]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Remove MAC cruft
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
6738bf14 2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6 3 *
909f1a2e 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
2cb4b5f6
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
7c3a7561 10#include <stdio.h>
ba881d3b
MC		 11#include <string.h>
12
2cb4b5f6
MC		 13#include <openssl/opensslconf.h>
14#include <openssl/bio.h>
15#include <openssl/crypto.h>
16#include <openssl/ssl.h>
ba881d3b 17#include <openssl/ocsp.h>
76fd7a1d
MC		 18#include <openssl/srp.h>
19#include <openssl/txt_db.h>
d0191fe0 20#include <openssl/aes.h>
7c3a7561 21#include <openssl/rand.h>
2cb4b5f6
MC		 22
23#include "ssltestlib.h"
c887104f 24#include "testutil.h"
f297e4ec 25#include "testutil/output.h"
176db6dc 26#include "internal/nelem.h"
fe5d9450 27#include "internal/ktls.h"
ca0413ae 28#include "../ssl/ssl_locl.h"
2cb4b5f6 29
8614a4eb
MC		 30#ifndef OPENSSL_NO_TLS1_3
31
32static SSL_SESSION *clientpsk = NULL;
33static SSL_SESSION *serverpsk = NULL;
34static const char *pskid = "Identity";
35static const char *srvid;
36
37static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
38 size_t *idlen, SSL_SESSION **sess);
39static int find_session_cb(SSL *ssl, const unsigned char *identity,
40 size_t identity_len, SSL_SESSION **sess);
41
42static int use_session_cb_cnt = 0;
43static int find_session_cb_cnt = 0;
44
45static SSL_SESSION *create_a_psk(SSL *ssl);
46#endif
47
1a2a3a42 48static char *certsdir = NULL;
2cb4b5f6
MC		 49static char *cert = NULL;
50static char *privkey = NULL;
76fd7a1d
MC		 51static char *srpvfile = NULL;
52static char *tmpfilename = NULL;
2cb4b5f6 53
cffe973c 54#define LOG_BUFFER_SIZE 2048
6acdd3e5 55static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 56static size_t server_log_buffer_index = 0;
6acdd3e5 57static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 58static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 59static int error_writing_log = 0;
60
8f8c11d8 61#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 62static const unsigned char orespder[] = "Dummy OCSP Response";
63static int ocsp_server_called = 0;
64static int ocsp_client_called = 0;
65
66static int cdummyarg = 1;
67static X509 *ocspcert = NULL;
8f8c11d8 68#endif
ba881d3b 69
84d5549e 70#define NUM_EXTRA_CERTS 40
cf72c757 71#define CLIENT_VERSION_LEN 2
84d5549e 72
f1a5939f
CB		 73/*
74 * This structure is used to validate that the correct number of log messages
75 * of various types are emitted when emitting secret logs.
76 */
77struct sslapitest_log_counts {
78 unsigned int rsa_key_exchange_count;
79 unsigned int master_secret_count;
cffe973c 80 unsigned int client_early_secret_count;
f1a5939f
CB		 81 unsigned int client_handshake_secret_count;
82 unsigned int server_handshake_secret_count;
83 unsigned int client_application_secret_count;
84 unsigned int server_application_secret_count;
01a2a654 85 unsigned int early_exporter_secret_count;
6329ce8f 86 unsigned int exporter_secret_count;
f1a5939f
CB		 87};
88
16afd71c
MC		 89
90static unsigned char serverinfov1[] = {
91 0xff, 0xff, /* Dummy extension type */
92 0x00, 0x01, /* Extension length is 1 byte */
93 0xff /* Dummy extension data */
94};
95
96static unsigned char serverinfov2[] = {
97 0x00, 0x00, 0x00,
98 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
99 0xff, 0xff, /* Dummy extension type */
100 0x00, 0x01, /* Extension length is 1 byte */
101 0xff /* Dummy extension data */
102};
103
710756a9
RS		 104static void client_keylog_callback(const SSL *ssl, const char *line)
105{
6acdd3e5
CB		 106 int line_length = strlen(line);
107
108 /* If the log doesn't fit, error out. */
710756a9
RS		 109 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
110 TEST_info("Client log too full");
6acdd3e5
CB		 111 error_writing_log = 1;
112 return;
113 }
114
115 strcat(client_log_buffer, line);
116 client_log_buffer_index += line_length;
710756a9 117 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 118}
119
710756a9
RS		 120static void server_keylog_callback(const SSL *ssl, const char *line)
121{
6acdd3e5
CB		 122 int line_length = strlen(line);
123
124 /* If the log doesn't fit, error out. */
710756a9 125 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 126 TEST_info("Server log too full");
6acdd3e5
CB		 127 error_writing_log = 1;
128 return;
129 }
130
131 strcat(server_log_buffer, line);
132 server_log_buffer_index += line_length;
710756a9 133 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 134}
135
136static int compare_hex_encoded_buffer(const char *hex_encoded,
137 size_t hex_length,
138 const uint8_t *raw,
710756a9
RS		 139 size_t raw_length)
140{
141 size_t i, j;
142 char hexed[3];
6acdd3e5 143
710756a9 144 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 145 return 1;
6acdd3e5 146
710756a9 147 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 148 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 149 if (!TEST_int_eq(hexed[0], hex_encoded[j])
150 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 151 return 1;
6acdd3e5
CB		 152 }
153
154 return 0;
155}
156
157static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 158 const SSL_SESSION *session,
710756a9
RS		 159 struct sslapitest_log_counts *expected)
160{
6acdd3e5
CB		 161 char *token = NULL;
162 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
163 size_t client_random_size = SSL3_RANDOM_SIZE;
164 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
165 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 166 unsigned int rsa_key_exchange_count = 0;
167 unsigned int master_secret_count = 0;
cffe973c 168 unsigned int client_early_secret_count = 0;
f1a5939f
CB		 169 unsigned int client_handshake_secret_count = 0;
170 unsigned int server_handshake_secret_count = 0;
171 unsigned int client_application_secret_count = 0;
172 unsigned int server_application_secret_count = 0;
01a2a654 173 unsigned int early_exporter_secret_count = 0;
6329ce8f 174 unsigned int exporter_secret_count = 0;
6acdd3e5 175
710756a9
RS		 176 for (token = strtok(buffer, " \n"); token != NULL;
177 token = strtok(NULL, " \n")) {
6acdd3e5 178 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 179 /*
180 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 181 * hex-encoded encrypted secret, then the hex-encoded pre-master
182 * secret.
183 */
710756a9 184 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 185 return 0;
710756a9 186 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 187 return 0;
710756a9 188 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 189 return 0;
f1a5939f
CB		 190 /*
191 * We can't sensibly check the log because the premaster secret is
192 * transient, and OpenSSL doesn't keep hold of it once the master
193 * secret is generated.
194 */
195 rsa_key_exchange_count++;
6acdd3e5 196 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 197 /*
198 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 199 * client random, then the hex-encoded master secret.
200 */
201 client_random_size = SSL_get_client_random(ssl,
202 actual_client_random,
203 SSL3_RANDOM_SIZE);
710756a9 204 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 205 return 0;
6acdd3e5 206
710756a9 207 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 208 return 0;
710756a9 209 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 210 return 0;
710756a9
RS		 211 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
212 actual_client_random,
213 client_random_size)))
f1a5939f 214 return 0;
6acdd3e5 215
710756a9 216 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 217 return 0;
6acdd3e5
CB		 218 master_key_size = SSL_SESSION_get_master_key(session,
219 actual_master_key,
220 master_key_size);
710756a9 221 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 222 return 0;
710756a9
RS		 223 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
224 actual_master_key,
225 master_key_size)))
f1a5939f 226 return 0;
f1a5939f 227 master_secret_count++;
cffe973c
PW		 228 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
229 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
710756a9
RS		 230 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
231 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
6329ce8f 232 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
01a2a654 233 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
6329ce8f 234 || strcmp(token, "EXPORTER_SECRET") == 0) {
f1a5939f
CB		 235 /*
236 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
237 * client random, and then the hex-encoded secret. In this case,
238 * we treat all of these secrets identically and then just
239 * distinguish between them when counting what we saw.
240 */
cffe973c
PW		 241 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
242 client_early_secret_count++;
243 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
f1a5939f
CB		 244 client_handshake_secret_count++;
245 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
246 server_handshake_secret_count++;
247 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
248 client_application_secret_count++;
249 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
250 server_application_secret_count++;
01a2a654
PW		 251 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
252 early_exporter_secret_count++;
6329ce8f
PW		 253 else if (strcmp(token, "EXPORTER_SECRET") == 0)
254 exporter_secret_count++;
f1a5939f
CB		 255
256 client_random_size = SSL_get_client_random(ssl,
257 actual_client_random,
258 SSL3_RANDOM_SIZE);
710756a9 259 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 260 return 0;
f1a5939f 261
710756a9 262 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 263 return 0;
710756a9 264 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 265 return 0;
710756a9
RS		 266 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
267 actual_client_random,
268 client_random_size)))
f1a5939f 269 return 0;
6acdd3e5 270
710756a9 271 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 272 return 0;
f1a5939f
CB		 273
274 /*
275 * TODO(TLS1.3): test that application traffic secrets are what
276 * we expect */
6acdd3e5 277 } else {
710756a9 278 TEST_info("Unexpected token %s\n", token);
f1a5939f 279 return 0;
6acdd3e5 280 }
6acdd3e5
CB		 281 }
282
710756a9
RS		 283 /* Got what we expected? */
284 if (!TEST_size_t_eq(rsa_key_exchange_count,
285 expected->rsa_key_exchange_count)
286 || !TEST_size_t_eq(master_secret_count,
287 expected->master_secret_count)
cffe973c
PW		 288 || !TEST_size_t_eq(client_early_secret_count,
289 expected->client_early_secret_count)
710756a9
RS		 290 || !TEST_size_t_eq(client_handshake_secret_count,
291 expected->client_handshake_secret_count)
292 || !TEST_size_t_eq(server_handshake_secret_count,
293 expected->server_handshake_secret_count)
294 || !TEST_size_t_eq(client_application_secret_count,
295 expected->client_application_secret_count)
296 || !TEST_size_t_eq(server_application_secret_count,
6329ce8f 297 expected->server_application_secret_count)
01a2a654
PW		 298 || !TEST_size_t_eq(early_exporter_secret_count,
299 expected->early_exporter_secret_count)
6329ce8f
PW		 300 || !TEST_size_t_eq(exporter_secret_count,
301 expected->exporter_secret_count))
710756a9
RS		 302 return 0;
303 return 1;
6acdd3e5
CB		 304}
305
c423ecaa 306#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
710756a9
RS		 307static int test_keylog(void)
308{
6acdd3e5
CB		 309 SSL_CTX *cctx = NULL, *sctx = NULL;
310 SSL *clientssl = NULL, *serverssl = NULL;
311 int testresult = 0;
6fc1e624 312 struct sslapitest_log_counts expected;
6acdd3e5
CB		 313
314 /* Clean up logging space */
6fc1e624 315 memset(&expected, 0, sizeof(expected));
710756a9
RS		 316 memset(client_log_buffer, 0, sizeof(client_log_buffer));
317 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 318 client_log_buffer_index = 0;
319 server_log_buffer_index = 0;
320 error_writing_log = 0;
321
710756a9
RS		 322 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
323 TLS_client_method(),
5c587fb6 324 TLS1_VERSION, 0,
710756a9 325 &sctx, &cctx, cert, privkey)))
6acdd3e5 326 return 0;
6acdd3e5
CB		 327
328 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
329 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
330 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
331
f0deb4d3 332 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 333 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 334 goto end;
f0deb4d3 335
cf10df81
RS		 336 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
337 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 338 goto end;
6acdd3e5 339 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 340 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
341 == client_keylog_callback))
6acdd3e5 342 goto end;
710756a9 343 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 344 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
345 == server_keylog_callback))
6acdd3e5 346 goto end;
6acdd3e5 347
710756a9
RS		 348 /* Now do a handshake and check that the logs have been written to. */
349 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
350 &clientssl, NULL, NULL))
351 || !TEST_true(create_ssl_connection(serverssl, clientssl,
352 SSL_ERROR_NONE))
353 || !TEST_false(error_writing_log)
354 || !TEST_int_gt(client_log_buffer_index, 0)
355 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 356 goto end;
6acdd3e5 357
f1a5939f
CB		 358 /*
359 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 360 * do that by using strtok and confirming that we have more or less the
f1a5939f
CB		 361 * data we expect. For both client and server, we expect to see one master
362 * secret. The client should also see a RSA key exchange.
6acdd3e5 363 */
f1a5939f
CB		 364 expected.rsa_key_exchange_count = 1;
365 expected.master_secret_count = 1;
710756a9
RS		 366 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
367 SSL_get_session(clientssl), &expected)))
6acdd3e5 368 goto end;
f1a5939f
CB		 369
370 expected.rsa_key_exchange_count = 0;
710756a9
RS		 371 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
372 SSL_get_session(serverssl), &expected)))
6acdd3e5 373 goto end;
6acdd3e5
CB		 374
375 testresult = 1;
376
377end:
378 SSL_free(serverssl);
379 SSL_free(clientssl);
380 SSL_CTX_free(sctx);
381 SSL_CTX_free(cctx);
382
383 return testresult;
384}
c423ecaa 385#endif
6acdd3e5
CB		 386
387#ifndef OPENSSL_NO_TLS1_3
710756a9
RS		 388static int test_keylog_no_master_key(void)
389{
6acdd3e5
CB		 390 SSL_CTX *cctx = NULL, *sctx = NULL;
391 SSL *clientssl = NULL, *serverssl = NULL;
cffe973c 392 SSL_SESSION *sess = NULL;
6acdd3e5 393 int testresult = 0;
6fc1e624 394 struct sslapitest_log_counts expected;
cffe973c
PW		 395 unsigned char buf[1];
396 size_t readbytes, written;
6acdd3e5
CB		 397
398 /* Clean up logging space */
6fc1e624 399 memset(&expected, 0, sizeof(expected));
710756a9
RS		 400 memset(client_log_buffer, 0, sizeof(client_log_buffer));
401 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 402 client_log_buffer_index = 0;
403 server_log_buffer_index = 0;
404 error_writing_log = 0;
405
7d7f6834 406 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 407 TLS1_VERSION, 0,
cffe973c
PW		 408 &sctx, &cctx, cert, privkey))
409 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
cffe973c 410 SSL3_RT_MAX_PLAIN_LENGTH)))
6acdd3e5 411 return 0;
6acdd3e5 412
cf10df81
RS		 413 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
414 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 415 goto end;
6acdd3e5
CB		 416
417 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 418 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
419 == client_keylog_callback))
6acdd3e5 420 goto end;
6acdd3e5 421
710756a9 422 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 423 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
424 == server_keylog_callback))
6acdd3e5 425 goto end;
6acdd3e5 426
710756a9
RS		 427 /* Now do a handshake and check that the logs have been written to. */
428 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
429 &clientssl, NULL, NULL))
430 || !TEST_true(create_ssl_connection(serverssl, clientssl,
431 SSL_ERROR_NONE))
432 || !TEST_false(error_writing_log))
6acdd3e5 433 goto end;
6acdd3e5 434
f1a5939f
CB		 435 /*
436 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 437 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 438 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 439 */
f1a5939f
CB		 440 expected.client_handshake_secret_count = 1;
441 expected.server_handshake_secret_count = 1;
442 expected.client_application_secret_count = 1;
443 expected.server_application_secret_count = 1;
6329ce8f 444 expected.exporter_secret_count = 1;
710756a9
RS		 445 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
446 SSL_get_session(clientssl), &expected))
447 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
448 SSL_get_session(serverssl),
449 &expected)))
6acdd3e5 450 goto end;
6acdd3e5 451
cffe973c
PW		 452 /* Terminate old session and resume with early data. */
453 sess = SSL_get1_session(clientssl);
454 SSL_shutdown(clientssl);
455 SSL_shutdown(serverssl);
456 SSL_free(serverssl);
457 SSL_free(clientssl);
458 serverssl = clientssl = NULL;
459
460 /* Reset key log */
461 memset(client_log_buffer, 0, sizeof(client_log_buffer));
462 memset(server_log_buffer, 0, sizeof(server_log_buffer));
463 client_log_buffer_index = 0;
464 server_log_buffer_index = 0;
465
466 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
467 &clientssl, NULL, NULL))
468 || !TEST_true(SSL_set_session(clientssl, sess))
469 /* Here writing 0 length early data is enough. */
470 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
471 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
472 &readbytes),
473 SSL_READ_EARLY_DATA_ERROR)
474 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
475 SSL_EARLY_DATA_ACCEPTED)
476 || !TEST_true(create_ssl_connection(serverssl, clientssl,
477 SSL_ERROR_NONE))
478 || !TEST_true(SSL_session_reused(clientssl)))
479 goto end;
480
481 /* In addition to the previous entries, expect early secrets. */
482 expected.client_early_secret_count = 1;
01a2a654 483 expected.early_exporter_secret_count = 1;
cffe973c
PW		 484 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
485 SSL_get_session(clientssl), &expected))
486 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
487 SSL_get_session(serverssl),
488 &expected)))
489 goto end;
490
6acdd3e5
CB		 491 testresult = 1;
492
493end:
cffe973c 494 SSL_SESSION_free(sess);
6acdd3e5
CB		 495 SSL_free(serverssl);
496 SSL_free(clientssl);
497 SSL_CTX_free(sctx);
498 SSL_CTX_free(cctx);
499
500 return testresult;
501}
502#endif
503
e9ee6536 504#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 505static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 506{
507 int *ctr = arg;
508 const unsigned char *p;
8ea404fb 509 int *exts;
2afaee51
BK		 510 /* We only configure two ciphers, but the SCSV is added automatically. */
511#ifdef OPENSSL_NO_EC
512 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
513#else
514 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
515 0x2c, 0x00, 0xff};
516#endif
8ea404fb
BK		 517 const int expected_extensions[] = {
518#ifndef OPENSSL_NO_EC
519 11, 10,
520#endif
10ed1b72 521 35, 22, 23, 13};
2afaee51
BK		 522 size_t len;
523
524 /* Make sure we can defer processing and get called back. */
525 if ((*ctr)++ == 0)
f1b97da1 526 return SSL_CLIENT_HELLO_RETRY;
2afaee51 527
a9c0d8be 528 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 529 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 530 || !TEST_size_t_eq(
531 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 532 || !TEST_int_eq(*p, 0))
f1b97da1 533 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 534 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 535 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 536 if (len != OSSL_NELEM(expected_extensions) ||
537 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 538 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 539 OPENSSL_free(exts);
f1b97da1 540 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 541 }
542 OPENSSL_free(exts);
f1b97da1 543 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 544}
545
a9c0d8be 546static int test_client_hello_cb(void)
710756a9 547{
2afaee51
BK		 548 SSL_CTX *cctx = NULL, *sctx = NULL;
549 SSL *clientssl = NULL, *serverssl = NULL;
550 int testctr = 0, testresult = 0;
551
7d7f6834 552 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 553 TLS1_VERSION, 0,
7d7f6834 554 &sctx, &cctx, cert, privkey)))
2afaee51 555 goto end;
a9c0d8be 556 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 557
2afaee51
BK		 558 /* The gimpy cipher list we configure can't do TLS 1.3. */
559 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 560
710756a9
RS		 561 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
562 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
563 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
564 &clientssl, NULL, NULL))
565 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 566 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 567 /*
568 * Passing a -1 literal is a hack since
569 * the real value was lost.
570 * */
a9c0d8be
DB		 571 || !TEST_int_eq(SSL_get_error(serverssl, -1),
572 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 573 || !TEST_true(create_ssl_connection(serverssl, clientssl,
574 SSL_ERROR_NONE)))
2afaee51 575 goto end;
2afaee51
BK		 576
577 testresult = 1;
578
088dfa13
TS		 579end:
580 SSL_free(serverssl);
581 SSL_free(clientssl);
582 SSL_CTX_free(sctx);
583 SSL_CTX_free(cctx);
584
585 return testresult;
586}
587
588static int test_no_ems(void)
589{
590 SSL_CTX *cctx = NULL, *sctx = NULL;
591 SSL *clientssl = NULL, *serverssl = NULL;
592 int testresult = 0;
593
594 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
595 TLS1_VERSION, TLS1_2_VERSION,
596 &sctx, &cctx, cert, privkey)) {
597 printf("Unable to create SSL_CTX pair\n");
598 goto end;
599 }
600
601 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
602
603 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
604 printf("Unable to create SSL objects\n");
605 goto end;
606 }
607
608 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
609 printf("Creating SSL connection failed\n");
610 goto end;
611 }
612
613 if (SSL_get_extms_support(serverssl)) {
614 printf("Server reports Extended Master Secret support\n");
615 goto end;
616 }
617
618 if (SSL_get_extms_support(clientssl)) {
619 printf("Client reports Extended Master Secret support\n");
620 goto end;
621 }
622 testresult = 1;
623
2afaee51
BK		 624end:
625 SSL_free(serverssl);
626 SSL_free(clientssl);
627 SSL_CTX_free(sctx);
628 SSL_CTX_free(cctx);
629
630 return testresult;
631}
e9ee6536 632#endif
2afaee51 633
84d5549e 634static int execute_test_large_message(const SSL_METHOD *smeth,
7d7f6834
RL		 635 const SSL_METHOD *cmeth,
636 int min_version, int max_version,
637 int read_ahead)
84d5549e
MC		 638{
639 SSL_CTX *cctx = NULL, *sctx = NULL;
640 SSL *clientssl = NULL, *serverssl = NULL;
641 int testresult = 0;
642 int i;
710756a9 643 BIO *certbio = NULL;
84d5549e
MC		 644 X509 *chaincert = NULL;
645 int certlen;
646
710756a9 647 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
84d5549e 648 goto end;
84d5549e 649 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
fa454945
MC		 650 BIO_free(certbio);
651 certbio = NULL;
710756a9 652 if (!TEST_ptr(chaincert))
fa454945 653 goto end;
84d5549e 654
7d7f6834
RL		 655 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
656 &sctx, &cctx, cert, privkey)))
84d5549e 657 goto end;
84d5549e 658
710756a9 659 if (read_ahead) {
7856332e
MC		 660 /*
661 * Test that read_ahead works correctly when dealing with large
662 * records
663 */
664 SSL_CTX_set_read_ahead(cctx, 1);
665 }
666
84d5549e
MC		 667 /*
668 * We assume the supplied certificate is big enough so that if we add
669 * NUM_EXTRA_CERTS it will make the overall message large enough. The
670 * default buffer size is requested to be 16k, but due to the way BUF_MEM
710756a9
RS		 671 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
672 * test we need to have a message larger than that.
84d5549e
MC		 673 */
674 certlen = i2d_X509(chaincert, NULL);
710756a9
RS		 675 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
676 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
84d5549e 677 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
710756a9 678 if (!X509_up_ref(chaincert))
84d5549e 679 goto end;
84d5549e 680 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
84d5549e
MC		 681 X509_free(chaincert);
682 goto end;
683 }
684 }
685
710756a9
RS		 686 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
687 NULL, NULL))
688 || !TEST_true(create_ssl_connection(serverssl, clientssl,
689 SSL_ERROR_NONE)))
84d5549e 690 goto end;
84d5549e 691
4bf08600
MC		 692 /*
693 * Calling SSL_clear() first is not required but this tests that SSL_clear()
694 * doesn't leak (when using enable-crypto-mdebug).
695 */
710756a9 696 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 697 goto end;
84d5549e 698
4bf08600 699 testresult = 1;
84d5549e
MC		 700 end:
701 X509_free(chaincert);
702 SSL_free(serverssl);
703 SSL_free(clientssl);
704 SSL_CTX_free(sctx);
705 SSL_CTX_free(cctx);
706
707 return testresult;
708}
709
5e9072ed
MC		 710#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
711 && !defined(OPENSSL_NO_SOCK)
fe5d9450
BP		 712
713/* sock must be connected */
714static int ktls_chk_platform(int sock)
715{
716 if (!ktls_enable(sock))
717 return 0;
718 return 1;
719}
720
721static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd)
722{
723 static char count = 1;
724 unsigned char cbuf[16000] = {0};
725 unsigned char sbuf[16000];
726 size_t err = 0;
727 char crec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
728 char crec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
2fab79af
BP		 729 char crec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
730 char crec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
fe5d9450
BP		 731 char srec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
732 char srec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
733 char srec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
734 char srec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
735
736 cbuf[0] = count++;
737 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence,
738 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
2fab79af
BP		 739 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence,
740 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
fe5d9450
BP		 741 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence,
742 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
743 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence,
744 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
745
746 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
747 goto end;
748
749 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
750 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
751 goto end;
752 }
753 }
754
755 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
756 goto end;
757
758 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
759 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
760 goto end;
761 }
762 }
763
764 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence,
765 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
2fab79af
BP		 766 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence,
767 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
fe5d9450
BP		 768 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence,
769 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
770 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence,
771 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
772
773 /* verify the payload */
774 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
775 goto end;
776
777 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
778 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
779 if (!TEST_mem_ne(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
780 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
781 goto end;
782 } else {
783 if (!TEST_mem_eq(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
784 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
785 goto end;
786 }
787
788 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
789 if (!TEST_mem_ne(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
790 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
791 goto end;
792 } else {
793 if (!TEST_mem_eq(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
794 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
795 goto end;
796 }
797
2fab79af
BP		 798 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
799 if (!TEST_mem_ne(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
800 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
801 goto end;
802 } else {
803 if (!TEST_mem_eq(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
804 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
805 goto end;
806 }
807
808 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
809 if (!TEST_mem_ne(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
810 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
811 goto end;
812 } else {
813 if (!TEST_mem_eq(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
814 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
815 goto end;
816 }
fe5d9450
BP		 817
818 return 1;
819end:
820 return 0;
821}
822
2fab79af
BP		 823static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
824 int sis_ktls_tx, int sis_ktls_rx)
fe5d9450
BP		 825{
826 SSL_CTX *cctx = NULL, *sctx = NULL;
827 SSL *clientssl = NULL, *serverssl = NULL;
828 int testresult = 0;
829 int cfd, sfd;
830
831 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
832 goto end;
833
834 /* Skip this test if the platform does not support ktls */
835 if (!ktls_chk_platform(cfd))
836 return 1;
837
838 /* Create a session based on SHA-256 */
839 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
840 TLS_client_method(),
841 TLS1_2_VERSION, TLS1_2_VERSION,
842 &sctx, &cctx, cert, privkey))
843 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
844 "AES128-GCM-SHA256"))
845 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
846 &clientssl, sfd, cfd)))
847 goto end;
848
849 if (!cis_ktls_tx) {
850 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
851 goto end;
852 }
853
854 if (!sis_ktls_tx) {
855 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
856 goto end;
857 }
858
2fab79af
BP		 859 if (!cis_ktls_rx) {
860 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
861 goto end;
862 }
863
864 if (!sis_ktls_rx) {
865 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
866 goto end;
867 }
868
fe5d9450
BP		 869 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
870 SSL_ERROR_NONE)))
871 goto end;
872
873 if (!cis_ktls_tx) {
874 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
875 goto end;
876 } else {
877 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
878 goto end;
879 }
880
881 if (!sis_ktls_tx) {
882 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
883 goto end;
884 } else {
885 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
886 goto end;
887 }
888
2fab79af
BP		 889 if (!cis_ktls_rx) {
890 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
891 goto end;
892 } else {
893 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
894 goto end;
895 }
896
897 if (!sis_ktls_rx) {
898 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
899 goto end;
900 } else {
901 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
902 goto end;
903 }
904
fe5d9450
BP		 905 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd)))
906 goto end;
907
908 testresult = 1;
909end:
910 if (clientssl) {
911 SSL_shutdown(clientssl);
912 SSL_free(clientssl);
913 }
914 if (serverssl) {
915 SSL_shutdown(serverssl);
916 SSL_free(serverssl);
917 }
918 SSL_CTX_free(sctx);
919 SSL_CTX_free(cctx);
920 serverssl = clientssl = NULL;
921 return testresult;
922}
923
7c3a7561
BP		 924#define SENDFILE_SZ (16 * 4096)
925#define SENDFILE_CHUNK (4 * 4096)
926#define min(a,b) ((a) > (b) ? (b) : (a))
927
928static int test_ktls_sendfile(void)
929{
930 SSL_CTX *cctx = NULL, *sctx = NULL;
931 SSL *clientssl = NULL, *serverssl = NULL;
932 unsigned char *buf, *buf_dst;
933 BIO *out = NULL, *in = NULL;
934 int cfd, sfd, ffd, err;
935 ssize_t chunk_size = 0;
936 off_t chunk_off = 0;
937 int testresult = 0;
938 FILE *ffdp;
939
940 buf = OPENSSL_zalloc(SENDFILE_SZ);
941 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
942 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
943 || !TEST_true(create_test_sockets(&cfd, &sfd)))
944 goto end;
945
946 /* Skip this test if the platform does not support ktls */
947 if (!ktls_chk_platform(sfd)) {
948 testresult = 1;
949 goto end;
950 }
951
952 /* Create a session based on SHA-256 */
953 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
954 TLS_client_method(),
955 TLS1_2_VERSION, TLS1_2_VERSION,
956 &sctx, &cctx, cert, privkey))
957 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
958 "AES128-GCM-SHA256"))
959 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
960 &clientssl, sfd, cfd)))
961 goto end;
962
963 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
964 SSL_ERROR_NONE))
965 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
966 goto end;
967
968 RAND_bytes(buf, SENDFILE_SZ);
969 out = BIO_new_file(tmpfilename, "wb");
970 if (!TEST_ptr(out))
971 goto end;
972
973 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
974 goto end;
975
976 BIO_free(out);
977 out = NULL;
978 in = BIO_new_file(tmpfilename, "rb");
979 BIO_get_fp(in, &ffdp);
980 ffd = fileno(ffdp);
981
982 while (chunk_off < SENDFILE_SZ) {
983 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
984 while ((err = SSL_sendfile(serverssl,
985 ffd,
986 chunk_off,
987 chunk_size,
988 0)) != chunk_size) {
989 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
990 goto end;
991 }
992 while ((err = SSL_read(clientssl,
993 buf_dst + chunk_off,
994 chunk_size)) != chunk_size) {
995 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
996 goto end;
997 }
998
999 /* verify the payload */
1000 if (!TEST_mem_eq(buf_dst + chunk_off,
1001 chunk_size,
1002 buf + chunk_off,
1003 chunk_size))
1004 goto end;
1005
1006 chunk_off += chunk_size;
1007 }
1008
1009 testresult = 1;
1010end:
1011 if (clientssl) {
1012 SSL_shutdown(clientssl);
1013 SSL_free(clientssl);
1014 }
1015 if (serverssl) {
1016 SSL_shutdown(serverssl);
1017 SSL_free(serverssl);
1018 }
1019 SSL_CTX_free(sctx);
1020 SSL_CTX_free(cctx);
1021 serverssl = clientssl = NULL;
1022 BIO_free(out);
1023 BIO_free(in);
1024 OPENSSL_free(buf);
1025 OPENSSL_free(buf_dst);
1026 return testresult;
1027}
1028
2fab79af
BP		 1029static int test_ktls_no_txrx_client_no_txrx_server(void)
1030{
1031 return execute_test_ktls(0, 0, 0, 0);
1032}
1033
1034static int test_ktls_no_rx_client_no_txrx_server(void)
1035{
1036 return execute_test_ktls(1, 0, 0, 0);
1037}
1038
1039static int test_ktls_no_tx_client_no_txrx_server(void)
1040{
1041 return execute_test_ktls(0, 1, 0, 0);
1042}
1043
1044static int test_ktls_client_no_txrx_server(void)
1045{
1046 return execute_test_ktls(1, 1, 0, 0);
1047}
1048
1049static int test_ktls_no_txrx_client_no_rx_server(void)
1050{
1051 return execute_test_ktls(0, 0, 1, 0);
1052}
1053
1054static int test_ktls_no_rx_client_no_rx_server(void)
1055{
1056 return execute_test_ktls(1, 0, 1, 0);
1057}
1058
1059static int test_ktls_no_tx_client_no_rx_server(void)
1060{
1061 return execute_test_ktls(0, 1, 1, 0);
1062}
1063
1064static int test_ktls_client_no_rx_server(void)
fe5d9450 1065{
2fab79af 1066 return execute_test_ktls(1, 1, 1, 0);
fe5d9450
BP		 1067}
1068
2fab79af 1069static int test_ktls_no_txrx_client_no_tx_server(void)
fe5d9450 1070{
2fab79af 1071 return execute_test_ktls(0, 0, 0, 1);
fe5d9450
BP		 1072}
1073
2fab79af 1074static int test_ktls_no_rx_client_no_tx_server(void)
fe5d9450 1075{
2fab79af 1076 return execute_test_ktls(1, 0, 0, 1);
fe5d9450
BP		 1077}
1078
2fab79af
BP		 1079static int test_ktls_no_tx_client_no_tx_server(void)
1080{
1081 return execute_test_ktls(0, 1, 0, 1);
1082}
1083
1084static int test_ktls_client_no_tx_server(void)
1085{
1086 return execute_test_ktls(1, 1, 0, 1);
1087}
1088
1089static int test_ktls_no_txrx_client_server(void)
1090{
1091 return execute_test_ktls(0, 0, 1, 1);
1092}
1093
1094static int test_ktls_no_rx_client_server(void)
1095{
1096 return execute_test_ktls(1, 0, 1, 1);
1097}
1098
1099static int test_ktls_no_tx_client_server(void)
1100{
1101 return execute_test_ktls(0, 1, 1, 1);
1102}
1103
1104static int test_ktls_client_server(void)
fe5d9450 1105{
2fab79af 1106 return execute_test_ktls(1, 1, 1, 1);
fe5d9450 1107}
fe5d9450
BP		 1108#endif
1109
84d5549e
MC		 1110static int test_large_message_tls(void)
1111{
7856332e 1112 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1113 TLS1_VERSION, 0, 0);
7856332e
MC		 1114}
1115
1116static int test_large_message_tls_read_ahead(void)
1117{
1118 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1119 TLS1_VERSION, 0, 1);
84d5549e
MC		 1120}
1121
55386bef 1122#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 1123static int test_large_message_dtls(void)
1124{
7856332e
MC		 1125 /*
1126 * read_ahead is not relevant to DTLS because DTLS always acts as if
1127 * read_ahead is set.
1128 */
84d5549e 1129 return execute_test_large_message(DTLS_server_method(),
7d7f6834 1130 DTLS_client_method(),
5c587fb6 1131 DTLS1_VERSION, 0, 0);
84d5549e 1132}
55386bef 1133#endif
84d5549e 1134
8f8c11d8 1135#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 1136static int ocsp_server_cb(SSL *s, void *arg)
1137{
1138 int *argi = (int *)arg;
710756a9 1139 unsigned char *copy = NULL;
ba881d3b
MC		 1140 STACK_OF(OCSP_RESPID) *ids = NULL;
1141 OCSP_RESPID *id = NULL;
1142
1143 if (*argi == 2) {
1144 /* In this test we are expecting exactly 1 OCSP_RESPID */
1145 SSL_get_tlsext_status_ids(s, &ids);
1146 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1147 return SSL_TLSEXT_ERR_ALERT_FATAL;
1148
1149 id = sk_OCSP_RESPID_value(ids, 0);
1150 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
1151 return SSL_TLSEXT_ERR_ALERT_FATAL;
1152 } else if (*argi != 1) {
1153 return SSL_TLSEXT_ERR_ALERT_FATAL;
1154 }
1155
710756a9 1156 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 1157 return SSL_TLSEXT_ERR_ALERT_FATAL;
1158
710756a9 1159 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
ba881d3b 1160 ocsp_server_called = 1;
ba881d3b
MC		 1161 return SSL_TLSEXT_ERR_OK;
1162}
1163
1164static int ocsp_client_cb(SSL *s, void *arg)
1165{
1166 int *argi = (int *)arg;
1167 const unsigned char *respderin;
1168 size_t len;
1169
1170 if (*argi != 1 && *argi != 2)
1171 return 0;
1172
1173 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 1174 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 1175 return 0;
1176
1177 ocsp_client_called = 1;
ba881d3b
MC		 1178 return 1;
1179}
1180
2cb4b5f6
MC		 1181static int test_tlsext_status_type(void)
1182{
ba881d3b
MC		 1183 SSL_CTX *cctx = NULL, *sctx = NULL;
1184 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 1185 int testresult = 0;
ba881d3b
MC		 1186 STACK_OF(OCSP_RESPID) *ids = NULL;
1187 OCSP_RESPID *id = NULL;
1188 BIO *certbio = NULL;
2cb4b5f6 1189
7d7f6834 1190 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 1191 TLS1_VERSION, 0,
7d7f6834 1192 &sctx, &cctx, cert, privkey))
ba881d3b 1193 return 0;
2cb4b5f6 1194
710756a9 1195 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 1196 goto end;
2cb4b5f6 1197
ba881d3b 1198 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 1199
ba881d3b 1200 clientssl = SSL_new(cctx);
710756a9
RS		 1201 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1202 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1203 TLSEXT_STATUSTYPE_ocsp))
1204 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1205 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 1206 goto end;
2cb4b5f6 1207
ba881d3b
MC		 1208 SSL_free(clientssl);
1209 clientssl = NULL;
2cb4b5f6 1210
710756a9
RS		 1211 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1212 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1213 goto end;
2cb4b5f6 1214
ba881d3b 1215 clientssl = SSL_new(cctx);
710756a9 1216 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1217 goto end;
ba881d3b
MC		 1218 SSL_free(clientssl);
1219 clientssl = NULL;
1220
1221 /*
1222 * Now actually do a handshake and check OCSP information is exchanged and
1223 * the callbacks get called
1224 */
ba881d3b
MC		 1225 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1226 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1227 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1228 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 1229 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1230 &clientssl, NULL, NULL))
1231 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1232 SSL_ERROR_NONE))
1233 || !TEST_true(ocsp_client_called)
1234 || !TEST_true(ocsp_server_called))
ba881d3b 1235 goto end;
ba881d3b
MC		 1236 SSL_free(serverssl);
1237 SSL_free(clientssl);
1238 serverssl = NULL;
1239 clientssl = NULL;
1240
1241 /* Try again but this time force the server side callback to fail */
1242 ocsp_client_called = 0;
1243 ocsp_server_called = 0;
1244 cdummyarg = 0;
710756a9
RS		 1245 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1246 &clientssl, NULL, NULL))
1247 /* This should fail because the callback will fail */
1248 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1249 SSL_ERROR_NONE))
1250 || !TEST_false(ocsp_client_called)
1251 || !TEST_false(ocsp_server_called))
ba881d3b 1252 goto end;
ba881d3b
MC		 1253 SSL_free(serverssl);
1254 SSL_free(clientssl);
1255 serverssl = NULL;
1256 clientssl = NULL;
1257
1258 /*
1259 * This time we'll get the client to send an OCSP_RESPID that it will
1260 * accept.
1261 */
1262 ocsp_client_called = 0;
1263 ocsp_server_called = 0;
1264 cdummyarg = 2;
710756a9
RS		 1265 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1266 &clientssl, NULL, NULL)))
ba881d3b 1267 goto end;
ba881d3b
MC		 1268
1269 /*
1270 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 1271 * specific one. We'll use the server cert.
ba881d3b 1272 */
710756a9
RS		 1273 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1274 || !TEST_ptr(id = OCSP_RESPID_new())
1275 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1276 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
1277 NULL, NULL, NULL))
1278 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
1279 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 1280 goto end;
ba881d3b
MC		 1281 id = NULL;
1282 SSL_set_tlsext_status_ids(clientssl, ids);
1283 /* Control has been transferred */
1284 ids = NULL;
1285
1286 BIO_free(certbio);
1287 certbio = NULL;
1288
710756a9
RS		 1289 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1290 SSL_ERROR_NONE))
1291 || !TEST_true(ocsp_client_called)
1292 || !TEST_true(ocsp_server_called))
ba881d3b 1293 goto end;
ba881d3b 1294
2cb4b5f6
MC		 1295 testresult = 1;
1296
1297 end:
ba881d3b
MC		 1298 SSL_free(serverssl);
1299 SSL_free(clientssl);
1300 SSL_CTX_free(sctx);
1301 SSL_CTX_free(cctx);
1302 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1303 OCSP_RESPID_free(id);
1304 BIO_free(certbio);
1305 X509_free(ocspcert);
1306 ocspcert = NULL;
2cb4b5f6
MC		 1307
1308 return testresult;
1309}
8f8c11d8 1310#endif
2cb4b5f6 1311
bf208d95 1312#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 1313static int new_called, remove_called, get_called;
eaa776da 1314
eaa776da
MC		 1315static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1316{
1317 new_called++;
c0537ebd
MC		 1318 /*
1319 * sess has been up-refed for us, but we don't actually need it so free it
1320 * immediately.
1321 */
1322 SSL_SESSION_free(sess);
eaa776da
MC		 1323 return 1;
1324}
1325
1326static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1327{
1328 remove_called++;
1329}
1330
7a301f08
MC		 1331static SSL_SESSION *get_sess_val = NULL;
1332
1333static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1334 int *copy)
1335{
0afca811 1336 get_called++;
7a301f08
MC		 1337 *copy = 1;
1338 return get_sess_val;
1339}
1340
7a301f08
MC		 1341static int execute_test_session(int maxprot, int use_int_cache,
1342 int use_ext_cache)
2cb4b5f6
MC		 1343{
1344 SSL_CTX *sctx = NULL, *cctx = NULL;
1345 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1346 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 1347# ifndef OPENSSL_NO_TLS1_1
eaa776da 1348 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 1349# endif
2cb4b5f6 1350 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
36ff232c 1351 int testresult = 0, numnewsesstick = 1;
2cb4b5f6 1352
7e885b7b
P		 1353 new_called = remove_called = 0;
1354
36ff232c
MC		 1355 /* TLSv1.3 sends 2 NewSessionTickets */
1356 if (maxprot == TLS1_3_VERSION)
1357 numnewsesstick = 2;
1358
7d7f6834 1359 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 1360 TLS1_VERSION, 0,
7d7f6834 1361 &sctx, &cctx, cert, privkey)))
2cb4b5f6 1362 return 0;
2cb4b5f6 1363
7a301f08
MC		 1364 /*
1365 * Only allow the max protocol version so we can force a connection failure
1366 * later
1367 */
1368 SSL_CTX_set_min_proto_version(cctx, maxprot);
1369 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 1370
1371 /* Set up session cache */
7e885b7b 1372 if (use_ext_cache) {
eaa776da
MC		 1373 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1374 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1375 }
7e885b7b 1376 if (use_int_cache) {
eaa776da
MC		 1377 /* Also covers instance where both are set */
1378 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1379 } else {
1380 SSL_CTX_set_session_cache_mode(cctx,
1381 SSL_SESS_CACHE_CLIENT
1382 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1383 }
2cb4b5f6 1384
710756a9
RS		 1385 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1386 NULL, NULL))
1387 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1388 SSL_ERROR_NONE))
1389 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 1390 goto end;
2cb4b5f6 1391
710756a9 1392 /* Should fail because it should already be in the cache */
7e885b7b 1393 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 1394 goto end;
7a301f08 1395 if (use_ext_cache
36ff232c
MC		 1396 && (!TEST_int_eq(new_called, numnewsesstick)
1397
1398 || !TEST_int_eq(remove_called, 0)))
b4982125 1399 goto end;
b4982125 1400
c0537ebd
MC		 1401 new_called = remove_called = 0;
1402 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1403 &clientssl2, NULL, NULL))
1404 || !TEST_true(SSL_set_session(clientssl2, sess1))
1405 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1406 SSL_ERROR_NONE))
1407 || !TEST_true(SSL_session_reused(clientssl2)))
1408 goto end;
1409
7a301f08
MC		 1410 if (maxprot == TLS1_3_VERSION) {
1411 /*
1412 * In TLSv1.3 we should have created a new session even though we have
4cb00457
MC		 1413 * resumed. Since we attempted a resume we should also have removed the
1414 * old ticket from the cache so that we try to only use tickets once.
7a301f08
MC		 1415 */
1416 if (use_ext_cache
1417 && (!TEST_int_eq(new_called, 1)
4cb00457 1418 || !TEST_int_eq(remove_called, 1)))
7a301f08
MC		 1419 goto end;
1420 } else {
1421 /*
1422 * In TLSv1.2 we expect to have resumed so no sessions added or
1423 * removed.
1424 */
1425 if (use_ext_cache
1426 && (!TEST_int_eq(new_called, 0)
1427 || !TEST_int_eq(remove_called, 0)))
1428 goto end;
1429 }
c0537ebd
MC		 1430
1431 SSL_SESSION_free(sess1);
1432 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1433 goto end;
1434 shutdown_ssl_connection(serverssl2, clientssl2);
1435 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 1436
1437 new_called = remove_called = 0;
710756a9
RS		 1438 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1439 &clientssl2, NULL, NULL))
1440 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1441 SSL_ERROR_NONE)))
2cb4b5f6 1442 goto end;
2cb4b5f6 1443
710756a9 1444 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 1445 goto end;
2cb4b5f6 1446
7a301f08 1447 if (use_ext_cache
36ff232c
MC		 1448 && (!TEST_int_eq(new_called, numnewsesstick)
1449 || !TEST_int_eq(remove_called, 0)))
eaa776da 1450 goto end;
eaa776da 1451
c0537ebd 1452 new_called = remove_called = 0;
2cb4b5f6 1453 /*
710756a9
RS		 1454 * This should clear sess2 from the cache because it is a "bad" session.
1455 * See SSL_set_session() documentation.
2cb4b5f6 1456 */
710756a9 1457 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 1458 goto end;
7a301f08
MC		 1459 if (use_ext_cache
1460 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 1461 goto end;
710756a9 1462 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 1463 goto end;
2cb4b5f6 1464
7e885b7b 1465 if (use_int_cache) {
710756a9
RS		 1466 /* Should succeeded because it should not already be in the cache */
1467 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1468 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 1469 goto end;
eaa776da
MC		 1470 }
1471
c0537ebd 1472 new_called = remove_called = 0;
eaa776da 1473 /* This shouldn't be in the cache so should fail */
710756a9 1474 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 1475 goto end;
2cb4b5f6 1476
7a301f08
MC		 1477 if (use_ext_cache
1478 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1479 goto end;
2cb4b5f6 1480
bf208d95 1481# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 1482 new_called = remove_called = 0;
eaa776da
MC		 1483 /* Force a connection failure */
1484 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 1485 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1486 &clientssl3, NULL, NULL))
1487 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 1488 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 1489 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1490 SSL_ERROR_NONE)))
eaa776da 1491 goto end;
b4982125 1492
eaa776da 1493 /* We should have automatically removed the session from the cache */
7a301f08
MC		 1494 if (use_ext_cache
1495 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1496 goto end;
2cb4b5f6 1497
710756a9 1498 /* Should succeed because it should not already be in the cache */
7e885b7b 1499 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 1500 goto end;
bf208d95 1501# endif
eaa776da 1502
7a301f08
MC		 1503 /* Now do some tests for server side caching */
1504 if (use_ext_cache) {
1505 SSL_CTX_sess_set_new_cb(cctx, NULL);
1506 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1507 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1508 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1509 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1510 get_sess_val = NULL;
1511 }
1512
1513 SSL_CTX_set_session_cache_mode(cctx, 0);
1514 /* Internal caching is the default on the server side */
1515 if (!use_int_cache)
1516 SSL_CTX_set_session_cache_mode(sctx,
1517 SSL_SESS_CACHE_SERVER
1518 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1519
1520 SSL_free(serverssl1);
1521 SSL_free(clientssl1);
1522 serverssl1 = clientssl1 = NULL;
1523 SSL_free(serverssl2);
1524 SSL_free(clientssl2);
1525 serverssl2 = clientssl2 = NULL;
1526 SSL_SESSION_free(sess1);
1527 sess1 = NULL;
1528 SSL_SESSION_free(sess2);
1529 sess2 = NULL;
1530
1531 SSL_CTX_set_max_proto_version(sctx, maxprot);
6cc0b3c2
MC		 1532 if (maxprot == TLS1_2_VERSION)
1533 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 1534 new_called = remove_called = get_called = 0;
7a301f08
MC		 1535 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1536 NULL, NULL))
1537 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1538 SSL_ERROR_NONE))
1539 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1540 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1541 goto end;
1542
ee94ec2e
MC		 1543 if (use_int_cache) {
1544 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1545 /*
1546 * In TLSv1.3 it should not have been added to the internal cache,
1547 * except in the case where we also have an external cache (in that
1548 * case it gets added to the cache in order to generate remove
1549 * events after timeout).
1550 */
1551 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1552 goto end;
1553 } else {
1554 /* Should fail because it should already be in the cache */
1555 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1556 goto end;
1557 }
1558 }
7a301f08
MC		 1559
1560 if (use_ext_cache) {
1561 SSL_SESSION *tmp = sess2;
1562
36ff232c 1563 if (!TEST_int_eq(new_called, numnewsesstick)
0afca811
KY		 1564 || !TEST_int_eq(remove_called, 0)
1565 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 1566 goto end;
1567 /*
1568 * Delete the session from the internal cache to force a lookup from
1569 * the external cache. We take a copy first because
1570 * SSL_CTX_remove_session() also marks the session as non-resumable.
1571 */
ee94ec2e 1572 if (use_int_cache && maxprot != TLS1_3_VERSION) {
3cb6a4d6
BK		 1573 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1574 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1575 goto end;
1576 SSL_SESSION_free(sess2);
1577 }
7a301f08
MC		 1578 sess2 = tmp;
1579 }
1580
0afca811 1581 new_called = remove_called = get_called = 0;
7a301f08
MC		 1582 get_sess_val = sess2;
1583 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1584 &clientssl2, NULL, NULL))
1585 || !TEST_true(SSL_set_session(clientssl2, sess1))
1586 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1587 SSL_ERROR_NONE))
1588 || !TEST_true(SSL_session_reused(clientssl2)))
1589 goto end;
1590
0afca811 1591 if (use_ext_cache) {
32305f88 1592 if (!TEST_int_eq(remove_called, 0))
0afca811
KY		 1593 goto end;
1594
1595 if (maxprot == TLS1_3_VERSION) {
32305f88
MC		 1596 if (!TEST_int_eq(new_called, 1)
1597 || !TEST_int_eq(get_called, 0))
0afca811
KY		 1598 goto end;
1599 } else {
32305f88
MC		 1600 if (!TEST_int_eq(new_called, 0)
1601 || !TEST_int_eq(get_called, 1))
0afca811
KY		 1602 goto end;
1603 }
1604 }
7a301f08 1605
2cb4b5f6 1606 testresult = 1;
eaa776da 1607
2cb4b5f6
MC		 1608 end:
1609 SSL_free(serverssl1);
1610 SSL_free(clientssl1);
1611 SSL_free(serverssl2);
1612 SSL_free(clientssl2);
bf208d95 1613# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 1614 SSL_free(serverssl3);
1615 SSL_free(clientssl3);
bf208d95 1616# endif
2cb4b5f6
MC		 1617 SSL_SESSION_free(sess1);
1618 SSL_SESSION_free(sess2);
1619 SSL_CTX_free(sctx);
1620 SSL_CTX_free(cctx);
1621
1622 return testresult;
1623}
bf208d95 1624#endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 1625
7fb4c820
MC		 1626static int test_session_with_only_int_cache(void)
1627{
7a301f08
MC		 1628#ifndef OPENSSL_NO_TLS1_3
1629 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1630 return 0;
1631#endif
1632
1633#ifndef OPENSSL_NO_TLS1_2
1634 return execute_test_session(TLS1_2_VERSION, 1, 0);
1635#else
1636 return 1;
1637#endif
eaa776da
MC		 1638}
1639
7fb4c820
MC		 1640static int test_session_with_only_ext_cache(void)
1641{
7a301f08
MC		 1642#ifndef OPENSSL_NO_TLS1_3
1643 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1644 return 0;
1645#endif
1646
1647#ifndef OPENSSL_NO_TLS1_2
1648 return execute_test_session(TLS1_2_VERSION, 0, 1);
1649#else
1650 return 1;
1651#endif
eaa776da
MC		 1652}
1653
7fb4c820
MC		 1654static int test_session_with_both_cache(void)
1655{
7a301f08
MC		 1656#ifndef OPENSSL_NO_TLS1_3
1657 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1658 return 0;
1659#endif
1660
1661#ifndef OPENSSL_NO_TLS1_2
1662 return execute_test_session(TLS1_2_VERSION, 1, 1);
1663#else
1664 return 1;
1665#endif
eaa776da
MC		 1666}
1667
04225915 1668#ifndef OPENSSL_NO_TLS1_3
c22365b3
MC		 1669static SSL_SESSION *sesscache[6];
1670static int do_cache;
36ff232c
MC		 1671
1672static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1673{
c22365b3
MC		 1674 if (do_cache) {
1675 sesscache[new_called] = sess;
1676 } else {
1677 /* We don't need the reference to the session, so free it */
1678 SSL_SESSION_free(sess);
1679 }
1680 new_called++;
1681
1682 return 1;
1683}
1684
1685static int post_handshake_verify(SSL *sssl, SSL *cssl)
1686{
1687 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1688 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1689 return 0;
1690
1691 /* Start handshake on the server and client */
1692 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1693 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1694 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1695 || !TEST_true(create_ssl_connection(sssl, cssl,
1696 SSL_ERROR_NONE)))
1697 return 0;
36ff232c
MC		 1698
1699 return 1;
1700}
1701
fbe9dafd 1702static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
03cdf559
MC		 1703 SSL_CTX **cctx)
1704{
1705 int sess_id_ctx = 1;
1706
1707 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 1708 TLS1_VERSION, 0, sctx,
03cdf559
MC		 1709 cctx, cert, privkey))
1710 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1711 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1712 (void *)&sess_id_ctx,
1713 sizeof(sess_id_ctx))))
1714 return 0;
1715
1716 if (stateful)
1717 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1718
1719 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1720 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1721 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1722
1723 return 1;
1724}
1725
1726static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1727{
1728 SSL *serverssl = NULL, *clientssl = NULL;
1729 int i;
1730
1731 /* Test that we can resume with all the tickets we got given */
1732 for (i = 0; i < idx * 2; i++) {
1733 new_called = 0;
1734 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1735 &clientssl, NULL, NULL))
1736 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1737 goto end;
1738
32097b33 1739 SSL_set_post_handshake_auth(clientssl, 1);
03cdf559
MC		 1740
1741 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1742 SSL_ERROR_NONE)))
1743 goto end;
1744
1745 /*
1746 * Following a successful resumption we only get 1 ticket. After a
1747 * failed one we should get idx tickets.
1748 */
1749 if (succ) {
1750 if (!TEST_true(SSL_session_reused(clientssl))
1751 || !TEST_int_eq(new_called, 1))
1752 goto end;
1753 } else {
1754 if (!TEST_false(SSL_session_reused(clientssl))
1755 || !TEST_int_eq(new_called, idx))
1756 goto end;
1757 }
1758
1759 new_called = 0;
1760 /* After a post-handshake authentication we should get 1 new ticket */
1761 if (succ
1762 && (!post_handshake_verify(serverssl, clientssl)
1763 || !TEST_int_eq(new_called, 1)))
1764 goto end;
1765
1766 SSL_shutdown(clientssl);
1767 SSL_shutdown(serverssl);
1768 SSL_free(serverssl);
1769 SSL_free(clientssl);
1770 serverssl = clientssl = NULL;
1771 SSL_SESSION_free(sesscache[i]);
1772 sesscache[i] = NULL;
1773 }
1774
1775 return 1;
1776
1777 end:
1778 SSL_free(clientssl);
1779 SSL_free(serverssl);
1780 return 0;
1781}
1782
04d7814a 1783static int test_tickets(int stateful, int idx)
36ff232c
MC		 1784{
1785 SSL_CTX *sctx = NULL, *cctx = NULL;
1786 SSL *serverssl = NULL, *clientssl = NULL;
03cdf559 1787 int testresult = 0;
36ff232c
MC		 1788 size_t j;
1789
1790 /* idx is the test number, but also the number of tickets we want */
1791
1792 new_called = 0;
c22365b3 1793 do_cache = 1;
36ff232c 1794
fbe9dafd 1795 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
36ff232c
MC		 1796 goto end;
1797
03cdf559
MC		 1798 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1799 &clientssl, NULL, NULL)))
1800 goto end;
1801
1802 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1803 SSL_ERROR_NONE))
1804 /* Check we got the number of tickets we were expecting */
1805 || !TEST_int_eq(idx, new_called))
1806 goto end;
04d7814a 1807
03cdf559
MC		 1808 SSL_shutdown(clientssl);
1809 SSL_shutdown(serverssl);
1810 SSL_free(serverssl);
1811 SSL_free(clientssl);
1812 SSL_CTX_free(sctx);
1813 SSL_CTX_free(cctx);
1814 clientssl = serverssl = NULL;
1815 sctx = cctx = NULL;
1816
1817 /*
1818 * Now we try to resume with the tickets we previously created. The
1819 * resumption attempt is expected to fail (because we're now using a new
1820 * SSL_CTX). We should see idx number of tickets issued again.
1821 */
1822
1823 /* Stop caching sessions - just count them */
1824 do_cache = 0;
1825
fbe9dafd 1826 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559
MC		 1827 goto end;
1828
1829 if (!check_resumption(idx, sctx, cctx, 0))
1830 goto end;
1831
1832 /* Start again with caching sessions */
1833 new_called = 0;
1834 do_cache = 1;
fbe9dafd
MC		 1835 SSL_CTX_free(sctx);
1836 SSL_CTX_free(cctx);
1837 sctx = cctx = NULL;
03cdf559 1838
fbe9dafd 1839 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559 1840 goto end;
36ff232c
MC		 1841
1842 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1843 &clientssl, NULL, NULL)))
1844 goto end;
1845
32097b33 1846 SSL_set_post_handshake_auth(clientssl, 1);
36ff232c
MC		 1847
1848 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1849 SSL_ERROR_NONE))
1850 /* Check we got the number of tickets we were expecting */
1851 || !TEST_int_eq(idx, new_called))
1852 goto end;
1853
1854 /* After a post-handshake authentication we should get new tickets issued */
c22365b3 1855 if (!post_handshake_verify(serverssl, clientssl)
36ff232c
MC		 1856 || !TEST_int_eq(idx * 2, new_called))
1857 goto end;
1858
36ff232c
MC		 1859 SSL_shutdown(clientssl);
1860 SSL_shutdown(serverssl);
1861 SSL_free(serverssl);
1862 SSL_free(clientssl);
1863 serverssl = clientssl = NULL;
1864
c22365b3
MC		 1865 /* Stop caching sessions - just count them */
1866 do_cache = 0;
1867
03cdf559
MC		 1868 /*
1869 * Check we can resume with all the tickets we created. This time around the
1870 * resumptions should all be successful.
1871 */
1872 if (!check_resumption(idx, sctx, cctx, 1))
1873 goto end;
36ff232c
MC		 1874
1875 testresult = 1;
1876
1877 end:
1878 SSL_free(serverssl);
1879 SSL_free(clientssl);
c22365b3 1880 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
36ff232c 1881 SSL_SESSION_free(sesscache[j]);
c22365b3
MC		 1882 sesscache[j] = NULL;
1883 }
36ff232c
MC		 1884 SSL_CTX_free(sctx);
1885 SSL_CTX_free(cctx);
1886
1887 return testresult;
1888}
04d7814a
MC		 1889
1890static int test_stateless_tickets(int idx)
1891{
1892 return test_tickets(0, idx);
1893}
1894
1895static int test_stateful_tickets(int idx)
1896{
1897 return test_tickets(1, idx);
1898}
8614a4eb
MC		 1899
1900static int test_psk_tickets(void)
1901{
1902 SSL_CTX *sctx = NULL, *cctx = NULL;
1903 SSL *serverssl = NULL, *clientssl = NULL;
1904 int testresult = 0;
1905 int sess_id_ctx = 1;
1906
1907 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 1908 TLS1_VERSION, 0, &sctx,
8614a4eb
MC		 1909 &cctx, NULL, NULL))
1910 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
1911 (void *)&sess_id_ctx,
1912 sizeof(sess_id_ctx))))
1913 goto end;
1914
1915 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
1916 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1917 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
1918 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
1919 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1920 use_session_cb_cnt = 0;
1921 find_session_cb_cnt = 0;
1922 srvid = pskid;
1923 new_called = 0;
1924
1925 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1926 NULL, NULL)))
1927 goto end;
1928 clientpsk = serverpsk = create_a_psk(clientssl);
1929 if (!TEST_ptr(clientpsk))
1930 goto end;
1931 SSL_SESSION_up_ref(clientpsk);
1932
1933 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1934 SSL_ERROR_NONE))
1935 || !TEST_int_eq(1, find_session_cb_cnt)
1936 || !TEST_int_eq(1, use_session_cb_cnt)
1937 /* We should always get 1 ticket when using external PSK */
1938 || !TEST_int_eq(1, new_called))
1939 goto end;
1940
1941 testresult = 1;
1942
1943 end:
1944 SSL_free(serverssl);
1945 SSL_free(clientssl);
1946 SSL_CTX_free(sctx);
1947 SSL_CTX_free(cctx);
1948 SSL_SESSION_free(clientpsk);
1949 SSL_SESSION_free(serverpsk);
1950 clientpsk = serverpsk = NULL;
1951
1952 return testresult;
1953}
04225915 1954#endif
36ff232c 1955
7d4488bb
MC		 1956#define USE_NULL 0
1957#define USE_BIO_1 1
1958#define USE_BIO_2 2
1959#define USE_DEFAULT 3
1960
1961#define CONNTYPE_CONNECTION_SUCCESS 0
1962#define CONNTYPE_CONNECTION_FAIL 1
1963#define CONNTYPE_NO_CONNECTION 2
1964
1965#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1966#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1967#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1968# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1969#else
1970# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1971#endif
1972
7d4488bb
MC		 1973#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1974 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1975 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
7fb4c820
MC		 1976
1977static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1978{
1979 switch (type) {
1980 case USE_NULL:
1981 *res = NULL;
1982 break;
1983 case USE_BIO_1:
1984 *res = bio1;
1985 break;
1986 case USE_BIO_2:
1987 *res = bio2;
1988 break;
1989 }
1990}
1991
7d4488bb
MC		 1992
1993/*
1994 * Tests calls to SSL_set_bio() under various conditions.
1995 *
1996 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1997 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1998 * then do more tests where we create a successful connection first using our
1999 * standard connection setup functions, and then call SSL_set_bio() with
2000 * various combinations of valid BIOs or NULL. We then repeat these tests
2001 * following a failed connection. In this last case we are looking to check that
2002 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2003 */
7fb4c820
MC		 2004static int test_ssl_set_bio(int idx)
2005{
7d4488bb 2006 SSL_CTX *sctx = NULL, *cctx = NULL;
7fb4c820
MC		 2007 BIO *bio1 = NULL;
2008 BIO *bio2 = NULL;
0fae8150 2009 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7d4488bb
MC		 2010 SSL *serverssl = NULL, *clientssl = NULL;
2011 int initrbio, initwbio, newrbio, newwbio, conntype;
7fb4c820
MC		 2012 int testresult = 0;
2013
7d4488bb
MC		 2014 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2015 initrbio = idx % 3;
2016 idx /= 3;
2017 initwbio = idx % 3;
2018 idx /= 3;
2019 newrbio = idx % 3;
2020 idx /= 3;
2021 newwbio = idx % 3;
2022 conntype = CONNTYPE_NO_CONNECTION;
2023 } else {
2024 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2025 initrbio = initwbio = USE_DEFAULT;
2026 newrbio = idx % 2;
2027 idx /= 2;
2028 newwbio = idx % 2;
2029 idx /= 2;
2030 conntype = idx % 2;
2031 }
710756a9 2032
7d4488bb 2033 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 2034 TLS1_VERSION, 0,
7d4488bb
MC		 2035 &sctx, &cctx, cert, privkey)))
2036 goto end;
2037
2038 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2039 /*
2040 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2041 * because we reduced the number of tests in the definition of
2042 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2043 * mismatched protocol versions we will force a connection failure.
2044 */
2045 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2046 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2047 }
2048
2049 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2050 NULL, NULL)))
710756a9 2051 goto end;
7fb4c820 2052
710756a9
RS		 2053 if (initrbio == USE_BIO_1
2054 || initwbio == USE_BIO_1
2055 || newrbio == USE_BIO_1
7fb4c820 2056 || newwbio == USE_BIO_1) {
710756a9 2057 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 2058 goto end;
7fb4c820
MC		 2059 }
2060
710756a9
RS		 2061 if (initrbio == USE_BIO_2
2062 || initwbio == USE_BIO_2
2063 || newrbio == USE_BIO_2
7fb4c820 2064 || newwbio == USE_BIO_2) {
710756a9 2065 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 2066 goto end;
7fb4c820
MC		 2067 }
2068
7d4488bb
MC		 2069 if (initrbio != USE_DEFAULT) {
2070 setupbio(&irbio, bio1, bio2, initrbio);
2071 setupbio(&iwbio, bio1, bio2, initwbio);
2072 SSL_set_bio(clientssl, irbio, iwbio);
7fb4c820 2073
7d4488bb
MC		 2074 /*
2075 * We want to maintain our own refs to these BIO, so do an up ref for
2076 * each BIO that will have ownership transferred in the SSL_set_bio()
2077 * call
2078 */
2079 if (irbio != NULL)
2080 BIO_up_ref(irbio);
2081 if (iwbio != NULL && iwbio != irbio)
2082 BIO_up_ref(iwbio);
2083 }
7fb4c820 2084
7d4488bb
MC		 2085 if (conntype != CONNTYPE_NO_CONNECTION
2086 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2087 SSL_ERROR_NONE)
2088 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2089 goto end;
7fb4c820
MC		 2090
2091 setupbio(&nrbio, bio1, bio2, newrbio);
2092 setupbio(&nwbio, bio1, bio2, newwbio);
2093
2094 /*
2095 * We will (maybe) transfer ownership again so do more up refs.
2096 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2097 * already been set!
2098 */
710756a9
RS		 2099 if (nrbio != NULL
2100 && nrbio != irbio
2101 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 2102 BIO_up_ref(nrbio);
710756a9
RS		 2103 if (nwbio != NULL
2104 && nwbio != nrbio
2105 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 2106 BIO_up_ref(nwbio);
2107
7d4488bb 2108 SSL_set_bio(clientssl, nrbio, nwbio);
7fb4c820
MC		 2109
2110 testresult = 1;
2111
2112 end:
7fb4c820
MC		 2113 BIO_free(bio1);
2114 BIO_free(bio2);
710756a9 2115
7fb4c820
MC		 2116 /*
2117 * This test is checking that the ref counting for SSL_set_bio is correct.
2118 * If we get here and we did too many frees then we will fail in the above
2119 * functions. If we haven't done enough then this will only be detected in
2120 * a crypto-mdebug build
2121 */
7d4488bb
MC		 2122 SSL_free(serverssl);
2123 SSL_free(clientssl);
2124 SSL_CTX_free(sctx);
2125 SSL_CTX_free(cctx);
7fb4c820
MC		 2126 return testresult;
2127}
2128
7e885b7b 2129typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 2130
7e885b7b 2131static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 2132{
2133 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 2134 SSL_CTX *ctx;
9a716987
MC		 2135 SSL *ssl = NULL;
2136 int testresult = 0;
2137
710756a9
RS		 2138 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
2139 || !TEST_ptr(ssl = SSL_new(ctx))
2140 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2141 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 2142 goto end;
9a716987
MC		 2143
2144 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2145
2146 /*
2147 * If anything goes wrong here then we could leak memory, so this will
2148 * be caught in a crypto-mdebug build
2149 */
2150 BIO_push(sslbio, membio1);
2151
69687aa8 2152 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 2153 if (change_bio != NO_BIO_CHANGE) {
710756a9 2154 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
9a716987 2155 goto end;
7e885b7b 2156 if (change_bio == CHANGE_RBIO)
65e2d672 2157 SSL_set0_rbio(ssl, membio2);
9a716987 2158 else
65e2d672 2159 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 2160 }
2161 ssl = NULL;
2162
7e885b7b 2163 if (pop_ssl)
9a716987
MC		 2164 BIO_pop(sslbio);
2165 else
2166 BIO_pop(membio1);
2167
2168 testresult = 1;
2169 end:
2170 BIO_free(membio1);
2171 BIO_free(sslbio);
2172 SSL_free(ssl);
2173 SSL_CTX_free(ctx);
2174
2175 return testresult;
2176}
2177
2178static int test_ssl_bio_pop_next_bio(void)
2179{
7e885b7b 2180 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 2181}
2182
2183static int test_ssl_bio_pop_ssl_bio(void)
2184{
7e885b7b 2185 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 2186}
2187
2188static int test_ssl_bio_change_rbio(void)
2189{
7e885b7b 2190 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 2191}
2192
2193static int test_ssl_bio_change_wbio(void)
2194{
7e885b7b 2195 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 2196}
2197
c423ecaa 2198#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae
MC		 2199typedef struct {
2200 /* The list of sig algs */
2201 const int *list;
2202 /* The length of the list */
2203 size_t listlen;
2204 /* A sigalgs list in string format */
2205 const char *liststr;
2206 /* Whether setting the list should succeed */
2207 int valid;
2208 /* Whether creating a connection with the list should succeed */
2209 int connsuccess;
2210} sigalgs_list;
2211
2212static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 2213# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2214static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2215static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 2216# endif
f1b25aae
MC		 2217static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2218static const int invalidlist2[] = {NID_sha256, NID_undef};
2219static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2220static const int invalidlist4[] = {NID_sha256};
2221static const sigalgs_list testsigalgs[] = {
2222 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 2223# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2224 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2225 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 2226# endif
f1b25aae 2227 {NULL, 0, "RSA+SHA256", 1, 1},
c423ecaa 2228# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2229 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2230 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 2231# endif
f1b25aae
MC		 2232 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2233 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2234 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2235 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2236 {NULL, 0, "RSA", 0, 0},
2237 {NULL, 0, "SHA256", 0, 0},
2238 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 2239 {NULL, 0, "Invalid", 0, 0}
2240};
f1b25aae
MC		 2241
2242static int test_set_sigalgs(int idx)
2243{
2244 SSL_CTX *cctx = NULL, *sctx = NULL;
2245 SSL *clientssl = NULL, *serverssl = NULL;
2246 int testresult = 0;
2247 const sigalgs_list *curr;
2248 int testctx;
2249
2250 /* Should never happen */
710756a9 2251 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 2252 return 0;
2253
2254 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2255 curr = testctx ? &testsigalgs[idx]
2256 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2257
7d7f6834 2258 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 2259 TLS1_VERSION, 0,
7d7f6834 2260 &sctx, &cctx, cert, privkey)))
f1b25aae 2261 return 0;
f1b25aae 2262
d2e491f2
MC		 2263 /*
2264 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2265 * for TLSv1.2 for now until we add a new API.
2266 */
2267 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2268
f1b25aae
MC		 2269 if (testctx) {
2270 int ret;
710756a9 2271
f1b25aae
MC		 2272 if (curr->list != NULL)
2273 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2274 else
2275 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2276
2277 if (!ret) {
2278 if (curr->valid)
710756a9 2279 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 2280 else
2281 testresult = 1;
2282 goto end;
2283 }
2284 if (!curr->valid) {
710756a9 2285 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 2286 goto end;
2287 }
2288 }
2289
710756a9
RS		 2290 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2291 &clientssl, NULL, NULL)))
f1b25aae 2292 goto end;
f1b25aae
MC		 2293
2294 if (!testctx) {
2295 int ret;
2296
2297 if (curr->list != NULL)
2298 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2299 else
2300 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2301 if (!ret) {
2302 if (curr->valid)
710756a9 2303 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 2304 else
2305 testresult = 1;
2306 goto end;
2307 }
710756a9 2308 if (!curr->valid)
f1b25aae 2309 goto end;
f1b25aae
MC		 2310 }
2311
710756a9
RS		 2312 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2313 SSL_ERROR_NONE),
2314 curr->connsuccess))
f1b25aae 2315 goto end;
f1b25aae
MC		 2316
2317 testresult = 1;
2318
2319 end:
2320 SSL_free(serverssl);
2321 SSL_free(clientssl);
2322 SSL_CTX_free(sctx);
2323 SSL_CTX_free(cctx);
2324
2325 return testresult;
2326}
c423ecaa 2327#endif
f1b25aae 2328
fff202e5 2329#ifndef OPENSSL_NO_TLS1_3
532f9578
MC		 2330static int psk_client_cb_cnt = 0;
2331static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 2332
2333static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2334 size_t *idlen, SSL_SESSION **sess)
2335{
2336 switch (++use_session_cb_cnt) {
2337 case 1:
2338 /* The first call should always have a NULL md */
2339 if (md != NULL)
2340 return 0;
2341 break;
2342
2343 case 2:
2344 /* The second call should always have an md */
2345 if (md == NULL)
2346 return 0;
2347 break;
2348
2349 default:
2350 /* We should only be called a maximum of twice */
2351 return 0;
2352 }
2353
57dee9bb
MC		 2354 if (clientpsk != NULL)
2355 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 2356
57dee9bb 2357 *sess = clientpsk;
02a3ed5a
MC		 2358 *id = (const unsigned char *)pskid;
2359 *idlen = strlen(pskid);
2360
2361 return 1;
2362}
2363
c2b290c3 2364#ifndef OPENSSL_NO_PSK
532f9578
MC		 2365static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2366 unsigned int max_id_len,
2367 unsigned char *psk,
2368 unsigned int max_psk_len)
2369{
2370 unsigned int psklen = 0;
2371
2372 psk_client_cb_cnt++;
2373
2374 if (strlen(pskid) + 1 > max_id_len)
2375 return 0;
2376
2377 /* We should only ever be called a maximum of twice per connection */
2378 if (psk_client_cb_cnt > 2)
2379 return 0;
2380
2381 if (clientpsk == NULL)
2382 return 0;
2383
2384 /* We'll reuse the PSK we set up for TLSv1.3 */
2385 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2386 return 0;
2387 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2388 strncpy(id, pskid, max_id_len);
2389
2390 return psklen;
2391}
c2b290c3 2392#endif /* OPENSSL_NO_PSK */
532f9578 2393
02a3ed5a
MC		 2394static int find_session_cb(SSL *ssl, const unsigned char *identity,
2395 size_t identity_len, SSL_SESSION **sess)
2396{
2397 find_session_cb_cnt++;
2398
2399 /* We should only ever be called a maximum of twice per connection */
2400 if (find_session_cb_cnt > 2)
2401 return 0;
2402
57dee9bb 2403 if (serverpsk == NULL)
02a3ed5a
MC		 2404 return 0;
2405
2406 /* Identity should match that set by the client */
2407 if (strlen(srvid) != identity_len
2408 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2409 /* No PSK found, continue but without a PSK */
2410 *sess = NULL;
2411 return 1;
2412 }
2413
57dee9bb
MC		 2414 SSL_SESSION_up_ref(serverpsk);
2415 *sess = serverpsk;
02a3ed5a
MC		 2416
2417 return 1;
2418}
2419
c2b290c3 2420#ifndef OPENSSL_NO_PSK
532f9578
MC		 2421static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2422 unsigned char *psk, unsigned int max_psk_len)
2423{
2424 unsigned int psklen = 0;
2425
2426 psk_server_cb_cnt++;
2427
2428 /* We should only ever be called a maximum of twice per connection */
2429 if (find_session_cb_cnt > 2)
2430 return 0;
2431
2432 if (serverpsk == NULL)
2433 return 0;
2434
2435 /* Identity should match that set by the client */
2436 if (strcmp(srvid, identity) != 0) {
2437 return 0;
2438 }
2439
2440 /* We'll reuse the PSK we set up for TLSv1.3 */
2441 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2442 return 0;
2443 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2444
2445 return psklen;
2446}
c2b290c3 2447#endif /* OPENSSL_NO_PSK */
532f9578 2448
5f982038
MC		 2449#define MSG1 "Hello"
2450#define MSG2 "World."
2451#define MSG3 "This"
2452#define MSG4 "is"
2453#define MSG5 "a"
90049cea
MC		 2454#define MSG6 "test"
2455#define MSG7 "message."
5f982038 2456
02a3ed5a 2457#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
532f9578 2458#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
02a3ed5a 2459
8614a4eb
MC		 2460
2461static SSL_SESSION *create_a_psk(SSL *ssl)
2462{
2463 const SSL_CIPHER *cipher = NULL;
2464 const unsigned char key[] = {
2465 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2466 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2467 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2468 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2469 0x2c, 0x2d, 0x2e, 0x2f
2470 };
2471 SSL_SESSION *sess = NULL;
2472
2473 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2474 sess = SSL_SESSION_new();
2475 if (!TEST_ptr(sess)
2476 || !TEST_ptr(cipher)
2477 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2478 sizeof(key)))
2479 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2480 || !TEST_true(
2481 SSL_SESSION_set_protocol_version(sess,
2482 TLS1_3_VERSION))) {
2483 SSL_SESSION_free(sess);
2484 return NULL;
2485 }
2486 return sess;
2487}
2488
5f982038
MC		 2489/*
2490 * Helper method to setup objects for early data test. Caller frees objects on
2491 * error.
2492 */
2493static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3cb47b4e 2494 SSL **serverssl, SSL_SESSION **sess, int idx)
5f982038 2495{
5a421415
MC		 2496 if (*sctx == NULL
2497 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2498 TLS_client_method(),
5c587fb6 2499 TLS1_VERSION, 0,
5a421415
MC		 2500 sctx, cctx, cert, privkey)))
2501 return 0;
2502
2503 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 2504 return 0;
5f982038 2505
02a3ed5a
MC		 2506 if (idx == 1) {
2507 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 2508 SSL_CTX_set_read_ahead(*cctx, 1);
2509 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 2510 } else if (idx == 2) {
2511 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2512 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2513 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2514 use_session_cb_cnt = 0;
2515 find_session_cb_cnt = 0;
2516 srvid = pskid;
3cb47b4e
MC		 2517 }
2518
710756a9 2519 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 2520 NULL, NULL)))
2521 return 0;
2522
141e4709
MC		 2523 /*
2524 * For one of the run throughs (doesn't matter which one), we'll try sending
2525 * some SNI data in the initial ClientHello. This will be ignored (because
2526 * there is no SNI cb set up by the server), so it should not impact
2527 * early_data.
2528 */
2529 if (idx == 1
2530 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2531 return 0;
2532
02a3ed5a 2533 if (idx == 2) {
8614a4eb 2534 clientpsk = create_a_psk(*clientssl);
57dee9bb 2535 if (!TEST_ptr(clientpsk)
02a3ed5a
MC		 2536 /*
2537 * We just choose an arbitrary value for max_early_data which
2538 * should be big enough for testing purposes.
2539 */
57dee9bb
MC		 2540 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2541 0x100))
2542 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2543 SSL_SESSION_free(clientpsk);
2544 clientpsk = NULL;
02a3ed5a
MC		 2545 return 0;
2546 }
57dee9bb 2547 serverpsk = clientpsk;
02a3ed5a 2548
c20e3b28
MC		 2549 if (sess != NULL) {
2550 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2551 SSL_SESSION_free(clientpsk);
2552 SSL_SESSION_free(serverpsk);
2553 clientpsk = serverpsk = NULL;
2554 return 0;
2555 }
57dee9bb 2556 *sess = clientpsk;
c20e3b28 2557 }
02a3ed5a
MC		 2558 return 1;
2559 }
2560
2561 if (sess == NULL)
2562 return 1;
2563
2564 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2565 SSL_ERROR_NONE)))
5f982038 2566 return 0;
5f982038
MC		 2567
2568 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 2569 SSL_shutdown(*clientssl);
2570 SSL_shutdown(*serverssl);
5f982038
MC		 2571 SSL_free(*serverssl);
2572 SSL_free(*clientssl);
2573 *serverssl = *clientssl = NULL;
2574
710756a9
RS		 2575 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2576 clientssl, NULL, NULL))
2577 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 2578 return 0;
5f982038
MC		 2579
2580 return 1;
2581}
2582
3cb47b4e 2583static int test_early_data_read_write(int idx)
5f982038
MC		 2584{
2585 SSL_CTX *cctx = NULL, *sctx = NULL;
2586 SSL *clientssl = NULL, *serverssl = NULL;
2587 int testresult = 0;
2588 SSL_SESSION *sess = NULL;
9b5c865d
MC		 2589 unsigned char buf[20], data[1024];
2590 size_t readbytes, written, eoedlen, rawread, rawwritten;
2591 BIO *rbio;
5f982038 2592
710756a9
RS		 2593 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2594 &serverssl, &sess, idx)))
5f982038
MC		 2595 goto end;
2596
2597 /* Write and read some early data */
710756a9
RS		 2598 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2599 &written))
2600 || !TEST_size_t_eq(written, strlen(MSG1))
2601 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2602 sizeof(buf), &readbytes),
2603 SSL_READ_EARLY_DATA_SUCCESS)
2604 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2605 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2606 SSL_EARLY_DATA_ACCEPTED))
5f982038 2607 goto end;
5f982038
MC		 2608
2609 /*
09f28874 2610 * Server should be able to write data, and client should be able to
5f982038
MC		 2611 * read it.
2612 */
710756a9
RS		 2613 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2614 &written))
2615 || !TEST_size_t_eq(written, strlen(MSG2))
2616 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2617 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2618 goto end;
5f982038
MC		 2619
2620 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 2621 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2622 &written))
2623 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 2624 goto end;
5f982038 2625
09f28874 2626 /* Server should still be able read early data after writing data */
710756a9
RS		 2627 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2628 &readbytes),
2629 SSL_READ_EARLY_DATA_SUCCESS)
2630 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 2631 goto end;
5f982038 2632
09f28874 2633 /* Write more data from server and read it from client */
710756a9
RS		 2634 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2635 &written))
2636 || !TEST_size_t_eq(written, strlen(MSG4))
2637 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2638 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 2639 goto end;
5f982038
MC		 2640
2641 /*
2642 * If client writes normal data it should mean writing early data is no
2643 * longer possible.
2644 */
710756a9
RS		 2645 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2646 || !TEST_size_t_eq(written, strlen(MSG5))
2647 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2648 SSL_EARLY_DATA_ACCEPTED))
5f982038 2649 goto end;
5f982038 2650
9b5c865d
MC		 2651 /*
2652 * At this point the client has written EndOfEarlyData, ClientFinished and
2653 * normal (fully protected) data. We are going to cause a delay between the
2654 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2655 * in the read BIO, and then just put back the EndOfEarlyData message.
2656 */
2657 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 2658 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2659 || !TEST_size_t_lt(rawread, sizeof(data))
2660 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 2661 goto end;
710756a9 2662
9b5c865d
MC		 2663 /* Record length is in the 4th and 5th bytes of the record header */
2664 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 2665 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2666 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 2667 goto end;
9b5c865d 2668
5f982038 2669 /* Server should be told that there is no more early data */
710756a9
RS		 2670 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2671 &readbytes),
2672 SSL_READ_EARLY_DATA_FINISH)
2673 || !TEST_size_t_eq(readbytes, 0))
5f982038 2674 goto end;
5f982038 2675
9b5c865d
MC		 2676 /*
2677 * Server has not finished init yet, so should still be able to write early
2678 * data.
2679 */
710756a9
RS		 2680 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2681 &written))
2682 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 2683 goto end;
9b5c865d 2684
f8a303fa 2685 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 2686 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2687 &rawwritten))
2688 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 2689 goto end;
f8a303fa 2690
5f982038 2691 /* Server should be able to read normal data */
710756a9
RS		 2692 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2693 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 2694 goto end;
5f982038 2695
09f28874 2696 /* Client and server should not be able to write/read early data now */
710756a9
RS		 2697 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2698 &written)))
5f982038 2699 goto end;
5f982038 2700 ERR_clear_error();
710756a9
RS		 2701 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2702 &readbytes),
2703 SSL_READ_EARLY_DATA_ERROR))
5f982038 2704 goto end;
5f982038
MC		 2705 ERR_clear_error();
2706
9b5c865d 2707 /* Client should be able to read the data sent by the server */
710756a9
RS		 2708 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2709 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 2710 goto end;
710756a9 2711
f8a303fa 2712 /*
36ff232c
MC		 2713 * Make sure we process the two NewSessionTickets. These arrive
2714 * post-handshake. We attempt reads which we do not expect to return any
2715 * data.
f8a303fa 2716 */
36ff232c
MC		 2717 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2718 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2719 &readbytes)))
f8a303fa 2720 goto end;
5f982038 2721
90049cea 2722 /* Server should be able to write normal data */
710756a9
RS		 2723 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2724 || !TEST_size_t_eq(written, strlen(MSG7))
2725 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2726 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 2727 goto end;
90049cea 2728
c20e3b28 2729 SSL_SESSION_free(sess);
5f982038 2730 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 2731 use_session_cb_cnt = 0;
2732 find_session_cb_cnt = 0;
5f982038
MC		 2733
2734 SSL_shutdown(clientssl);
2735 SSL_shutdown(serverssl);
5f982038
MC		 2736 SSL_free(serverssl);
2737 SSL_free(clientssl);
2738 serverssl = clientssl = NULL;
710756a9
RS		 2739 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2740 &clientssl, NULL, NULL))
2741 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 2742 goto end;
5f982038
MC		 2743
2744 /* Write and read some early data */
710756a9
RS		 2745 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2746 &written))
2747 || !TEST_size_t_eq(written, strlen(MSG1))
2748 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2749 &readbytes),
2750 SSL_READ_EARLY_DATA_SUCCESS)
2751 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 2752 goto end;
5f982038 2753
710756a9
RS		 2754 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2755 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 2756 goto end;
5f982038 2757
09f28874 2758 /* Client and server should not be able to write/read early data now */
710756a9
RS		 2759 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2760 &written)))
5f982038 2761 goto end;
5f982038 2762 ERR_clear_error();
710756a9
RS		 2763 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2764 &readbytes),
2765 SSL_READ_EARLY_DATA_ERROR))
5f982038 2766 goto end;
5f982038
MC		 2767 ERR_clear_error();
2768
2769 /* Client and server should be able to write/read normal data */
710756a9
RS		 2770 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2771 || !TEST_size_t_eq(written, strlen(MSG5))
2772 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2773 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 2774 goto end;
5f982038
MC		 2775
2776 testresult = 1;
2777
2778 end:
c20e3b28 2779 SSL_SESSION_free(sess);
57dee9bb
MC		 2780 SSL_SESSION_free(clientpsk);
2781 SSL_SESSION_free(serverpsk);
2782 clientpsk = serverpsk = NULL;
5f982038
MC		 2783 SSL_free(serverssl);
2784 SSL_free(clientssl);
2785 SSL_CTX_free(sctx);
2786 SSL_CTX_free(cctx);
5f982038
MC		 2787 return testresult;
2788}
2789
5a421415
MC		 2790static int allow_ed_cb_called = 0;
2791
2792static int allow_early_data_cb(SSL *s, void *arg)
2793{
2794 int *usecb = (int *)arg;
2795
2796 allow_ed_cb_called++;
2797
2798 if (*usecb == 1)
2799 return 0;
2800
2801 return 1;
2802}
2803
2804/*
2805 * idx == 0: Standard early_data setup
2806 * idx == 1: early_data setup using read_ahead
2807 * usecb == 0: Don't use a custom early data callback
2808 * usecb == 1: Use a custom early data callback and reject the early data
2809 * usecb == 2: Use a custom early data callback and accept the early data
3bb5e5b0
MC		 2810 * confopt == 0: Configure anti-replay directly
2811 * confopt == 1: Configure anti-replay using SSL_CONF
5a421415 2812 */
3bb5e5b0 2813static int test_early_data_replay_int(int idx, int usecb, int confopt)
78fb5374
MC		 2814{
2815 SSL_CTX *cctx = NULL, *sctx = NULL;
2816 SSL *clientssl = NULL, *serverssl = NULL;
2817 int testresult = 0;
2818 SSL_SESSION *sess = NULL;
5a421415
MC		 2819 size_t readbytes, written;
2820 unsigned char buf[20];
2821
2822 allow_ed_cb_called = 0;
2823
2824 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 2825 TLS1_VERSION, 0, &sctx,
5a421415
MC		 2826 &cctx, cert, privkey)))
2827 return 0;
2828
2829 if (usecb > 0) {
3bb5e5b0
MC		 2830 if (confopt == 0) {
2831 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2832 } else {
2833 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
2834
2835 if (!TEST_ptr(confctx))
2836 goto end;
2837 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
2838 | SSL_CONF_FLAG_SERVER);
2839 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
2840 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
2841 2)) {
2842 SSL_CONF_CTX_free(confctx);
2843 goto end;
2844 }
2845 SSL_CONF_CTX_free(confctx);
2846 }
5a421415
MC		 2847 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2848 }
78fb5374
MC		 2849
2850 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2851 &serverssl, &sess, idx)))
2852 goto end;
2853
2854 /*
2855 * The server is configured to accept early data. Create a connection to
2856 * "use up" the ticket
2857 */
2858 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2859 || !TEST_true(SSL_session_reused(clientssl)))
2860 goto end;
2861
2862 SSL_shutdown(clientssl);
2863 SSL_shutdown(serverssl);
2864 SSL_free(serverssl);
2865 SSL_free(clientssl);
2866 serverssl = clientssl = NULL;
2867
2868 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2869 &clientssl, NULL, NULL))
5a421415
MC		 2870 || !TEST_true(SSL_set_session(clientssl, sess)))
2871 goto end;
2872
2873 /* Write and read some early data */
2874 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2875 &written))
2876 || !TEST_size_t_eq(written, strlen(MSG1)))
2877 goto end;
2878
2879 if (usecb <= 1) {
2880 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2881 &readbytes),
2882 SSL_READ_EARLY_DATA_FINISH)
2883 /*
2884 * The ticket was reused, so the we should have rejected the
2885 * early data
2886 */
2887 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2888 SSL_EARLY_DATA_REJECTED))
2889 goto end;
2890 } else {
2891 /* In this case the callback decides to accept the early data */
2892 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2893 &readbytes),
2894 SSL_READ_EARLY_DATA_SUCCESS)
2895 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
2896 /*
2897 * Server will have sent its flight so client can now send
2898 * end of early data and complete its half of the handshake
2899 */
2900 || !TEST_int_gt(SSL_connect(clientssl), 0)
2901 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2902 &readbytes),
2903 SSL_READ_EARLY_DATA_FINISH)
2904 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2905 SSL_EARLY_DATA_ACCEPTED))
2906 goto end;
2907 }
2908
2909 /* Complete the connection */
2910 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2911 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
2912 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
78fb5374
MC		 2913 goto end;
2914
2915 testresult = 1;
2916
2917 end:
c20e3b28 2918 SSL_SESSION_free(sess);
78fb5374
MC		 2919 SSL_SESSION_free(clientpsk);
2920 SSL_SESSION_free(serverpsk);
2921 clientpsk = serverpsk = NULL;
2922 SSL_free(serverssl);
2923 SSL_free(clientssl);
2924 SSL_CTX_free(sctx);
2925 SSL_CTX_free(cctx);
2926 return testresult;
2927}
2928
5a421415
MC		 2929static int test_early_data_replay(int idx)
2930{
3bb5e5b0 2931 int ret = 1, usecb, confopt;
5a421415 2932
3bb5e5b0
MC		 2933 for (usecb = 0; usecb < 3; usecb++) {
2934 for (confopt = 0; confopt < 2; confopt++)
2935 ret &= test_early_data_replay_int(idx, usecb, confopt);
2936 }
5a421415
MC		 2937
2938 return ret;
2939}
2940
710756a9 2941/*
6b84e6bf
MC		 2942 * Helper function to test that a server attempting to read early data can
2943 * handle a connection from a client where the early data should be skipped.
0d1b7789
MC		 2944 * testtype: 0 == No HRR
2945 * testtype: 1 == HRR
0efa0ba4
MC		 2946 * testtype: 2 == HRR, invalid early_data sent after HRR
2947 * testtype: 3 == recv_max_early_data set to 0
710756a9 2948 */
0d1b7789 2949static int early_data_skip_helper(int testtype, int idx)
5f982038
MC		 2950{
2951 SSL_CTX *cctx = NULL, *sctx = NULL;
2952 SSL *clientssl = NULL, *serverssl = NULL;
2953 int testresult = 0;
018fcbec 2954 SSL_SESSION *sess = NULL;
5f982038
MC		 2955 unsigned char buf[20];
2956 size_t readbytes, written;
2957
710756a9
RS		 2958 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2959 &serverssl, &sess, idx)))
5f982038
MC		 2960 goto end;
2961
0efa0ba4 2962 if (testtype == 1 || testtype == 2) {
6b84e6bf 2963 /* Force an HRR to occur */
dbc6268f
MC		 2964#if defined(OPENSSL_NO_EC)
2965 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
2966 goto end;
2967#else
6b84e6bf
MC		 2968 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2969 goto end;
dbc6268f 2970#endif
02a3ed5a
MC		 2971 } else if (idx == 2) {
2972 /*
2973 * We force early_data rejection by ensuring the PSK identity is
2974 * unrecognised
2975 */
2976 srvid = "Dummy Identity";
6b84e6bf
MC		 2977 } else {
2978 /*
2979 * Deliberately corrupt the creation time. We take 20 seconds off the
2980 * time. It could be any value as long as it is not within tolerance.
2981 * This should mean the ticket is rejected.
2982 */
5d99881e 2983 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 2984 goto end;
2985 }
5f982038 2986
0efa0ba4 2987 if (testtype == 3
0d1b7789
MC		 2988 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
2989 goto end;
2990
5f982038 2991 /* Write some early data */
710756a9
RS		 2992 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2993 &written))
2994 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 2995 goto end;
5f982038 2996
0d1b7789 2997 /* Server should reject the early data */
710756a9
RS		 2998 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2999 &readbytes),
3000 SSL_READ_EARLY_DATA_FINISH)
3001 || !TEST_size_t_eq(readbytes, 0)
3002 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3003 SSL_EARLY_DATA_REJECTED))
5f982038 3004 goto end;
5f982038 3005
0efa0ba4
MC		 3006 switch (testtype) {
3007 case 0:
3008 /* Nothing to do */
3009 break;
3010
3011 case 1:
6b84e6bf
MC		 3012 /*
3013 * Finish off the handshake. We perform the same writes and reads as
3014 * further down but we expect them to fail due to the incomplete
3015 * handshake.
3016 */
3017 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3018 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3019 &readbytes)))
3020 goto end;
0efa0ba4
MC		 3021 break;
3022
3023 case 2:
3024 {
3025 BIO *wbio = SSL_get_wbio(clientssl);
3026 /* A record that will appear as bad early_data */
3027 const unsigned char bad_early_data[] = {
3028 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3029 };
3030
3031 /*
3032 * We force the client to attempt a write. This will fail because
3033 * we're still in the handshake. It will cause the second
3034 * ClientHello to be sent.
3035 */
3036 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3037 &written)))
3038 goto end;
3039
3040 /*
3041 * Inject some early_data after the second ClientHello. This should
3042 * cause the server to fail
3043 */
3044 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3045 sizeof(bad_early_data), &written)))
3046 goto end;
3047 }
3048 /* fallthrough */
3049
3050 case 3:
0d1b7789 3051 /*
0efa0ba4
MC		 3052 * This client has sent more early_data than we are willing to skip
3053 * (case 3) or sent invalid early_data (case 2) so the connection should
3054 * abort.
0d1b7789
MC		 3055 */
3056 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3057 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3058 goto end;
3059
3060 /* Connection has failed - nothing more to do */
3061 testresult = 1;
3062 goto end;
0efa0ba4
MC		 3063
3064 default:
3065 TEST_error("Invalid test type");
3066 goto end;
6b84e6bf
MC		 3067 }
3068
0d1b7789
MC		 3069 /*
3070 * Should be able to send normal data despite rejection of early data. The
3071 * early_data should be skipped.
3072 */
710756a9
RS		 3073 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3074 || !TEST_size_t_eq(written, strlen(MSG2))
3075 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3076 SSL_EARLY_DATA_REJECTED)
3077 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3078 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3079 goto end;
5f982038
MC		 3080
3081 testresult = 1;
3082
3083 end:
c20e3b28 3084 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3085 SSL_SESSION_free(serverpsk);
3086 clientpsk = serverpsk = NULL;
5f982038
MC		 3087 SSL_SESSION_free(sess);
3088 SSL_free(serverssl);
3089 SSL_free(clientssl);
3090 SSL_CTX_free(sctx);
3091 SSL_CTX_free(cctx);
5f982038
MC		 3092 return testresult;
3093}
3094
6b84e6bf
MC		 3095/*
3096 * Test that a server attempting to read early data can handle a connection
3097 * from a client where the early data is not acceptable.
3098 */
3099static int test_early_data_skip(int idx)
3100{
3101 return early_data_skip_helper(0, idx);
3102}
3103
3104/*
3105 * Test that a server attempting to read early data can handle a connection
3106 * from a client where an HRR occurs.
3107 */
3108static int test_early_data_skip_hrr(int idx)
3109{
3110 return early_data_skip_helper(1, idx);
3111}
3112
0efa0ba4
MC		 3113/*
3114 * Test that a server attempting to read early data can handle a connection
3115 * from a client where an HRR occurs and correctly fails if early_data is sent
3116 * after the HRR
3117 */
3118static int test_early_data_skip_hrr_fail(int idx)
3119{
3120 return early_data_skip_helper(2, idx);
3121}
3122
0d1b7789
MC		 3123/*
3124 * Test that a server attempting to read early data will abort if it tries to
3125 * skip over too much.
3126 */
3127static int test_early_data_skip_abort(int idx)
3128{
0efa0ba4 3129 return early_data_skip_helper(3, idx);
0d1b7789
MC		 3130}
3131
710756a9
RS		 3132/*
3133 * Test that a server attempting to read early data can handle a connection
3134 * from a client that doesn't send any.
3135 */
3cb47b4e 3136static int test_early_data_not_sent(int idx)
5f982038
MC		 3137{
3138 SSL_CTX *cctx = NULL, *sctx = NULL;
3139 SSL *clientssl = NULL, *serverssl = NULL;
3140 int testresult = 0;
018fcbec 3141 SSL_SESSION *sess = NULL;
5f982038
MC		 3142 unsigned char buf[20];
3143 size_t readbytes, written;
3144
710756a9
RS		 3145 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3146 &serverssl, &sess, idx)))
5f982038
MC		 3147 goto end;
3148
3149 /* Write some data - should block due to handshake with server */
3150 SSL_set_connect_state(clientssl);
710756a9 3151 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 3152 goto end;
5f982038
MC		 3153
3154 /* Server should detect that early data has not been sent */
710756a9
RS		 3155 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3156 &readbytes),
3157 SSL_READ_EARLY_DATA_FINISH)
3158 || !TEST_size_t_eq(readbytes, 0)
3159 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3160 SSL_EARLY_DATA_NOT_SENT)
3161 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3162 SSL_EARLY_DATA_NOT_SENT))
5f982038 3163 goto end;
5f982038
MC		 3164
3165 /* Continue writing the message we started earlier */
710756a9
RS		 3166 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3167 || !TEST_size_t_eq(written, strlen(MSG1))
3168 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3169 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3170 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3171 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 3172 goto end;
5f982038 3173
710756a9
RS		 3174 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3175 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3176 goto end;
5f982038
MC		 3177
3178 testresult = 1;
3179
3180 end:
5f982038 3181 SSL_SESSION_free(sess);
c20e3b28 3182 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3183 SSL_SESSION_free(serverpsk);
3184 clientpsk = serverpsk = NULL;
5f982038
MC		 3185 SSL_free(serverssl);
3186 SSL_free(clientssl);
3187 SSL_CTX_free(sctx);
3188 SSL_CTX_free(cctx);
5f982038
MC		 3189 return testresult;
3190}
3191
976e5323
MC		 3192static int hostname_cb(SSL *s, int *al, void *arg)
3193{
3194 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
3195
281bf233 3196 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
976e5323
MC		 3197 return SSL_TLSEXT_ERR_OK;
3198
3199 return SSL_TLSEXT_ERR_NOACK;
3200}
3201
3202static const char *servalpn;
3203
c7558d5b
PY		 3204static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3205 unsigned char *outlen, const unsigned char *in,
3206 unsigned int inlen, void *arg)
976e5323 3207{
c7558d5b 3208 unsigned int protlen = 0;
976e5323
MC		 3209 const unsigned char *prot;
3210
c7558d5b
PY		 3211 for (prot = in; prot < in + inlen; prot += protlen) {
3212 protlen = *prot++;
5d99881e 3213 if (in + inlen < prot + protlen)
976e5323
MC		 3214 return SSL_TLSEXT_ERR_NOACK;
3215
3216 if (protlen == strlen(servalpn)
0bd42fde 3217 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 3218 *out = prot;
3219 *outlen = protlen;
3220 return SSL_TLSEXT_ERR_OK;
3221 }
3222 }
3223
3224 return SSL_TLSEXT_ERR_NOACK;
3225}
3226
57dee9bb 3227/* Test that a PSK can be used to send early_data */
976e5323
MC		 3228static int test_early_data_psk(int idx)
3229{
3230 SSL_CTX *cctx = NULL, *sctx = NULL;
3231 SSL *clientssl = NULL, *serverssl = NULL;
3232 int testresult = 0;
3233 SSL_SESSION *sess = NULL;
57dee9bb
MC		 3234 unsigned char alpnlist[] = {
3235 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3236 'l', 'p', 'n'
3237 };
3238#define GOODALPNLEN 9
3239#define BADALPNLEN 8
3240#define GOODALPN (alpnlist)
3241#define BADALPN (alpnlist + GOODALPNLEN)
3242 int err = 0;
976e5323
MC		 3243 unsigned char buf[20];
3244 size_t readbytes, written;
57dee9bb 3245 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 3246 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3247
3248 /* We always set this up with a final parameter of "2" for PSK */
3249 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3250 &serverssl, &sess, 2)))
3251 goto end;
3252
976e5323
MC		 3253 servalpn = "goodalpn";
3254
57dee9bb
MC		 3255 /*
3256 * Note: There is no test for inconsistent SNI with late client detection.
3257 * This is because servers do not acknowledge SNI even if they are using
3258 * it in a resumption handshake - so it is not actually possible for a
3259 * client to detect a problem.
3260 */
976e5323
MC		 3261 switch (idx) {
3262 case 0:
57dee9bb 3263 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 3264 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3265 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3266 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3267 goto end;
3268 break;
3269
3270 case 1:
57dee9bb 3271 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 3272 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3273 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 3274 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3275 GOODALPNLEN))
3276 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3277 BADALPNLEN)))
976e5323
MC		 3278 goto end;
3279 break;
3280
3281 case 2:
3282 /*
3283 * Set invalid protocol version. Technically this affects PSKs without
3284 * early_data too, but we test it here because it is similar to the
3285 * SNI/ALPN consistency tests.
3286 */
3287 err = SSL_R_BAD_PSK;
3288 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3289 goto end;
3290 break;
3291
3292 case 3:
3293 /*
3294 * Set inconsistent SNI (server detected). In this case the connection
3295 * will succeed but reject early_data.
3296 */
281bf233
MC		 3297 SSL_SESSION_free(serverpsk);
3298 serverpsk = SSL_SESSION_dup(clientpsk);
3299 if (!TEST_ptr(serverpsk)
3300 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3301 goto end;
976e5323
MC		 3302 edstatus = SSL_EARLY_DATA_REJECTED;
3303 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3304 /* Fall through */
3305 case 4:
3306 /* Set consistent SNI */
976e5323
MC		 3307 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3308 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3309 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3310 hostname_cb)))
3311 goto end;
3312 break;
3313
3314 case 5:
3315 /*
3316 * Set inconsistent ALPN (server detected). In this case the connection
3317 * will succeed but reject early_data.
3318 */
3319 servalpn = "badalpn";
3320 edstatus = SSL_EARLY_DATA_REJECTED;
3321 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3322 /* Fall through */
3323 case 6:
976e5323 3324 /*
57dee9bb 3325 * Set consistent ALPN.
976e5323
MC		 3326 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3327 * accepts a list of protos (each one length prefixed).
3328 * SSL_set1_alpn_selected accepts a single protocol (not length
3329 * prefixed)
3330 */
57dee9bb
MC		 3331 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3332 GOODALPNLEN - 1))
3333 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3334 GOODALPNLEN)))
976e5323
MC		 3335 goto end;
3336
3337 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3338 break;
3339
57dee9bb
MC		 3340 case 7:
3341 /* Set inconsistent ALPN (late client detection) */
3342 SSL_SESSION_free(serverpsk);
3343 serverpsk = SSL_SESSION_dup(clientpsk);
3344 if (!TEST_ptr(serverpsk)
3345 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3346 BADALPN + 1,
3347 BADALPNLEN - 1))
3348 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3349 GOODALPN + 1,
3350 GOODALPNLEN - 1))
3351 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3352 sizeof(alpnlist))))
3353 goto end;
3354 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3355 edstatus = SSL_EARLY_DATA_ACCEPTED;
3356 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3357 /* SSL_connect() call should fail */
3358 connectres = -1;
3359 break;
3360
976e5323
MC		 3361 default:
3362 TEST_error("Bad test index");
3363 goto end;
3364 }
3365
3366 SSL_set_connect_state(clientssl);
3367 if (err != 0) {
3368 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3369 &written))
3370 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3371 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3372 goto end;
3373 } else {
3374 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 3375 &written)))
3376 goto end;
3377
3378 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3379 &readbytes), readearlyres)
976e5323
MC		 3380 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3381 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 3382 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3383 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 3384 goto end;
3385 }
3386
3387 testresult = 1;
3388
3389 end:
c20e3b28 3390 SSL_SESSION_free(sess);
57dee9bb
MC		 3391 SSL_SESSION_free(clientpsk);
3392 SSL_SESSION_free(serverpsk);
3393 clientpsk = serverpsk = NULL;
976e5323
MC		 3394 SSL_free(serverssl);
3395 SSL_free(clientssl);
3396 SSL_CTX_free(sctx);
3397 SSL_CTX_free(cctx);
3398 return testresult;
3399}
3400
710756a9
RS		 3401/*
3402 * Test that a server that doesn't try to read early data can handle a
3403 * client sending some.
3404 */
3cb47b4e 3405static int test_early_data_not_expected(int idx)
5f982038
MC		 3406{
3407 SSL_CTX *cctx = NULL, *sctx = NULL;
3408 SSL *clientssl = NULL, *serverssl = NULL;
3409 int testresult = 0;
018fcbec 3410 SSL_SESSION *sess = NULL;
5f982038
MC		 3411 unsigned char buf[20];
3412 size_t readbytes, written;
3413
710756a9
RS		 3414 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3415 &serverssl, &sess, idx)))
5f982038
MC		 3416 goto end;
3417
3418 /* Write some early data */
710756a9
RS		 3419 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3420 &written)))
5f982038 3421 goto end;
5f982038
MC		 3422
3423 /*
3424 * Server should skip over early data and then block waiting for client to
3425 * continue handshake
3426 */
710756a9
RS		 3427 if (!TEST_int_le(SSL_accept(serverssl), 0)
3428 || !TEST_int_gt(SSL_connect(clientssl), 0)
3429 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3430 SSL_EARLY_DATA_REJECTED)
3431 || !TEST_int_gt(SSL_accept(serverssl), 0)
3432 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3433 SSL_EARLY_DATA_REJECTED))
5f982038 3434 goto end;
5f982038
MC		 3435
3436 /* Send some normal data from client to server */
710756a9
RS		 3437 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3438 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 3439 goto end;
5f982038 3440
710756a9
RS		 3441 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3442 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3443 goto end;
5f982038
MC		 3444
3445 testresult = 1;
3446
3447 end:
5f982038 3448 SSL_SESSION_free(sess);
c20e3b28 3449 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3450 SSL_SESSION_free(serverpsk);
3451 clientpsk = serverpsk = NULL;
5f982038
MC		 3452 SSL_free(serverssl);
3453 SSL_free(clientssl);
3454 SSL_CTX_free(sctx);
3455 SSL_CTX_free(cctx);
5f982038
MC		 3456 return testresult;
3457}
3458
3459
3460# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 3461/*
3462 * Test that a server attempting to read early data can handle a connection
3463 * from a TLSv1.2 client.
3464 */
3cb47b4e 3465static int test_early_data_tls1_2(int idx)
5f982038
MC		 3466{
3467 SSL_CTX *cctx = NULL, *sctx = NULL;
3468 SSL *clientssl = NULL, *serverssl = NULL;
3469 int testresult = 0;
3470 unsigned char buf[20];
3471 size_t readbytes, written;
3472
02a3ed5a
MC		 3473 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3474 &serverssl, NULL, idx)))
5f982038 3475 goto end;
5f982038
MC		 3476
3477 /* Write some data - should block due to handshake with server */
3478 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
3479 SSL_set_connect_state(clientssl);
710756a9 3480 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 3481 goto end;
5f982038
MC		 3482
3483 /*
3484 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 3485 * messages from client after ServerDone. Then SSL_read_early_data should
3486 * finish and detect that early data has not been sent
5f982038 3487 */
710756a9
RS		 3488 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3489 &readbytes),
3490 SSL_READ_EARLY_DATA_ERROR))
5f982038 3491 goto end;
5f982038
MC		 3492
3493 /*
3494 * Continue writing the message we started earlier. Will still block waiting
3495 * for the CCS/Finished from server
3496 */
710756a9
RS		 3497 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3498 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3499 &readbytes),
3500 SSL_READ_EARLY_DATA_FINISH)
3501 || !TEST_size_t_eq(readbytes, 0)
3502 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3503 SSL_EARLY_DATA_NOT_SENT))
5f982038 3504 goto end;
5f982038
MC		 3505
3506 /* Continue writing the message we started earlier */
710756a9
RS		 3507 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3508 || !TEST_size_t_eq(written, strlen(MSG1))
3509 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3510 SSL_EARLY_DATA_NOT_SENT)
3511 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3512 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3513 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
3514 || !TEST_size_t_eq(written, strlen(MSG2))
3515 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
3516 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3517 goto end;
5f982038
MC		 3518
3519 testresult = 1;
3520
3521 end:
57dee9bb
MC		 3522 SSL_SESSION_free(clientpsk);
3523 SSL_SESSION_free(serverpsk);
3524 clientpsk = serverpsk = NULL;
5f982038
MC		 3525 SSL_free(serverssl);
3526 SSL_free(clientssl);
3527 SSL_CTX_free(sctx);
3528 SSL_CTX_free(cctx);
3529
3530 return testresult;
3531}
ca0413ae
MC		 3532# endif /* OPENSSL_NO_TLS1_2 */
3533
034cb87b
MC		 3534/*
3535 * Test configuring the TLSv1.3 ciphersuites
3536 *
3537 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3538 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3539 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3540 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3541 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3542 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3543 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3544 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3545 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3546 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3547 */
3548static int test_set_ciphersuite(int idx)
3549{
3550 SSL_CTX *cctx = NULL, *sctx = NULL;
3551 SSL *clientssl = NULL, *serverssl = NULL;
3552 int testresult = 0;
3553
3554 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 3555 TLS1_VERSION, 0,
034cb87b
MC		 3556 &sctx, &cctx, cert, privkey))
3557 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3558 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3559 goto end;
3560
3561 if (idx >=4 && idx <= 7) {
3562 /* SSL_CTX explicit cipher list */
3563 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3564 goto end;
3565 }
3566
3567 if (idx == 0 || idx == 4) {
3568 /* Default ciphersuite */
3569 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3570 "TLS_AES_128_GCM_SHA256")))
3571 goto end;
3572 } else if (idx == 1 || idx == 5) {
3573 /* Non default ciphersuite */
3574 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3575 "TLS_AES_128_CCM_SHA256")))
3576 goto end;
3577 }
3578
3579 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3580 &clientssl, NULL, NULL)))
3581 goto end;
3582
3583 if (idx == 8 || idx == 9) {
3584 /* SSL explicit cipher list */
3585 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3586 goto end;
3587 }
3588
3589 if (idx == 2 || idx == 6 || idx == 8) {
3590 /* Default ciphersuite */
3591 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3592 "TLS_AES_128_GCM_SHA256")))
3593 goto end;
3594 } else if (idx == 3 || idx == 7 || idx == 9) {
3595 /* Non default ciphersuite */
3596 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3597 "TLS_AES_128_CCM_SHA256")))
3598 goto end;
3599 }
3600
3601 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3602 goto end;
3603
3604 testresult = 1;
3605
3606 end:
3607 SSL_free(serverssl);
3608 SSL_free(clientssl);
3609 SSL_CTX_free(sctx);
3610 SSL_CTX_free(cctx);
3611
3612 return testresult;
3613}
3614
ca0413ae
MC		 3615static int test_ciphersuite_change(void)
3616{
3617 SSL_CTX *cctx = NULL, *sctx = NULL;
3618 SSL *clientssl = NULL, *serverssl = NULL;
3619 SSL_SESSION *clntsess = NULL;
3620 int testresult = 0;
3621 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
3622
3623 /* Create a session based on SHA-256 */
7d7f6834 3624 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 3625 TLS1_VERSION, 0,
7d7f6834 3626 &sctx, &cctx, cert, privkey))
f865b081
MC		 3627 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
3628 "TLS_AES_128_GCM_SHA256"))
ca0413ae
MC		 3629 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3630 &clientssl, NULL, NULL))
3631 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3632 SSL_ERROR_NONE)))
3633 goto end;
3634
3635 clntsess = SSL_get1_session(clientssl);
3636 /* Save for later */
3637 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
3638 SSL_shutdown(clientssl);
3639 SSL_shutdown(serverssl);
3640 SSL_free(serverssl);
3641 SSL_free(clientssl);
3642 serverssl = clientssl = NULL;
3643
71cff963 3644# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
ca0413ae 3645 /* Check we can resume a session with a different SHA-256 ciphersuite */
f865b081
MC		 3646 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3647 "TLS_CHACHA20_POLY1305_SHA256"))
ca0413ae
MC		 3648 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3649 NULL, NULL))
3650 || !TEST_true(SSL_set_session(clientssl, clntsess))
3651 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3652 SSL_ERROR_NONE))
3653 || !TEST_true(SSL_session_reused(clientssl)))
3654 goto end;
3655
3656 SSL_SESSION_free(clntsess);
3657 clntsess = SSL_get1_session(clientssl);
3658 SSL_shutdown(clientssl);
3659 SSL_shutdown(serverssl);
3660 SSL_free(serverssl);
3661 SSL_free(clientssl);
3662 serverssl = clientssl = NULL;
71cff963 3663# endif
ca0413ae
MC		 3664
3665 /*
3666 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 3667 * succeeds but does not resume.
ca0413ae 3668 */
f865b081 3669 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 3670 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3671 NULL, NULL))
3672 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 3673 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 3674 SSL_ERROR_SSL))
0de6d66d 3675 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 3676 goto end;
3677
3678 SSL_SESSION_free(clntsess);
3679 clntsess = NULL;
3680 SSL_shutdown(clientssl);
3681 SSL_shutdown(serverssl);
3682 SSL_free(serverssl);
3683 SSL_free(clientssl);
3684 serverssl = clientssl = NULL;
3685
3686 /* Create a session based on SHA384 */
f865b081 3687 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 3688 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3689 &clientssl, NULL, NULL))
3690 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3691 SSL_ERROR_NONE)))
3692 goto end;
3693
3694 clntsess = SSL_get1_session(clientssl);
3695 SSL_shutdown(clientssl);
3696 SSL_shutdown(serverssl);
3697 SSL_free(serverssl);
3698 SSL_free(clientssl);
3699 serverssl = clientssl = NULL;
3700
f865b081
MC		 3701 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3702 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3703 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3704 "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 3705 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3706 NULL, NULL))
3707 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 3708 /*
3709 * We use SSL_ERROR_WANT_READ below so that we can pause the
3710 * connection after the initial ClientHello has been sent to
3711 * enable us to make some session changes.
3712 */
ca0413ae
MC		 3713 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3714 SSL_ERROR_WANT_READ)))
3715 goto end;
3716
3717 /* Trick the client into thinking this session is for a different digest */
3718 clntsess->cipher = aes_128_gcm_sha256;
3719 clntsess->cipher_id = clntsess->cipher->id;
3720
3721 /*
3b0e88d3
MC		 3722 * Continue the previously started connection. Server has selected a SHA-384
3723 * ciphersuite, but client thinks the session is for SHA-256, so it should
3724 * bail out.
ca0413ae
MC		 3725 */
3726 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
3727 SSL_ERROR_SSL))
3728 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
3729 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
3730 goto end;
3731
3732 testresult = 1;
3733
3734 end:
3735 SSL_SESSION_free(clntsess);
3736 SSL_free(serverssl);
3737 SSL_free(clientssl);
3738 SSL_CTX_free(sctx);
3739 SSL_CTX_free(cctx);
3740
3741 return testresult;
3742}
3743
8e63900a 3744/*
5bf2eade 3745 * Test TLSv1.3 Key exchange
3746 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
3747 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
3748 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
3749 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
3750 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
3751 * Test 5 = Test NID_X448 with TLSv1.3 client and server
3752 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
3753 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
3754 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
3755 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
3756 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
3757 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
3758 * Test 12 = Test all ECDHE with TLSv1.2 client and server
3759 * Test 13 = Test all FFDHE with TLSv1.2 client and server
8e63900a 3760 */
db26ec80 3761static int test_key_exchange(int idx)
8e63900a 3762{
3763 SSL_CTX *sctx = NULL, *cctx = NULL;
3764 SSL *serverssl = NULL, *clientssl = NULL;
3765 int testresult = 0;
5bf2eade 3766# ifndef OPENSSL_NO_EC
3767 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
3768 NID_secp521r1, NID_X25519, NID_X448};
3769# endif
3770# ifndef OPENSSL_NO_DH
8e63900a 3771 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
3772 NID_ffdhe6144, NID_ffdhe8192};
5bf2eade 3773# endif
fb8c6db4 3774 int kexch_alg;
3775 int *kexch_groups = &kexch_alg;
3776 int kexch_groups_size = 1;
8e63900a 3777 int max_version = TLS1_3_VERSION;
8e63900a 3778
3779 switch (idx) {
5bf2eade 3780# ifndef OPENSSL_NO_EC
db26ec80 3781# ifndef OPENSSL_NO_TLS1_2
5bf2eade 3782 case 12:
fb8c6db4 3783 max_version = TLS1_2_VERSION;
db26ec80 3784# endif
fb8c6db4 3785 /* Fall through */
3786 case 0:
3787 kexch_groups = ecdhe_kexch_groups;
3788 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
3789 break;
5bf2eade 3790 case 1:
fb8c6db4 3791 kexch_alg = NID_X9_62_prime256v1;
3792 break;
5bf2eade 3793 case 2:
fb8c6db4 3794 kexch_alg = NID_secp384r1;
3795 break;
5bf2eade 3796 case 3:
fb8c6db4 3797 kexch_alg = NID_secp521r1;
3798 break;
5bf2eade 3799 case 4:
fb8c6db4 3800 kexch_alg = NID_X25519;
3801 break;
5bf2eade 3802 case 5:
fb8c6db4 3803 kexch_alg = NID_X448;
3804 break;
5bf2eade 3805# endif
3806# ifndef OPENSSL_NO_DH
db26ec80 3807# ifndef OPENSSL_NO_TLS1_2
5bf2eade 3808 case 13:
dbc6268f 3809 max_version = TLS1_2_VERSION;
db26ec80 3810# endif
dbc6268f 3811 /* Fall through */
5bf2eade 3812 case 6:
8e63900a 3813 kexch_groups = ffdhe_kexch_groups;
3814 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
3815 break;
5bf2eade 3816 case 7:
fb8c6db4 3817 kexch_alg = NID_ffdhe2048;
3818 break;
5bf2eade 3819 case 8:
fb8c6db4 3820 kexch_alg = NID_ffdhe3072;
3821 break;
5bf2eade 3822 case 9:
fb8c6db4 3823 kexch_alg = NID_ffdhe4096;
3824 break;
5bf2eade 3825 case 10:
fb8c6db4 3826 kexch_alg = NID_ffdhe6144;
3827 break;
5bf2eade 3828 case 11:
fb8c6db4 3829 kexch_alg = NID_ffdhe8192;
8e63900a 3830 break;
5bf2eade 3831# endif
6597d62b
MC		 3832 default:
3833 /* We're skipping this test */
3834 return 1;
8e63900a 3835 }
3836
3837 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3838 TLS1_VERSION, max_version,
3839 &sctx, &cctx, cert, privkey)))
3840 goto end;
3841
5bf2eade 3842 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
3843 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 3844 goto end;
3845
5bf2eade 3846 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3847 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 3848 goto end;
3849
5bf2eade 3850 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
3851 TLS1_TXT_RSA_WITH_AES_128_SHA)))
8e63900a 3852 goto end;
3853
dbc6268f
MC		 3854 /*
3855 * Must include an EC ciphersuite so that we send supported groups in
3856 * TLSv1.2
3857 */
5bf2eade 3858# ifndef OPENSSL_NO_TLS1_2
dbc6268f
MC		 3859 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
3860 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
3861 TLS1_TXT_RSA_WITH_AES_128_SHA)))
8e63900a 3862 goto end;
5bf2eade 3863# endif
8e63900a 3864
3865 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3866 NULL, NULL)))
3867 goto end;
3868
3869 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
3870 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
3871 goto end;
3872
5bf2eade 3873 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8e63900a 3874 goto end;
8e63900a 3875
dbc6268f 3876 /*
5bf2eade 3877 * If Handshake succeeds the negotiated kexch alg should be the first one in
3878 * configured, except in the case of FFDHE groups (idx 13), which are
3879 * TLSv1.3 only so we expect no shared group to exist.
dbc6268f
MC		 3880 */
3881 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
5bf2eade 3882 idx == 13 ? 0 : kexch_groups[0]))
8e63900a 3883 goto end;
fb8c6db4 3884 if (max_version == TLS1_3_VERSION) {
3885 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
3886 goto end;
3887 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
3888 goto end;
3889 }
8e63900a 3890
3891 testresult = 1;
3892 end:
3893 SSL_free(serverssl);
3894 SSL_free(clientssl);
3895 SSL_CTX_free(sctx);
3896 SSL_CTX_free(cctx);
3897 return testresult;
3898}
3899
5bf2eade 3900/*
3901 * Test TLSv1.3 Cipher Suite
3902 * Test 0 = Set TLS1.3 cipher on context
3903 * Test 1 = Set TLS1.3 cipher on SSL
3904 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
3905 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
3906 */
3907static int test_tls13_ciphersuite(int idx)
3908{
3909 SSL_CTX *sctx = NULL, *cctx = NULL;
3910 SSL *serverssl = NULL, *clientssl = NULL;
3911 static const char *t13_ciphers[] = {
3912 TLS1_3_RFC_AES_128_GCM_SHA256,
3913 TLS1_3_RFC_AES_256_GCM_SHA384,
3914 TLS1_3_RFC_AES_128_CCM_SHA256,
3915# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3916 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3917 TLS1_3_RFC_AES_256_GCM_SHA384 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3918# endif
3919 TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256
3920 };
3921 const char *t13_cipher = NULL;
3922 const char *t12_cipher = NULL;
3923 const char *negotiated_scipher;
3924 const char *negotiated_ccipher;
3925 int set_at_ctx = 0;
3926 int set_at_ssl = 0;
3927 int testresult = 0;
3928 int max_ver;
3929 size_t i;
3930
3931 switch (idx) {
3932 case 0:
3933 set_at_ctx = 1;
3934 break;
3935 case 1:
3936 set_at_ssl = 1;
3937 break;
3938 case 2:
3939 set_at_ctx = 1;
3940 t12_cipher = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256;
3941 break;
3942 case 3:
3943 set_at_ssl = 1;
3944 t12_cipher = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256;
3945 break;
3946 }
3947
3948 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
3949# ifdef OPENSSL_NO_TLS1_2
3950 if (max_ver == TLS1_2_VERSION)
3951 continue;
3952# endif
3953 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
3954 t13_cipher = t13_ciphers[i];
3955 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3956 TLS_client_method(),
3957 TLS1_VERSION, max_ver,
3958 &sctx, &cctx, cert, privkey)))
3959 goto end;
3960
3961 if (set_at_ctx) {
3962 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
3963 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
3964 goto end;
3965 if (t12_cipher != NULL) {
3966 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
3967 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
3968 t12_cipher)))
3969 goto end;
3970 }
3971 }
3972
3973 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3974 &clientssl, NULL, NULL)))
3975 goto end;
3976
3977 if (set_at_ssl) {
3978 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
3979 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
3980 goto end;
3981 if (t12_cipher != NULL) {
3982 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
3983 || !TEST_true(SSL_set_cipher_list(clientssl,
3984 t12_cipher)))
3985 goto end;
3986 }
3987 }
3988
3989 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3990 SSL_ERROR_NONE)))
3991 goto end;
3992
3993 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
3994 serverssl));
3995 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
3996 clientssl));
3997 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
3998 goto end;
3999
4000 /*
4001 * TEST_strn_eq is used below because t13_cipher can contain
4002 * multiple ciphersuites
4003 */
4004 if (max_ver == TLS1_3_VERSION
4005 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
4006 strlen(negotiated_scipher)))
4007 goto end;
4008
4009# ifndef OPENSSL_NO_TLS1_2
4010 /* Below validation is not done when t12_cipher is NULL */
4011 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
4012 && !TEST_str_eq(t12_cipher, negotiated_scipher))
4013 goto end;
4014# endif
4015
4016 SSL_free(serverssl);
4017 serverssl = NULL;
4018 SSL_free(clientssl);
4019 clientssl = NULL;
4020 SSL_CTX_free(sctx);
4021 sctx = NULL;
4022 SSL_CTX_free(cctx);
4023 cctx = NULL;
4024 }
4025 }
4026
4027 testresult = 1;
4028 end:
4029 SSL_free(serverssl);
4030 SSL_free(clientssl);
4031 SSL_CTX_free(sctx);
4032 SSL_CTX_free(cctx);
4033 return testresult;
4034}
4035
0d8da779
MC		 4036/*
4037 * Test TLSv1.3 PSKs
4038 * Test 0 = Test new style callbacks
4039 * Test 1 = Test both new and old style callbacks
4040 * Test 2 = Test old style callbacks
4041 * Test 3 = Test old style callbacks with no certificate
4042 */
532f9578 4043static int test_tls13_psk(int idx)
ca8c71ba
MC		 4044{
4045 SSL_CTX *sctx = NULL, *cctx = NULL;
4046 SSL *serverssl = NULL, *clientssl = NULL;
4047 const SSL_CIPHER *cipher = NULL;
4048 const unsigned char key[] = {
4049 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4050 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 4051 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
4052 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 4053 };
4054 int testresult = 0;
4055
7d7f6834 4056 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 4057 TLS1_VERSION, 0,
0d8da779
MC		 4058 &sctx, &cctx, idx == 3 ? NULL : cert,
4059 idx == 3 ? NULL : privkey)))
ca8c71ba
MC		 4060 goto end;
4061
0d8da779
MC		 4062 if (idx != 3) {
4063 /*
4064 * We use a ciphersuite with SHA256 to ease testing old style PSK
4065 * callbacks which will always default to SHA256. This should not be
4066 * necessary if we have no cert/priv key. In that case the server should
4067 * prefer SHA256 automatically.
4068 */
4069 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4070 "TLS_AES_128_GCM_SHA256")))
4071 goto end;
4072 }
532f9578
MC		 4073
4074 /*
4075 * Test 0: New style callbacks only
4076 * Test 1: New and old style callbacks (only the new ones should be used)
4077 * Test 2: Old style callbacks only
4078 */
4079 if (idx == 0 || idx == 1) {
4080 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
4081 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
4082 }
c2b290c3 4083#ifndef OPENSSL_NO_PSK
0d8da779 4084 if (idx >= 1) {
532f9578
MC		 4085 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
4086 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
4087 }
c2b290c3 4088#endif
ca8c71ba 4089 srvid = pskid;
02a3ed5a
MC		 4090 use_session_cb_cnt = 0;
4091 find_session_cb_cnt = 0;
532f9578
MC		 4092 psk_client_cb_cnt = 0;
4093 psk_server_cb_cnt = 0;
ca8c71ba 4094
0d8da779
MC		 4095 if (idx != 3) {
4096 /*
4097 * Check we can create a connection if callback decides not to send a
4098 * PSK
4099 */
4100 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4101 NULL, NULL))
4102 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4103 SSL_ERROR_NONE))
4104 || !TEST_false(SSL_session_reused(clientssl))
4105 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 4106 goto end;
532f9578 4107
0d8da779
MC		 4108 if (idx == 0 || idx == 1) {
4109 if (!TEST_true(use_session_cb_cnt == 1)
4110 || !TEST_true(find_session_cb_cnt == 0)
4111 /*
4112 * If no old style callback then below should be 0
4113 * otherwise 1
4114 */
4115 || !TEST_true(psk_client_cb_cnt == idx)
4116 || !TEST_true(psk_server_cb_cnt == 0))
4117 goto end;
4118 } else {
4119 if (!TEST_true(use_session_cb_cnt == 0)
4120 || !TEST_true(find_session_cb_cnt == 0)
4121 || !TEST_true(psk_client_cb_cnt == 1)
4122 || !TEST_true(psk_server_cb_cnt == 0))
4123 goto end;
4124 }
4125
4126 shutdown_ssl_connection(serverssl, clientssl);
4127 serverssl = clientssl = NULL;
4128 use_session_cb_cnt = psk_client_cb_cnt = 0;
4129 }
ca8c71ba
MC		 4130
4131 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4132 NULL, NULL)))
4133 goto end;
4134
4135 /* Create the PSK */
532f9578 4136 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 4137 clientpsk = SSL_SESSION_new();
4138 if (!TEST_ptr(clientpsk)
ca8c71ba 4139 || !TEST_ptr(cipher)
57dee9bb
MC		 4140 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4141 sizeof(key)))
4142 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4143 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4144 TLS1_3_VERSION))
4145 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 4146 goto end;
57dee9bb 4147 serverpsk = clientpsk;
ca8c71ba
MC		 4148
4149 /* Check we can create a connection and the PSK is used */
4150 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4151 || !TEST_true(SSL_session_reused(clientssl))
532f9578 4152 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 4153 goto end;
4154
532f9578
MC		 4155 if (idx == 0 || idx == 1) {
4156 if (!TEST_true(use_session_cb_cnt == 1)
4157 || !TEST_true(find_session_cb_cnt == 1)
4158 || !TEST_true(psk_client_cb_cnt == 0)
4159 || !TEST_true(psk_server_cb_cnt == 0))
4160 goto end;
4161 } else {
4162 if (!TEST_true(use_session_cb_cnt == 0)
4163 || !TEST_true(find_session_cb_cnt == 0)
4164 || !TEST_true(psk_client_cb_cnt == 1)
4165 || !TEST_true(psk_server_cb_cnt == 1))
4166 goto end;
4167 }
4168
ca8c71ba
MC		 4169 shutdown_ssl_connection(serverssl, clientssl);
4170 serverssl = clientssl = NULL;
4171 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 4172 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 4173
4174 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4175 NULL, NULL)))
4176 goto end;
4177
4178 /* Force an HRR */
dbc6268f
MC		 4179#if defined(OPENSSL_NO_EC)
4180 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4181 goto end;
4182#else
ca8c71ba
MC		 4183 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4184 goto end;
dbc6268f 4185#endif
ca8c71ba
MC		 4186
4187 /*
4188 * Check we can create a connection, the PSK is used and the callbacks are
4189 * called twice.
4190 */
4191 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4192 || !TEST_true(SSL_session_reused(clientssl))
532f9578 4193 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 4194 goto end;
4195
532f9578
MC		 4196 if (idx == 0 || idx == 1) {
4197 if (!TEST_true(use_session_cb_cnt == 2)
4198 || !TEST_true(find_session_cb_cnt == 2)
4199 || !TEST_true(psk_client_cb_cnt == 0)
4200 || !TEST_true(psk_server_cb_cnt == 0))
4201 goto end;
4202 } else {
4203 if (!TEST_true(use_session_cb_cnt == 0)
4204 || !TEST_true(find_session_cb_cnt == 0)
4205 || !TEST_true(psk_client_cb_cnt == 2)
4206 || !TEST_true(psk_server_cb_cnt == 2))
4207 goto end;
4208 }
4209
ca8c71ba
MC		 4210 shutdown_ssl_connection(serverssl, clientssl);
4211 serverssl = clientssl = NULL;
4212 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 4213 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba 4214
0d8da779
MC		 4215 if (idx != 3) {
4216 /*
4217 * Check that if the server rejects the PSK we can still connect, but with
4218 * a full handshake
4219 */
4220 srvid = "Dummy Identity";
4221 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4222 NULL, NULL))
4223 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4224 SSL_ERROR_NONE))
4225 || !TEST_false(SSL_session_reused(clientssl))
4226 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 4227 goto end;
532f9578 4228
0d8da779
MC		 4229 if (idx == 0 || idx == 1) {
4230 if (!TEST_true(use_session_cb_cnt == 1)
4231 || !TEST_true(find_session_cb_cnt == 1)
4232 || !TEST_true(psk_client_cb_cnt == 0)
4233 /*
4234 * If no old style callback then below should be 0
4235 * otherwise 1
4236 */
4237 || !TEST_true(psk_server_cb_cnt == idx))
4238 goto end;
4239 } else {
4240 if (!TEST_true(use_session_cb_cnt == 0)
4241 || !TEST_true(find_session_cb_cnt == 0)
4242 || !TEST_true(psk_client_cb_cnt == 1)
4243 || !TEST_true(psk_server_cb_cnt == 1))
4244 goto end;
4245 }
4246
4247 shutdown_ssl_connection(serverssl, clientssl);
4248 serverssl = clientssl = NULL;
4249 }
ca8c71ba
MC		 4250 testresult = 1;
4251
4252 end:
57dee9bb
MC		 4253 SSL_SESSION_free(clientpsk);
4254 SSL_SESSION_free(serverpsk);
4255 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 4256 SSL_free(serverssl);
4257 SSL_free(clientssl);
4258 SSL_CTX_free(sctx);
4259 SSL_CTX_free(cctx);
4260 return testresult;
4261}
4262
c7b8ff25
MC		 4263static unsigned char cookie_magic_value[] = "cookie magic";
4264
4265static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
4266 unsigned int *cookie_len)
4267{
4268 /*
4269 * Not suitable as a real cookie generation function but good enough for
4270 * testing!
4271 */
97ea1e7f
MC		 4272 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
4273 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 4274
4275 return 1;
4276}
4277
4278static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
4279 unsigned int cookie_len)
4280{
97ea1e7f 4281 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 4282 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
4283 return 1;
4284
4285 return 0;
4286}
4287
3fa2812f
BS		 4288static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
4289 size_t *cookie_len)
4290{
4291 unsigned int temp;
4292 int res = generate_cookie_callback(ssl, cookie, &temp);
4293 *cookie_len = temp;
4294 return res;
4295}
4296
4297static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
4298 size_t cookie_len)
4299{
4300 return verify_cookie_callback(ssl, cookie, cookie_len);
4301}
4302
c7b8ff25
MC		 4303static int test_stateless(void)
4304{
4305 SSL_CTX *sctx = NULL, *cctx = NULL;
4306 SSL *serverssl = NULL, *clientssl = NULL;
4307 int testresult = 0;
4308
7d7f6834 4309 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 4310 TLS1_VERSION, 0,
7d7f6834 4311 &sctx, &cctx, cert, privkey)))
c7b8ff25
MC		 4312 goto end;
4313
e440f513
MC		 4314 /* The arrival of CCS messages can confuse the test */
4315 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
4316
4317 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4318 NULL, NULL))
4319 /* Send the first ClientHello */
4320 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4321 SSL_ERROR_WANT_READ))
4322 /*
4323 * This should fail with a -1 return because we have no callbacks
4324 * set up
4325 */
4326 || !TEST_int_eq(SSL_stateless(serverssl), -1))
4327 goto end;
4328
4329 /* Fatal error so abandon the connection from this client */
4330 SSL_free(clientssl);
4331 clientssl = NULL;
4332
c7b8ff25 4333 /* Set up the cookie generation and verification callbacks */
3fa2812f
BS		 4334 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
4335 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
c7b8ff25 4336
e440f513
MC		 4337 /*
4338 * Create a new connection from the client (we can reuse the server SSL
4339 * object).
4340 */
c7b8ff25
MC		 4341 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4342 NULL, NULL))
4343 /* Send the first ClientHello */
4344 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4345 SSL_ERROR_WANT_READ))
4346 /* This should fail because there is no cookie */
e440f513 4347 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 4348 goto end;
4349
4350 /* Abandon the connection from this client */
4351 SSL_free(clientssl);
4352 clientssl = NULL;
4353
4354 /*
4355 * Now create a connection from a new client but with the same server SSL
4356 * object
4357 */
4358 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4359 NULL, NULL))
4360 /* Send the first ClientHello */
4361 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4362 SSL_ERROR_WANT_READ))
4363 /* This should fail because there is no cookie */
e440f513 4364 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 4365 /* Send the second ClientHello */
4366 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4367 SSL_ERROR_WANT_READ))
4368 /* This should succeed because a cookie is now present */
e440f513 4369 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 4370 /* Complete the connection */
4371 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4372 SSL_ERROR_NONE)))
4373 goto end;
4374
4375 shutdown_ssl_connection(serverssl, clientssl);
4376 serverssl = clientssl = NULL;
4377 testresult = 1;
4378
4379 end:
4380 SSL_free(serverssl);
4381 SSL_free(clientssl);
4382 SSL_CTX_free(sctx);
4383 SSL_CTX_free(cctx);
4384 return testresult;
4385
4386}
ca0413ae 4387#endif /* OPENSSL_NO_TLS1_3 */
5f982038 4388
a37008d9
MC		 4389static int clntaddoldcb = 0;
4390static int clntparseoldcb = 0;
4391static int srvaddoldcb = 0;
4392static int srvparseoldcb = 0;
4393static int clntaddnewcb = 0;
4394static int clntparsenewcb = 0;
4395static int srvaddnewcb = 0;
4396static int srvparsenewcb = 0;
bb01ef3f 4397static int snicb = 0;
a37008d9
MC		 4398
4399#define TEST_EXT_TYPE1 0xff00
4400
4401static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
4402 size_t *outlen, int *al, void *add_arg)
4403{
4404 int *server = (int *)add_arg;
4405 unsigned char *data;
4406
4407 if (SSL_is_server(s))
4408 srvaddoldcb++;
4409 else
4410 clntaddoldcb++;
4411
710756a9
RS		 4412 if (*server != SSL_is_server(s)
4413 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 4414 return -1;
4415
4416 *data = 1;
4417 *out = data;
4418 *outlen = sizeof(char);
a37008d9
MC		 4419 return 1;
4420}
4421
4422static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
4423 void *add_arg)
4424{
4425 OPENSSL_free((unsigned char *)out);
4426}
4427
4428static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
4429 size_t inlen, int *al, void *parse_arg)
4430{
4431 int *server = (int *)parse_arg;
4432
4433 if (SSL_is_server(s))
4434 srvparseoldcb++;
4435 else
4436 clntparseoldcb++;
4437
710756a9
RS		 4438 if (*server != SSL_is_server(s)
4439 || inlen != sizeof(char)
4440 || *in != 1)
a37008d9
MC		 4441 return -1;
4442
4443 return 1;
4444}
4445
4446static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
4447 const unsigned char **out, size_t *outlen, X509 *x,
4448 size_t chainidx, int *al, void *add_arg)
4449{
4450 int *server = (int *)add_arg;
4451 unsigned char *data;
4452
4453 if (SSL_is_server(s))
4454 srvaddnewcb++;
4455 else
4456 clntaddnewcb++;
4457
710756a9
RS		 4458 if (*server != SSL_is_server(s)
4459 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 4460 return -1;
4461
4462 *data = 1;
4463 *out = data;
710756a9 4464 *outlen = sizeof(*data);
a37008d9
MC		 4465 return 1;
4466}
4467
4468static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
4469 const unsigned char *out, void *add_arg)
4470{
4471 OPENSSL_free((unsigned char *)out);
4472}
4473
4474static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
4475 const unsigned char *in, size_t inlen, X509 *x,
4476 size_t chainidx, int *al, void *parse_arg)
4477{
4478 int *server = (int *)parse_arg;
4479
4480 if (SSL_is_server(s))
4481 srvparsenewcb++;
4482 else
4483 clntparsenewcb++;
4484
710756a9
RS		 4485 if (*server != SSL_is_server(s)
4486 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 4487 return -1;
4488
4489 return 1;
4490}
bb01ef3f
MC		 4491
4492static int sni_cb(SSL *s, int *al, void *arg)
4493{
4494 SSL_CTX *ctx = (SSL_CTX *)arg;
4495
4496 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
4497 *al = SSL_AD_INTERNAL_ERROR;
4498 return SSL_TLSEXT_ERR_ALERT_FATAL;
4499 }
4500 snicb++;
4501 return SSL_TLSEXT_ERR_OK;
4502}
4503
a37008d9
MC		 4504/*
4505 * Custom call back tests.
4506 * Test 0: Old style callbacks in TLSv1.2
4507 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 4508 * Test 2: New style callbacks in TLSv1.2 with SNI
4509 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
4510 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
a37008d9 4511 */
710756a9
RS		 4512static int test_custom_exts(int tst)
4513{
bb01ef3f 4514 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 4515 SSL *clientssl = NULL, *serverssl = NULL;
4516 int testresult = 0;
4517 static int server = 1;
4518 static int client = 0;
4519 SSL_SESSION *sess = NULL;
4520 unsigned int context;
4521
c423ecaa
MC		 4522#if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
4523 /* Skip tests for TLSv1.2 and below in this case */
4524 if (tst < 3)
4525 return 1;
4526#endif
4527
a37008d9
MC		 4528 /* Reset callback counters */
4529 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
4530 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 4531 snicb = 0;
a37008d9 4532
7d7f6834 4533 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 4534 TLS1_VERSION, 0,
7d7f6834 4535 &sctx, &cctx, cert, privkey)))
710756a9 4536 goto end;
a37008d9 4537
bb01ef3f 4538 if (tst == 2
7d7f6834 4539 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
5c587fb6 4540 TLS1_VERSION, 0,
7d7f6834 4541 &sctx2, NULL, cert, privkey)))
bb01ef3f
MC		 4542 goto end;
4543
4544
4545 if (tst < 3) {
a37008d9
MC		 4546 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
4547 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 4548 if (sctx2 != NULL)
4549 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 4550 }
4551
bb01ef3f 4552 if (tst == 4) {
710756a9
RS		 4553 context = SSL_EXT_CLIENT_HELLO
4554 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 4555 | SSL_EXT_TLS1_3_SERVER_HELLO
4556 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
4557 | SSL_EXT_TLS1_3_CERTIFICATE
4558 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
4559 } else {
710756a9
RS		 4560 context = SSL_EXT_CLIENT_HELLO
4561 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 4562 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
4563 }
4564
4565 /* Create a client side custom extension */
4566 if (tst == 0) {
710756a9
RS		 4567 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4568 old_add_cb, old_free_cb,
4569 &client, old_parse_cb,
4570 &client)))
4571 goto end;
a37008d9 4572 } else {
710756a9
RS		 4573 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
4574 new_add_cb, new_free_cb,
4575 &client, new_parse_cb, &client)))
4576 goto end;
a37008d9
MC		 4577 }
4578
4579 /* Should not be able to add duplicates */
710756a9
RS		 4580 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4581 old_add_cb, old_free_cb,
4582 &client, old_parse_cb,
4583 &client))
4584 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
4585 context, new_add_cb,
4586 new_free_cb, &client,
4587 new_parse_cb, &client)))
4588 goto end;
a37008d9
MC		 4589
4590 /* Create a server side custom extension */
4591 if (tst == 0) {
710756a9
RS		 4592 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4593 old_add_cb, old_free_cb,
4594 &server, old_parse_cb,
4595 &server)))
4596 goto end;
a37008d9 4597 } else {
710756a9
RS		 4598 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
4599 new_add_cb, new_free_cb,
4600 &server, new_parse_cb, &server)))
4601 goto end;
bb01ef3f
MC		 4602 if (sctx2 != NULL
4603 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
4604 context, new_add_cb,
4605 new_free_cb, &server,
4606 new_parse_cb, &server)))
4607 goto end;
a37008d9
MC		 4608 }
4609
4610 /* Should not be able to add duplicates */
710756a9
RS		 4611 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4612 old_add_cb, old_free_cb,
4613 &server, old_parse_cb,
4614 &server))
4615 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
4616 context, new_add_cb,
4617 new_free_cb, &server,
4618 new_parse_cb, &server)))
a37008d9 4619 goto end;
a37008d9 4620
bb01ef3f
MC		 4621 if (tst == 2) {
4622 /* Set up SNI */
4623 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
4624 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
4625 goto end;
4626 }
4627
710756a9
RS		 4628 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4629 &clientssl, NULL, NULL))
4630 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4631 SSL_ERROR_NONE)))
a37008d9 4632 goto end;
a37008d9
MC		 4633
4634 if (tst == 0) {
710756a9
RS		 4635 if (clntaddoldcb != 1
4636 || clntparseoldcb != 1
4637 || srvaddoldcb != 1
4638 || srvparseoldcb != 1)
a37008d9 4639 goto end;
bb01ef3f 4640 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 4641 if (clntaddnewcb != 1
4642 || clntparsenewcb != 1
4643 || srvaddnewcb != 1
bb01ef3f
MC		 4644 || srvparsenewcb != 1
4645 || (tst != 2 && snicb != 0)
4646 || (tst == 2 && snicb != 1))
a37008d9 4647 goto end;
a37008d9 4648 } else {
36ff232c 4649 /* In this case there 2 NewSessionTicket messages created */
710756a9 4650 if (clntaddnewcb != 1
36ff232c
MC		 4651 || clntparsenewcb != 5
4652 || srvaddnewcb != 5
710756a9 4653 || srvparsenewcb != 1)
a37008d9 4654 goto end;
a37008d9
MC		 4655 }
4656
4657 sess = SSL_get1_session(clientssl);
a37008d9
MC		 4658 SSL_shutdown(clientssl);
4659 SSL_shutdown(serverssl);
a37008d9
MC		 4660 SSL_free(serverssl);
4661 SSL_free(clientssl);
4662 serverssl = clientssl = NULL;
4663
bb01ef3f
MC		 4664 if (tst == 3) {
4665 /* We don't bother with the resumption aspects for this test */
4666 testresult = 1;
4667 goto end;
4668 }
4669
710756a9
RS		 4670 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4671 NULL, NULL))
4672 || !TEST_true(SSL_set_session(clientssl, sess))
4673 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4674 SSL_ERROR_NONE)))
a37008d9 4675 goto end;
a37008d9
MC		 4676
4677 /*
4678 * For a resumed session we expect to add the ClientHello extension. For the
4679 * old style callbacks we ignore it on the server side because they set
4680 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
4681 * them.
4682 */
4683 if (tst == 0) {
710756a9
RS		 4684 if (clntaddoldcb != 2
4685 || clntparseoldcb != 1
4686 || srvaddoldcb != 1
4687 || srvparseoldcb != 1)
a37008d9 4688 goto end;
bb01ef3f 4689 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 4690 if (clntaddnewcb != 2
4691 || clntparsenewcb != 2
4692 || srvaddnewcb != 2
4693 || srvparsenewcb != 2)
a37008d9 4694 goto end;
a37008d9 4695 } else {
36ff232c
MC		 4696 /*
4697 * No Certificate message extensions in the resumption handshake,
4698 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
4699 */
710756a9 4700 if (clntaddnewcb != 2
36ff232c
MC		 4701 || clntparsenewcb != 8
4702 || srvaddnewcb != 8
710756a9 4703 || srvparsenewcb != 2)
a37008d9 4704 goto end;
a37008d9
MC		 4705 }
4706
4707 testresult = 1;
4708
4709end:
4710 SSL_SESSION_free(sess);
4711 SSL_free(serverssl);
4712 SSL_free(clientssl);
bb01ef3f 4713 SSL_CTX_free(sctx2);
a37008d9
MC		 4714 SSL_CTX_free(sctx);
4715 SSL_CTX_free(cctx);
a37008d9
MC		 4716 return testresult;
4717}
4718
16afd71c
MC		 4719/*
4720 * Test loading of serverinfo data in various formats. test_sslmessages actually
4721 * tests to make sure the extensions appear in the handshake
4722 */
4723static int test_serverinfo(int tst)
4724{
4725 unsigned int version;
4726 unsigned char *sibuf;
4727 size_t sibuflen;
4728 int ret, expected, testresult = 0;
4729 SSL_CTX *ctx;
4730
4731 ctx = SSL_CTX_new(TLS_method());
4732 if (!TEST_ptr(ctx))
4733 goto end;
4734
4735 if ((tst & 0x01) == 0x01)
4736 version = SSL_SERVERINFOV2;
4737 else
4738 version = SSL_SERVERINFOV1;
4739
4740 if ((tst & 0x02) == 0x02) {
4741 sibuf = serverinfov2;
4742 sibuflen = sizeof(serverinfov2);
4743 expected = (version == SSL_SERVERINFOV2);
4744 } else {
4745 sibuf = serverinfov1;
4746 sibuflen = sizeof(serverinfov1);
4747 expected = (version == SSL_SERVERINFOV1);
4748 }
4749
4750 if ((tst & 0x04) == 0x04) {
4751 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
4752 } else {
4753 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
4754
4755 /*
4756 * The version variable is irrelevant in this case - it's what is in the
4757 * buffer that matters
4758 */
4759 if ((tst & 0x02) == 0x02)
4760 expected = 0;
4761 else
4762 expected = 1;
4763 }
4764
4765 if (!TEST_true(ret == expected))
4766 goto end;
4767
4768 testresult = 1;
4769
4770 end:
4771 SSL_CTX_free(ctx);
4772
4773 return testresult;
4774}
4775
2197d1df
MC		 4776/*
4777 * Test that SSL_export_keying_material() produces expected results. There are
4778 * no test vectors so all we do is test that both sides of the communication
4779 * produce the same results for different protocol versions.
4780 */
0fb2815b
MC		 4781#define SMALL_LABEL_LEN 10
4782#define LONG_LABEL_LEN 249
2197d1df
MC		 4783static int test_export_key_mat(int tst)
4784{
a599574b 4785 int testresult = 0;
2197d1df
MC		 4786 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4787 SSL *clientssl = NULL, *serverssl = NULL;
0fb2815b 4788 const char label[LONG_LABEL_LEN + 1] = "test label";
2197d1df
MC		 4789 const unsigned char context[] = "context";
4790 const unsigned char *emptycontext = NULL;
4791 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
4792 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
0fb2815b 4793 size_t labellen;
a599574b
MC		 4794 const int protocols[] = {
4795 TLS1_VERSION,
4796 TLS1_1_VERSION,
4797 TLS1_2_VERSION,
0fb2815b
MC		 4798 TLS1_3_VERSION,
4799 TLS1_3_VERSION,
a599574b
MC		 4800 TLS1_3_VERSION
4801 };
2197d1df
MC		 4802
4803#ifdef OPENSSL_NO_TLS1
4804 if (tst == 0)
4805 return 1;
4806#endif
4807#ifdef OPENSSL_NO_TLS1_1
4808 if (tst == 1)
4809 return 1;
4810#endif
4811#ifdef OPENSSL_NO_TLS1_2
4812 if (tst == 2)
4813 return 1;
4814#endif
4815#ifdef OPENSSL_NO_TLS1_3
0fb2815b 4816 if (tst >= 3)
2197d1df
MC		 4817 return 1;
4818#endif
7d7f6834 4819 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 4820 TLS1_VERSION, 0,
7d7f6834 4821 &sctx, &cctx, cert, privkey)))
2197d1df
MC		 4822 goto end;
4823
a599574b
MC		 4824 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
4825 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
4826 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
2197d1df
MC		 4827
4828 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4829 NULL))
4830 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4831 SSL_ERROR_NONE)))
4832 goto end;
4833
0fb2815b
MC		 4834 if (tst == 5) {
4835 /*
4836 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
4837 * go over that.
4838 */
4839 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
4840 sizeof(ckeymat1), label,
4841 LONG_LABEL_LEN + 1, context,
4842 sizeof(context) - 1, 1), 0))
4843 goto end;
4844
4845 testresult = 1;
4846 goto end;
4847 } else if (tst == 4) {
4848 labellen = LONG_LABEL_LEN;
4849 } else {
4850 labellen = SMALL_LABEL_LEN;
4851 }
4852
2197d1df
MC		 4853 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
4854 sizeof(ckeymat1), label,
0fb2815b 4855 labellen, context,
2197d1df
MC		 4856 sizeof(context) - 1, 1), 1)
4857 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
4858 sizeof(ckeymat2), label,
0fb2815b 4859 labellen,
2197d1df
MC		 4860 emptycontext,
4861 0, 1), 1)
4862 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
4863 sizeof(ckeymat3), label,
0fb2815b 4864 labellen,
2197d1df
MC		 4865 NULL, 0, 0), 1)
4866 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
4867 sizeof(skeymat1), label,
0fb2815b 4868 labellen,
2197d1df
MC		 4869 context,
4870 sizeof(context) -1, 1),
4871 1)
4872 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
4873 sizeof(skeymat2), label,
0fb2815b 4874 labellen,
2197d1df
MC		 4875 emptycontext,
4876 0, 1), 1)
4877 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
4878 sizeof(skeymat3), label,
0fb2815b 4879 labellen,
2197d1df
MC		 4880 NULL, 0, 0), 1)
4881 /*
4882 * Check that both sides created the same key material with the
4883 * same context.
4884 */
4885 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4886 sizeof(skeymat1))
4887 /*
4888 * Check that both sides created the same key material with an
4889 * empty context.
4890 */
4891 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4892 sizeof(skeymat2))
4893 /*
4894 * Check that both sides created the same key material without a
4895 * context.
4896 */
4897 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
4898 sizeof(skeymat3))
4899 /* Different contexts should produce different results */
4900 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4901 sizeof(ckeymat2)))
4902 goto end;
4903
4904 /*
4905 * Check that an empty context and no context produce different results in
4906 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
4907 */
0fb2815b 4908 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
2197d1df 4909 sizeof(ckeymat3)))
0fb2815b
MC		 4910 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
4911 sizeof(ckeymat3))))
2197d1df
MC		 4912 goto end;
4913
4914 testresult = 1;
4915
4916 end:
4917 SSL_free(serverssl);
4918 SSL_free(clientssl);
4919 SSL_CTX_free(sctx2);
4920 SSL_CTX_free(sctx);
4921 SSL_CTX_free(cctx);
4922
4923 return testresult;
4924}
4925
b38ede80
TT		 4926#ifndef OPENSSL_NO_TLS1_3
4927/*
4928 * Test that SSL_export_keying_material_early() produces expected
4929 * results. There are no test vectors so all we do is test that both
4930 * sides of the communication produce the same results for different
4931 * protocol versions.
4932 */
4933static int test_export_key_mat_early(int idx)
4934{
4935 static const char label[] = "test label";
4936 static const unsigned char context[] = "context";
4937 int testresult = 0;
4938 SSL_CTX *cctx = NULL, *sctx = NULL;
4939 SSL *clientssl = NULL, *serverssl = NULL;
4940 SSL_SESSION *sess = NULL;
4941 const unsigned char *emptycontext = NULL;
4942 unsigned char ckeymat1[80], ckeymat2[80];
4943 unsigned char skeymat1[80], skeymat2[80];
4944 unsigned char buf[1];
4945 size_t readbytes, written;
4946
4947 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
4948 &sess, idx)))
4949 goto end;
4950
4951 /* Here writing 0 length early data is enough. */
4952 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
4953 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4954 &readbytes),
4955 SSL_READ_EARLY_DATA_ERROR)
4956 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4957 SSL_EARLY_DATA_ACCEPTED))
4958 goto end;
4959
4960 if (!TEST_int_eq(SSL_export_keying_material_early(
4961 clientssl, ckeymat1, sizeof(ckeymat1), label,
4962 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4963 || !TEST_int_eq(SSL_export_keying_material_early(
4964 clientssl, ckeymat2, sizeof(ckeymat2), label,
4965 sizeof(label) - 1, emptycontext, 0), 1)
4966 || !TEST_int_eq(SSL_export_keying_material_early(
4967 serverssl, skeymat1, sizeof(skeymat1), label,
4968 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4969 || !TEST_int_eq(SSL_export_keying_material_early(
4970 serverssl, skeymat2, sizeof(skeymat2), label,
4971 sizeof(label) - 1, emptycontext, 0), 1)
4972 /*
4973 * Check that both sides created the same key material with the
4974 * same context.
4975 */
4976 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4977 sizeof(skeymat1))
4978 /*
4979 * Check that both sides created the same key material with an
4980 * empty context.
4981 */
4982 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4983 sizeof(skeymat2))
4984 /* Different contexts should produce different results */
4985 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4986 sizeof(ckeymat2)))
4987 goto end;
4988
4989 testresult = 1;
4990
4991 end:
c20e3b28 4992 SSL_SESSION_free(sess);
b38ede80
TT		 4993 SSL_SESSION_free(clientpsk);
4994 SSL_SESSION_free(serverpsk);
34ff74eb 4995 clientpsk = serverpsk = NULL;
b38ede80
TT		 4996 SSL_free(serverssl);
4997 SSL_free(clientssl);
4998 SSL_CTX_free(sctx);
4999 SSL_CTX_free(cctx);
5000
5001 return testresult;
5002}
3409a5ff
MC		 5003
5004#define NUM_KEY_UPDATE_MESSAGES 40
5005/*
5006 * Test KeyUpdate.
5007 */
5008static int test_key_update(void)
5009{
5010 SSL_CTX *cctx = NULL, *sctx = NULL;
5011 SSL *clientssl = NULL, *serverssl = NULL;
5012 int testresult = 0, i, j;
5013 char buf[20];
5014 static char *mess = "A test message";
5015
5016 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5017 TLS_client_method(),
5018 TLS1_3_VERSION,
5019 0,
5020 &sctx, &cctx, cert, privkey))
5021 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5022 NULL, NULL))
5023 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5024 SSL_ERROR_NONE)))
5025 goto end;
5026
5027 for (j = 0; j < 2; j++) {
5028 /* Send lots of KeyUpdate messages */
5029 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
5030 if (!TEST_true(SSL_key_update(clientssl,
5031 (j == 0)
5032 ? SSL_KEY_UPDATE_NOT_REQUESTED
5033 : SSL_KEY_UPDATE_REQUESTED))
5034 || !TEST_true(SSL_do_handshake(clientssl)))
5035 goto end;
5036 }
5037
5038 /* Check that sending and receiving app data is ok */
5039 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
5040 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
5041 strlen(mess)))
5042 goto end;
a77b4dba
MC		 5043
5044 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
5045 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
5046 strlen(mess)))
5047 goto end;
3409a5ff
MC		 5048 }
5049
5050 testresult = 1;
5051
5052 end:
5053 SSL_free(serverssl);
5054 SSL_free(clientssl);
5055 SSL_CTX_free(sctx);
5056 SSL_CTX_free(cctx);
5057
5058 return testresult;
5059}
a77b4dba
MC		 5060
5061/*
5062 * Test we can handle a KeyUpdate (update requested) message while write data
5063 * is pending.
5064 * Test 0: Client sends KeyUpdate while Server is writing
5065 * Test 1: Server sends KeyUpdate while Client is writing
5066 */
5067static int test_key_update_in_write(int tst)
5068{
5069 SSL_CTX *cctx = NULL, *sctx = NULL;
5070 SSL *clientssl = NULL, *serverssl = NULL;
5071 int testresult = 0;
5072 char buf[20];
5073 static char *mess = "A test message";
5074 BIO *bretry = BIO_new(bio_s_always_retry());
5075 BIO *tmp = NULL;
5076 SSL *peerupdate = NULL, *peerwrite = NULL;
5077
5078 if (!TEST_ptr(bretry)
5079 || !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5080 TLS_client_method(),
5081 TLS1_3_VERSION,
5082 0,
5083 &sctx, &cctx, cert, privkey))
5084 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5085 NULL, NULL))
5086 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5087 SSL_ERROR_NONE)))
5088 goto end;
5089
5090 peerupdate = tst == 0 ? clientssl : serverssl;
5091 peerwrite = tst == 0 ? serverssl : clientssl;
5092
5093 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
5094 || !TEST_true(SSL_do_handshake(peerupdate)))
5095 goto end;
5096
5097 /* Swap the writing endpoint's write BIO to force a retry */
5098 tmp = SSL_get_wbio(peerwrite);
5099 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
5100 tmp = NULL;
5101 goto end;
5102 }
5103 SSL_set0_wbio(peerwrite, bretry);
5104 bretry = NULL;
5105
5106 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
5107 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
5108 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
5109 goto end;
5110
5111 /* Reinstate the original writing endpoint's write BIO */
5112 SSL_set0_wbio(peerwrite, tmp);
5113 tmp = NULL;
5114
5115 /* Now read some data - we will read the key update */
5116 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
5117 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
5118 goto end;
5119
5120 /*
5121 * Complete the write we started previously and read it from the other
5122 * endpoint
5123 */
5124 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5125 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5126 goto end;
5127
5128 /* Write more data to ensure we send the KeyUpdate message back */
5129 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5130 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5131 goto end;
5132
5133 testresult = 1;
5134
5135 end:
5136 SSL_free(serverssl);
5137 SSL_free(clientssl);
5138 SSL_CTX_free(sctx);
5139 SSL_CTX_free(cctx);
5140 BIO_free(bretry);
5141 BIO_free(tmp);
5142
5143 return testresult;
5144}
b38ede80
TT		 5145#endif /* OPENSSL_NO_TLS1_3 */
5146
e11b6aa4
MC		 5147static int test_ssl_clear(int idx)
5148{
5149 SSL_CTX *cctx = NULL, *sctx = NULL;
5150 SSL *clientssl = NULL, *serverssl = NULL;
5151 int testresult = 0;
5152
5153#ifdef OPENSSL_NO_TLS1_2
5154 if (idx == 1)
5155 return 1;
5156#endif
5157
5158 /* Create an initial connection */
7d7f6834 5159 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 5160 TLS1_VERSION, 0,
7d7f6834 5161 &sctx, &cctx, cert, privkey))
e11b6aa4
MC		 5162 || (idx == 1
5163 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5164 TLS1_2_VERSION)))
5165 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5166 &clientssl, NULL, NULL))
5167 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5168 SSL_ERROR_NONE)))
5169 goto end;
5170
5171 SSL_shutdown(clientssl);
5172 SSL_shutdown(serverssl);
5173 SSL_free(serverssl);
5174 serverssl = NULL;
5175
5176 /* Clear clientssl - we're going to reuse the object */
5177 if (!TEST_true(SSL_clear(clientssl)))
5178 goto end;
5179
5180 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5181 NULL, NULL))
5182 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5183 SSL_ERROR_NONE))
5184 || !TEST_true(SSL_session_reused(clientssl)))
5185 goto end;
5186
5187 SSL_shutdown(clientssl);
5188 SSL_shutdown(serverssl);
5189
5190 testresult = 1;
5191
5192 end:
5193 SSL_free(serverssl);
5194 SSL_free(clientssl);
5195 SSL_CTX_free(sctx);
5196 SSL_CTX_free(cctx);
5197
5198 return testresult;
5199}
5200
cf72c757
F		 5201/* Parse CH and retrieve any MFL extension value if present */
5202static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5203{
5204 long len;
5205 unsigned char *data;
72962d02 5206 PACKET pkt, pkt2, pkt3;
cf72c757
F		 5207 unsigned int MFL_code = 0, type = 0;
5208
5209 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5210 goto end;
5211
72962d02
P		 5212 memset(&pkt, 0, sizeof(pkt));
5213 memset(&pkt2, 0, sizeof(pkt2));
5214 memset(&pkt3, 0, sizeof(pkt3));
5215
cf72c757
F		 5216 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5217 /* Skip the record header */
5218 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5219 /* Skip the handshake message header */
5220 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5221 /* Skip client version and random */
5222 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5223 + SSL3_RANDOM_SIZE))
5224 /* Skip session id */
5225 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5226 /* Skip ciphers */
5227 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5228 /* Skip compression */
5229 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5230 /* Extensions len */
5231 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5232 goto end;
5233
5234 /* Loop through all extensions */
5235 while (PACKET_remaining(&pkt2)) {
5236 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5237 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5238 goto end;
5239
5240 if (type == TLSEXT_TYPE_max_fragment_length) {
5241 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5242 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5243 goto end;
5244
5245 *mfl_codemfl_code = MFL_code;
5246 return 1;
5247 }
5248 }
5249
5250 end:
5251 return 0;
5252}
5253
5254/* Maximum-Fragment-Length TLS extension mode to test */
5255static const unsigned char max_fragment_len_test[] = {
5256 TLSEXT_max_fragment_length_512,
5257 TLSEXT_max_fragment_length_1024,
5258 TLSEXT_max_fragment_length_2048,
5259 TLSEXT_max_fragment_length_4096
5260};
5261
5262static int test_max_fragment_len_ext(int idx_tst)
5263{
5264 SSL_CTX *ctx;
5265 SSL *con = NULL;
5266 int testresult = 0, MFL_mode = 0;
5267 BIO *rbio, *wbio;
5268
5269 ctx = SSL_CTX_new(TLS_method());
5270 if (!TEST_ptr(ctx))
5271 goto end;
5272
5273 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
5274 ctx, max_fragment_len_test[idx_tst])))
5275 goto end;
5276
5277 con = SSL_new(ctx);
5278 if (!TEST_ptr(con))
5279 goto end;
5280
5281 rbio = BIO_new(BIO_s_mem());
5282 wbio = BIO_new(BIO_s_mem());
5283 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
5284 BIO_free(rbio);
5285 BIO_free(wbio);
5286 goto end;
5287 }
5288
5289 SSL_set_bio(con, rbio, wbio);
5290 SSL_set_connect_state(con);
5291
5292 if (!TEST_int_le(SSL_connect(con), 0)) {
5293 /* This shouldn't succeed because we don't have a server! */
5294 goto end;
5295 }
5296
5297 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
5298 /* no MFL in client hello */
5299 goto end;
5300 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
5301 goto end;
5302
5303 testresult = 1;
5304
5305end:
5306 SSL_free(con);
5307 SSL_CTX_free(ctx);
5308
5309 return testresult;
5310}
5311
9d75dce3
TS		 5312#ifndef OPENSSL_NO_TLS1_3
5313static int test_pha_key_update(void)
5314{
5315 SSL_CTX *cctx = NULL, *sctx = NULL;
5316 SSL *clientssl = NULL, *serverssl = NULL;
5317 int testresult = 0;
5318
7d7f6834 5319 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 5320 TLS1_VERSION, 0,
9d75dce3
TS		 5321 &sctx, &cctx, cert, privkey)))
5322 return 0;
5323
5324 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
5325 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
5326 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
5327 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
5328 goto end;
5329
e97be718 5330 SSL_CTX_set_post_handshake_auth(cctx, 1);
9d75dce3
TS		 5331
5332 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5333 NULL, NULL)))
5334 goto end;
5335
9d75dce3
TS		 5336 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5337 SSL_ERROR_NONE)))
5338 goto end;
5339
5340 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5341 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5342 goto end;
5343
5344 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
5345 goto end;
5346
5347 /* Start handshake on the server */
5348 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
5349 goto end;
5350
5351 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
5352 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5353 SSL_ERROR_NONE)))
5354 goto end;
5355
5356 SSL_shutdown(clientssl);
5357 SSL_shutdown(serverssl);
5358
5359 testresult = 1;
5360
5361 end:
5362 SSL_free(serverssl);
5363 SSL_free(clientssl);
5364 SSL_CTX_free(sctx);
5365 SSL_CTX_free(cctx);
5366 return testresult;
5367}
5368#endif
5369
76fd7a1d
MC		 5370#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5371
5372static SRP_VBASE *vbase = NULL;
5373
5374static int ssl_srp_cb(SSL *s, int *ad, void *arg)
5375{
5376 int ret = SSL3_AL_FATAL;
5377 char *username;
5378 SRP_user_pwd *user = NULL;
5379
5380 username = SSL_get_srp_username(s);
5381 if (username == NULL) {
5382 *ad = SSL_AD_INTERNAL_ERROR;
5383 goto err;
5384 }
5385
5386 user = SRP_VBASE_get1_by_user(vbase, username);
5387 if (user == NULL) {
5388 *ad = SSL_AD_INTERNAL_ERROR;
5389 goto err;
5390 }
5391
5392 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
5393 user->info) <= 0) {
5394 *ad = SSL_AD_INTERNAL_ERROR;
5395 goto err;
5396 }
5397
5398 ret = 0;
5399
5400 err:
5401 SRP_user_pwd_free(user);
5402 return ret;
5403}
5404
5405static int create_new_vfile(char *userid, char *password, const char *filename)
5406{
5407 char *gNid = NULL;
5408 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
5409 TXT_DB *db = NULL;
5410 int ret = 0;
5411 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
5412 size_t i;
5413
5414 if (!TEST_ptr(dummy) || !TEST_ptr(row))
5415 goto end;
5416
5417 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
5418 &row[DB_srpverifier], NULL, NULL);
5419 if (!TEST_ptr(gNid))
5420 goto end;
5421
5422 /*
5423 * The only way to create an empty TXT_DB is to provide a BIO with no data
5424 * in it!
5425 */
5426 db = TXT_DB_read(dummy, DB_NUMBER);
5427 if (!TEST_ptr(db))
5428 goto end;
5429
5430 out = BIO_new_file(filename, "w");
5431 if (!TEST_ptr(out))
5432 goto end;
5433
5434 row[DB_srpid] = OPENSSL_strdup(userid);
5435 row[DB_srptype] = OPENSSL_strdup("V");
5436 row[DB_srpgN] = OPENSSL_strdup(gNid);
5437
5438 if (!TEST_ptr(row[DB_srpid])
5439 || !TEST_ptr(row[DB_srptype])
5440 || !TEST_ptr(row[DB_srpgN])
5441 || !TEST_true(TXT_DB_insert(db, row)))
5442 goto end;
5443
5444 row = NULL;
5445
5446 if (!TXT_DB_write(out, db))
5447 goto end;
5448
5449 ret = 1;
5450 end:
5451 if (row != NULL) {
5452 for (i = 0; i < DB_NUMBER; i++)
5453 OPENSSL_free(row[i]);
5454 }
5455 OPENSSL_free(row);
5456 BIO_free(dummy);
5457 BIO_free(out);
5458 TXT_DB_free(db);
5459
5460 return ret;
5461}
5462
5463static int create_new_vbase(char *userid, char *password)
5464{
5465 BIGNUM *verifier = NULL, *salt = NULL;
5466 const SRP_gN *lgN = NULL;
5467 SRP_user_pwd *user_pwd = NULL;
5468 int ret = 0;
5469
5470 lgN = SRP_get_default_gN(NULL);
5471 if (!TEST_ptr(lgN))
5472 goto end;
5473
5474 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
5475 lgN->N, lgN->g)))
5476 goto end;
5477
5478 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
5479 if (!TEST_ptr(user_pwd))
5480 goto end;
5481
5482 user_pwd->N = lgN->N;
5483 user_pwd->g = lgN->g;
5484 user_pwd->id = OPENSSL_strdup(userid);
5485 if (!TEST_ptr(user_pwd->id))
5486 goto end;
5487
5488 user_pwd->v = verifier;
5489 user_pwd->s = salt;
5490 verifier = salt = NULL;
5491
5492 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
5493 goto end;
5494 user_pwd = NULL;
5495
5496 ret = 1;
5497end:
5498 SRP_user_pwd_free(user_pwd);
5499 BN_free(salt);
5500 BN_free(verifier);
5501
5502 return ret;
5503}
5504
5505/*
5506 * SRP tests
5507 *
5508 * Test 0: Simple successful SRP connection, new vbase
5509 * Test 1: Connection failure due to bad password, new vbase
5510 * Test 2: Simple successful SRP connection, vbase loaded from existing file
5511 * Test 3: Connection failure due to bad password, vbase loaded from existing
5512 * file
5513 * Test 4: Simple successful SRP connection, vbase loaded from new file
5514 * Test 5: Connection failure due to bad password, vbase loaded from new file
5515 */
5516static int test_srp(int tst)
5517{
5518 char *userid = "test", *password = "password", *tstsrpfile;
5519 SSL_CTX *cctx = NULL, *sctx = NULL;
5520 SSL *clientssl = NULL, *serverssl = NULL;
5521 int ret, testresult = 0;
5522
5523 vbase = SRP_VBASE_new(NULL);
5524 if (!TEST_ptr(vbase))
5525 goto end;
5526
5527 if (tst == 0 || tst == 1) {
5528 if (!TEST_true(create_new_vbase(userid, password)))
5529 goto end;
5530 } else {
5531 if (tst == 4 || tst == 5) {
5532 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
5533 goto end;
5534 tstsrpfile = tmpfilename;
5535 } else {
5536 tstsrpfile = srpvfile;
5537 }
5538 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
5539 goto end;
5540 }
5541
5542 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 5543 TLS1_VERSION, 0,
76fd7a1d
MC		 5544 &sctx, &cctx, cert, privkey)))
5545 goto end;
5546
5547 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
5548 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
5549 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
5550 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
5551 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
5552 goto end;
5553
5554 if (tst % 2 == 1) {
5555 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
5556 goto end;
5557 } else {
5558 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
5559 goto end;
5560 }
5561
5562 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5563 NULL, NULL)))
5564 goto end;
5565
5566 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
5567 if (ret) {
5568 if (!TEST_true(tst % 2 == 0))
5569 goto end;
5570 } else {
5571 if (!TEST_true(tst % 2 == 1))
5572 goto end;
5573 }
5574
5575 testresult = 1;
5576
5577 end:
5578 SRP_VBASE_free(vbase);
5579 vbase = NULL;
5580 SSL_free(serverssl);
5581 SSL_free(clientssl);
5582 SSL_CTX_free(sctx);
5583 SSL_CTX_free(cctx);
5584
5585 return testresult;
5586}
5587#endif
5588
5718fe45
MC		 5589static int info_cb_failed = 0;
5590static int info_cb_offset = 0;
5591static int info_cb_this_state = -1;
5592
5593static struct info_cb_states_st {
5594 int where;
5595 const char *statestr;
5596} info_cb_states[][60] = {
5597 {
5598 /* TLSv1.2 server followed by resumption */
5599 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5600 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5601 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
5602 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
5603 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
5604 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5605 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5606 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5607 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
5608 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5609 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
5610 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5611 {SSL_CB_EXIT, NULL}, {0, NULL},
5612 }, {
5613 /* TLSv1.2 client followed by resumption */
5614 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5615 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5616 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
5617 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
5618 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
5619 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5620 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5621 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5622 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5623 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5624 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5625 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
5626 }, {
5627 /* TLSv1.3 server followed by resumption */
5628 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5629 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5630 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
5631 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5632 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b
MC		 5633 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5634 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5635 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5636 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5637 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5638 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
5639 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5640 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 5641 }, {
5642 /* TLSv1.3 client followed by resumption */
5643 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5644 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5645 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
5646 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
5647 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4af5836b
MC		 5648 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5649 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
5650 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5718fe45
MC		 5651 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5652 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5653 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5654 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5655 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4af5836b
MC		 5656 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
5657 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 5658 }, {
5659 /* TLSv1.3 server, early_data */
5660 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5661 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5662 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5663 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5664 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5665 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b 5666 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5718fe45
MC		 5667 {SSL_CB_EXIT, NULL}, {0, NULL},
5668 }, {
5669 /* TLSv1.3 client, early_data */
5670 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5671 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
5672 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5673 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5674 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5675 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
5676 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4af5836b
MC		 5677 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5678 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 5679 }, {
5680 {0, NULL},
5681 }
5682};
5683
5684static void sslapi_info_callback(const SSL *s, int where, int ret)
5685{
5686 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
5687
5688 /* We do not ever expect a connection to fail in this test */
5689 if (!TEST_false(ret == 0)) {
5690 info_cb_failed = 1;
5691 return;
5692 }
5693
5694 /*
5695 * Do some sanity checks. We never expect these things to happen in this
5696 * test
5697 */
5698 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
5699 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
5700 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
5701 info_cb_failed = 1;
5702 return;
5703 }
5704
5705 /* Now check we're in the right state */
5706 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
5707 info_cb_failed = 1;
5708 return;
5709 }
5710 if ((where & SSL_CB_LOOP) != 0
5711 && !TEST_int_eq(strcmp(SSL_state_string(s),
5712 state[info_cb_this_state].statestr), 0)) {
5713 info_cb_failed = 1;
5714 return;
5715 }
033c181b 5716
4af5836b
MC		 5717 /*
5718 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
5719 */
5720 if ((where & SSL_CB_HANDSHAKE_DONE)
5721 && SSL_in_init((SSL *)s) != 0) {
033c181b
MC		 5722 info_cb_failed = 1;
5723 return;
5724 }
5718fe45
MC		 5725}
5726
5727/*
5728 * Test the info callback gets called when we expect it to.
5729 *
5730 * Test 0: TLSv1.2, server
5731 * Test 1: TLSv1.2, client
5732 * Test 2: TLSv1.3, server
5733 * Test 3: TLSv1.3, client
5734 * Test 4: TLSv1.3, server, early_data
5735 * Test 5: TLSv1.3, client, early_data
5736 */
5737static int test_info_callback(int tst)
5738{
5739 SSL_CTX *cctx = NULL, *sctx = NULL;
5740 SSL *clientssl = NULL, *serverssl = NULL;
5741 SSL_SESSION *clntsess = NULL;
5742 int testresult = 0;
5743 int tlsvers;
5744
5745 if (tst < 2) {
1aac20f5
MC		 5746/* We need either ECDHE or DHE for the TLSv1.2 test to work */
5747#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
5748 || !defined(OPENSSL_NO_DH))
5718fe45
MC		 5749 tlsvers = TLS1_2_VERSION;
5750#else
5751 return 1;
5752#endif
5753 } else {
5754#ifndef OPENSSL_NO_TLS1_3
5755 tlsvers = TLS1_3_VERSION;
5756#else
5757 return 1;
5758#endif
5759 }
5760
5761 /* Reset globals */
5762 info_cb_failed = 0;
5763 info_cb_this_state = -1;
5764 info_cb_offset = tst;
5765
6e07834c 5766#ifndef OPENSSL_NO_TLS1_3
5718fe45
MC		 5767 if (tst >= 4) {
5768 SSL_SESSION *sess = NULL;
5769 size_t written, readbytes;
5770 unsigned char buf[80];
5771
5772 /* early_data tests */
5773 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
5774 &serverssl, &sess, 0)))
5775 goto end;
5776
5777 /* We don't actually need this reference */
5778 SSL_SESSION_free(sess);
5779
5780 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
5781 sslapi_info_callback);
5782
5783 /* Write and read some early data and then complete the connection */
5784 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
5785 &written))
5786 || !TEST_size_t_eq(written, strlen(MSG1))
5787 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
5788 sizeof(buf), &readbytes),
5789 SSL_READ_EARLY_DATA_SUCCESS)
5790 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
5791 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5792 SSL_EARLY_DATA_ACCEPTED)
5793 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5794 SSL_ERROR_NONE))
5795 || !TEST_false(info_cb_failed))
5796 goto end;
5797
5798 testresult = 1;
5799 goto end;
5800 }
6e07834c 5801#endif
5718fe45
MC		 5802
5803 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5804 TLS_client_method(),
5805 tlsvers, tlsvers, &sctx, &cctx, cert,
5806 privkey)))
5807 goto end;
5808
5809 /*
5810 * For even numbered tests we check the server callbacks. For odd numbers we
5811 * check the client.
5812 */
5813 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
5814 sslapi_info_callback);
5815
5816 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5817 &clientssl, NULL, NULL))
5818 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5819 SSL_ERROR_NONE))
5820 || !TEST_false(info_cb_failed))
5821 goto end;
5822
5823
5824
5825 clntsess = SSL_get1_session(clientssl);
5826 SSL_shutdown(clientssl);
5827 SSL_shutdown(serverssl);
5828 SSL_free(serverssl);
5829 SSL_free(clientssl);
5830 serverssl = clientssl = NULL;
5831
5832 /* Now do a resumption */
5833 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5834 NULL))
5835 || !TEST_true(SSL_set_session(clientssl, clntsess))
5836 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5837 SSL_ERROR_NONE))
5838 || !TEST_true(SSL_session_reused(clientssl))
5839 || !TEST_false(info_cb_failed))
5840 goto end;
5841
5842 testresult = 1;
5843
5844 end:
5845 SSL_free(serverssl);
5846 SSL_free(clientssl);
5847 SSL_SESSION_free(clntsess);
5848 SSL_CTX_free(sctx);
5849 SSL_CTX_free(cctx);
5850 return testresult;
5851}
5852
4a432af8
MC		 5853static int test_ssl_pending(int tst)
5854{
5855 SSL_CTX *cctx = NULL, *sctx = NULL;
5856 SSL *clientssl = NULL, *serverssl = NULL;
5857 int testresult = 0;
5858 char msg[] = "A test message";
5859 char buf[5];
5860 size_t written, readbytes;
5861
5862 if (tst == 0) {
5863 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5864 TLS_client_method(),
5c587fb6 5865 TLS1_VERSION, 0,
4a432af8
MC		 5866 &sctx, &cctx, cert, privkey)))
5867 goto end;
5868 } else {
5869#ifndef OPENSSL_NO_DTLS
5870 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
5871 DTLS_client_method(),
5c587fb6 5872 DTLS1_VERSION, 0,
4a432af8
MC		 5873 &sctx, &cctx, cert, privkey)))
5874 goto end;
5875#else
5876 return 1;
5877#endif
5878 }
5879
5880 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5881 NULL, NULL))
5882 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5883 SSL_ERROR_NONE)))
5884 goto end;
5885
e8251092
MC		 5886 if (!TEST_int_eq(SSL_pending(clientssl), 0)
5887 || !TEST_false(SSL_has_pending(clientssl))
5888 || !TEST_int_eq(SSL_pending(serverssl), 0)
5889 || !TEST_false(SSL_has_pending(serverssl))
5890 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4a432af8
MC		 5891 || !TEST_size_t_eq(written, sizeof(msg))
5892 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
5893 || !TEST_size_t_eq(readbytes, sizeof(buf))
e8251092
MC		 5894 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
5895 || !TEST_true(SSL_has_pending(clientssl)))
4a432af8
MC		 5896 goto end;
5897
5898 testresult = 1;
5899
5900 end:
5901 SSL_free(serverssl);
5902 SSL_free(clientssl);
5903 SSL_CTX_free(sctx);
5904 SSL_CTX_free(cctx);
5905
5906 return testresult;
5907}
5908
e401389a
MC		 5909static struct {
5910 unsigned int maxprot;
5911 const char *clntciphers;
5912 const char *clnttls13ciphers;
5913 const char *srvrciphers;
5914 const char *srvrtls13ciphers;
5915 const char *shared;
5916} shared_ciphers_data[] = {
60155b9a
MC		 5917/*
5918 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
5919 * TLSv1.3 is enabled but TLSv1.2 is disabled.
5920 */
5921#if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
e401389a
MC		 5922 {
5923 TLS1_2_VERSION,
5924 "AES128-SHA:AES256-SHA",
5925 NULL,
5926 "AES256-SHA:DHE-RSA-AES128-SHA",
5927 NULL,
5928 "AES256-SHA"
5929 },
5930 {
5931 TLS1_2_VERSION,
5932 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
5933 NULL,
5934 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
5935 NULL,
5936 "AES128-SHA:AES256-SHA"
5937 },
5938 {
5939 TLS1_2_VERSION,
5940 "AES128-SHA:AES256-SHA",
5941 NULL,
5942 "AES128-SHA:DHE-RSA-AES128-SHA",
5943 NULL,
5944 "AES128-SHA"
5945 },
60155b9a
MC		 5946#endif
5947/*
5948 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
5949 * enabled.
5950 */
5951#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
5952 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e401389a
MC		 5953 {
5954 TLS1_3_VERSION,
5955 "AES128-SHA:AES256-SHA",
5956 NULL,
5957 "AES256-SHA:AES128-SHA256",
5958 NULL,
5959 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
5960 "TLS_AES_128_GCM_SHA256:AES256-SHA"
5961 },
60155b9a
MC		 5962#endif
5963#ifndef OPENSSL_NO_TLS1_3
e401389a
MC		 5964 {
5965 TLS1_3_VERSION,
5966 "AES128-SHA",
5967 "TLS_AES_256_GCM_SHA384",
5968 "AES256-SHA",
5969 "TLS_AES_256_GCM_SHA384",
5970 "TLS_AES_256_GCM_SHA384"
5971 },
5972#endif
5973};
5974
5975static int test_ssl_get_shared_ciphers(int tst)
5976{
5977 SSL_CTX *cctx = NULL, *sctx = NULL;
5978 SSL *clientssl = NULL, *serverssl = NULL;
5979 int testresult = 0;
5980 char buf[1024];
5981
5982 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5983 TLS_client_method(),
5984 TLS1_VERSION,
5985 shared_ciphers_data[tst].maxprot,
5986 &sctx, &cctx, cert, privkey)))
5987 goto end;
5988
5989 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5990 shared_ciphers_data[tst].clntciphers))
5991 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
5992 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
5993 shared_ciphers_data[tst].clnttls13ciphers)))
5994 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
5995 shared_ciphers_data[tst].srvrciphers))
5996 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
5997 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
5998 shared_ciphers_data[tst].srvrtls13ciphers))))
5999 goto end;
6000
6001
6002 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6003 NULL, NULL))
6004 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6005 SSL_ERROR_NONE)))
6006 goto end;
6007
6008 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
6009 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
6010 TEST_info("Shared ciphers are: %s\n", buf);
6011 goto end;
6012 }
6013
6014 testresult = 1;
6015
6016 end:
6017 SSL_free(serverssl);
6018 SSL_free(clientssl);
6019 SSL_CTX_free(sctx);
6020 SSL_CTX_free(cctx);
6021
6022 return testresult;
6023}
6024
d0191fe0 6025static const char *appdata = "Hello World";
61fb5923
MC		 6026static int gen_tick_called, dec_tick_called, tick_key_cb_called;
6027static int tick_key_renew = 0;
6028static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
d0191fe0
MC		 6029
6030static int gen_tick_cb(SSL *s, void *arg)
6031{
6032 gen_tick_called = 1;
6033
6034 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
6035 strlen(appdata));
6036}
6037
6038static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
6039 const unsigned char *keyname,
6040 size_t keyname_length,
61fb5923
MC		 6041 SSL_TICKET_STATUS status,
6042 void *arg)
d0191fe0
MC		 6043{
6044 void *tickdata;
6045 size_t tickdlen;
6046
6047 dec_tick_called = 1;
6048
61fb5923
MC		 6049 if (status == SSL_TICKET_EMPTY)
6050 return SSL_TICKET_RETURN_IGNORE_RENEW;
d0191fe0 6051
61fb5923
MC		 6052 if (!TEST_true(status == SSL_TICKET_SUCCESS
6053 || status == SSL_TICKET_SUCCESS_RENEW))
6054 return SSL_TICKET_RETURN_ABORT;
6055
6056 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
6057 &tickdlen))
d0191fe0
MC		 6058 || !TEST_size_t_eq(tickdlen, strlen(appdata))
6059 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
61fb5923 6060 return SSL_TICKET_RETURN_ABORT;
d0191fe0 6061
61fb5923
MC		 6062 if (tick_key_cb_called) {
6063 /* Don't change what the ticket key callback wanted to do */
6064 switch (status) {
6065 case SSL_TICKET_NO_DECRYPT:
6066 return SSL_TICKET_RETURN_IGNORE_RENEW;
6067
6068 case SSL_TICKET_SUCCESS:
6069 return SSL_TICKET_RETURN_USE;
d0191fe0 6070
61fb5923
MC		 6071 case SSL_TICKET_SUCCESS_RENEW:
6072 return SSL_TICKET_RETURN_USE_RENEW;
6073
6074 default:
6075 return SSL_TICKET_RETURN_ABORT;
6076 }
6077 }
6078 return tick_dec_ret;
6079
6080}
d0191fe0
MC		 6081
6082static int tick_key_cb(SSL *s, unsigned char key_name[16],
6083 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
6084 HMAC_CTX *hctx, int enc)
6085{
6086 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6087 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
6088
61fb5923 6089 tick_key_cb_called = 1;
d0191fe0
MC		 6090 memset(iv, 0, AES_BLOCK_SIZE);
6091 memset(key_name, 0, 16);
6092 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
6093 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
6094 EVP_sha256(), NULL))
6095 return -1;
6096
61fb5923 6097 return tick_key_renew ? 2 : 1;
d0191fe0
MC		 6098}
6099
6100/*
6101 * Test the various ticket callbacks
61fb5923
MC		 6102 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
6103 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
6104 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
6105 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
6106 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
6107 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
6108 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
6109 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
6110 * Test 8: TLSv1.2, ticket key callback, ticket, no renewal
6111 * Test 9: TLSv1.3, ticket key callback, ticket, no renewal
6112 * Test 10: TLSv1.2, ticket key callback, ticket, renewal
6113 * Test 11: TLSv1.3, ticket key callback, ticket, renewal
d0191fe0
MC		 6114 */
6115static int test_ticket_callbacks(int tst)
6116{
6117 SSL_CTX *cctx = NULL, *sctx = NULL;
6118 SSL *clientssl = NULL, *serverssl = NULL;
6119 SSL_SESSION *clntsess = NULL;
6120 int testresult = 0;
6121
6122#ifdef OPENSSL_NO_TLS1_2
ba8b48e9 6123 if (tst % 2 == 0)
d0191fe0
MC		 6124 return 1;
6125#endif
6126#ifdef OPENSSL_NO_TLS1_3
ba8b48e9 6127 if (tst % 2 == 1)
d0191fe0
MC		 6128 return 1;
6129#endif
6130
61fb5923 6131 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
d0191fe0
MC		 6132
6133 /* Which tests the ticket key callback should request renewal for */
61fb5923
MC		 6134 if (tst == 10 || tst == 11)
6135 tick_key_renew = 1;
d0191fe0 6136 else
61fb5923
MC		 6137 tick_key_renew = 0;
6138
6139 /* Which tests the decrypt ticket callback should request renewal for */
6140 switch (tst) {
6141 case 0:
6142 case 1:
6143 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6144 break;
6145
6146 case 2:
6147 case 3:
6148 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
6149 break;
6150
6151 case 4:
6152 case 5:
6153 tick_dec_ret = SSL_TICKET_RETURN_USE;
6154 break;
6155
6156 case 6:
6157 case 7:
6158 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
6159 break;
6160
6161 default:
6162 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6163 }
d0191fe0
MC		 6164
6165 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6166 TLS_client_method(),
6167 TLS1_VERSION,
61fb5923
MC		 6168 ((tst % 2) == 0) ? TLS1_2_VERSION
6169 : TLS1_3_VERSION,
d0191fe0
MC		 6170 &sctx, &cctx, cert, privkey)))
6171 goto end;
6172
61fb5923
MC		 6173 /*
6174 * We only want sessions to resume from tickets - not the session cache. So
6175 * switch the cache off.
6176 */
6177 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
6178 goto end;
6179
d0191fe0
MC		 6180 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
6181 NULL)))
6182 goto end;
6183
61fb5923 6184 if (tst >= 8
d0191fe0
MC		 6185 && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
6186 goto end;
6187
6188 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6189 NULL, NULL))
6190 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6191 SSL_ERROR_NONE)))
6192 goto end;
6193
61fb5923
MC		 6194 /*
6195 * The decrypt ticket key callback in TLSv1.2 should be called even though
6196 * we have no ticket yet, because it gets called with a status of
6197 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
6198 * actually send any ticket data). This does not happen in TLSv1.3 because
6199 * it is not valid to send empty ticket data in TLSv1.3.
6200 */
d0191fe0 6201 if (!TEST_int_eq(gen_tick_called, 1)
61fb5923 6202 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
d0191fe0
MC		 6203 goto end;
6204
6205 gen_tick_called = dec_tick_called = 0;
6206
6207 clntsess = SSL_get1_session(clientssl);
6208 SSL_shutdown(clientssl);
6209 SSL_shutdown(serverssl);
6210 SSL_free(serverssl);
6211 SSL_free(clientssl);
6212 serverssl = clientssl = NULL;
6213
6214 /* Now do a resumption */
6215 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6216 NULL))
6217 || !TEST_true(SSL_set_session(clientssl, clntsess))
6218 || !TEST_true(create_ssl_connection(serverssl, clientssl,
61fb5923 6219 SSL_ERROR_NONE)))
d0191fe0
MC		 6220 goto end;
6221
61fb5923
MC		 6222 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
6223 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
6224 if (!TEST_false(SSL_session_reused(clientssl)))
6225 goto end;
6226 } else {
6227 if (!TEST_true(SSL_session_reused(clientssl)))
6228 goto end;
6229 }
6230
d0191fe0 6231 if (!TEST_int_eq(gen_tick_called,
61fb5923
MC		 6232 (tick_key_renew
6233 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
6234 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
6235 ? 1 : 0)
d0191fe0
MC		 6236 || !TEST_int_eq(dec_tick_called, 1))
6237 goto end;
6238
6239 testresult = 1;
6240
6241 end:
6242 SSL_SESSION_free(clntsess);
6243 SSL_free(serverssl);
6244 SSL_free(clientssl);
6245 SSL_CTX_free(sctx);
6246 SSL_CTX_free(cctx);
6247
6248 return testresult;
6249}
6250
c748834f
MC		 6251/*
6252 * Test bi-directional shutdown.
6253 * Test 0: TLSv1.2
6254 * Test 1: TLSv1.2, server continues to read/write after client shutdown
6255 * Test 2: TLSv1.3, no pending NewSessionTicket messages
6256 * Test 3: TLSv1.3, pending NewSessionTicket messages
80eff008
KR		 6257 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
6258 * sends key update, client reads it
57d7b988
MC		 6259 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
6260 * sends CertificateRequest, client reads and ignores it
6261 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
c748834f
MC		 6262 * doesn't read it
6263 */
6264static int test_shutdown(int tst)
6265{
6266 SSL_CTX *cctx = NULL, *sctx = NULL;
6267 SSL *clientssl = NULL, *serverssl = NULL;
6268 int testresult = 0;
6269 char msg[] = "A test message";
6270 char buf[80];
6271 size_t written, readbytes;
80eff008 6272 SSL_SESSION *sess;
c748834f
MC		 6273
6274#ifdef OPENSSL_NO_TLS1_2
a97d19f7 6275 if (tst <= 1)
c748834f
MC		 6276 return 1;
6277#endif
6278#ifdef OPENSSL_NO_TLS1_3
a97d19f7 6279 if (tst >= 2)
c748834f
MC		 6280 return 1;
6281#endif
6282
6283 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6284 TLS_client_method(),
6285 TLS1_VERSION,
6286 (tst <= 1) ? TLS1_2_VERSION
6287 : TLS1_3_VERSION,
57d7b988
MC		 6288 &sctx, &cctx, cert, privkey)))
6289 goto end;
6290
6291 if (tst == 5)
6292 SSL_CTX_set_post_handshake_auth(cctx, 1);
6293
6294 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
c748834f
MC		 6295 NULL, NULL)))
6296 goto end;
6297
6298 if (tst == 3) {
6299 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
80c455d5 6300 SSL_ERROR_NONE, 1))
80eff008
KR		 6301 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6302 || !TEST_false(SSL_SESSION_is_resumable(sess)))
c748834f
MC		 6303 goto end;
6304 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
80eff008
KR		 6305 SSL_ERROR_NONE))
6306 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6307 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
c748834f
MC		 6308 goto end;
6309 }
6310
6311 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
6312 goto end;
6313
6314 if (tst >= 4) {
6315 /*
6316 * Reading on the server after the client has sent close_notify should
6317 * fail and provide SSL_ERROR_ZERO_RETURN
6318 */
6319 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
6320 || !TEST_int_eq(SSL_get_error(serverssl, 0),
6321 SSL_ERROR_ZERO_RETURN)
6322 || !TEST_int_eq(SSL_get_shutdown(serverssl),
6323 SSL_RECEIVED_SHUTDOWN)
6324 /*
6325 * Even though we're shutdown on receive we should still be
6326 * able to write.
6327 */
80eff008
KR		 6328 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6329 goto end;
57d7b988
MC		 6330 if (tst == 4
6331 && !TEST_true(SSL_key_update(serverssl,
6332 SSL_KEY_UPDATE_REQUESTED)))
6333 goto end;
6334 if (tst == 5) {
6335 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6336 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6337 goto end;
6338 }
6339 if ((tst == 4 || tst == 5)
6340 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
80eff008
KR		 6341 goto end;
6342 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
c748834f 6343 goto end;
57d7b988 6344 if (tst == 4 || tst == 5) {
80eff008 6345 /* Should still be able to read data from server */
c748834f 6346 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
80eff008
KR		 6347 &readbytes))
6348 || !TEST_size_t_eq(readbytes, sizeof(msg))
6349 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
6350 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6351 &readbytes))
c748834f
MC		 6352 || !TEST_size_t_eq(readbytes, sizeof(msg))
6353 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
6354 goto end;
6355 }
6356 }
6357
6358 /* Writing on the client after sending close_notify shouldn't be possible */
ba709049 6359 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
c748834f
MC		 6360 goto end;
6361
6362 if (tst < 4) {
6363 /*
6364 * For these tests the client has sent close_notify but it has not yet
6365 * been received by the server. The server has not sent close_notify
6366 * yet.
6367 */
6368 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
ba709049
MC		 6369 /*
6370 * Writing on the server after sending close_notify shouldn't
6371 * be possible.
6372 */
6373 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
c748834f 6374 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
80eff008
KR		 6375 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6376 || !TEST_true(SSL_SESSION_is_resumable(sess))
c748834f
MC		 6377 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
6378 goto end;
57d7b988 6379 } else if (tst == 4 || tst == 5) {
c748834f
MC		 6380 /*
6381 * In this test the client has sent close_notify and it has been
6382 * received by the server which has responded with a close_notify. The
358ffa05 6383 * client needs to read the close_notify sent by the server.
c748834f 6384 */
80eff008
KR		 6385 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
6386 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6387 || !TEST_true(SSL_SESSION_is_resumable(sess)))
c748834f 6388 goto end;
358ffa05
MC		 6389 } else {
6390 /*
57d7b988 6391 * tst == 6
358ffa05
MC		 6392 *
6393 * The client has sent close_notify and is expecting a close_notify
6394 * back, but instead there is application data first. The shutdown
6395 * should fail with a fatal error.
6396 */
6397 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
6398 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
6399 goto end;
c748834f
MC		 6400 }
6401
6402 testresult = 1;
6403
6404 end:
6405 SSL_free(serverssl);
6406 SSL_free(clientssl);
6407 SSL_CTX_free(sctx);
6408 SSL_CTX_free(cctx);
6409
6410 return testresult;
6411}
6412
7f1d923a 6413#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
cd6fe29f
MC		 6414static int cert_cb_cnt;
6415
6416static int cert_cb(SSL *s, void *arg)
6417{
6418 SSL_CTX *ctx = (SSL_CTX *)arg;
7cb8fb07
BK		 6419 BIO *in = NULL;
6420 EVP_PKEY *pkey = NULL;
1a2a3a42
MC		 6421 X509 *x509 = NULL, *rootx = NULL;
6422 STACK_OF(X509) *chain = NULL;
6423 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
6424 int ret = 0;
cd6fe29f
MC		 6425
6426 if (cert_cb_cnt == 0) {
6427 /* Suspend the handshake */
6428 cert_cb_cnt++;
6429 return -1;
6430 } else if (cert_cb_cnt == 1) {
6431 /*
6432 * Update the SSL_CTX, set the certificate and private key and then
6433 * continue the handshake normally.
6434 */
6435 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
6436 return 0;
6437
6438 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
6439 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
6440 SSL_FILETYPE_PEM))
6441 || !TEST_true(SSL_check_private_key(s)))
6442 return 0;
6443 cert_cb_cnt++;
6444 return 1;
7cb8fb07
BK		 6445 } else if (cert_cb_cnt == 3) {
6446 int rv;
1a2a3a42
MC		 6447
6448 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
6449 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
6450 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
6451 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
6452 goto out;
6453 chain = sk_X509_new_null();
6454 if (!TEST_ptr(chain))
6455 goto out;
7cb8fb07 6456 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
1a2a3a42
MC		 6457 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
6458 || !TEST_ptr(rootx = PEM_read_bio_X509(in, NULL, NULL, NULL))
6459 || !TEST_true(sk_X509_push(chain, rootx)))
6460 goto out;
6461 rootx = NULL;
6462 BIO_free(in);
6463 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6464 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
7cb8fb07
BK		 6465 || !TEST_ptr(x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
6466 goto out;
6467 BIO_free(in);
6468 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
1a2a3a42 6469 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
7cb8fb07
BK		 6470 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)))
6471 goto out;
1a2a3a42 6472 rv = SSL_check_chain(s, x509, pkey, chain);
7cb8fb07
BK		 6473 /*
6474 * If the cert doesn't show as valid here (e.g., because we don't
6475 * have any shared sigalgs), then we will not set it, and there will
6476 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
6477 * will cause tls_choose_sigalgs() to fail the connection.
6478 */
1a2a3a42
MC		 6479 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
6480 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7cb8fb07
BK		 6481 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
6482 goto out;
6483 }
1a2a3a42
MC		 6484
6485 ret = 1;
cd6fe29f
MC		 6486 }
6487
6488 /* Abort the handshake */
7cb8fb07 6489 out:
1a2a3a42
MC		 6490 OPENSSL_free(ecdsacert);
6491 OPENSSL_free(ecdsakey);
6492 OPENSSL_free(rootfile);
7cb8fb07
BK		 6493 BIO_free(in);
6494 EVP_PKEY_free(pkey);
6495 X509_free(x509);
1a2a3a42
MC		 6496 X509_free(rootx);
6497 sk_X509_pop_free(chain, X509_free);
6498 return ret;
cd6fe29f
MC		 6499}
6500
6501/*
6502 * Test the certificate callback.
6503 * Test 0: Callback fails
6504 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
6505 * Test 2: Success - SSL_set_SSL_CTX() in the callback
1a2a3a42
MC		 6506 * Test 3: Success - Call SSL_check_chain from the callback
6507 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
6508 * chain
6509 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
cd6fe29f
MC		 6510 */
6511static int test_cert_cb_int(int prot, int tst)
6512{
6513 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
6514 SSL *clientssl = NULL, *serverssl = NULL;
6515 int testresult = 0, ret;
6516
1a2a3a42
MC		 6517#ifdef OPENSSL_NO_EC
6518 /* We use an EC cert in these tests, so we skip in a no-ec build */
6519 if (tst >= 3)
6520 return 1;
6521#endif
6522
cd6fe29f
MC		 6523 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6524 TLS_client_method(),
6525 TLS1_VERSION,
6526 prot,
6527 &sctx, &cctx, NULL, NULL)))
6528 goto end;
6529
6530 if (tst == 0)
6531 cert_cb_cnt = -1;
1a2a3a42 6532 else if (tst >= 3)
7cb8fb07 6533 cert_cb_cnt = 3;
cd6fe29f
MC		 6534 else
6535 cert_cb_cnt = 0;
1a2a3a42 6536
cd6fe29f
MC		 6537 if (tst == 2)
6538 snictx = SSL_CTX_new(TLS_server_method());
6539 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
6540
6541 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6542 NULL, NULL)))
6543 goto end;
6544
1a2a3a42
MC		 6545 if (tst == 4) {
6546 /*
6547 * We cause SSL_check_chain() to fail by specifying sig_algs that
6548 * the chain doesn't meet (the root uses an RSA cert)
6549 */
6550 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6551 "ecdsa_secp256r1_sha256")))
6552 goto end;
6553 } else if (tst == 5) {
6554 /*
6555 * We cause SSL_check_chain() to fail by specifying sig_algs that
6556 * the ee cert doesn't meet (the ee uses an ECDSA cert)
6557 */
6558 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6559 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
6560 goto end;
6561 }
6562
cd6fe29f 6563 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
1a2a3a42 6564 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7cb8fb07
BK		 6565 || (tst > 0
6566 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
cd6fe29f
MC		 6567 goto end;
6568 }
6569
6570 testresult = 1;
6571
6572 end:
6573 SSL_free(serverssl);
6574 SSL_free(clientssl);
6575 SSL_CTX_free(sctx);
6576 SSL_CTX_free(cctx);
6577 SSL_CTX_free(snictx);
6578
6579 return testresult;
6580}
7f1d923a 6581#endif
cd6fe29f
MC		 6582
6583static int test_cert_cb(int tst)
6584{
6585 int testresult = 1;
6586
6587#ifndef OPENSSL_NO_TLS1_2
6588 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
6589#endif
7f1d923a 6590#ifndef OPENSSL_NO_TLS1_3
cd6fe29f
MC		 6591 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
6592#endif
6593
6594 return testresult;
6595}
6596
6e46c065
MC		 6597static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
6598{
6599 X509 *xcert, *peer;
6600 EVP_PKEY *privpkey;
6601 BIO *in = NULL;
6602
6603 /* Check that SSL_get_peer_certificate() returns something sensible */
6604 peer = SSL_get_peer_certificate(ssl);
6605 if (!TEST_ptr(peer))
6606 return 0;
6607 X509_free(peer);
6608
6609 in = BIO_new_file(cert, "r");
6610 if (!TEST_ptr(in))
6611 return 0;
6612
6613 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
6614 BIO_free(in);
6615 if (!TEST_ptr(xcert))
6616 return 0;
6617
6618 in = BIO_new_file(privkey, "r");
6619 if (!TEST_ptr(in)) {
6620 X509_free(xcert);
6621 return 0;
6622 }
6623
6624 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
6625 BIO_free(in);
6626 if (!TEST_ptr(privpkey)) {
6627 X509_free(xcert);
6628 return 0;
6629 }
6630
6631 *x509 = xcert;
6632 *pkey = privpkey;
6633
6634 return 1;
6635}
6636
6637static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
6638{
6639 return 1;
6640}
6641
6642static int test_client_cert_cb(int tst)
6643{
6644 SSL_CTX *cctx = NULL, *sctx = NULL;
6645 SSL *clientssl = NULL, *serverssl = NULL;
6646 int testresult = 0;
6647
6648#ifdef OPENSSL_NO_TLS1_2
6649 if (tst == 0)
6650 return 1;
6651#endif
6652#ifdef OPENSSL_NO_TLS1_3
6653 if (tst == 1)
6654 return 1;
6655#endif
6656
6657 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6658 TLS_client_method(),
6659 TLS1_VERSION,
6660 tst == 0 ? TLS1_2_VERSION
6661 : TLS1_3_VERSION,
6662 &sctx, &cctx, cert, privkey)))
6663 goto end;
6664
6665 /*
6666 * Test that setting a client_cert_cb results in a client certificate being
6667 * sent.
6668 */
6669 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
6670 SSL_CTX_set_verify(sctx,
6671 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
6672 verify_cb);
fb8c8359
MC		 6673
6674 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6675 NULL, NULL))
6676 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6677 SSL_ERROR_NONE)))
6678 goto end;
6679
6680 testresult = 1;
6681
6682 end:
6683 SSL_free(serverssl);
6684 SSL_free(clientssl);
6685 SSL_CTX_free(sctx);
6686 SSL_CTX_free(cctx);
6687
6688 return testresult;
6689}
6690
6691#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6692/*
6693 * Test setting certificate authorities on both client and server.
6694 *
6695 * Test 0: SSL_CTX_set0_CA_list() only
6696 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
6697 * Test 2: Only SSL_CTX_set_client_CA_list()
6698 */
6699static int test_ca_names_int(int prot, int tst)
6700{
6701 SSL_CTX *cctx = NULL, *sctx = NULL;
6702 SSL *clientssl = NULL, *serverssl = NULL;
6703 int testresult = 0;
6704 size_t i;
6705 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
6706 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
6707 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
6708 const STACK_OF(X509_NAME) *sktmp = NULL;
6709
6710 for (i = 0; i < OSSL_NELEM(name); i++) {
6711 name[i] = X509_NAME_new();
6712 if (!TEST_ptr(name[i])
6713 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
6714 MBSTRING_ASC,
6715 (unsigned char *)
6716 strnames[i],
6717 -1, -1, 0)))
6718 goto end;
6719 }
6720
6721 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
6722 TLS_client_method(),
6723 TLS1_VERSION,
6724 prot,
6725 &sctx, &cctx, cert, privkey)))
6726 goto end;
6727
6728 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
6729
6730 if (tst == 0 || tst == 1) {
6731 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6732 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
6733 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
6734 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6735 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
6736 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
6737 goto end;
6738
6739 SSL_CTX_set0_CA_list(sctx, sk1);
6740 SSL_CTX_set0_CA_list(cctx, sk2);
6741 sk1 = sk2 = NULL;
6742 }
6743 if (tst == 1 || tst == 2) {
6744 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6745 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
6746 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
6747 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6748 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
6749 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
6750 goto end;
6751
6752 SSL_CTX_set_client_CA_list(sctx, sk1);
6753 SSL_CTX_set_client_CA_list(cctx, sk2);
6754 sk1 = sk2 = NULL;
6755 }
6756
6e46c065
MC		 6757 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6758 NULL, NULL))
6759 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6760 SSL_ERROR_NONE)))
6761 goto end;
6762
fb8c8359
MC		 6763 /*
6764 * We only expect certificate authorities to have been sent to the server
6765 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
6766 */
6767 sktmp = SSL_get0_peer_CA_list(serverssl);
6768 if (prot == TLS1_3_VERSION
6769 && (tst == 0 || tst == 1)) {
6770 if (!TEST_ptr(sktmp)
6771 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6772 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6773 name[0]), 0)
6774 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6775 name[1]), 0))
6776 goto end;
6777 } else if (!TEST_ptr_null(sktmp)) {
6778 goto end;
6779 }
6780
6781 /*
6782 * In all tests we expect certificate authorities to have been sent to the
6783 * client. However, SSL_set_client_CA_list() should override
6784 * SSL_set0_CA_list()
6785 */
6786 sktmp = SSL_get0_peer_CA_list(clientssl);
6787 if (!TEST_ptr(sktmp)
6788 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6789 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6790 name[tst == 0 ? 0 : 2]), 0)
6791 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6792 name[tst == 0 ? 1 : 3]), 0))
6793 goto end;
6794
6e46c065
MC		 6795 testresult = 1;
6796
6797 end:
6798 SSL_free(serverssl);
6799 SSL_free(clientssl);
6800 SSL_CTX_free(sctx);
6801 SSL_CTX_free(cctx);
fb8c8359
MC		 6802 for (i = 0; i < OSSL_NELEM(name); i++)
6803 X509_NAME_free(name[i]);
6804 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
6805 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
6806
6807 return testresult;
6808}
6809#endif
6810
6811static int test_ca_names(int tst)
6812{
6813 int testresult = 1;
6814
6815#ifndef OPENSSL_NO_TLS1_2
6816 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
6817#endif
6818#ifndef OPENSSL_NO_TLS1_3
6819 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
6820#endif
6e46c065
MC		 6821
6822 return testresult;
6823}
6824
a43ce58f
SL		 6825
6826OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile\n")
6827
ad887416 6828int setup_tests(void)
2cb4b5f6 6829{
1a2a3a42
MC		 6830 if (!TEST_ptr(certsdir = test_get_argument(0))
6831 || !TEST_ptr(srpvfile = test_get_argument(1))
6832 || !TEST_ptr(tmpfilename = test_get_argument(2)))
710756a9 6833 return 0;
2cb4b5f6 6834
f297e4ec
RS		 6835 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
6836#ifdef OPENSSL_NO_CRYPTO_MDEBUG
6837 TEST_error("not supported in this build");
6838 return 0;
6839#else
6840 int i, mcount, rcount, fcount;
6841
6842 for (i = 0; i < 4; i++)
6843 test_export_key_mat(i);
6844 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
6845 test_printf_stdout("malloc %d realloc %d free %d\n",
6846 mcount, rcount, fcount);
6847 return 1;
6848#endif
6849 }
6850
1a2a3a42
MC		 6851 cert = test_mk_file_path(certsdir, "servercert.pem");
6852 if (cert == NULL)
6853 return 0;
6854
6855 privkey = test_mk_file_path(certsdir, "serverkey.pem");
6856 if (privkey == NULL) {
6857 OPENSSL_free(cert);
6858 return 0;
6859 }
6860
5e9072ed
MC		 6861#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
6862 && !defined(OPENSSL_NO_SOCK)
2fab79af
BP		 6863 ADD_TEST(test_ktls_no_txrx_client_no_txrx_server);
6864 ADD_TEST(test_ktls_no_rx_client_no_txrx_server);
6865 ADD_TEST(test_ktls_no_tx_client_no_txrx_server);
6866 ADD_TEST(test_ktls_client_no_txrx_server);
6867 ADD_TEST(test_ktls_no_txrx_client_no_rx_server);
6868 ADD_TEST(test_ktls_no_rx_client_no_rx_server);
6869 ADD_TEST(test_ktls_no_tx_client_no_rx_server);
6870 ADD_TEST(test_ktls_client_no_rx_server);
6871 ADD_TEST(test_ktls_no_txrx_client_no_tx_server);
6872 ADD_TEST(test_ktls_no_rx_client_no_tx_server);
6873 ADD_TEST(test_ktls_no_tx_client_no_tx_server);
6874 ADD_TEST(test_ktls_client_no_tx_server);
6875 ADD_TEST(test_ktls_no_txrx_client_server);
6876 ADD_TEST(test_ktls_no_rx_client_server);
6877 ADD_TEST(test_ktls_no_tx_client_server);
fe5d9450 6878 ADD_TEST(test_ktls_client_server);
7c3a7561 6879 ADD_TEST(test_ktls_sendfile);
fe5d9450 6880#endif
84d5549e 6881 ADD_TEST(test_large_message_tls);
7856332e 6882 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 6883#ifndef OPENSSL_NO_DTLS
84d5549e 6884 ADD_TEST(test_large_message_dtls);
55386bef 6885#endif
8f8c11d8 6886#ifndef OPENSSL_NO_OCSP
c887104f 6887 ADD_TEST(test_tlsext_status_type);
8f8c11d8 6888#endif
eaa776da
MC		 6889 ADD_TEST(test_session_with_only_int_cache);
6890 ADD_TEST(test_session_with_only_ext_cache);
6891 ADD_TEST(test_session_with_both_cache);
36ff232c 6892#ifndef OPENSSL_NO_TLS1_3
04d7814a
MC		 6893 ADD_ALL_TESTS(test_stateful_tickets, 3);
6894 ADD_ALL_TESTS(test_stateless_tickets, 3);
8614a4eb 6895 ADD_TEST(test_psk_tickets);
36ff232c 6896#endif
7fb4c820 6897 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 6898 ADD_TEST(test_ssl_bio_pop_next_bio);
6899 ADD_TEST(test_ssl_bio_pop_ssl_bio);
6900 ADD_TEST(test_ssl_bio_change_rbio);
6901 ADD_TEST(test_ssl_bio_change_wbio);
c423ecaa 6902#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae 6903 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 6904 ADD_TEST(test_keylog);
c423ecaa 6905#endif
6acdd3e5
CB		 6906#ifndef OPENSSL_NO_TLS1_3
6907 ADD_TEST(test_keylog_no_master_key);
6908#endif
e9ee6536 6909#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 6910 ADD_TEST(test_client_hello_cb);
088dfa13 6911 ADD_TEST(test_no_ems);
5f982038
MC		 6912#endif
6913#ifndef OPENSSL_NO_TLS1_3
02a3ed5a 6914 ADD_ALL_TESTS(test_early_data_read_write, 3);
78fb5374
MC		 6915 /*
6916 * We don't do replay tests for external PSK. Replay protection isn't used
6917 * in that scenario.
6918 */
6919 ADD_ALL_TESTS(test_early_data_replay, 2);
02a3ed5a
MC		 6920 ADD_ALL_TESTS(test_early_data_skip, 3);
6921 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
0efa0ba4 6922 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
0d1b7789 6923 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
02a3ed5a 6924 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 6925 ADD_ALL_TESTS(test_early_data_psk, 8);
02a3ed5a 6926 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 6927# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 6928 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 6929# endif
e9ee6536 6930#endif
a273157a 6931#ifndef OPENSSL_NO_TLS1_3
034cb87b 6932 ADD_ALL_TESTS(test_set_ciphersuite, 10);
ca0413ae 6933 ADD_TEST(test_ciphersuite_change);
5bf2eade 6934 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
6935# ifdef OPENSSL_NO_PSK
c2b290c3 6936 ADD_ALL_TESTS(test_tls13_psk, 1);
5bf2eade 6937# else
0d8da779 6938 ADD_ALL_TESTS(test_tls13_psk, 4);
5bf2eade 6939# endif /* OPENSSL_NO_PSK */
6940# ifndef OPENSSL_NO_TLS1_2
6941 /* Test with both TLSv1.3 and 1.2 versions */
db26ec80 6942 ADD_ALL_TESTS(test_key_exchange, 14);
5bf2eade 6943# else
6944 /* Test with only TLSv1.3 versions */
6945 ADD_ALL_TESTS(test_key_exchange, 12);
6946# endif
bb01ef3f 6947 ADD_ALL_TESTS(test_custom_exts, 5);
c7b8ff25 6948 ADD_TEST(test_stateless);
9d75dce3 6949 ADD_TEST(test_pha_key_update);
a273157a 6950#else
bb01ef3f 6951 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 6952#endif
16afd71c 6953 ADD_ALL_TESTS(test_serverinfo, 8);
0fb2815b 6954 ADD_ALL_TESTS(test_export_key_mat, 6);
b38ede80
TT		 6955#ifndef OPENSSL_NO_TLS1_3
6956 ADD_ALL_TESTS(test_export_key_mat_early, 3);
3409a5ff 6957 ADD_TEST(test_key_update);
a77b4dba 6958 ADD_ALL_TESTS(test_key_update_in_write, 2);
b38ede80 6959#endif
e11b6aa4 6960 ADD_ALL_TESTS(test_ssl_clear, 2);
cf72c757 6961 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
76fd7a1d
MC		 6962#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6963 ADD_ALL_TESTS(test_srp, 6);
6964#endif
5718fe45 6965 ADD_ALL_TESTS(test_info_callback, 6);
4a432af8 6966 ADD_ALL_TESTS(test_ssl_pending, 2);
e401389a 6967 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
61fb5923 6968 ADD_ALL_TESTS(test_ticket_callbacks, 12);
57d7b988 6969 ADD_ALL_TESTS(test_shutdown, 7);
1a2a3a42 6970 ADD_ALL_TESTS(test_cert_cb, 6);
6e46c065 6971 ADD_ALL_TESTS(test_client_cert_cb, 2);
fb8c8359 6972 ADD_ALL_TESTS(test_ca_names, 3);
ad887416
P		 6973 return 1;
6974}
2cb4b5f6 6975
ad887416
P		 6976void cleanup_tests(void)
6977{
1a2a3a42
MC		 6978 OPENSSL_free(cert);
6979 OPENSSL_free(privkey);
fa454945 6980 bio_s_mempacket_test_free();
a77b4dba 6981 bio_s_always_retry_free();
2cb4b5f6 6982}
A mirror of the official openssl repository