
7699 EVP_PKEY_free(pkey);
7700 X509_free(x509);
1a2a3a42
MC		 7701 X509_free(rootx);
7702 sk_X509_pop_free(chain, X509_free);
7703 return ret;
cd6fe29f
MC		 7704}
7705
7706/*
7707 * Test the certificate callback.
7708 * Test 0: Callback fails
7709 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
7710 * Test 2: Success - SSL_set_SSL_CTX() in the callback
1a2a3a42
MC		 7711 * Test 3: Success - Call SSL_check_chain from the callback
7712 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
7713 * chain
7714 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
cd6fe29f
MC		 7715 */
7716static int test_cert_cb_int(int prot, int tst)
7717{
7718 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
7719 SSL *clientssl = NULL, *serverssl = NULL;
7720 int testresult = 0, ret;
7721
1a2a3a42
MC		 7722#ifdef OPENSSL_NO_EC
7723 /* We use an EC cert in these tests, so we skip in a no-ec build */
7724 if (tst >= 3)
7725 return 1;
7726#endif
7727
5e30f2fd 7728 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
cd6fe29f
MC		 7729 TLS_client_method(),
7730 TLS1_VERSION,
7731 prot,
7732 &sctx, &cctx, NULL, NULL)))
7733 goto end;
7734
7735 if (tst == 0)
7736 cert_cb_cnt = -1;
1a2a3a42 7737 else if (tst >= 3)
7cb8fb07 7738 cert_cb_cnt = 3;
cd6fe29f
MC		 7739 else
7740 cert_cb_cnt = 0;
1a2a3a42 7741
cd6fe29f
MC		 7742 if (tst == 2)
7743 snictx = SSL_CTX_new(TLS_server_method());
7744 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
7745
7746 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7747 NULL, NULL)))
7748 goto end;
7749
1a2a3a42
MC		 7750 if (tst == 4) {
7751 /*
7752 * We cause SSL_check_chain() to fail by specifying sig_algs that
7753 * the chain doesn't meet (the root uses an RSA cert)
7754 */
7755 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7756 "ecdsa_secp256r1_sha256")))
7757 goto end;
7758 } else if (tst == 5) {
7759 /*
7760 * We cause SSL_check_chain() to fail by specifying sig_algs that
7761 * the ee cert doesn't meet (the ee uses an ECDSA cert)
7762 */
7763 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7764 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
7765 goto end;
7766 }
7767
cd6fe29f 7768 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
1a2a3a42 7769 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7cb8fb07
BK		 7770 || (tst > 0
7771 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
cd6fe29f
MC		 7772 goto end;
7773 }
7774
7775 testresult = 1;
7776
7777 end:
7778 SSL_free(serverssl);
7779 SSL_free(clientssl);
7780 SSL_CTX_free(sctx);
7781 SSL_CTX_free(cctx);
7782 SSL_CTX_free(snictx);
7783
7784 return testresult;
7785}
7f1d923a 7786#endif
cd6fe29f
MC		 7787
7788static int test_cert_cb(int tst)
7789{
7790 int testresult = 1;
7791
7792#ifndef OPENSSL_NO_TLS1_2
7793 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
7794#endif
a763ca11 7795#ifndef OSSL_NO_USABLE_TLS1_3
cd6fe29f
MC		 7796 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
7797#endif
7798
7799 return testresult;
7800}
7801
6e46c065
MC		 7802static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
7803{
8c2bfd25 7804 X509 *xcert;
6e46c065
MC		 7805 EVP_PKEY *privpkey;
7806 BIO *in = NULL;
6725682d 7807 BIO *priv_in = NULL;
6e46c065 7808
8c2bfd25
TS		 7809 /* Check that SSL_get0_peer_certificate() returns something sensible */
7810 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
6e46c065 7811 return 0;
6e46c065
MC		 7812
7813 in = BIO_new_file(cert, "r");
7814 if (!TEST_ptr(in))
7815 return 0;
7816
d8652be0 7817 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
6725682d
SL		 7818 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
7819 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
5f2b7db0
RL		 7820 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
7821 NULL, NULL,
7822 libctx, NULL)))
6725682d 7823 goto err;
6e46c065
MC		 7824
7825 *x509 = xcert;
7826 *pkey = privpkey;
7827
6725682d
SL		 7828 BIO_free(in);
7829 BIO_free(priv_in);
6e46c065 7830 return 1;
6725682d
SL		 7831err:
7832 X509_free(xcert);
7833 BIO_free(in);
7834 BIO_free(priv_in);
7835 return 0;
6e46c065
MC		 7836}
7837
7838static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
7839{
7840 return 1;
7841}
7842
7843static int test_client_cert_cb(int tst)
7844{
7845 SSL_CTX *cctx = NULL, *sctx = NULL;
7846 SSL *clientssl = NULL, *serverssl = NULL;
7847 int testresult = 0;
7848
7849#ifdef OPENSSL_NO_TLS1_2
7850 if (tst == 0)
7851 return 1;
7852#endif
a763ca11 7853#ifdef OSSL_NO_USABLE_TLS1_3
6e46c065
MC		 7854 if (tst == 1)
7855 return 1;
7856#endif
7857
5e30f2fd 7858 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6e46c065
MC		 7859 TLS_client_method(),
7860 TLS1_VERSION,
7861 tst == 0 ? TLS1_2_VERSION
7862 : TLS1_3_VERSION,
7863 &sctx, &cctx, cert, privkey)))
7864 goto end;
7865
7866 /*
7867 * Test that setting a client_cert_cb results in a client certificate being
7868 * sent.
7869 */
7870 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
7871 SSL_CTX_set_verify(sctx,
7872 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
7873 verify_cb);
fb8c8359
MC		 7874
7875 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7876 NULL, NULL))
7877 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7878 SSL_ERROR_NONE)))
7879 goto end;
7880
7881 testresult = 1;
7882
7883 end:
7884 SSL_free(serverssl);
7885 SSL_free(clientssl);
7886 SSL_CTX_free(sctx);
7887 SSL_CTX_free(cctx);
7888
7889 return testresult;
7890}
7891
a763ca11 7892#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
fb8c8359
MC		 7893/*
7894 * Test setting certificate authorities on both client and server.
7895 *
7896 * Test 0: SSL_CTX_set0_CA_list() only
7897 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
7898 * Test 2: Only SSL_CTX_set_client_CA_list()
7899 */
7900static int test_ca_names_int(int prot, int tst)
7901{
7902 SSL_CTX *cctx = NULL, *sctx = NULL;
7903 SSL *clientssl = NULL, *serverssl = NULL;
7904 int testresult = 0;
7905 size_t i;
7906 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
7907 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
7908 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
7909 const STACK_OF(X509_NAME) *sktmp = NULL;
7910
7911 for (i = 0; i < OSSL_NELEM(name); i++) {
7912 name[i] = X509_NAME_new();
7913 if (!TEST_ptr(name[i])
7914 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
7915 MBSTRING_ASC,
7916 (unsigned char *)
7917 strnames[i],
7918 -1, -1, 0)))
7919 goto end;
7920 }
7921
5e30f2fd 7922 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fb8c8359
MC		 7923 TLS_client_method(),
7924 TLS1_VERSION,
7925 prot,
7926 &sctx, &cctx, cert, privkey)))
7927 goto end;
7928
7929 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
7930
7931 if (tst == 0 || tst == 1) {
7932 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7933 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
7934 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
7935 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7936 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
7937 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
7938 goto end;
7939
7940 SSL_CTX_set0_CA_list(sctx, sk1);
7941 SSL_CTX_set0_CA_list(cctx, sk2);
7942 sk1 = sk2 = NULL;
7943 }
7944 if (tst == 1 || tst == 2) {
7945 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7946 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
7947 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
7948 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7949 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
7950 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
7951 goto end;
7952
7953 SSL_CTX_set_client_CA_list(sctx, sk1);
7954 SSL_CTX_set_client_CA_list(cctx, sk2);
7955 sk1 = sk2 = NULL;
7956 }
7957
6e46c065
MC		 7958 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7959 NULL, NULL))
7960 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7961 SSL_ERROR_NONE)))
7962 goto end;
7963
fb8c8359
MC		 7964 /*
7965 * We only expect certificate authorities to have been sent to the server
7966 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
7967 */
7968 sktmp = SSL_get0_peer_CA_list(serverssl);
7969 if (prot == TLS1_3_VERSION
7970 && (tst == 0 || tst == 1)) {
7971 if (!TEST_ptr(sktmp)
7972 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7973 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7974 name[0]), 0)
7975 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7976 name[1]), 0))
7977 goto end;
7978 } else if (!TEST_ptr_null(sktmp)) {
7979 goto end;
7980 }
7981
7982 /*
7983 * In all tests we expect certificate authorities to have been sent to the
7984 * client. However, SSL_set_client_CA_list() should override
7985 * SSL_set0_CA_list()
7986 */
7987 sktmp = SSL_get0_peer_CA_list(clientssl);
7988 if (!TEST_ptr(sktmp)
7989 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7990 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7991 name[tst == 0 ? 0 : 2]), 0)
7992 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7993 name[tst == 0 ? 1 : 3]), 0))
7994 goto end;
7995
6e46c065
MC		 7996 testresult = 1;
7997
7998 end:
7999 SSL_free(serverssl);
8000 SSL_free(clientssl);
8001 SSL_CTX_free(sctx);
8002 SSL_CTX_free(cctx);
fb8c8359
MC		 8003 for (i = 0; i < OSSL_NELEM(name); i++)
8004 X509_NAME_free(name[i]);
8005 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
8006 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
8007
8008 return testresult;
8009}
8010#endif
8011
8012static int test_ca_names(int tst)
8013{
8014 int testresult = 1;
8015
8016#ifndef OPENSSL_NO_TLS1_2
8017 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
8018#endif
a763ca11 8019#ifndef OSSL_NO_USABLE_TLS1_3
fb8c8359
MC		 8020 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
8021#endif
6e46c065
MC		 8022
8023 return testresult;
8024}
8025
0d2bfe52
SL		 8026#ifndef OPENSSL_NO_TLS1_2
8027static const char *multiblock_cipherlist_data[]=
8028{
8029 "AES128-SHA",
8030 "AES128-SHA256",
8031 "AES256-SHA",
8032 "AES256-SHA256",
8033};
8034
8035/* Reduce the fragment size - so the multiblock test buffer can be small */
8036# define MULTIBLOCK_FRAGSIZE 512
8037
8038static int test_multiblock_write(int test_index)
8039{
8040 static const char *fetchable_ciphers[]=
8041 {
8042 "AES-128-CBC-HMAC-SHA1",
8043 "AES-128-CBC-HMAC-SHA256",
8044 "AES-256-CBC-HMAC-SHA1",
8045 "AES-256-CBC-HMAC-SHA256"
8046 };
8047 const char *cipherlist = multiblock_cipherlist_data[test_index];
8048 const SSL_METHOD *smeth = TLS_server_method();
8049 const SSL_METHOD *cmeth = TLS_client_method();
8050 int min_version = TLS1_VERSION;
8051 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
8052 SSL_CTX *cctx = NULL, *sctx = NULL;
8053 SSL *clientssl = NULL, *serverssl = NULL;
8054 int testresult = 0;
8055
8056 /*
8057 * Choose a buffer large enough to perform a multi-block operation
8058 * i.e: write_len >= 4 * frag_size
8059 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8060 */
8061 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
8062 unsigned char buf[sizeof(msg)], *p = buf;
8063 size_t readbytes, written, len;
8064 EVP_CIPHER *ciph = NULL;
8065
8066 /*
8067 * Check if the cipher exists before attempting to use it since it only has
8068 * a hardware specific implementation.
8069 */
8070 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
8071 if (ciph == NULL) {
8072 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
8073 return 1;
8074 }
8075 EVP_CIPHER_free(ciph);
8076
8077 /* Set up a buffer with some data that will be sent to the client */
8078 RAND_bytes(msg, sizeof(msg));
8079
5e30f2fd
MC		 8080 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
8081 max_version, &sctx, &cctx, cert,
8082 privkey)))
0d2bfe52
SL		 8083 goto end;
8084
8085 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
8086 goto end;
8087
8088 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8089 NULL, NULL)))
8090 goto end;
8091
8092 /* settings to force it to use AES-CBC-HMAC_SHA */
8093 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
8094 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
8095 goto end;
8096
8097 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8098 goto end;
8099
8100 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8101 || !TEST_size_t_eq(written, sizeof(msg)))
8102 goto end;
8103
8104 len = written;
8105 while (len > 0) {
8106 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
8107 goto end;
8108 p += readbytes;
8109 len -= readbytes;
8110 }
8111 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
8112 goto end;
8113
8114 testresult = 1;
8115end:
8116 SSL_free(serverssl);
8117 SSL_free(clientssl);
8118 SSL_CTX_free(sctx);
8119 SSL_CTX_free(cctx);
8120
8121 return testresult;
8122}
8123#endif /* OPENSSL_NO_TLS1_2 */
a43ce58f 8124
49ef3d07
MC		 8125/*
8126 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
8127 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
8128 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
8129 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
8130 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
8131 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
8132 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
8133 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
8134 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
8135 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
8136 */
8137static int test_servername(int tst)
8138{
8139 SSL_CTX *cctx = NULL, *sctx = NULL;
8140 SSL *clientssl = NULL, *serverssl = NULL;
8141 int testresult = 0;
8142 SSL_SESSION *sess = NULL;
8143 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
8144
8145#ifdef OPENSSL_NO_TLS1_2
8146 if (tst <= 4)
8147 return 1;
8148#endif
a763ca11 8149#ifdef OSSL_NO_USABLE_TLS1_3
49ef3d07
MC		 8150 if (tst >= 5)
8151 return 1;
8152#endif
8153
5e30f2fd 8154 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
49ef3d07
MC		 8155 TLS_client_method(),
8156 TLS1_VERSION,
8157 (tst <= 4) ? TLS1_2_VERSION
8158 : TLS1_3_VERSION,
8159 &sctx, &cctx, cert, privkey))
8160 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8161 NULL, NULL)))
8162 goto end;
8163
8164 if (tst != 1 && tst != 6) {
8165 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
8166 hostname_cb)))
8167 goto end;
8168 }
8169
8170 if (tst != 3 && tst != 8) {
8171 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8172 goto end;
8173 sexpectedhost = cexpectedhost = "goodhost";
8174 }
8175
8176 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8177 goto end;
8178
8179 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
8180 cexpectedhost)
8181 || !TEST_str_eq(SSL_get_servername(serverssl,
8182 TLSEXT_NAMETYPE_host_name),
8183 sexpectedhost))
8184 goto end;
8185
8186 /* Now repeat with a resumption handshake */
8187
8188 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
8189 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
8190 || !TEST_true(SSL_SESSION_is_resumable(sess))
8191 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
8192 goto end;
8193
8194 SSL_free(clientssl);
8195 SSL_free(serverssl);
8196 clientssl = serverssl = NULL;
8197
8198 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8199 NULL)))
8200 goto end;
8201
8202 if (!TEST_true(SSL_set_session(clientssl, sess)))
8203 goto end;
8204
8205 sexpectedhost = cexpectedhost = "goodhost";
8206 if (tst == 2 || tst == 7) {
8207 /* Set an inconsistent hostname */
8208 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
8209 goto end;
8210 /*
8211 * In TLSv1.2 we expect the hostname from the original handshake, in
8212 * TLSv1.3 we expect the hostname from this handshake
8213 */
8214 if (tst == 7)
8215 sexpectedhost = cexpectedhost = "altgoodhost";
8216
8217 if (!TEST_str_eq(SSL_get_servername(clientssl,
8218 TLSEXT_NAMETYPE_host_name),
8219 "altgoodhost"))
8220 goto end;
8221 } else if (tst == 4 || tst == 9) {
8222 /*
8223 * A TLSv1.3 session does not associate a session with a servername,
8224 * but a TLSv1.2 session does.
8225 */
8226 if (tst == 9)
8227 sexpectedhost = cexpectedhost = NULL;
8228
8229 if (!TEST_str_eq(SSL_get_servername(clientssl,
8230 TLSEXT_NAMETYPE_host_name),
8231 cexpectedhost))
8232 goto end;
8233 } else {
8234 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8235 goto end;
8236 /*
8237 * In a TLSv1.2 resumption where the hostname was not acknowledged
8238 * we expect the hostname on the server to be empty. On the client we
8239 * return what was requested in this case.
8240 *
8241 * Similarly if the client didn't set a hostname on an original TLSv1.2
8242 * session but is now, the server hostname will be empty, but the client
8243 * is as we set it.
8244 */
8245 if (tst == 1 || tst == 3)
8246 sexpectedhost = NULL;
8247
8248 if (!TEST_str_eq(SSL_get_servername(clientssl,
8249 TLSEXT_NAMETYPE_host_name),
8250 "goodhost"))
8251 goto end;
8252 }
8253
8254 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8255 goto end;
8256
8257 if (!TEST_true(SSL_session_reused(clientssl))
8258 || !TEST_true(SSL_session_reused(serverssl))
8259 || !TEST_str_eq(SSL_get_servername(clientssl,
8260 TLSEXT_NAMETYPE_host_name),
8261 cexpectedhost)
8262 || !TEST_str_eq(SSL_get_servername(serverssl,
8263 TLSEXT_NAMETYPE_host_name),
8264 sexpectedhost))
8265 goto end;
8266
8267 testresult = 1;
8268
8269 end:
8270 SSL_SESSION_free(sess);
8271 SSL_free(serverssl);
8272 SSL_free(clientssl);
8273 SSL_CTX_free(sctx);
8274 SSL_CTX_free(cctx);
8275
8276 return testresult;
8277}
8278
b1fdbc68 8279#if !defined(OPENSSL_NO_EC) \
a763ca11 8280 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b3842539
MC		 8281/*
8282 * Test that if signature algorithms are not available, then we do not offer or
8283 * accept them.
8284 * Test 0: Two RSA sig algs available: both RSA sig algs shared
8285 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
8286 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
8287 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
8288 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
8289 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
8290 */
8291static int test_sigalgs_available(int idx)
8292{
8293 SSL_CTX *cctx = NULL, *sctx = NULL;
8294 SSL *clientssl = NULL, *serverssl = NULL;
8295 int testresult = 0;
b4250010
DMSP		 8296 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
8297 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
b3842539
MC		 8298 OSSL_PROVIDER *filterprov = NULL;
8299 int sig, hash;
8300
8301 if (!TEST_ptr(tmpctx))
8302 goto end;
8303
8304 if (idx != 0 && idx != 3) {
8305 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
8306 filter_provider_init)))
8307 goto end;
8308
8309 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
8310 if (!TEST_ptr(filterprov))
8311 goto end;
8312
8313 if (idx < 3) {
8314 /*
8315 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
8316 * or accepted for the peer that uses this libctx. Note that libssl
8317 * *requires* SHA2-256 to be available so we cannot disable that. We
8318 * also need SHA1 for our certificate.
8319 */
8320 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
8321 "SHA2-256:SHA1")))
8322 goto end;
8323 } else {
8324 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
8325 "ECDSA"))
8326 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
8327 "EC:X25519:X448")))
8328 goto end;
8329 }
8330
8331 if (idx == 1 || idx == 4)
8332 clientctx = tmpctx;
8333 else
8334 serverctx = tmpctx;
8335 }
8336
d8652be0
MC		 8337 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
8338 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9d2d857f
MC		 8339 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
8340 goto end;
b3842539 8341
b4c4a2c6
TM		 8342 if (idx != 5) {
8343 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8344 TLS_client_method(),
8345 TLS1_VERSION,
8346 0,
8347 &sctx, &cctx, cert, privkey)))
8348 goto end;
8349 } else {
8350 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8351 TLS_client_method(),
8352 TLS1_VERSION,
8353 0,
8354 &sctx, &cctx, cert2, privkey2)))
8355 goto end;
8356 }
b3842539 8357
b1fdbc68
MC		 8358 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
8359 if (idx < 4) {
8360 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8361 "ECDHE-RSA-AES128-GCM-SHA256")))
8362 goto end;
8363 } else {
8364 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8365 "ECDHE-ECDSA-AES128-GCM-SHA256")))
8366 goto end;
8367 }
8368
b3842539
MC		 8369 if (idx < 3) {
8370 if (!SSL_CTX_set1_sigalgs_list(cctx,
8371 "rsa_pss_rsae_sha384"
8372 ":rsa_pss_rsae_sha256")
8373 || !SSL_CTX_set1_sigalgs_list(sctx,
8374 "rsa_pss_rsae_sha384"
8375 ":rsa_pss_rsae_sha256"))
8376 goto end;
8377 } else {
8378 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
8379 || !SSL_CTX_set1_sigalgs_list(sctx,
8380 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
8381 goto end;
8382 }
8383
b4c4a2c6
TM		 8384 if (idx != 5
8385 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
8386 SSL_FILETYPE_PEM), 1)
b3842539
MC		 8387 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
8388 privkey2,
8389 SSL_FILETYPE_PEM), 1)
b4c4a2c6 8390 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
b3842539
MC		 8391 goto end;
8392
8393 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
b4c4a2c6 8394 NULL, NULL)))
b3842539
MC		 8395 goto end;
8396
8397 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8398 goto end;
8399
8400 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
8401 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
8402 NULL, NULL),
8403 (idx == 0 || idx == 3) ? 2 : 1))
8404 goto end;
8405
8406 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
8407 goto end;
8408
8409 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
8410 : NID_rsassaPss))
8411 goto end;
8412
b0001d0c 8413 testresult = filter_provider_check_clean_finish();
b3842539
MC		 8414
8415 end:
8416 SSL_free(serverssl);
8417 SSL_free(clientssl);
8418 SSL_CTX_free(sctx);
8419 SSL_CTX_free(cctx);
8420 OSSL_PROVIDER_unload(filterprov);
b4250010 8421 OSSL_LIB_CTX_free(tmpctx);
b3842539
MC		 8422
8423 return testresult;
8424}
b1fdbc68
MC		 8425#endif /*
8426 * !defined(OPENSSL_NO_EC) \
a763ca11 8427 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b1fdbc68 8428 */
b3842539 8429
0c13cdf8 8430#ifndef OPENSSL_NO_TLS1_3
a763ca11 8431/* This test can run in TLSv1.3 even if ec and dh are disabled */
c8e3a4c6 8432static int test_pluggable_group(int idx)
0c13cdf8
MC		 8433{
8434 SSL_CTX *cctx = NULL, *sctx = NULL;
8435 SSL *clientssl = NULL, *serverssl = NULL;
8436 int testresult = 0;
8437 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
146aebc6
MC		 8438 /* Check that we are not impacted by a provider without any groups */
8439 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
c8e3a4c6 8440 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
0c13cdf8 8441
5ae54dba 8442 if (!TEST_ptr(tlsprov))
0c13cdf8
MC		 8443 goto end;
8444
5ae54dba
MC		 8445 if (legacyprov == NULL) {
8446 /*
8447 * In this case we assume we've been built with "no-legacy" and skip
8448 * this test (there is no OPENSSL_NO_LEGACY)
8449 */
8450 testresult = 1;
8451 goto end;
8452 }
8453
0c13cdf8
MC		 8454 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8455 TLS_client_method(),
8456 TLS1_3_VERSION,
8457 TLS1_3_VERSION,
8458 &sctx, &cctx, cert, privkey))
8459 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8460 NULL, NULL)))
8461 goto end;
8462
c8e3a4c6
NT		 8463 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
8464 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
0c13cdf8
MC		 8465 goto end;
8466
8467 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8468 goto end;
8469
becbacd7
MB		 8470 if (!TEST_str_eq(group_name,
8471 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
8472 goto end;
8473
0c13cdf8
MC		 8474 testresult = 1;
8475
8476 end:
8477 SSL_free(serverssl);
8478 SSL_free(clientssl);
8479 SSL_CTX_free(sctx);
8480 SSL_CTX_free(cctx);
8481 OSSL_PROVIDER_unload(tlsprov);
146aebc6 8482 OSSL_PROVIDER_unload(legacyprov);
0c13cdf8
MC		 8483
8484 return testresult;
8485}
8486#endif
b3842539 8487
49a36a52
MC		 8488#ifndef OPENSSL_NO_TLS1_2
8489static int test_ssl_dup(void)
8490{
8491 SSL_CTX *cctx = NULL, *sctx = NULL;
8492 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
8493 int testresult = 0;
8494 BIO *rbio = NULL, *wbio = NULL;
8495
8496 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8497 TLS_client_method(),
8498 0,
8499 0,
8500 &sctx, &cctx, cert, privkey)))
8501 goto end;
8502
8503 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8504 NULL, NULL)))
8505 goto end;
8506
8507 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
8508 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
8509 goto end;
8510
8511 client2ssl = SSL_dup(clientssl);
8512 rbio = SSL_get_rbio(clientssl);
8513 if (!TEST_ptr(rbio)
8514 || !TEST_true(BIO_up_ref(rbio)))
8515 goto end;
8516 SSL_set0_rbio(client2ssl, rbio);
8517 rbio = NULL;
8518
8519 wbio = SSL_get_wbio(clientssl);
8520 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
8521 goto end;
8522 SSL_set0_wbio(client2ssl, wbio);
8523 rbio = NULL;
8524
8525 if (!TEST_ptr(client2ssl)
8526 /* Handshake not started so pointers should be different */
8527 || !TEST_ptr_ne(clientssl, client2ssl))
8528 goto end;
8529
8530 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
8531 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
8532 goto end;
8533
8534 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
8535 goto end;
8536
8537 SSL_free(clientssl);
8538 clientssl = SSL_dup(client2ssl);
8539 if (!TEST_ptr(clientssl)
8540 /* Handshake has finished so pointers should be the same */
8541 || !TEST_ptr_eq(clientssl, client2ssl))
8542 goto end;
8543
8544 testresult = 1;
8545
8546 end:
8547 SSL_free(serverssl);
8548 SSL_free(clientssl);
8549 SSL_free(client2ssl);
8550 SSL_CTX_free(sctx);
8551 SSL_CTX_free(cctx);
8552
8553 return testresult;
8554}
33c39a06
MC		 8555
8556# ifndef OPENSSL_NO_DH
8557
8558static EVP_PKEY *tmp_dh_params = NULL;
8559
8560/* Helper function for the test_set_tmp_dh() tests */
8561static EVP_PKEY *get_tmp_dh_params(void)
8562{
8563 if (tmp_dh_params == NULL) {
8564 BIGNUM *p = NULL;
8565 OSSL_PARAM_BLD *tmpl = NULL;
8566 EVP_PKEY_CTX *pctx = NULL;
8567 OSSL_PARAM *params = NULL;
8568 EVP_PKEY *dhpkey = NULL;
8569
8570 p = BN_get_rfc3526_prime_2048(NULL);
8571 if (!TEST_ptr(p))
8572 goto end;
8573
8574 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
8575 if (!TEST_ptr(pctx)
2db985b7 8576 || !TEST_true(EVP_PKEY_fromdata_init(pctx)))
33c39a06
MC		 8577 goto end;
8578
8579 tmpl = OSSL_PARAM_BLD_new();
8580 if (!TEST_ptr(tmpl)
8581 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
8582 OSSL_PKEY_PARAM_FFC_P,
8583 p))
8584 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
8585 OSSL_PKEY_PARAM_FFC_G,
8586 2)))
8587 goto end;
8588
8589 params = OSSL_PARAM_BLD_to_param(tmpl);
8590 if (!TEST_ptr(params)
2db985b7
SL		 8591 || !TEST_true(EVP_PKEY_fromdata(pctx, &dhpkey,
8592 EVP_PKEY_KEY_PARAMETERS, params)))
33c39a06
MC		 8593 goto end;
8594
8595 tmp_dh_params = dhpkey;
8596 end:
8597 BN_free(p);
8598 EVP_PKEY_CTX_free(pctx);
8599 OSSL_PARAM_BLD_free(tmpl);
3f883c7c 8600 OSSL_PARAM_free(params);
33c39a06
MC		 8601 }
8602
f1619160 8603 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
33c39a06
MC		 8604 return NULL;
8605
8606 return tmp_dh_params;
8607}
8608
39f3427d 8609# ifndef OPENSSL_NO_DEPRECATED_3_0
33c39a06
MC		 8610/* Callback used by test_set_tmp_dh() */
8611static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
8612{
8613 EVP_PKEY *dhpkey = get_tmp_dh_params();
8614 DH *ret = NULL;
8615
8616 if (!TEST_ptr(dhpkey))
8617 return NULL;
8618
7bc0fdd3
MC		 8619 /*
8620 * libssl does not free the returned DH, so we free it now knowing that even
8621 * after we free dhpkey, there will still be a reference to the owning
8622 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
8623 * of time we need it for.
8624 */
8625 ret = EVP_PKEY_get1_DH(dhpkey);
8626 DH_free(ret);
33c39a06
MC		 8627
8628 EVP_PKEY_free(dhpkey);
8629
8630 return ret;
8631}
8632# endif
8633
8634/*
8635 * Test the various methods for setting temporary DH parameters
8636 *
8637 * Test 0: Default (no auto) setting
8638 * Test 1: Explicit SSL_CTX auto off
8639 * Test 2: Explicit SSL auto off
8640 * Test 3: Explicit SSL_CTX auto on
8641 * Test 4: Explicit SSL auto on
8642 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
8643 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
8644 *
8645 * The following are testing deprecated APIs, so we only run them if available
8646 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
8647 * Test 8: Explicit SSL auto off, custom DH params via DH
8648 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
8649 * Test 10: Explicit SSL auto off, custom DH params via callback
8650 */
8651static int test_set_tmp_dh(int idx)
8652{
8653 SSL_CTX *cctx = NULL, *sctx = NULL;
8654 SSL *clientssl = NULL, *serverssl = NULL;
8655 int testresult = 0;
8656 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
8657 int expected = (idx <= 2) ? 0 : 1;
8658 EVP_PKEY *dhpkey = NULL;
8659# ifndef OPENSSL_NO_DEPRECATED_3_0
8660 DH *dh = NULL;
8661# else
8662
8663 if (idx >= 7)
8664 return 1;
8665# endif
8666
8667 if (idx >= 5 && idx <= 8) {
8668 dhpkey = get_tmp_dh_params();
8669 if (!TEST_ptr(dhpkey))
8670 goto end;
8671 }
8672# ifndef OPENSSL_NO_DEPRECATED_3_0
8673 if (idx == 7 || idx == 8) {
7bc0fdd3 8674 dh = EVP_PKEY_get1_DH(dhpkey);
33c39a06
MC		 8675 if (!TEST_ptr(dh))
8676 goto end;
8677 }
8678# endif
8679
8680 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8681 TLS_client_method(),
8682 0,
8683 0,
8684 &sctx, &cctx, cert, privkey)))
8685 goto end;
8686
8687 if ((idx & 1) == 1) {
8688 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
8689 goto end;
8690 }
8691
8692 if (idx == 5) {
8693 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
8694 goto end;
8695 dhpkey = NULL;
8696 }
8697# ifndef OPENSSL_NO_DEPRECATED_3_0
8698 else if (idx == 7) {
8699 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
8700 goto end;
8701 } else if (idx == 9) {
8702 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
8703 }
8704# endif
8705
8706 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8707 NULL, NULL)))
8708 goto end;
8709
8710 if ((idx & 1) == 0 && idx != 0) {
8711 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
8712 goto end;
8713 }
8714 if (idx == 6) {
8715 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
8716 goto end;
8717 dhpkey = NULL;
8718 }
8719# ifndef OPENSSL_NO_DEPRECATED_3_0
8720 else if (idx == 8) {
8721 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
8722 goto end;
8723 } else if (idx == 10) {
8724 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
8725 }
8726# endif
8727
8728 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
8729 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
8730 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
8731 goto end;
8732
8733 /*
8734 * If autoon then we should succeed. Otherwise we expect failure because
8735 * there are no parameters
8736 */
8737 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
8738 SSL_ERROR_NONE), expected))
8739 goto end;
8740
8741 testresult = 1;
8742
8743 end:
7bc0fdd3
MC		 8744# ifndef OPENSSL_NO_DEPRECATED_3_0
8745 DH_free(dh);
8746# endif
33c39a06
MC		 8747 SSL_free(serverssl);
8748 SSL_free(clientssl);
8749 SSL_CTX_free(sctx);
8750 SSL_CTX_free(cctx);
8751 EVP_PKEY_free(dhpkey);
8752
8753 return testresult;
8754}
3105d846
MC		 8755
8756/*
8757 * Test the auto DH keys are appropriately sized
8758 */
8759static int test_dh_auto(int idx)
8760{
8761 SSL_CTX *cctx = NULL, *sctx = NULL;
8762 SSL *clientssl = NULL, *serverssl = NULL;
8763 int testresult = 0;
8764 EVP_PKEY *tmpkey = NULL;
8765 char *thiscert = NULL, *thiskey = NULL;
8766 size_t expdhsize = 0;
8767 const char *ciphersuite = "DHE-RSA-AES128-SHA";
8768
8769 switch (idx) {
8770 case 0:
8771 /* The FIPS provider doesn't support this DH size - so we ignore it */
8772 if (is_fips)
8773 return 1;
8774 thiscert = cert1024;
8775 thiskey = privkey1024;
8776 expdhsize = 1024;
8777 break;
8778 case 1:
8779 /* 2048 bit prime */
8780 thiscert = cert;
8781 thiskey = privkey;
8782 expdhsize = 2048;
8783 break;
8784 case 2:
8785 thiscert = cert3072;
8786 thiskey = privkey3072;
8787 expdhsize = 3072;
8788 break;
8789 case 3:
8790 thiscert = cert4096;
8791 thiskey = privkey4096;
8792 expdhsize = 4096;
8793 break;
8794 case 4:
8795 thiscert = cert8192;
8796 thiskey = privkey8192;
8797 expdhsize = 8192;
8798 break;
8799 /* No certificate cases */
8800 case 5:
8801 /* The FIPS provider doesn't support this DH size - so we ignore it */
8802 if (is_fips)
8803 return 1;
8804 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
8805 expdhsize = 1024;
8806 break;
8807 case 6:
8808 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
8809 expdhsize = 3072;
8810 break;
8811 default:
8812 TEST_error("Invalid text index");
8813 goto end;
8814 }
8815
8816 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8817 TLS_client_method(),
8818 0,
8819 0,
8820 &sctx, &cctx, thiscert, thiskey)))
8821 goto end;
8822
8823 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8824 NULL, NULL)))
8825 goto end;
8826
8827 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
8828 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
8829 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
8830 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
8831 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
8832 goto end;
8833
8834 /*
8835 * Send the server's first flight. At this point the server has created the
8836 * temporary DH key but hasn't finished using it yet. Once used it is
8837 * removed, so we cannot test it.
8838 */
8839 if (!TEST_int_le(SSL_connect(clientssl), 0)
8840 || !TEST_int_le(SSL_accept(serverssl), 0))
8841 goto end;
8842
8843 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
8844 goto end;
ed576acd 8845 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
3105d846
MC		 8846 goto end;
8847
8848 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8849 goto end;
8850
8851 testresult = 1;
8852
8853 end:
8854 SSL_free(serverssl);
8855 SSL_free(clientssl);
8856 SSL_CTX_free(sctx);
8857 SSL_CTX_free(cctx);
8858 EVP_PKEY_free(tmpkey);
8859
8860 return testresult;
8861
8862}
33c39a06
MC		 8863# endif /* OPENSSL_NO_DH */
8864#endif /* OPENSSL_NO_TLS1_2 */
49a36a52 8865
a763ca11 8866#ifndef OSSL_NO_USABLE_TLS1_3
6582661f
MC		 8867/*
8868 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
8869 * that it works even without a certificate configured for the original
8870 * SSL_CTX
8871 */
8872static int test_sni_tls13(void)
8873{
8874 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
8875 SSL *clientssl = NULL, *serverssl = NULL;
8876 int testresult = 0;
8877
8878 /* Reset callback counter */
8879 snicb = 0;
8880
8881 /* Create an initial SSL_CTX with no certificate configured */
8882 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
8883 if (!TEST_ptr(sctx))
8884 goto end;
8885 /* Require TLSv1.3 as a minimum */
8886 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8887 TLS_client_method(), TLS1_3_VERSION, 0,
8888 &sctx2, &cctx, cert, privkey)))
8889 goto end;
8890
8891 /* Set up SNI */
8892 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
8893 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
8894 goto end;
8895
8896 /*
8897 * Connection should still succeed because the final SSL_CTX has the right
8898 * certificates configured.
8899 */
8900 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
8901 &clientssl, NULL, NULL))
8902 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8903 SSL_ERROR_NONE)))
8904 goto end;
8905
8906 /* We should have had the SNI callback called exactly once */
8907 if (!TEST_int_eq(snicb, 1))
8908 goto end;
8909
8910 testresult = 1;
8911
8912end:
8913 SSL_free(serverssl);
8914 SSL_free(clientssl);
8915 SSL_CTX_free(sctx2);
8916 SSL_CTX_free(sctx);
8917 SSL_CTX_free(cctx);
8918 return testresult;
8919}
8920#endif
feba11cf
TS		 8921/*
8922 * Test that setting an ALPN does not violate RFC
8923 */
8924static int test_set_alpn(void)
8925{
8926 SSL_CTX *ctx = NULL;
8927 SSL *ssl = NULL;
8928 int testresult = 0;
8929
8930 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
8931 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
8932 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
8933 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
8934 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
8935 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
8936
8937 /* Create an initial SSL_CTX with no certificate configured */
8938 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
8939 if (!TEST_ptr(ctx))
8940 goto end;
8941
8942 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
8943 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
8944 goto end;
8945 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
8946 goto end;
8947 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
8948 goto end;
8949 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
8950 goto end;
8951 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
8952 goto end;
8953 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
8954 goto end;
8955 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
8956 goto end;
8957 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
8958 goto end;
8959 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
8960 goto end;
8961
8962 ssl = SSL_new(ctx);
8963 if (!TEST_ptr(ssl))
8964 goto end;
8965
8966 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
8967 goto end;
8968 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
8969 goto end;
8970 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
8971 goto end;
8972 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
8973 goto end;
8974 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
8975 goto end;
8976 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
8977 goto end;
8978 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
8979 goto end;
8980 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
8981 goto end;
8982 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
8983 goto end;
8984
8985 testresult = 1;
8986
8987end:
8988 SSL_free(ssl);
8989 SSL_CTX_free(ctx);
8990 return testresult;
8991}
6582661f 8992
dfccfde0
CH		 8993static int test_inherit_verify_param(void)
8994{
8995 int testresult = 0;
8996
8997 SSL_CTX *ctx = NULL;
8998 X509_VERIFY_PARAM *cp = NULL;
8999 SSL *ssl = NULL;
9000 X509_VERIFY_PARAM *sp = NULL;
9001 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
9002
9003 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9004 if (!TEST_ptr(ctx))
9005 goto end;
9006
9007 cp = SSL_CTX_get0_param(ctx);
9008 if (!TEST_ptr(cp))
9009 goto end;
9010 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
9011 goto end;
9012
9013 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
9014
9015 ssl = SSL_new(ctx);
9016 if (!TEST_ptr(ssl))
9017 goto end;
9018
9019 sp = SSL_get0_param(ssl);
9020 if (!TEST_ptr(sp))
9021 goto end;
9022 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
9023 goto end;
9024
9025 testresult = 1;
9026
9027 end:
9028 SSL_free(ssl);
9029 SSL_CTX_free(ctx);
9030
9031 return testresult;
9032}
9033
5e30f2fd 9034OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
a43ce58f 9035
ad887416 9036int setup_tests(void)
2cb4b5f6 9037{
5e30f2fd
MC		 9038 char *modulename;
9039 char *configfile;
9040
b4250010 9041 libctx = OSSL_LIB_CTX_new();
5e30f2fd
MC		 9042 if (!TEST_ptr(libctx))
9043 return 0;
9044
9045 defctxnull = OSSL_PROVIDER_load(NULL, "null");
9046
9047 /*
9048 * Verify that the default and fips providers in the default libctx are not
9049 * available
9050 */
9051 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
9052 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
9053 return 0;
9054
8d242823
MC		 9055 if (!test_skip_common_options()) {
9056 TEST_error("Error parsing test options\n");
9057 return 0;
9058 }
9059
1a2a3a42
MC		 9060 if (!TEST_ptr(certsdir = test_get_argument(0))
9061 || !TEST_ptr(srpvfile = test_get_argument(1))
5e30f2fd
MC		 9062 || !TEST_ptr(tmpfilename = test_get_argument(2))
9063 || !TEST_ptr(modulename = test_get_argument(3))
9064 || !TEST_ptr(configfile = test_get_argument(4)))
9065 return 0;
9066
b4250010 9067 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
5e30f2fd
MC		 9068 return 0;
9069
9070 /* Check we have the expected provider available */
9071 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
9072 return 0;
9073
9074 /* Check the default provider is not available */
9075 if (strcmp(modulename, "default") != 0
9076 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
710756a9 9077 return 0;
2cb4b5f6 9078
4f6c7044
MC		 9079 if (strcmp(modulename, "fips") == 0)
9080 is_fips = 1;
9081
0c13cdf8
MC		 9082 /*
9083 * We add, but don't load the test "tls-provider". We'll load it when we
9084 * need it.
9085 */
9086 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
9087 tls_provider_init)))
9088 return 0;
9089
9090
f297e4ec
RS		 9091 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
9092#ifdef OPENSSL_NO_CRYPTO_MDEBUG
9093 TEST_error("not supported in this build");
9094 return 0;
9095#else
9096 int i, mcount, rcount, fcount;
9097
9098 for (i = 0; i < 4; i++)
9099 test_export_key_mat(i);
9100 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
9101 test_printf_stdout("malloc %d realloc %d free %d\n",
9102 mcount, rcount, fcount);
9103 return 1;
9104#endif
9105 }
9106
1a2a3a42
MC		 9107 cert = test_mk_file_path(certsdir, "servercert.pem");
9108 if (cert == NULL)
b3842539 9109 goto err;
1a2a3a42
MC		 9110
9111 privkey = test_mk_file_path(certsdir, "serverkey.pem");
b3842539
MC		 9112 if (privkey == NULL)
9113 goto err;
9114
9115 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
9116 if (cert2 == NULL)
9117 goto err;
9118
9119 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
9120 if (privkey2 == NULL)
9121 goto err;
1a2a3a42 9122
3105d846
MC		 9123 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
9124 if (cert1024 == NULL)
9125 goto err;
9126
9127 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
9128 if (privkey1024 == NULL)
9129 goto err;
9130
9131 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
9132 if (cert3072 == NULL)
9133 goto err;
9134
9135 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
9136 if (privkey3072 == NULL)
9137 goto err;
9138
9139 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
9140 if (cert4096 == NULL)
9141 goto err;
9142
9143 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
9144 if (privkey4096 == NULL)
9145 goto err;
9146
9147 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
9148 if (cert8192 == NULL)
9149 goto err;
9150
9151 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
9152 if (privkey8192 == NULL)
9153 goto err;
9154
da4db160 9155#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
a763ca11 9156# if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
a3a54179 9157 ADD_ALL_TESTS(test_ktls, 8);
da4db160 9158 ADD_ALL_TESTS(test_ktls_sendfile_anytls, 6);
c8e3a4c6 9159# endif
fe5d9450 9160#endif
84d5549e 9161 ADD_TEST(test_large_message_tls);
7856332e 9162 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 9163#ifndef OPENSSL_NO_DTLS
84d5549e 9164 ADD_TEST(test_large_message_dtls);
55386bef 9165#endif
163b8016 9166 ADD_TEST(test_cleanse_plaintext);
8f8c11d8 9167#ifndef OPENSSL_NO_OCSP
c887104f 9168 ADD_TEST(test_tlsext_status_type);
8f8c11d8 9169#endif
eaa776da
MC		 9170 ADD_TEST(test_session_with_only_int_cache);
9171 ADD_TEST(test_session_with_only_ext_cache);
9172 ADD_TEST(test_session_with_both_cache);
90fc2c26 9173 ADD_TEST(test_session_wo_ca_names);
a763ca11 9174#ifndef OSSL_NO_USABLE_TLS1_3
04d7814a
MC		 9175 ADD_ALL_TESTS(test_stateful_tickets, 3);
9176 ADD_ALL_TESTS(test_stateless_tickets, 3);
8614a4eb 9177 ADD_TEST(test_psk_tickets);
f0049b86 9178 ADD_ALL_TESTS(test_extra_tickets, 6);
36ff232c 9179#endif
7fb4c820 9180 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 9181 ADD_TEST(test_ssl_bio_pop_next_bio);
9182 ADD_TEST(test_ssl_bio_pop_ssl_bio);
9183 ADD_TEST(test_ssl_bio_change_rbio);
9184 ADD_TEST(test_ssl_bio_change_wbio);
a763ca11 9185#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
f1b25aae 9186 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 9187 ADD_TEST(test_keylog);
c423ecaa 9188#endif
a763ca11 9189#ifndef OSSL_NO_USABLE_TLS1_3
6acdd3e5
CB		 9190 ADD_TEST(test_keylog_no_master_key);
9191#endif
0c3eb279 9192 ADD_TEST(test_client_cert_verify_cb);
4e4ae840
SL		 9193 ADD_TEST(test_ssl_build_cert_chain);
9194 ADD_TEST(test_ssl_ctx_build_cert_chain);
e9ee6536 9195#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 9196 ADD_TEST(test_client_hello_cb);
088dfa13 9197 ADD_TEST(test_no_ems);
3cd14e5e 9198 ADD_TEST(test_ccs_change_cipher);
5f982038 9199#endif
a763ca11 9200#ifndef OSSL_NO_USABLE_TLS1_3
02a3ed5a 9201 ADD_ALL_TESTS(test_early_data_read_write, 3);
78fb5374
MC		 9202 /*
9203 * We don't do replay tests for external PSK. Replay protection isn't used
9204 * in that scenario.
9205 */
9206 ADD_ALL_TESTS(test_early_data_replay, 2);
02a3ed5a
MC		 9207 ADD_ALL_TESTS(test_early_data_skip, 3);
9208 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
0efa0ba4 9209 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
0d1b7789 9210 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
02a3ed5a 9211 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 9212 ADD_ALL_TESTS(test_early_data_psk, 8);
0b2b0be9 9213 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
02a3ed5a 9214 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 9215# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 9216 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 9217# endif
e9ee6536 9218#endif
a763ca11 9219#ifndef OSSL_NO_USABLE_TLS1_3
034cb87b 9220 ADD_ALL_TESTS(test_set_ciphersuite, 10);
ca0413ae 9221 ADD_TEST(test_ciphersuite_change);
5bf2eade 9222 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
9223# ifdef OPENSSL_NO_PSK
c2b290c3 9224 ADD_ALL_TESTS(test_tls13_psk, 1);
5bf2eade 9225# else
0d8da779 9226 ADD_ALL_TESTS(test_tls13_psk, 4);
5bf2eade 9227# endif /* OPENSSL_NO_PSK */
9228# ifndef OPENSSL_NO_TLS1_2
9229 /* Test with both TLSv1.3 and 1.2 versions */
db26ec80 9230 ADD_ALL_TESTS(test_key_exchange, 14);
6dc56df2
BK		 9231# if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
9232 ADD_ALL_TESTS(test_negotiated_group,
9233 4 * (OSSL_NELEM(ecdhe_kexch_groups)
9234 + OSSL_NELEM(ffdhe_kexch_groups)));
9235# endif
5bf2eade 9236# else
9237 /* Test with only TLSv1.3 versions */
9238 ADD_ALL_TESTS(test_key_exchange, 12);
9239# endif
bb01ef3f 9240 ADD_ALL_TESTS(test_custom_exts, 5);
c7b8ff25 9241 ADD_TEST(test_stateless);
9d75dce3 9242 ADD_TEST(test_pha_key_update);
a273157a 9243#else
bb01ef3f 9244 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 9245#endif
16afd71c 9246 ADD_ALL_TESTS(test_serverinfo, 8);
0fb2815b 9247 ADD_ALL_TESTS(test_export_key_mat, 6);
a763ca11 9248#ifndef OSSL_NO_USABLE_TLS1_3
b38ede80 9249 ADD_ALL_TESTS(test_export_key_mat_early, 3);
3409a5ff 9250 ADD_TEST(test_key_update);
a77b4dba 9251 ADD_ALL_TESTS(test_key_update_in_write, 2);
b38ede80 9252#endif
e11b6aa4 9253 ADD_ALL_TESTS(test_ssl_clear, 2);
cf72c757 9254 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
76fd7a1d
MC		 9255#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
9256 ADD_ALL_TESTS(test_srp, 6);
9257#endif
5718fe45 9258 ADD_ALL_TESTS(test_info_callback, 6);
4a432af8 9259 ADD_ALL_TESTS(test_ssl_pending, 2);
e401389a 9260 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
a76ce286 9261 ADD_ALL_TESTS(test_ticket_callbacks, 16);
57d7b988 9262 ADD_ALL_TESTS(test_shutdown, 7);
e638112e 9263 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
1a2a3a42 9264 ADD_ALL_TESTS(test_cert_cb, 6);
6e46c065 9265 ADD_ALL_TESTS(test_client_cert_cb, 2);
fb8c8359 9266 ADD_ALL_TESTS(test_ca_names, 3);
0d2bfe52
SL		 9267#ifndef OPENSSL_NO_TLS1_2
9268 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
9269#endif
49ef3d07 9270 ADD_ALL_TESTS(test_servername, 10);
b1fdbc68 9271#if !defined(OPENSSL_NO_EC) \
a763ca11 9272 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b3842539 9273 ADD_ALL_TESTS(test_sigalgs_available, 6);
0c13cdf8
MC		 9274#endif
9275#ifndef OPENSSL_NO_TLS1_3
c8e3a4c6 9276 ADD_ALL_TESTS(test_pluggable_group, 2);
49a36a52
MC		 9277#endif
9278#ifndef OPENSSL_NO_TLS1_2
9279 ADD_TEST(test_ssl_dup);
33c39a06
MC		 9280# ifndef OPENSSL_NO_DH
9281 ADD_ALL_TESTS(test_set_tmp_dh, 11);
3105d846 9282 ADD_ALL_TESTS(test_dh_auto, 7);
33c39a06 9283# endif
6582661f 9284#endif
a763ca11 9285#ifndef OSSL_NO_USABLE_TLS1_3
6582661f 9286 ADD_TEST(test_sni_tls13);
b3842539 9287#endif
dfccfde0 9288 ADD_TEST(test_inherit_verify_param);
feba11cf 9289 ADD_TEST(test_set_alpn);
ad887416 9290 return 1;
b3842539
MC		 9291
9292 err:
9293 OPENSSL_free(cert);
9294 OPENSSL_free(privkey);
9295 OPENSSL_free(cert2);
9296 OPENSSL_free(privkey2);
9297 return 0;
ad887416 9298}
2cb4b5f6 9299
ad887416
P		 9300void cleanup_tests(void)
9301{
8778f0eb 9302# if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
33c39a06
MC		 9303 EVP_PKEY_free(tmp_dh_params);
9304#endif
1a2a3a42
MC		 9305 OPENSSL_free(cert);
9306 OPENSSL_free(privkey);
b3842539
MC		 9307 OPENSSL_free(cert2);
9308 OPENSSL_free(privkey2);
3105d846
MC		 9309 OPENSSL_free(cert1024);
9310 OPENSSL_free(privkey1024);
9311 OPENSSL_free(cert3072);
9312 OPENSSL_free(privkey3072);
9313 OPENSSL_free(cert4096);
9314 OPENSSL_free(privkey4096);
9315 OPENSSL_free(cert8192);
9316 OPENSSL_free(privkey8192);
fa454945 9317 bio_s_mempacket_test_free();
a77b4dba 9318 bio_s_always_retry_free();
5e30f2fd 9319 OSSL_PROVIDER_unload(defctxnull);
b4250010 9320 OSSL_LIB_CTX_free(libctx);
2cb4b5f6 9321}
A mirror of the official openssl repository