]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Add option to disable Extended Master Secret
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
6738bf14 2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6 3 *
909f1a2e 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
2cb4b5f6
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
ba881d3b
MC		 10#include <string.h>
11
2cb4b5f6
MC		 12#include <openssl/opensslconf.h>
13#include <openssl/bio.h>
14#include <openssl/crypto.h>
15#include <openssl/ssl.h>
ba881d3b 16#include <openssl/ocsp.h>
76fd7a1d
MC		 17#include <openssl/srp.h>
18#include <openssl/txt_db.h>
d0191fe0 19#include <openssl/aes.h>
2cb4b5f6
MC		 20
21#include "ssltestlib.h"
c887104f 22#include "testutil.h"
f297e4ec 23#include "testutil/output.h"
176db6dc 24#include "internal/nelem.h"
fe5d9450 25#include "internal/ktls.h"
ca0413ae 26#include "../ssl/ssl_locl.h"
2cb4b5f6 27
8614a4eb
MC		 28#ifndef OPENSSL_NO_TLS1_3
29
30static SSL_SESSION *clientpsk = NULL;
31static SSL_SESSION *serverpsk = NULL;
32static const char *pskid = "Identity";
33static const char *srvid;
34
35static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
36 size_t *idlen, SSL_SESSION **sess);
37static int find_session_cb(SSL *ssl, const unsigned char *identity,
38 size_t identity_len, SSL_SESSION **sess);
39
40static int use_session_cb_cnt = 0;
41static int find_session_cb_cnt = 0;
42
43static SSL_SESSION *create_a_psk(SSL *ssl);
44#endif
45
2cb4b5f6
MC		 46static char *cert = NULL;
47static char *privkey = NULL;
76fd7a1d
MC		 48static char *srpvfile = NULL;
49static char *tmpfilename = NULL;
2cb4b5f6 50
cffe973c 51#define LOG_BUFFER_SIZE 2048
6acdd3e5 52static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 53static size_t server_log_buffer_index = 0;
6acdd3e5 54static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 55static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 56static int error_writing_log = 0;
57
8f8c11d8 58#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 59static const unsigned char orespder[] = "Dummy OCSP Response";
60static int ocsp_server_called = 0;
61static int ocsp_client_called = 0;
62
63static int cdummyarg = 1;
64static X509 *ocspcert = NULL;
8f8c11d8 65#endif
ba881d3b 66
84d5549e 67#define NUM_EXTRA_CERTS 40
cf72c757 68#define CLIENT_VERSION_LEN 2
84d5549e 69
f1a5939f
CB		 70/*
71 * This structure is used to validate that the correct number of log messages
72 * of various types are emitted when emitting secret logs.
73 */
74struct sslapitest_log_counts {
75 unsigned int rsa_key_exchange_count;
76 unsigned int master_secret_count;
cffe973c 77 unsigned int client_early_secret_count;
f1a5939f
CB		 78 unsigned int client_handshake_secret_count;
79 unsigned int server_handshake_secret_count;
80 unsigned int client_application_secret_count;
81 unsigned int server_application_secret_count;
01a2a654 82 unsigned int early_exporter_secret_count;
6329ce8f 83 unsigned int exporter_secret_count;
f1a5939f
CB		 84};
85
16afd71c
MC		 86
87static unsigned char serverinfov1[] = {
88 0xff, 0xff, /* Dummy extension type */
89 0x00, 0x01, /* Extension length is 1 byte */
90 0xff /* Dummy extension data */
91};
92
93static unsigned char serverinfov2[] = {
94 0x00, 0x00, 0x00,
95 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
96 0xff, 0xff, /* Dummy extension type */
97 0x00, 0x01, /* Extension length is 1 byte */
98 0xff /* Dummy extension data */
99};
100
710756a9
RS		 101static void client_keylog_callback(const SSL *ssl, const char *line)
102{
6acdd3e5
CB		 103 int line_length = strlen(line);
104
105 /* If the log doesn't fit, error out. */
710756a9
RS		 106 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
107 TEST_info("Client log too full");
6acdd3e5
CB		 108 error_writing_log = 1;
109 return;
110 }
111
112 strcat(client_log_buffer, line);
113 client_log_buffer_index += line_length;
710756a9 114 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 115}
116
710756a9
RS		 117static void server_keylog_callback(const SSL *ssl, const char *line)
118{
6acdd3e5
CB		 119 int line_length = strlen(line);
120
121 /* If the log doesn't fit, error out. */
710756a9 122 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 123 TEST_info("Server log too full");
6acdd3e5
CB		 124 error_writing_log = 1;
125 return;
126 }
127
128 strcat(server_log_buffer, line);
129 server_log_buffer_index += line_length;
710756a9 130 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 131}
132
133static int compare_hex_encoded_buffer(const char *hex_encoded,
134 size_t hex_length,
135 const uint8_t *raw,
710756a9
RS		 136 size_t raw_length)
137{
138 size_t i, j;
139 char hexed[3];
6acdd3e5 140
710756a9 141 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 142 return 1;
6acdd3e5 143
710756a9 144 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 145 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 146 if (!TEST_int_eq(hexed[0], hex_encoded[j])
147 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 148 return 1;
6acdd3e5
CB		 149 }
150
151 return 0;
152}
153
154static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 155 const SSL_SESSION *session,
710756a9
RS		 156 struct sslapitest_log_counts *expected)
157{
6acdd3e5
CB		 158 char *token = NULL;
159 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
160 size_t client_random_size = SSL3_RANDOM_SIZE;
161 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
162 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 163 unsigned int rsa_key_exchange_count = 0;
164 unsigned int master_secret_count = 0;
cffe973c 165 unsigned int client_early_secret_count = 0;
f1a5939f
CB		 166 unsigned int client_handshake_secret_count = 0;
167 unsigned int server_handshake_secret_count = 0;
168 unsigned int client_application_secret_count = 0;
169 unsigned int server_application_secret_count = 0;
01a2a654 170 unsigned int early_exporter_secret_count = 0;
6329ce8f 171 unsigned int exporter_secret_count = 0;
6acdd3e5 172
710756a9
RS		 173 for (token = strtok(buffer, " \n"); token != NULL;
174 token = strtok(NULL, " \n")) {
6acdd3e5 175 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 176 /*
177 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 178 * hex-encoded encrypted secret, then the hex-encoded pre-master
179 * secret.
180 */
710756a9 181 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 182 return 0;
710756a9 183 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 184 return 0;
710756a9 185 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 186 return 0;
f1a5939f
CB		 187 /*
188 * We can't sensibly check the log because the premaster secret is
189 * transient, and OpenSSL doesn't keep hold of it once the master
190 * secret is generated.
191 */
192 rsa_key_exchange_count++;
6acdd3e5 193 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 194 /*
195 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 196 * client random, then the hex-encoded master secret.
197 */
198 client_random_size = SSL_get_client_random(ssl,
199 actual_client_random,
200 SSL3_RANDOM_SIZE);
710756a9 201 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 202 return 0;
6acdd3e5 203
710756a9 204 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 205 return 0;
710756a9 206 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 207 return 0;
710756a9
RS		 208 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
209 actual_client_random,
210 client_random_size)))
f1a5939f 211 return 0;
6acdd3e5 212
710756a9 213 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 214 return 0;
6acdd3e5
CB		 215 master_key_size = SSL_SESSION_get_master_key(session,
216 actual_master_key,
217 master_key_size);
710756a9 218 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 219 return 0;
710756a9
RS		 220 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
221 actual_master_key,
222 master_key_size)))
f1a5939f 223 return 0;
f1a5939f 224 master_secret_count++;
cffe973c
PW		 225 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
226 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
710756a9
RS		 227 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
228 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
6329ce8f 229 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
01a2a654 230 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
6329ce8f 231 || strcmp(token, "EXPORTER_SECRET") == 0) {
f1a5939f
CB		 232 /*
233 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
234 * client random, and then the hex-encoded secret. In this case,
235 * we treat all of these secrets identically and then just
236 * distinguish between them when counting what we saw.
237 */
cffe973c
PW		 238 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
239 client_early_secret_count++;
240 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
f1a5939f
CB		 241 client_handshake_secret_count++;
242 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
243 server_handshake_secret_count++;
244 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
245 client_application_secret_count++;
246 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
247 server_application_secret_count++;
01a2a654
PW		 248 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
249 early_exporter_secret_count++;
6329ce8f
PW		 250 else if (strcmp(token, "EXPORTER_SECRET") == 0)
251 exporter_secret_count++;
f1a5939f
CB		 252
253 client_random_size = SSL_get_client_random(ssl,
254 actual_client_random,
255 SSL3_RANDOM_SIZE);
710756a9 256 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 257 return 0;
f1a5939f 258
710756a9 259 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 260 return 0;
710756a9 261 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 262 return 0;
710756a9
RS		 263 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
264 actual_client_random,
265 client_random_size)))
f1a5939f 266 return 0;
6acdd3e5 267
710756a9 268 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 269 return 0;
f1a5939f
CB		 270
271 /*
272 * TODO(TLS1.3): test that application traffic secrets are what
273 * we expect */
6acdd3e5 274 } else {
710756a9 275 TEST_info("Unexpected token %s\n", token);
f1a5939f 276 return 0;
6acdd3e5 277 }
6acdd3e5
CB		 278 }
279
710756a9
RS		 280 /* Got what we expected? */
281 if (!TEST_size_t_eq(rsa_key_exchange_count,
282 expected->rsa_key_exchange_count)
283 || !TEST_size_t_eq(master_secret_count,
284 expected->master_secret_count)
cffe973c
PW		 285 || !TEST_size_t_eq(client_early_secret_count,
286 expected->client_early_secret_count)
710756a9
RS		 287 || !TEST_size_t_eq(client_handshake_secret_count,
288 expected->client_handshake_secret_count)
289 || !TEST_size_t_eq(server_handshake_secret_count,
290 expected->server_handshake_secret_count)
291 || !TEST_size_t_eq(client_application_secret_count,
292 expected->client_application_secret_count)
293 || !TEST_size_t_eq(server_application_secret_count,
6329ce8f 294 expected->server_application_secret_count)
01a2a654
PW		 295 || !TEST_size_t_eq(early_exporter_secret_count,
296 expected->early_exporter_secret_count)
6329ce8f
PW		 297 || !TEST_size_t_eq(exporter_secret_count,
298 expected->exporter_secret_count))
710756a9
RS		 299 return 0;
300 return 1;
6acdd3e5
CB		 301}
302
c423ecaa 303#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
710756a9
RS		 304static int test_keylog(void)
305{
6acdd3e5
CB		 306 SSL_CTX *cctx = NULL, *sctx = NULL;
307 SSL *clientssl = NULL, *serverssl = NULL;
308 int testresult = 0;
f1a5939f 309 struct sslapitest_log_counts expected = {0};
6acdd3e5
CB		 310
311 /* Clean up logging space */
710756a9
RS		 312 memset(client_log_buffer, 0, sizeof(client_log_buffer));
313 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 314 client_log_buffer_index = 0;
315 server_log_buffer_index = 0;
316 error_writing_log = 0;
317
710756a9
RS		 318 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
319 TLS_client_method(),
5c587fb6 320 TLS1_VERSION, 0,
710756a9 321 &sctx, &cctx, cert, privkey)))
6acdd3e5 322 return 0;
6acdd3e5
CB		 323
324 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
325 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
326 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
327
f0deb4d3 328 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 329 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 330 goto end;
f0deb4d3 331
cf10df81
RS		 332 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
333 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 334 goto end;
6acdd3e5 335 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 336 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
337 == client_keylog_callback))
6acdd3e5 338 goto end;
710756a9 339 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 340 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
341 == server_keylog_callback))
6acdd3e5 342 goto end;
6acdd3e5 343
710756a9
RS		 344 /* Now do a handshake and check that the logs have been written to. */
345 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
346 &clientssl, NULL, NULL))
347 || !TEST_true(create_ssl_connection(serverssl, clientssl,
348 SSL_ERROR_NONE))
349 || !TEST_false(error_writing_log)
350 || !TEST_int_gt(client_log_buffer_index, 0)
351 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 352 goto end;
6acdd3e5 353
f1a5939f
CB		 354 /*
355 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 356 * do that by using strtok and confirming that we have more or less the
f1a5939f
CB		 357 * data we expect. For both client and server, we expect to see one master
358 * secret. The client should also see a RSA key exchange.
6acdd3e5 359 */
f1a5939f
CB		 360 expected.rsa_key_exchange_count = 1;
361 expected.master_secret_count = 1;
710756a9
RS		 362 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
363 SSL_get_session(clientssl), &expected)))
6acdd3e5 364 goto end;
f1a5939f
CB		 365
366 expected.rsa_key_exchange_count = 0;
710756a9
RS		 367 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
368 SSL_get_session(serverssl), &expected)))
6acdd3e5 369 goto end;
6acdd3e5
CB		 370
371 testresult = 1;
372
373end:
374 SSL_free(serverssl);
375 SSL_free(clientssl);
376 SSL_CTX_free(sctx);
377 SSL_CTX_free(cctx);
378
379 return testresult;
380}
c423ecaa 381#endif
6acdd3e5
CB		 382
383#ifndef OPENSSL_NO_TLS1_3
710756a9
RS		 384static int test_keylog_no_master_key(void)
385{
6acdd3e5
CB		 386 SSL_CTX *cctx = NULL, *sctx = NULL;
387 SSL *clientssl = NULL, *serverssl = NULL;
cffe973c 388 SSL_SESSION *sess = NULL;
6acdd3e5 389 int testresult = 0;
f1a5939f 390 struct sslapitest_log_counts expected = {0};
cffe973c
PW		 391 unsigned char buf[1];
392 size_t readbytes, written;
6acdd3e5
CB		 393
394 /* Clean up logging space */
710756a9
RS		 395 memset(client_log_buffer, 0, sizeof(client_log_buffer));
396 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 397 client_log_buffer_index = 0;
398 server_log_buffer_index = 0;
399 error_writing_log = 0;
400
7d7f6834 401 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 402 TLS1_VERSION, 0,
cffe973c
PW		 403 &sctx, &cctx, cert, privkey))
404 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
cffe973c 405 SSL3_RT_MAX_PLAIN_LENGTH)))
6acdd3e5 406 return 0;
6acdd3e5 407
cf10df81
RS		 408 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
409 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 410 goto end;
6acdd3e5
CB		 411
412 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 413 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
414 == client_keylog_callback))
6acdd3e5 415 goto end;
6acdd3e5 416
710756a9 417 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 418 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
419 == server_keylog_callback))
6acdd3e5 420 goto end;
6acdd3e5 421
710756a9
RS		 422 /* Now do a handshake and check that the logs have been written to. */
423 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
424 &clientssl, NULL, NULL))
425 || !TEST_true(create_ssl_connection(serverssl, clientssl,
426 SSL_ERROR_NONE))
427 || !TEST_false(error_writing_log))
6acdd3e5 428 goto end;
6acdd3e5 429
f1a5939f
CB		 430 /*
431 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 432 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 433 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 434 */
f1a5939f
CB		 435 expected.client_handshake_secret_count = 1;
436 expected.server_handshake_secret_count = 1;
437 expected.client_application_secret_count = 1;
438 expected.server_application_secret_count = 1;
6329ce8f 439 expected.exporter_secret_count = 1;
710756a9
RS		 440 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
441 SSL_get_session(clientssl), &expected))
442 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
443 SSL_get_session(serverssl),
444 &expected)))
6acdd3e5 445 goto end;
6acdd3e5 446
cffe973c
PW		 447 /* Terminate old session and resume with early data. */
448 sess = SSL_get1_session(clientssl);
449 SSL_shutdown(clientssl);
450 SSL_shutdown(serverssl);
451 SSL_free(serverssl);
452 SSL_free(clientssl);
453 serverssl = clientssl = NULL;
454
455 /* Reset key log */
456 memset(client_log_buffer, 0, sizeof(client_log_buffer));
457 memset(server_log_buffer, 0, sizeof(server_log_buffer));
458 client_log_buffer_index = 0;
459 server_log_buffer_index = 0;
460
461 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
462 &clientssl, NULL, NULL))
463 || !TEST_true(SSL_set_session(clientssl, sess))
464 /* Here writing 0 length early data is enough. */
465 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
466 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
467 &readbytes),
468 SSL_READ_EARLY_DATA_ERROR)
469 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
470 SSL_EARLY_DATA_ACCEPTED)
471 || !TEST_true(create_ssl_connection(serverssl, clientssl,
472 SSL_ERROR_NONE))
473 || !TEST_true(SSL_session_reused(clientssl)))
474 goto end;
475
476 /* In addition to the previous entries, expect early secrets. */
477 expected.client_early_secret_count = 1;
01a2a654 478 expected.early_exporter_secret_count = 1;
cffe973c
PW		 479 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
480 SSL_get_session(clientssl), &expected))
481 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
482 SSL_get_session(serverssl),
483 &expected)))
484 goto end;
485
6acdd3e5
CB		 486 testresult = 1;
487
488end:
cffe973c 489 SSL_SESSION_free(sess);
6acdd3e5
CB		 490 SSL_free(serverssl);
491 SSL_free(clientssl);
492 SSL_CTX_free(sctx);
493 SSL_CTX_free(cctx);
494
495 return testresult;
496}
497#endif
498
e9ee6536 499#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 500static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 501{
502 int *ctr = arg;
503 const unsigned char *p;
8ea404fb 504 int *exts;
2afaee51
BK		 505 /* We only configure two ciphers, but the SCSV is added automatically. */
506#ifdef OPENSSL_NO_EC
507 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
508#else
509 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
510 0x2c, 0x00, 0xff};
511#endif
8ea404fb
BK		 512 const int expected_extensions[] = {
513#ifndef OPENSSL_NO_EC
514 11, 10,
515#endif
10ed1b72 516 35, 22, 23, 13};
2afaee51
BK		 517 size_t len;
518
519 /* Make sure we can defer processing and get called back. */
520 if ((*ctr)++ == 0)
f1b97da1 521 return SSL_CLIENT_HELLO_RETRY;
2afaee51 522
a9c0d8be 523 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 524 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 525 || !TEST_size_t_eq(
526 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 527 || !TEST_int_eq(*p, 0))
f1b97da1 528 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 529 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 530 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 531 if (len != OSSL_NELEM(expected_extensions) ||
532 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 533 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 534 OPENSSL_free(exts);
f1b97da1 535 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 536 }
537 OPENSSL_free(exts);
f1b97da1 538 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 539}
540
a9c0d8be 541static int test_client_hello_cb(void)
710756a9 542{
2afaee51
BK		 543 SSL_CTX *cctx = NULL, *sctx = NULL;
544 SSL *clientssl = NULL, *serverssl = NULL;
545 int testctr = 0, testresult = 0;
546
7d7f6834 547 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 548 TLS1_VERSION, 0,
7d7f6834 549 &sctx, &cctx, cert, privkey)))
2afaee51 550 goto end;
a9c0d8be 551 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 552
2afaee51
BK		 553 /* The gimpy cipher list we configure can't do TLS 1.3. */
554 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 555
710756a9
RS		 556 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
557 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
558 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
559 &clientssl, NULL, NULL))
560 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 561 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 562 /*
563 * Passing a -1 literal is a hack since
564 * the real value was lost.
565 * */
a9c0d8be
DB		 566 || !TEST_int_eq(SSL_get_error(serverssl, -1),
567 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 568 || !TEST_true(create_ssl_connection(serverssl, clientssl,
569 SSL_ERROR_NONE)))
2afaee51 570 goto end;
2afaee51
BK		 571
572 testresult = 1;
573
088dfa13
TS		 574end:
575 SSL_free(serverssl);
576 SSL_free(clientssl);
577 SSL_CTX_free(sctx);
578 SSL_CTX_free(cctx);
579
580 return testresult;
581}
582
583static int test_no_ems(void)
584{
585 SSL_CTX *cctx = NULL, *sctx = NULL;
586 SSL *clientssl = NULL, *serverssl = NULL;
587 int testresult = 0;
588
589 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
590 TLS1_VERSION, TLS1_2_VERSION,
591 &sctx, &cctx, cert, privkey)) {
592 printf("Unable to create SSL_CTX pair\n");
593 goto end;
594 }
595
596 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
597
598 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
599 printf("Unable to create SSL objects\n");
600 goto end;
601 }
602
603 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
604 printf("Creating SSL connection failed\n");
605 goto end;
606 }
607
608 if (SSL_get_extms_support(serverssl)) {
609 printf("Server reports Extended Master Secret support\n");
610 goto end;
611 }
612
613 if (SSL_get_extms_support(clientssl)) {
614 printf("Client reports Extended Master Secret support\n");
615 goto end;
616 }
617 testresult = 1;
618
2afaee51
BK		 619end:
620 SSL_free(serverssl);
621 SSL_free(clientssl);
622 SSL_CTX_free(sctx);
623 SSL_CTX_free(cctx);
624
625 return testresult;
626}
e9ee6536 627#endif
2afaee51 628
84d5549e 629static int execute_test_large_message(const SSL_METHOD *smeth,
7d7f6834
RL		 630 const SSL_METHOD *cmeth,
631 int min_version, int max_version,
632 int read_ahead)
84d5549e
MC		 633{
634 SSL_CTX *cctx = NULL, *sctx = NULL;
635 SSL *clientssl = NULL, *serverssl = NULL;
636 int testresult = 0;
637 int i;
710756a9 638 BIO *certbio = NULL;
84d5549e
MC		 639 X509 *chaincert = NULL;
640 int certlen;
641
710756a9 642 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
84d5549e 643 goto end;
84d5549e 644 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
fa454945
MC		 645 BIO_free(certbio);
646 certbio = NULL;
710756a9 647 if (!TEST_ptr(chaincert))
fa454945 648 goto end;
84d5549e 649
7d7f6834
RL		 650 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
651 &sctx, &cctx, cert, privkey)))
84d5549e 652 goto end;
84d5549e 653
710756a9 654 if (read_ahead) {
7856332e
MC		 655 /*
656 * Test that read_ahead works correctly when dealing with large
657 * records
658 */
659 SSL_CTX_set_read_ahead(cctx, 1);
660 }
661
84d5549e
MC		 662 /*
663 * We assume the supplied certificate is big enough so that if we add
664 * NUM_EXTRA_CERTS it will make the overall message large enough. The
665 * default buffer size is requested to be 16k, but due to the way BUF_MEM
710756a9
RS		 666 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
667 * test we need to have a message larger than that.
84d5549e
MC		 668 */
669 certlen = i2d_X509(chaincert, NULL);
710756a9
RS		 670 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
671 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
84d5549e 672 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
710756a9 673 if (!X509_up_ref(chaincert))
84d5549e 674 goto end;
84d5549e 675 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
84d5549e
MC		 676 X509_free(chaincert);
677 goto end;
678 }
679 }
680
710756a9
RS		 681 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
682 NULL, NULL))
683 || !TEST_true(create_ssl_connection(serverssl, clientssl,
684 SSL_ERROR_NONE)))
84d5549e 685 goto end;
84d5549e 686
4bf08600
MC		 687 /*
688 * Calling SSL_clear() first is not required but this tests that SSL_clear()
689 * doesn't leak (when using enable-crypto-mdebug).
690 */
710756a9 691 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 692 goto end;
84d5549e 693
4bf08600 694 testresult = 1;
84d5549e
MC		 695 end:
696 X509_free(chaincert);
697 SSL_free(serverssl);
698 SSL_free(clientssl);
699 SSL_CTX_free(sctx);
700 SSL_CTX_free(cctx);
701
702 return testresult;
703}
704
5e9072ed
MC		 705#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
706 && !defined(OPENSSL_NO_SOCK)
fe5d9450
BP		 707
708/* sock must be connected */
709static int ktls_chk_platform(int sock)
710{
711 if (!ktls_enable(sock))
712 return 0;
713 return 1;
714}
715
716static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd)
717{
718 static char count = 1;
719 unsigned char cbuf[16000] = {0};
720 unsigned char sbuf[16000];
721 size_t err = 0;
722 char crec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
723 char crec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
724 char srec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
725 char srec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
726 char srec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
727 char srec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
728
729 cbuf[0] = count++;
730 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence,
731 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
732 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence,
733 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
734 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence,
735 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
736
737 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
738 goto end;
739
740 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
741 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
742 goto end;
743 }
744 }
745
746 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
747 goto end;
748
749 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
750 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
751 goto end;
752 }
753 }
754
755 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence,
756 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
757 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence,
758 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
759 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence,
760 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
761
762 /* verify the payload */
763 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
764 goto end;
765
766 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
767 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
768 if (!TEST_mem_ne(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
769 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
770 goto end;
771 } else {
772 if (!TEST_mem_eq(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
773 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
774 goto end;
775 }
776
777 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
778 if (!TEST_mem_ne(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
779 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
780 goto end;
781 } else {
782 if (!TEST_mem_eq(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
783 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
784 goto end;
785 }
786
787 if (!TEST_mem_ne(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
788 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
789 goto end;
790
791 return 1;
792end:
793 return 0;
794}
795
796static int execute_test_ktls(int cis_ktls_tx, int sis_ktls_tx)
797{
798 SSL_CTX *cctx = NULL, *sctx = NULL;
799 SSL *clientssl = NULL, *serverssl = NULL;
800 int testresult = 0;
801 int cfd, sfd;
802
803 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
804 goto end;
805
806 /* Skip this test if the platform does not support ktls */
807 if (!ktls_chk_platform(cfd))
808 return 1;
809
810 /* Create a session based on SHA-256 */
811 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
812 TLS_client_method(),
813 TLS1_2_VERSION, TLS1_2_VERSION,
814 &sctx, &cctx, cert, privkey))
815 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
816 "AES128-GCM-SHA256"))
817 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
818 &clientssl, sfd, cfd)))
819 goto end;
820
821 if (!cis_ktls_tx) {
822 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
823 goto end;
824 }
825
826 if (!sis_ktls_tx) {
827 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
828 goto end;
829 }
830
831 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
832 SSL_ERROR_NONE)))
833 goto end;
834
835 if (!cis_ktls_tx) {
836 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
837 goto end;
838 } else {
839 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
840 goto end;
841 }
842
843 if (!sis_ktls_tx) {
844 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
845 goto end;
846 } else {
847 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
848 goto end;
849 }
850
851 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd)))
852 goto end;
853
854 testresult = 1;
855end:
856 if (clientssl) {
857 SSL_shutdown(clientssl);
858 SSL_free(clientssl);
859 }
860 if (serverssl) {
861 SSL_shutdown(serverssl);
862 SSL_free(serverssl);
863 }
864 SSL_CTX_free(sctx);
865 SSL_CTX_free(cctx);
866 serverssl = clientssl = NULL;
867 return testresult;
868}
869
870static int test_ktls_client_server(void)
871{
872 return execute_test_ktls(1, 1);
873}
874
875static int test_ktls_no_client_server(void)
876{
877 return execute_test_ktls(0, 1);
878}
879
880static int test_ktls_client_no_server(void)
881{
882 return execute_test_ktls(1, 0);
883}
884
885static int test_ktls_no_client_no_server(void)
886{
887 return execute_test_ktls(0, 0);
888}
889
890#endif
891
84d5549e
MC		 892static int test_large_message_tls(void)
893{
7856332e 894 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 895 TLS1_VERSION, 0, 0);
7856332e
MC		 896}
897
898static int test_large_message_tls_read_ahead(void)
899{
900 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 901 TLS1_VERSION, 0, 1);
84d5549e
MC		 902}
903
55386bef 904#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 905static int test_large_message_dtls(void)
906{
7856332e
MC		 907 /*
908 * read_ahead is not relevant to DTLS because DTLS always acts as if
909 * read_ahead is set.
910 */
84d5549e 911 return execute_test_large_message(DTLS_server_method(),
7d7f6834 912 DTLS_client_method(),
5c587fb6 913 DTLS1_VERSION, 0, 0);
84d5549e 914}
55386bef 915#endif
84d5549e 916
8f8c11d8 917#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 918static int ocsp_server_cb(SSL *s, void *arg)
919{
920 int *argi = (int *)arg;
710756a9 921 unsigned char *copy = NULL;
ba881d3b
MC		 922 STACK_OF(OCSP_RESPID) *ids = NULL;
923 OCSP_RESPID *id = NULL;
924
925 if (*argi == 2) {
926 /* In this test we are expecting exactly 1 OCSP_RESPID */
927 SSL_get_tlsext_status_ids(s, &ids);
928 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
929 return SSL_TLSEXT_ERR_ALERT_FATAL;
930
931 id = sk_OCSP_RESPID_value(ids, 0);
932 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
933 return SSL_TLSEXT_ERR_ALERT_FATAL;
934 } else if (*argi != 1) {
935 return SSL_TLSEXT_ERR_ALERT_FATAL;
936 }
937
710756a9 938 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 939 return SSL_TLSEXT_ERR_ALERT_FATAL;
940
710756a9 941 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
ba881d3b 942 ocsp_server_called = 1;
ba881d3b
MC		 943 return SSL_TLSEXT_ERR_OK;
944}
945
946static int ocsp_client_cb(SSL *s, void *arg)
947{
948 int *argi = (int *)arg;
949 const unsigned char *respderin;
950 size_t len;
951
952 if (*argi != 1 && *argi != 2)
953 return 0;
954
955 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 956 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 957 return 0;
958
959 ocsp_client_called = 1;
ba881d3b
MC		 960 return 1;
961}
962
2cb4b5f6
MC		 963static int test_tlsext_status_type(void)
964{
ba881d3b
MC		 965 SSL_CTX *cctx = NULL, *sctx = NULL;
966 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 967 int testresult = 0;
ba881d3b
MC		 968 STACK_OF(OCSP_RESPID) *ids = NULL;
969 OCSP_RESPID *id = NULL;
970 BIO *certbio = NULL;
2cb4b5f6 971
7d7f6834 972 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 973 TLS1_VERSION, 0,
7d7f6834 974 &sctx, &cctx, cert, privkey))
ba881d3b 975 return 0;
2cb4b5f6 976
710756a9 977 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 978 goto end;
2cb4b5f6 979
ba881d3b 980 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 981
ba881d3b 982 clientssl = SSL_new(cctx);
710756a9
RS		 983 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
984 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
985 TLSEXT_STATUSTYPE_ocsp))
986 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
987 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 988 goto end;
2cb4b5f6 989
ba881d3b
MC		 990 SSL_free(clientssl);
991 clientssl = NULL;
2cb4b5f6 992
710756a9
RS		 993 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
994 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 995 goto end;
2cb4b5f6 996
ba881d3b 997 clientssl = SSL_new(cctx);
710756a9 998 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 999 goto end;
ba881d3b
MC		 1000 SSL_free(clientssl);
1001 clientssl = NULL;
1002
1003 /*
1004 * Now actually do a handshake and check OCSP information is exchanged and
1005 * the callbacks get called
1006 */
ba881d3b
MC		 1007 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1008 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1009 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1010 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 1011 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1012 &clientssl, NULL, NULL))
1013 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1014 SSL_ERROR_NONE))
1015 || !TEST_true(ocsp_client_called)
1016 || !TEST_true(ocsp_server_called))
ba881d3b 1017 goto end;
ba881d3b
MC		 1018 SSL_free(serverssl);
1019 SSL_free(clientssl);
1020 serverssl = NULL;
1021 clientssl = NULL;
1022
1023 /* Try again but this time force the server side callback to fail */
1024 ocsp_client_called = 0;
1025 ocsp_server_called = 0;
1026 cdummyarg = 0;
710756a9
RS		 1027 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1028 &clientssl, NULL, NULL))
1029 /* This should fail because the callback will fail */
1030 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1031 SSL_ERROR_NONE))
1032 || !TEST_false(ocsp_client_called)
1033 || !TEST_false(ocsp_server_called))
ba881d3b 1034 goto end;
ba881d3b
MC		 1035 SSL_free(serverssl);
1036 SSL_free(clientssl);
1037 serverssl = NULL;
1038 clientssl = NULL;
1039
1040 /*
1041 * This time we'll get the client to send an OCSP_RESPID that it will
1042 * accept.
1043 */
1044 ocsp_client_called = 0;
1045 ocsp_server_called = 0;
1046 cdummyarg = 2;
710756a9
RS		 1047 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1048 &clientssl, NULL, NULL)))
ba881d3b 1049 goto end;
ba881d3b
MC		 1050
1051 /*
1052 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 1053 * specific one. We'll use the server cert.
ba881d3b 1054 */
710756a9
RS		 1055 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1056 || !TEST_ptr(id = OCSP_RESPID_new())
1057 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1058 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
1059 NULL, NULL, NULL))
1060 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
1061 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 1062 goto end;
ba881d3b
MC		 1063 id = NULL;
1064 SSL_set_tlsext_status_ids(clientssl, ids);
1065 /* Control has been transferred */
1066 ids = NULL;
1067
1068 BIO_free(certbio);
1069 certbio = NULL;
1070
710756a9
RS		 1071 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1072 SSL_ERROR_NONE))
1073 || !TEST_true(ocsp_client_called)
1074 || !TEST_true(ocsp_server_called))
ba881d3b 1075 goto end;
ba881d3b 1076
2cb4b5f6
MC		 1077 testresult = 1;
1078
1079 end:
ba881d3b
MC		 1080 SSL_free(serverssl);
1081 SSL_free(clientssl);
1082 SSL_CTX_free(sctx);
1083 SSL_CTX_free(cctx);
1084 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1085 OCSP_RESPID_free(id);
1086 BIO_free(certbio);
1087 X509_free(ocspcert);
1088 ocspcert = NULL;
2cb4b5f6
MC		 1089
1090 return testresult;
1091}
8f8c11d8 1092#endif
2cb4b5f6 1093
bf208d95 1094#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 1095static int new_called, remove_called, get_called;
eaa776da 1096
eaa776da
MC		 1097static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1098{
1099 new_called++;
c0537ebd
MC		 1100 /*
1101 * sess has been up-refed for us, but we don't actually need it so free it
1102 * immediately.
1103 */
1104 SSL_SESSION_free(sess);
eaa776da
MC		 1105 return 1;
1106}
1107
1108static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1109{
1110 remove_called++;
1111}
1112
7a301f08
MC		 1113static SSL_SESSION *get_sess_val = NULL;
1114
1115static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1116 int *copy)
1117{
0afca811 1118 get_called++;
7a301f08
MC		 1119 *copy = 1;
1120 return get_sess_val;
1121}
1122
7a301f08
MC		 1123static int execute_test_session(int maxprot, int use_int_cache,
1124 int use_ext_cache)
2cb4b5f6
MC		 1125{
1126 SSL_CTX *sctx = NULL, *cctx = NULL;
1127 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1128 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 1129# ifndef OPENSSL_NO_TLS1_1
eaa776da 1130 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 1131# endif
2cb4b5f6 1132 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
36ff232c 1133 int testresult = 0, numnewsesstick = 1;
2cb4b5f6 1134
7e885b7b
P		 1135 new_called = remove_called = 0;
1136
36ff232c
MC		 1137 /* TLSv1.3 sends 2 NewSessionTickets */
1138 if (maxprot == TLS1_3_VERSION)
1139 numnewsesstick = 2;
1140
7d7f6834 1141 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 1142 TLS1_VERSION, 0,
7d7f6834 1143 &sctx, &cctx, cert, privkey)))
2cb4b5f6 1144 return 0;
2cb4b5f6 1145
7a301f08
MC		 1146 /*
1147 * Only allow the max protocol version so we can force a connection failure
1148 * later
1149 */
1150 SSL_CTX_set_min_proto_version(cctx, maxprot);
1151 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 1152
1153 /* Set up session cache */
7e885b7b 1154 if (use_ext_cache) {
eaa776da
MC		 1155 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1156 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1157 }
7e885b7b 1158 if (use_int_cache) {
eaa776da
MC		 1159 /* Also covers instance where both are set */
1160 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1161 } else {
1162 SSL_CTX_set_session_cache_mode(cctx,
1163 SSL_SESS_CACHE_CLIENT
1164 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1165 }
2cb4b5f6 1166
710756a9
RS		 1167 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1168 NULL, NULL))
1169 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1170 SSL_ERROR_NONE))
1171 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 1172 goto end;
2cb4b5f6 1173
710756a9 1174 /* Should fail because it should already be in the cache */
7e885b7b 1175 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 1176 goto end;
7a301f08 1177 if (use_ext_cache
36ff232c
MC		 1178 && (!TEST_int_eq(new_called, numnewsesstick)
1179
1180 || !TEST_int_eq(remove_called, 0)))
b4982125 1181 goto end;
b4982125 1182
c0537ebd
MC		 1183 new_called = remove_called = 0;
1184 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1185 &clientssl2, NULL, NULL))
1186 || !TEST_true(SSL_set_session(clientssl2, sess1))
1187 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1188 SSL_ERROR_NONE))
1189 || !TEST_true(SSL_session_reused(clientssl2)))
1190 goto end;
1191
7a301f08
MC		 1192 if (maxprot == TLS1_3_VERSION) {
1193 /*
1194 * In TLSv1.3 we should have created a new session even though we have
4cb00457
MC		 1195 * resumed. Since we attempted a resume we should also have removed the
1196 * old ticket from the cache so that we try to only use tickets once.
7a301f08
MC		 1197 */
1198 if (use_ext_cache
1199 && (!TEST_int_eq(new_called, 1)
4cb00457 1200 || !TEST_int_eq(remove_called, 1)))
7a301f08
MC		 1201 goto end;
1202 } else {
1203 /*
1204 * In TLSv1.2 we expect to have resumed so no sessions added or
1205 * removed.
1206 */
1207 if (use_ext_cache
1208 && (!TEST_int_eq(new_called, 0)
1209 || !TEST_int_eq(remove_called, 0)))
1210 goto end;
1211 }
c0537ebd
MC		 1212
1213 SSL_SESSION_free(sess1);
1214 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1215 goto end;
1216 shutdown_ssl_connection(serverssl2, clientssl2);
1217 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 1218
1219 new_called = remove_called = 0;
710756a9
RS		 1220 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1221 &clientssl2, NULL, NULL))
1222 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1223 SSL_ERROR_NONE)))
2cb4b5f6 1224 goto end;
2cb4b5f6 1225
710756a9 1226 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 1227 goto end;
2cb4b5f6 1228
7a301f08 1229 if (use_ext_cache
36ff232c
MC		 1230 && (!TEST_int_eq(new_called, numnewsesstick)
1231 || !TEST_int_eq(remove_called, 0)))
eaa776da 1232 goto end;
eaa776da 1233
c0537ebd 1234 new_called = remove_called = 0;
2cb4b5f6 1235 /*
710756a9
RS		 1236 * This should clear sess2 from the cache because it is a "bad" session.
1237 * See SSL_set_session() documentation.
2cb4b5f6 1238 */
710756a9 1239 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 1240 goto end;
7a301f08
MC		 1241 if (use_ext_cache
1242 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 1243 goto end;
710756a9 1244 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 1245 goto end;
2cb4b5f6 1246
7e885b7b 1247 if (use_int_cache) {
710756a9
RS		 1248 /* Should succeeded because it should not already be in the cache */
1249 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1250 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 1251 goto end;
eaa776da
MC		 1252 }
1253
c0537ebd 1254 new_called = remove_called = 0;
eaa776da 1255 /* This shouldn't be in the cache so should fail */
710756a9 1256 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 1257 goto end;
2cb4b5f6 1258
7a301f08
MC		 1259 if (use_ext_cache
1260 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1261 goto end;
2cb4b5f6 1262
bf208d95 1263# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 1264 new_called = remove_called = 0;
eaa776da
MC		 1265 /* Force a connection failure */
1266 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 1267 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1268 &clientssl3, NULL, NULL))
1269 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 1270 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 1271 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1272 SSL_ERROR_NONE)))
eaa776da 1273 goto end;
b4982125 1274
eaa776da 1275 /* We should have automatically removed the session from the cache */
7a301f08
MC		 1276 if (use_ext_cache
1277 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1278 goto end;
2cb4b5f6 1279
710756a9 1280 /* Should succeed because it should not already be in the cache */
7e885b7b 1281 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 1282 goto end;
bf208d95 1283# endif
eaa776da 1284
7a301f08
MC		 1285 /* Now do some tests for server side caching */
1286 if (use_ext_cache) {
1287 SSL_CTX_sess_set_new_cb(cctx, NULL);
1288 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1289 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1290 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1291 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1292 get_sess_val = NULL;
1293 }
1294
1295 SSL_CTX_set_session_cache_mode(cctx, 0);
1296 /* Internal caching is the default on the server side */
1297 if (!use_int_cache)
1298 SSL_CTX_set_session_cache_mode(sctx,
1299 SSL_SESS_CACHE_SERVER
1300 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1301
1302 SSL_free(serverssl1);
1303 SSL_free(clientssl1);
1304 serverssl1 = clientssl1 = NULL;
1305 SSL_free(serverssl2);
1306 SSL_free(clientssl2);
1307 serverssl2 = clientssl2 = NULL;
1308 SSL_SESSION_free(sess1);
1309 sess1 = NULL;
1310 SSL_SESSION_free(sess2);
1311 sess2 = NULL;
1312
1313 SSL_CTX_set_max_proto_version(sctx, maxprot);
6cc0b3c2
MC		 1314 if (maxprot == TLS1_2_VERSION)
1315 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 1316 new_called = remove_called = get_called = 0;
7a301f08
MC		 1317 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1318 NULL, NULL))
1319 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1320 SSL_ERROR_NONE))
1321 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1322 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1323 goto end;
1324
ee94ec2e
MC		 1325 if (use_int_cache) {
1326 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1327 /*
1328 * In TLSv1.3 it should not have been added to the internal cache,
1329 * except in the case where we also have an external cache (in that
1330 * case it gets added to the cache in order to generate remove
1331 * events after timeout).
1332 */
1333 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1334 goto end;
1335 } else {
1336 /* Should fail because it should already be in the cache */
1337 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1338 goto end;
1339 }
1340 }
7a301f08
MC		 1341
1342 if (use_ext_cache) {
1343 SSL_SESSION *tmp = sess2;
1344
36ff232c 1345 if (!TEST_int_eq(new_called, numnewsesstick)
0afca811
KY		 1346 || !TEST_int_eq(remove_called, 0)
1347 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 1348 goto end;
1349 /*
1350 * Delete the session from the internal cache to force a lookup from
1351 * the external cache. We take a copy first because
1352 * SSL_CTX_remove_session() also marks the session as non-resumable.
1353 */
ee94ec2e 1354 if (use_int_cache && maxprot != TLS1_3_VERSION) {
3cb6a4d6
BK		 1355 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1356 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1357 goto end;
1358 SSL_SESSION_free(sess2);
1359 }
7a301f08
MC		 1360 sess2 = tmp;
1361 }
1362
0afca811 1363 new_called = remove_called = get_called = 0;
7a301f08
MC		 1364 get_sess_val = sess2;
1365 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1366 &clientssl2, NULL, NULL))
1367 || !TEST_true(SSL_set_session(clientssl2, sess1))
1368 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1369 SSL_ERROR_NONE))
1370 || !TEST_true(SSL_session_reused(clientssl2)))
1371 goto end;
1372
0afca811 1373 if (use_ext_cache) {
32305f88 1374 if (!TEST_int_eq(remove_called, 0))
0afca811
KY		 1375 goto end;
1376
1377 if (maxprot == TLS1_3_VERSION) {
32305f88
MC		 1378 if (!TEST_int_eq(new_called, 1)
1379 || !TEST_int_eq(get_called, 0))
0afca811
KY		 1380 goto end;
1381 } else {
32305f88
MC		 1382 if (!TEST_int_eq(new_called, 0)
1383 || !TEST_int_eq(get_called, 1))
0afca811
KY		 1384 goto end;
1385 }
1386 }
7a301f08 1387
2cb4b5f6 1388 testresult = 1;
eaa776da 1389
2cb4b5f6
MC		 1390 end:
1391 SSL_free(serverssl1);
1392 SSL_free(clientssl1);
1393 SSL_free(serverssl2);
1394 SSL_free(clientssl2);
bf208d95 1395# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 1396 SSL_free(serverssl3);
1397 SSL_free(clientssl3);
bf208d95 1398# endif
2cb4b5f6
MC		 1399 SSL_SESSION_free(sess1);
1400 SSL_SESSION_free(sess2);
1401 SSL_CTX_free(sctx);
1402 SSL_CTX_free(cctx);
1403
1404 return testresult;
1405}
bf208d95 1406#endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 1407
7fb4c820
MC		 1408static int test_session_with_only_int_cache(void)
1409{
7a301f08
MC		 1410#ifndef OPENSSL_NO_TLS1_3
1411 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1412 return 0;
1413#endif
1414
1415#ifndef OPENSSL_NO_TLS1_2
1416 return execute_test_session(TLS1_2_VERSION, 1, 0);
1417#else
1418 return 1;
1419#endif
eaa776da
MC		 1420}
1421
7fb4c820
MC		 1422static int test_session_with_only_ext_cache(void)
1423{
7a301f08
MC		 1424#ifndef OPENSSL_NO_TLS1_3
1425 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1426 return 0;
1427#endif
1428
1429#ifndef OPENSSL_NO_TLS1_2
1430 return execute_test_session(TLS1_2_VERSION, 0, 1);
1431#else
1432 return 1;
1433#endif
eaa776da
MC		 1434}
1435
7fb4c820
MC		 1436static int test_session_with_both_cache(void)
1437{
7a301f08
MC		 1438#ifndef OPENSSL_NO_TLS1_3
1439 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1440 return 0;
1441#endif
1442
1443#ifndef OPENSSL_NO_TLS1_2
1444 return execute_test_session(TLS1_2_VERSION, 1, 1);
1445#else
1446 return 1;
1447#endif
eaa776da
MC		 1448}
1449
04225915 1450#ifndef OPENSSL_NO_TLS1_3
c22365b3
MC		 1451static SSL_SESSION *sesscache[6];
1452static int do_cache;
36ff232c
MC		 1453
1454static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1455{
c22365b3
MC		 1456 if (do_cache) {
1457 sesscache[new_called] = sess;
1458 } else {
1459 /* We don't need the reference to the session, so free it */
1460 SSL_SESSION_free(sess);
1461 }
1462 new_called++;
1463
1464 return 1;
1465}
1466
1467static int post_handshake_verify(SSL *sssl, SSL *cssl)
1468{
1469 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1470 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1471 return 0;
1472
1473 /* Start handshake on the server and client */
1474 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1475 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1476 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1477 || !TEST_true(create_ssl_connection(sssl, cssl,
1478 SSL_ERROR_NONE)))
1479 return 0;
36ff232c
MC		 1480
1481 return 1;
1482}
1483
fbe9dafd 1484static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
03cdf559
MC		 1485 SSL_CTX **cctx)
1486{
1487 int sess_id_ctx = 1;
1488
1489 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 1490 TLS1_VERSION, 0, sctx,
03cdf559
MC		 1491 cctx, cert, privkey))
1492 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1493 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1494 (void *)&sess_id_ctx,
1495 sizeof(sess_id_ctx))))
1496 return 0;
1497
1498 if (stateful)
1499 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1500
1501 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1502 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1503 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1504
1505 return 1;
1506}
1507
1508static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1509{
1510 SSL *serverssl = NULL, *clientssl = NULL;
1511 int i;
1512
1513 /* Test that we can resume with all the tickets we got given */
1514 for (i = 0; i < idx * 2; i++) {
1515 new_called = 0;
1516 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1517 &clientssl, NULL, NULL))
1518 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1519 goto end;
1520
32097b33 1521 SSL_set_post_handshake_auth(clientssl, 1);
03cdf559
MC		 1522
1523 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1524 SSL_ERROR_NONE)))
1525 goto end;
1526
1527 /*
1528 * Following a successful resumption we only get 1 ticket. After a
1529 * failed one we should get idx tickets.
1530 */
1531 if (succ) {
1532 if (!TEST_true(SSL_session_reused(clientssl))
1533 || !TEST_int_eq(new_called, 1))
1534 goto end;
1535 } else {
1536 if (!TEST_false(SSL_session_reused(clientssl))
1537 || !TEST_int_eq(new_called, idx))
1538 goto end;
1539 }
1540
1541 new_called = 0;
1542 /* After a post-handshake authentication we should get 1 new ticket */
1543 if (succ
1544 && (!post_handshake_verify(serverssl, clientssl)
1545 || !TEST_int_eq(new_called, 1)))
1546 goto end;
1547
1548 SSL_shutdown(clientssl);
1549 SSL_shutdown(serverssl);
1550 SSL_free(serverssl);
1551 SSL_free(clientssl);
1552 serverssl = clientssl = NULL;
1553 SSL_SESSION_free(sesscache[i]);
1554 sesscache[i] = NULL;
1555 }
1556
1557 return 1;
1558
1559 end:
1560 SSL_free(clientssl);
1561 SSL_free(serverssl);
1562 return 0;
1563}
1564
04d7814a 1565static int test_tickets(int stateful, int idx)
36ff232c
MC		 1566{
1567 SSL_CTX *sctx = NULL, *cctx = NULL;
1568 SSL *serverssl = NULL, *clientssl = NULL;
03cdf559 1569 int testresult = 0;
36ff232c
MC		 1570 size_t j;
1571
1572 /* idx is the test number, but also the number of tickets we want */
1573
1574 new_called = 0;
c22365b3 1575 do_cache = 1;
36ff232c 1576
fbe9dafd 1577 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
36ff232c
MC		 1578 goto end;
1579
03cdf559
MC		 1580 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1581 &clientssl, NULL, NULL)))
1582 goto end;
1583
1584 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1585 SSL_ERROR_NONE))
1586 /* Check we got the number of tickets we were expecting */
1587 || !TEST_int_eq(idx, new_called))
1588 goto end;
04d7814a 1589
03cdf559
MC		 1590 SSL_shutdown(clientssl);
1591 SSL_shutdown(serverssl);
1592 SSL_free(serverssl);
1593 SSL_free(clientssl);
1594 SSL_CTX_free(sctx);
1595 SSL_CTX_free(cctx);
1596 clientssl = serverssl = NULL;
1597 sctx = cctx = NULL;
1598
1599 /*
1600 * Now we try to resume with the tickets we previously created. The
1601 * resumption attempt is expected to fail (because we're now using a new
1602 * SSL_CTX). We should see idx number of tickets issued again.
1603 */
1604
1605 /* Stop caching sessions - just count them */
1606 do_cache = 0;
1607
fbe9dafd 1608 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559
MC		 1609 goto end;
1610
1611 if (!check_resumption(idx, sctx, cctx, 0))
1612 goto end;
1613
1614 /* Start again with caching sessions */
1615 new_called = 0;
1616 do_cache = 1;
fbe9dafd
MC		 1617 SSL_CTX_free(sctx);
1618 SSL_CTX_free(cctx);
1619 sctx = cctx = NULL;
03cdf559 1620
fbe9dafd 1621 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559 1622 goto end;
36ff232c
MC		 1623
1624 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1625 &clientssl, NULL, NULL)))
1626 goto end;
1627
32097b33 1628 SSL_set_post_handshake_auth(clientssl, 1);
36ff232c
MC		 1629
1630 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1631 SSL_ERROR_NONE))
1632 /* Check we got the number of tickets we were expecting */
1633 || !TEST_int_eq(idx, new_called))
1634 goto end;
1635
1636 /* After a post-handshake authentication we should get new tickets issued */
c22365b3 1637 if (!post_handshake_verify(serverssl, clientssl)
36ff232c
MC		 1638 || !TEST_int_eq(idx * 2, new_called))
1639 goto end;
1640
36ff232c
MC		 1641 SSL_shutdown(clientssl);
1642 SSL_shutdown(serverssl);
1643 SSL_free(serverssl);
1644 SSL_free(clientssl);
1645 serverssl = clientssl = NULL;
1646
c22365b3
MC		 1647 /* Stop caching sessions - just count them */
1648 do_cache = 0;
1649
03cdf559
MC		 1650 /*
1651 * Check we can resume with all the tickets we created. This time around the
1652 * resumptions should all be successful.
1653 */
1654 if (!check_resumption(idx, sctx, cctx, 1))
1655 goto end;
36ff232c
MC		 1656
1657 testresult = 1;
1658
1659 end:
1660 SSL_free(serverssl);
1661 SSL_free(clientssl);
c22365b3 1662 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
36ff232c 1663 SSL_SESSION_free(sesscache[j]);
c22365b3
MC		 1664 sesscache[j] = NULL;
1665 }
36ff232c
MC		 1666 SSL_CTX_free(sctx);
1667 SSL_CTX_free(cctx);
1668
1669 return testresult;
1670}
04d7814a
MC		 1671
1672static int test_stateless_tickets(int idx)
1673{
1674 return test_tickets(0, idx);
1675}
1676
1677static int test_stateful_tickets(int idx)
1678{
1679 return test_tickets(1, idx);
1680}
8614a4eb
MC		 1681
1682static int test_psk_tickets(void)
1683{
1684 SSL_CTX *sctx = NULL, *cctx = NULL;
1685 SSL *serverssl = NULL, *clientssl = NULL;
1686 int testresult = 0;
1687 int sess_id_ctx = 1;
1688
1689 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 1690 TLS1_VERSION, 0, &sctx,
8614a4eb
MC		 1691 &cctx, NULL, NULL))
1692 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
1693 (void *)&sess_id_ctx,
1694 sizeof(sess_id_ctx))))
1695 goto end;
1696
1697 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
1698 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1699 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
1700 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
1701 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1702 use_session_cb_cnt = 0;
1703 find_session_cb_cnt = 0;
1704 srvid = pskid;
1705 new_called = 0;
1706
1707 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1708 NULL, NULL)))
1709 goto end;
1710 clientpsk = serverpsk = create_a_psk(clientssl);
1711 if (!TEST_ptr(clientpsk))
1712 goto end;
1713 SSL_SESSION_up_ref(clientpsk);
1714
1715 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1716 SSL_ERROR_NONE))
1717 || !TEST_int_eq(1, find_session_cb_cnt)
1718 || !TEST_int_eq(1, use_session_cb_cnt)
1719 /* We should always get 1 ticket when using external PSK */
1720 || !TEST_int_eq(1, new_called))
1721 goto end;
1722
1723 testresult = 1;
1724
1725 end:
1726 SSL_free(serverssl);
1727 SSL_free(clientssl);
1728 SSL_CTX_free(sctx);
1729 SSL_CTX_free(cctx);
1730 SSL_SESSION_free(clientpsk);
1731 SSL_SESSION_free(serverpsk);
1732 clientpsk = serverpsk = NULL;
1733
1734 return testresult;
1735}
04225915 1736#endif
36ff232c 1737
7d4488bb
MC		 1738#define USE_NULL 0
1739#define USE_BIO_1 1
1740#define USE_BIO_2 2
1741#define USE_DEFAULT 3
1742
1743#define CONNTYPE_CONNECTION_SUCCESS 0
1744#define CONNTYPE_CONNECTION_FAIL 1
1745#define CONNTYPE_NO_CONNECTION 2
1746
1747#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1748#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1749#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1750# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1751#else
1752# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1753#endif
1754
7d4488bb
MC		 1755#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1756 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1757 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
7fb4c820
MC		 1758
1759static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1760{
1761 switch (type) {
1762 case USE_NULL:
1763 *res = NULL;
1764 break;
1765 case USE_BIO_1:
1766 *res = bio1;
1767 break;
1768 case USE_BIO_2:
1769 *res = bio2;
1770 break;
1771 }
1772}
1773
7d4488bb
MC		 1774
1775/*
1776 * Tests calls to SSL_set_bio() under various conditions.
1777 *
1778 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1779 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1780 * then do more tests where we create a successful connection first using our
1781 * standard connection setup functions, and then call SSL_set_bio() with
1782 * various combinations of valid BIOs or NULL. We then repeat these tests
1783 * following a failed connection. In this last case we are looking to check that
1784 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
1785 */
7fb4c820
MC		 1786static int test_ssl_set_bio(int idx)
1787{
7d4488bb 1788 SSL_CTX *sctx = NULL, *cctx = NULL;
7fb4c820
MC		 1789 BIO *bio1 = NULL;
1790 BIO *bio2 = NULL;
0fae8150 1791 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7d4488bb
MC		 1792 SSL *serverssl = NULL, *clientssl = NULL;
1793 int initrbio, initwbio, newrbio, newwbio, conntype;
7fb4c820
MC		 1794 int testresult = 0;
1795
7d4488bb
MC		 1796 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
1797 initrbio = idx % 3;
1798 idx /= 3;
1799 initwbio = idx % 3;
1800 idx /= 3;
1801 newrbio = idx % 3;
1802 idx /= 3;
1803 newwbio = idx % 3;
1804 conntype = CONNTYPE_NO_CONNECTION;
1805 } else {
1806 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
1807 initrbio = initwbio = USE_DEFAULT;
1808 newrbio = idx % 2;
1809 idx /= 2;
1810 newwbio = idx % 2;
1811 idx /= 2;
1812 conntype = idx % 2;
1813 }
710756a9 1814
7d4488bb 1815 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 1816 TLS1_VERSION, 0,
7d4488bb
MC		 1817 &sctx, &cctx, cert, privkey)))
1818 goto end;
1819
1820 if (conntype == CONNTYPE_CONNECTION_FAIL) {
1821 /*
1822 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
1823 * because we reduced the number of tests in the definition of
1824 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
1825 * mismatched protocol versions we will force a connection failure.
1826 */
1827 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
1828 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1829 }
1830
1831 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1832 NULL, NULL)))
710756a9 1833 goto end;
7fb4c820 1834
710756a9
RS		 1835 if (initrbio == USE_BIO_1
1836 || initwbio == USE_BIO_1
1837 || newrbio == USE_BIO_1
7fb4c820 1838 || newwbio == USE_BIO_1) {
710756a9 1839 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 1840 goto end;
7fb4c820
MC		 1841 }
1842
710756a9
RS		 1843 if (initrbio == USE_BIO_2
1844 || initwbio == USE_BIO_2
1845 || newrbio == USE_BIO_2
7fb4c820 1846 || newwbio == USE_BIO_2) {
710756a9 1847 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 1848 goto end;
7fb4c820
MC		 1849 }
1850
7d4488bb
MC		 1851 if (initrbio != USE_DEFAULT) {
1852 setupbio(&irbio, bio1, bio2, initrbio);
1853 setupbio(&iwbio, bio1, bio2, initwbio);
1854 SSL_set_bio(clientssl, irbio, iwbio);
7fb4c820 1855
7d4488bb
MC		 1856 /*
1857 * We want to maintain our own refs to these BIO, so do an up ref for
1858 * each BIO that will have ownership transferred in the SSL_set_bio()
1859 * call
1860 */
1861 if (irbio != NULL)
1862 BIO_up_ref(irbio);
1863 if (iwbio != NULL && iwbio != irbio)
1864 BIO_up_ref(iwbio);
1865 }
7fb4c820 1866
7d4488bb
MC		 1867 if (conntype != CONNTYPE_NO_CONNECTION
1868 && !TEST_true(create_ssl_connection(serverssl, clientssl,
1869 SSL_ERROR_NONE)
1870 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
1871 goto end;
7fb4c820
MC		 1872
1873 setupbio(&nrbio, bio1, bio2, newrbio);
1874 setupbio(&nwbio, bio1, bio2, newwbio);
1875
1876 /*
1877 * We will (maybe) transfer ownership again so do more up refs.
1878 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1879 * already been set!
1880 */
710756a9
RS		 1881 if (nrbio != NULL
1882 && nrbio != irbio
1883 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 1884 BIO_up_ref(nrbio);
710756a9
RS		 1885 if (nwbio != NULL
1886 && nwbio != nrbio
1887 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 1888 BIO_up_ref(nwbio);
1889
7d4488bb 1890 SSL_set_bio(clientssl, nrbio, nwbio);
7fb4c820
MC		 1891
1892 testresult = 1;
1893
1894 end:
7fb4c820
MC		 1895 BIO_free(bio1);
1896 BIO_free(bio2);
710756a9 1897
7fb4c820
MC		 1898 /*
1899 * This test is checking that the ref counting for SSL_set_bio is correct.
1900 * If we get here and we did too many frees then we will fail in the above
1901 * functions. If we haven't done enough then this will only be detected in
1902 * a crypto-mdebug build
1903 */
7d4488bb
MC		 1904 SSL_free(serverssl);
1905 SSL_free(clientssl);
1906 SSL_CTX_free(sctx);
1907 SSL_CTX_free(cctx);
7fb4c820
MC		 1908 return testresult;
1909}
1910
7e885b7b 1911typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 1912
7e885b7b 1913static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 1914{
1915 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 1916 SSL_CTX *ctx;
9a716987
MC		 1917 SSL *ssl = NULL;
1918 int testresult = 0;
1919
710756a9
RS		 1920 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1921 || !TEST_ptr(ssl = SSL_new(ctx))
1922 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1923 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 1924 goto end;
9a716987
MC		 1925
1926 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1927
1928 /*
1929 * If anything goes wrong here then we could leak memory, so this will
1930 * be caught in a crypto-mdebug build
1931 */
1932 BIO_push(sslbio, membio1);
1933
69687aa8 1934 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 1935 if (change_bio != NO_BIO_CHANGE) {
710756a9 1936 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
9a716987 1937 goto end;
7e885b7b 1938 if (change_bio == CHANGE_RBIO)
65e2d672 1939 SSL_set0_rbio(ssl, membio2);
9a716987 1940 else
65e2d672 1941 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 1942 }
1943 ssl = NULL;
1944
7e885b7b 1945 if (pop_ssl)
9a716987
MC		 1946 BIO_pop(sslbio);
1947 else
1948 BIO_pop(membio1);
1949
1950 testresult = 1;
1951 end:
1952 BIO_free(membio1);
1953 BIO_free(sslbio);
1954 SSL_free(ssl);
1955 SSL_CTX_free(ctx);
1956
1957 return testresult;
1958}
1959
1960static int test_ssl_bio_pop_next_bio(void)
1961{
7e885b7b 1962 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 1963}
1964
1965static int test_ssl_bio_pop_ssl_bio(void)
1966{
7e885b7b 1967 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 1968}
1969
1970static int test_ssl_bio_change_rbio(void)
1971{
7e885b7b 1972 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 1973}
1974
1975static int test_ssl_bio_change_wbio(void)
1976{
7e885b7b 1977 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 1978}
1979
c423ecaa 1980#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae
MC		 1981typedef struct {
1982 /* The list of sig algs */
1983 const int *list;
1984 /* The length of the list */
1985 size_t listlen;
1986 /* A sigalgs list in string format */
1987 const char *liststr;
1988 /* Whether setting the list should succeed */
1989 int valid;
1990 /* Whether creating a connection with the list should succeed */
1991 int connsuccess;
1992} sigalgs_list;
1993
1994static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 1995# ifndef OPENSSL_NO_EC
f1b25aae
MC		 1996static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1997static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 1998# endif
f1b25aae
MC		 1999static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2000static const int invalidlist2[] = {NID_sha256, NID_undef};
2001static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2002static const int invalidlist4[] = {NID_sha256};
2003static const sigalgs_list testsigalgs[] = {
2004 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 2005# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2006 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2007 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 2008# endif
f1b25aae 2009 {NULL, 0, "RSA+SHA256", 1, 1},
c423ecaa 2010# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2011 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2012 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 2013# endif
f1b25aae
MC		 2014 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2015 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2016 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2017 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2018 {NULL, 0, "RSA", 0, 0},
2019 {NULL, 0, "SHA256", 0, 0},
2020 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 2021 {NULL, 0, "Invalid", 0, 0}
2022};
f1b25aae
MC		 2023
2024static int test_set_sigalgs(int idx)
2025{
2026 SSL_CTX *cctx = NULL, *sctx = NULL;
2027 SSL *clientssl = NULL, *serverssl = NULL;
2028 int testresult = 0;
2029 const sigalgs_list *curr;
2030 int testctx;
2031
2032 /* Should never happen */
710756a9 2033 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 2034 return 0;
2035
2036 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2037 curr = testctx ? &testsigalgs[idx]
2038 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2039
7d7f6834 2040 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 2041 TLS1_VERSION, 0,
7d7f6834 2042 &sctx, &cctx, cert, privkey)))
f1b25aae 2043 return 0;
f1b25aae 2044
d2e491f2
MC		 2045 /*
2046 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2047 * for TLSv1.2 for now until we add a new API.
2048 */
2049 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2050
f1b25aae
MC		 2051 if (testctx) {
2052 int ret;
710756a9 2053
f1b25aae
MC		 2054 if (curr->list != NULL)
2055 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2056 else
2057 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2058
2059 if (!ret) {
2060 if (curr->valid)
710756a9 2061 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 2062 else
2063 testresult = 1;
2064 goto end;
2065 }
2066 if (!curr->valid) {
710756a9 2067 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 2068 goto end;
2069 }
2070 }
2071
710756a9
RS		 2072 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2073 &clientssl, NULL, NULL)))
f1b25aae 2074 goto end;
f1b25aae
MC		 2075
2076 if (!testctx) {
2077 int ret;
2078
2079 if (curr->list != NULL)
2080 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2081 else
2082 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2083 if (!ret) {
2084 if (curr->valid)
710756a9 2085 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 2086 else
2087 testresult = 1;
2088 goto end;
2089 }
710756a9 2090 if (!curr->valid)
f1b25aae 2091 goto end;
f1b25aae
MC		 2092 }
2093
710756a9
RS		 2094 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2095 SSL_ERROR_NONE),
2096 curr->connsuccess))
f1b25aae 2097 goto end;
f1b25aae
MC		 2098
2099 testresult = 1;
2100
2101 end:
2102 SSL_free(serverssl);
2103 SSL_free(clientssl);
2104 SSL_CTX_free(sctx);
2105 SSL_CTX_free(cctx);
2106
2107 return testresult;
2108}
c423ecaa 2109#endif
f1b25aae 2110
fff202e5 2111#ifndef OPENSSL_NO_TLS1_3
532f9578
MC		 2112static int psk_client_cb_cnt = 0;
2113static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 2114
2115static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2116 size_t *idlen, SSL_SESSION **sess)
2117{
2118 switch (++use_session_cb_cnt) {
2119 case 1:
2120 /* The first call should always have a NULL md */
2121 if (md != NULL)
2122 return 0;
2123 break;
2124
2125 case 2:
2126 /* The second call should always have an md */
2127 if (md == NULL)
2128 return 0;
2129 break;
2130
2131 default:
2132 /* We should only be called a maximum of twice */
2133 return 0;
2134 }
2135
57dee9bb
MC		 2136 if (clientpsk != NULL)
2137 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 2138
57dee9bb 2139 *sess = clientpsk;
02a3ed5a
MC		 2140 *id = (const unsigned char *)pskid;
2141 *idlen = strlen(pskid);
2142
2143 return 1;
2144}
2145
c2b290c3 2146#ifndef OPENSSL_NO_PSK
532f9578
MC		 2147static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2148 unsigned int max_id_len,
2149 unsigned char *psk,
2150 unsigned int max_psk_len)
2151{
2152 unsigned int psklen = 0;
2153
2154 psk_client_cb_cnt++;
2155
2156 if (strlen(pskid) + 1 > max_id_len)
2157 return 0;
2158
2159 /* We should only ever be called a maximum of twice per connection */
2160 if (psk_client_cb_cnt > 2)
2161 return 0;
2162
2163 if (clientpsk == NULL)
2164 return 0;
2165
2166 /* We'll reuse the PSK we set up for TLSv1.3 */
2167 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2168 return 0;
2169 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2170 strncpy(id, pskid, max_id_len);
2171
2172 return psklen;
2173}
c2b290c3 2174#endif /* OPENSSL_NO_PSK */
532f9578 2175
02a3ed5a
MC		 2176static int find_session_cb(SSL *ssl, const unsigned char *identity,
2177 size_t identity_len, SSL_SESSION **sess)
2178{
2179 find_session_cb_cnt++;
2180
2181 /* We should only ever be called a maximum of twice per connection */
2182 if (find_session_cb_cnt > 2)
2183 return 0;
2184
57dee9bb 2185 if (serverpsk == NULL)
02a3ed5a
MC		 2186 return 0;
2187
2188 /* Identity should match that set by the client */
2189 if (strlen(srvid) != identity_len
2190 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2191 /* No PSK found, continue but without a PSK */
2192 *sess = NULL;
2193 return 1;
2194 }
2195
57dee9bb
MC		 2196 SSL_SESSION_up_ref(serverpsk);
2197 *sess = serverpsk;
02a3ed5a
MC		 2198
2199 return 1;
2200}
2201
c2b290c3 2202#ifndef OPENSSL_NO_PSK
532f9578
MC		 2203static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2204 unsigned char *psk, unsigned int max_psk_len)
2205{
2206 unsigned int psklen = 0;
2207
2208 psk_server_cb_cnt++;
2209
2210 /* We should only ever be called a maximum of twice per connection */
2211 if (find_session_cb_cnt > 2)
2212 return 0;
2213
2214 if (serverpsk == NULL)
2215 return 0;
2216
2217 /* Identity should match that set by the client */
2218 if (strcmp(srvid, identity) != 0) {
2219 return 0;
2220 }
2221
2222 /* We'll reuse the PSK we set up for TLSv1.3 */
2223 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2224 return 0;
2225 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2226
2227 return psklen;
2228}
c2b290c3 2229#endif /* OPENSSL_NO_PSK */
532f9578 2230
5f982038
MC		 2231#define MSG1 "Hello"
2232#define MSG2 "World."
2233#define MSG3 "This"
2234#define MSG4 "is"
2235#define MSG5 "a"
90049cea
MC		 2236#define MSG6 "test"
2237#define MSG7 "message."
5f982038 2238
02a3ed5a 2239#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
532f9578 2240#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
02a3ed5a 2241
8614a4eb
MC		 2242
2243static SSL_SESSION *create_a_psk(SSL *ssl)
2244{
2245 const SSL_CIPHER *cipher = NULL;
2246 const unsigned char key[] = {
2247 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2248 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2249 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2250 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2251 0x2c, 0x2d, 0x2e, 0x2f
2252 };
2253 SSL_SESSION *sess = NULL;
2254
2255 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2256 sess = SSL_SESSION_new();
2257 if (!TEST_ptr(sess)
2258 || !TEST_ptr(cipher)
2259 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2260 sizeof(key)))
2261 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2262 || !TEST_true(
2263 SSL_SESSION_set_protocol_version(sess,
2264 TLS1_3_VERSION))) {
2265 SSL_SESSION_free(sess);
2266 return NULL;
2267 }
2268 return sess;
2269}
2270
5f982038
MC		 2271/*
2272 * Helper method to setup objects for early data test. Caller frees objects on
2273 * error.
2274 */
2275static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3cb47b4e 2276 SSL **serverssl, SSL_SESSION **sess, int idx)
5f982038 2277{
5a421415
MC		 2278 if (*sctx == NULL
2279 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2280 TLS_client_method(),
5c587fb6 2281 TLS1_VERSION, 0,
5a421415
MC		 2282 sctx, cctx, cert, privkey)))
2283 return 0;
2284
2285 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 2286 return 0;
5f982038 2287
02a3ed5a
MC		 2288 if (idx == 1) {
2289 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 2290 SSL_CTX_set_read_ahead(*cctx, 1);
2291 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 2292 } else if (idx == 2) {
2293 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2294 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2295 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2296 use_session_cb_cnt = 0;
2297 find_session_cb_cnt = 0;
2298 srvid = pskid;
3cb47b4e
MC		 2299 }
2300
710756a9 2301 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 2302 NULL, NULL)))
2303 return 0;
2304
141e4709
MC		 2305 /*
2306 * For one of the run throughs (doesn't matter which one), we'll try sending
2307 * some SNI data in the initial ClientHello. This will be ignored (because
2308 * there is no SNI cb set up by the server), so it should not impact
2309 * early_data.
2310 */
2311 if (idx == 1
2312 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2313 return 0;
2314
02a3ed5a 2315 if (idx == 2) {
8614a4eb 2316 clientpsk = create_a_psk(*clientssl);
57dee9bb 2317 if (!TEST_ptr(clientpsk)
02a3ed5a
MC		 2318 /*
2319 * We just choose an arbitrary value for max_early_data which
2320 * should be big enough for testing purposes.
2321 */
57dee9bb
MC		 2322 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2323 0x100))
2324 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2325 SSL_SESSION_free(clientpsk);
2326 clientpsk = NULL;
02a3ed5a
MC		 2327 return 0;
2328 }
57dee9bb 2329 serverpsk = clientpsk;
02a3ed5a 2330
c20e3b28
MC		 2331 if (sess != NULL) {
2332 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2333 SSL_SESSION_free(clientpsk);
2334 SSL_SESSION_free(serverpsk);
2335 clientpsk = serverpsk = NULL;
2336 return 0;
2337 }
57dee9bb 2338 *sess = clientpsk;
c20e3b28 2339 }
02a3ed5a
MC		 2340 return 1;
2341 }
2342
2343 if (sess == NULL)
2344 return 1;
2345
2346 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2347 SSL_ERROR_NONE)))
5f982038 2348 return 0;
5f982038
MC		 2349
2350 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 2351 SSL_shutdown(*clientssl);
2352 SSL_shutdown(*serverssl);
5f982038
MC		 2353 SSL_free(*serverssl);
2354 SSL_free(*clientssl);
2355 *serverssl = *clientssl = NULL;
2356
710756a9
RS		 2357 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2358 clientssl, NULL, NULL))
2359 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 2360 return 0;
5f982038
MC		 2361
2362 return 1;
2363}
2364
3cb47b4e 2365static int test_early_data_read_write(int idx)
5f982038
MC		 2366{
2367 SSL_CTX *cctx = NULL, *sctx = NULL;
2368 SSL *clientssl = NULL, *serverssl = NULL;
2369 int testresult = 0;
2370 SSL_SESSION *sess = NULL;
9b5c865d
MC		 2371 unsigned char buf[20], data[1024];
2372 size_t readbytes, written, eoedlen, rawread, rawwritten;
2373 BIO *rbio;
5f982038 2374
710756a9
RS		 2375 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2376 &serverssl, &sess, idx)))
5f982038
MC		 2377 goto end;
2378
2379 /* Write and read some early data */
710756a9
RS		 2380 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2381 &written))
2382 || !TEST_size_t_eq(written, strlen(MSG1))
2383 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2384 sizeof(buf), &readbytes),
2385 SSL_READ_EARLY_DATA_SUCCESS)
2386 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2387 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2388 SSL_EARLY_DATA_ACCEPTED))
5f982038 2389 goto end;
5f982038
MC		 2390
2391 /*
09f28874 2392 * Server should be able to write data, and client should be able to
5f982038
MC		 2393 * read it.
2394 */
710756a9
RS		 2395 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2396 &written))
2397 || !TEST_size_t_eq(written, strlen(MSG2))
2398 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2399 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2400 goto end;
5f982038
MC		 2401
2402 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 2403 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2404 &written))
2405 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 2406 goto end;
5f982038 2407
09f28874 2408 /* Server should still be able read early data after writing data */
710756a9
RS		 2409 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2410 &readbytes),
2411 SSL_READ_EARLY_DATA_SUCCESS)
2412 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 2413 goto end;
5f982038 2414
09f28874 2415 /* Write more data from server and read it from client */
710756a9
RS		 2416 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2417 &written))
2418 || !TEST_size_t_eq(written, strlen(MSG4))
2419 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2420 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 2421 goto end;
5f982038
MC		 2422
2423 /*
2424 * If client writes normal data it should mean writing early data is no
2425 * longer possible.
2426 */
710756a9
RS		 2427 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2428 || !TEST_size_t_eq(written, strlen(MSG5))
2429 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2430 SSL_EARLY_DATA_ACCEPTED))
5f982038 2431 goto end;
5f982038 2432
9b5c865d
MC		 2433 /*
2434 * At this point the client has written EndOfEarlyData, ClientFinished and
2435 * normal (fully protected) data. We are going to cause a delay between the
2436 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2437 * in the read BIO, and then just put back the EndOfEarlyData message.
2438 */
2439 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 2440 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2441 || !TEST_size_t_lt(rawread, sizeof(data))
2442 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 2443 goto end;
710756a9 2444
9b5c865d
MC		 2445 /* Record length is in the 4th and 5th bytes of the record header */
2446 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 2447 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2448 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 2449 goto end;
9b5c865d 2450
5f982038 2451 /* Server should be told that there is no more early data */
710756a9
RS		 2452 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2453 &readbytes),
2454 SSL_READ_EARLY_DATA_FINISH)
2455 || !TEST_size_t_eq(readbytes, 0))
5f982038 2456 goto end;
5f982038 2457
9b5c865d
MC		 2458 /*
2459 * Server has not finished init yet, so should still be able to write early
2460 * data.
2461 */
710756a9
RS		 2462 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2463 &written))
2464 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 2465 goto end;
9b5c865d 2466
f8a303fa 2467 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 2468 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2469 &rawwritten))
2470 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 2471 goto end;
f8a303fa 2472
5f982038 2473 /* Server should be able to read normal data */
710756a9
RS		 2474 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2475 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 2476 goto end;
5f982038 2477
09f28874 2478 /* Client and server should not be able to write/read early data now */
710756a9
RS		 2479 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2480 &written)))
5f982038 2481 goto end;
5f982038 2482 ERR_clear_error();
710756a9
RS		 2483 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2484 &readbytes),
2485 SSL_READ_EARLY_DATA_ERROR))
5f982038 2486 goto end;
5f982038
MC		 2487 ERR_clear_error();
2488
9b5c865d 2489 /* Client should be able to read the data sent by the server */
710756a9
RS		 2490 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2491 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 2492 goto end;
710756a9 2493
f8a303fa 2494 /*
36ff232c
MC		 2495 * Make sure we process the two NewSessionTickets. These arrive
2496 * post-handshake. We attempt reads which we do not expect to return any
2497 * data.
f8a303fa 2498 */
36ff232c
MC		 2499 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2500 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2501 &readbytes)))
f8a303fa 2502 goto end;
5f982038 2503
90049cea 2504 /* Server should be able to write normal data */
710756a9
RS		 2505 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2506 || !TEST_size_t_eq(written, strlen(MSG7))
2507 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2508 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 2509 goto end;
90049cea 2510
c20e3b28 2511 SSL_SESSION_free(sess);
5f982038 2512 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 2513 use_session_cb_cnt = 0;
2514 find_session_cb_cnt = 0;
5f982038
MC		 2515
2516 SSL_shutdown(clientssl);
2517 SSL_shutdown(serverssl);
5f982038
MC		 2518 SSL_free(serverssl);
2519 SSL_free(clientssl);
2520 serverssl = clientssl = NULL;
710756a9
RS		 2521 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2522 &clientssl, NULL, NULL))
2523 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 2524 goto end;
5f982038
MC		 2525
2526 /* Write and read some early data */
710756a9
RS		 2527 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2528 &written))
2529 || !TEST_size_t_eq(written, strlen(MSG1))
2530 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2531 &readbytes),
2532 SSL_READ_EARLY_DATA_SUCCESS)
2533 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 2534 goto end;
5f982038 2535
710756a9
RS		 2536 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2537 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 2538 goto end;
5f982038 2539
09f28874 2540 /* Client and server should not be able to write/read early data now */
710756a9
RS		 2541 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2542 &written)))
5f982038 2543 goto end;
5f982038 2544 ERR_clear_error();
710756a9
RS		 2545 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2546 &readbytes),
2547 SSL_READ_EARLY_DATA_ERROR))
5f982038 2548 goto end;
5f982038
MC		 2549 ERR_clear_error();
2550
2551 /* Client and server should be able to write/read normal data */
710756a9
RS		 2552 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2553 || !TEST_size_t_eq(written, strlen(MSG5))
2554 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2555 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 2556 goto end;
5f982038
MC		 2557
2558 testresult = 1;
2559
2560 end:
c20e3b28 2561 SSL_SESSION_free(sess);
57dee9bb
MC		 2562 SSL_SESSION_free(clientpsk);
2563 SSL_SESSION_free(serverpsk);
2564 clientpsk = serverpsk = NULL;
5f982038
MC		 2565 SSL_free(serverssl);
2566 SSL_free(clientssl);
2567 SSL_CTX_free(sctx);
2568 SSL_CTX_free(cctx);
5f982038
MC		 2569 return testresult;
2570}
2571
5a421415
MC		 2572static int allow_ed_cb_called = 0;
2573
2574static int allow_early_data_cb(SSL *s, void *arg)
2575{
2576 int *usecb = (int *)arg;
2577
2578 allow_ed_cb_called++;
2579
2580 if (*usecb == 1)
2581 return 0;
2582
2583 return 1;
2584}
2585
2586/*
2587 * idx == 0: Standard early_data setup
2588 * idx == 1: early_data setup using read_ahead
2589 * usecb == 0: Don't use a custom early data callback
2590 * usecb == 1: Use a custom early data callback and reject the early data
2591 * usecb == 2: Use a custom early data callback and accept the early data
3bb5e5b0
MC		 2592 * confopt == 0: Configure anti-replay directly
2593 * confopt == 1: Configure anti-replay using SSL_CONF
5a421415 2594 */
3bb5e5b0 2595static int test_early_data_replay_int(int idx, int usecb, int confopt)
78fb5374
MC		 2596{
2597 SSL_CTX *cctx = NULL, *sctx = NULL;
2598 SSL *clientssl = NULL, *serverssl = NULL;
2599 int testresult = 0;
2600 SSL_SESSION *sess = NULL;
5a421415
MC		 2601 size_t readbytes, written;
2602 unsigned char buf[20];
2603
2604 allow_ed_cb_called = 0;
2605
2606 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 2607 TLS1_VERSION, 0, &sctx,
5a421415
MC		 2608 &cctx, cert, privkey)))
2609 return 0;
2610
2611 if (usecb > 0) {
3bb5e5b0
MC		 2612 if (confopt == 0) {
2613 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2614 } else {
2615 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
2616
2617 if (!TEST_ptr(confctx))
2618 goto end;
2619 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
2620 | SSL_CONF_FLAG_SERVER);
2621 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
2622 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
2623 2)) {
2624 SSL_CONF_CTX_free(confctx);
2625 goto end;
2626 }
2627 SSL_CONF_CTX_free(confctx);
2628 }
5a421415
MC		 2629 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2630 }
78fb5374
MC		 2631
2632 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2633 &serverssl, &sess, idx)))
2634 goto end;
2635
2636 /*
2637 * The server is configured to accept early data. Create a connection to
2638 * "use up" the ticket
2639 */
2640 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2641 || !TEST_true(SSL_session_reused(clientssl)))
2642 goto end;
2643
2644 SSL_shutdown(clientssl);
2645 SSL_shutdown(serverssl);
2646 SSL_free(serverssl);
2647 SSL_free(clientssl);
2648 serverssl = clientssl = NULL;
2649
2650 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2651 &clientssl, NULL, NULL))
5a421415
MC		 2652 || !TEST_true(SSL_set_session(clientssl, sess)))
2653 goto end;
2654
2655 /* Write and read some early data */
2656 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2657 &written))
2658 || !TEST_size_t_eq(written, strlen(MSG1)))
2659 goto end;
2660
2661 if (usecb <= 1) {
2662 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2663 &readbytes),
2664 SSL_READ_EARLY_DATA_FINISH)
2665 /*
2666 * The ticket was reused, so the we should have rejected the
2667 * early data
2668 */
2669 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2670 SSL_EARLY_DATA_REJECTED))
2671 goto end;
2672 } else {
2673 /* In this case the callback decides to accept the early data */
2674 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2675 &readbytes),
2676 SSL_READ_EARLY_DATA_SUCCESS)
2677 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
2678 /*
2679 * Server will have sent its flight so client can now send
2680 * end of early data and complete its half of the handshake
2681 */
2682 || !TEST_int_gt(SSL_connect(clientssl), 0)
2683 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2684 &readbytes),
2685 SSL_READ_EARLY_DATA_FINISH)
2686 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2687 SSL_EARLY_DATA_ACCEPTED))
2688 goto end;
2689 }
2690
2691 /* Complete the connection */
2692 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2693 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
2694 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
78fb5374
MC		 2695 goto end;
2696
2697 testresult = 1;
2698
2699 end:
c20e3b28 2700 SSL_SESSION_free(sess);
78fb5374
MC		 2701 SSL_SESSION_free(clientpsk);
2702 SSL_SESSION_free(serverpsk);
2703 clientpsk = serverpsk = NULL;
2704 SSL_free(serverssl);
2705 SSL_free(clientssl);
2706 SSL_CTX_free(sctx);
2707 SSL_CTX_free(cctx);
2708 return testresult;
2709}
2710
5a421415
MC		 2711static int test_early_data_replay(int idx)
2712{
3bb5e5b0 2713 int ret = 1, usecb, confopt;
5a421415 2714
3bb5e5b0
MC		 2715 for (usecb = 0; usecb < 3; usecb++) {
2716 for (confopt = 0; confopt < 2; confopt++)
2717 ret &= test_early_data_replay_int(idx, usecb, confopt);
2718 }
5a421415
MC		 2719
2720 return ret;
2721}
2722
710756a9 2723/*
6b84e6bf
MC		 2724 * Helper function to test that a server attempting to read early data can
2725 * handle a connection from a client where the early data should be skipped.
0d1b7789
MC		 2726 * testtype: 0 == No HRR
2727 * testtype: 1 == HRR
0efa0ba4
MC		 2728 * testtype: 2 == HRR, invalid early_data sent after HRR
2729 * testtype: 3 == recv_max_early_data set to 0
710756a9 2730 */
0d1b7789 2731static int early_data_skip_helper(int testtype, int idx)
5f982038
MC		 2732{
2733 SSL_CTX *cctx = NULL, *sctx = NULL;
2734 SSL *clientssl = NULL, *serverssl = NULL;
2735 int testresult = 0;
018fcbec 2736 SSL_SESSION *sess = NULL;
5f982038
MC		 2737 unsigned char buf[20];
2738 size_t readbytes, written;
2739
710756a9
RS		 2740 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2741 &serverssl, &sess, idx)))
5f982038
MC		 2742 goto end;
2743
0efa0ba4 2744 if (testtype == 1 || testtype == 2) {
6b84e6bf
MC		 2745 /* Force an HRR to occur */
2746 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2747 goto end;
02a3ed5a
MC		 2748 } else if (idx == 2) {
2749 /*
2750 * We force early_data rejection by ensuring the PSK identity is
2751 * unrecognised
2752 */
2753 srvid = "Dummy Identity";
6b84e6bf
MC		 2754 } else {
2755 /*
2756 * Deliberately corrupt the creation time. We take 20 seconds off the
2757 * time. It could be any value as long as it is not within tolerance.
2758 * This should mean the ticket is rejected.
2759 */
5d99881e 2760 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 2761 goto end;
2762 }
5f982038 2763
0efa0ba4 2764 if (testtype == 3
0d1b7789
MC		 2765 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
2766 goto end;
2767
5f982038 2768 /* Write some early data */
710756a9
RS		 2769 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2770 &written))
2771 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 2772 goto end;
5f982038 2773
0d1b7789 2774 /* Server should reject the early data */
710756a9
RS		 2775 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2776 &readbytes),
2777 SSL_READ_EARLY_DATA_FINISH)
2778 || !TEST_size_t_eq(readbytes, 0)
2779 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2780 SSL_EARLY_DATA_REJECTED))
5f982038 2781 goto end;
5f982038 2782
0efa0ba4
MC		 2783 switch (testtype) {
2784 case 0:
2785 /* Nothing to do */
2786 break;
2787
2788 case 1:
6b84e6bf
MC		 2789 /*
2790 * Finish off the handshake. We perform the same writes and reads as
2791 * further down but we expect them to fail due to the incomplete
2792 * handshake.
2793 */
2794 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2795 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
2796 &readbytes)))
2797 goto end;
0efa0ba4
MC		 2798 break;
2799
2800 case 2:
2801 {
2802 BIO *wbio = SSL_get_wbio(clientssl);
2803 /* A record that will appear as bad early_data */
2804 const unsigned char bad_early_data[] = {
2805 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
2806 };
2807
2808 /*
2809 * We force the client to attempt a write. This will fail because
2810 * we're still in the handshake. It will cause the second
2811 * ClientHello to be sent.
2812 */
2813 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
2814 &written)))
2815 goto end;
2816
2817 /*
2818 * Inject some early_data after the second ClientHello. This should
2819 * cause the server to fail
2820 */
2821 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
2822 sizeof(bad_early_data), &written)))
2823 goto end;
2824 }
2825 /* fallthrough */
2826
2827 case 3:
0d1b7789 2828 /*
0efa0ba4
MC		 2829 * This client has sent more early_data than we are willing to skip
2830 * (case 3) or sent invalid early_data (case 2) so the connection should
2831 * abort.
0d1b7789
MC		 2832 */
2833 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2834 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
2835 goto end;
2836
2837 /* Connection has failed - nothing more to do */
2838 testresult = 1;
2839 goto end;
0efa0ba4
MC		 2840
2841 default:
2842 TEST_error("Invalid test type");
2843 goto end;
6b84e6bf
MC		 2844 }
2845
0d1b7789
MC		 2846 /*
2847 * Should be able to send normal data despite rejection of early data. The
2848 * early_data should be skipped.
2849 */
710756a9
RS		 2850 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2851 || !TEST_size_t_eq(written, strlen(MSG2))
2852 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2853 SSL_EARLY_DATA_REJECTED)
2854 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2855 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2856 goto end;
5f982038
MC		 2857
2858 testresult = 1;
2859
2860 end:
c20e3b28 2861 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 2862 SSL_SESSION_free(serverpsk);
2863 clientpsk = serverpsk = NULL;
5f982038
MC		 2864 SSL_SESSION_free(sess);
2865 SSL_free(serverssl);
2866 SSL_free(clientssl);
2867 SSL_CTX_free(sctx);
2868 SSL_CTX_free(cctx);
5f982038
MC		 2869 return testresult;
2870}
2871
6b84e6bf
MC		 2872/*
2873 * Test that a server attempting to read early data can handle a connection
2874 * from a client where the early data is not acceptable.
2875 */
2876static int test_early_data_skip(int idx)
2877{
2878 return early_data_skip_helper(0, idx);
2879}
2880
2881/*
2882 * Test that a server attempting to read early data can handle a connection
2883 * from a client where an HRR occurs.
2884 */
2885static int test_early_data_skip_hrr(int idx)
2886{
2887 return early_data_skip_helper(1, idx);
2888}
2889
0efa0ba4
MC		 2890/*
2891 * Test that a server attempting to read early data can handle a connection
2892 * from a client where an HRR occurs and correctly fails if early_data is sent
2893 * after the HRR
2894 */
2895static int test_early_data_skip_hrr_fail(int idx)
2896{
2897 return early_data_skip_helper(2, idx);
2898}
2899
0d1b7789
MC		 2900/*
2901 * Test that a server attempting to read early data will abort if it tries to
2902 * skip over too much.
2903 */
2904static int test_early_data_skip_abort(int idx)
2905{
0efa0ba4 2906 return early_data_skip_helper(3, idx);
0d1b7789
MC		 2907}
2908
710756a9
RS		 2909/*
2910 * Test that a server attempting to read early data can handle a connection
2911 * from a client that doesn't send any.
2912 */
3cb47b4e 2913static int test_early_data_not_sent(int idx)
5f982038
MC		 2914{
2915 SSL_CTX *cctx = NULL, *sctx = NULL;
2916 SSL *clientssl = NULL, *serverssl = NULL;
2917 int testresult = 0;
018fcbec 2918 SSL_SESSION *sess = NULL;
5f982038
MC		 2919 unsigned char buf[20];
2920 size_t readbytes, written;
2921
710756a9
RS		 2922 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2923 &serverssl, &sess, idx)))
5f982038
MC		 2924 goto end;
2925
2926 /* Write some data - should block due to handshake with server */
2927 SSL_set_connect_state(clientssl);
710756a9 2928 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 2929 goto end;
5f982038
MC		 2930
2931 /* Server should detect that early data has not been sent */
710756a9
RS		 2932 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2933 &readbytes),
2934 SSL_READ_EARLY_DATA_FINISH)
2935 || !TEST_size_t_eq(readbytes, 0)
2936 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2937 SSL_EARLY_DATA_NOT_SENT)
2938 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2939 SSL_EARLY_DATA_NOT_SENT))
5f982038 2940 goto end;
5f982038
MC		 2941
2942 /* Continue writing the message we started earlier */
710756a9
RS		 2943 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2944 || !TEST_size_t_eq(written, strlen(MSG1))
2945 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2946 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2947 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
2948 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 2949 goto end;
5f982038 2950
710756a9
RS		 2951 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2952 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2953 goto end;
5f982038
MC		 2954
2955 testresult = 1;
2956
2957 end:
5f982038 2958 SSL_SESSION_free(sess);
c20e3b28 2959 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 2960 SSL_SESSION_free(serverpsk);
2961 clientpsk = serverpsk = NULL;
5f982038
MC		 2962 SSL_free(serverssl);
2963 SSL_free(clientssl);
2964 SSL_CTX_free(sctx);
2965 SSL_CTX_free(cctx);
5f982038
MC		 2966 return testresult;
2967}
2968
976e5323
MC		 2969static int hostname_cb(SSL *s, int *al, void *arg)
2970{
2971 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2972
281bf233 2973 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
976e5323
MC		 2974 return SSL_TLSEXT_ERR_OK;
2975
2976 return SSL_TLSEXT_ERR_NOACK;
2977}
2978
2979static const char *servalpn;
2980
c7558d5b
PY		 2981static int alpn_select_cb(SSL *ssl, const unsigned char **out,
2982 unsigned char *outlen, const unsigned char *in,
2983 unsigned int inlen, void *arg)
976e5323 2984{
c7558d5b 2985 unsigned int protlen = 0;
976e5323
MC		 2986 const unsigned char *prot;
2987
c7558d5b
PY		 2988 for (prot = in; prot < in + inlen; prot += protlen) {
2989 protlen = *prot++;
5d99881e 2990 if (in + inlen < prot + protlen)
976e5323
MC		 2991 return SSL_TLSEXT_ERR_NOACK;
2992
2993 if (protlen == strlen(servalpn)
0bd42fde 2994 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 2995 *out = prot;
2996 *outlen = protlen;
2997 return SSL_TLSEXT_ERR_OK;
2998 }
2999 }
3000
3001 return SSL_TLSEXT_ERR_NOACK;
3002}
3003
57dee9bb 3004/* Test that a PSK can be used to send early_data */
976e5323
MC		 3005static int test_early_data_psk(int idx)
3006{
3007 SSL_CTX *cctx = NULL, *sctx = NULL;
3008 SSL *clientssl = NULL, *serverssl = NULL;
3009 int testresult = 0;
3010 SSL_SESSION *sess = NULL;
57dee9bb
MC		 3011 unsigned char alpnlist[] = {
3012 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3013 'l', 'p', 'n'
3014 };
3015#define GOODALPNLEN 9
3016#define BADALPNLEN 8
3017#define GOODALPN (alpnlist)
3018#define BADALPN (alpnlist + GOODALPNLEN)
3019 int err = 0;
976e5323
MC		 3020 unsigned char buf[20];
3021 size_t readbytes, written;
57dee9bb 3022 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 3023 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3024
3025 /* We always set this up with a final parameter of "2" for PSK */
3026 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3027 &serverssl, &sess, 2)))
3028 goto end;
3029
976e5323
MC		 3030 servalpn = "goodalpn";
3031
57dee9bb
MC		 3032 /*
3033 * Note: There is no test for inconsistent SNI with late client detection.
3034 * This is because servers do not acknowledge SNI even if they are using
3035 * it in a resumption handshake - so it is not actually possible for a
3036 * client to detect a problem.
3037 */
976e5323
MC		 3038 switch (idx) {
3039 case 0:
57dee9bb 3040 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 3041 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3042 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3043 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3044 goto end;
3045 break;
3046
3047 case 1:
57dee9bb 3048 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 3049 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3050 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 3051 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3052 GOODALPNLEN))
3053 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3054 BADALPNLEN)))
976e5323
MC		 3055 goto end;
3056 break;
3057
3058 case 2:
3059 /*
3060 * Set invalid protocol version. Technically this affects PSKs without
3061 * early_data too, but we test it here because it is similar to the
3062 * SNI/ALPN consistency tests.
3063 */
3064 err = SSL_R_BAD_PSK;
3065 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3066 goto end;
3067 break;
3068
3069 case 3:
3070 /*
3071 * Set inconsistent SNI (server detected). In this case the connection
3072 * will succeed but reject early_data.
3073 */
281bf233
MC		 3074 SSL_SESSION_free(serverpsk);
3075 serverpsk = SSL_SESSION_dup(clientpsk);
3076 if (!TEST_ptr(serverpsk)
3077 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3078 goto end;
976e5323
MC		 3079 edstatus = SSL_EARLY_DATA_REJECTED;
3080 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3081 /* Fall through */
3082 case 4:
3083 /* Set consistent SNI */
976e5323
MC		 3084 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3085 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3086 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3087 hostname_cb)))
3088 goto end;
3089 break;
3090
3091 case 5:
3092 /*
3093 * Set inconsistent ALPN (server detected). In this case the connection
3094 * will succeed but reject early_data.
3095 */
3096 servalpn = "badalpn";
3097 edstatus = SSL_EARLY_DATA_REJECTED;
3098 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3099 /* Fall through */
3100 case 6:
976e5323 3101 /*
57dee9bb 3102 * Set consistent ALPN.
976e5323
MC		 3103 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3104 * accepts a list of protos (each one length prefixed).
3105 * SSL_set1_alpn_selected accepts a single protocol (not length
3106 * prefixed)
3107 */
57dee9bb
MC		 3108 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3109 GOODALPNLEN - 1))
3110 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3111 GOODALPNLEN)))
976e5323
MC		 3112 goto end;
3113
3114 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3115 break;
3116
57dee9bb
MC		 3117 case 7:
3118 /* Set inconsistent ALPN (late client detection) */
3119 SSL_SESSION_free(serverpsk);
3120 serverpsk = SSL_SESSION_dup(clientpsk);
3121 if (!TEST_ptr(serverpsk)
3122 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3123 BADALPN + 1,
3124 BADALPNLEN - 1))
3125 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3126 GOODALPN + 1,
3127 GOODALPNLEN - 1))
3128 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3129 sizeof(alpnlist))))
3130 goto end;
3131 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3132 edstatus = SSL_EARLY_DATA_ACCEPTED;
3133 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3134 /* SSL_connect() call should fail */
3135 connectres = -1;
3136 break;
3137
976e5323
MC		 3138 default:
3139 TEST_error("Bad test index");
3140 goto end;
3141 }
3142
3143 SSL_set_connect_state(clientssl);
3144 if (err != 0) {
3145 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3146 &written))
3147 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3148 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3149 goto end;
3150 } else {
3151 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 3152 &written)))
3153 goto end;
3154
3155 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3156 &readbytes), readearlyres)
976e5323
MC		 3157 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3158 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 3159 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3160 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 3161 goto end;
3162 }
3163
3164 testresult = 1;
3165
3166 end:
c20e3b28 3167 SSL_SESSION_free(sess);
57dee9bb
MC		 3168 SSL_SESSION_free(clientpsk);
3169 SSL_SESSION_free(serverpsk);
3170 clientpsk = serverpsk = NULL;
976e5323
MC		 3171 SSL_free(serverssl);
3172 SSL_free(clientssl);
3173 SSL_CTX_free(sctx);
3174 SSL_CTX_free(cctx);
3175 return testresult;
3176}
3177
710756a9
RS		 3178/*
3179 * Test that a server that doesn't try to read early data can handle a
3180 * client sending some.
3181 */
3cb47b4e 3182static int test_early_data_not_expected(int idx)
5f982038
MC		 3183{
3184 SSL_CTX *cctx = NULL, *sctx = NULL;
3185 SSL *clientssl = NULL, *serverssl = NULL;
3186 int testresult = 0;
018fcbec 3187 SSL_SESSION *sess = NULL;
5f982038
MC		 3188 unsigned char buf[20];
3189 size_t readbytes, written;
3190
710756a9
RS		 3191 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3192 &serverssl, &sess, idx)))
5f982038
MC		 3193 goto end;
3194
3195 /* Write some early data */
710756a9
RS		 3196 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3197 &written)))
5f982038 3198 goto end;
5f982038
MC		 3199
3200 /*
3201 * Server should skip over early data and then block waiting for client to
3202 * continue handshake
3203 */
710756a9
RS		 3204 if (!TEST_int_le(SSL_accept(serverssl), 0)
3205 || !TEST_int_gt(SSL_connect(clientssl), 0)
3206 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3207 SSL_EARLY_DATA_REJECTED)
3208 || !TEST_int_gt(SSL_accept(serverssl), 0)
3209 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3210 SSL_EARLY_DATA_REJECTED))
5f982038 3211 goto end;
5f982038
MC		 3212
3213 /* Send some normal data from client to server */
710756a9
RS		 3214 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3215 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 3216 goto end;
5f982038 3217
710756a9
RS		 3218 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3219 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3220 goto end;
5f982038
MC		 3221
3222 testresult = 1;
3223
3224 end:
5f982038 3225 SSL_SESSION_free(sess);
c20e3b28 3226 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3227 SSL_SESSION_free(serverpsk);
3228 clientpsk = serverpsk = NULL;
5f982038
MC		 3229 SSL_free(serverssl);
3230 SSL_free(clientssl);
3231 SSL_CTX_free(sctx);
3232 SSL_CTX_free(cctx);
5f982038
MC		 3233 return testresult;
3234}
3235
3236
3237# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 3238/*
3239 * Test that a server attempting to read early data can handle a connection
3240 * from a TLSv1.2 client.
3241 */
3cb47b4e 3242static int test_early_data_tls1_2(int idx)
5f982038
MC		 3243{
3244 SSL_CTX *cctx = NULL, *sctx = NULL;
3245 SSL *clientssl = NULL, *serverssl = NULL;
3246 int testresult = 0;
3247 unsigned char buf[20];
3248 size_t readbytes, written;
3249
02a3ed5a
MC		 3250 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3251 &serverssl, NULL, idx)))
5f982038 3252 goto end;
5f982038
MC		 3253
3254 /* Write some data - should block due to handshake with server */
3255 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
3256 SSL_set_connect_state(clientssl);
710756a9 3257 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 3258 goto end;
5f982038
MC		 3259
3260 /*
3261 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 3262 * messages from client after ServerDone. Then SSL_read_early_data should
3263 * finish and detect that early data has not been sent
5f982038 3264 */
710756a9
RS		 3265 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3266 &readbytes),
3267 SSL_READ_EARLY_DATA_ERROR))
5f982038 3268 goto end;
5f982038
MC		 3269
3270 /*
3271 * Continue writing the message we started earlier. Will still block waiting
3272 * for the CCS/Finished from server
3273 */
710756a9
RS		 3274 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3275 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3276 &readbytes),
3277 SSL_READ_EARLY_DATA_FINISH)
3278 || !TEST_size_t_eq(readbytes, 0)
3279 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3280 SSL_EARLY_DATA_NOT_SENT))
5f982038 3281 goto end;
5f982038
MC		 3282
3283 /* Continue writing the message we started earlier */
710756a9
RS		 3284 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3285 || !TEST_size_t_eq(written, strlen(MSG1))
3286 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3287 SSL_EARLY_DATA_NOT_SENT)
3288 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3289 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3290 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
3291 || !TEST_size_t_eq(written, strlen(MSG2))
3292 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
3293 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3294 goto end;
5f982038
MC		 3295
3296 testresult = 1;
3297
3298 end:
57dee9bb
MC		 3299 SSL_SESSION_free(clientpsk);
3300 SSL_SESSION_free(serverpsk);
3301 clientpsk = serverpsk = NULL;
5f982038
MC		 3302 SSL_free(serverssl);
3303 SSL_free(clientssl);
3304 SSL_CTX_free(sctx);
3305 SSL_CTX_free(cctx);
3306
3307 return testresult;
3308}
ca0413ae
MC		 3309# endif /* OPENSSL_NO_TLS1_2 */
3310
034cb87b
MC		 3311/*
3312 * Test configuring the TLSv1.3 ciphersuites
3313 *
3314 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3315 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3316 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3317 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3318 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3319 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3320 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3321 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3322 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3323 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3324 */
3325static int test_set_ciphersuite(int idx)
3326{
3327 SSL_CTX *cctx = NULL, *sctx = NULL;
3328 SSL *clientssl = NULL, *serverssl = NULL;
3329 int testresult = 0;
3330
3331 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 3332 TLS1_VERSION, 0,
034cb87b
MC		 3333 &sctx, &cctx, cert, privkey))
3334 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3335 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3336 goto end;
3337
3338 if (idx >=4 && idx <= 7) {
3339 /* SSL_CTX explicit cipher list */
3340 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3341 goto end;
3342 }
3343
3344 if (idx == 0 || idx == 4) {
3345 /* Default ciphersuite */
3346 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3347 "TLS_AES_128_GCM_SHA256")))
3348 goto end;
3349 } else if (idx == 1 || idx == 5) {
3350 /* Non default ciphersuite */
3351 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3352 "TLS_AES_128_CCM_SHA256")))
3353 goto end;
3354 }
3355
3356 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3357 &clientssl, NULL, NULL)))
3358 goto end;
3359
3360 if (idx == 8 || idx == 9) {
3361 /* SSL explicit cipher list */
3362 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3363 goto end;
3364 }
3365
3366 if (idx == 2 || idx == 6 || idx == 8) {
3367 /* Default ciphersuite */
3368 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3369 "TLS_AES_128_GCM_SHA256")))
3370 goto end;
3371 } else if (idx == 3 || idx == 7 || idx == 9) {
3372 /* Non default ciphersuite */
3373 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3374 "TLS_AES_128_CCM_SHA256")))
3375 goto end;
3376 }
3377
3378 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3379 goto end;
3380
3381 testresult = 1;
3382
3383 end:
3384 SSL_free(serverssl);
3385 SSL_free(clientssl);
3386 SSL_CTX_free(sctx);
3387 SSL_CTX_free(cctx);
3388
3389 return testresult;
3390}
3391
ca0413ae
MC		 3392static int test_ciphersuite_change(void)
3393{
3394 SSL_CTX *cctx = NULL, *sctx = NULL;
3395 SSL *clientssl = NULL, *serverssl = NULL;
3396 SSL_SESSION *clntsess = NULL;
3397 int testresult = 0;
3398 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
3399
3400 /* Create a session based on SHA-256 */
7d7f6834 3401 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 3402 TLS1_VERSION, 0,
7d7f6834 3403 &sctx, &cctx, cert, privkey))
f865b081
MC		 3404 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
3405 "TLS_AES_128_GCM_SHA256"))
ca0413ae
MC		 3406 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3407 &clientssl, NULL, NULL))
3408 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3409 SSL_ERROR_NONE)))
3410 goto end;
3411
3412 clntsess = SSL_get1_session(clientssl);
3413 /* Save for later */
3414 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
3415 SSL_shutdown(clientssl);
3416 SSL_shutdown(serverssl);
3417 SSL_free(serverssl);
3418 SSL_free(clientssl);
3419 serverssl = clientssl = NULL;
3420
71cff963 3421# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
ca0413ae 3422 /* Check we can resume a session with a different SHA-256 ciphersuite */
f865b081
MC		 3423 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3424 "TLS_CHACHA20_POLY1305_SHA256"))
ca0413ae
MC		 3425 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3426 NULL, NULL))
3427 || !TEST_true(SSL_set_session(clientssl, clntsess))
3428 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3429 SSL_ERROR_NONE))
3430 || !TEST_true(SSL_session_reused(clientssl)))
3431 goto end;
3432
3433 SSL_SESSION_free(clntsess);
3434 clntsess = SSL_get1_session(clientssl);
3435 SSL_shutdown(clientssl);
3436 SSL_shutdown(serverssl);
3437 SSL_free(serverssl);
3438 SSL_free(clientssl);
3439 serverssl = clientssl = NULL;
71cff963 3440# endif
ca0413ae
MC		 3441
3442 /*
3443 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 3444 * succeeds but does not resume.
ca0413ae 3445 */
f865b081 3446 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 3447 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3448 NULL, NULL))
3449 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 3450 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 3451 SSL_ERROR_SSL))
0de6d66d 3452 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 3453 goto end;
3454
3455 SSL_SESSION_free(clntsess);
3456 clntsess = NULL;
3457 SSL_shutdown(clientssl);
3458 SSL_shutdown(serverssl);
3459 SSL_free(serverssl);
3460 SSL_free(clientssl);
3461 serverssl = clientssl = NULL;
3462
3463 /* Create a session based on SHA384 */
f865b081 3464 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 3465 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3466 &clientssl, NULL, NULL))
3467 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3468 SSL_ERROR_NONE)))
3469 goto end;
3470
3471 clntsess = SSL_get1_session(clientssl);
3472 SSL_shutdown(clientssl);
3473 SSL_shutdown(serverssl);
3474 SSL_free(serverssl);
3475 SSL_free(clientssl);
3476 serverssl = clientssl = NULL;
3477
f865b081
MC		 3478 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3479 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3480 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3481 "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 3482 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3483 NULL, NULL))
3484 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 3485 /*
3486 * We use SSL_ERROR_WANT_READ below so that we can pause the
3487 * connection after the initial ClientHello has been sent to
3488 * enable us to make some session changes.
3489 */
ca0413ae
MC		 3490 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3491 SSL_ERROR_WANT_READ)))
3492 goto end;
3493
3494 /* Trick the client into thinking this session is for a different digest */
3495 clntsess->cipher = aes_128_gcm_sha256;
3496 clntsess->cipher_id = clntsess->cipher->id;
3497
3498 /*
3b0e88d3
MC		 3499 * Continue the previously started connection. Server has selected a SHA-384
3500 * ciphersuite, but client thinks the session is for SHA-256, so it should
3501 * bail out.
ca0413ae
MC		 3502 */
3503 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
3504 SSL_ERROR_SSL))
3505 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
3506 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
3507 goto end;
3508
3509 testresult = 1;
3510
3511 end:
3512 SSL_SESSION_free(clntsess);
3513 SSL_free(serverssl);
3514 SSL_free(clientssl);
3515 SSL_CTX_free(sctx);
3516 SSL_CTX_free(cctx);
3517
3518 return testresult;
3519}
3520
0d8da779
MC		 3521/*
3522 * Test TLSv1.3 PSKs
3523 * Test 0 = Test new style callbacks
3524 * Test 1 = Test both new and old style callbacks
3525 * Test 2 = Test old style callbacks
3526 * Test 3 = Test old style callbacks with no certificate
3527 */
532f9578 3528static int test_tls13_psk(int idx)
ca8c71ba
MC		 3529{
3530 SSL_CTX *sctx = NULL, *cctx = NULL;
3531 SSL *serverssl = NULL, *clientssl = NULL;
3532 const SSL_CIPHER *cipher = NULL;
3533 const unsigned char key[] = {
3534 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
3535 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 3536 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
3537 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 3538 };
3539 int testresult = 0;
3540
7d7f6834 3541 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 3542 TLS1_VERSION, 0,
0d8da779
MC		 3543 &sctx, &cctx, idx == 3 ? NULL : cert,
3544 idx == 3 ? NULL : privkey)))
ca8c71ba
MC		 3545 goto end;
3546
0d8da779
MC		 3547 if (idx != 3) {
3548 /*
3549 * We use a ciphersuite with SHA256 to ease testing old style PSK
3550 * callbacks which will always default to SHA256. This should not be
3551 * necessary if we have no cert/priv key. In that case the server should
3552 * prefer SHA256 automatically.
3553 */
3554 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3555 "TLS_AES_128_GCM_SHA256")))
3556 goto end;
3557 }
532f9578
MC		 3558
3559 /*
3560 * Test 0: New style callbacks only
3561 * Test 1: New and old style callbacks (only the new ones should be used)
3562 * Test 2: Old style callbacks only
3563 */
3564 if (idx == 0 || idx == 1) {
3565 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
3566 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
3567 }
c2b290c3 3568#ifndef OPENSSL_NO_PSK
0d8da779 3569 if (idx >= 1) {
532f9578
MC		 3570 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
3571 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
3572 }
c2b290c3 3573#endif
ca8c71ba 3574 srvid = pskid;
02a3ed5a
MC		 3575 use_session_cb_cnt = 0;
3576 find_session_cb_cnt = 0;
532f9578
MC		 3577 psk_client_cb_cnt = 0;
3578 psk_server_cb_cnt = 0;
ca8c71ba 3579
0d8da779
MC		 3580 if (idx != 3) {
3581 /*
3582 * Check we can create a connection if callback decides not to send a
3583 * PSK
3584 */
3585 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3586 NULL, NULL))
3587 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3588 SSL_ERROR_NONE))
3589 || !TEST_false(SSL_session_reused(clientssl))
3590 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 3591 goto end;
532f9578 3592
0d8da779
MC		 3593 if (idx == 0 || idx == 1) {
3594 if (!TEST_true(use_session_cb_cnt == 1)
3595 || !TEST_true(find_session_cb_cnt == 0)
3596 /*
3597 * If no old style callback then below should be 0
3598 * otherwise 1
3599 */
3600 || !TEST_true(psk_client_cb_cnt == idx)
3601 || !TEST_true(psk_server_cb_cnt == 0))
3602 goto end;
3603 } else {
3604 if (!TEST_true(use_session_cb_cnt == 0)
3605 || !TEST_true(find_session_cb_cnt == 0)
3606 || !TEST_true(psk_client_cb_cnt == 1)
3607 || !TEST_true(psk_server_cb_cnt == 0))
3608 goto end;
3609 }
3610
3611 shutdown_ssl_connection(serverssl, clientssl);
3612 serverssl = clientssl = NULL;
3613 use_session_cb_cnt = psk_client_cb_cnt = 0;
3614 }
ca8c71ba
MC		 3615
3616 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3617 NULL, NULL)))
3618 goto end;
3619
3620 /* Create the PSK */
532f9578 3621 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 3622 clientpsk = SSL_SESSION_new();
3623 if (!TEST_ptr(clientpsk)
ca8c71ba 3624 || !TEST_ptr(cipher)
57dee9bb
MC		 3625 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
3626 sizeof(key)))
3627 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
3628 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
3629 TLS1_3_VERSION))
3630 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 3631 goto end;
57dee9bb 3632 serverpsk = clientpsk;
ca8c71ba
MC		 3633
3634 /* Check we can create a connection and the PSK is used */
3635 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3636 || !TEST_true(SSL_session_reused(clientssl))
532f9578 3637 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 3638 goto end;
3639
532f9578
MC		 3640 if (idx == 0 || idx == 1) {
3641 if (!TEST_true(use_session_cb_cnt == 1)
3642 || !TEST_true(find_session_cb_cnt == 1)
3643 || !TEST_true(psk_client_cb_cnt == 0)
3644 || !TEST_true(psk_server_cb_cnt == 0))
3645 goto end;
3646 } else {
3647 if (!TEST_true(use_session_cb_cnt == 0)
3648 || !TEST_true(find_session_cb_cnt == 0)
3649 || !TEST_true(psk_client_cb_cnt == 1)
3650 || !TEST_true(psk_server_cb_cnt == 1))
3651 goto end;
3652 }
3653
ca8c71ba
MC		 3654 shutdown_ssl_connection(serverssl, clientssl);
3655 serverssl = clientssl = NULL;
3656 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 3657 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 3658
3659 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3660 NULL, NULL)))
3661 goto end;
3662
3663 /* Force an HRR */
3664 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3665 goto end;
3666
3667 /*
3668 * Check we can create a connection, the PSK is used and the callbacks are
3669 * called twice.
3670 */
3671 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3672 || !TEST_true(SSL_session_reused(clientssl))
532f9578 3673 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 3674 goto end;
3675
532f9578
MC		 3676 if (idx == 0 || idx == 1) {
3677 if (!TEST_true(use_session_cb_cnt == 2)
3678 || !TEST_true(find_session_cb_cnt == 2)
3679 || !TEST_true(psk_client_cb_cnt == 0)
3680 || !TEST_true(psk_server_cb_cnt == 0))
3681 goto end;
3682 } else {
3683 if (!TEST_true(use_session_cb_cnt == 0)
3684 || !TEST_true(find_session_cb_cnt == 0)
3685 || !TEST_true(psk_client_cb_cnt == 2)
3686 || !TEST_true(psk_server_cb_cnt == 2))
3687 goto end;
3688 }
3689
ca8c71ba
MC		 3690 shutdown_ssl_connection(serverssl, clientssl);
3691 serverssl = clientssl = NULL;
3692 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 3693 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba 3694
0d8da779
MC		 3695 if (idx != 3) {
3696 /*
3697 * Check that if the server rejects the PSK we can still connect, but with
3698 * a full handshake
3699 */
3700 srvid = "Dummy Identity";
3701 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3702 NULL, NULL))
3703 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3704 SSL_ERROR_NONE))
3705 || !TEST_false(SSL_session_reused(clientssl))
3706 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 3707 goto end;
532f9578 3708
0d8da779
MC		 3709 if (idx == 0 || idx == 1) {
3710 if (!TEST_true(use_session_cb_cnt == 1)
3711 || !TEST_true(find_session_cb_cnt == 1)
3712 || !TEST_true(psk_client_cb_cnt == 0)
3713 /*
3714 * If no old style callback then below should be 0
3715 * otherwise 1
3716 */
3717 || !TEST_true(psk_server_cb_cnt == idx))
3718 goto end;
3719 } else {
3720 if (!TEST_true(use_session_cb_cnt == 0)
3721 || !TEST_true(find_session_cb_cnt == 0)
3722 || !TEST_true(psk_client_cb_cnt == 1)
3723 || !TEST_true(psk_server_cb_cnt == 1))
3724 goto end;
3725 }
3726
3727 shutdown_ssl_connection(serverssl, clientssl);
3728 serverssl = clientssl = NULL;
3729 }
ca8c71ba
MC		 3730 testresult = 1;
3731
3732 end:
57dee9bb
MC		 3733 SSL_SESSION_free(clientpsk);
3734 SSL_SESSION_free(serverpsk);
3735 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 3736 SSL_free(serverssl);
3737 SSL_free(clientssl);
3738 SSL_CTX_free(sctx);
3739 SSL_CTX_free(cctx);
3740 return testresult;
3741}
3742
c7b8ff25
MC		 3743static unsigned char cookie_magic_value[] = "cookie magic";
3744
3745static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
3746 unsigned int *cookie_len)
3747{
3748 /*
3749 * Not suitable as a real cookie generation function but good enough for
3750 * testing!
3751 */
97ea1e7f
MC		 3752 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
3753 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 3754
3755 return 1;
3756}
3757
3758static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
3759 unsigned int cookie_len)
3760{
97ea1e7f 3761 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 3762 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
3763 return 1;
3764
3765 return 0;
3766}
3767
3fa2812f
BS		 3768static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
3769 size_t *cookie_len)
3770{
3771 unsigned int temp;
3772 int res = generate_cookie_callback(ssl, cookie, &temp);
3773 *cookie_len = temp;
3774 return res;
3775}
3776
3777static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
3778 size_t cookie_len)
3779{
3780 return verify_cookie_callback(ssl, cookie, cookie_len);
3781}
3782
c7b8ff25
MC		 3783static int test_stateless(void)
3784{
3785 SSL_CTX *sctx = NULL, *cctx = NULL;
3786 SSL *serverssl = NULL, *clientssl = NULL;
3787 int testresult = 0;
3788
7d7f6834 3789 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 3790 TLS1_VERSION, 0,
7d7f6834 3791 &sctx, &cctx, cert, privkey)))
c7b8ff25
MC		 3792 goto end;
3793
e440f513
MC		 3794 /* The arrival of CCS messages can confuse the test */
3795 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
3796
3797 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3798 NULL, NULL))
3799 /* Send the first ClientHello */
3800 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3801 SSL_ERROR_WANT_READ))
3802 /*
3803 * This should fail with a -1 return because we have no callbacks
3804 * set up
3805 */
3806 || !TEST_int_eq(SSL_stateless(serverssl), -1))
3807 goto end;
3808
3809 /* Fatal error so abandon the connection from this client */
3810 SSL_free(clientssl);
3811 clientssl = NULL;
3812
c7b8ff25 3813 /* Set up the cookie generation and verification callbacks */
3fa2812f
BS		 3814 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
3815 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
c7b8ff25 3816
e440f513
MC		 3817 /*
3818 * Create a new connection from the client (we can reuse the server SSL
3819 * object).
3820 */
c7b8ff25
MC		 3821 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3822 NULL, NULL))
3823 /* Send the first ClientHello */
3824 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3825 SSL_ERROR_WANT_READ))
3826 /* This should fail because there is no cookie */
e440f513 3827 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 3828 goto end;
3829
3830 /* Abandon the connection from this client */
3831 SSL_free(clientssl);
3832 clientssl = NULL;
3833
3834 /*
3835 * Now create a connection from a new client but with the same server SSL
3836 * object
3837 */
3838 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3839 NULL, NULL))
3840 /* Send the first ClientHello */
3841 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3842 SSL_ERROR_WANT_READ))
3843 /* This should fail because there is no cookie */
e440f513 3844 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 3845 /* Send the second ClientHello */
3846 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3847 SSL_ERROR_WANT_READ))
3848 /* This should succeed because a cookie is now present */
e440f513 3849 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 3850 /* Complete the connection */
3851 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3852 SSL_ERROR_NONE)))
3853 goto end;
3854
3855 shutdown_ssl_connection(serverssl, clientssl);
3856 serverssl = clientssl = NULL;
3857 testresult = 1;
3858
3859 end:
3860 SSL_free(serverssl);
3861 SSL_free(clientssl);
3862 SSL_CTX_free(sctx);
3863 SSL_CTX_free(cctx);
3864 return testresult;
3865
3866}
ca0413ae 3867#endif /* OPENSSL_NO_TLS1_3 */
5f982038 3868
a37008d9
MC		 3869static int clntaddoldcb = 0;
3870static int clntparseoldcb = 0;
3871static int srvaddoldcb = 0;
3872static int srvparseoldcb = 0;
3873static int clntaddnewcb = 0;
3874static int clntparsenewcb = 0;
3875static int srvaddnewcb = 0;
3876static int srvparsenewcb = 0;
bb01ef3f 3877static int snicb = 0;
a37008d9
MC		 3878
3879#define TEST_EXT_TYPE1 0xff00
3880
3881static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
3882 size_t *outlen, int *al, void *add_arg)
3883{
3884 int *server = (int *)add_arg;
3885 unsigned char *data;
3886
3887 if (SSL_is_server(s))
3888 srvaddoldcb++;
3889 else
3890 clntaddoldcb++;
3891
710756a9
RS		 3892 if (*server != SSL_is_server(s)
3893 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 3894 return -1;
3895
3896 *data = 1;
3897 *out = data;
3898 *outlen = sizeof(char);
a37008d9
MC		 3899 return 1;
3900}
3901
3902static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
3903 void *add_arg)
3904{
3905 OPENSSL_free((unsigned char *)out);
3906}
3907
3908static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
3909 size_t inlen, int *al, void *parse_arg)
3910{
3911 int *server = (int *)parse_arg;
3912
3913 if (SSL_is_server(s))
3914 srvparseoldcb++;
3915 else
3916 clntparseoldcb++;
3917
710756a9
RS		 3918 if (*server != SSL_is_server(s)
3919 || inlen != sizeof(char)
3920 || *in != 1)
a37008d9
MC		 3921 return -1;
3922
3923 return 1;
3924}
3925
3926static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
3927 const unsigned char **out, size_t *outlen, X509 *x,
3928 size_t chainidx, int *al, void *add_arg)
3929{
3930 int *server = (int *)add_arg;
3931 unsigned char *data;
3932
3933 if (SSL_is_server(s))
3934 srvaddnewcb++;
3935 else
3936 clntaddnewcb++;
3937
710756a9
RS		 3938 if (*server != SSL_is_server(s)
3939 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 3940 return -1;
3941
3942 *data = 1;
3943 *out = data;
710756a9 3944 *outlen = sizeof(*data);
a37008d9
MC		 3945 return 1;
3946}
3947
3948static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
3949 const unsigned char *out, void *add_arg)
3950{
3951 OPENSSL_free((unsigned char *)out);
3952}
3953
3954static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
3955 const unsigned char *in, size_t inlen, X509 *x,
3956 size_t chainidx, int *al, void *parse_arg)
3957{
3958 int *server = (int *)parse_arg;
3959
3960 if (SSL_is_server(s))
3961 srvparsenewcb++;
3962 else
3963 clntparsenewcb++;
3964
710756a9
RS		 3965 if (*server != SSL_is_server(s)
3966 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 3967 return -1;
3968
3969 return 1;
3970}
bb01ef3f
MC		 3971
3972static int sni_cb(SSL *s, int *al, void *arg)
3973{
3974 SSL_CTX *ctx = (SSL_CTX *)arg;
3975
3976 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
3977 *al = SSL_AD_INTERNAL_ERROR;
3978 return SSL_TLSEXT_ERR_ALERT_FATAL;
3979 }
3980 snicb++;
3981 return SSL_TLSEXT_ERR_OK;
3982}
3983
a37008d9
MC		 3984/*
3985 * Custom call back tests.
3986 * Test 0: Old style callbacks in TLSv1.2
3987 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 3988 * Test 2: New style callbacks in TLSv1.2 with SNI
3989 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
3990 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
a37008d9 3991 */
710756a9
RS		 3992static int test_custom_exts(int tst)
3993{
bb01ef3f 3994 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 3995 SSL *clientssl = NULL, *serverssl = NULL;
3996 int testresult = 0;
3997 static int server = 1;
3998 static int client = 0;
3999 SSL_SESSION *sess = NULL;
4000 unsigned int context;
4001
c423ecaa
MC		 4002#if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
4003 /* Skip tests for TLSv1.2 and below in this case */
4004 if (tst < 3)
4005 return 1;
4006#endif
4007
a37008d9
MC		 4008 /* Reset callback counters */
4009 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
4010 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 4011 snicb = 0;
a37008d9 4012
7d7f6834 4013 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 4014 TLS1_VERSION, 0,
7d7f6834 4015 &sctx, &cctx, cert, privkey)))
710756a9 4016 goto end;
a37008d9 4017
bb01ef3f 4018 if (tst == 2
7d7f6834 4019 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
5c587fb6 4020 TLS1_VERSION, 0,
7d7f6834 4021 &sctx2, NULL, cert, privkey)))
bb01ef3f
MC		 4022 goto end;
4023
4024
4025 if (tst < 3) {
a37008d9
MC		 4026 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
4027 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 4028 if (sctx2 != NULL)
4029 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 4030 }
4031
bb01ef3f 4032 if (tst == 4) {
710756a9
RS		 4033 context = SSL_EXT_CLIENT_HELLO
4034 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 4035 | SSL_EXT_TLS1_3_SERVER_HELLO
4036 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
4037 | SSL_EXT_TLS1_3_CERTIFICATE
4038 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
4039 } else {
710756a9
RS		 4040 context = SSL_EXT_CLIENT_HELLO
4041 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 4042 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
4043 }
4044
4045 /* Create a client side custom extension */
4046 if (tst == 0) {
710756a9
RS		 4047 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4048 old_add_cb, old_free_cb,
4049 &client, old_parse_cb,
4050 &client)))
4051 goto end;
a37008d9 4052 } else {
710756a9
RS		 4053 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
4054 new_add_cb, new_free_cb,
4055 &client, new_parse_cb, &client)))
4056 goto end;
a37008d9
MC		 4057 }
4058
4059 /* Should not be able to add duplicates */
710756a9
RS		 4060 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4061 old_add_cb, old_free_cb,
4062 &client, old_parse_cb,
4063 &client))
4064 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
4065 context, new_add_cb,
4066 new_free_cb, &client,
4067 new_parse_cb, &client)))
4068 goto end;
a37008d9
MC		 4069
4070 /* Create a server side custom extension */
4071 if (tst == 0) {
710756a9
RS		 4072 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4073 old_add_cb, old_free_cb,
4074 &server, old_parse_cb,
4075 &server)))
4076 goto end;
a37008d9 4077 } else {
710756a9
RS		 4078 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
4079 new_add_cb, new_free_cb,
4080 &server, new_parse_cb, &server)))
4081 goto end;
bb01ef3f
MC		 4082 if (sctx2 != NULL
4083 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
4084 context, new_add_cb,
4085 new_free_cb, &server,
4086 new_parse_cb, &server)))
4087 goto end;
a37008d9
MC		 4088 }
4089
4090 /* Should not be able to add duplicates */
710756a9
RS		 4091 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4092 old_add_cb, old_free_cb,
4093 &server, old_parse_cb,
4094 &server))
4095 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
4096 context, new_add_cb,
4097 new_free_cb, &server,
4098 new_parse_cb, &server)))
a37008d9 4099 goto end;
a37008d9 4100
bb01ef3f
MC		 4101 if (tst == 2) {
4102 /* Set up SNI */
4103 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
4104 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
4105 goto end;
4106 }
4107
710756a9
RS		 4108 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4109 &clientssl, NULL, NULL))
4110 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4111 SSL_ERROR_NONE)))
a37008d9 4112 goto end;
a37008d9
MC		 4113
4114 if (tst == 0) {
710756a9
RS		 4115 if (clntaddoldcb != 1
4116 || clntparseoldcb != 1
4117 || srvaddoldcb != 1
4118 || srvparseoldcb != 1)
a37008d9 4119 goto end;
bb01ef3f 4120 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 4121 if (clntaddnewcb != 1
4122 || clntparsenewcb != 1
4123 || srvaddnewcb != 1
bb01ef3f
MC		 4124 || srvparsenewcb != 1
4125 || (tst != 2 && snicb != 0)
4126 || (tst == 2 && snicb != 1))
a37008d9 4127 goto end;
a37008d9 4128 } else {
36ff232c 4129 /* In this case there 2 NewSessionTicket messages created */
710756a9 4130 if (clntaddnewcb != 1
36ff232c
MC		 4131 || clntparsenewcb != 5
4132 || srvaddnewcb != 5
710756a9 4133 || srvparsenewcb != 1)
a37008d9 4134 goto end;
a37008d9
MC		 4135 }
4136
4137 sess = SSL_get1_session(clientssl);
a37008d9
MC		 4138 SSL_shutdown(clientssl);
4139 SSL_shutdown(serverssl);
a37008d9
MC		 4140 SSL_free(serverssl);
4141 SSL_free(clientssl);
4142 serverssl = clientssl = NULL;
4143
bb01ef3f
MC		 4144 if (tst == 3) {
4145 /* We don't bother with the resumption aspects for this test */
4146 testresult = 1;
4147 goto end;
4148 }
4149
710756a9
RS		 4150 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4151 NULL, NULL))
4152 || !TEST_true(SSL_set_session(clientssl, sess))
4153 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4154 SSL_ERROR_NONE)))
a37008d9 4155 goto end;
a37008d9
MC		 4156
4157 /*
4158 * For a resumed session we expect to add the ClientHello extension. For the
4159 * old style callbacks we ignore it on the server side because they set
4160 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
4161 * them.
4162 */
4163 if (tst == 0) {
710756a9
RS		 4164 if (clntaddoldcb != 2
4165 || clntparseoldcb != 1
4166 || srvaddoldcb != 1
4167 || srvparseoldcb != 1)
a37008d9 4168 goto end;
bb01ef3f 4169 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 4170 if (clntaddnewcb != 2
4171 || clntparsenewcb != 2
4172 || srvaddnewcb != 2
4173 || srvparsenewcb != 2)
a37008d9 4174 goto end;
a37008d9 4175 } else {
36ff232c
MC		 4176 /*
4177 * No Certificate message extensions in the resumption handshake,
4178 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
4179 */
710756a9 4180 if (clntaddnewcb != 2
36ff232c
MC		 4181 || clntparsenewcb != 8
4182 || srvaddnewcb != 8
710756a9 4183 || srvparsenewcb != 2)
a37008d9 4184 goto end;
a37008d9
MC		 4185 }
4186
4187 testresult = 1;
4188
4189end:
4190 SSL_SESSION_free(sess);
4191 SSL_free(serverssl);
4192 SSL_free(clientssl);
bb01ef3f 4193 SSL_CTX_free(sctx2);
a37008d9
MC		 4194 SSL_CTX_free(sctx);
4195 SSL_CTX_free(cctx);
a37008d9
MC		 4196 return testresult;
4197}
4198
16afd71c
MC		 4199/*
4200 * Test loading of serverinfo data in various formats. test_sslmessages actually
4201 * tests to make sure the extensions appear in the handshake
4202 */
4203static int test_serverinfo(int tst)
4204{
4205 unsigned int version;
4206 unsigned char *sibuf;
4207 size_t sibuflen;
4208 int ret, expected, testresult = 0;
4209 SSL_CTX *ctx;
4210
4211 ctx = SSL_CTX_new(TLS_method());
4212 if (!TEST_ptr(ctx))
4213 goto end;
4214
4215 if ((tst & 0x01) == 0x01)
4216 version = SSL_SERVERINFOV2;
4217 else
4218 version = SSL_SERVERINFOV1;
4219
4220 if ((tst & 0x02) == 0x02) {
4221 sibuf = serverinfov2;
4222 sibuflen = sizeof(serverinfov2);
4223 expected = (version == SSL_SERVERINFOV2);
4224 } else {
4225 sibuf = serverinfov1;
4226 sibuflen = sizeof(serverinfov1);
4227 expected = (version == SSL_SERVERINFOV1);
4228 }
4229
4230 if ((tst & 0x04) == 0x04) {
4231 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
4232 } else {
4233 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
4234
4235 /*
4236 * The version variable is irrelevant in this case - it's what is in the
4237 * buffer that matters
4238 */
4239 if ((tst & 0x02) == 0x02)
4240 expected = 0;
4241 else
4242 expected = 1;
4243 }
4244
4245 if (!TEST_true(ret == expected))
4246 goto end;
4247
4248 testresult = 1;
4249
4250 end:
4251 SSL_CTX_free(ctx);
4252
4253 return testresult;
4254}
4255
2197d1df
MC		 4256/*
4257 * Test that SSL_export_keying_material() produces expected results. There are
4258 * no test vectors so all we do is test that both sides of the communication
4259 * produce the same results for different protocol versions.
4260 */
0fb2815b
MC		 4261#define SMALL_LABEL_LEN 10
4262#define LONG_LABEL_LEN 249
2197d1df
MC		 4263static int test_export_key_mat(int tst)
4264{
a599574b 4265 int testresult = 0;
2197d1df
MC		 4266 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4267 SSL *clientssl = NULL, *serverssl = NULL;
0fb2815b 4268 const char label[LONG_LABEL_LEN + 1] = "test label";
2197d1df
MC		 4269 const unsigned char context[] = "context";
4270 const unsigned char *emptycontext = NULL;
4271 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
4272 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
0fb2815b 4273 size_t labellen;
a599574b
MC		 4274 const int protocols[] = {
4275 TLS1_VERSION,
4276 TLS1_1_VERSION,
4277 TLS1_2_VERSION,
0fb2815b
MC		 4278 TLS1_3_VERSION,
4279 TLS1_3_VERSION,
a599574b
MC		 4280 TLS1_3_VERSION
4281 };
2197d1df
MC		 4282
4283#ifdef OPENSSL_NO_TLS1
4284 if (tst == 0)
4285 return 1;
4286#endif
4287#ifdef OPENSSL_NO_TLS1_1
4288 if (tst == 1)
4289 return 1;
4290#endif
4291#ifdef OPENSSL_NO_TLS1_2
4292 if (tst == 2)
4293 return 1;
4294#endif
4295#ifdef OPENSSL_NO_TLS1_3
0fb2815b 4296 if (tst >= 3)
2197d1df
MC		 4297 return 1;
4298#endif
7d7f6834 4299 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 4300 TLS1_VERSION, 0,
7d7f6834 4301 &sctx, &cctx, cert, privkey)))
2197d1df
MC		 4302 goto end;
4303
a599574b
MC		 4304 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
4305 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
4306 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
2197d1df
MC		 4307
4308 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4309 NULL))
4310 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4311 SSL_ERROR_NONE)))
4312 goto end;
4313
0fb2815b
MC		 4314 if (tst == 5) {
4315 /*
4316 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
4317 * go over that.
4318 */
4319 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
4320 sizeof(ckeymat1), label,
4321 LONG_LABEL_LEN + 1, context,
4322 sizeof(context) - 1, 1), 0))
4323 goto end;
4324
4325 testresult = 1;
4326 goto end;
4327 } else if (tst == 4) {
4328 labellen = LONG_LABEL_LEN;
4329 } else {
4330 labellen = SMALL_LABEL_LEN;
4331 }
4332
2197d1df
MC		 4333 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
4334 sizeof(ckeymat1), label,
0fb2815b 4335 labellen, context,
2197d1df
MC		 4336 sizeof(context) - 1, 1), 1)
4337 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
4338 sizeof(ckeymat2), label,
0fb2815b 4339 labellen,
2197d1df
MC		 4340 emptycontext,
4341 0, 1), 1)
4342 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
4343 sizeof(ckeymat3), label,
0fb2815b 4344 labellen,
2197d1df
MC		 4345 NULL, 0, 0), 1)
4346 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
4347 sizeof(skeymat1), label,
0fb2815b 4348 labellen,
2197d1df
MC		 4349 context,
4350 sizeof(context) -1, 1),
4351 1)
4352 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
4353 sizeof(skeymat2), label,
0fb2815b 4354 labellen,
2197d1df
MC		 4355 emptycontext,
4356 0, 1), 1)
4357 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
4358 sizeof(skeymat3), label,
0fb2815b 4359 labellen,
2197d1df
MC		 4360 NULL, 0, 0), 1)
4361 /*
4362 * Check that both sides created the same key material with the
4363 * same context.
4364 */
4365 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4366 sizeof(skeymat1))
4367 /*
4368 * Check that both sides created the same key material with an
4369 * empty context.
4370 */
4371 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4372 sizeof(skeymat2))
4373 /*
4374 * Check that both sides created the same key material without a
4375 * context.
4376 */
4377 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
4378 sizeof(skeymat3))
4379 /* Different contexts should produce different results */
4380 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4381 sizeof(ckeymat2)))
4382 goto end;
4383
4384 /*
4385 * Check that an empty context and no context produce different results in
4386 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
4387 */
0fb2815b 4388 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
2197d1df 4389 sizeof(ckeymat3)))
0fb2815b
MC		 4390 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
4391 sizeof(ckeymat3))))
2197d1df
MC		 4392 goto end;
4393
4394 testresult = 1;
4395
4396 end:
4397 SSL_free(serverssl);
4398 SSL_free(clientssl);
4399 SSL_CTX_free(sctx2);
4400 SSL_CTX_free(sctx);
4401 SSL_CTX_free(cctx);
4402
4403 return testresult;
4404}
4405
b38ede80
TT		 4406#ifndef OPENSSL_NO_TLS1_3
4407/*
4408 * Test that SSL_export_keying_material_early() produces expected
4409 * results. There are no test vectors so all we do is test that both
4410 * sides of the communication produce the same results for different
4411 * protocol versions.
4412 */
4413static int test_export_key_mat_early(int idx)
4414{
4415 static const char label[] = "test label";
4416 static const unsigned char context[] = "context";
4417 int testresult = 0;
4418 SSL_CTX *cctx = NULL, *sctx = NULL;
4419 SSL *clientssl = NULL, *serverssl = NULL;
4420 SSL_SESSION *sess = NULL;
4421 const unsigned char *emptycontext = NULL;
4422 unsigned char ckeymat1[80], ckeymat2[80];
4423 unsigned char skeymat1[80], skeymat2[80];
4424 unsigned char buf[1];
4425 size_t readbytes, written;
4426
4427 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
4428 &sess, idx)))
4429 goto end;
4430
4431 /* Here writing 0 length early data is enough. */
4432 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
4433 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4434 &readbytes),
4435 SSL_READ_EARLY_DATA_ERROR)
4436 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4437 SSL_EARLY_DATA_ACCEPTED))
4438 goto end;
4439
4440 if (!TEST_int_eq(SSL_export_keying_material_early(
4441 clientssl, ckeymat1, sizeof(ckeymat1), label,
4442 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4443 || !TEST_int_eq(SSL_export_keying_material_early(
4444 clientssl, ckeymat2, sizeof(ckeymat2), label,
4445 sizeof(label) - 1, emptycontext, 0), 1)
4446 || !TEST_int_eq(SSL_export_keying_material_early(
4447 serverssl, skeymat1, sizeof(skeymat1), label,
4448 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4449 || !TEST_int_eq(SSL_export_keying_material_early(
4450 serverssl, skeymat2, sizeof(skeymat2), label,
4451 sizeof(label) - 1, emptycontext, 0), 1)
4452 /*
4453 * Check that both sides created the same key material with the
4454 * same context.
4455 */
4456 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4457 sizeof(skeymat1))
4458 /*
4459 * Check that both sides created the same key material with an
4460 * empty context.
4461 */
4462 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4463 sizeof(skeymat2))
4464 /* Different contexts should produce different results */
4465 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4466 sizeof(ckeymat2)))
4467 goto end;
4468
4469 testresult = 1;
4470
4471 end:
c20e3b28 4472 SSL_SESSION_free(sess);
b38ede80
TT		 4473 SSL_SESSION_free(clientpsk);
4474 SSL_SESSION_free(serverpsk);
34ff74eb 4475 clientpsk = serverpsk = NULL;
b38ede80
TT		 4476 SSL_free(serverssl);
4477 SSL_free(clientssl);
4478 SSL_CTX_free(sctx);
4479 SSL_CTX_free(cctx);
4480
4481 return testresult;
4482}
4483#endif /* OPENSSL_NO_TLS1_3 */
4484
e11b6aa4
MC		 4485static int test_ssl_clear(int idx)
4486{
4487 SSL_CTX *cctx = NULL, *sctx = NULL;
4488 SSL *clientssl = NULL, *serverssl = NULL;
4489 int testresult = 0;
4490
4491#ifdef OPENSSL_NO_TLS1_2
4492 if (idx == 1)
4493 return 1;
4494#endif
4495
4496 /* Create an initial connection */
7d7f6834 4497 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 4498 TLS1_VERSION, 0,
7d7f6834 4499 &sctx, &cctx, cert, privkey))
e11b6aa4
MC		 4500 || (idx == 1
4501 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
4502 TLS1_2_VERSION)))
4503 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4504 &clientssl, NULL, NULL))
4505 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4506 SSL_ERROR_NONE)))
4507 goto end;
4508
4509 SSL_shutdown(clientssl);
4510 SSL_shutdown(serverssl);
4511 SSL_free(serverssl);
4512 serverssl = NULL;
4513
4514 /* Clear clientssl - we're going to reuse the object */
4515 if (!TEST_true(SSL_clear(clientssl)))
4516 goto end;
4517
4518 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4519 NULL, NULL))
4520 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4521 SSL_ERROR_NONE))
4522 || !TEST_true(SSL_session_reused(clientssl)))
4523 goto end;
4524
4525 SSL_shutdown(clientssl);
4526 SSL_shutdown(serverssl);
4527
4528 testresult = 1;
4529
4530 end:
4531 SSL_free(serverssl);
4532 SSL_free(clientssl);
4533 SSL_CTX_free(sctx);
4534 SSL_CTX_free(cctx);
4535
4536 return testresult;
4537}
4538
cf72c757
F		 4539/* Parse CH and retrieve any MFL extension value if present */
4540static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
4541{
4542 long len;
4543 unsigned char *data;
4544 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
4545 unsigned int MFL_code = 0, type = 0;
4546
4547 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
4548 goto end;
4549
4550 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
4551 /* Skip the record header */
4552 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
4553 /* Skip the handshake message header */
4554 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
4555 /* Skip client version and random */
4556 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
4557 + SSL3_RANDOM_SIZE))
4558 /* Skip session id */
4559 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4560 /* Skip ciphers */
4561 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
4562 /* Skip compression */
4563 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4564 /* Extensions len */
4565 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
4566 goto end;
4567
4568 /* Loop through all extensions */
4569 while (PACKET_remaining(&pkt2)) {
4570 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
4571 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
4572 goto end;
4573
4574 if (type == TLSEXT_TYPE_max_fragment_length) {
4575 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
4576 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
4577 goto end;
4578
4579 *mfl_codemfl_code = MFL_code;
4580 return 1;
4581 }
4582 }
4583
4584 end:
4585 return 0;
4586}
4587
4588/* Maximum-Fragment-Length TLS extension mode to test */
4589static const unsigned char max_fragment_len_test[] = {
4590 TLSEXT_max_fragment_length_512,
4591 TLSEXT_max_fragment_length_1024,
4592 TLSEXT_max_fragment_length_2048,
4593 TLSEXT_max_fragment_length_4096
4594};
4595
4596static int test_max_fragment_len_ext(int idx_tst)
4597{
4598 SSL_CTX *ctx;
4599 SSL *con = NULL;
4600 int testresult = 0, MFL_mode = 0;
4601 BIO *rbio, *wbio;
4602
4603 ctx = SSL_CTX_new(TLS_method());
4604 if (!TEST_ptr(ctx))
4605 goto end;
4606
4607 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
4608 ctx, max_fragment_len_test[idx_tst])))
4609 goto end;
4610
4611 con = SSL_new(ctx);
4612 if (!TEST_ptr(con))
4613 goto end;
4614
4615 rbio = BIO_new(BIO_s_mem());
4616 wbio = BIO_new(BIO_s_mem());
4617 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
4618 BIO_free(rbio);
4619 BIO_free(wbio);
4620 goto end;
4621 }
4622
4623 SSL_set_bio(con, rbio, wbio);
4624 SSL_set_connect_state(con);
4625
4626 if (!TEST_int_le(SSL_connect(con), 0)) {
4627 /* This shouldn't succeed because we don't have a server! */
4628 goto end;
4629 }
4630
4631 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
4632 /* no MFL in client hello */
4633 goto end;
4634 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
4635 goto end;
4636
4637 testresult = 1;
4638
4639end:
4640 SSL_free(con);
4641 SSL_CTX_free(ctx);
4642
4643 return testresult;
4644}
4645
9d75dce3
TS		 4646#ifndef OPENSSL_NO_TLS1_3
4647static int test_pha_key_update(void)
4648{
4649 SSL_CTX *cctx = NULL, *sctx = NULL;
4650 SSL *clientssl = NULL, *serverssl = NULL;
4651 int testresult = 0;
4652
7d7f6834 4653 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 4654 TLS1_VERSION, 0,
9d75dce3
TS		 4655 &sctx, &cctx, cert, privkey)))
4656 return 0;
4657
4658 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
4659 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
4660 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
4661 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
4662 goto end;
4663
e97be718 4664 SSL_CTX_set_post_handshake_auth(cctx, 1);
9d75dce3
TS		 4665
4666 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4667 NULL, NULL)))
4668 goto end;
4669
9d75dce3
TS		 4670 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4671 SSL_ERROR_NONE)))
4672 goto end;
4673
4674 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
4675 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
4676 goto end;
4677
4678 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
4679 goto end;
4680
4681 /* Start handshake on the server */
4682 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
4683 goto end;
4684
4685 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
4686 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4687 SSL_ERROR_NONE)))
4688 goto end;
4689
4690 SSL_shutdown(clientssl);
4691 SSL_shutdown(serverssl);
4692
4693 testresult = 1;
4694
4695 end:
4696 SSL_free(serverssl);
4697 SSL_free(clientssl);
4698 SSL_CTX_free(sctx);
4699 SSL_CTX_free(cctx);
4700 return testresult;
4701}
4702#endif
4703
76fd7a1d
MC		 4704#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
4705
4706static SRP_VBASE *vbase = NULL;
4707
4708static int ssl_srp_cb(SSL *s, int *ad, void *arg)
4709{
4710 int ret = SSL3_AL_FATAL;
4711 char *username;
4712 SRP_user_pwd *user = NULL;
4713
4714 username = SSL_get_srp_username(s);
4715 if (username == NULL) {
4716 *ad = SSL_AD_INTERNAL_ERROR;
4717 goto err;
4718 }
4719
4720 user = SRP_VBASE_get1_by_user(vbase, username);
4721 if (user == NULL) {
4722 *ad = SSL_AD_INTERNAL_ERROR;
4723 goto err;
4724 }
4725
4726 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
4727 user->info) <= 0) {
4728 *ad = SSL_AD_INTERNAL_ERROR;
4729 goto err;
4730 }
4731
4732 ret = 0;
4733
4734 err:
4735 SRP_user_pwd_free(user);
4736 return ret;
4737}
4738
4739static int create_new_vfile(char *userid, char *password, const char *filename)
4740{
4741 char *gNid = NULL;
4742 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
4743 TXT_DB *db = NULL;
4744 int ret = 0;
4745 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
4746 size_t i;
4747
4748 if (!TEST_ptr(dummy) || !TEST_ptr(row))
4749 goto end;
4750
4751 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
4752 &row[DB_srpverifier], NULL, NULL);
4753 if (!TEST_ptr(gNid))
4754 goto end;
4755
4756 /*
4757 * The only way to create an empty TXT_DB is to provide a BIO with no data
4758 * in it!
4759 */
4760 db = TXT_DB_read(dummy, DB_NUMBER);
4761 if (!TEST_ptr(db))
4762 goto end;
4763
4764 out = BIO_new_file(filename, "w");
4765 if (!TEST_ptr(out))
4766 goto end;
4767
4768 row[DB_srpid] = OPENSSL_strdup(userid);
4769 row[DB_srptype] = OPENSSL_strdup("V");
4770 row[DB_srpgN] = OPENSSL_strdup(gNid);
4771
4772 if (!TEST_ptr(row[DB_srpid])
4773 || !TEST_ptr(row[DB_srptype])
4774 || !TEST_ptr(row[DB_srpgN])
4775 || !TEST_true(TXT_DB_insert(db, row)))
4776 goto end;
4777
4778 row = NULL;
4779
4780 if (!TXT_DB_write(out, db))
4781 goto end;
4782
4783 ret = 1;
4784 end:
4785 if (row != NULL) {
4786 for (i = 0; i < DB_NUMBER; i++)
4787 OPENSSL_free(row[i]);
4788 }
4789 OPENSSL_free(row);
4790 BIO_free(dummy);
4791 BIO_free(out);
4792 TXT_DB_free(db);
4793
4794 return ret;
4795}
4796
4797static int create_new_vbase(char *userid, char *password)
4798{
4799 BIGNUM *verifier = NULL, *salt = NULL;
4800 const SRP_gN *lgN = NULL;
4801 SRP_user_pwd *user_pwd = NULL;
4802 int ret = 0;
4803
4804 lgN = SRP_get_default_gN(NULL);
4805 if (!TEST_ptr(lgN))
4806 goto end;
4807
4808 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
4809 lgN->N, lgN->g)))
4810 goto end;
4811
4812 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
4813 if (!TEST_ptr(user_pwd))
4814 goto end;
4815
4816 user_pwd->N = lgN->N;
4817 user_pwd->g = lgN->g;
4818 user_pwd->id = OPENSSL_strdup(userid);
4819 if (!TEST_ptr(user_pwd->id))
4820 goto end;
4821
4822 user_pwd->v = verifier;
4823 user_pwd->s = salt;
4824 verifier = salt = NULL;
4825
4826 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
4827 goto end;
4828 user_pwd = NULL;
4829
4830 ret = 1;
4831end:
4832 SRP_user_pwd_free(user_pwd);
4833 BN_free(salt);
4834 BN_free(verifier);
4835
4836 return ret;
4837}
4838
4839/*
4840 * SRP tests
4841 *
4842 * Test 0: Simple successful SRP connection, new vbase
4843 * Test 1: Connection failure due to bad password, new vbase
4844 * Test 2: Simple successful SRP connection, vbase loaded from existing file
4845 * Test 3: Connection failure due to bad password, vbase loaded from existing
4846 * file
4847 * Test 4: Simple successful SRP connection, vbase loaded from new file
4848 * Test 5: Connection failure due to bad password, vbase loaded from new file
4849 */
4850static int test_srp(int tst)
4851{
4852 char *userid = "test", *password = "password", *tstsrpfile;
4853 SSL_CTX *cctx = NULL, *sctx = NULL;
4854 SSL *clientssl = NULL, *serverssl = NULL;
4855 int ret, testresult = 0;
4856
4857 vbase = SRP_VBASE_new(NULL);
4858 if (!TEST_ptr(vbase))
4859 goto end;
4860
4861 if (tst == 0 || tst == 1) {
4862 if (!TEST_true(create_new_vbase(userid, password)))
4863 goto end;
4864 } else {
4865 if (tst == 4 || tst == 5) {
4866 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
4867 goto end;
4868 tstsrpfile = tmpfilename;
4869 } else {
4870 tstsrpfile = srpvfile;
4871 }
4872 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
4873 goto end;
4874 }
4875
4876 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 4877 TLS1_VERSION, 0,
76fd7a1d
MC		 4878 &sctx, &cctx, cert, privkey)))
4879 goto end;
4880
4881 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
4882 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
4883 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
4884 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
4885 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
4886 goto end;
4887
4888 if (tst % 2 == 1) {
4889 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
4890 goto end;
4891 } else {
4892 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
4893 goto end;
4894 }
4895
4896 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4897 NULL, NULL)))
4898 goto end;
4899
4900 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
4901 if (ret) {
4902 if (!TEST_true(tst % 2 == 0))
4903 goto end;
4904 } else {
4905 if (!TEST_true(tst % 2 == 1))
4906 goto end;
4907 }
4908
4909 testresult = 1;
4910
4911 end:
4912 SRP_VBASE_free(vbase);
4913 vbase = NULL;
4914 SSL_free(serverssl);
4915 SSL_free(clientssl);
4916 SSL_CTX_free(sctx);
4917 SSL_CTX_free(cctx);
4918
4919 return testresult;
4920}
4921#endif
4922
5718fe45
MC		 4923static int info_cb_failed = 0;
4924static int info_cb_offset = 0;
4925static int info_cb_this_state = -1;
4926
4927static struct info_cb_states_st {
4928 int where;
4929 const char *statestr;
4930} info_cb_states[][60] = {
4931 {
4932 /* TLSv1.2 server followed by resumption */
4933 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4934 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4935 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
4936 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
4937 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
4938 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4939 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4940 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4941 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4942 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4943 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
4944 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4945 {SSL_CB_EXIT, NULL}, {0, NULL},
4946 }, {
4947 /* TLSv1.2 client followed by resumption */
4948 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4949 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4950 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
4951 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
4952 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
4953 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4954 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
4955 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4956 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4957 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4958 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4959 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4960 }, {
4961 /* TLSv1.3 server followed by resumption */
4962 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4963 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4964 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
4965 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
4966 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b
MC		 4967 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
4968 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
4969 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4970 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4971 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
4972 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
4973 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4974 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 4975 }, {
4976 /* TLSv1.3 client followed by resumption */
4977 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4978 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4979 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
4980 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
4981 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4af5836b
MC		 4982 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
4983 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
4984 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5718fe45
MC		 4985 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4986 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
4987 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4988 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4989 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4af5836b
MC		 4990 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4991 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 4992 }, {
4993 /* TLSv1.3 server, early_data */
4994 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4995 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4996 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
4997 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4998 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4999 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b 5000 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5718fe45
MC		 5001 {SSL_CB_EXIT, NULL}, {0, NULL},
5002 }, {
5003 /* TLSv1.3 client, early_data */
5004 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5005 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
5006 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5007 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5008 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5009 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
5010 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4af5836b
MC		 5011 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5012 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 5013 }, {
5014 {0, NULL},
5015 }
5016};
5017
5018static void sslapi_info_callback(const SSL *s, int where, int ret)
5019{
5020 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
5021
5022 /* We do not ever expect a connection to fail in this test */
5023 if (!TEST_false(ret == 0)) {
5024 info_cb_failed = 1;
5025 return;
5026 }
5027
5028 /*
5029 * Do some sanity checks. We never expect these things to happen in this
5030 * test
5031 */
5032 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
5033 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
5034 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
5035 info_cb_failed = 1;
5036 return;
5037 }
5038
5039 /* Now check we're in the right state */
5040 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
5041 info_cb_failed = 1;
5042 return;
5043 }
5044 if ((where & SSL_CB_LOOP) != 0
5045 && !TEST_int_eq(strcmp(SSL_state_string(s),
5046 state[info_cb_this_state].statestr), 0)) {
5047 info_cb_failed = 1;
5048 return;
5049 }
033c181b 5050
4af5836b
MC		 5051 /*
5052 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
5053 */
5054 if ((where & SSL_CB_HANDSHAKE_DONE)
5055 && SSL_in_init((SSL *)s) != 0) {
033c181b
MC		 5056 info_cb_failed = 1;
5057 return;
5058 }
5718fe45
MC		 5059}
5060
5061/*
5062 * Test the info callback gets called when we expect it to.
5063 *
5064 * Test 0: TLSv1.2, server
5065 * Test 1: TLSv1.2, client
5066 * Test 2: TLSv1.3, server
5067 * Test 3: TLSv1.3, client
5068 * Test 4: TLSv1.3, server, early_data
5069 * Test 5: TLSv1.3, client, early_data
5070 */
5071static int test_info_callback(int tst)
5072{
5073 SSL_CTX *cctx = NULL, *sctx = NULL;
5074 SSL *clientssl = NULL, *serverssl = NULL;
5075 SSL_SESSION *clntsess = NULL;
5076 int testresult = 0;
5077 int tlsvers;
5078
5079 if (tst < 2) {
1aac20f5
MC		 5080/* We need either ECDHE or DHE for the TLSv1.2 test to work */
5081#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
5082 || !defined(OPENSSL_NO_DH))
5718fe45
MC		 5083 tlsvers = TLS1_2_VERSION;
5084#else
5085 return 1;
5086#endif
5087 } else {
5088#ifndef OPENSSL_NO_TLS1_3
5089 tlsvers = TLS1_3_VERSION;
5090#else
5091 return 1;
5092#endif
5093 }
5094
5095 /* Reset globals */
5096 info_cb_failed = 0;
5097 info_cb_this_state = -1;
5098 info_cb_offset = tst;
5099
6e07834c 5100#ifndef OPENSSL_NO_TLS1_3
5718fe45
MC		 5101 if (tst >= 4) {
5102 SSL_SESSION *sess = NULL;
5103 size_t written, readbytes;
5104 unsigned char buf[80];
5105
5106 /* early_data tests */
5107 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
5108 &serverssl, &sess, 0)))
5109 goto end;
5110
5111 /* We don't actually need this reference */
5112 SSL_SESSION_free(sess);
5113
5114 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
5115 sslapi_info_callback);
5116
5117 /* Write and read some early data and then complete the connection */
5118 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
5119 &written))
5120 || !TEST_size_t_eq(written, strlen(MSG1))
5121 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
5122 sizeof(buf), &readbytes),
5123 SSL_READ_EARLY_DATA_SUCCESS)
5124 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
5125 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5126 SSL_EARLY_DATA_ACCEPTED)
5127 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5128 SSL_ERROR_NONE))
5129 || !TEST_false(info_cb_failed))
5130 goto end;
5131
5132 testresult = 1;
5133 goto end;
5134 }
6e07834c 5135#endif
5718fe45
MC		 5136
5137 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5138 TLS_client_method(),
5139 tlsvers, tlsvers, &sctx, &cctx, cert,
5140 privkey)))
5141 goto end;
5142
5143 /*
5144 * For even numbered tests we check the server callbacks. For odd numbers we
5145 * check the client.
5146 */
5147 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
5148 sslapi_info_callback);
5149
5150 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5151 &clientssl, NULL, NULL))
5152 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5153 SSL_ERROR_NONE))
5154 || !TEST_false(info_cb_failed))
5155 goto end;
5156
5157
5158
5159 clntsess = SSL_get1_session(clientssl);
5160 SSL_shutdown(clientssl);
5161 SSL_shutdown(serverssl);
5162 SSL_free(serverssl);
5163 SSL_free(clientssl);
5164 serverssl = clientssl = NULL;
5165
5166 /* Now do a resumption */
5167 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5168 NULL))
5169 || !TEST_true(SSL_set_session(clientssl, clntsess))
5170 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5171 SSL_ERROR_NONE))
5172 || !TEST_true(SSL_session_reused(clientssl))
5173 || !TEST_false(info_cb_failed))
5174 goto end;
5175
5176 testresult = 1;
5177
5178 end:
5179 SSL_free(serverssl);
5180 SSL_free(clientssl);
5181 SSL_SESSION_free(clntsess);
5182 SSL_CTX_free(sctx);
5183 SSL_CTX_free(cctx);
5184 return testresult;
5185}
5186
4a432af8
MC		 5187static int test_ssl_pending(int tst)
5188{
5189 SSL_CTX *cctx = NULL, *sctx = NULL;
5190 SSL *clientssl = NULL, *serverssl = NULL;
5191 int testresult = 0;
5192 char msg[] = "A test message";
5193 char buf[5];
5194 size_t written, readbytes;
5195
5196 if (tst == 0) {
5197 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5198 TLS_client_method(),
5c587fb6 5199 TLS1_VERSION, 0,
4a432af8
MC		 5200 &sctx, &cctx, cert, privkey)))
5201 goto end;
5202 } else {
5203#ifndef OPENSSL_NO_DTLS
5204 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
5205 DTLS_client_method(),
5c587fb6 5206 DTLS1_VERSION, 0,
4a432af8
MC		 5207 &sctx, &cctx, cert, privkey)))
5208 goto end;
5209#else
5210 return 1;
5211#endif
5212 }
5213
5214 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5215 NULL, NULL))
5216 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5217 SSL_ERROR_NONE)))
5218 goto end;
5219
e8251092
MC		 5220 if (!TEST_int_eq(SSL_pending(clientssl), 0)
5221 || !TEST_false(SSL_has_pending(clientssl))
5222 || !TEST_int_eq(SSL_pending(serverssl), 0)
5223 || !TEST_false(SSL_has_pending(serverssl))
5224 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4a432af8
MC		 5225 || !TEST_size_t_eq(written, sizeof(msg))
5226 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
5227 || !TEST_size_t_eq(readbytes, sizeof(buf))
e8251092
MC		 5228 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
5229 || !TEST_true(SSL_has_pending(clientssl)))
4a432af8
MC		 5230 goto end;
5231
5232 testresult = 1;
5233
5234 end:
5235 SSL_free(serverssl);
5236 SSL_free(clientssl);
5237 SSL_CTX_free(sctx);
5238 SSL_CTX_free(cctx);
5239
5240 return testresult;
5241}
5242
e401389a
MC		 5243static struct {
5244 unsigned int maxprot;
5245 const char *clntciphers;
5246 const char *clnttls13ciphers;
5247 const char *srvrciphers;
5248 const char *srvrtls13ciphers;
5249 const char *shared;
5250} shared_ciphers_data[] = {
60155b9a
MC		 5251/*
5252 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
5253 * TLSv1.3 is enabled but TLSv1.2 is disabled.
5254 */
5255#if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
e401389a
MC		 5256 {
5257 TLS1_2_VERSION,
5258 "AES128-SHA:AES256-SHA",
5259 NULL,
5260 "AES256-SHA:DHE-RSA-AES128-SHA",
5261 NULL,
5262 "AES256-SHA"
5263 },
5264 {
5265 TLS1_2_VERSION,
5266 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
5267 NULL,
5268 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
5269 NULL,
5270 "AES128-SHA:AES256-SHA"
5271 },
5272 {
5273 TLS1_2_VERSION,
5274 "AES128-SHA:AES256-SHA",
5275 NULL,
5276 "AES128-SHA:DHE-RSA-AES128-SHA",
5277 NULL,
5278 "AES128-SHA"
5279 },
60155b9a
MC		 5280#endif
5281/*
5282 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
5283 * enabled.
5284 */
5285#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
5286 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e401389a
MC		 5287 {
5288 TLS1_3_VERSION,
5289 "AES128-SHA:AES256-SHA",
5290 NULL,
5291 "AES256-SHA:AES128-SHA256",
5292 NULL,
5293 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
5294 "TLS_AES_128_GCM_SHA256:AES256-SHA"
5295 },
60155b9a
MC		 5296#endif
5297#ifndef OPENSSL_NO_TLS1_3
e401389a
MC		 5298 {
5299 TLS1_3_VERSION,
5300 "AES128-SHA",
5301 "TLS_AES_256_GCM_SHA384",
5302 "AES256-SHA",
5303 "TLS_AES_256_GCM_SHA384",
5304 "TLS_AES_256_GCM_SHA384"
5305 },
5306#endif
5307};
5308
5309static int test_ssl_get_shared_ciphers(int tst)
5310{
5311 SSL_CTX *cctx = NULL, *sctx = NULL;
5312 SSL *clientssl = NULL, *serverssl = NULL;
5313 int testresult = 0;
5314 char buf[1024];
5315
5316 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5317 TLS_client_method(),
5318 TLS1_VERSION,
5319 shared_ciphers_data[tst].maxprot,
5320 &sctx, &cctx, cert, privkey)))
5321 goto end;
5322
5323 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5324 shared_ciphers_data[tst].clntciphers))
5325 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
5326 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
5327 shared_ciphers_data[tst].clnttls13ciphers)))
5328 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
5329 shared_ciphers_data[tst].srvrciphers))
5330 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
5331 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
5332 shared_ciphers_data[tst].srvrtls13ciphers))))
5333 goto end;
5334
5335
5336 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5337 NULL, NULL))
5338 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5339 SSL_ERROR_NONE)))
5340 goto end;
5341
5342 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
5343 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
5344 TEST_info("Shared ciphers are: %s\n", buf);
5345 goto end;
5346 }
5347
5348 testresult = 1;
5349
5350 end:
5351 SSL_free(serverssl);
5352 SSL_free(clientssl);
5353 SSL_CTX_free(sctx);
5354 SSL_CTX_free(cctx);
5355
5356 return testresult;
5357}
5358
d0191fe0 5359static const char *appdata = "Hello World";
61fb5923
MC		 5360static int gen_tick_called, dec_tick_called, tick_key_cb_called;
5361static int tick_key_renew = 0;
5362static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
d0191fe0
MC		 5363
5364static int gen_tick_cb(SSL *s, void *arg)
5365{
5366 gen_tick_called = 1;
5367
5368 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
5369 strlen(appdata));
5370}
5371
5372static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
5373 const unsigned char *keyname,
5374 size_t keyname_length,
61fb5923
MC		 5375 SSL_TICKET_STATUS status,
5376 void *arg)
d0191fe0
MC		 5377{
5378 void *tickdata;
5379 size_t tickdlen;
5380
5381 dec_tick_called = 1;
5382
61fb5923
MC		 5383 if (status == SSL_TICKET_EMPTY)
5384 return SSL_TICKET_RETURN_IGNORE_RENEW;
d0191fe0 5385
61fb5923
MC		 5386 if (!TEST_true(status == SSL_TICKET_SUCCESS
5387 || status == SSL_TICKET_SUCCESS_RENEW))
5388 return SSL_TICKET_RETURN_ABORT;
5389
5390 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
5391 &tickdlen))
d0191fe0
MC		 5392 || !TEST_size_t_eq(tickdlen, strlen(appdata))
5393 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
61fb5923 5394 return SSL_TICKET_RETURN_ABORT;
d0191fe0 5395
61fb5923
MC		 5396 if (tick_key_cb_called) {
5397 /* Don't change what the ticket key callback wanted to do */
5398 switch (status) {
5399 case SSL_TICKET_NO_DECRYPT:
5400 return SSL_TICKET_RETURN_IGNORE_RENEW;
5401
5402 case SSL_TICKET_SUCCESS:
5403 return SSL_TICKET_RETURN_USE;
d0191fe0 5404
61fb5923
MC		 5405 case SSL_TICKET_SUCCESS_RENEW:
5406 return SSL_TICKET_RETURN_USE_RENEW;
5407
5408 default:
5409 return SSL_TICKET_RETURN_ABORT;
5410 }
5411 }
5412 return tick_dec_ret;
5413
5414}
d0191fe0
MC		 5415
5416static int tick_key_cb(SSL *s, unsigned char key_name[16],
5417 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
5418 HMAC_CTX *hctx, int enc)
5419{
5420 const unsigned char tick_aes_key[16] = "0123456789abcdef";
5421 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
5422
61fb5923 5423 tick_key_cb_called = 1;
d0191fe0
MC		 5424 memset(iv, 0, AES_BLOCK_SIZE);
5425 memset(key_name, 0, 16);
5426 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
5427 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
5428 EVP_sha256(), NULL))
5429 return -1;
5430
61fb5923 5431 return tick_key_renew ? 2 : 1;
d0191fe0
MC		 5432}
5433
5434/*
5435 * Test the various ticket callbacks
61fb5923
MC		 5436 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
5437 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
5438 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
5439 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
5440 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
5441 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
5442 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
5443 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
5444 * Test 8: TLSv1.2, ticket key callback, ticket, no renewal
5445 * Test 9: TLSv1.3, ticket key callback, ticket, no renewal
5446 * Test 10: TLSv1.2, ticket key callback, ticket, renewal
5447 * Test 11: TLSv1.3, ticket key callback, ticket, renewal
d0191fe0
MC		 5448 */
5449static int test_ticket_callbacks(int tst)
5450{
5451 SSL_CTX *cctx = NULL, *sctx = NULL;
5452 SSL *clientssl = NULL, *serverssl = NULL;
5453 SSL_SESSION *clntsess = NULL;
5454 int testresult = 0;
5455
5456#ifdef OPENSSL_NO_TLS1_2
ba8b48e9 5457 if (tst % 2 == 0)
d0191fe0
MC		 5458 return 1;
5459#endif
5460#ifdef OPENSSL_NO_TLS1_3
ba8b48e9 5461 if (tst % 2 == 1)
d0191fe0
MC		 5462 return 1;
5463#endif
5464
61fb5923 5465 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
d0191fe0
MC		 5466
5467 /* Which tests the ticket key callback should request renewal for */
61fb5923
MC		 5468 if (tst == 10 || tst == 11)
5469 tick_key_renew = 1;
d0191fe0 5470 else
61fb5923
MC		 5471 tick_key_renew = 0;
5472
5473 /* Which tests the decrypt ticket callback should request renewal for */
5474 switch (tst) {
5475 case 0:
5476 case 1:
5477 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
5478 break;
5479
5480 case 2:
5481 case 3:
5482 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
5483 break;
5484
5485 case 4:
5486 case 5:
5487 tick_dec_ret = SSL_TICKET_RETURN_USE;
5488 break;
5489
5490 case 6:
5491 case 7:
5492 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
5493 break;
5494
5495 default:
5496 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
5497 }
d0191fe0
MC		 5498
5499 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5500 TLS_client_method(),
5501 TLS1_VERSION,
61fb5923
MC		 5502 ((tst % 2) == 0) ? TLS1_2_VERSION
5503 : TLS1_3_VERSION,
d0191fe0
MC		 5504 &sctx, &cctx, cert, privkey)))
5505 goto end;
5506
61fb5923
MC		 5507 /*
5508 * We only want sessions to resume from tickets - not the session cache. So
5509 * switch the cache off.
5510 */
5511 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
5512 goto end;
5513
d0191fe0
MC		 5514 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
5515 NULL)))
5516 goto end;
5517
61fb5923 5518 if (tst >= 8
d0191fe0
MC		 5519 && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
5520 goto end;
5521
5522 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5523 NULL, NULL))
5524 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5525 SSL_ERROR_NONE)))
5526 goto end;
5527
61fb5923
MC		 5528 /*
5529 * The decrypt ticket key callback in TLSv1.2 should be called even though
5530 * we have no ticket yet, because it gets called with a status of
5531 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
5532 * actually send any ticket data). This does not happen in TLSv1.3 because
5533 * it is not valid to send empty ticket data in TLSv1.3.
5534 */
d0191fe0 5535 if (!TEST_int_eq(gen_tick_called, 1)
61fb5923 5536 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
d0191fe0
MC		 5537 goto end;
5538
5539 gen_tick_called = dec_tick_called = 0;
5540
5541 clntsess = SSL_get1_session(clientssl);
5542 SSL_shutdown(clientssl);
5543 SSL_shutdown(serverssl);
5544 SSL_free(serverssl);
5545 SSL_free(clientssl);
5546 serverssl = clientssl = NULL;
5547
5548 /* Now do a resumption */
5549 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5550 NULL))
5551 || !TEST_true(SSL_set_session(clientssl, clntsess))
5552 || !TEST_true(create_ssl_connection(serverssl, clientssl,
61fb5923 5553 SSL_ERROR_NONE)))
d0191fe0
MC		 5554 goto end;
5555
61fb5923
MC		 5556 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
5557 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
5558 if (!TEST_false(SSL_session_reused(clientssl)))
5559 goto end;
5560 } else {
5561 if (!TEST_true(SSL_session_reused(clientssl)))
5562 goto end;
5563 }
5564
d0191fe0 5565 if (!TEST_int_eq(gen_tick_called,
61fb5923
MC		 5566 (tick_key_renew
5567 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
5568 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
5569 ? 1 : 0)
d0191fe0
MC		 5570 || !TEST_int_eq(dec_tick_called, 1))
5571 goto end;
5572
5573 testresult = 1;
5574
5575 end:
5576 SSL_SESSION_free(clntsess);
5577 SSL_free(serverssl);
5578 SSL_free(clientssl);
5579 SSL_CTX_free(sctx);
5580 SSL_CTX_free(cctx);
5581
5582 return testresult;
5583}
5584
c748834f
MC		 5585/*
5586 * Test bi-directional shutdown.
5587 * Test 0: TLSv1.2
5588 * Test 1: TLSv1.2, server continues to read/write after client shutdown
5589 * Test 2: TLSv1.3, no pending NewSessionTicket messages
5590 * Test 3: TLSv1.3, pending NewSessionTicket messages
80eff008
KR		 5591 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
5592 * sends key update, client reads it
57d7b988
MC		 5593 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
5594 * sends CertificateRequest, client reads and ignores it
5595 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
c748834f
MC		 5596 * doesn't read it
5597 */
5598static int test_shutdown(int tst)
5599{
5600 SSL_CTX *cctx = NULL, *sctx = NULL;
5601 SSL *clientssl = NULL, *serverssl = NULL;
5602 int testresult = 0;
5603 char msg[] = "A test message";
5604 char buf[80];
5605 size_t written, readbytes;
80eff008 5606 SSL_SESSION *sess;
c748834f
MC		 5607
5608#ifdef OPENSSL_NO_TLS1_2
a97d19f7 5609 if (tst <= 1)
c748834f
MC		 5610 return 1;
5611#endif
5612#ifdef OPENSSL_NO_TLS1_3
a97d19f7 5613 if (tst >= 2)
c748834f
MC		 5614 return 1;
5615#endif
5616
5617 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5618 TLS_client_method(),
5619 TLS1_VERSION,
5620 (tst <= 1) ? TLS1_2_VERSION
5621 : TLS1_3_VERSION,
57d7b988
MC		 5622 &sctx, &cctx, cert, privkey)))
5623 goto end;
5624
5625 if (tst == 5)
5626 SSL_CTX_set_post_handshake_auth(cctx, 1);
5627
5628 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
c748834f
MC		 5629 NULL, NULL)))
5630 goto end;
5631
5632 if (tst == 3) {
5633 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
80c455d5 5634 SSL_ERROR_NONE, 1))
80eff008
KR		 5635 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5636 || !TEST_false(SSL_SESSION_is_resumable(sess)))
c748834f
MC		 5637 goto end;
5638 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
80eff008
KR		 5639 SSL_ERROR_NONE))
5640 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5641 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
c748834f
MC		 5642 goto end;
5643 }
5644
5645 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
5646 goto end;
5647
5648 if (tst >= 4) {
5649 /*
5650 * Reading on the server after the client has sent close_notify should
5651 * fail and provide SSL_ERROR_ZERO_RETURN
5652 */
5653 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
5654 || !TEST_int_eq(SSL_get_error(serverssl, 0),
5655 SSL_ERROR_ZERO_RETURN)
5656 || !TEST_int_eq(SSL_get_shutdown(serverssl),
5657 SSL_RECEIVED_SHUTDOWN)
5658 /*
5659 * Even though we're shutdown on receive we should still be
5660 * able to write.
5661 */
80eff008
KR		 5662 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
5663 goto end;
57d7b988
MC		 5664 if (tst == 4
5665 && !TEST_true(SSL_key_update(serverssl,
5666 SSL_KEY_UPDATE_REQUESTED)))
5667 goto end;
5668 if (tst == 5) {
5669 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5670 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5671 goto end;
5672 }
5673 if ((tst == 4 || tst == 5)
5674 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
80eff008
KR		 5675 goto end;
5676 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
c748834f 5677 goto end;
57d7b988 5678 if (tst == 4 || tst == 5) {
80eff008 5679 /* Should still be able to read data from server */
c748834f 5680 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
80eff008
KR		 5681 &readbytes))
5682 || !TEST_size_t_eq(readbytes, sizeof(msg))
5683 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
5684 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
5685 &readbytes))
c748834f
MC		 5686 || !TEST_size_t_eq(readbytes, sizeof(msg))
5687 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
5688 goto end;
5689 }
5690 }
5691
5692 /* Writing on the client after sending close_notify shouldn't be possible */
ba709049 5693 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
c748834f
MC		 5694 goto end;
5695
5696 if (tst < 4) {
5697 /*
5698 * For these tests the client has sent close_notify but it has not yet
5699 * been received by the server. The server has not sent close_notify
5700 * yet.
5701 */
5702 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
ba709049
MC		 5703 /*
5704 * Writing on the server after sending close_notify shouldn't
5705 * be possible.
5706 */
5707 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
c748834f 5708 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
80eff008
KR		 5709 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5710 || !TEST_true(SSL_SESSION_is_resumable(sess))
c748834f
MC		 5711 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
5712 goto end;
57d7b988 5713 } else if (tst == 4 || tst == 5) {
c748834f
MC		 5714 /*
5715 * In this test the client has sent close_notify and it has been
5716 * received by the server which has responded with a close_notify. The
358ffa05 5717 * client needs to read the close_notify sent by the server.
c748834f 5718 */
80eff008
KR		 5719 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
5720 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5721 || !TEST_true(SSL_SESSION_is_resumable(sess)))
c748834f 5722 goto end;
358ffa05
MC		 5723 } else {
5724 /*
57d7b988 5725 * tst == 6
358ffa05
MC		 5726 *
5727 * The client has sent close_notify and is expecting a close_notify
5728 * back, but instead there is application data first. The shutdown
5729 * should fail with a fatal error.
5730 */
5731 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
5732 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
5733 goto end;
c748834f
MC		 5734 }
5735
5736 testresult = 1;
5737
5738 end:
5739 SSL_free(serverssl);
5740 SSL_free(clientssl);
5741 SSL_CTX_free(sctx);
5742 SSL_CTX_free(cctx);
5743
5744 return testresult;
5745}
5746
7f1d923a 5747#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
cd6fe29f
MC		 5748static int cert_cb_cnt;
5749
5750static int cert_cb(SSL *s, void *arg)
5751{
5752 SSL_CTX *ctx = (SSL_CTX *)arg;
5753
5754 if (cert_cb_cnt == 0) {
5755 /* Suspend the handshake */
5756 cert_cb_cnt++;
5757 return -1;
5758 } else if (cert_cb_cnt == 1) {
5759 /*
5760 * Update the SSL_CTX, set the certificate and private key and then
5761 * continue the handshake normally.
5762 */
5763 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
5764 return 0;
5765
5766 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
5767 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
5768 SSL_FILETYPE_PEM))
5769 || !TEST_true(SSL_check_private_key(s)))
5770 return 0;
5771 cert_cb_cnt++;
5772 return 1;
5773 }
5774
5775 /* Abort the handshake */
5776 return 0;
5777}
5778
5779/*
5780 * Test the certificate callback.
5781 * Test 0: Callback fails
5782 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
5783 * Test 2: Success - SSL_set_SSL_CTX() in the callback
5784 */
5785static int test_cert_cb_int(int prot, int tst)
5786{
5787 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
5788 SSL *clientssl = NULL, *serverssl = NULL;
5789 int testresult = 0, ret;
5790
5791 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5792 TLS_client_method(),
5793 TLS1_VERSION,
5794 prot,
5795 &sctx, &cctx, NULL, NULL)))
5796 goto end;
5797
5798 if (tst == 0)
5799 cert_cb_cnt = -1;
5800 else
5801 cert_cb_cnt = 0;
5802 if (tst == 2)
5803 snictx = SSL_CTX_new(TLS_server_method());
5804 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
5805
5806 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5807 NULL, NULL)))
5808 goto end;
5809
5810 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
5811 if (!TEST_true(tst == 0 ? !ret : ret)
5812 || (tst > 0 && !TEST_int_eq(cert_cb_cnt, 2))) {
5813 goto end;
5814 }
5815
5816 testresult = 1;
5817
5818 end:
5819 SSL_free(serverssl);
5820 SSL_free(clientssl);
5821 SSL_CTX_free(sctx);
5822 SSL_CTX_free(cctx);
5823 SSL_CTX_free(snictx);
5824
5825 return testresult;
5826}
7f1d923a 5827#endif
cd6fe29f
MC		 5828
5829static int test_cert_cb(int tst)
5830{
5831 int testresult = 1;
5832
5833#ifndef OPENSSL_NO_TLS1_2
5834 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
5835#endif
7f1d923a 5836#ifndef OPENSSL_NO_TLS1_3
cd6fe29f
MC		 5837 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
5838#endif
5839
5840 return testresult;
5841}
5842
6e46c065
MC		 5843static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
5844{
5845 X509 *xcert, *peer;
5846 EVP_PKEY *privpkey;
5847 BIO *in = NULL;
5848
5849 /* Check that SSL_get_peer_certificate() returns something sensible */
5850 peer = SSL_get_peer_certificate(ssl);
5851 if (!TEST_ptr(peer))
5852 return 0;
5853 X509_free(peer);
5854
5855 in = BIO_new_file(cert, "r");
5856 if (!TEST_ptr(in))
5857 return 0;
5858
5859 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
5860 BIO_free(in);
5861 if (!TEST_ptr(xcert))
5862 return 0;
5863
5864 in = BIO_new_file(privkey, "r");
5865 if (!TEST_ptr(in)) {
5866 X509_free(xcert);
5867 return 0;
5868 }
5869
5870 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
5871 BIO_free(in);
5872 if (!TEST_ptr(privpkey)) {
5873 X509_free(xcert);
5874 return 0;
5875 }
5876
5877 *x509 = xcert;
5878 *pkey = privpkey;
5879
5880 return 1;
5881}
5882
5883static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5884{
5885 return 1;
5886}
5887
5888static int test_client_cert_cb(int tst)
5889{
5890 SSL_CTX *cctx = NULL, *sctx = NULL;
5891 SSL *clientssl = NULL, *serverssl = NULL;
5892 int testresult = 0;
5893
5894#ifdef OPENSSL_NO_TLS1_2
5895 if (tst == 0)
5896 return 1;
5897#endif
5898#ifdef OPENSSL_NO_TLS1_3
5899 if (tst == 1)
5900 return 1;
5901#endif
5902
5903 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5904 TLS_client_method(),
5905 TLS1_VERSION,
5906 tst == 0 ? TLS1_2_VERSION
5907 : TLS1_3_VERSION,
5908 &sctx, &cctx, cert, privkey)))
5909 goto end;
5910
5911 /*
5912 * Test that setting a client_cert_cb results in a client certificate being
5913 * sent.
5914 */
5915 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
5916 SSL_CTX_set_verify(sctx,
5917 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
5918 verify_cb);
fb8c8359
MC		 5919
5920 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5921 NULL, NULL))
5922 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5923 SSL_ERROR_NONE)))
5924 goto end;
5925
5926 testresult = 1;
5927
5928 end:
5929 SSL_free(serverssl);
5930 SSL_free(clientssl);
5931 SSL_CTX_free(sctx);
5932 SSL_CTX_free(cctx);
5933
5934 return testresult;
5935}
5936
5937#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
5938/*
5939 * Test setting certificate authorities on both client and server.
5940 *
5941 * Test 0: SSL_CTX_set0_CA_list() only
5942 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
5943 * Test 2: Only SSL_CTX_set_client_CA_list()
5944 */
5945static int test_ca_names_int(int prot, int tst)
5946{
5947 SSL_CTX *cctx = NULL, *sctx = NULL;
5948 SSL *clientssl = NULL, *serverssl = NULL;
5949 int testresult = 0;
5950 size_t i;
5951 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
5952 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
5953 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
5954 const STACK_OF(X509_NAME) *sktmp = NULL;
5955
5956 for (i = 0; i < OSSL_NELEM(name); i++) {
5957 name[i] = X509_NAME_new();
5958 if (!TEST_ptr(name[i])
5959 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
5960 MBSTRING_ASC,
5961 (unsigned char *)
5962 strnames[i],
5963 -1, -1, 0)))
5964 goto end;
5965 }
5966
5967 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5968 TLS_client_method(),
5969 TLS1_VERSION,
5970 prot,
5971 &sctx, &cctx, cert, privkey)))
5972 goto end;
5973
5974 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
5975
5976 if (tst == 0 || tst == 1) {
5977 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
5978 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
5979 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
5980 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
5981 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
5982 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
5983 goto end;
5984
5985 SSL_CTX_set0_CA_list(sctx, sk1);
5986 SSL_CTX_set0_CA_list(cctx, sk2);
5987 sk1 = sk2 = NULL;
5988 }
5989 if (tst == 1 || tst == 2) {
5990 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
5991 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
5992 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
5993 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
5994 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
5995 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
5996 goto end;
5997
5998 SSL_CTX_set_client_CA_list(sctx, sk1);
5999 SSL_CTX_set_client_CA_list(cctx, sk2);
6000 sk1 = sk2 = NULL;
6001 }
6002
6e46c065
MC		 6003 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6004 NULL, NULL))
6005 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6006 SSL_ERROR_NONE)))
6007 goto end;
6008
fb8c8359
MC		 6009 /*
6010 * We only expect certificate authorities to have been sent to the server
6011 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
6012 */
6013 sktmp = SSL_get0_peer_CA_list(serverssl);
6014 if (prot == TLS1_3_VERSION
6015 && (tst == 0 || tst == 1)) {
6016 if (!TEST_ptr(sktmp)
6017 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6018 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6019 name[0]), 0)
6020 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6021 name[1]), 0))
6022 goto end;
6023 } else if (!TEST_ptr_null(sktmp)) {
6024 goto end;
6025 }
6026
6027 /*
6028 * In all tests we expect certificate authorities to have been sent to the
6029 * client. However, SSL_set_client_CA_list() should override
6030 * SSL_set0_CA_list()
6031 */
6032 sktmp = SSL_get0_peer_CA_list(clientssl);
6033 if (!TEST_ptr(sktmp)
6034 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6035 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6036 name[tst == 0 ? 0 : 2]), 0)
6037 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6038 name[tst == 0 ? 1 : 3]), 0))
6039 goto end;
6040
6e46c065
MC		 6041 testresult = 1;
6042
6043 end:
6044 SSL_free(serverssl);
6045 SSL_free(clientssl);
6046 SSL_CTX_free(sctx);
6047 SSL_CTX_free(cctx);
fb8c8359
MC		 6048 for (i = 0; i < OSSL_NELEM(name); i++)
6049 X509_NAME_free(name[i]);
6050 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
6051 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
6052
6053 return testresult;
6054}
6055#endif
6056
6057static int test_ca_names(int tst)
6058{
6059 int testresult = 1;
6060
6061#ifndef OPENSSL_NO_TLS1_2
6062 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
6063#endif
6064#ifndef OPENSSL_NO_TLS1_3
6065 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
6066#endif
6e46c065
MC		 6067
6068 return testresult;
6069}
6070
a43ce58f
SL		 6071
6072OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile\n")
6073
ad887416 6074int setup_tests(void)
2cb4b5f6 6075{
ad887416 6076 if (!TEST_ptr(cert = test_get_argument(0))
76fd7a1d
MC		 6077 || !TEST_ptr(privkey = test_get_argument(1))
6078 || !TEST_ptr(srpvfile = test_get_argument(2))
6079 || !TEST_ptr(tmpfilename = test_get_argument(3)))
710756a9 6080 return 0;
2cb4b5f6 6081
f297e4ec
RS		 6082 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
6083#ifdef OPENSSL_NO_CRYPTO_MDEBUG
6084 TEST_error("not supported in this build");
6085 return 0;
6086#else
6087 int i, mcount, rcount, fcount;
6088
6089 for (i = 0; i < 4; i++)
6090 test_export_key_mat(i);
6091 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
6092 test_printf_stdout("malloc %d realloc %d free %d\n",
6093 mcount, rcount, fcount);
6094 return 1;
6095#endif
6096 }
6097
5e9072ed
MC		 6098#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
6099 && !defined(OPENSSL_NO_SOCK)
fe5d9450
BP		 6100 ADD_TEST(test_ktls_client_server);
6101 ADD_TEST(test_ktls_no_client_server);
6102 ADD_TEST(test_ktls_client_no_server);
6103 ADD_TEST(test_ktls_no_client_no_server);
6104#endif
84d5549e 6105 ADD_TEST(test_large_message_tls);
7856332e 6106 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 6107#ifndef OPENSSL_NO_DTLS
84d5549e 6108 ADD_TEST(test_large_message_dtls);
55386bef 6109#endif
8f8c11d8 6110#ifndef OPENSSL_NO_OCSP
c887104f 6111 ADD_TEST(test_tlsext_status_type);
8f8c11d8 6112#endif
eaa776da
MC		 6113 ADD_TEST(test_session_with_only_int_cache);
6114 ADD_TEST(test_session_with_only_ext_cache);
6115 ADD_TEST(test_session_with_both_cache);
36ff232c 6116#ifndef OPENSSL_NO_TLS1_3
04d7814a
MC		 6117 ADD_ALL_TESTS(test_stateful_tickets, 3);
6118 ADD_ALL_TESTS(test_stateless_tickets, 3);
8614a4eb 6119 ADD_TEST(test_psk_tickets);
36ff232c 6120#endif
7fb4c820 6121 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 6122 ADD_TEST(test_ssl_bio_pop_next_bio);
6123 ADD_TEST(test_ssl_bio_pop_ssl_bio);
6124 ADD_TEST(test_ssl_bio_change_rbio);
6125 ADD_TEST(test_ssl_bio_change_wbio);
c423ecaa 6126#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae 6127 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 6128 ADD_TEST(test_keylog);
c423ecaa 6129#endif
6acdd3e5
CB		 6130#ifndef OPENSSL_NO_TLS1_3
6131 ADD_TEST(test_keylog_no_master_key);
6132#endif
e9ee6536 6133#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 6134 ADD_TEST(test_client_hello_cb);
088dfa13 6135 ADD_TEST(test_no_ems);
5f982038
MC		 6136#endif
6137#ifndef OPENSSL_NO_TLS1_3
02a3ed5a 6138 ADD_ALL_TESTS(test_early_data_read_write, 3);
78fb5374
MC		 6139 /*
6140 * We don't do replay tests for external PSK. Replay protection isn't used
6141 * in that scenario.
6142 */
6143 ADD_ALL_TESTS(test_early_data_replay, 2);
02a3ed5a
MC		 6144 ADD_ALL_TESTS(test_early_data_skip, 3);
6145 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
0efa0ba4 6146 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
0d1b7789 6147 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
02a3ed5a 6148 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 6149 ADD_ALL_TESTS(test_early_data_psk, 8);
02a3ed5a 6150 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 6151# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 6152 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 6153# endif
e9ee6536 6154#endif
a273157a 6155#ifndef OPENSSL_NO_TLS1_3
034cb87b 6156 ADD_ALL_TESTS(test_set_ciphersuite, 10);
ca0413ae 6157 ADD_TEST(test_ciphersuite_change);
c2b290c3
MC		 6158#ifdef OPENSSL_NO_PSK
6159 ADD_ALL_TESTS(test_tls13_psk, 1);
6160#else
0d8da779 6161 ADD_ALL_TESTS(test_tls13_psk, 4);
c2b290c3 6162#endif /* OPENSSL_NO_PSK */
bb01ef3f 6163 ADD_ALL_TESTS(test_custom_exts, 5);
c7b8ff25 6164 ADD_TEST(test_stateless);
9d75dce3 6165 ADD_TEST(test_pha_key_update);
a273157a 6166#else
bb01ef3f 6167 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 6168#endif
16afd71c 6169 ADD_ALL_TESTS(test_serverinfo, 8);
0fb2815b 6170 ADD_ALL_TESTS(test_export_key_mat, 6);
b38ede80
TT		 6171#ifndef OPENSSL_NO_TLS1_3
6172 ADD_ALL_TESTS(test_export_key_mat_early, 3);
6173#endif
e11b6aa4 6174 ADD_ALL_TESTS(test_ssl_clear, 2);
cf72c757 6175 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
76fd7a1d
MC		 6176#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6177 ADD_ALL_TESTS(test_srp, 6);
6178#endif
5718fe45 6179 ADD_ALL_TESTS(test_info_callback, 6);
4a432af8 6180 ADD_ALL_TESTS(test_ssl_pending, 2);
e401389a 6181 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
61fb5923 6182 ADD_ALL_TESTS(test_ticket_callbacks, 12);
57d7b988 6183 ADD_ALL_TESTS(test_shutdown, 7);
cd6fe29f 6184 ADD_ALL_TESTS(test_cert_cb, 3);
6e46c065 6185 ADD_ALL_TESTS(test_client_cert_cb, 2);
fb8c8359 6186 ADD_ALL_TESTS(test_ca_names, 3);
ad887416
P		 6187 return 1;
6188}
2cb4b5f6 6189
ad887416
P		 6190void cleanup_tests(void)
6191{
fa454945 6192 bio_s_mempacket_test_free();
2cb4b5f6 6193}
A mirror of the official openssl repository