]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
first cut at sigalg loading
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
fecb3aae 2 * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6 3 *
909f1a2e 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
2cb4b5f6
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
a76ce286
P		 10/*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14#ifndef OPENSSL_NO_DEPRECATED_3_0
15# define OPENSSL_SUPPRESS_DEPRECATED
16#endif
17
7c3a7561 18#include <stdio.h>
ba881d3b
MC		 19#include <string.h>
20
2cb4b5f6
MC		 21#include <openssl/opensslconf.h>
22#include <openssl/bio.h>
23#include <openssl/crypto.h>
24#include <openssl/ssl.h>
ba881d3b 25#include <openssl/ocsp.h>
76fd7a1d
MC		 26#include <openssl/srp.h>
27#include <openssl/txt_db.h>
d0191fe0 28#include <openssl/aes.h>
7c3a7561 29#include <openssl/rand.h>
a76ce286 30#include <openssl/core_names.h>
23c48d94 31#include <openssl/core_dispatch.h>
5e30f2fd 32#include <openssl/provider.h>
33c39a06 33#include <openssl/param_build.h>
dfccfde0 34#include <openssl/x509v3.h>
92d7120c 35#include <openssl/dh.h>
b718f6fc 36#include <openssl/engine.h>
2cb4b5f6 37
20f8bc72 38#include "helpers/ssltestlib.h"
c887104f 39#include "testutil.h"
f297e4ec 40#include "testutil/output.h"
176db6dc 41#include "internal/nelem.h"
fe5d9450 42#include "internal/ktls.h"
706457b7 43#include "../ssl/ssl_local.h"
0755722c 44#include "../ssl/record/methods/recmethod_local.h"
b0001d0c 45#include "filterprov.h"
2cb4b5f6 46
a763ca11
MC		 47#undef OSSL_NO_USABLE_TLS1_3
48#if defined(OPENSSL_NO_TLS1_3) \
49 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
50/*
51 * If we don't have ec or dh then there are no built-in groups that are usable
52 * with TLSv1.3
53 */
54# define OSSL_NO_USABLE_TLS1_3
55#endif
56
0c13cdf8
MC		 57/* Defined in tls-provider.c */
58int tls_provider_init(const OSSL_CORE_HANDLE *handle,
59 const OSSL_DISPATCH *in,
60 const OSSL_DISPATCH **out,
61 void **provctx);
852c2ed2 62
b4250010 63static OSSL_LIB_CTX *libctx = NULL;
5e30f2fd
MC		 64static OSSL_PROVIDER *defctxnull = NULL;
65
a763ca11 66#ifndef OSSL_NO_USABLE_TLS1_3
8614a4eb
MC		 67
68static SSL_SESSION *clientpsk = NULL;
69static SSL_SESSION *serverpsk = NULL;
70static const char *pskid = "Identity";
71static const char *srvid;
72
73static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
74 size_t *idlen, SSL_SESSION **sess);
75static int find_session_cb(SSL *ssl, const unsigned char *identity,
76 size_t identity_len, SSL_SESSION **sess);
77
78static int use_session_cb_cnt = 0;
79static int find_session_cb_cnt = 0;
80
81static SSL_SESSION *create_a_psk(SSL *ssl);
82#endif
83
1a2a3a42 84static char *certsdir = NULL;
2cb4b5f6
MC		 85static char *cert = NULL;
86static char *privkey = NULL;
b3842539
MC		 87static char *cert2 = NULL;
88static char *privkey2 = NULL;
3105d846
MC		 89static char *cert1024 = NULL;
90static char *privkey1024 = NULL;
91static char *cert3072 = NULL;
92static char *privkey3072 = NULL;
93static char *cert4096 = NULL;
94static char *privkey4096 = NULL;
95static char *cert8192 = NULL;
96static char *privkey8192 = NULL;
76fd7a1d
MC		 97static char *srpvfile = NULL;
98static char *tmpfilename = NULL;
b2b8d188 99static char *dhfile = NULL;
2cb4b5f6 100
4f6c7044
MC		 101static int is_fips = 0;
102
cffe973c 103#define LOG_BUFFER_SIZE 2048
6acdd3e5 104static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 105static size_t server_log_buffer_index = 0;
6acdd3e5 106static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 107static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 108static int error_writing_log = 0;
109
8f8c11d8 110#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 111static const unsigned char orespder[] = "Dummy OCSP Response";
112static int ocsp_server_called = 0;
113static int ocsp_client_called = 0;
114
115static int cdummyarg = 1;
116static X509 *ocspcert = NULL;
8f8c11d8 117#endif
ba881d3b 118
84d5549e 119#define NUM_EXTRA_CERTS 40
cf72c757 120#define CLIENT_VERSION_LEN 2
84d5549e 121
f1a5939f
CB		 122/*
123 * This structure is used to validate that the correct number of log messages
124 * of various types are emitted when emitting secret logs.
125 */
126struct sslapitest_log_counts {
127 unsigned int rsa_key_exchange_count;
128 unsigned int master_secret_count;
cffe973c 129 unsigned int client_early_secret_count;
f1a5939f
CB		 130 unsigned int client_handshake_secret_count;
131 unsigned int server_handshake_secret_count;
132 unsigned int client_application_secret_count;
133 unsigned int server_application_secret_count;
01a2a654 134 unsigned int early_exporter_secret_count;
6329ce8f 135 unsigned int exporter_secret_count;
f1a5939f
CB		 136};
137
16afd71c 138
104a733d
MC		 139static int hostname_cb(SSL *s, int *al, void *arg)
140{
141 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
142
143 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
144 || strcmp(hostname, "altgoodhost") == 0))
145 return SSL_TLSEXT_ERR_OK;
146
147 return SSL_TLSEXT_ERR_NOACK;
148}
149
710756a9
RS		 150static void client_keylog_callback(const SSL *ssl, const char *line)
151{
6acdd3e5
CB		 152 int line_length = strlen(line);
153
154 /* If the log doesn't fit, error out. */
710756a9
RS		 155 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
156 TEST_info("Client log too full");
6acdd3e5
CB		 157 error_writing_log = 1;
158 return;
159 }
160
161 strcat(client_log_buffer, line);
162 client_log_buffer_index += line_length;
710756a9 163 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 164}
165
710756a9
RS		 166static void server_keylog_callback(const SSL *ssl, const char *line)
167{
6acdd3e5
CB		 168 int line_length = strlen(line);
169
170 /* If the log doesn't fit, error out. */
710756a9 171 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 172 TEST_info("Server log too full");
6acdd3e5
CB		 173 error_writing_log = 1;
174 return;
175 }
176
177 strcat(server_log_buffer, line);
178 server_log_buffer_index += line_length;
710756a9 179 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 180}
181
182static int compare_hex_encoded_buffer(const char *hex_encoded,
183 size_t hex_length,
184 const uint8_t *raw,
710756a9
RS		 185 size_t raw_length)
186{
187 size_t i, j;
188 char hexed[3];
6acdd3e5 189
710756a9 190 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 191 return 1;
6acdd3e5 192
710756a9 193 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 194 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 195 if (!TEST_int_eq(hexed[0], hex_encoded[j])
196 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 197 return 1;
6acdd3e5
CB		 198 }
199
200 return 0;
201}
202
203static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 204 const SSL_SESSION *session,
710756a9
RS		 205 struct sslapitest_log_counts *expected)
206{
6acdd3e5
CB		 207 char *token = NULL;
208 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
209 size_t client_random_size = SSL3_RANDOM_SIZE;
210 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
211 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 212 unsigned int rsa_key_exchange_count = 0;
213 unsigned int master_secret_count = 0;
cffe973c 214 unsigned int client_early_secret_count = 0;
f1a5939f
CB		 215 unsigned int client_handshake_secret_count = 0;
216 unsigned int server_handshake_secret_count = 0;
217 unsigned int client_application_secret_count = 0;
218 unsigned int server_application_secret_count = 0;
01a2a654 219 unsigned int early_exporter_secret_count = 0;
6329ce8f 220 unsigned int exporter_secret_count = 0;
6acdd3e5 221
710756a9
RS		 222 for (token = strtok(buffer, " \n"); token != NULL;
223 token = strtok(NULL, " \n")) {
6acdd3e5 224 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 225 /*
226 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 227 * hex-encoded encrypted secret, then the hex-encoded pre-master
228 * secret.
229 */
710756a9 230 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 231 return 0;
710756a9 232 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 233 return 0;
710756a9 234 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 235 return 0;
f1a5939f
CB		 236 /*
237 * We can't sensibly check the log because the premaster secret is
238 * transient, and OpenSSL doesn't keep hold of it once the master
239 * secret is generated.
240 */
241 rsa_key_exchange_count++;
6acdd3e5 242 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 243 /*
244 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 245 * client random, then the hex-encoded master secret.
246 */
247 client_random_size = SSL_get_client_random(ssl,
248 actual_client_random,
249 SSL3_RANDOM_SIZE);
710756a9 250 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 251 return 0;
6acdd3e5 252
710756a9 253 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 254 return 0;
710756a9 255 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 256 return 0;
710756a9
RS		 257 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
258 actual_client_random,
259 client_random_size)))
f1a5939f 260 return 0;
6acdd3e5 261
710756a9 262 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 263 return 0;
6acdd3e5
CB		 264 master_key_size = SSL_SESSION_get_master_key(session,
265 actual_master_key,
266 master_key_size);
710756a9 267 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 268 return 0;
710756a9
RS		 269 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
270 actual_master_key,
271 master_key_size)))
f1a5939f 272 return 0;
f1a5939f 273 master_secret_count++;
cffe973c
PW		 274 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
275 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
710756a9
RS		 276 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
277 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
6329ce8f 278 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
01a2a654 279 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
6329ce8f 280 || strcmp(token, "EXPORTER_SECRET") == 0) {
f1a5939f
CB		 281 /*
282 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
283 * client random, and then the hex-encoded secret. In this case,
284 * we treat all of these secrets identically and then just
285 * distinguish between them when counting what we saw.
286 */
cffe973c
PW		 287 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
288 client_early_secret_count++;
289 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
f1a5939f
CB		 290 client_handshake_secret_count++;
291 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
292 server_handshake_secret_count++;
293 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
294 client_application_secret_count++;
295 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
296 server_application_secret_count++;
01a2a654
PW		 297 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
298 early_exporter_secret_count++;
6329ce8f
PW		 299 else if (strcmp(token, "EXPORTER_SECRET") == 0)
300 exporter_secret_count++;
f1a5939f
CB		 301
302 client_random_size = SSL_get_client_random(ssl,
303 actual_client_random,
304 SSL3_RANDOM_SIZE);
710756a9 305 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 306 return 0;
f1a5939f 307
710756a9 308 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 309 return 0;
710756a9 310 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 311 return 0;
710756a9
RS		 312 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
313 actual_client_random,
314 client_random_size)))
f1a5939f 315 return 0;
6acdd3e5 316
710756a9 317 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 318 return 0;
6acdd3e5 319 } else {
710756a9 320 TEST_info("Unexpected token %s\n", token);
f1a5939f 321 return 0;
6acdd3e5 322 }
6acdd3e5
CB		 323 }
324
710756a9
RS		 325 /* Got what we expected? */
326 if (!TEST_size_t_eq(rsa_key_exchange_count,
327 expected->rsa_key_exchange_count)
328 || !TEST_size_t_eq(master_secret_count,
329 expected->master_secret_count)
cffe973c
PW		 330 || !TEST_size_t_eq(client_early_secret_count,
331 expected->client_early_secret_count)
710756a9
RS		 332 || !TEST_size_t_eq(client_handshake_secret_count,
333 expected->client_handshake_secret_count)
334 || !TEST_size_t_eq(server_handshake_secret_count,
335 expected->server_handshake_secret_count)
336 || !TEST_size_t_eq(client_application_secret_count,
337 expected->client_application_secret_count)
338 || !TEST_size_t_eq(server_application_secret_count,
6329ce8f 339 expected->server_application_secret_count)
01a2a654
PW		 340 || !TEST_size_t_eq(early_exporter_secret_count,
341 expected->early_exporter_secret_count)
6329ce8f
PW		 342 || !TEST_size_t_eq(exporter_secret_count,
343 expected->exporter_secret_count))
710756a9
RS		 344 return 0;
345 return 1;
6acdd3e5
CB		 346}
347
a763ca11 348#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
710756a9
RS		 349static int test_keylog(void)
350{
6acdd3e5
CB		 351 SSL_CTX *cctx = NULL, *sctx = NULL;
352 SSL *clientssl = NULL, *serverssl = NULL;
353 int testresult = 0;
6fc1e624 354 struct sslapitest_log_counts expected;
6acdd3e5
CB		 355
356 /* Clean up logging space */
6fc1e624 357 memset(&expected, 0, sizeof(expected));
710756a9
RS		 358 memset(client_log_buffer, 0, sizeof(client_log_buffer));
359 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 360 client_log_buffer_index = 0;
361 server_log_buffer_index = 0;
362 error_writing_log = 0;
363
5e30f2fd 364 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
710756a9 365 TLS_client_method(),
5c587fb6 366 TLS1_VERSION, 0,
710756a9 367 &sctx, &cctx, cert, privkey)))
6acdd3e5 368 return 0;
6acdd3e5
CB		 369
370 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
371 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
372 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
373
f0deb4d3 374 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 375 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 376 goto end;
f0deb4d3 377
cf10df81
RS		 378 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
379 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 380 goto end;
6acdd3e5 381 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 382 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
383 == client_keylog_callback))
6acdd3e5 384 goto end;
710756a9 385 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 386 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
387 == server_keylog_callback))
6acdd3e5 388 goto end;
6acdd3e5 389
710756a9
RS		 390 /* Now do a handshake and check that the logs have been written to. */
391 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
392 &clientssl, NULL, NULL))
393 || !TEST_true(create_ssl_connection(serverssl, clientssl,
394 SSL_ERROR_NONE))
395 || !TEST_false(error_writing_log)
396 || !TEST_int_gt(client_log_buffer_index, 0)
397 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 398 goto end;
6acdd3e5 399
f1a5939f
CB		 400 /*
401 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 402 * do that by using strtok and confirming that we have more or less the
f1a5939f 403 * data we expect. For both client and server, we expect to see one master
a63fa5f7 404 * secret. The client should also see an RSA key exchange.
6acdd3e5 405 */
f1a5939f
CB		 406 expected.rsa_key_exchange_count = 1;
407 expected.master_secret_count = 1;
710756a9
RS		 408 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
409 SSL_get_session(clientssl), &expected)))
6acdd3e5 410 goto end;
f1a5939f
CB		 411
412 expected.rsa_key_exchange_count = 0;
710756a9
RS		 413 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
414 SSL_get_session(serverssl), &expected)))
6acdd3e5 415 goto end;
6acdd3e5
CB		 416
417 testresult = 1;
418
419end:
420 SSL_free(serverssl);
421 SSL_free(clientssl);
422 SSL_CTX_free(sctx);
423 SSL_CTX_free(cctx);
424
425 return testresult;
426}
c423ecaa 427#endif
6acdd3e5 428
a763ca11 429#ifndef OSSL_NO_USABLE_TLS1_3
710756a9
RS		 430static int test_keylog_no_master_key(void)
431{
6acdd3e5
CB		 432 SSL_CTX *cctx = NULL, *sctx = NULL;
433 SSL *clientssl = NULL, *serverssl = NULL;
cffe973c 434 SSL_SESSION *sess = NULL;
6acdd3e5 435 int testresult = 0;
6fc1e624 436 struct sslapitest_log_counts expected;
cffe973c
PW		 437 unsigned char buf[1];
438 size_t readbytes, written;
6acdd3e5
CB		 439
440 /* Clean up logging space */
6fc1e624 441 memset(&expected, 0, sizeof(expected));
710756a9
RS		 442 memset(client_log_buffer, 0, sizeof(client_log_buffer));
443 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 444 client_log_buffer_index = 0;
445 server_log_buffer_index = 0;
446 error_writing_log = 0;
447
5e30f2fd
MC		 448 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
449 TLS_client_method(), TLS1_VERSION, 0,
cffe973c
PW		 450 &sctx, &cctx, cert, privkey))
451 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
cffe973c 452 SSL3_RT_MAX_PLAIN_LENGTH)))
6acdd3e5 453 return 0;
6acdd3e5 454
cf10df81
RS		 455 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
456 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 457 goto end;
6acdd3e5
CB		 458
459 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 460 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
461 == client_keylog_callback))
6acdd3e5 462 goto end;
6acdd3e5 463
710756a9 464 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 465 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
466 == server_keylog_callback))
6acdd3e5 467 goto end;
6acdd3e5 468
710756a9
RS		 469 /* Now do a handshake and check that the logs have been written to. */
470 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
471 &clientssl, NULL, NULL))
472 || !TEST_true(create_ssl_connection(serverssl, clientssl,
473 SSL_ERROR_NONE))
474 || !TEST_false(error_writing_log))
6acdd3e5 475 goto end;
6acdd3e5 476
f1a5939f
CB		 477 /*
478 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 479 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 480 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 481 */
f1a5939f
CB		 482 expected.client_handshake_secret_count = 1;
483 expected.server_handshake_secret_count = 1;
484 expected.client_application_secret_count = 1;
485 expected.server_application_secret_count = 1;
6329ce8f 486 expected.exporter_secret_count = 1;
710756a9
RS		 487 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
488 SSL_get_session(clientssl), &expected))
489 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
490 SSL_get_session(serverssl),
491 &expected)))
6acdd3e5 492 goto end;
6acdd3e5 493
cffe973c
PW		 494 /* Terminate old session and resume with early data. */
495 sess = SSL_get1_session(clientssl);
496 SSL_shutdown(clientssl);
497 SSL_shutdown(serverssl);
498 SSL_free(serverssl);
499 SSL_free(clientssl);
500 serverssl = clientssl = NULL;
501
502 /* Reset key log */
503 memset(client_log_buffer, 0, sizeof(client_log_buffer));
504 memset(server_log_buffer, 0, sizeof(server_log_buffer));
505 client_log_buffer_index = 0;
506 server_log_buffer_index = 0;
507
508 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
509 &clientssl, NULL, NULL))
510 || !TEST_true(SSL_set_session(clientssl, sess))
511 /* Here writing 0 length early data is enough. */
512 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
513 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
514 &readbytes),
515 SSL_READ_EARLY_DATA_ERROR)
516 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
517 SSL_EARLY_DATA_ACCEPTED)
518 || !TEST_true(create_ssl_connection(serverssl, clientssl,
519 SSL_ERROR_NONE))
520 || !TEST_true(SSL_session_reused(clientssl)))
521 goto end;
522
523 /* In addition to the previous entries, expect early secrets. */
524 expected.client_early_secret_count = 1;
01a2a654 525 expected.early_exporter_secret_count = 1;
cffe973c
PW		 526 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
527 SSL_get_session(clientssl), &expected))
528 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
529 SSL_get_session(serverssl),
530 &expected)))
531 goto end;
532
6acdd3e5
CB		 533 testresult = 1;
534
535end:
cffe973c 536 SSL_SESSION_free(sess);
6acdd3e5
CB		 537 SSL_free(serverssl);
538 SSL_free(clientssl);
539 SSL_CTX_free(sctx);
540 SSL_CTX_free(cctx);
541
542 return testresult;
543}
544#endif
545
0c3eb279
DDO		 546static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
547{
548 int res = X509_verify_cert(ctx);
dfb39f73
TM		 549 int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
550 SSL *ssl;
551
552 /* this should not happen but check anyway */
553 if (idx < 0
554 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
555 return 0;
0c3eb279
DDO		 556
557 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
558 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
dfb39f73
TM		 559 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
560 return SSL_set_retry_verify(ssl);
561
0c3eb279
DDO		 562 return res;
563}
564
565static int test_client_cert_verify_cb(void)
566{
567 /* server key, cert, chain, and root */
568 char *skey = test_mk_file_path(certsdir, "leaf.key");
569 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
570 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
571 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
572 char *root = test_mk_file_path(certsdir, "rootCA.pem");
573 X509 *crt1 = NULL, *crt2 = NULL;
574 STACK_OF(X509) *server_chain;
575 SSL_CTX *cctx = NULL, *sctx = NULL;
576 SSL *clientssl = NULL, *serverssl = NULL;
577 int testresult = 0;
578
579 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
580 TLS_client_method(), TLS1_VERSION, 0,
581 &sctx, &cctx, NULL, NULL)))
582 goto end;
583 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
584 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
585 SSL_FILETYPE_PEM), 1)
586 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
587 goto end;
588 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
589 goto end;
590 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
591 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
592 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
593 &clientssl, NULL, NULL)))
594 goto end;
595
596 /* attempt SSL_connect() with incomplete server chain */
597 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
598 SSL_ERROR_WANT_RETRY_VERIFY)))
599 goto end;
600
601 /* application provides intermediate certs needed to verify server cert */
602 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
603 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
604 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
605 goto end;
606 /* add certs in reverse order to demonstrate real chain building */
607 if (!TEST_true(sk_X509_push(server_chain, crt1)))
608 goto end;
609 crt1 = NULL;
610 if (!TEST_true(sk_X509_push(server_chain, crt2)))
611 goto end;
612 crt2 = NULL;
613
614 /* continue SSL_connect(), must now succeed with completed server chain */
615 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
616 SSL_ERROR_NONE)))
617 goto end;
618
619 testresult = 1;
620
621end:
622 X509_free(crt1);
623 X509_free(crt2);
c38048e7
P		 624 if (clientssl != NULL) {
625 SSL_shutdown(clientssl);
626 SSL_free(clientssl);
627 }
628 if (serverssl != NULL) {
629 SSL_shutdown(serverssl);
630 SSL_free(serverssl);
631 }
0c3eb279
DDO		 632 SSL_CTX_free(sctx);
633 SSL_CTX_free(cctx);
634
635 OPENSSL_free(skey);
636 OPENSSL_free(leaf);
637 OPENSSL_free(int2);
638 OPENSSL_free(int1);
639 OPENSSL_free(root);
640
641 return testresult;
642}
643
4e4ae840
SL		 644static int test_ssl_build_cert_chain(void)
645{
646 int ret = 0;
647 SSL_CTX *ssl_ctx = NULL;
648 SSL *ssl = NULL;
649 char *skey = test_mk_file_path(certsdir, "leaf.key");
650 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
651
652 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
653 goto end;
654 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
655 goto end;
656 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
657 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
658 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
659 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
660 goto end;
661 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
662 | SSL_BUILD_CHAIN_FLAG_CHECK)))
663 goto end;
664 ret = 1;
665end:
666 SSL_free(ssl);
667 SSL_CTX_free(ssl_ctx);
668 OPENSSL_free(leaf_chain);
669 OPENSSL_free(skey);
670 return ret;
671}
672
c7debe81
TM		 673static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
674{
675 static const char pass[] = "testpass";
676
677 if (!TEST_int_eq(size, PEM_BUFSIZE))
678 return -1;
679
680 memcpy(buf, pass, sizeof(pass) - 1);
681 return sizeof(pass) - 1;
682}
683
4e4ae840
SL		 684static int test_ssl_ctx_build_cert_chain(void)
685{
686 int ret = 0;
687 SSL_CTX *ctx = NULL;
c7debe81 688 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
4e4ae840
SL		 689 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
690
691 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
692 goto end;
c7debe81 693 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
4e4ae840
SL		 694 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
695 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
696 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
697 SSL_FILETYPE_PEM), 1)
698 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
699 goto end;
700 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
701 | SSL_BUILD_CHAIN_FLAG_CHECK)))
702 goto end;
703 ret = 1;
704end:
705 SSL_CTX_free(ctx);
706 OPENSSL_free(leaf_chain);
707 OPENSSL_free(skey);
708 return ret;
709}
710
e9ee6536 711#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 712static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 713{
714 int *ctr = arg;
715 const unsigned char *p;
8ea404fb 716 int *exts;
2afaee51
BK		 717 /* We only configure two ciphers, but the SCSV is added automatically. */
718#ifdef OPENSSL_NO_EC
719 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
720#else
721 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
722 0x2c, 0x00, 0xff};
723#endif
8ea404fb
BK		 724 const int expected_extensions[] = {
725#ifndef OPENSSL_NO_EC
726 11, 10,
727#endif
10ed1b72 728 35, 22, 23, 13};
2afaee51
BK		 729 size_t len;
730
731 /* Make sure we can defer processing and get called back. */
732 if ((*ctr)++ == 0)
f1b97da1 733 return SSL_CLIENT_HELLO_RETRY;
2afaee51 734
a9c0d8be 735 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 736 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 737 || !TEST_size_t_eq(
738 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 739 || !TEST_int_eq(*p, 0))
f1b97da1 740 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 741 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 742 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 743 if (len != OSSL_NELEM(expected_extensions) ||
744 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 745 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 746 OPENSSL_free(exts);
f1b97da1 747 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 748 }
749 OPENSSL_free(exts);
f1b97da1 750 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 751}
752
a9c0d8be 753static int test_client_hello_cb(void)
710756a9 754{
2afaee51
BK		 755 SSL_CTX *cctx = NULL, *sctx = NULL;
756 SSL *clientssl = NULL, *serverssl = NULL;
757 int testctr = 0, testresult = 0;
758
5e30f2fd
MC		 759 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
760 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 761 &sctx, &cctx, cert, privkey)))
2afaee51 762 goto end;
a9c0d8be 763 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 764
2afaee51
BK		 765 /* The gimpy cipher list we configure can't do TLS 1.3. */
766 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 767
710756a9
RS		 768 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
769 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
770 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
771 &clientssl, NULL, NULL))
772 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 773 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 774 /*
775 * Passing a -1 literal is a hack since
776 * the real value was lost.
777 * */
a9c0d8be
DB		 778 || !TEST_int_eq(SSL_get_error(serverssl, -1),
779 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 780 || !TEST_true(create_ssl_connection(serverssl, clientssl,
781 SSL_ERROR_NONE)))
2afaee51 782 goto end;
2afaee51
BK		 783
784 testresult = 1;
785
088dfa13
TS		 786end:
787 SSL_free(serverssl);
788 SSL_free(clientssl);
789 SSL_CTX_free(sctx);
790 SSL_CTX_free(cctx);
791
792 return testresult;
793}
794
795static int test_no_ems(void)
796{
797 SSL_CTX *cctx = NULL, *sctx = NULL;
798 SSL *clientssl = NULL, *serverssl = NULL;
799 int testresult = 0;
800
5e30f2fd 801 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
088dfa13
TS		 802 TLS1_VERSION, TLS1_2_VERSION,
803 &sctx, &cctx, cert, privkey)) {
804 printf("Unable to create SSL_CTX pair\n");
805 goto end;
806 }
807
808 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
809
810 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
811 printf("Unable to create SSL objects\n");
812 goto end;
813 }
814
815 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
816 printf("Creating SSL connection failed\n");
817 goto end;
818 }
819
820 if (SSL_get_extms_support(serverssl)) {
821 printf("Server reports Extended Master Secret support\n");
822 goto end;
823 }
824
825 if (SSL_get_extms_support(clientssl)) {
826 printf("Client reports Extended Master Secret support\n");
827 goto end;
828 }
829 testresult = 1;
830
2afaee51
BK		 831end:
832 SSL_free(serverssl);
833 SSL_free(clientssl);
834 SSL_CTX_free(sctx);
835 SSL_CTX_free(cctx);
836
837 return testresult;
838}
839
3cd14e5e
BK		 840/*
841 * Very focused test to exercise a single case in the server-side state
842 * machine, when the ChangeCipherState message needs to actually change
843 * from one cipher to a different cipher (i.e., not changing from null
b3e6d666 844 * encryption to real encryption).
3cd14e5e
BK		 845 */
846static int test_ccs_change_cipher(void)
847{
848 SSL_CTX *cctx = NULL, *sctx = NULL;
849 SSL *clientssl = NULL, *serverssl = NULL;
850 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
851 int testresult = 0;
852 int i;
853 unsigned char buf;
854 size_t readbytes;
855
856 /*
e304aa87 857 * Create a connection so we can resume and potentially (but not) use
3cd14e5e
BK		 858 * a different cipher in the second connection.
859 */
5e30f2fd 860 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3cd14e5e
BK		 861 TLS_client_method(),
862 TLS1_VERSION, TLS1_2_VERSION,
863 &sctx, &cctx, cert, privkey))
864 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
865 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
866 NULL, NULL))
867 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
868 || !TEST_true(create_ssl_connection(serverssl, clientssl,
869 SSL_ERROR_NONE))
870 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
871 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
872 goto end;
873
874 shutdown_ssl_connection(serverssl, clientssl);
875 serverssl = clientssl = NULL;
876
877 /* Resume, preferring a different cipher. Our server will force the
878 * same cipher to be used as the initial handshake. */
879 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
880 NULL, NULL))
881 || !TEST_true(SSL_set_session(clientssl, sess))
882 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
883 || !TEST_true(create_ssl_connection(serverssl, clientssl,
884 SSL_ERROR_NONE))
885 || !TEST_true(SSL_session_reused(clientssl))
886 || !TEST_true(SSL_session_reused(serverssl))
887 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
888 || !TEST_ptr_eq(sesspre, sesspost)
889 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
890 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
891 goto end;
892 shutdown_ssl_connection(serverssl, clientssl);
893 serverssl = clientssl = NULL;
894
895 /*
896 * Now create a fresh connection and try to renegotiate a different
897 * cipher on it.
898 */
b3e6d666
BK		 899 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
900 NULL, NULL))
3cd14e5e
BK		 901 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
902 || !TEST_true(create_ssl_connection(serverssl, clientssl,
903 SSL_ERROR_NONE))
904 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
905 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
906 || !TEST_true(SSL_renegotiate(clientssl))
907 || !TEST_true(SSL_renegotiate_pending(clientssl)))
908 goto end;
909 /* Actually drive the renegotiation. */
910 for (i = 0; i < 3; i++) {
911 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
912 if (!TEST_ulong_eq(readbytes, 0))
913 goto end;
914 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
915 SSL_ERROR_WANT_READ)) {
916 goto end;
917 }
918 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
919 if (!TEST_ulong_eq(readbytes, 0))
920 goto end;
921 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
922 SSL_ERROR_WANT_READ)) {
923 goto end;
924 }
925 }
926 /* sesspre and sesspost should be different since the cipher changed. */
927 if (!TEST_false(SSL_renegotiate_pending(clientssl))
928 || !TEST_false(SSL_session_reused(clientssl))
929 || !TEST_false(SSL_session_reused(serverssl))
930 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
931 || !TEST_ptr_ne(sesspre, sesspost)
932 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
933 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
934 goto end;
935
936 shutdown_ssl_connection(serverssl, clientssl);
937 serverssl = clientssl = NULL;
938
939 testresult = 1;
940
941end:
942 SSL_free(serverssl);
943 SSL_free(clientssl);
944 SSL_CTX_free(sctx);
945 SSL_CTX_free(cctx);
946 SSL_SESSION_free(sess);
947
948 return testresult;
949}
fb121631 950#endif
3cd14e5e 951
84d5549e 952static int execute_test_large_message(const SSL_METHOD *smeth,
7d7f6834
RL		 953 const SSL_METHOD *cmeth,
954 int min_version, int max_version,
955 int read_ahead)
84d5549e
MC		 956{
957 SSL_CTX *cctx = NULL, *sctx = NULL;
958 SSL *clientssl = NULL, *serverssl = NULL;
959 int testresult = 0;
960 int i;
710756a9 961 BIO *certbio = NULL;
84d5549e
MC		 962 X509 *chaincert = NULL;
963 int certlen;
964
710756a9 965 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
84d5549e 966 goto end;
6725682d 967
d8652be0 968 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
6725682d
SL		 969 goto end;
970
971 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
972 goto end;
fa454945
MC		 973 BIO_free(certbio);
974 certbio = NULL;
84d5549e 975
5e30f2fd
MC		 976 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
977 max_version, &sctx, &cctx, cert,
978 privkey)))
84d5549e 979 goto end;
84d5549e 980
8ce390e1
MC		 981#ifdef OPENSSL_NO_DTLS1_2
982 if (smeth == DTLS_server_method()) {
983 /*
984 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
985 * level 0
986 */
987 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
988 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
989 "DEFAULT:@SECLEVEL=0")))
990 goto end;
991 }
992#endif
993
710756a9 994 if (read_ahead) {
7856332e
MC		 995 /*
996 * Test that read_ahead works correctly when dealing with large
997 * records
998 */
999 SSL_CTX_set_read_ahead(cctx, 1);
1000 }
1001
84d5549e
MC		 1002 /*
1003 * We assume the supplied certificate is big enough so that if we add
1004 * NUM_EXTRA_CERTS it will make the overall message large enough. The
1005 * default buffer size is requested to be 16k, but due to the way BUF_MEM
710756a9
RS		 1006 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
1007 * test we need to have a message larger than that.
84d5549e
MC		 1008 */
1009 certlen = i2d_X509(chaincert, NULL);
710756a9
RS		 1010 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
1011 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
84d5549e 1012 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
710756a9 1013 if (!X509_up_ref(chaincert))
84d5549e 1014 goto end;
84d5549e 1015 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
84d5549e
MC		 1016 X509_free(chaincert);
1017 goto end;
1018 }
1019 }
1020
710756a9
RS		 1021 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1022 NULL, NULL))
1023 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1024 SSL_ERROR_NONE)))
84d5549e 1025 goto end;
84d5549e 1026
4bf08600
MC		 1027 /*
1028 * Calling SSL_clear() first is not required but this tests that SSL_clear()
742ccab3 1029 * doesn't leak.
4bf08600 1030 */
710756a9 1031 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 1032 goto end;
84d5549e 1033
4bf08600 1034 testresult = 1;
84d5549e 1035 end:
6725682d 1036 BIO_free(certbio);
84d5549e
MC		 1037 X509_free(chaincert);
1038 SSL_free(serverssl);
1039 SSL_free(clientssl);
1040 SSL_CTX_free(sctx);
1041 SSL_CTX_free(cctx);
1042
1043 return testresult;
1044}
1045
da4db160 1046#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
a763ca11 1047 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
fe5d9450
BP		 1048/* sock must be connected */
1049static int ktls_chk_platform(int sock)
1050{
1051 if (!ktls_enable(sock))
1052 return 0;
1053 return 1;
1054}
1055
e1fdd526 1056static int ping_pong_query(SSL *clientssl, SSL *serverssl)
fe5d9450
BP		 1057{
1058 static char count = 1;
1059 unsigned char cbuf[16000] = {0};
1060 unsigned char sbuf[16000];
1061 size_t err = 0;
e1fdd526
JB		 1062 char crec_wseq_before[SEQ_NUM_SIZE];
1063 char crec_wseq_after[SEQ_NUM_SIZE];
1064 char crec_rseq_before[SEQ_NUM_SIZE];
1065 char crec_rseq_after[SEQ_NUM_SIZE];
1066 char srec_wseq_before[SEQ_NUM_SIZE];
1067 char srec_wseq_after[SEQ_NUM_SIZE];
1068 char srec_rseq_before[SEQ_NUM_SIZE];
1069 char srec_rseq_after[SEQ_NUM_SIZE];
38b051a1
TM		 1070 SSL_CONNECTION *clientsc, *serversc;
1071
1072 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1073 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1074 goto end;
fe5d9450
BP		 1075
1076 cbuf[0] = count++;
2c50d7fb
MC		 1077 memcpy(crec_wseq_before, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1078 memcpy(srec_wseq_before, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
cffafb5f 1079 memcpy(crec_rseq_before, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
cffafb5f 1080 memcpy(srec_rseq_before, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
fe5d9450
BP		 1081
1082 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1083 goto end;
1084
1085 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1086 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1087 goto end;
1088 }
1089 }
1090
1091 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1092 goto end;
1093
1094 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1095 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1096 goto end;
1097 }
1098 }
1099
2c50d7fb
MC		 1100 memcpy(crec_wseq_after, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1101 memcpy(srec_wseq_after, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
cffafb5f 1102 memcpy(crec_rseq_after, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
cffafb5f 1103 memcpy(srec_rseq_after, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
fe5d9450
BP		 1104
1105 /* verify the payload */
1106 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1107 goto end;
1108
e1fdd526
JB		 1109 /*
1110 * If ktls is used then kernel sequences are used instead of
1111 * OpenSSL sequences
1112 */
38b051a1 1113 if (!BIO_get_ktls_send(clientsc->wbio)) {
e1fdd526
JB		 1114 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1115 crec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1116 goto end;
1117 } else {
e1fdd526
JB		 1118 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1119 crec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1120 goto end;
1121 }
1122
38b051a1 1123 if (!BIO_get_ktls_send(serversc->wbio)) {
e1fdd526
JB		 1124 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1125 srec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1126 goto end;
1127 } else {
e1fdd526
JB		 1128 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1129 srec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1130 goto end;
1131 }
1132
38b051a1 1133 if (!BIO_get_ktls_recv(clientsc->wbio)) {
e1fdd526
JB		 1134 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1135 crec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1136 goto end;
1137 } else {
e1fdd526
JB		 1138 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1139 crec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1140 goto end;
1141 }
1142
38b051a1 1143 if (!BIO_get_ktls_recv(serversc->wbio)) {
e1fdd526
JB		 1144 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1145 srec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1146 goto end;
1147 } else {
e1fdd526
JB		 1148 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1149 srec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1150 goto end;
1151 }
fe5d9450
BP		 1152
1153 return 1;
1154end:
1155 return 0;
1156}
1157
a3a54179 1158static int execute_test_ktls(int cis_ktls, int sis_ktls,
e1fdd526 1159 int tls_version, const char *cipher)
fe5d9450
BP		 1160{
1161 SSL_CTX *cctx = NULL, *sctx = NULL;
1162 SSL *clientssl = NULL, *serverssl = NULL;
e1fdd526
JB		 1163 int ktls_used = 0, testresult = 0;
1164 int cfd = -1, sfd = -1;
1165 int rx_supported;
38b051a1 1166 SSL_CONNECTION *clientsc, *serversc;
fe5d9450
BP		 1167
1168 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
1169 goto end;
1170
1171 /* Skip this test if the platform does not support ktls */
e1fdd526
JB		 1172 if (!ktls_chk_platform(cfd)) {
1173 testresult = TEST_skip("Kernel does not support KTLS");
1174 goto end;
1175 }
fe5d9450 1176
a5d8a2f8
DB		 1177 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1178 testresult = TEST_skip("CHACHA is not supported in FIPS");
1179 goto end;
1180 }
1181
fe5d9450 1182 /* Create a session based on SHA-256 */
5e30f2fd 1183 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fe5d9450 1184 TLS_client_method(),
da4db160 1185 tls_version, tls_version,
e1fdd526
JB		 1186 &sctx, &cctx, cert, privkey)))
1187 goto end;
1188
1189 if (tls_version == TLS1_3_VERSION) {
1190 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1191 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1192 goto end;
1193 } else {
1194 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1195 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1196 goto end;
1197 }
1198
1199 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1200 &clientssl, sfd, cfd)))
fe5d9450
BP		 1201 goto end;
1202
38b051a1
TM		 1203 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1204 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1205 goto end;
1206
a3a54179
MC		 1207 if (cis_ktls) {
1208 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
fe5d9450
BP		 1209 goto end;
1210 }
1211
a3a54179 1212 if (sis_ktls) {
e1fdd526 1213 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
2fab79af
BP		 1214 goto end;
1215 }
1216
e1fdd526 1217 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
fe5d9450
BP		 1218 goto end;
1219
e1fdd526
JB		 1220 /*
1221 * The running kernel may not support a given cipher suite
1222 * or direction, so just check that KTLS isn't used when it
1223 * isn't enabled.
1224 */
a3a54179 1225 if (!cis_ktls) {
38b051a1 1226 if (!TEST_false(BIO_get_ktls_send(clientsc->wbio)))
fe5d9450
BP		 1227 goto end;
1228 } else {
38b051a1 1229 if (BIO_get_ktls_send(clientsc->wbio))
e1fdd526 1230 ktls_used = 1;
fe5d9450
BP		 1231 }
1232
a3a54179 1233 if (!sis_ktls) {
38b051a1 1234 if (!TEST_false(BIO_get_ktls_send(serversc->wbio)))
fe5d9450
BP		 1235 goto end;
1236 } else {
38b051a1 1237 if (BIO_get_ktls_send(serversc->wbio))
e1fdd526 1238 ktls_used = 1;
fe5d9450
BP		 1239 }
1240
a3a54179 1241#if defined(OPENSSL_NO_KTLS_RX)
e1fdd526
JB		 1242 rx_supported = 0;
1243#else
7c78932b 1244 rx_supported = 1;
a3a54179 1245#endif
e1fdd526 1246 if (!cis_ktls || !rx_supported) {
38b051a1 1247 if (!TEST_false(BIO_get_ktls_recv(clientsc->rbio)))
2fab79af
BP		 1248 goto end;
1249 } else {
38b051a1 1250 if (BIO_get_ktls_send(clientsc->rbio))
e1fdd526 1251 ktls_used = 1;
2fab79af
BP		 1252 }
1253
e1fdd526 1254 if (!sis_ktls || !rx_supported) {
38b051a1 1255 if (!TEST_false(BIO_get_ktls_recv(serversc->rbio)))
2fab79af
BP		 1256 goto end;
1257 } else {
38b051a1 1258 if (BIO_get_ktls_send(serversc->rbio))
e1fdd526
JB		 1259 ktls_used = 1;
1260 }
1261
1262 if ((cis_ktls || sis_ktls) && !ktls_used) {
1263 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1264 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1265 "TLS 1.2", cipher);
1266 goto end;
2fab79af
BP		 1267 }
1268
e1fdd526 1269 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
fe5d9450
BP		 1270 goto end;
1271
1272 testresult = 1;
1273end:
1274 if (clientssl) {
1275 SSL_shutdown(clientssl);
1276 SSL_free(clientssl);
1277 }
1278 if (serverssl) {
1279 SSL_shutdown(serverssl);
1280 SSL_free(serverssl);
1281 }
1282 SSL_CTX_free(sctx);
1283 SSL_CTX_free(cctx);
1284 serverssl = clientssl = NULL;
e1fdd526
JB		 1285 if (cfd != -1)
1286 close(cfd);
1287 if (sfd != -1)
1288 close(sfd);
fe5d9450
BP		 1289 return testresult;
1290}
1291
7c3a7561
BP		 1292#define SENDFILE_SZ (16 * 4096)
1293#define SENDFILE_CHUNK (4 * 4096)
1294#define min(a,b) ((a) > (b) ? (b) : (a))
1295
cd715b7e
MM		 1296static int execute_test_ktls_sendfile(int tls_version, const char *cipher,
1297 int zerocopy)
7c3a7561
BP		 1298{
1299 SSL_CTX *cctx = NULL, *sctx = NULL;
1300 SSL *clientssl = NULL, *serverssl = NULL;
1301 unsigned char *buf, *buf_dst;
1302 BIO *out = NULL, *in = NULL;
e1fdd526 1303 int cfd = -1, sfd = -1, ffd, err;
7c3a7561
BP		 1304 ssize_t chunk_size = 0;
1305 off_t chunk_off = 0;
1306 int testresult = 0;
1307 FILE *ffdp;
38b051a1 1308 SSL_CONNECTION *serversc;
7c3a7561
BP		 1309
1310 buf = OPENSSL_zalloc(SENDFILE_SZ);
1311 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1312 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1313 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1314 goto end;
1315
1316 /* Skip this test if the platform does not support ktls */
1317 if (!ktls_chk_platform(sfd)) {
e1fdd526 1318 testresult = TEST_skip("Kernel does not support KTLS");
7c3a7561
BP		 1319 goto end;
1320 }
1321
a5d8a2f8
DB		 1322 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1323 testresult = TEST_skip("CHACHA is not supported in FIPS");
1324 goto end;
1325 }
1326
7c3a7561 1327 /* Create a session based on SHA-256 */
5e30f2fd 1328 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7c3a7561 1329 TLS_client_method(),
da4db160 1330 tls_version, tls_version,
e1fdd526
JB		 1331 &sctx, &cctx, cert, privkey)))
1332 goto end;
1333
1334 if (tls_version == TLS1_3_VERSION) {
1335 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1336 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1337 goto end;
1338 } else {
1339 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1340 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1341 goto end;
1342 }
1343
1344 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1345 &clientssl, sfd, cfd)))
1346 goto end;
1347
38b051a1
TM		 1348 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1349 goto end;
1350
e1fdd526 1351 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
7c3a7561
BP		 1352 goto end;
1353
cd715b7e
MM		 1354 if (zerocopy) {
1355 if (!TEST_true(SSL_set_options(serverssl,
1356 SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE)))
1357 goto end;
1358 }
1359
7c3a7561 1360 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
e1fdd526 1361 SSL_ERROR_NONE)))
7c3a7561
BP		 1362 goto end;
1363
38b051a1 1364 if (!BIO_get_ktls_send(serversc->wbio)) {
e1fdd526
JB		 1365 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1366 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1367 "TLS 1.2", cipher);
1368 goto end;
1369 }
1370
c9007bda 1371 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
72c1e374
JB		 1372 goto end;
1373
7c3a7561
BP		 1374 out = BIO_new_file(tmpfilename, "wb");
1375 if (!TEST_ptr(out))
1376 goto end;
1377
1378 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1379 goto end;
1380
1381 BIO_free(out);
1382 out = NULL;
1383 in = BIO_new_file(tmpfilename, "rb");
1384 BIO_get_fp(in, &ffdp);
1385 ffd = fileno(ffdp);
1386
1387 while (chunk_off < SENDFILE_SZ) {
1388 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1389 while ((err = SSL_sendfile(serverssl,
1390 ffd,
1391 chunk_off,
1392 chunk_size,
1393 0)) != chunk_size) {
1394 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1395 goto end;
1396 }
1397 while ((err = SSL_read(clientssl,
1398 buf_dst + chunk_off,
1399 chunk_size)) != chunk_size) {
1400 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1401 goto end;
1402 }
1403
1404 /* verify the payload */
1405 if (!TEST_mem_eq(buf_dst + chunk_off,
1406 chunk_size,
1407 buf + chunk_off,
1408 chunk_size))
1409 goto end;
1410
1411 chunk_off += chunk_size;
1412 }
1413
1414 testresult = 1;
1415end:
1416 if (clientssl) {
1417 SSL_shutdown(clientssl);
1418 SSL_free(clientssl);
1419 }
1420 if (serverssl) {
1421 SSL_shutdown(serverssl);
1422 SSL_free(serverssl);
1423 }
1424 SSL_CTX_free(sctx);
1425 SSL_CTX_free(cctx);
1426 serverssl = clientssl = NULL;
1427 BIO_free(out);
1428 BIO_free(in);
e1fdd526
JB		 1429 if (cfd != -1)
1430 close(cfd);
1431 if (sfd != -1)
1432 close(sfd);
7c3a7561
BP		 1433 OPENSSL_free(buf);
1434 OPENSSL_free(buf_dst);
1435 return testresult;
1436}
1437
e1fdd526
JB		 1438static struct ktls_test_cipher {
1439 int tls_version;
1440 const char *cipher;
1441} ktls_test_ciphers[] = {
1442# if !defined(OPENSSL_NO_TLS1_2)
1443# ifdef OPENSSL_KTLS_AES_GCM_128
1444 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1445# endif
1446# ifdef OPENSSL_KTLS_AES_CCM_128
1447 { TLS1_2_VERSION, "AES128-CCM"},
1448# endif
1449# ifdef OPENSSL_KTLS_AES_GCM_256
1450 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1451# endif
11bac1b4 1452# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
2dded44a 1453# ifndef OPENSSL_NO_EC
11bac1b4 1454 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
2dded44a 1455# endif
11bac1b4 1456# endif
e1fdd526
JB		 1457# endif
1458# if !defined(OSSL_NO_USABLE_TLS1_3)
1459# ifdef OPENSSL_KTLS_AES_GCM_128
1460 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1461# endif
1462# ifdef OPENSSL_KTLS_AES_CCM_128
1463 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1464# endif
1465# ifdef OPENSSL_KTLS_AES_GCM_256
1466 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1467# endif
11bac1b4
JB		 1468# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1469 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1470# endif
e1fdd526
JB		 1471# endif
1472};
1473
1474#define NUM_KTLS_TEST_CIPHERS \
1475 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1476
da4db160
VF		 1477static int test_ktls(int test)
1478{
e1fdd526 1479 struct ktls_test_cipher *cipher;
a3a54179 1480 int cis_ktls, sis_ktls;
da4db160 1481
2cff17fd 1482 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
e1fdd526 1483 cipher = &ktls_test_ciphers[test / 4];
da4db160 1484
a3a54179
MC		 1485 cis_ktls = (test & 1) != 0;
1486 sis_ktls = (test & 2) != 0;
cd03b5dc 1487
e1fdd526
JB		 1488 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1489 cipher->cipher);
2fab79af
BP		 1490}
1491
cd715b7e 1492static int test_ktls_sendfile(int test)
fe5d9450 1493{
e1fdd526 1494 struct ktls_test_cipher *cipher;
cd715b7e 1495 int tst = test >> 1;
da4db160 1496
2cff17fd 1497 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
e1fdd526 1498 cipher = &ktls_test_ciphers[tst];
da4db160 1499
cd715b7e
MM		 1500 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher,
1501 test & 1);
fe5d9450 1502}
fe5d9450
BP		 1503#endif
1504
84d5549e
MC		 1505static int test_large_message_tls(void)
1506{
7856332e 1507 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1508 TLS1_VERSION, 0, 0);
7856332e
MC		 1509}
1510
1511static int test_large_message_tls_read_ahead(void)
1512{
1513 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1514 TLS1_VERSION, 0, 1);
84d5549e
MC		 1515}
1516
55386bef 1517#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 1518static int test_large_message_dtls(void)
1519{
8ce390e1
MC		 1520# ifdef OPENSSL_NO_DTLS1_2
1521 /* Not supported in the FIPS provider */
1522 if (is_fips)
1523 return 1;
1524# endif
7856332e
MC		 1525 /*
1526 * read_ahead is not relevant to DTLS because DTLS always acts as if
1527 * read_ahead is set.
1528 */
84d5549e 1529 return execute_test_large_message(DTLS_server_method(),
7d7f6834 1530 DTLS_client_method(),
5c587fb6 1531 DTLS1_VERSION, 0, 0);
84d5549e 1532}
55386bef 1533#endif
84d5549e 1534
3ff0a48a
MC		 1535/*
1536 * Test we can successfully send the maximum amount of application data. We
1537 * test each protocol version individually, each with and without EtM enabled.
1538 * TLSv1.3 doesn't use EtM so technically it is redundant to test both but it is
1539 * simpler this way. We also test all combinations with and without the
1540 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option which affects the size of the
1541 * underlying buffer.
1542 */
1543static int test_large_app_data(int tst)
1544{
1545 SSL_CTX *cctx = NULL, *sctx = NULL;
1546 SSL *clientssl = NULL, *serverssl = NULL;
1547 int testresult = 0, prot;
1548 unsigned char *msg, *buf = NULL;
1549 size_t written, readbytes;
2fda45d5
MC		 1550 const SSL_METHOD *smeth = TLS_server_method();
1551 const SSL_METHOD *cmeth = TLS_client_method();
3ff0a48a
MC		 1552
1553 switch (tst >> 2) {
1554 case 0:
1555#ifndef OSSL_NO_USABLE_TLS1_3
1556 prot = TLS1_3_VERSION;
1557 break;
1558#else
1559 return 1;
1560#endif
1561
1562 case 1:
1563#ifndef OPENSSL_NO_TLS1_2
1564 prot = TLS1_2_VERSION;
1565 break;
1566#else
1567 return 1;
1568#endif
1569
1570 case 2:
1571#ifndef OPENSSL_NO_TLS1_1
1572 prot = TLS1_1_VERSION;
1573 break;
1574#else
1575 return 1;
1576#endif
1577
1578 case 3:
1579#ifndef OPENSSL_NO_TLS1
1580 prot = TLS1_VERSION;
1581 break;
1582#else
1583 return 1;
1584#endif
1585
1586 case 4:
1587#ifndef OPENSSL_NO_SSL3
1588 prot = SSL3_VERSION;
1589 break;
1590#else
1591 return 1;
1592#endif
1593
2fda45d5
MC		 1594 case 5:
1595#ifndef OPENSSL_NO_DTLS1_2
1596 prot = DTLS1_2_VERSION;
1597 smeth = DTLS_server_method();
1598 cmeth = DTLS_client_method();
1599 break;
1600#else
1601 return 1;
1602#endif
1603
1604 case 6:
1605#ifndef OPENSSL_NO_DTLS1
1606 prot = DTLS1_VERSION;
1607 smeth = DTLS_server_method();
1608 cmeth = DTLS_client_method();
1609 break;
1610#else
1611 return 1;
1612#endif
1613
3ff0a48a
MC		 1614 default:
1615 /* Shouldn't happen */
1616 return 0;
1617 }
1618
2fda45d5 1619 if ((prot < TLS1_2_VERSION || prot == DTLS1_VERSION) && is_fips)
3ff0a48a
MC		 1620 return 1;
1621
1622 /* Maximal sized message of zeros */
1623 msg = OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH);
1624 if (!TEST_ptr(msg))
1625 goto end;
1626
1627 buf = OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH + 1);
1628 if (!TEST_ptr(buf))
1629 goto end;
1630 /* Set whole buffer to all bits set */
1631 memset(buf, 0xff, SSL3_RT_MAX_PLAIN_LENGTH + 1);
1632
2fda45d5 1633 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, prot, prot,
3ff0a48a
MC		 1634 &sctx, &cctx, cert, privkey)))
1635 goto end;
1636
2fda45d5 1637 if (prot < TLS1_2_VERSION || prot == DTLS1_VERSION) {
3ff0a48a
MC		 1638 /* Older protocol versions need SECLEVEL=0 due to SHA1 usage */
1639 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0"))
1640 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
1641 "DEFAULT:@SECLEVEL=0")))
1642 goto end;
1643 }
1644
1645 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1646 &clientssl, NULL, NULL)))
1647 goto end;
1648
1649 if ((tst & 1) != 0) {
1650 /* Setting this option gives us a minimally sized underlying buffer */
1651 if (!TEST_true(SSL_set_options(serverssl,
1652 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
1653 || !TEST_true(SSL_set_options(clientssl,
1654 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)))
1655 goto end;
1656 }
1657
1658 if ((tst & 2) != 0) {
1659 /*
1660 * Setting this option means the MAC is added before encryption
1661 * giving us a larger record for the encryption process
1662 */
1663 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC))
1664 || !TEST_true(SSL_set_options(clientssl,
1665 SSL_OP_NO_ENCRYPT_THEN_MAC)))
1666 goto end;
1667 }
1668
1669 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1670 goto end;
1671
1672 if (!TEST_true(SSL_write_ex(clientssl, msg, SSL3_RT_MAX_PLAIN_LENGTH,
1673 &written))
1674 || !TEST_size_t_eq(written, SSL3_RT_MAX_PLAIN_LENGTH))
1675 goto end;
1676
1677 /* We provide a buffer slightly larger than what we are actually expecting */
1678 if (!TEST_true(SSL_read_ex(serverssl, buf, SSL3_RT_MAX_PLAIN_LENGTH + 1,
1679 &readbytes)))
1680 goto end;
1681
1682 if (!TEST_mem_eq(msg, written, buf, readbytes))
1683 goto end;
1684
1685 testresult = 1;
1686end:
1687 OPENSSL_free(msg);
1688 OPENSSL_free(buf);
1689 SSL_free(serverssl);
1690 SSL_free(clientssl);
1691 SSL_CTX_free(sctx);
1692 SSL_CTX_free(cctx);
1693 return testresult;
1694}
1695
163b8016
ME		 1696static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1697 const SSL_METHOD *cmeth,
1698 int min_version, int max_version)
1699{
1700 size_t i;
1701 SSL_CTX *cctx = NULL, *sctx = NULL;
1702 SSL *clientssl = NULL, *serverssl = NULL;
1703 int testresult = 0;
163b8016 1704 void *zbuf;
38b051a1 1705 SSL_CONNECTION *serversc;
eddb067e 1706 TLS_RECORD *rr;
163b8016
ME		 1707
1708 static unsigned char cbuf[16000];
1709 static unsigned char sbuf[16000];
1710
1711 if (!TEST_true(create_ssl_ctx_pair(libctx,
1712 smeth, cmeth,
1713 min_version, max_version,
1714 &sctx, &cctx, cert,
1715 privkey)))
1716 goto end;
1717
8ce390e1
MC		 1718#ifdef OPENSSL_NO_DTLS1_2
1719 if (smeth == DTLS_server_method()) {
1720# ifdef OPENSSL_NO_DTLS1_2
1721 /* Not supported in the FIPS provider */
1722 if (is_fips) {
1723 testresult = 1;
1724 goto end;
1725 };
1726# endif
1727 /*
1728 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1729 * level 0
1730 */
1731 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1732 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1733 "DEFAULT:@SECLEVEL=0")))
1734 goto end;
1735 }
1736#endif
1737
163b8016
ME		 1738 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1739 NULL, NULL)))
1740 goto end;
1741
1742 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1743 goto end;
1744
1745 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1746 SSL_ERROR_NONE)))
1747 goto end;
1748
1749 for (i = 0; i < sizeof(cbuf); i++) {
1750 cbuf[i] = i & 0xff;
1751 }
1752
1753 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1754 goto end;
1755
1756 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1757 goto end;
1758
1759 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1760 goto end;
1761
1762 /*
1763 * Since we called SSL_peek(), we know the data in the record
1764 * layer is a plaintext record. We can gather the pointer to check
1765 * for zeroization after SSL_read().
1766 */
38b051a1
TM		 1767 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1768 goto end;
eddb067e 1769 rr = serversc->rlayer.tlsrecs;
4030869d 1770
eddb067e
MC		 1771 zbuf = &rr->data[rr->off];
1772 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1773 goto end;
163b8016
ME		 1774
1775 /*
1776 * After SSL_peek() the plaintext must still be stored in the
1777 * record.
1778 */
1779 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1780 goto end;
1781
1782 memset(sbuf, 0, sizeof(sbuf));
1783 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1784 goto end;
1785
1786 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1787 goto end;
1788
1789 /* Check if rbuf is cleansed */
1790 memset(cbuf, 0, sizeof(cbuf));
1791 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1792 goto end;
1793
1794 testresult = 1;
1795 end:
1796 SSL_free(serverssl);
1797 SSL_free(clientssl);
1798 SSL_CTX_free(sctx);
1799 SSL_CTX_free(cctx);
1800
1801 return testresult;
1802}
1803
1804static int test_cleanse_plaintext(void)
1805{
1806#if !defined(OPENSSL_NO_TLS1_2)
1807 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1808 TLS_client_method(),
1809 TLS1_2_VERSION,
1810 TLS1_2_VERSION)))
1811 return 0;
1812
1813#endif
1814
a763ca11 1815#if !defined(OSSL_NO_USABLE_TLS1_3)
163b8016
ME		 1816 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1817 TLS_client_method(),
1818 TLS1_3_VERSION,
1819 TLS1_3_VERSION)))
1820 return 0;
1821#endif
1822
1823#if !defined(OPENSSL_NO_DTLS)
8ce390e1 1824
163b8016
ME		 1825 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1826 DTLS_client_method(),
1827 DTLS1_VERSION,
1828 0)))
1829 return 0;
1830#endif
1831 return 1;
1832}
1833
8f8c11d8 1834#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 1835static int ocsp_server_cb(SSL *s, void *arg)
1836{
1837 int *argi = (int *)arg;
710756a9 1838 unsigned char *copy = NULL;
ba881d3b
MC		 1839 STACK_OF(OCSP_RESPID) *ids = NULL;
1840 OCSP_RESPID *id = NULL;
1841
1842 if (*argi == 2) {
1843 /* In this test we are expecting exactly 1 OCSP_RESPID */
1844 SSL_get_tlsext_status_ids(s, &ids);
1845 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1846 return SSL_TLSEXT_ERR_ALERT_FATAL;
1847
1848 id = sk_OCSP_RESPID_value(ids, 0);
5e30f2fd 1849 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
ba881d3b
MC		 1850 return SSL_TLSEXT_ERR_ALERT_FATAL;
1851 } else if (*argi != 1) {
1852 return SSL_TLSEXT_ERR_ALERT_FATAL;
1853 }
1854
710756a9 1855 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 1856 return SSL_TLSEXT_ERR_ALERT_FATAL;
1857
711d5a2f
P		 1858 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1859 sizeof(orespder)))) {
1860 OPENSSL_free(copy);
1861 return SSL_TLSEXT_ERR_ALERT_FATAL;
1862 }
ba881d3b 1863 ocsp_server_called = 1;
ba881d3b
MC		 1864 return SSL_TLSEXT_ERR_OK;
1865}
1866
1867static int ocsp_client_cb(SSL *s, void *arg)
1868{
1869 int *argi = (int *)arg;
1870 const unsigned char *respderin;
1871 size_t len;
1872
1873 if (*argi != 1 && *argi != 2)
1874 return 0;
1875
1876 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 1877 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 1878 return 0;
1879
1880 ocsp_client_called = 1;
ba881d3b
MC		 1881 return 1;
1882}
1883
2cb4b5f6
MC		 1884static int test_tlsext_status_type(void)
1885{
ba881d3b
MC		 1886 SSL_CTX *cctx = NULL, *sctx = NULL;
1887 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 1888 int testresult = 0;
ba881d3b
MC		 1889 STACK_OF(OCSP_RESPID) *ids = NULL;
1890 OCSP_RESPID *id = NULL;
1891 BIO *certbio = NULL;
2cb4b5f6 1892
5e30f2fd 1893 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
5c587fb6 1894 TLS1_VERSION, 0,
7d7f6834 1895 &sctx, &cctx, cert, privkey))
ba881d3b 1896 return 0;
2cb4b5f6 1897
710756a9 1898 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 1899 goto end;
2cb4b5f6 1900
ba881d3b 1901 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 1902
ba881d3b 1903 clientssl = SSL_new(cctx);
710756a9
RS		 1904 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1905 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1906 TLSEXT_STATUSTYPE_ocsp))
1907 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1908 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 1909 goto end;
2cb4b5f6 1910
ba881d3b
MC		 1911 SSL_free(clientssl);
1912 clientssl = NULL;
2cb4b5f6 1913
710756a9
RS		 1914 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1915 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1916 goto end;
2cb4b5f6 1917
ba881d3b 1918 clientssl = SSL_new(cctx);
710756a9 1919 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1920 goto end;
ba881d3b
MC		 1921 SSL_free(clientssl);
1922 clientssl = NULL;
1923
1924 /*
1925 * Now actually do a handshake and check OCSP information is exchanged and
1926 * the callbacks get called
1927 */
ba881d3b
MC		 1928 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1929 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1930 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1931 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 1932 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1933 &clientssl, NULL, NULL))
1934 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1935 SSL_ERROR_NONE))
1936 || !TEST_true(ocsp_client_called)
1937 || !TEST_true(ocsp_server_called))
ba881d3b 1938 goto end;
ba881d3b
MC		 1939 SSL_free(serverssl);
1940 SSL_free(clientssl);
1941 serverssl = NULL;
1942 clientssl = NULL;
1943
1944 /* Try again but this time force the server side callback to fail */
1945 ocsp_client_called = 0;
1946 ocsp_server_called = 0;
1947 cdummyarg = 0;
710756a9
RS		 1948 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1949 &clientssl, NULL, NULL))
1950 /* This should fail because the callback will fail */
1951 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1952 SSL_ERROR_NONE))
1953 || !TEST_false(ocsp_client_called)
1954 || !TEST_false(ocsp_server_called))
ba881d3b 1955 goto end;
ba881d3b
MC		 1956 SSL_free(serverssl);
1957 SSL_free(clientssl);
1958 serverssl = NULL;
1959 clientssl = NULL;
1960
1961 /*
1962 * This time we'll get the client to send an OCSP_RESPID that it will
1963 * accept.
1964 */
1965 ocsp_client_called = 0;
1966 ocsp_server_called = 0;
1967 cdummyarg = 2;
710756a9
RS		 1968 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1969 &clientssl, NULL, NULL)))
ba881d3b 1970 goto end;
ba881d3b
MC		 1971
1972 /*
1973 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 1974 * specific one. We'll use the server cert.
ba881d3b 1975 */
710756a9
RS		 1976 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1977 || !TEST_ptr(id = OCSP_RESPID_new())
1978 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
d8652be0 1979 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
6725682d 1980 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
5e30f2fd 1981 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
710756a9 1982 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 1983 goto end;
ba881d3b
MC		 1984 id = NULL;
1985 SSL_set_tlsext_status_ids(clientssl, ids);
1986 /* Control has been transferred */
1987 ids = NULL;
1988
1989 BIO_free(certbio);
1990 certbio = NULL;
1991
710756a9
RS		 1992 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1993 SSL_ERROR_NONE))
1994 || !TEST_true(ocsp_client_called)
1995 || !TEST_true(ocsp_server_called))
ba881d3b 1996 goto end;
ba881d3b 1997
2cb4b5f6
MC		 1998 testresult = 1;
1999
2000 end:
ba881d3b
MC		 2001 SSL_free(serverssl);
2002 SSL_free(clientssl);
2003 SSL_CTX_free(sctx);
2004 SSL_CTX_free(cctx);
2005 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
2006 OCSP_RESPID_free(id);
2007 BIO_free(certbio);
2008 X509_free(ocspcert);
2009 ocspcert = NULL;
2cb4b5f6
MC		 2010
2011 return testresult;
2012}
8f8c11d8 2013#endif
2cb4b5f6 2014
a763ca11 2015#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 2016static int new_called, remove_called, get_called;
eaa776da 2017
eaa776da
MC		 2018static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
2019{
2020 new_called++;
c0537ebd
MC		 2021 /*
2022 * sess has been up-refed for us, but we don't actually need it so free it
2023 * immediately.
2024 */
2025 SSL_SESSION_free(sess);
eaa776da
MC		 2026 return 1;
2027}
2028
2029static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
2030{
2031 remove_called++;
2032}
2033
7a301f08
MC		 2034static SSL_SESSION *get_sess_val = NULL;
2035
2036static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
2037 int *copy)
2038{
0afca811 2039 get_called++;
7a301f08
MC		 2040 *copy = 1;
2041 return get_sess_val;
2042}
2043
7a301f08 2044static int execute_test_session(int maxprot, int use_int_cache,
90fc2c26 2045 int use_ext_cache, long s_options)
2cb4b5f6
MC		 2046{
2047 SSL_CTX *sctx = NULL, *cctx = NULL;
2048 SSL *serverssl1 = NULL, *clientssl1 = NULL;
2049 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 2050# ifndef OPENSSL_NO_TLS1_1
eaa776da 2051 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 2052# endif
2cb4b5f6 2053 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
36ff232c 2054 int testresult = 0, numnewsesstick = 1;
2cb4b5f6 2055
7e885b7b
P		 2056 new_called = remove_called = 0;
2057
36ff232c
MC		 2058 /* TLSv1.3 sends 2 NewSessionTickets */
2059 if (maxprot == TLS1_3_VERSION)
2060 numnewsesstick = 2;
2061
5e30f2fd
MC		 2062 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2063 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 2064 &sctx, &cctx, cert, privkey)))
2cb4b5f6 2065 return 0;
2cb4b5f6 2066
7a301f08
MC		 2067 /*
2068 * Only allow the max protocol version so we can force a connection failure
2069 * later
2070 */
2071 SSL_CTX_set_min_proto_version(cctx, maxprot);
2072 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 2073
2074 /* Set up session cache */
7e885b7b 2075 if (use_ext_cache) {
eaa776da
MC		 2076 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2077 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
2078 }
7e885b7b 2079 if (use_int_cache) {
eaa776da
MC		 2080 /* Also covers instance where both are set */
2081 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
2082 } else {
2083 SSL_CTX_set_session_cache_mode(cctx,
2084 SSL_SESS_CACHE_CLIENT
2085 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2086 }
2cb4b5f6 2087
90fc2c26
NM		 2088 if (s_options) {
2089 SSL_CTX_set_options(sctx, s_options);
2090 }
2091
710756a9
RS		 2092 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2093 NULL, NULL))
2094 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2095 SSL_ERROR_NONE))
2096 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 2097 goto end;
2cb4b5f6 2098
710756a9 2099 /* Should fail because it should already be in the cache */
7e885b7b 2100 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 2101 goto end;
7a301f08 2102 if (use_ext_cache
36ff232c
MC		 2103 && (!TEST_int_eq(new_called, numnewsesstick)
2104
2105 || !TEST_int_eq(remove_called, 0)))
b4982125 2106 goto end;
b4982125 2107
c0537ebd
MC		 2108 new_called = remove_called = 0;
2109 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2110 &clientssl2, NULL, NULL))
2111 || !TEST_true(SSL_set_session(clientssl2, sess1))
2112 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2113 SSL_ERROR_NONE))
2114 || !TEST_true(SSL_session_reused(clientssl2)))
2115 goto end;
2116
7a301f08
MC		 2117 if (maxprot == TLS1_3_VERSION) {
2118 /*
2119 * In TLSv1.3 we should have created a new session even though we have
4cb00457
MC		 2120 * resumed. Since we attempted a resume we should also have removed the
2121 * old ticket from the cache so that we try to only use tickets once.
7a301f08
MC		 2122 */
2123 if (use_ext_cache
2124 && (!TEST_int_eq(new_called, 1)
4cb00457 2125 || !TEST_int_eq(remove_called, 1)))
7a301f08
MC		 2126 goto end;
2127 } else {
2128 /*
2129 * In TLSv1.2 we expect to have resumed so no sessions added or
2130 * removed.
2131 */
2132 if (use_ext_cache
2133 && (!TEST_int_eq(new_called, 0)
2134 || !TEST_int_eq(remove_called, 0)))
2135 goto end;
2136 }
c0537ebd
MC		 2137
2138 SSL_SESSION_free(sess1);
2139 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
2140 goto end;
2141 shutdown_ssl_connection(serverssl2, clientssl2);
2142 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 2143
2144 new_called = remove_called = 0;
710756a9
RS		 2145 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2146 &clientssl2, NULL, NULL))
2147 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2148 SSL_ERROR_NONE)))
2cb4b5f6 2149 goto end;
2cb4b5f6 2150
710756a9 2151 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 2152 goto end;
2cb4b5f6 2153
7a301f08 2154 if (use_ext_cache
36ff232c
MC		 2155 && (!TEST_int_eq(new_called, numnewsesstick)
2156 || !TEST_int_eq(remove_called, 0)))
eaa776da 2157 goto end;
eaa776da 2158
c0537ebd 2159 new_called = remove_called = 0;
2cb4b5f6 2160 /*
710756a9
RS		 2161 * This should clear sess2 from the cache because it is a "bad" session.
2162 * See SSL_set_session() documentation.
2cb4b5f6 2163 */
710756a9 2164 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 2165 goto end;
7a301f08
MC		 2166 if (use_ext_cache
2167 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 2168 goto end;
710756a9 2169 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 2170 goto end;
2cb4b5f6 2171
7e885b7b 2172 if (use_int_cache) {
710756a9
RS		 2173 /* Should succeeded because it should not already be in the cache */
2174 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
2175 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 2176 goto end;
eaa776da
MC		 2177 }
2178
c0537ebd 2179 new_called = remove_called = 0;
eaa776da 2180 /* This shouldn't be in the cache so should fail */
710756a9 2181 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 2182 goto end;
2cb4b5f6 2183
7a301f08
MC		 2184 if (use_ext_cache
2185 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 2186 goto end;
2cb4b5f6 2187
bf208d95 2188# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 2189 new_called = remove_called = 0;
eaa776da
MC		 2190 /* Force a connection failure */
2191 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 2192 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2193 &clientssl3, NULL, NULL))
2194 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 2195 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 2196 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2197 SSL_ERROR_NONE)))
eaa776da 2198 goto end;
b4982125 2199
eaa776da 2200 /* We should have automatically removed the session from the cache */
7a301f08
MC		 2201 if (use_ext_cache
2202 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 2203 goto end;
2cb4b5f6 2204
710756a9 2205 /* Should succeed because it should not already be in the cache */
7e885b7b 2206 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 2207 goto end;
bf208d95 2208# endif
eaa776da 2209
7a301f08
MC		 2210 /* Now do some tests for server side caching */
2211 if (use_ext_cache) {
2212 SSL_CTX_sess_set_new_cb(cctx, NULL);
2213 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2214 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2215 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2216 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2217 get_sess_val = NULL;
2218 }
2219
2220 SSL_CTX_set_session_cache_mode(cctx, 0);
2221 /* Internal caching is the default on the server side */
2222 if (!use_int_cache)
2223 SSL_CTX_set_session_cache_mode(sctx,
2224 SSL_SESS_CACHE_SERVER
2225 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2226
2227 SSL_free(serverssl1);
2228 SSL_free(clientssl1);
2229 serverssl1 = clientssl1 = NULL;
2230 SSL_free(serverssl2);
2231 SSL_free(clientssl2);
2232 serverssl2 = clientssl2 = NULL;
2233 SSL_SESSION_free(sess1);
2234 sess1 = NULL;
2235 SSL_SESSION_free(sess2);
2236 sess2 = NULL;
2237
2238 SSL_CTX_set_max_proto_version(sctx, maxprot);
6cc0b3c2
MC		 2239 if (maxprot == TLS1_2_VERSION)
2240 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 2241 new_called = remove_called = get_called = 0;
7a301f08
MC		 2242 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2243 NULL, NULL))
2244 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2245 SSL_ERROR_NONE))
2246 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2247 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2248 goto end;
2249
ee94ec2e
MC		 2250 if (use_int_cache) {
2251 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2252 /*
2253 * In TLSv1.3 it should not have been added to the internal cache,
2254 * except in the case where we also have an external cache (in that
2255 * case it gets added to the cache in order to generate remove
2256 * events after timeout).
2257 */
2258 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2259 goto end;
2260 } else {
2261 /* Should fail because it should already be in the cache */
2262 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2263 goto end;
2264 }
2265 }
7a301f08
MC		 2266
2267 if (use_ext_cache) {
2268 SSL_SESSION *tmp = sess2;
2269
36ff232c 2270 if (!TEST_int_eq(new_called, numnewsesstick)
0afca811
KY		 2271 || !TEST_int_eq(remove_called, 0)
2272 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 2273 goto end;
2274 /*
2275 * Delete the session from the internal cache to force a lookup from
2276 * the external cache. We take a copy first because
2277 * SSL_CTX_remove_session() also marks the session as non-resumable.
2278 */
ee94ec2e 2279 if (use_int_cache && maxprot != TLS1_3_VERSION) {
3cb6a4d6
BK		 2280 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2281 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2282 goto end;
2283 SSL_SESSION_free(sess2);
2284 }
7a301f08
MC		 2285 sess2 = tmp;
2286 }
2287
0afca811 2288 new_called = remove_called = get_called = 0;
7a301f08
MC		 2289 get_sess_val = sess2;
2290 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2291 &clientssl2, NULL, NULL))
2292 || !TEST_true(SSL_set_session(clientssl2, sess1))
2293 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2294 SSL_ERROR_NONE))
2295 || !TEST_true(SSL_session_reused(clientssl2)))
2296 goto end;
2297
0afca811 2298 if (use_ext_cache) {
32305f88 2299 if (!TEST_int_eq(remove_called, 0))
0afca811
KY		 2300 goto end;
2301
2302 if (maxprot == TLS1_3_VERSION) {
32305f88
MC		 2303 if (!TEST_int_eq(new_called, 1)
2304 || !TEST_int_eq(get_called, 0))
0afca811
KY		 2305 goto end;
2306 } else {
32305f88
MC		 2307 if (!TEST_int_eq(new_called, 0)
2308 || !TEST_int_eq(get_called, 1))
0afca811
KY		 2309 goto end;
2310 }
2311 }
4842a27b
TS		 2312 /*
2313 * Make a small cache, force out all other sessions but
2314 * sess2, try to add sess1, which should succeed. Then
2315 * make sure it's there by checking the owners. Despite
2316 * the timeouts, sess1 should have kicked out sess2
2317 */
2318
2319 /* Make sess1 expire before sess2 */
2320 if (!TEST_long_gt(SSL_SESSION_set_time(sess1, 1000), 0)
2321 || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0)
2322 || !TEST_long_gt(SSL_SESSION_set_time(sess2, 2000), 0)
2323 || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0))
2324 goto end;
2325
2326 if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0))
2327 goto end;
2328
2329 /* Don't care about results - cache should only be sess2 at end */
2330 SSL_CTX_add_session(sctx, sess1);
2331 SSL_CTX_add_session(sctx, sess2);
2332
2333 /* Now add sess1, and make sure it remains, despite timeout */
2334 if (!TEST_true(SSL_CTX_add_session(sctx, sess1))
2335 || !TEST_ptr(sess1->owner)
2336 || !TEST_ptr_null(sess2->owner))
2337 goto end;
7a301f08 2338
2cb4b5f6 2339 testresult = 1;
eaa776da 2340
2cb4b5f6
MC		 2341 end:
2342 SSL_free(serverssl1);
2343 SSL_free(clientssl1);
2344 SSL_free(serverssl2);
2345 SSL_free(clientssl2);
bf208d95 2346# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 2347 SSL_free(serverssl3);
2348 SSL_free(clientssl3);
bf208d95 2349# endif
2cb4b5f6
MC		 2350 SSL_SESSION_free(sess1);
2351 SSL_SESSION_free(sess2);
2352 SSL_CTX_free(sctx);
2353 SSL_CTX_free(cctx);
2354
2355 return testresult;
2356}
a763ca11 2357#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 2358
7fb4c820
MC		 2359static int test_session_with_only_int_cache(void)
2360{
a763ca11 2361#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2362 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
7a301f08
MC		 2363 return 0;
2364#endif
2365
2366#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2367 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
7a301f08
MC		 2368#else
2369 return 1;
2370#endif
eaa776da
MC		 2371}
2372
7fb4c820
MC		 2373static int test_session_with_only_ext_cache(void)
2374{
a763ca11 2375#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2376 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
7a301f08
MC		 2377 return 0;
2378#endif
2379
2380#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2381 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
7a301f08
MC		 2382#else
2383 return 1;
2384#endif
eaa776da
MC		 2385}
2386
7fb4c820
MC		 2387static int test_session_with_both_cache(void)
2388{
a763ca11 2389#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26
NM		 2390 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2391 return 0;
2392#endif
2393
2394#ifndef OPENSSL_NO_TLS1_2
2395 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2396#else
2397 return 1;
2398#endif
2399}
2400
2401static int test_session_wo_ca_names(void)
2402{
a763ca11 2403#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2404 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
7a301f08
MC		 2405 return 0;
2406#endif
2407
2408#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2409 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
7a301f08
MC		 2410#else
2411 return 1;
2412#endif
eaa776da
MC		 2413}
2414
90fc2c26 2415
a763ca11 2416#ifndef OSSL_NO_USABLE_TLS1_3
c22365b3
MC		 2417static SSL_SESSION *sesscache[6];
2418static int do_cache;
36ff232c
MC		 2419
2420static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2421{
c22365b3
MC		 2422 if (do_cache) {
2423 sesscache[new_called] = sess;
2424 } else {
2425 /* We don't need the reference to the session, so free it */
2426 SSL_SESSION_free(sess);
2427 }
2428 new_called++;
2429
2430 return 1;
2431}
2432
2433static int post_handshake_verify(SSL *sssl, SSL *cssl)
2434{
2435 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2436 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2437 return 0;
2438
2439 /* Start handshake on the server and client */
2440 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2441 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2442 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2443 || !TEST_true(create_ssl_connection(sssl, cssl,
2444 SSL_ERROR_NONE)))
2445 return 0;
36ff232c
MC		 2446
2447 return 1;
2448}
2449
fbe9dafd 2450static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
03cdf559
MC		 2451 SSL_CTX **cctx)
2452{
2453 int sess_id_ctx = 1;
2454
5e30f2fd
MC		 2455 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2456 TLS_client_method(), TLS1_VERSION, 0,
2457 sctx, cctx, cert, privkey))
03cdf559
MC		 2458 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2459 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2460 (void *)&sess_id_ctx,
2461 sizeof(sess_id_ctx))))
2462 return 0;
2463
2464 if (stateful)
2465 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2466
2467 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2468 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2469 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2470
2471 return 1;
2472}
2473
2474static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2475{
2476 SSL *serverssl = NULL, *clientssl = NULL;
2477 int i;
2478
2479 /* Test that we can resume with all the tickets we got given */
2480 for (i = 0; i < idx * 2; i++) {
2481 new_called = 0;
2482 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2483 &clientssl, NULL, NULL))
2484 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2485 goto end;
2486
32097b33 2487 SSL_set_post_handshake_auth(clientssl, 1);
03cdf559
MC		 2488
2489 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2490 SSL_ERROR_NONE)))
2491 goto end;
2492
2493 /*
2494 * Following a successful resumption we only get 1 ticket. After a
2495 * failed one we should get idx tickets.
2496 */
2497 if (succ) {
2498 if (!TEST_true(SSL_session_reused(clientssl))
2499 || !TEST_int_eq(new_called, 1))
2500 goto end;
2501 } else {
2502 if (!TEST_false(SSL_session_reused(clientssl))
2503 || !TEST_int_eq(new_called, idx))
2504 goto end;
2505 }
2506
2507 new_called = 0;
2508 /* After a post-handshake authentication we should get 1 new ticket */
2509 if (succ
2510 && (!post_handshake_verify(serverssl, clientssl)
2511 || !TEST_int_eq(new_called, 1)))
2512 goto end;
2513
2514 SSL_shutdown(clientssl);
2515 SSL_shutdown(serverssl);
2516 SSL_free(serverssl);
2517 SSL_free(clientssl);
2518 serverssl = clientssl = NULL;
2519 SSL_SESSION_free(sesscache[i]);
2520 sesscache[i] = NULL;
2521 }
2522
2523 return 1;
2524
2525 end:
2526 SSL_free(clientssl);
2527 SSL_free(serverssl);
2528 return 0;
2529}
2530
04d7814a 2531static int test_tickets(int stateful, int idx)
36ff232c
MC		 2532{
2533 SSL_CTX *sctx = NULL, *cctx = NULL;
2534 SSL *serverssl = NULL, *clientssl = NULL;
03cdf559 2535 int testresult = 0;
36ff232c
MC		 2536 size_t j;
2537
2538 /* idx is the test number, but also the number of tickets we want */
2539
2540 new_called = 0;
c22365b3 2541 do_cache = 1;
36ff232c 2542
fbe9dafd 2543 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
36ff232c
MC		 2544 goto end;
2545
03cdf559
MC		 2546 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2547 &clientssl, NULL, NULL)))
2548 goto end;
2549
2550 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2551 SSL_ERROR_NONE))
2552 /* Check we got the number of tickets we were expecting */
2553 || !TEST_int_eq(idx, new_called))
2554 goto end;
04d7814a 2555
03cdf559
MC		 2556 SSL_shutdown(clientssl);
2557 SSL_shutdown(serverssl);
2558 SSL_free(serverssl);
2559 SSL_free(clientssl);
2560 SSL_CTX_free(sctx);
2561 SSL_CTX_free(cctx);
2562 clientssl = serverssl = NULL;
2563 sctx = cctx = NULL;
2564
2565 /*
2566 * Now we try to resume with the tickets we previously created. The
2567 * resumption attempt is expected to fail (because we're now using a new
2568 * SSL_CTX). We should see idx number of tickets issued again.
2569 */
2570
2571 /* Stop caching sessions - just count them */
2572 do_cache = 0;
2573
fbe9dafd 2574 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559
MC		 2575 goto end;
2576
2577 if (!check_resumption(idx, sctx, cctx, 0))
2578 goto end;
2579
2580 /* Start again with caching sessions */
2581 new_called = 0;
2582 do_cache = 1;
fbe9dafd
MC		 2583 SSL_CTX_free(sctx);
2584 SSL_CTX_free(cctx);
2585 sctx = cctx = NULL;
03cdf559 2586
fbe9dafd 2587 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559 2588 goto end;
36ff232c
MC		 2589
2590 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2591 &clientssl, NULL, NULL)))
2592 goto end;
2593
32097b33 2594 SSL_set_post_handshake_auth(clientssl, 1);
36ff232c
MC		 2595
2596 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2597 SSL_ERROR_NONE))
2598 /* Check we got the number of tickets we were expecting */
2599 || !TEST_int_eq(idx, new_called))
2600 goto end;
2601
2602 /* After a post-handshake authentication we should get new tickets issued */
c22365b3 2603 if (!post_handshake_verify(serverssl, clientssl)
36ff232c
MC		 2604 || !TEST_int_eq(idx * 2, new_called))
2605 goto end;
2606
36ff232c
MC		 2607 SSL_shutdown(clientssl);
2608 SSL_shutdown(serverssl);
2609 SSL_free(serverssl);
2610 SSL_free(clientssl);
2611 serverssl = clientssl = NULL;
2612
c22365b3
MC		 2613 /* Stop caching sessions - just count them */
2614 do_cache = 0;
2615
03cdf559
MC		 2616 /*
2617 * Check we can resume with all the tickets we created. This time around the
2618 * resumptions should all be successful.
2619 */
2620 if (!check_resumption(idx, sctx, cctx, 1))
2621 goto end;
36ff232c
MC		 2622
2623 testresult = 1;
2624
2625 end:
2626 SSL_free(serverssl);
2627 SSL_free(clientssl);
c22365b3 2628 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
36ff232c 2629 SSL_SESSION_free(sesscache[j]);
c22365b3
MC		 2630 sesscache[j] = NULL;
2631 }
36ff232c
MC		 2632 SSL_CTX_free(sctx);
2633 SSL_CTX_free(cctx);
2634
2635 return testresult;
2636}
04d7814a
MC		 2637
2638static int test_stateless_tickets(int idx)
2639{
2640 return test_tickets(0, idx);
2641}
2642
2643static int test_stateful_tickets(int idx)
2644{
2645 return test_tickets(1, idx);
2646}
8614a4eb
MC		 2647
2648static int test_psk_tickets(void)
2649{
2650 SSL_CTX *sctx = NULL, *cctx = NULL;
2651 SSL *serverssl = NULL, *clientssl = NULL;
2652 int testresult = 0;
2653 int sess_id_ctx = 1;
2654
5e30f2fd
MC		 2655 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2656 TLS_client_method(), TLS1_VERSION, 0,
2657 &sctx, &cctx, NULL, NULL))
8614a4eb
MC		 2658 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2659 (void *)&sess_id_ctx,
2660 sizeof(sess_id_ctx))))
2661 goto end;
2662
2663 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2664 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2665 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2666 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2667 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2668 use_session_cb_cnt = 0;
2669 find_session_cb_cnt = 0;
2670 srvid = pskid;
2671 new_called = 0;
2672
2673 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2674 NULL, NULL)))
2675 goto end;
2676 clientpsk = serverpsk = create_a_psk(clientssl);
2677 if (!TEST_ptr(clientpsk))
2678 goto end;
2679 SSL_SESSION_up_ref(clientpsk);
2680
2681 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2682 SSL_ERROR_NONE))
2683 || !TEST_int_eq(1, find_session_cb_cnt)
2684 || !TEST_int_eq(1, use_session_cb_cnt)
2685 /* We should always get 1 ticket when using external PSK */
2686 || !TEST_int_eq(1, new_called))
2687 goto end;
2688
2689 testresult = 1;
2690
2691 end:
2692 SSL_free(serverssl);
2693 SSL_free(clientssl);
2694 SSL_CTX_free(sctx);
2695 SSL_CTX_free(cctx);
2696 SSL_SESSION_free(clientpsk);
2697 SSL_SESSION_free(serverpsk);
2698 clientpsk = serverpsk = NULL;
2699
2700 return testresult;
2701}
f0049b86
BK		 2702
2703static int test_extra_tickets(int idx)
2704{
2705 SSL_CTX *sctx = NULL, *cctx = NULL;
2706 SSL *serverssl = NULL, *clientssl = NULL;
2707 BIO *bretry = BIO_new(bio_s_always_retry());
2708 BIO *tmp = NULL;
2709 int testresult = 0;
2710 int stateful = 0;
2711 size_t nbytes;
2712 unsigned char c, buf[1];
2713
2714 new_called = 0;
2715 do_cache = 1;
2716
2717 if (idx >= 3) {
2718 idx -= 3;
2719 stateful = 1;
2720 }
2721
2722 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2723 goto end;
2724 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2725 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2726 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2727
2728 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2729 &clientssl, NULL, NULL)))
2730 goto end;
2731
2732 /*
2733 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2734 * incremented by both client and server.
2735 */
2736 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2737 SSL_ERROR_NONE))
2738 /* Check we got the number of tickets we were expecting */
2739 || !TEST_int_eq(idx * 2, new_called)
2740 || !TEST_true(SSL_new_session_ticket(serverssl))
2741 || !TEST_true(SSL_new_session_ticket(serverssl))
2742 || !TEST_int_eq(idx * 2, new_called))
2743 goto end;
2744
2745 /* Now try a (real) write to actually send the tickets */
2746 c = '1';
2747 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2748 || !TEST_size_t_eq(1, nbytes)
2749 || !TEST_int_eq(idx * 2 + 2, new_called)
2750 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2751 || !TEST_int_eq(idx * 2 + 4, new_called)
2752 || !TEST_int_eq(sizeof(buf), nbytes)
2753 || !TEST_int_eq(c, buf[0])
2754 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2755 goto end;
2756
2757 /* Try with only requesting one new ticket, too */
2758 c = '2';
2759 new_called = 0;
2760 if (!TEST_true(SSL_new_session_ticket(serverssl))
2761 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2762 || !TEST_size_t_eq(sizeof(c), nbytes)
2763 || !TEST_int_eq(1, new_called)
2764 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2765 || !TEST_int_eq(2, new_called)
2766 || !TEST_size_t_eq(sizeof(buf), nbytes)
2767 || !TEST_int_eq(c, buf[0]))
2768 goto end;
2769
2770 /* Do it again but use dummy writes to drive the ticket generation */
2771 c = '3';
2772 new_called = 0;
2773 if (!TEST_true(SSL_new_session_ticket(serverssl))
2774 || !TEST_true(SSL_new_session_ticket(serverssl))
2775 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2776 || !TEST_size_t_eq(0, nbytes)
2777 || !TEST_int_eq(2, new_called)
2778 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2779 || !TEST_int_eq(4, new_called))
2780 goto end;
2781
a0bbcb42
BK		 2782 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2783 c = '4';
2784 new_called = 0;
2785 if (!TEST_true(SSL_new_session_ticket(serverssl))
2786 || !TEST_true(SSL_new_session_ticket(serverssl))
2787 || !TEST_true(SSL_do_handshake(serverssl))
2788 || !TEST_int_eq(2, new_called)
2789 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2790 || !TEST_int_eq(4, new_called))
2791 goto end;
2792
f0049b86
BK		 2793 /*
2794 * Use the always-retry BIO to exercise the logic that forces ticket
2795 * generation to wait until a record boundary.
2796 */
a0bbcb42 2797 c = '5';
f0049b86
BK		 2798 new_called = 0;
2799 tmp = SSL_get_wbio(serverssl);
2800 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2801 tmp = NULL;
2802 goto end;
2803 }
2804 SSL_set0_wbio(serverssl, bretry);
2805 bretry = NULL;
2806 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2807 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2808 || !TEST_size_t_eq(nbytes, 0))
2809 goto end;
2810 /* Restore a BIO that will let the write succeed */
2811 SSL_set0_wbio(serverssl, tmp);
2812 tmp = NULL;
a0bbcb42
BK		 2813 /*
2814 * These calls should just queue the request and not send anything
2815 * even if we explicitly try to hit the state machine.
2816 */
f0049b86
BK		 2817 if (!TEST_true(SSL_new_session_ticket(serverssl))
2818 || !TEST_true(SSL_new_session_ticket(serverssl))
a0bbcb42
BK		 2819 || !TEST_int_eq(0, new_called)
2820 || !TEST_true(SSL_do_handshake(serverssl))
f0049b86
BK		 2821 || !TEST_int_eq(0, new_called))
2822 goto end;
2823 /* Re-do the write; still no tickets sent */
2824 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2825 || !TEST_size_t_eq(1, nbytes)
2826 || !TEST_int_eq(0, new_called)
2827 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2828 || !TEST_int_eq(0, new_called)
2829 || !TEST_int_eq(sizeof(buf), nbytes)
2830 || !TEST_int_eq(c, buf[0])
2831 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2832 goto end;
a0bbcb42
BK		 2833 /* Even trying to hit the state machine now will still not send tickets */
2834 if (!TEST_true(SSL_do_handshake(serverssl))
2835 || !TEST_int_eq(0, new_called))
2836 goto end;
f0049b86 2837 /* Now the *next* write should send the tickets */
a0bbcb42 2838 c = '6';
f0049b86
BK		 2839 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2840 || !TEST_size_t_eq(1, nbytes)
2841 || !TEST_int_eq(2, new_called)
2842 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2843 || !TEST_int_eq(4, new_called)
2844 || !TEST_int_eq(sizeof(buf), nbytes)
2845 || !TEST_int_eq(c, buf[0])
2846 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2847 goto end;
2848
2849 SSL_shutdown(clientssl);
2850 SSL_shutdown(serverssl);
2851 testresult = 1;
2852
2853 end:
2854 BIO_free(bretry);
2855 BIO_free(tmp);
2856 SSL_free(serverssl);
2857 SSL_free(clientssl);
2858 SSL_CTX_free(sctx);
2859 SSL_CTX_free(cctx);
2860 clientssl = serverssl = NULL;
2861 sctx = cctx = NULL;
2862 return testresult;
2863}
04225915 2864#endif
36ff232c 2865
7d4488bb
MC		 2866#define USE_NULL 0
2867#define USE_BIO_1 1
2868#define USE_BIO_2 2
2869#define USE_DEFAULT 3
2870
2871#define CONNTYPE_CONNECTION_SUCCESS 0
2872#define CONNTYPE_CONNECTION_FAIL 1
2873#define CONNTYPE_NO_CONNECTION 2
2874
2875#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2876#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
a763ca11 2877#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
7d4488bb
MC		 2878# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2879#else
2880# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2881#endif
2882
7d4488bb
MC		 2883#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2884 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2885 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
7fb4c820
MC		 2886
2887static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2888{
2889 switch (type) {
2890 case USE_NULL:
2891 *res = NULL;
2892 break;
2893 case USE_BIO_1:
2894 *res = bio1;
2895 break;
2896 case USE_BIO_2:
2897 *res = bio2;
2898 break;
2899 }
2900}
2901
7d4488bb
MC		 2902
2903/*
2904 * Tests calls to SSL_set_bio() under various conditions.
2905 *
2906 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2907 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2908 * then do more tests where we create a successful connection first using our
2909 * standard connection setup functions, and then call SSL_set_bio() with
2910 * various combinations of valid BIOs or NULL. We then repeat these tests
2911 * following a failed connection. In this last case we are looking to check that
2912 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2913 */
7fb4c820
MC		 2914static int test_ssl_set_bio(int idx)
2915{
7d4488bb 2916 SSL_CTX *sctx = NULL, *cctx = NULL;
7fb4c820
MC		 2917 BIO *bio1 = NULL;
2918 BIO *bio2 = NULL;
0fae8150 2919 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7d4488bb
MC		 2920 SSL *serverssl = NULL, *clientssl = NULL;
2921 int initrbio, initwbio, newrbio, newwbio, conntype;
7fb4c820
MC		 2922 int testresult = 0;
2923
7d4488bb
MC		 2924 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2925 initrbio = idx % 3;
2926 idx /= 3;
2927 initwbio = idx % 3;
2928 idx /= 3;
2929 newrbio = idx % 3;
2930 idx /= 3;
2931 newwbio = idx % 3;
2932 conntype = CONNTYPE_NO_CONNECTION;
2933 } else {
2934 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2935 initrbio = initwbio = USE_DEFAULT;
2936 newrbio = idx % 2;
2937 idx /= 2;
2938 newwbio = idx % 2;
2939 idx /= 2;
2940 conntype = idx % 2;
2941 }
710756a9 2942
5e30f2fd
MC		 2943 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2944 TLS_client_method(), TLS1_VERSION, 0,
7d4488bb
MC		 2945 &sctx, &cctx, cert, privkey)))
2946 goto end;
2947
2948 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2949 /*
2950 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2951 * because we reduced the number of tests in the definition of
2952 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2953 * mismatched protocol versions we will force a connection failure.
2954 */
2955 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2956 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2957 }
2958
2959 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2960 NULL, NULL)))
710756a9 2961 goto end;
7fb4c820 2962
710756a9
RS		 2963 if (initrbio == USE_BIO_1
2964 || initwbio == USE_BIO_1
2965 || newrbio == USE_BIO_1
7fb4c820 2966 || newwbio == USE_BIO_1) {
710756a9 2967 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 2968 goto end;
7fb4c820
MC		 2969 }
2970
710756a9
RS		 2971 if (initrbio == USE_BIO_2
2972 || initwbio == USE_BIO_2
2973 || newrbio == USE_BIO_2
7fb4c820 2974 || newwbio == USE_BIO_2) {
710756a9 2975 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 2976 goto end;
7fb4c820
MC		 2977 }
2978
7d4488bb
MC		 2979 if (initrbio != USE_DEFAULT) {
2980 setupbio(&irbio, bio1, bio2, initrbio);
2981 setupbio(&iwbio, bio1, bio2, initwbio);
2982 SSL_set_bio(clientssl, irbio, iwbio);
7fb4c820 2983
7d4488bb
MC		 2984 /*
2985 * We want to maintain our own refs to these BIO, so do an up ref for
2986 * each BIO that will have ownership transferred in the SSL_set_bio()
2987 * call
2988 */
2989 if (irbio != NULL)
2990 BIO_up_ref(irbio);
2991 if (iwbio != NULL && iwbio != irbio)
2992 BIO_up_ref(iwbio);
2993 }
7fb4c820 2994
7d4488bb
MC		 2995 if (conntype != CONNTYPE_NO_CONNECTION
2996 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2997 SSL_ERROR_NONE)
2998 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2999 goto end;
7fb4c820
MC		 3000
3001 setupbio(&nrbio, bio1, bio2, newrbio);
3002 setupbio(&nwbio, bio1, bio2, newwbio);
3003
3004 /*
3005 * We will (maybe) transfer ownership again so do more up refs.
3006 * SSL_set_bio() has some really complicated ownership rules where BIOs have
3007 * already been set!
3008 */
710756a9
RS		 3009 if (nrbio != NULL
3010 && nrbio != irbio
3011 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 3012 BIO_up_ref(nrbio);
710756a9
RS		 3013 if (nwbio != NULL
3014 && nwbio != nrbio
3015 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 3016 BIO_up_ref(nwbio);
3017
7d4488bb 3018 SSL_set_bio(clientssl, nrbio, nwbio);
7fb4c820
MC		 3019
3020 testresult = 1;
3021
3022 end:
7fb4c820
MC		 3023 BIO_free(bio1);
3024 BIO_free(bio2);
710756a9 3025
7fb4c820
MC		 3026 /*
3027 * This test is checking that the ref counting for SSL_set_bio is correct.
3028 * If we get here and we did too many frees then we will fail in the above
742ccab3 3029 * functions.
7fb4c820 3030 */
7d4488bb
MC		 3031 SSL_free(serverssl);
3032 SSL_free(clientssl);
3033 SSL_CTX_free(sctx);
3034 SSL_CTX_free(cctx);
7fb4c820
MC		 3035 return testresult;
3036}
3037
7e885b7b 3038typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 3039
7e885b7b 3040static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 3041{
3042 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 3043 SSL_CTX *ctx;
9a716987
MC		 3044 SSL *ssl = NULL;
3045 int testresult = 0;
3046
d8652be0 3047 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
710756a9
RS		 3048 || !TEST_ptr(ssl = SSL_new(ctx))
3049 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
3050 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 3051 goto end;
9a716987
MC		 3052
3053 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
3054
3055 /*
742ccab3 3056 * If anything goes wrong here then we could leak memory.
9a716987
MC		 3057 */
3058 BIO_push(sslbio, membio1);
3059
69687aa8 3060 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 3061 if (change_bio != NO_BIO_CHANGE) {
493e7898
NX		 3062 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
3063 ssl = NULL;
9a716987 3064 goto end;
493e7898 3065 }
7e885b7b 3066 if (change_bio == CHANGE_RBIO)
65e2d672 3067 SSL_set0_rbio(ssl, membio2);
9a716987 3068 else
65e2d672 3069 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 3070 }
3071 ssl = NULL;
3072
7e885b7b 3073 if (pop_ssl)
9a716987
MC		 3074 BIO_pop(sslbio);
3075 else
3076 BIO_pop(membio1);
3077
3078 testresult = 1;
3079 end:
3080 BIO_free(membio1);
3081 BIO_free(sslbio);
3082 SSL_free(ssl);
3083 SSL_CTX_free(ctx);
3084
3085 return testresult;
3086}
3087
3088static int test_ssl_bio_pop_next_bio(void)
3089{
7e885b7b 3090 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 3091}
3092
3093static int test_ssl_bio_pop_ssl_bio(void)
3094{
7e885b7b 3095 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 3096}
3097
3098static int test_ssl_bio_change_rbio(void)
3099{
7e885b7b 3100 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 3101}
3102
3103static int test_ssl_bio_change_wbio(void)
3104{
7e885b7b 3105 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 3106}
3107
a763ca11 3108#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
f1b25aae
MC		 3109typedef struct {
3110 /* The list of sig algs */
3111 const int *list;
3112 /* The length of the list */
3113 size_t listlen;
3114 /* A sigalgs list in string format */
3115 const char *liststr;
3116 /* Whether setting the list should succeed */
3117 int valid;
3118 /* Whether creating a connection with the list should succeed */
3119 int connsuccess;
3120} sigalgs_list;
3121
3122static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 3123# ifndef OPENSSL_NO_EC
f1b25aae
MC		 3124static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
3125static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 3126# endif
f1b25aae
MC		 3127static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
3128static const int invalidlist2[] = {NID_sha256, NID_undef};
3129static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
3130static const int invalidlist4[] = {NID_sha256};
3131static const sigalgs_list testsigalgs[] = {
3132 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 3133# ifndef OPENSSL_NO_EC
f1b25aae
MC		 3134 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
3135 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 3136# endif
f1b25aae 3137 {NULL, 0, "RSA+SHA256", 1, 1},
c423ecaa 3138# ifndef OPENSSL_NO_EC
f1b25aae
MC		 3139 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
3140 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 3141# endif
f1b25aae
MC		 3142 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
3143 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
3144 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
3145 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
3146 {NULL, 0, "RSA", 0, 0},
3147 {NULL, 0, "SHA256", 0, 0},
3148 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 3149 {NULL, 0, "Invalid", 0, 0}
3150};
f1b25aae
MC		 3151
3152static int test_set_sigalgs(int idx)
3153{
3154 SSL_CTX *cctx = NULL, *sctx = NULL;
3155 SSL *clientssl = NULL, *serverssl = NULL;
3156 int testresult = 0;
3157 const sigalgs_list *curr;
3158 int testctx;
3159
3160 /* Should never happen */
710756a9 3161 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 3162 return 0;
3163
3164 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
3165 curr = testctx ? &testsigalgs[idx]
3166 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
3167
5e30f2fd
MC		 3168 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3169 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 3170 &sctx, &cctx, cert, privkey)))
f1b25aae 3171 return 0;
f1b25aae 3172
d2e491f2
MC		 3173 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
3174
f1b25aae
MC		 3175 if (testctx) {
3176 int ret;
710756a9 3177
f1b25aae
MC		 3178 if (curr->list != NULL)
3179 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
3180 else
3181 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
3182
3183 if (!ret) {
3184 if (curr->valid)
710756a9 3185 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 3186 else
3187 testresult = 1;
3188 goto end;
3189 }
3190 if (!curr->valid) {
710756a9 3191 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 3192 goto end;
3193 }
3194 }
3195
710756a9
RS		 3196 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3197 &clientssl, NULL, NULL)))
f1b25aae 3198 goto end;
f1b25aae
MC		 3199
3200 if (!testctx) {
3201 int ret;
3202
3203 if (curr->list != NULL)
3204 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3205 else
3206 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3207 if (!ret) {
3208 if (curr->valid)
710756a9 3209 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 3210 else
3211 testresult = 1;
3212 goto end;
3213 }
710756a9 3214 if (!curr->valid)
f1b25aae 3215 goto end;
f1b25aae
MC		 3216 }
3217
710756a9
RS		 3218 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3219 SSL_ERROR_NONE),
3220 curr->connsuccess))
f1b25aae 3221 goto end;
f1b25aae
MC		 3222
3223 testresult = 1;
3224
3225 end:
3226 SSL_free(serverssl);
3227 SSL_free(clientssl);
3228 SSL_CTX_free(sctx);
3229 SSL_CTX_free(cctx);
3230
3231 return testresult;
3232}
c423ecaa 3233#endif
f1b25aae 3234
a763ca11 3235#ifndef OSSL_NO_USABLE_TLS1_3
532f9578
MC		 3236static int psk_client_cb_cnt = 0;
3237static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 3238
3239static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3240 size_t *idlen, SSL_SESSION **sess)
3241{
3242 switch (++use_session_cb_cnt) {
3243 case 1:
3244 /* The first call should always have a NULL md */
3245 if (md != NULL)
3246 return 0;
3247 break;
3248
3249 case 2:
3250 /* The second call should always have an md */
3251 if (md == NULL)
3252 return 0;
3253 break;
3254
3255 default:
3256 /* We should only be called a maximum of twice */
3257 return 0;
3258 }
3259
57dee9bb
MC		 3260 if (clientpsk != NULL)
3261 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 3262
57dee9bb 3263 *sess = clientpsk;
02a3ed5a
MC		 3264 *id = (const unsigned char *)pskid;
3265 *idlen = strlen(pskid);
3266
3267 return 1;
3268}
3269
c2b290c3 3270#ifndef OPENSSL_NO_PSK
532f9578
MC		 3271static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3272 unsigned int max_id_len,
3273 unsigned char *psk,
3274 unsigned int max_psk_len)
3275{
3276 unsigned int psklen = 0;
3277
3278 psk_client_cb_cnt++;
3279
3280 if (strlen(pskid) + 1 > max_id_len)
3281 return 0;
3282
3283 /* We should only ever be called a maximum of twice per connection */
3284 if (psk_client_cb_cnt > 2)
3285 return 0;
3286
3287 if (clientpsk == NULL)
3288 return 0;
3289
3290 /* We'll reuse the PSK we set up for TLSv1.3 */
3291 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3292 return 0;
3293 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3294 strncpy(id, pskid, max_id_len);
3295
3296 return psklen;
3297}
c2b290c3 3298#endif /* OPENSSL_NO_PSK */
532f9578 3299
02a3ed5a
MC		 3300static int find_session_cb(SSL *ssl, const unsigned char *identity,
3301 size_t identity_len, SSL_SESSION **sess)
3302{
3303 find_session_cb_cnt++;
3304
3305 /* We should only ever be called a maximum of twice per connection */
3306 if (find_session_cb_cnt > 2)
3307 return 0;
3308
57dee9bb 3309 if (serverpsk == NULL)
02a3ed5a
MC		 3310 return 0;
3311
3312 /* Identity should match that set by the client */
3313 if (strlen(srvid) != identity_len
3314 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3315 /* No PSK found, continue but without a PSK */
3316 *sess = NULL;
3317 return 1;
3318 }
3319
57dee9bb
MC		 3320 SSL_SESSION_up_ref(serverpsk);
3321 *sess = serverpsk;
02a3ed5a
MC		 3322
3323 return 1;
3324}
3325
c2b290c3 3326#ifndef OPENSSL_NO_PSK
532f9578
MC		 3327static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3328 unsigned char *psk, unsigned int max_psk_len)
3329{
3330 unsigned int psklen = 0;
3331
3332 psk_server_cb_cnt++;
3333
3334 /* We should only ever be called a maximum of twice per connection */
3335 if (find_session_cb_cnt > 2)
3336 return 0;
3337
3338 if (serverpsk == NULL)
3339 return 0;
3340
3341 /* Identity should match that set by the client */
3342 if (strcmp(srvid, identity) != 0) {
3343 return 0;
3344 }
3345
3346 /* We'll reuse the PSK we set up for TLSv1.3 */
3347 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3348 return 0;
3349 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3350
3351 return psklen;
3352}
c2b290c3 3353#endif /* OPENSSL_NO_PSK */
532f9578 3354
5f982038
MC		 3355#define MSG1 "Hello"
3356#define MSG2 "World."
3357#define MSG3 "This"
3358#define MSG4 "is"
3359#define MSG5 "a"
90049cea
MC		 3360#define MSG6 "test"
3361#define MSG7 "message."
5f982038 3362
532f9578 3363#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
0b2b0be9 3364#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3365#define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3366#define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3367#define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
02a3ed5a 3368
8614a4eb
MC		 3369
3370static SSL_SESSION *create_a_psk(SSL *ssl)
3371{
3372 const SSL_CIPHER *cipher = NULL;
3373 const unsigned char key[] = {
3374 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3375 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3376 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3377 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3378 0x2c, 0x2d, 0x2e, 0x2f
3379 };
3380 SSL_SESSION *sess = NULL;
3381
3382 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3383 sess = SSL_SESSION_new();
3384 if (!TEST_ptr(sess)
3385 || !TEST_ptr(cipher)
3386 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
3387 sizeof(key)))
3388 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3389 || !TEST_true(
3390 SSL_SESSION_set_protocol_version(sess,
3391 TLS1_3_VERSION))) {
3392 SSL_SESSION_free(sess);
3393 return NULL;
3394 }
3395 return sess;
3396}
3397
5f982038
MC		 3398/*
3399 * Helper method to setup objects for early data test. Caller frees objects on
3400 * error.
3401 */
3402static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3cb47b4e 3403 SSL **serverssl, SSL_SESSION **sess, int idx)
5f982038 3404{
5a421415 3405 if (*sctx == NULL
5e30f2fd 3406 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5a421415 3407 TLS_client_method(),
5c587fb6 3408 TLS1_VERSION, 0,
5a421415
MC		 3409 sctx, cctx, cert, privkey)))
3410 return 0;
3411
3412 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 3413 return 0;
5f982038 3414
02a3ed5a
MC		 3415 if (idx == 1) {
3416 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 3417 SSL_CTX_set_read_ahead(*cctx, 1);
3418 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 3419 } else if (idx == 2) {
3420 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3421 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3422 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3423 use_session_cb_cnt = 0;
3424 find_session_cb_cnt = 0;
3425 srvid = pskid;
3cb47b4e
MC		 3426 }
3427
710756a9 3428 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 3429 NULL, NULL)))
3430 return 0;
3431
141e4709
MC		 3432 /*
3433 * For one of the run throughs (doesn't matter which one), we'll try sending
3434 * some SNI data in the initial ClientHello. This will be ignored (because
3435 * there is no SNI cb set up by the server), so it should not impact
3436 * early_data.
3437 */
3438 if (idx == 1
3439 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3440 return 0;
3441
02a3ed5a 3442 if (idx == 2) {
8614a4eb 3443 clientpsk = create_a_psk(*clientssl);
57dee9bb 3444 if (!TEST_ptr(clientpsk)
02a3ed5a
MC		 3445 /*
3446 * We just choose an arbitrary value for max_early_data which
3447 * should be big enough for testing purposes.
3448 */
57dee9bb
MC		 3449 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3450 0x100))
3451 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3452 SSL_SESSION_free(clientpsk);
3453 clientpsk = NULL;
02a3ed5a
MC		 3454 return 0;
3455 }
57dee9bb 3456 serverpsk = clientpsk;
02a3ed5a 3457
c20e3b28
MC		 3458 if (sess != NULL) {
3459 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3460 SSL_SESSION_free(clientpsk);
3461 SSL_SESSION_free(serverpsk);
3462 clientpsk = serverpsk = NULL;
3463 return 0;
3464 }
57dee9bb 3465 *sess = clientpsk;
c20e3b28 3466 }
02a3ed5a
MC		 3467 return 1;
3468 }
3469
3470 if (sess == NULL)
3471 return 1;
3472
3473 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3474 SSL_ERROR_NONE)))
5f982038 3475 return 0;
5f982038
MC		 3476
3477 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 3478 SSL_shutdown(*clientssl);
3479 SSL_shutdown(*serverssl);
5f982038
MC		 3480 SSL_free(*serverssl);
3481 SSL_free(*clientssl);
3482 *serverssl = *clientssl = NULL;
3483
710756a9
RS		 3484 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3485 clientssl, NULL, NULL))
3486 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 3487 return 0;
5f982038
MC		 3488
3489 return 1;
3490}
3491
3cb47b4e 3492static int test_early_data_read_write(int idx)
5f982038
MC		 3493{
3494 SSL_CTX *cctx = NULL, *sctx = NULL;
3495 SSL *clientssl = NULL, *serverssl = NULL;
3496 int testresult = 0;
3497 SSL_SESSION *sess = NULL;
9b5c865d
MC		 3498 unsigned char buf[20], data[1024];
3499 size_t readbytes, written, eoedlen, rawread, rawwritten;
3500 BIO *rbio;
5f982038 3501
710756a9
RS		 3502 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3503 &serverssl, &sess, idx)))
5f982038
MC		 3504 goto end;
3505
3506 /* Write and read some early data */
710756a9
RS		 3507 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3508 &written))
3509 || !TEST_size_t_eq(written, strlen(MSG1))
3510 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3511 sizeof(buf), &readbytes),
3512 SSL_READ_EARLY_DATA_SUCCESS)
3513 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3514 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3515 SSL_EARLY_DATA_ACCEPTED))
5f982038 3516 goto end;
5f982038
MC		 3517
3518 /*
09f28874 3519 * Server should be able to write data, and client should be able to
5f982038
MC		 3520 * read it.
3521 */
710756a9
RS		 3522 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3523 &written))
3524 || !TEST_size_t_eq(written, strlen(MSG2))
3525 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3526 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3527 goto end;
5f982038
MC		 3528
3529 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 3530 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3531 &written))
3532 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 3533 goto end;
5f982038 3534
09f28874 3535 /* Server should still be able read early data after writing data */
710756a9
RS		 3536 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3537 &readbytes),
3538 SSL_READ_EARLY_DATA_SUCCESS)
3539 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 3540 goto end;
5f982038 3541
09f28874 3542 /* Write more data from server and read it from client */
710756a9
RS		 3543 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3544 &written))
3545 || !TEST_size_t_eq(written, strlen(MSG4))
3546 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3547 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 3548 goto end;
5f982038
MC		 3549
3550 /*
3551 * If client writes normal data it should mean writing early data is no
3552 * longer possible.
3553 */
710756a9
RS		 3554 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3555 || !TEST_size_t_eq(written, strlen(MSG5))
3556 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3557 SSL_EARLY_DATA_ACCEPTED))
5f982038 3558 goto end;
5f982038 3559
9b5c865d
MC		 3560 /*
3561 * At this point the client has written EndOfEarlyData, ClientFinished and
3562 * normal (fully protected) data. We are going to cause a delay between the
3563 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3564 * in the read BIO, and then just put back the EndOfEarlyData message.
3565 */
3566 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 3567 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3568 || !TEST_size_t_lt(rawread, sizeof(data))
3569 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 3570 goto end;
710756a9 3571
9b5c865d
MC		 3572 /* Record length is in the 4th and 5th bytes of the record header */
3573 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 3574 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3575 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 3576 goto end;
9b5c865d 3577
5f982038 3578 /* Server should be told that there is no more early data */
710756a9
RS		 3579 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3580 &readbytes),
3581 SSL_READ_EARLY_DATA_FINISH)
3582 || !TEST_size_t_eq(readbytes, 0))
5f982038 3583 goto end;
5f982038 3584
9b5c865d
MC		 3585 /*
3586 * Server has not finished init yet, so should still be able to write early
3587 * data.
3588 */
710756a9
RS		 3589 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3590 &written))
3591 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 3592 goto end;
9b5c865d 3593
f8a303fa 3594 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 3595 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3596 &rawwritten))
3597 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 3598 goto end;
f8a303fa 3599
5f982038 3600 /* Server should be able to read normal data */
710756a9
RS		 3601 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3602 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3603 goto end;
5f982038 3604
09f28874 3605 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3606 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3607 &written)))
5f982038 3608 goto end;
5f982038 3609 ERR_clear_error();
710756a9
RS		 3610 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3611 &readbytes),
3612 SSL_READ_EARLY_DATA_ERROR))
5f982038 3613 goto end;
5f982038
MC		 3614 ERR_clear_error();
3615
9b5c865d 3616 /* Client should be able to read the data sent by the server */
710756a9
RS		 3617 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3618 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 3619 goto end;
710756a9 3620
f8a303fa 3621 /*
36ff232c
MC		 3622 * Make sure we process the two NewSessionTickets. These arrive
3623 * post-handshake. We attempt reads which we do not expect to return any
3624 * data.
f8a303fa 3625 */
36ff232c
MC		 3626 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3627 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3628 &readbytes)))
f8a303fa 3629 goto end;
5f982038 3630
90049cea 3631 /* Server should be able to write normal data */
710756a9
RS		 3632 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3633 || !TEST_size_t_eq(written, strlen(MSG7))
3634 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3635 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 3636 goto end;
90049cea 3637
c20e3b28 3638 SSL_SESSION_free(sess);
5f982038 3639 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 3640 use_session_cb_cnt = 0;
3641 find_session_cb_cnt = 0;
5f982038
MC		 3642
3643 SSL_shutdown(clientssl);
3644 SSL_shutdown(serverssl);
5f982038
MC		 3645 SSL_free(serverssl);
3646 SSL_free(clientssl);
3647 serverssl = clientssl = NULL;
710756a9
RS		 3648 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3649 &clientssl, NULL, NULL))
3650 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 3651 goto end;
5f982038
MC		 3652
3653 /* Write and read some early data */
710756a9
RS		 3654 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3655 &written))
3656 || !TEST_size_t_eq(written, strlen(MSG1))
3657 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3658 &readbytes),
3659 SSL_READ_EARLY_DATA_SUCCESS)
3660 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 3661 goto end;
5f982038 3662
710756a9
RS		 3663 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3664 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 3665 goto end;
5f982038 3666
09f28874 3667 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3668 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3669 &written)))
5f982038 3670 goto end;
5f982038 3671 ERR_clear_error();
710756a9
RS		 3672 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3673 &readbytes),
3674 SSL_READ_EARLY_DATA_ERROR))
5f982038 3675 goto end;
5f982038
MC		 3676 ERR_clear_error();
3677
3678 /* Client and server should be able to write/read normal data */
710756a9
RS		 3679 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3680 || !TEST_size_t_eq(written, strlen(MSG5))
3681 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3682 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3683 goto end;
5f982038
MC		 3684
3685 testresult = 1;
3686
3687 end:
c20e3b28 3688 SSL_SESSION_free(sess);
57dee9bb
MC		 3689 SSL_SESSION_free(clientpsk);
3690 SSL_SESSION_free(serverpsk);
3691 clientpsk = serverpsk = NULL;
5f982038
MC		 3692 SSL_free(serverssl);
3693 SSL_free(clientssl);
3694 SSL_CTX_free(sctx);
3695 SSL_CTX_free(cctx);
5f982038
MC		 3696 return testresult;
3697}
3698
5a421415
MC		 3699static int allow_ed_cb_called = 0;
3700
3701static int allow_early_data_cb(SSL *s, void *arg)
3702{
3703 int *usecb = (int *)arg;
3704
3705 allow_ed_cb_called++;
3706
3707 if (*usecb == 1)
3708 return 0;
3709
3710 return 1;
3711}
3712
3713/*
3714 * idx == 0: Standard early_data setup
3715 * idx == 1: early_data setup using read_ahead
3716 * usecb == 0: Don't use a custom early data callback
3717 * usecb == 1: Use a custom early data callback and reject the early data
3718 * usecb == 2: Use a custom early data callback and accept the early data
3bb5e5b0
MC		 3719 * confopt == 0: Configure anti-replay directly
3720 * confopt == 1: Configure anti-replay using SSL_CONF
5a421415 3721 */
3bb5e5b0 3722static int test_early_data_replay_int(int idx, int usecb, int confopt)
78fb5374
MC		 3723{
3724 SSL_CTX *cctx = NULL, *sctx = NULL;
3725 SSL *clientssl = NULL, *serverssl = NULL;
3726 int testresult = 0;
3727 SSL_SESSION *sess = NULL;
5a421415
MC		 3728 size_t readbytes, written;
3729 unsigned char buf[20];
3730
3731 allow_ed_cb_called = 0;
3732
5e30f2fd
MC		 3733 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3734 TLS_client_method(), TLS1_VERSION, 0,
3735 &sctx, &cctx, cert, privkey)))
5a421415
MC		 3736 return 0;
3737
3738 if (usecb > 0) {
3bb5e5b0
MC		 3739 if (confopt == 0) {
3740 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3741 } else {
3742 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3743
3744 if (!TEST_ptr(confctx))
3745 goto end;
3746 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3747 | SSL_CONF_FLAG_SERVER);
3748 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3749 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3750 2)) {
3751 SSL_CONF_CTX_free(confctx);
3752 goto end;
3753 }
3754 SSL_CONF_CTX_free(confctx);
3755 }
5a421415
MC		 3756 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3757 }
78fb5374
MC		 3758
3759 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3760 &serverssl, &sess, idx)))
3761 goto end;
3762
3763 /*
3764 * The server is configured to accept early data. Create a connection to
3765 * "use up" the ticket
3766 */
3767 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3768 || !TEST_true(SSL_session_reused(clientssl)))
3769 goto end;
3770
3771 SSL_shutdown(clientssl);
3772 SSL_shutdown(serverssl);
3773 SSL_free(serverssl);
3774 SSL_free(clientssl);
3775 serverssl = clientssl = NULL;
3776
3777 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3778 &clientssl, NULL, NULL))
5a421415
MC		 3779 || !TEST_true(SSL_set_session(clientssl, sess)))
3780 goto end;
3781
3782 /* Write and read some early data */
3783 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3784 &written))
3785 || !TEST_size_t_eq(written, strlen(MSG1)))
3786 goto end;
3787
3788 if (usecb <= 1) {
3789 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3790 &readbytes),
3791 SSL_READ_EARLY_DATA_FINISH)
3792 /*
3793 * The ticket was reused, so the we should have rejected the
3794 * early data
3795 */
3796 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3797 SSL_EARLY_DATA_REJECTED))
3798 goto end;
3799 } else {
3800 /* In this case the callback decides to accept the early data */
3801 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3802 &readbytes),
3803 SSL_READ_EARLY_DATA_SUCCESS)
3804 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3805 /*
3806 * Server will have sent its flight so client can now send
3807 * end of early data and complete its half of the handshake
3808 */
3809 || !TEST_int_gt(SSL_connect(clientssl), 0)
3810 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3811 &readbytes),
3812 SSL_READ_EARLY_DATA_FINISH)
3813 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3814 SSL_EARLY_DATA_ACCEPTED))
3815 goto end;
3816 }
3817
3818 /* Complete the connection */
3819 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3820 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3821 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
78fb5374
MC		 3822 goto end;
3823
3824 testresult = 1;
3825
3826 end:
c20e3b28 3827 SSL_SESSION_free(sess);
78fb5374
MC		 3828 SSL_SESSION_free(clientpsk);
3829 SSL_SESSION_free(serverpsk);
3830 clientpsk = serverpsk = NULL;
3831 SSL_free(serverssl);
3832 SSL_free(clientssl);
3833 SSL_CTX_free(sctx);
3834 SSL_CTX_free(cctx);
3835 return testresult;
3836}
3837
5a421415
MC		 3838static int test_early_data_replay(int idx)
3839{
3bb5e5b0 3840 int ret = 1, usecb, confopt;
5a421415 3841
3bb5e5b0
MC		 3842 for (usecb = 0; usecb < 3; usecb++) {
3843 for (confopt = 0; confopt < 2; confopt++)
3844 ret &= test_early_data_replay_int(idx, usecb, confopt);
3845 }
5a421415
MC		 3846
3847 return ret;
3848}
3849
710756a9 3850/*
6b84e6bf
MC		 3851 * Helper function to test that a server attempting to read early data can
3852 * handle a connection from a client where the early data should be skipped.
0d1b7789
MC		 3853 * testtype: 0 == No HRR
3854 * testtype: 1 == HRR
0efa0ba4
MC		 3855 * testtype: 2 == HRR, invalid early_data sent after HRR
3856 * testtype: 3 == recv_max_early_data set to 0
710756a9 3857 */
0d1b7789 3858static int early_data_skip_helper(int testtype, int idx)
5f982038
MC		 3859{
3860 SSL_CTX *cctx = NULL, *sctx = NULL;
3861 SSL *clientssl = NULL, *serverssl = NULL;
3862 int testresult = 0;
018fcbec 3863 SSL_SESSION *sess = NULL;
5f982038
MC		 3864 unsigned char buf[20];
3865 size_t readbytes, written;
3866
710756a9
RS		 3867 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3868 &serverssl, &sess, idx)))
5f982038
MC		 3869 goto end;
3870
0efa0ba4 3871 if (testtype == 1 || testtype == 2) {
6b84e6bf 3872 /* Force an HRR to occur */
dbc6268f
MC		 3873#if defined(OPENSSL_NO_EC)
3874 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3875 goto end;
3876#else
6b84e6bf
MC		 3877 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3878 goto end;
dbc6268f 3879#endif
02a3ed5a
MC		 3880 } else if (idx == 2) {
3881 /*
3882 * We force early_data rejection by ensuring the PSK identity is
3883 * unrecognised
3884 */
3885 srvid = "Dummy Identity";
6b84e6bf
MC		 3886 } else {
3887 /*
3888 * Deliberately corrupt the creation time. We take 20 seconds off the
3889 * time. It could be any value as long as it is not within tolerance.
3890 * This should mean the ticket is rejected.
3891 */
5d99881e 3892 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 3893 goto end;
3894 }
5f982038 3895
0efa0ba4 3896 if (testtype == 3
0d1b7789
MC		 3897 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3898 goto end;
3899
5f982038 3900 /* Write some early data */
710756a9
RS		 3901 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3902 &written))
3903 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 3904 goto end;
5f982038 3905
0d1b7789 3906 /* Server should reject the early data */
710756a9
RS		 3907 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3908 &readbytes),
3909 SSL_READ_EARLY_DATA_FINISH)
3910 || !TEST_size_t_eq(readbytes, 0)
3911 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3912 SSL_EARLY_DATA_REJECTED))
5f982038 3913 goto end;
5f982038 3914
0efa0ba4
MC		 3915 switch (testtype) {
3916 case 0:
3917 /* Nothing to do */
3918 break;
3919
3920 case 1:
6b84e6bf
MC		 3921 /*
3922 * Finish off the handshake. We perform the same writes and reads as
3923 * further down but we expect them to fail due to the incomplete
3924 * handshake.
3925 */
3926 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3927 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3928 &readbytes)))
3929 goto end;
0efa0ba4
MC		 3930 break;
3931
3932 case 2:
3933 {
3934 BIO *wbio = SSL_get_wbio(clientssl);
3935 /* A record that will appear as bad early_data */
3936 const unsigned char bad_early_data[] = {
3937 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3938 };
3939
3940 /*
3941 * We force the client to attempt a write. This will fail because
3942 * we're still in the handshake. It will cause the second
3943 * ClientHello to be sent.
3944 */
3945 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3946 &written)))
3947 goto end;
3948
3949 /*
3950 * Inject some early_data after the second ClientHello. This should
3951 * cause the server to fail
3952 */
3953 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3954 sizeof(bad_early_data), &written)))
3955 goto end;
3956 }
3957 /* fallthrough */
3958
3959 case 3:
0d1b7789 3960 /*
0efa0ba4
MC		 3961 * This client has sent more early_data than we are willing to skip
3962 * (case 3) or sent invalid early_data (case 2) so the connection should
3963 * abort.
0d1b7789
MC		 3964 */
3965 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3966 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3967 goto end;
3968
3969 /* Connection has failed - nothing more to do */
3970 testresult = 1;
3971 goto end;
0efa0ba4
MC		 3972
3973 default:
3974 TEST_error("Invalid test type");
3975 goto end;
6b84e6bf
MC		 3976 }
3977
0d1b7789
MC		 3978 /*
3979 * Should be able to send normal data despite rejection of early data. The
3980 * early_data should be skipped.
3981 */
710756a9
RS		 3982 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3983 || !TEST_size_t_eq(written, strlen(MSG2))
3984 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3985 SSL_EARLY_DATA_REJECTED)
3986 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3987 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3988 goto end;
5f982038
MC		 3989
3990 testresult = 1;
3991
3992 end:
c20e3b28 3993 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3994 SSL_SESSION_free(serverpsk);
3995 clientpsk = serverpsk = NULL;
5f982038
MC		 3996 SSL_SESSION_free(sess);
3997 SSL_free(serverssl);
3998 SSL_free(clientssl);
3999 SSL_CTX_free(sctx);
4000 SSL_CTX_free(cctx);
5f982038
MC		 4001 return testresult;
4002}
4003
6b84e6bf
MC		 4004/*
4005 * Test that a server attempting to read early data can handle a connection
4006 * from a client where the early data is not acceptable.
4007 */
4008static int test_early_data_skip(int idx)
4009{
4010 return early_data_skip_helper(0, idx);
4011}
4012
4013/*
4014 * Test that a server attempting to read early data can handle a connection
4015 * from a client where an HRR occurs.
4016 */
4017static int test_early_data_skip_hrr(int idx)
4018{
4019 return early_data_skip_helper(1, idx);
4020}
4021
0efa0ba4
MC		 4022/*
4023 * Test that a server attempting to read early data can handle a connection
4024 * from a client where an HRR occurs and correctly fails if early_data is sent
4025 * after the HRR
4026 */
4027static int test_early_data_skip_hrr_fail(int idx)
4028{
4029 return early_data_skip_helper(2, idx);
4030}
4031
0d1b7789
MC		 4032/*
4033 * Test that a server attempting to read early data will abort if it tries to
4034 * skip over too much.
4035 */
4036static int test_early_data_skip_abort(int idx)
4037{
0efa0ba4 4038 return early_data_skip_helper(3, idx);
0d1b7789
MC		 4039}
4040
710756a9
RS		 4041/*
4042 * Test that a server attempting to read early data can handle a connection
4043 * from a client that doesn't send any.
4044 */
3cb47b4e 4045static int test_early_data_not_sent(int idx)
5f982038
MC		 4046{
4047 SSL_CTX *cctx = NULL, *sctx = NULL;
4048 SSL *clientssl = NULL, *serverssl = NULL;
4049 int testresult = 0;
018fcbec 4050 SSL_SESSION *sess = NULL;
5f982038
MC		 4051 unsigned char buf[20];
4052 size_t readbytes, written;
4053
710756a9
RS		 4054 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4055 &serverssl, &sess, idx)))
5f982038
MC		 4056 goto end;
4057
4058 /* Write some data - should block due to handshake with server */
4059 SSL_set_connect_state(clientssl);
710756a9 4060 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 4061 goto end;
5f982038
MC		 4062
4063 /* Server should detect that early data has not been sent */
710756a9
RS		 4064 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4065 &readbytes),
4066 SSL_READ_EARLY_DATA_FINISH)
4067 || !TEST_size_t_eq(readbytes, 0)
4068 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4069 SSL_EARLY_DATA_NOT_SENT)
4070 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4071 SSL_EARLY_DATA_NOT_SENT))
5f982038 4072 goto end;
5f982038
MC		 4073
4074 /* Continue writing the message we started earlier */
710756a9
RS		 4075 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4076 || !TEST_size_t_eq(written, strlen(MSG1))
4077 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4078 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4079 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
4080 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 4081 goto end;
5f982038 4082
710756a9
RS		 4083 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4084 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4085 goto end;
5f982038
MC		 4086
4087 testresult = 1;
4088
4089 end:
5f982038 4090 SSL_SESSION_free(sess);
c20e3b28 4091 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 4092 SSL_SESSION_free(serverpsk);
4093 clientpsk = serverpsk = NULL;
5f982038
MC		 4094 SSL_free(serverssl);
4095 SSL_free(clientssl);
4096 SSL_CTX_free(sctx);
4097 SSL_CTX_free(cctx);
5f982038
MC		 4098 return testresult;
4099}
4100
976e5323
MC		 4101static const char *servalpn;
4102
c7558d5b
PY		 4103static int alpn_select_cb(SSL *ssl, const unsigned char **out,
4104 unsigned char *outlen, const unsigned char *in,
4105 unsigned int inlen, void *arg)
976e5323 4106{
c7558d5b 4107 unsigned int protlen = 0;
976e5323
MC		 4108 const unsigned char *prot;
4109
c7558d5b
PY		 4110 for (prot = in; prot < in + inlen; prot += protlen) {
4111 protlen = *prot++;
5d99881e 4112 if (in + inlen < prot + protlen)
976e5323
MC		 4113 return SSL_TLSEXT_ERR_NOACK;
4114
4115 if (protlen == strlen(servalpn)
0bd42fde 4116 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 4117 *out = prot;
4118 *outlen = protlen;
4119 return SSL_TLSEXT_ERR_OK;
4120 }
4121 }
4122
4123 return SSL_TLSEXT_ERR_NOACK;
4124}
4125
57dee9bb 4126/* Test that a PSK can be used to send early_data */
976e5323
MC		 4127static int test_early_data_psk(int idx)
4128{
4129 SSL_CTX *cctx = NULL, *sctx = NULL;
4130 SSL *clientssl = NULL, *serverssl = NULL;
4131 int testresult = 0;
4132 SSL_SESSION *sess = NULL;
57dee9bb
MC		 4133 unsigned char alpnlist[] = {
4134 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
4135 'l', 'p', 'n'
4136 };
4137#define GOODALPNLEN 9
4138#define BADALPNLEN 8
4139#define GOODALPN (alpnlist)
4140#define BADALPN (alpnlist + GOODALPNLEN)
4141 int err = 0;
976e5323
MC		 4142 unsigned char buf[20];
4143 size_t readbytes, written;
57dee9bb 4144 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 4145 int edstatus = SSL_EARLY_DATA_ACCEPTED;
4146
4147 /* We always set this up with a final parameter of "2" for PSK */
4148 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4149 &serverssl, &sess, 2)))
4150 goto end;
4151
976e5323
MC		 4152 servalpn = "goodalpn";
4153
57dee9bb
MC		 4154 /*
4155 * Note: There is no test for inconsistent SNI with late client detection.
4156 * This is because servers do not acknowledge SNI even if they are using
4157 * it in a resumption handshake - so it is not actually possible for a
4158 * client to detect a problem.
4159 */
976e5323
MC		 4160 switch (idx) {
4161 case 0:
57dee9bb 4162 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 4163 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
4164 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4165 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
4166 goto end;
4167 break;
4168
4169 case 1:
57dee9bb 4170 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 4171 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
4172 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 4173 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
4174 GOODALPNLEN))
4175 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
4176 BADALPNLEN)))
976e5323
MC		 4177 goto end;
4178 break;
4179
4180 case 2:
4181 /*
4182 * Set invalid protocol version. Technically this affects PSKs without
4183 * early_data too, but we test it here because it is similar to the
4184 * SNI/ALPN consistency tests.
4185 */
4186 err = SSL_R_BAD_PSK;
4187 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
4188 goto end;
4189 break;
4190
4191 case 3:
4192 /*
49ef3d07
MC		 4193 * Set inconsistent SNI (server side). In this case the connection
4194 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
4195 * is associated with each handshake - not the session. Therefore it
4196 * should not matter that we used a different server name last time.
976e5323 4197 */
281bf233
MC		 4198 SSL_SESSION_free(serverpsk);
4199 serverpsk = SSL_SESSION_dup(clientpsk);
4200 if (!TEST_ptr(serverpsk)
4201 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
4202 goto end;
976e5323
MC		 4203 /* Fall through */
4204 case 4:
4205 /* Set consistent SNI */
976e5323
MC		 4206 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4207 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4208 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4209 hostname_cb)))
4210 goto end;
4211 break;
4212
4213 case 5:
4214 /*
4215 * Set inconsistent ALPN (server detected). In this case the connection
4216 * will succeed but reject early_data.
4217 */
4218 servalpn = "badalpn";
4219 edstatus = SSL_EARLY_DATA_REJECTED;
4220 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4221 /* Fall through */
4222 case 6:
976e5323 4223 /*
57dee9bb 4224 * Set consistent ALPN.
976e5323
MC		 4225 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4226 * accepts a list of protos (each one length prefixed).
4227 * SSL_set1_alpn_selected accepts a single protocol (not length
4228 * prefixed)
4229 */
57dee9bb
MC		 4230 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4231 GOODALPNLEN - 1))
4232 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4233 GOODALPNLEN)))
976e5323
MC		 4234 goto end;
4235
4236 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4237 break;
4238
57dee9bb
MC		 4239 case 7:
4240 /* Set inconsistent ALPN (late client detection) */
4241 SSL_SESSION_free(serverpsk);
4242 serverpsk = SSL_SESSION_dup(clientpsk);
4243 if (!TEST_ptr(serverpsk)
4244 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4245 BADALPN + 1,
4246 BADALPNLEN - 1))
4247 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4248 GOODALPN + 1,
4249 GOODALPNLEN - 1))
4250 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4251 sizeof(alpnlist))))
4252 goto end;
4253 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4254 edstatus = SSL_EARLY_DATA_ACCEPTED;
4255 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4256 /* SSL_connect() call should fail */
4257 connectres = -1;
4258 break;
4259
976e5323
MC		 4260 default:
4261 TEST_error("Bad test index");
4262 goto end;
4263 }
4264
4265 SSL_set_connect_state(clientssl);
4266 if (err != 0) {
4267 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4268 &written))
4269 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4270 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4271 goto end;
4272 } else {
4273 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 4274 &written)))
4275 goto end;
4276
4277 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4278 &readbytes), readearlyres)
976e5323
MC		 4279 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4280 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 4281 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4282 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 4283 goto end;
4284 }
4285
4286 testresult = 1;
4287
4288 end:
c20e3b28 4289 SSL_SESSION_free(sess);
57dee9bb
MC		 4290 SSL_SESSION_free(clientpsk);
4291 SSL_SESSION_free(serverpsk);
4292 clientpsk = serverpsk = NULL;
976e5323
MC		 4293 SSL_free(serverssl);
4294 SSL_free(clientssl);
4295 SSL_CTX_free(sctx);
4296 SSL_CTX_free(cctx);
4297 return testresult;
4298}
4299
0b2b0be9 4300/*
4301 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4302 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4303 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4304 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4305 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4306 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4307 */
4308static int test_early_data_psk_with_all_ciphers(int idx)
4309{
4310 SSL_CTX *cctx = NULL, *sctx = NULL;
4311 SSL *clientssl = NULL, *serverssl = NULL;
4312 int testresult = 0;
4313 SSL_SESSION *sess = NULL;
4314 unsigned char buf[20];
4315 size_t readbytes, written;
4316 const SSL_CIPHER *cipher;
4317 const char *cipher_str[] = {
4318 TLS1_3_RFC_AES_128_GCM_SHA256,
4319 TLS1_3_RFC_AES_256_GCM_SHA384,
4320# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4321 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4322# else
4323 NULL,
4324# endif
4325 TLS1_3_RFC_AES_128_CCM_SHA256,
4326 TLS1_3_RFC_AES_128_CCM_8_SHA256
4327 };
4328 const unsigned char *cipher_bytes[] = {
4329 TLS13_AES_128_GCM_SHA256_BYTES,
4330 TLS13_AES_256_GCM_SHA384_BYTES,
4331# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4332 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4333# else
4334 NULL,
4335# endif
4336 TLS13_AES_128_CCM_SHA256_BYTES,
4337 TLS13_AES_128_CCM_8_SHA256_BYTES
4338 };
4339
4340 if (cipher_str[idx] == NULL)
4341 return 1;
4342 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4343 if (idx == 2 && is_fips == 1)
4344 return 1;
4345
4346 /* We always set this up with a final parameter of "2" for PSK */
4347 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4348 &serverssl, &sess, 2)))
4349 goto end;
4350
e0710222
P		 4351 if (idx == 4) {
4352 /* CCM8 ciphers are considered low security due to their short tag */
4353 SSL_set_security_level(clientssl, 0);
4354 SSL_set_security_level(serverssl, 0);
4355 }
4356
0b2b0be9 4357 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4358 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4359 goto end;
4360
4361 /*
4362 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4363 * and assigns to both client and server with incremented reference
4364 * and the same instance is updated in 'sess'.
4365 * So updating ciphersuite in 'sess' which will get reflected in
4366 * PSK handshake using psk use sess and find sess cb.
4367 */
4368 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4369 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4370 goto end;
4371
4372 SSL_set_connect_state(clientssl);
4373 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4374 &written)))
4375 goto end;
4376
4377 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4378 &readbytes),
4379 SSL_READ_EARLY_DATA_SUCCESS)
4380 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4381 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4382 SSL_EARLY_DATA_ACCEPTED)
4383 || !TEST_int_eq(SSL_connect(clientssl), 1)
4384 || !TEST_int_eq(SSL_accept(serverssl), 1))
4385 goto end;
4386
4387 /* Send some normal data from client to server */
4388 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4389 || !TEST_size_t_eq(written, strlen(MSG2)))
4390 goto end;
4391
4392 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4393 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4394 goto end;
4395
4396 testresult = 1;
4397 end:
4398 SSL_SESSION_free(sess);
4399 SSL_SESSION_free(clientpsk);
4400 SSL_SESSION_free(serverpsk);
4401 clientpsk = serverpsk = NULL;
4402 if (clientssl != NULL)
4403 SSL_shutdown(clientssl);
4404 if (serverssl != NULL)
4405 SSL_shutdown(serverssl);
4406 SSL_free(serverssl);
4407 SSL_free(clientssl);
4408 SSL_CTX_free(sctx);
4409 SSL_CTX_free(cctx);
4410 return testresult;
4411}
4412
710756a9
RS		 4413/*
4414 * Test that a server that doesn't try to read early data can handle a
4415 * client sending some.
4416 */
3cb47b4e 4417static int test_early_data_not_expected(int idx)
5f982038
MC		 4418{
4419 SSL_CTX *cctx = NULL, *sctx = NULL;
4420 SSL *clientssl = NULL, *serverssl = NULL;
4421 int testresult = 0;
018fcbec 4422 SSL_SESSION *sess = NULL;
5f982038
MC		 4423 unsigned char buf[20];
4424 size_t readbytes, written;
4425
710756a9
RS		 4426 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4427 &serverssl, &sess, idx)))
5f982038
MC		 4428 goto end;
4429
4430 /* Write some early data */
710756a9
RS		 4431 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4432 &written)))
5f982038 4433 goto end;
5f982038
MC		 4434
4435 /*
4436 * Server should skip over early data and then block waiting for client to
4437 * continue handshake
4438 */
710756a9
RS		 4439 if (!TEST_int_le(SSL_accept(serverssl), 0)
4440 || !TEST_int_gt(SSL_connect(clientssl), 0)
4441 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4442 SSL_EARLY_DATA_REJECTED)
4443 || !TEST_int_gt(SSL_accept(serverssl), 0)
4444 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4445 SSL_EARLY_DATA_REJECTED))
5f982038 4446 goto end;
5f982038
MC		 4447
4448 /* Send some normal data from client to server */
710756a9
RS		 4449 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4450 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 4451 goto end;
5f982038 4452
710756a9
RS		 4453 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4454 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4455 goto end;
5f982038
MC		 4456
4457 testresult = 1;
4458
4459 end:
5f982038 4460 SSL_SESSION_free(sess);
c20e3b28 4461 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 4462 SSL_SESSION_free(serverpsk);
4463 clientpsk = serverpsk = NULL;
5f982038
MC		 4464 SSL_free(serverssl);
4465 SSL_free(clientssl);
4466 SSL_CTX_free(sctx);
4467 SSL_CTX_free(cctx);
5f982038
MC		 4468 return testresult;
4469}
4470
4471
4472# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 4473/*
4474 * Test that a server attempting to read early data can handle a connection
4475 * from a TLSv1.2 client.
4476 */
3cb47b4e 4477static int test_early_data_tls1_2(int idx)
5f982038
MC		 4478{
4479 SSL_CTX *cctx = NULL, *sctx = NULL;
4480 SSL *clientssl = NULL, *serverssl = NULL;
4481 int testresult = 0;
4482 unsigned char buf[20];
4483 size_t readbytes, written;
4484
02a3ed5a
MC		 4485 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4486 &serverssl, NULL, idx)))
5f982038 4487 goto end;
5f982038
MC		 4488
4489 /* Write some data - should block due to handshake with server */
4490 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4491 SSL_set_connect_state(clientssl);
710756a9 4492 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 4493 goto end;
5f982038
MC		 4494
4495 /*
4496 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 4497 * messages from client after ServerDone. Then SSL_read_early_data should
4498 * finish and detect that early data has not been sent
5f982038 4499 */
710756a9
RS		 4500 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4501 &readbytes),
4502 SSL_READ_EARLY_DATA_ERROR))
5f982038 4503 goto end;
5f982038
MC		 4504
4505 /*
4506 * Continue writing the message we started earlier. Will still block waiting
4507 * for the CCS/Finished from server
4508 */
710756a9
RS		 4509 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4510 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4511 &readbytes),
4512 SSL_READ_EARLY_DATA_FINISH)
4513 || !TEST_size_t_eq(readbytes, 0)
4514 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4515 SSL_EARLY_DATA_NOT_SENT))
5f982038 4516 goto end;
5f982038
MC		 4517
4518 /* Continue writing the message we started earlier */
710756a9
RS		 4519 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4520 || !TEST_size_t_eq(written, strlen(MSG1))
4521 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4522 SSL_EARLY_DATA_NOT_SENT)
4523 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4524 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4525 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4526 || !TEST_size_t_eq(written, strlen(MSG2))
4527 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4528 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4529 goto end;
5f982038
MC		 4530
4531 testresult = 1;
4532
4533 end:
57dee9bb
MC		 4534 SSL_SESSION_free(clientpsk);
4535 SSL_SESSION_free(serverpsk);
4536 clientpsk = serverpsk = NULL;
5f982038
MC		 4537 SSL_free(serverssl);
4538 SSL_free(clientssl);
4539 SSL_CTX_free(sctx);
4540 SSL_CTX_free(cctx);
4541
4542 return testresult;
4543}
ca0413ae
MC		 4544# endif /* OPENSSL_NO_TLS1_2 */
4545
034cb87b
MC		 4546/*
4547 * Test configuring the TLSv1.3 ciphersuites
4548 *
4549 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4550 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4551 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4552 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4553 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4554 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4555 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4556 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4557 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4558 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4559 */
4560static int test_set_ciphersuite(int idx)
4561{
4562 SSL_CTX *cctx = NULL, *sctx = NULL;
4563 SSL *clientssl = NULL, *serverssl = NULL;
4564 int testresult = 0;
4565
5e30f2fd
MC		 4566 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4567 TLS_client_method(), TLS1_VERSION, 0,
034cb87b
MC		 4568 &sctx, &cctx, cert, privkey))
4569 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4570 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4571 goto end;
4572
4573 if (idx >=4 && idx <= 7) {
4574 /* SSL_CTX explicit cipher list */
4575 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4576 goto end;
4577 }
4578
4579 if (idx == 0 || idx == 4) {
4580 /* Default ciphersuite */
4581 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4582 "TLS_AES_128_GCM_SHA256")))
4583 goto end;
4584 } else if (idx == 1 || idx == 5) {
4585 /* Non default ciphersuite */
4586 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4587 "TLS_AES_128_CCM_SHA256")))
4588 goto end;
4589 }
4590
4591 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4592 &clientssl, NULL, NULL)))
4593 goto end;
4594
4595 if (idx == 8 || idx == 9) {
4596 /* SSL explicit cipher list */
4597 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4598 goto end;
4599 }
4600
4601 if (idx == 2 || idx == 6 || idx == 8) {
4602 /* Default ciphersuite */
4603 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4604 "TLS_AES_128_GCM_SHA256")))
4605 goto end;
4606 } else if (idx == 3 || idx == 7 || idx == 9) {
4607 /* Non default ciphersuite */
4608 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4609 "TLS_AES_128_CCM_SHA256")))
4610 goto end;
4611 }
4612
4613 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4614 goto end;
4615
4616 testresult = 1;
4617
4618 end:
4619 SSL_free(serverssl);
4620 SSL_free(clientssl);
4621 SSL_CTX_free(sctx);
4622 SSL_CTX_free(cctx);
4623
4624 return testresult;
4625}
4626
ca0413ae
MC		 4627static int test_ciphersuite_change(void)
4628{
4629 SSL_CTX *cctx = NULL, *sctx = NULL;
4630 SSL *clientssl = NULL, *serverssl = NULL;
4631 SSL_SESSION *clntsess = NULL;
4632 int testresult = 0;
4633 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4634
4635 /* Create a session based on SHA-256 */
5e30f2fd
MC		 4636 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4637 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 4638 &sctx, &cctx, cert, privkey))
4f6c7044
MC		 4639 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4640 "TLS_AES_128_GCM_SHA256:"
4641 "TLS_AES_256_GCM_SHA384:"
4642 "TLS_AES_128_CCM_SHA256"))
f865b081 4643 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
e0710222
P		 4644 "TLS_AES_128_GCM_SHA256")))
4645 goto end;
4646
4647 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4648 NULL, NULL))
ca0413ae
MC		 4649 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4650 SSL_ERROR_NONE)))
4651 goto end;
4652
4653 clntsess = SSL_get1_session(clientssl);
4654 /* Save for later */
4655 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4656 SSL_shutdown(clientssl);
4657 SSL_shutdown(serverssl);
4658 SSL_free(serverssl);
4659 SSL_free(clientssl);
4660 serverssl = clientssl = NULL;
4661
4662 /* Check we can resume a session with a different SHA-256 ciphersuite */
f865b081 4663 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4f6c7044
MC		 4664 "TLS_AES_128_CCM_SHA256"))
4665 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4666 &clientssl, NULL, NULL))
ca0413ae
MC		 4667 || !TEST_true(SSL_set_session(clientssl, clntsess))
4668 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4669 SSL_ERROR_NONE))
4670 || !TEST_true(SSL_session_reused(clientssl)))
4671 goto end;
4672
4673 SSL_SESSION_free(clntsess);
4674 clntsess = SSL_get1_session(clientssl);
4675 SSL_shutdown(clientssl);
4676 SSL_shutdown(serverssl);
4677 SSL_free(serverssl);
4678 SSL_free(clientssl);
4679 serverssl = clientssl = NULL;
4680
4681 /*
4682 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 4683 * succeeds but does not resume.
ca0413ae 4684 */
f865b081 4685 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4686 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4687 NULL, NULL))
4688 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 4689 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 4690 SSL_ERROR_SSL))
0de6d66d 4691 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 4692 goto end;
4693
4694 SSL_SESSION_free(clntsess);
4695 clntsess = NULL;
4696 SSL_shutdown(clientssl);
4697 SSL_shutdown(serverssl);
4698 SSL_free(serverssl);
4699 SSL_free(clientssl);
4700 serverssl = clientssl = NULL;
4701
4702 /* Create a session based on SHA384 */
f865b081 4703 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4704 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4705 &clientssl, NULL, NULL))
4706 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4707 SSL_ERROR_NONE)))
4708 goto end;
4709
4710 clntsess = SSL_get1_session(clientssl);
4711 SSL_shutdown(clientssl);
4712 SSL_shutdown(serverssl);
4713 SSL_free(serverssl);
4714 SSL_free(clientssl);
4715 serverssl = clientssl = NULL;
4716
f865b081
MC		 4717 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4718 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4719 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4720 "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4721 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4722 NULL, NULL))
4723 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 4724 /*
4725 * We use SSL_ERROR_WANT_READ below so that we can pause the
4726 * connection after the initial ClientHello has been sent to
4727 * enable us to make some session changes.
4728 */
ca0413ae
MC		 4729 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4730 SSL_ERROR_WANT_READ)))
4731 goto end;
4732
4733 /* Trick the client into thinking this session is for a different digest */
4734 clntsess->cipher = aes_128_gcm_sha256;
4735 clntsess->cipher_id = clntsess->cipher->id;
4736
4737 /*
3b0e88d3
MC		 4738 * Continue the previously started connection. Server has selected a SHA-384
4739 * ciphersuite, but client thinks the session is for SHA-256, so it should
4740 * bail out.
ca0413ae
MC		 4741 */
4742 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4743 SSL_ERROR_SSL))
4744 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4745 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4746 goto end;
4747
4748 testresult = 1;
4749
4750 end:
4751 SSL_SESSION_free(clntsess);
4752 SSL_free(serverssl);
4753 SSL_free(clientssl);
4754 SSL_CTX_free(sctx);
4755 SSL_CTX_free(cctx);
4756
4757 return testresult;
4758}
4759
8e63900a 4760/*
5bf2eade 4761 * Test TLSv1.3 Key exchange
4762 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4763 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4764 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4765 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4766 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4767 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4768 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4769 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4770 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4771 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4772 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4773 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4774 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4775 * Test 13 = Test all FFDHE with TLSv1.2 client and server
8e63900a 4776 */
f89d3d69
BK		 4777# ifndef OPENSSL_NO_EC
4778static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4779 NID_secp521r1, NID_X25519, NID_X448};
4780# endif
4781# ifndef OPENSSL_NO_DH
4782static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4783 NID_ffdhe6144, NID_ffdhe8192};
4784# endif
db26ec80 4785static int test_key_exchange(int idx)
8e63900a 4786{
4787 SSL_CTX *sctx = NULL, *cctx = NULL;
4788 SSL *serverssl = NULL, *clientssl = NULL;
4789 int testresult = 0;
fb8c6db4 4790 int kexch_alg;
4791 int *kexch_groups = &kexch_alg;
4792 int kexch_groups_size = 1;
8e63900a 4793 int max_version = TLS1_3_VERSION;
becbacd7 4794 char *kexch_name0 = NULL;
8e63900a 4795
4796 switch (idx) {
5bf2eade 4797# ifndef OPENSSL_NO_EC
db26ec80 4798# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4799 case 12:
fb8c6db4 4800 max_version = TLS1_2_VERSION;
db26ec80 4801# endif
fb8c6db4 4802 /* Fall through */
4803 case 0:
4804 kexch_groups = ecdhe_kexch_groups;
4805 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
becbacd7 4806 kexch_name0 = "secp256r1";
fb8c6db4 4807 break;
5bf2eade 4808 case 1:
fb8c6db4 4809 kexch_alg = NID_X9_62_prime256v1;
becbacd7 4810 kexch_name0 = "secp256r1";
fb8c6db4 4811 break;
5bf2eade 4812 case 2:
fb8c6db4 4813 kexch_alg = NID_secp384r1;
becbacd7 4814 kexch_name0 = "secp384r1";
fb8c6db4 4815 break;
5bf2eade 4816 case 3:
fb8c6db4 4817 kexch_alg = NID_secp521r1;
becbacd7 4818 kexch_name0 = "secp521r1";
fb8c6db4 4819 break;
5bf2eade 4820 case 4:
fb8c6db4 4821 kexch_alg = NID_X25519;
becbacd7 4822 kexch_name0 = "x25519";
fb8c6db4 4823 break;
5bf2eade 4824 case 5:
fb8c6db4 4825 kexch_alg = NID_X448;
becbacd7 4826 kexch_name0 = "x448";
fb8c6db4 4827 break;
5bf2eade 4828# endif
4829# ifndef OPENSSL_NO_DH
db26ec80 4830# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4831 case 13:
dbc6268f 4832 max_version = TLS1_2_VERSION;
becbacd7 4833 kexch_name0 = "ffdhe2048";
db26ec80 4834# endif
dbc6268f 4835 /* Fall through */
5bf2eade 4836 case 6:
8e63900a 4837 kexch_groups = ffdhe_kexch_groups;
4838 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
becbacd7 4839 kexch_name0 = "ffdhe2048";
8e63900a 4840 break;
5bf2eade 4841 case 7:
fb8c6db4 4842 kexch_alg = NID_ffdhe2048;
becbacd7 4843 kexch_name0 = "ffdhe2048";
fb8c6db4 4844 break;
5bf2eade 4845 case 8:
fb8c6db4 4846 kexch_alg = NID_ffdhe3072;
becbacd7 4847 kexch_name0 = "ffdhe3072";
fb8c6db4 4848 break;
5bf2eade 4849 case 9:
fb8c6db4 4850 kexch_alg = NID_ffdhe4096;
becbacd7 4851 kexch_name0 = "ffdhe4096";
fb8c6db4 4852 break;
5bf2eade 4853 case 10:
fb8c6db4 4854 kexch_alg = NID_ffdhe6144;
becbacd7 4855 kexch_name0 = "ffdhe6144";
fb8c6db4 4856 break;
5bf2eade 4857 case 11:
fb8c6db4 4858 kexch_alg = NID_ffdhe8192;
becbacd7 4859 kexch_name0 = "ffdhe8192";
8e63900a 4860 break;
5bf2eade 4861# endif
6597d62b
MC		 4862 default:
4863 /* We're skipping this test */
4864 return 1;
8e63900a 4865 }
4866
5e30f2fd
MC		 4867 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4868 TLS_client_method(), TLS1_VERSION,
4869 max_version, &sctx, &cctx, cert,
4870 privkey)))
8e63900a 4871 goto end;
4872
5bf2eade 4873 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4874 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4875 goto end;
4876
5bf2eade 4877 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4878 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4879 goto end;
4880
5bf2eade 4881 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
75d48520
BK		 4882 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4883 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4884 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
8e63900a 4885 goto end;
4886
dbc6268f
MC		 4887 /*
4888 * Must include an EC ciphersuite so that we send supported groups in
4889 * TLSv1.2
4890 */
5bf2eade 4891# ifndef OPENSSL_NO_TLS1_2
dbc6268f 4892 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
75d48520
BK		 4893 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4894 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
8e63900a 4895 goto end;
5bf2eade 4896# endif
8e63900a 4897
4898 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4899 NULL, NULL)))
4900 goto end;
4901
4902 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4903 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4904 goto end;
4905
5bf2eade 4906 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8e63900a 4907 goto end;
8e63900a 4908
dbc6268f 4909 /*
5bf2eade 4910 * If Handshake succeeds the negotiated kexch alg should be the first one in
4911 * configured, except in the case of FFDHE groups (idx 13), which are
4912 * TLSv1.3 only so we expect no shared group to exist.
dbc6268f
MC		 4913 */
4914 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
5bf2eade 4915 idx == 13 ? 0 : kexch_groups[0]))
8e63900a 4916 goto end;
becbacd7
MB		 4917
4918 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
4919 kexch_name0))
4920 goto end;
4921
75d48520
BK		 4922 /* We don't implement RFC 7919 named groups for TLS 1.2. */
4923 if (idx != 13) {
fb8c6db4 4924 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4925 goto end;
4926 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4927 goto end;
4928 }
8e63900a 4929
4930 testresult = 1;
4931 end:
4932 SSL_free(serverssl);
4933 SSL_free(clientssl);
4934 SSL_CTX_free(sctx);
4935 SSL_CTX_free(cctx);
4936 return testresult;
4937}
4938
c9cddf05
P		 4939# if !defined(OPENSSL_NO_TLS1_2) \
4940 && !defined(OPENSSL_NO_EC) \
4941 && !defined(OPENSSL_NO_DH)
6dc56df2
BK		 4942static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
4943 int isecdhe, int idx)
4944{
4945 int kexch_alg;
4946 int *kexch_groups = &kexch_alg;
4947 int numec, numff;
4948
4949 numec = OSSL_NELEM(ecdhe_kexch_groups);
4950 numff = OSSL_NELEM(ffdhe_kexch_groups);
4951 if (isecdhe)
4952 kexch_alg = ecdhe_kexch_groups[idx];
4953 else
4954 kexch_alg = ffdhe_kexch_groups[idx];
4955
4956 if (clientmulti) {
4957 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
4958 return 0;
4959 if (isecdhe) {
4960 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
4961 numec)))
4962 return 0;
4963 } else {
4964 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
4965 numff)))
4966 return 0;
4967 }
4968 } else {
4969 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
4970 return 0;
4971 if (isecdhe) {
4972 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
4973 numec)))
4974 return 0;
4975 } else {
4976 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
4977 numff)))
4978 return 0;
4979 }
4980 }
4981 return 1;
4982}
4983
4984/*-
4985 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
4986 * Run through both the ECDHE and FFDHE group lists used in the previous
4987 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
4988 * confirming the expected result; then perform a resumption handshake
4989 * while offering the same group list, and another resumption handshake
4990 * offering a different group list. The returned value should be the
4991 * negotiated group for the initial handshake; for TLS 1.3 resumption
4992 * handshakes the returned value will be negotiated on the resumption
4993 * handshake itself, but for TLS 1.2 resumption handshakes the value will
4994 * be cached in the session from the original handshake, regardless of what
4995 * was offered in the resumption ClientHello.
4996 *
4997 * Using E for the number of EC groups and F for the number of FF groups:
6dc56df2
BK		 4998 * E tests of ECDHE with TLS 1.3, server only has one group
4999 * F tests of FFDHE with TLS 1.3, server only has one group
5000 * E tests of ECDHE with TLS 1.2, server only has one group
5001 * F tests of FFDHE with TLS 1.2, server only has one group
3bd5319b
BK		 5002 * E tests of ECDHE with TLS 1.3, client sends only one group
5003 * F tests of FFDHE with TLS 1.3, client sends only one group
5004 * E tests of ECDHE with TLS 1.2, client sends only one group
5005 * F tests of FFDHE with TLS 1.2, client sends only one group
6dc56df2
BK		 5006 */
5007static int test_negotiated_group(int idx)
5008{
5009 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
5010 int expectednid;
5011 SSL_CTX *sctx = NULL, *cctx = NULL;
5012 SSL *serverssl = NULL, *clientssl = NULL;
5013 SSL_SESSION *origsess = NULL;
5014 int testresult = 0;
5015 int kexch_alg;
5016 int max_version = TLS1_3_VERSION;
5017
5018 numec = OSSL_NELEM(ecdhe_kexch_groups);
5019 numff = OSSL_NELEM(ffdhe_kexch_groups);
5020 numgroups = numec + numff;
5021 clientmulti = (idx < 2 * numgroups);
5022 idx = idx % (2 * numgroups);
5023 istls13 = (idx < numgroups);
5024 idx = idx % numgroups;
5025 isecdhe = (idx < numec);
5026 if (!isecdhe)
5027 idx -= numec;
5028 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
5029 if (isecdhe)
5030 kexch_alg = ecdhe_kexch_groups[idx];
5031 else
5032 kexch_alg = ffdhe_kexch_groups[idx];
5033 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
5034 if (!istls13 && !isecdhe)
5035 expectednid = NID_undef;
5036 else
5037 expectednid = kexch_alg;
5038
5039 if (!istls13)
5040 max_version = TLS1_2_VERSION;
5041
5042 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5043 TLS_client_method(), TLS1_VERSION,
5044 max_version, &sctx, &cctx, cert,
5045 privkey)))
5046 goto end;
5047
5048 /*
5049 * Force (EC)DHE ciphers for TLS 1.2.
5050 * Be sure to enable auto tmp DH so that FFDHE can succeed.
5051 */
5052 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5053 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5054 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5055 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5056 goto end;
5057 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5058 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5059 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5060 goto end;
5061
5062 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5063 NULL, NULL)))
5064 goto end;
5065
5066 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
5067 idx)))
5068 goto end;
5069
5070 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5071 goto end;
5072
5073 /* Initial handshake; always the configured one */
5074 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5075 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5076 goto end;
5077
5078 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
5079 goto end;
5080
5081 SSL_shutdown(clientssl);
5082 SSL_shutdown(serverssl);
5083 SSL_free(serverssl);
5084 SSL_free(clientssl);
5085 serverssl = clientssl = NULL;
5086
5087 /* First resumption attempt; use the same config as initial handshake */
5088 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5089 NULL, NULL))
5090 || !TEST_true(SSL_set_session(clientssl, origsess))
5091 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5092 isecdhe, idx)))
5093 goto end;
5094
5095 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5096 || !TEST_true(SSL_session_reused(clientssl)))
5097 goto end;
5098
5099 /* Still had better agree, since nothing changed... */
5100 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5101 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5102 goto end;
5103
5104 SSL_shutdown(clientssl);
5105 SSL_shutdown(serverssl);
5106 SSL_free(serverssl);
5107 SSL_free(clientssl);
5108 serverssl = clientssl = NULL;
5109
5110 /*-
5111 * Second resumption attempt
5112 * The party that picks one group changes it, which we effectuate by
5113 * changing 'idx' and updating what we expect.
5114 */
5115 if (idx == 0)
5116 idx = 1;
5117 else
5118 idx--;
5119 if (istls13) {
5120 if (isecdhe)
5121 expectednid = ecdhe_kexch_groups[idx];
5122 else
5123 expectednid = ffdhe_kexch_groups[idx];
5124 /* Verify that we are changing what we expect. */
5125 if (!TEST_int_ne(expectednid, kexch_alg))
5126 goto end;
5127 } else {
5128 /* TLS 1.2 only supports named groups for ECDHE. */
5129 if (isecdhe)
5130 expectednid = kexch_alg;
5131 else
5132 expectednid = 0;
5133 }
5134 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5135 NULL, NULL))
5136 || !TEST_true(SSL_set_session(clientssl, origsess))
5137 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5138 isecdhe, idx)))
5139 goto end;
5140
5141 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5142 || !TEST_true(SSL_session_reused(clientssl)))
5143 goto end;
5144
5145 /* Check that we get what we expected */
5146 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5147 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5148 goto end;
5149
5150 testresult = 1;
5151 end:
5152 SSL_free(serverssl);
5153 SSL_free(clientssl);
5154 SSL_CTX_free(sctx);
5155 SSL_CTX_free(cctx);
5156 SSL_SESSION_free(origsess);
5157 return testresult;
5158}
5159# endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
5160
5bf2eade 5161/*
5162 * Test TLSv1.3 Cipher Suite
5163 * Test 0 = Set TLS1.3 cipher on context
5164 * Test 1 = Set TLS1.3 cipher on SSL
5165 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
5166 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
5167 */
5168static int test_tls13_ciphersuite(int idx)
5169{
5170 SSL_CTX *sctx = NULL, *cctx = NULL;
5171 SSL *serverssl = NULL, *clientssl = NULL;
4f6c7044
MC		 5172 static const struct {
5173 const char *ciphername;
5174 int fipscapable;
e0710222 5175 int low_security;
4f6c7044 5176 } t13_ciphers[] = {
e0710222
P		 5177 { TLS1_3_RFC_AES_128_GCM_SHA256, 1, 0 },
5178 { TLS1_3_RFC_AES_256_GCM_SHA384, 1, 0 },
5179 { TLS1_3_RFC_AES_128_CCM_SHA256, 1, 0 },
5bf2eade 5180# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e0710222 5181 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
4f6c7044 5182 { TLS1_3_RFC_AES_256_GCM_SHA384
e0710222 5183 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5bf2eade 5184# endif
e0710222
P		 5185 /* CCM8 ciphers are considered low security due to their short tag */
5186 { TLS1_3_RFC_AES_128_CCM_8_SHA256
5187 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1, 1 }
5bf2eade 5188 };
5189 const char *t13_cipher = NULL;
5190 const char *t12_cipher = NULL;
5191 const char *negotiated_scipher;
5192 const char *negotiated_ccipher;
5193 int set_at_ctx = 0;
5194 int set_at_ssl = 0;
5195 int testresult = 0;
5196 int max_ver;
5197 size_t i;
5198
5199 switch (idx) {
5200 case 0:
5201 set_at_ctx = 1;
5202 break;
5203 case 1:
5204 set_at_ssl = 1;
5205 break;
5206 case 2:
5207 set_at_ctx = 1;
2d900758 5208 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 5209 break;
5210 case 3:
5211 set_at_ssl = 1;
2d900758 5212 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 5213 break;
5214 }
5215
5216 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5217# ifdef OPENSSL_NO_TLS1_2
5218 if (max_ver == TLS1_2_VERSION)
5219 continue;
5220# endif
5221 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4f6c7044
MC		 5222 if (is_fips && !t13_ciphers[i].fipscapable)
5223 continue;
5224 t13_cipher = t13_ciphers[i].ciphername;
5e30f2fd 5225 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5bf2eade 5226 TLS_client_method(),
5227 TLS1_VERSION, max_ver,
5228 &sctx, &cctx, cert, privkey)))
5229 goto end;
5230
e0710222
P		 5231 if (t13_ciphers[i].low_security) {
5232 SSL_CTX_set_security_level(sctx, 0);
5233 SSL_CTX_set_security_level(cctx, 0);
5234 }
5235
5bf2eade 5236 if (set_at_ctx) {
5237 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5238 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5239 goto end;
5240 if (t12_cipher != NULL) {
5241 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5242 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5243 t12_cipher)))
5244 goto end;
5245 }
5246 }
5247
5248 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5249 &clientssl, NULL, NULL)))
5250 goto end;
5251
5252 if (set_at_ssl) {
5253 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5254 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5255 goto end;
5256 if (t12_cipher != NULL) {
5257 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5258 || !TEST_true(SSL_set_cipher_list(clientssl,
5259 t12_cipher)))
5260 goto end;
5261 }
5262 }
5263
5264 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5265 SSL_ERROR_NONE)))
5266 goto end;
5267
5268 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5269 serverssl));
5270 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5271 clientssl));
5272 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5273 goto end;
5274
5275 /*
5276 * TEST_strn_eq is used below because t13_cipher can contain
5277 * multiple ciphersuites
5278 */
5279 if (max_ver == TLS1_3_VERSION
5280 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5281 strlen(negotiated_scipher)))
5282 goto end;
5283
5284# ifndef OPENSSL_NO_TLS1_2
5285 /* Below validation is not done when t12_cipher is NULL */
5286 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5287 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5288 goto end;
5289# endif
5290
5291 SSL_free(serverssl);
5292 serverssl = NULL;
5293 SSL_free(clientssl);
5294 clientssl = NULL;
5295 SSL_CTX_free(sctx);
5296 sctx = NULL;
5297 SSL_CTX_free(cctx);
5298 cctx = NULL;
5299 }
5300 }
5301
5302 testresult = 1;
5303 end:
5304 SSL_free(serverssl);
5305 SSL_free(clientssl);
5306 SSL_CTX_free(sctx);
5307 SSL_CTX_free(cctx);
5308 return testresult;
5309}
5310
0d8da779
MC		 5311/*
5312 * Test TLSv1.3 PSKs
5313 * Test 0 = Test new style callbacks
5314 * Test 1 = Test both new and old style callbacks
5315 * Test 2 = Test old style callbacks
5316 * Test 3 = Test old style callbacks with no certificate
5317 */
532f9578 5318static int test_tls13_psk(int idx)
ca8c71ba
MC		 5319{
5320 SSL_CTX *sctx = NULL, *cctx = NULL;
5321 SSL *serverssl = NULL, *clientssl = NULL;
5322 const SSL_CIPHER *cipher = NULL;
5323 const unsigned char key[] = {
5324 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5325 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 5326 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5327 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 5328 };
5329 int testresult = 0;
5330
5e30f2fd
MC		 5331 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5332 TLS_client_method(), TLS1_VERSION, 0,
0d8da779
MC		 5333 &sctx, &cctx, idx == 3 ? NULL : cert,
5334 idx == 3 ? NULL : privkey)))
ca8c71ba
MC		 5335 goto end;
5336
0d8da779
MC		 5337 if (idx != 3) {
5338 /*
5339 * We use a ciphersuite with SHA256 to ease testing old style PSK
5340 * callbacks which will always default to SHA256. This should not be
5341 * necessary if we have no cert/priv key. In that case the server should
5342 * prefer SHA256 automatically.
5343 */
5344 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5345 "TLS_AES_128_GCM_SHA256")))
5346 goto end;
4f6c7044
MC		 5347 } else {
5348 /*
5349 * As noted above the server should prefer SHA256 automatically. However
5350 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5351 * code works even if we are testing with only the FIPS provider loaded.
5352 */
5353 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5354 "TLS_AES_256_GCM_SHA384:"
5355 "TLS_AES_128_GCM_SHA256")))
5356 goto end;
0d8da779 5357 }
532f9578
MC		 5358
5359 /*
5360 * Test 0: New style callbacks only
5361 * Test 1: New and old style callbacks (only the new ones should be used)
5362 * Test 2: Old style callbacks only
5363 */
5364 if (idx == 0 || idx == 1) {
5365 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5366 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5367 }
c2b290c3 5368#ifndef OPENSSL_NO_PSK
0d8da779 5369 if (idx >= 1) {
532f9578
MC		 5370 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5371 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5372 }
c2b290c3 5373#endif
ca8c71ba 5374 srvid = pskid;
02a3ed5a
MC		 5375 use_session_cb_cnt = 0;
5376 find_session_cb_cnt = 0;
532f9578
MC		 5377 psk_client_cb_cnt = 0;
5378 psk_server_cb_cnt = 0;
ca8c71ba 5379
0d8da779
MC		 5380 if (idx != 3) {
5381 /*
5382 * Check we can create a connection if callback decides not to send a
5383 * PSK
5384 */
5385 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5386 NULL, NULL))
5387 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5388 SSL_ERROR_NONE))
5389 || !TEST_false(SSL_session_reused(clientssl))
5390 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 5391 goto end;
532f9578 5392
0d8da779
MC		 5393 if (idx == 0 || idx == 1) {
5394 if (!TEST_true(use_session_cb_cnt == 1)
5395 || !TEST_true(find_session_cb_cnt == 0)
5396 /*
5397 * If no old style callback then below should be 0
5398 * otherwise 1
5399 */
5400 || !TEST_true(psk_client_cb_cnt == idx)
5401 || !TEST_true(psk_server_cb_cnt == 0))
5402 goto end;
5403 } else {
5404 if (!TEST_true(use_session_cb_cnt == 0)
5405 || !TEST_true(find_session_cb_cnt == 0)
5406 || !TEST_true(psk_client_cb_cnt == 1)
5407 || !TEST_true(psk_server_cb_cnt == 0))
5408 goto end;
5409 }
5410
5411 shutdown_ssl_connection(serverssl, clientssl);
5412 serverssl = clientssl = NULL;
5413 use_session_cb_cnt = psk_client_cb_cnt = 0;
5414 }
ca8c71ba
MC		 5415
5416 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5417 NULL, NULL)))
5418 goto end;
5419
5420 /* Create the PSK */
532f9578 5421 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 5422 clientpsk = SSL_SESSION_new();
5423 if (!TEST_ptr(clientpsk)
ca8c71ba 5424 || !TEST_ptr(cipher)
57dee9bb
MC		 5425 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5426 sizeof(key)))
5427 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5428 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5429 TLS1_3_VERSION))
5430 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 5431 goto end;
57dee9bb 5432 serverpsk = clientpsk;
ca8c71ba
MC		 5433
5434 /* Check we can create a connection and the PSK is used */
5435 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5436 || !TEST_true(SSL_session_reused(clientssl))
532f9578 5437 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 5438 goto end;
5439
532f9578
MC		 5440 if (idx == 0 || idx == 1) {
5441 if (!TEST_true(use_session_cb_cnt == 1)
5442 || !TEST_true(find_session_cb_cnt == 1)
5443 || !TEST_true(psk_client_cb_cnt == 0)
5444 || !TEST_true(psk_server_cb_cnt == 0))
5445 goto end;
5446 } else {
5447 if (!TEST_true(use_session_cb_cnt == 0)
5448 || !TEST_true(find_session_cb_cnt == 0)
5449 || !TEST_true(psk_client_cb_cnt == 1)
5450 || !TEST_true(psk_server_cb_cnt == 1))
5451 goto end;
5452 }
5453
ca8c71ba
MC		 5454 shutdown_ssl_connection(serverssl, clientssl);
5455 serverssl = clientssl = NULL;
5456 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 5457 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 5458
5459 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5460 NULL, NULL)))
5461 goto end;
5462
5463 /* Force an HRR */
dbc6268f
MC		 5464#if defined(OPENSSL_NO_EC)
5465 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5466 goto end;
5467#else
ca8c71ba
MC		 5468 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
5469 goto end;
dbc6268f 5470#endif
ca8c71ba
MC		 5471
5472 /*
5473 * Check we can create a connection, the PSK is used and the callbacks are
5474 * called twice.
5475 */
5476 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5477 || !TEST_true(SSL_session_reused(clientssl))
532f9578 5478 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 5479 goto end;
5480
532f9578
MC		 5481 if (idx == 0 || idx == 1) {
5482 if (!TEST_true(use_session_cb_cnt == 2)
5483 || !TEST_true(find_session_cb_cnt == 2)
5484 || !TEST_true(psk_client_cb_cnt == 0)
5485 || !TEST_true(psk_server_cb_cnt == 0))
5486 goto end;
5487 } else {
5488 if (!TEST_true(use_session_cb_cnt == 0)
5489 || !TEST_true(find_session_cb_cnt == 0)
5490 || !TEST_true(psk_client_cb_cnt == 2)
5491 || !TEST_true(psk_server_cb_cnt == 2))
5492 goto end;
5493 }
5494
ca8c71ba
MC		 5495 shutdown_ssl_connection(serverssl, clientssl);
5496 serverssl = clientssl = NULL;
5497 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 5498 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba 5499
0d8da779
MC		 5500 if (idx != 3) {
5501 /*
5502 * Check that if the server rejects the PSK we can still connect, but with
5503 * a full handshake
5504 */
5505 srvid = "Dummy Identity";
5506 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5507 NULL, NULL))
5508 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5509 SSL_ERROR_NONE))
5510 || !TEST_false(SSL_session_reused(clientssl))
5511 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 5512 goto end;
532f9578 5513
0d8da779
MC		 5514 if (idx == 0 || idx == 1) {
5515 if (!TEST_true(use_session_cb_cnt == 1)
5516 || !TEST_true(find_session_cb_cnt == 1)
5517 || !TEST_true(psk_client_cb_cnt == 0)
5518 /*
5519 * If no old style callback then below should be 0
5520 * otherwise 1
5521 */
5522 || !TEST_true(psk_server_cb_cnt == idx))
5523 goto end;
5524 } else {
5525 if (!TEST_true(use_session_cb_cnt == 0)
5526 || !TEST_true(find_session_cb_cnt == 0)
5527 || !TEST_true(psk_client_cb_cnt == 1)
5528 || !TEST_true(psk_server_cb_cnt == 1))
5529 goto end;
5530 }
5531
5532 shutdown_ssl_connection(serverssl, clientssl);
5533 serverssl = clientssl = NULL;
5534 }
ca8c71ba
MC		 5535 testresult = 1;
5536
5537 end:
57dee9bb
MC		 5538 SSL_SESSION_free(clientpsk);
5539 SSL_SESSION_free(serverpsk);
5540 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 5541 SSL_free(serverssl);
5542 SSL_free(clientssl);
5543 SSL_CTX_free(sctx);
5544 SSL_CTX_free(cctx);
5545 return testresult;
5546}
5547
c7b8ff25
MC		 5548static unsigned char cookie_magic_value[] = "cookie magic";
5549
5550static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5551 unsigned int *cookie_len)
5552{
5553 /*
5554 * Not suitable as a real cookie generation function but good enough for
5555 * testing!
5556 */
97ea1e7f
MC		 5557 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5558 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 5559
5560 return 1;
5561}
5562
5563static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5564 unsigned int cookie_len)
5565{
97ea1e7f 5566 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 5567 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5568 return 1;
5569
5570 return 0;
5571}
5572
3fa2812f
BS		 5573static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5574 size_t *cookie_len)
5575{
5576 unsigned int temp;
5577 int res = generate_cookie_callback(ssl, cookie, &temp);
5578 *cookie_len = temp;
5579 return res;
5580}
5581
5582static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5583 size_t cookie_len)
5584{
5585 return verify_cookie_callback(ssl, cookie, cookie_len);
5586}
5587
c7b8ff25
MC		 5588static int test_stateless(void)
5589{
5590 SSL_CTX *sctx = NULL, *cctx = NULL;
5591 SSL *serverssl = NULL, *clientssl = NULL;
5592 int testresult = 0;
5593
5e30f2fd
MC		 5594 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5595 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5596 &sctx, &cctx, cert, privkey)))
c7b8ff25
MC		 5597 goto end;
5598
e440f513
MC		 5599 /* The arrival of CCS messages can confuse the test */
5600 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5601
5602 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5603 NULL, NULL))
5604 /* Send the first ClientHello */
5605 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5606 SSL_ERROR_WANT_READ))
5607 /*
5608 * This should fail with a -1 return because we have no callbacks
5609 * set up
5610 */
5611 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5612 goto end;
5613
5614 /* Fatal error so abandon the connection from this client */
5615 SSL_free(clientssl);
5616 clientssl = NULL;
5617
c7b8ff25 5618 /* Set up the cookie generation and verification callbacks */
3fa2812f
BS		 5619 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5620 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
c7b8ff25 5621
e440f513
MC		 5622 /*
5623 * Create a new connection from the client (we can reuse the server SSL
5624 * object).
5625 */
c7b8ff25
MC		 5626 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5627 NULL, NULL))
5628 /* Send the first ClientHello */
5629 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5630 SSL_ERROR_WANT_READ))
5631 /* This should fail because there is no cookie */
e440f513 5632 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 5633 goto end;
5634
5635 /* Abandon the connection from this client */
5636 SSL_free(clientssl);
5637 clientssl = NULL;
5638
5639 /*
5640 * Now create a connection from a new client but with the same server SSL
5641 * object
5642 */
5643 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5644 NULL, NULL))
5645 /* Send the first ClientHello */
5646 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5647 SSL_ERROR_WANT_READ))
5648 /* This should fail because there is no cookie */
e440f513 5649 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 5650 /* Send the second ClientHello */
5651 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5652 SSL_ERROR_WANT_READ))
5653 /* This should succeed because a cookie is now present */
e440f513 5654 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 5655 /* Complete the connection */
5656 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5657 SSL_ERROR_NONE)))
5658 goto end;
5659
5660 shutdown_ssl_connection(serverssl, clientssl);
5661 serverssl = clientssl = NULL;
5662 testresult = 1;
5663
5664 end:
5665 SSL_free(serverssl);
5666 SSL_free(clientssl);
5667 SSL_CTX_free(sctx);
5668 SSL_CTX_free(cctx);
5669 return testresult;
5670
5671}
a763ca11 5672#endif /* OSSL_NO_USABLE_TLS1_3 */
5f982038 5673
a37008d9
MC		 5674static int clntaddoldcb = 0;
5675static int clntparseoldcb = 0;
5676static int srvaddoldcb = 0;
5677static int srvparseoldcb = 0;
5678static int clntaddnewcb = 0;
5679static int clntparsenewcb = 0;
5680static int srvaddnewcb = 0;
5681static int srvparsenewcb = 0;
bb01ef3f 5682static int snicb = 0;
a37008d9
MC		 5683
5684#define TEST_EXT_TYPE1 0xff00
5685
5686static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5687 size_t *outlen, int *al, void *add_arg)
5688{
5689 int *server = (int *)add_arg;
5690 unsigned char *data;
5691
5692 if (SSL_is_server(s))
5693 srvaddoldcb++;
5694 else
5695 clntaddoldcb++;
5696
710756a9
RS		 5697 if (*server != SSL_is_server(s)
5698 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5699 return -1;
5700
5701 *data = 1;
5702 *out = data;
5703 *outlen = sizeof(char);
a37008d9
MC		 5704 return 1;
5705}
5706
5707static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5708 void *add_arg)
5709{
5710 OPENSSL_free((unsigned char *)out);
5711}
5712
5713static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5714 size_t inlen, int *al, void *parse_arg)
5715{
5716 int *server = (int *)parse_arg;
5717
5718 if (SSL_is_server(s))
5719 srvparseoldcb++;
5720 else
5721 clntparseoldcb++;
5722
710756a9
RS		 5723 if (*server != SSL_is_server(s)
5724 || inlen != sizeof(char)
5725 || *in != 1)
a37008d9
MC		 5726 return -1;
5727
5728 return 1;
5729}
5730
5731static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5732 const unsigned char **out, size_t *outlen, X509 *x,
5733 size_t chainidx, int *al, void *add_arg)
5734{
5735 int *server = (int *)add_arg;
5736 unsigned char *data;
5737
5738 if (SSL_is_server(s))
5739 srvaddnewcb++;
5740 else
5741 clntaddnewcb++;
5742
710756a9
RS		 5743 if (*server != SSL_is_server(s)
5744 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5745 return -1;
5746
5747 *data = 1;
5748 *out = data;
710756a9 5749 *outlen = sizeof(*data);
a37008d9
MC		 5750 return 1;
5751}
5752
5753static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5754 const unsigned char *out, void *add_arg)
5755{
5756 OPENSSL_free((unsigned char *)out);
5757}
5758
5759static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5760 const unsigned char *in, size_t inlen, X509 *x,
5761 size_t chainidx, int *al, void *parse_arg)
5762{
5763 int *server = (int *)parse_arg;
5764
5765 if (SSL_is_server(s))
5766 srvparsenewcb++;
5767 else
5768 clntparsenewcb++;
5769
710756a9
RS		 5770 if (*server != SSL_is_server(s)
5771 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 5772 return -1;
5773
5774 return 1;
5775}
bb01ef3f
MC		 5776
5777static int sni_cb(SSL *s, int *al, void *arg)
5778{
5779 SSL_CTX *ctx = (SSL_CTX *)arg;
5780
5781 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5782 *al = SSL_AD_INTERNAL_ERROR;
5783 return SSL_TLSEXT_ERR_ALERT_FATAL;
5784 }
5785 snicb++;
5786 return SSL_TLSEXT_ERR_OK;
5787}
5788
0db3a990
MC		 5789static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5790{
5791 return 1;
5792}
5793
a37008d9
MC		 5794/*
5795 * Custom call back tests.
5796 * Test 0: Old style callbacks in TLSv1.2
5797 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 5798 * Test 2: New style callbacks in TLSv1.2 with SNI
5799 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5800 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
0db3a990 5801 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
a37008d9 5802 */
710756a9
RS		 5803static int test_custom_exts(int tst)
5804{
bb01ef3f 5805 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 5806 SSL *clientssl = NULL, *serverssl = NULL;
5807 int testresult = 0;
5808 static int server = 1;
5809 static int client = 0;
5810 SSL_SESSION *sess = NULL;
5811 unsigned int context;
5812
a763ca11 5813#if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
c423ecaa
MC		 5814 /* Skip tests for TLSv1.2 and below in this case */
5815 if (tst < 3)
5816 return 1;
5817#endif
5818
a37008d9
MC		 5819 /* Reset callback counters */
5820 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5821 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 5822 snicb = 0;
a37008d9 5823
5e30f2fd
MC		 5824 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5825 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5826 &sctx, &cctx, cert, privkey)))
710756a9 5827 goto end;
a37008d9 5828
bb01ef3f 5829 if (tst == 2
5e30f2fd 5830 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5c587fb6 5831 TLS1_VERSION, 0,
7d7f6834 5832 &sctx2, NULL, cert, privkey)))
bb01ef3f
MC		 5833 goto end;
5834
5835
5836 if (tst < 3) {
a37008d9
MC		 5837 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5838 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 5839 if (sctx2 != NULL)
5840 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 5841 }
5842
0db3a990
MC		 5843 if (tst == 5) {
5844 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
5845 | SSL_EXT_TLS1_3_CERTIFICATE;
5846 SSL_CTX_set_verify(sctx,
5847 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
5848 verify_cb);
5849 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
5850 SSL_FILETYPE_PEM), 1)
5851 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
5852 SSL_FILETYPE_PEM), 1)
5853 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
5854 goto end;
5855 } else if (tst == 4) {
710756a9
RS		 5856 context = SSL_EXT_CLIENT_HELLO
5857 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 5858 | SSL_EXT_TLS1_3_SERVER_HELLO
5859 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5860 | SSL_EXT_TLS1_3_CERTIFICATE
5861 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5862 } else {
710756a9
RS		 5863 context = SSL_EXT_CLIENT_HELLO
5864 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 5865 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5866 }
5867
5868 /* Create a client side custom extension */
5869 if (tst == 0) {
710756a9
RS		 5870 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5871 old_add_cb, old_free_cb,
5872 &client, old_parse_cb,
5873 &client)))
5874 goto end;
a37008d9 5875 } else {
710756a9
RS		 5876 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5877 new_add_cb, new_free_cb,
5878 &client, new_parse_cb, &client)))
5879 goto end;
a37008d9
MC		 5880 }
5881
5882 /* Should not be able to add duplicates */
710756a9
RS		 5883 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5884 old_add_cb, old_free_cb,
5885 &client, old_parse_cb,
5886 &client))
5887 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5888 context, new_add_cb,
5889 new_free_cb, &client,
5890 new_parse_cb, &client)))
5891 goto end;
a37008d9
MC		 5892
5893 /* Create a server side custom extension */
5894 if (tst == 0) {
710756a9
RS		 5895 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5896 old_add_cb, old_free_cb,
5897 &server, old_parse_cb,
5898 &server)))
5899 goto end;
a37008d9 5900 } else {
710756a9
RS		 5901 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5902 new_add_cb, new_free_cb,
5903 &server, new_parse_cb, &server)))
5904 goto end;
bb01ef3f
MC		 5905 if (sctx2 != NULL
5906 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5907 context, new_add_cb,
5908 new_free_cb, &server,
5909 new_parse_cb, &server)))
5910 goto end;
a37008d9
MC		 5911 }
5912
5913 /* Should not be able to add duplicates */
710756a9
RS		 5914 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5915 old_add_cb, old_free_cb,
5916 &server, old_parse_cb,
5917 &server))
5918 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5919 context, new_add_cb,
5920 new_free_cb, &server,
5921 new_parse_cb, &server)))
a37008d9 5922 goto end;
a37008d9 5923
bb01ef3f
MC		 5924 if (tst == 2) {
5925 /* Set up SNI */
5926 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5927 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5928 goto end;
5929 }
5930
710756a9
RS		 5931 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5932 &clientssl, NULL, NULL))
5933 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5934 SSL_ERROR_NONE)))
a37008d9 5935 goto end;
a37008d9
MC		 5936
5937 if (tst == 0) {
710756a9
RS		 5938 if (clntaddoldcb != 1
5939 || clntparseoldcb != 1
5940 || srvaddoldcb != 1
5941 || srvparseoldcb != 1)
a37008d9 5942 goto end;
bb01ef3f 5943 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 5944 if (clntaddnewcb != 1
5945 || clntparsenewcb != 1
5946 || srvaddnewcb != 1
bb01ef3f
MC		 5947 || srvparsenewcb != 1
5948 || (tst != 2 && snicb != 0)
5949 || (tst == 2 && snicb != 1))
a37008d9 5950 goto end;
0db3a990
MC		 5951 } else if (tst == 5) {
5952 if (clntaddnewcb != 1
5953 || clntparsenewcb != 1
5954 || srvaddnewcb != 1
5955 || srvparsenewcb != 1)
5956 goto end;
a37008d9 5957 } else {
36ff232c 5958 /* In this case there 2 NewSessionTicket messages created */
710756a9 5959 if (clntaddnewcb != 1
36ff232c
MC		 5960 || clntparsenewcb != 5
5961 || srvaddnewcb != 5
710756a9 5962 || srvparsenewcb != 1)
a37008d9 5963 goto end;
a37008d9
MC		 5964 }
5965
5966 sess = SSL_get1_session(clientssl);
a37008d9
MC		 5967 SSL_shutdown(clientssl);
5968 SSL_shutdown(serverssl);
a37008d9
MC		 5969 SSL_free(serverssl);
5970 SSL_free(clientssl);
5971 serverssl = clientssl = NULL;
5972
0db3a990
MC		 5973 if (tst == 3 || tst == 5) {
5974 /* We don't bother with the resumption aspects for these tests */
bb01ef3f
MC		 5975 testresult = 1;
5976 goto end;
5977 }
5978
710756a9
RS		 5979 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5980 NULL, NULL))
5981 || !TEST_true(SSL_set_session(clientssl, sess))
5982 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5983 SSL_ERROR_NONE)))
a37008d9 5984 goto end;
a37008d9
MC		 5985
5986 /*
5987 * For a resumed session we expect to add the ClientHello extension. For the
5988 * old style callbacks we ignore it on the server side because they set
5989 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5990 * them.
5991 */
5992 if (tst == 0) {
710756a9
RS		 5993 if (clntaddoldcb != 2
5994 || clntparseoldcb != 1
5995 || srvaddoldcb != 1
5996 || srvparseoldcb != 1)
a37008d9 5997 goto end;
bb01ef3f 5998 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 5999 if (clntaddnewcb != 2
6000 || clntparsenewcb != 2
6001 || srvaddnewcb != 2
6002 || srvparsenewcb != 2)
a37008d9 6003 goto end;
a37008d9 6004 } else {
36ff232c
MC		 6005 /*
6006 * No Certificate message extensions in the resumption handshake,
6007 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
6008 */
710756a9 6009 if (clntaddnewcb != 2
36ff232c
MC		 6010 || clntparsenewcb != 8
6011 || srvaddnewcb != 8
710756a9 6012 || srvparsenewcb != 2)
a37008d9 6013 goto end;
a37008d9
MC		 6014 }
6015
6016 testresult = 1;
6017
6018end:
6019 SSL_SESSION_free(sess);
6020 SSL_free(serverssl);
6021 SSL_free(clientssl);
bb01ef3f 6022 SSL_CTX_free(sctx2);
a37008d9
MC		 6023 SSL_CTX_free(sctx);
6024 SSL_CTX_free(cctx);
a37008d9
MC		 6025 return testresult;
6026}
6027
555dd939 6028#if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
16afd71c 6029
555dd939
DF		 6030#define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
6031 | SSL_EXT_CLIENT_HELLO \
6032 | SSL_EXT_TLS1_2_SERVER_HELLO \
6033 | SSL_EXT_IGNORE_ON_RESUMPTION)
16afd71c 6034
555dd939
DF		 6035#define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
6036 | SSL_EXT_TLS1_2_SERVER_HELLO \
6037 | SSL_EXT_CLIENT_HELLO)
16afd71c 6038
555dd939
DF		 6039#define SERVERINFO_CUSTOM \
6040 0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
6041 0x00, 0x03, \
6042 0x04, 0x05, 0x06 \
6043
6044static const unsigned char serverinfo_custom_tls13[] = {
6045 0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff,
6046 SERVERINFO_CUSTOM
6047};
6048static const unsigned char serverinfo_custom_v2[] = {
6049 0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff,
6050 SERVERINFO_CUSTOM
6051};
6052static const unsigned char serverinfo_custom_v1[] = {
6053 SERVERINFO_CUSTOM
6054};
6055static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13);
6056static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2);
6057static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1);
6058
6059static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type,
6060 unsigned int context,
6061 const unsigned char *in,
6062 size_t inlen, X509 *x,
6063 size_t chainidx, int *al,
6064 void *parse_arg)
6065{
6066 const size_t len = serverinfo_custom_v1_len;
6067 const unsigned char *si = &serverinfo_custom_v1[len - 3];
6068 int *p_cb_result = (int*)parse_arg;
6069 *p_cb_result = TEST_mem_eq(in, inlen, si, 3);
6070 return 1;
6071}
6072
6073static int test_serverinfo_custom(const int idx)
6074{
6075 SSL_CTX *sctx = NULL, *cctx = NULL;
6076 SSL *clientssl = NULL, *serverssl = NULL;
6077 int testresult = 0;
6078 int cb_result = 0;
6079
6080 /*
6081 * Following variables are set in the switch statement
6082 * according to the test iteration.
6083 * Default values do not make much sense: test would fail with them.
6084 */
6085 int serverinfo_version = 0;
6086 int protocol_version = 0;
6087 unsigned int extension_context = 0;
6088 const unsigned char *si = NULL;
6089 size_t si_len = 0;
6090
6091 const int call_use_serverinfo_ex = idx > 0;
6092 switch (idx) {
6093 case 0: /* FALLTHROUGH */
6094 case 1:
6095 serverinfo_version = SSL_SERVERINFOV1;
6096 protocol_version = TLS1_2_VERSION;
6097 extension_context = SYNTHV1CONTEXT;
6098 si = serverinfo_custom_v1;
6099 si_len = serverinfo_custom_v1_len;
6100 break;
6101 case 2:
6102 serverinfo_version = SSL_SERVERINFOV2;
6103 protocol_version = TLS1_2_VERSION;
6104 extension_context = SYNTHV1CONTEXT;
6105 si = serverinfo_custom_v2;
6106 si_len = serverinfo_custom_v2_len;
6107 break;
6108 case 3:
6109 serverinfo_version = SSL_SERVERINFOV2;
6110 protocol_version = TLS1_3_VERSION;
6111 extension_context = TLS13CONTEXT;
6112 si = serverinfo_custom_tls13;
6113 si_len = serverinfo_custom_tls13_len;
6114 break;
16afd71c
MC		 6115 }
6116
555dd939
DF		 6117 if (!TEST_true(create_ssl_ctx_pair(libctx,
6118 TLS_method(),
6119 TLS_method(),
6120 protocol_version,
6121 protocol_version,
6122 &sctx, &cctx, cert, privkey)))
6123 goto end;
16afd71c 6124
555dd939
DF		 6125 if (call_use_serverinfo_ex) {
6126 if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version,
6127 si, si_len)))
6128 goto end;
6129 } else {
6130 if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len)))
6131 goto end;
16afd71c
MC		 6132 }
6133
555dd939
DF		 6134 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp,
6135 extension_context,
6136 NULL, NULL, NULL,
6137 serverinfo_custom_parse_cb,
6138 &cb_result))
6139 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6140 NULL, NULL))
6141 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6142 SSL_ERROR_NONE))
6143 || !TEST_int_eq(SSL_do_handshake(clientssl), 1))
6144 goto end;
6145
6146 if (!TEST_true(cb_result))
16afd71c
MC		 6147 goto end;
6148
6149 testresult = 1;
6150
6151 end:
555dd939
DF		 6152 SSL_free(serverssl);
6153 SSL_free(clientssl);
6154 SSL_CTX_free(sctx);
6155 SSL_CTX_free(cctx);
16afd71c
MC		 6156
6157 return testresult;
6158}
555dd939 6159#endif
16afd71c 6160
2197d1df
MC		 6161/*
6162 * Test that SSL_export_keying_material() produces expected results. There are
6163 * no test vectors so all we do is test that both sides of the communication
6164 * produce the same results for different protocol versions.
6165 */
0fb2815b
MC		 6166#define SMALL_LABEL_LEN 10
6167#define LONG_LABEL_LEN 249
2197d1df
MC		 6168static int test_export_key_mat(int tst)
6169{
a599574b 6170 int testresult = 0;
2197d1df
MC		 6171 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6172 SSL *clientssl = NULL, *serverssl = NULL;
0fb2815b 6173 const char label[LONG_LABEL_LEN + 1] = "test label";
2197d1df
MC		 6174 const unsigned char context[] = "context";
6175 const unsigned char *emptycontext = NULL;
6176 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
6177 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
0fb2815b 6178 size_t labellen;
a599574b
MC		 6179 const int protocols[] = {
6180 TLS1_VERSION,
6181 TLS1_1_VERSION,
6182 TLS1_2_VERSION,
0fb2815b
MC		 6183 TLS1_3_VERSION,
6184 TLS1_3_VERSION,
a599574b
MC		 6185 TLS1_3_VERSION
6186 };
2197d1df
MC		 6187
6188#ifdef OPENSSL_NO_TLS1
6189 if (tst == 0)
6190 return 1;
6191#endif
6192#ifdef OPENSSL_NO_TLS1_1
6193 if (tst == 1)
6194 return 1;
6195#endif
4f6c7044
MC		 6196 if (is_fips && (tst == 0 || tst == 1))
6197 return 1;
2197d1df
MC		 6198#ifdef OPENSSL_NO_TLS1_2
6199 if (tst == 2)
6200 return 1;
6201#endif
a763ca11 6202#ifdef OSSL_NO_USABLE_TLS1_3
0fb2815b 6203 if (tst >= 3)
2197d1df
MC		 6204 return 1;
6205#endif
5e30f2fd
MC		 6206 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6207 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 6208 &sctx, &cctx, cert, privkey)))
2197d1df
MC		 6209 goto end;
6210
a599574b
MC		 6211 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
6212 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
6213 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
aba03ae5
KR		 6214 if ((protocols[tst] < TLS1_2_VERSION) &&
6215 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
6216 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
6217 goto end;
2197d1df
MC		 6218
6219 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
ea9f6890
TM		 6220 NULL)))
6221 goto end;
6222
6223 /*
6224 * Premature call of SSL_export_keying_material should just fail.
6225 */
6226 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6227 sizeof(ckeymat1), label,
6228 SMALL_LABEL_LEN + 1, context,
6229 sizeof(context) - 1, 1), 0))
6230 goto end;
6231
6232 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6233 SSL_ERROR_NONE)))
2197d1df
MC		 6234 goto end;
6235
0fb2815b
MC		 6236 if (tst == 5) {
6237 /*
6238 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
6239 * go over that.
6240 */
6241 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6242 sizeof(ckeymat1), label,
6243 LONG_LABEL_LEN + 1, context,
6244 sizeof(context) - 1, 1), 0))
6245 goto end;
6246
6247 testresult = 1;
6248 goto end;
6249 } else if (tst == 4) {
6250 labellen = LONG_LABEL_LEN;
6251 } else {
6252 labellen = SMALL_LABEL_LEN;
6253 }
6254
2197d1df
MC		 6255 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
6256 sizeof(ckeymat1), label,
0fb2815b 6257 labellen, context,
2197d1df
MC		 6258 sizeof(context) - 1, 1), 1)
6259 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
6260 sizeof(ckeymat2), label,
0fb2815b 6261 labellen,
2197d1df
MC		 6262 emptycontext,
6263 0, 1), 1)
6264 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
6265 sizeof(ckeymat3), label,
0fb2815b 6266 labellen,
2197d1df
MC		 6267 NULL, 0, 0), 1)
6268 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
6269 sizeof(skeymat1), label,
0fb2815b 6270 labellen,
2197d1df
MC		 6271 context,
6272 sizeof(context) -1, 1),
6273 1)
6274 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
6275 sizeof(skeymat2), label,
0fb2815b 6276 labellen,
2197d1df
MC		 6277 emptycontext,
6278 0, 1), 1)
6279 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
6280 sizeof(skeymat3), label,
0fb2815b 6281 labellen,
2197d1df
MC		 6282 NULL, 0, 0), 1)
6283 /*
6284 * Check that both sides created the same key material with the
6285 * same context.
6286 */
6287 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6288 sizeof(skeymat1))
6289 /*
6290 * Check that both sides created the same key material with an
6291 * empty context.
6292 */
6293 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6294 sizeof(skeymat2))
6295 /*
6296 * Check that both sides created the same key material without a
6297 * context.
6298 */
6299 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6300 sizeof(skeymat3))
6301 /* Different contexts should produce different results */
6302 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6303 sizeof(ckeymat2)))
6304 goto end;
6305
6306 /*
6307 * Check that an empty context and no context produce different results in
6308 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6309 */
0fb2815b 6310 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
2197d1df 6311 sizeof(ckeymat3)))
0fb2815b
MC		 6312 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6313 sizeof(ckeymat3))))
2197d1df
MC		 6314 goto end;
6315
6316 testresult = 1;
6317
6318 end:
6319 SSL_free(serverssl);
6320 SSL_free(clientssl);
6321 SSL_CTX_free(sctx2);
6322 SSL_CTX_free(sctx);
6323 SSL_CTX_free(cctx);
6324
6325 return testresult;
6326}
6327
a763ca11 6328#ifndef OSSL_NO_USABLE_TLS1_3
b38ede80
TT		 6329/*
6330 * Test that SSL_export_keying_material_early() produces expected
6331 * results. There are no test vectors so all we do is test that both
6332 * sides of the communication produce the same results for different
6333 * protocol versions.
6334 */
6335static int test_export_key_mat_early(int idx)
6336{
6337 static const char label[] = "test label";
6338 static const unsigned char context[] = "context";
6339 int testresult = 0;
6340 SSL_CTX *cctx = NULL, *sctx = NULL;
6341 SSL *clientssl = NULL, *serverssl = NULL;
6342 SSL_SESSION *sess = NULL;
6343 const unsigned char *emptycontext = NULL;
6344 unsigned char ckeymat1[80], ckeymat2[80];
6345 unsigned char skeymat1[80], skeymat2[80];
6346 unsigned char buf[1];
6347 size_t readbytes, written;
6348
6349 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6350 &sess, idx)))
6351 goto end;
6352
6353 /* Here writing 0 length early data is enough. */
6354 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6355 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6356 &readbytes),
6357 SSL_READ_EARLY_DATA_ERROR)
6358 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6359 SSL_EARLY_DATA_ACCEPTED))
6360 goto end;
6361
6362 if (!TEST_int_eq(SSL_export_keying_material_early(
6363 clientssl, ckeymat1, sizeof(ckeymat1), label,
6364 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6365 || !TEST_int_eq(SSL_export_keying_material_early(
6366 clientssl, ckeymat2, sizeof(ckeymat2), label,
6367 sizeof(label) - 1, emptycontext, 0), 1)
6368 || !TEST_int_eq(SSL_export_keying_material_early(
6369 serverssl, skeymat1, sizeof(skeymat1), label,
6370 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6371 || !TEST_int_eq(SSL_export_keying_material_early(
6372 serverssl, skeymat2, sizeof(skeymat2), label,
6373 sizeof(label) - 1, emptycontext, 0), 1)
6374 /*
6375 * Check that both sides created the same key material with the
6376 * same context.
6377 */
6378 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6379 sizeof(skeymat1))
6380 /*
6381 * Check that both sides created the same key material with an
6382 * empty context.
6383 */
6384 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6385 sizeof(skeymat2))
6386 /* Different contexts should produce different results */
6387 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6388 sizeof(ckeymat2)))
6389 goto end;
6390
6391 testresult = 1;
6392
6393 end:
c20e3b28 6394 SSL_SESSION_free(sess);
b38ede80
TT		 6395 SSL_SESSION_free(clientpsk);
6396 SSL_SESSION_free(serverpsk);
34ff74eb 6397 clientpsk = serverpsk = NULL;
b38ede80
TT		 6398 SSL_free(serverssl);
6399 SSL_free(clientssl);
6400 SSL_CTX_free(sctx);
6401 SSL_CTX_free(cctx);
6402
6403 return testresult;
6404}
3409a5ff
MC		 6405
6406#define NUM_KEY_UPDATE_MESSAGES 40
6407/*
6408 * Test KeyUpdate.
6409 */
6410static int test_key_update(void)
6411{
6412 SSL_CTX *cctx = NULL, *sctx = NULL;
6413 SSL *clientssl = NULL, *serverssl = NULL;
6414 int testresult = 0, i, j;
6415 char buf[20];
6416 static char *mess = "A test message";
6417
5e30f2fd 6418 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3409a5ff
MC		 6419 TLS_client_method(),
6420 TLS1_3_VERSION,
6421 0,
6422 &sctx, &cctx, cert, privkey))
6423 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6424 NULL, NULL))
6425 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6426 SSL_ERROR_NONE)))
6427 goto end;
6428
6429 for (j = 0; j < 2; j++) {
6430 /* Send lots of KeyUpdate messages */
6431 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6432 if (!TEST_true(SSL_key_update(clientssl,
6433 (j == 0)
6434 ? SSL_KEY_UPDATE_NOT_REQUESTED
6435 : SSL_KEY_UPDATE_REQUESTED))
6436 || !TEST_true(SSL_do_handshake(clientssl)))
6437 goto end;
6438 }
6439
6440 /* Check that sending and receiving app data is ok */
6441 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6442 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6443 strlen(mess)))
6444 goto end;
a77b4dba
MC		 6445
6446 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6447 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6448 strlen(mess)))
6449 goto end;
3409a5ff
MC		 6450 }
6451
6452 testresult = 1;
6453
6454 end:
6455 SSL_free(serverssl);
6456 SSL_free(clientssl);
6457 SSL_CTX_free(sctx);
6458 SSL_CTX_free(cctx);
6459
6460 return testresult;
6461}
a77b4dba
MC		 6462
6463/*
0c48fda8 6464 * Test we can handle a KeyUpdate (update requested) message while
6465 * write data is pending in peer.
a77b4dba
MC		 6466 * Test 0: Client sends KeyUpdate while Server is writing
6467 * Test 1: Server sends KeyUpdate while Client is writing
6468 */
0c48fda8 6469static int test_key_update_peer_in_write(int tst)
a77b4dba
MC		 6470{
6471 SSL_CTX *cctx = NULL, *sctx = NULL;
6472 SSL *clientssl = NULL, *serverssl = NULL;
6473 int testresult = 0;
6474 char buf[20];
6475 static char *mess = "A test message";
6476 BIO *bretry = BIO_new(bio_s_always_retry());
6477 BIO *tmp = NULL;
6478 SSL *peerupdate = NULL, *peerwrite = NULL;
6479
6480 if (!TEST_ptr(bretry)
5e30f2fd 6481 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
a77b4dba
MC		 6482 TLS_client_method(),
6483 TLS1_3_VERSION,
6484 0,
6485 &sctx, &cctx, cert, privkey))
6486 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6487 NULL, NULL))
6488 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6489 SSL_ERROR_NONE)))
6490 goto end;
6491
6492 peerupdate = tst == 0 ? clientssl : serverssl;
6493 peerwrite = tst == 0 ? serverssl : clientssl;
6494
6495 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
0c48fda8 6496 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
a77b4dba
MC		 6497 goto end;
6498
6499 /* Swap the writing endpoint's write BIO to force a retry */
6500 tmp = SSL_get_wbio(peerwrite);
6501 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6502 tmp = NULL;
6503 goto end;
6504 }
6505 SSL_set0_wbio(peerwrite, bretry);
6506 bretry = NULL;
6507
6508 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6509 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6510 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
6511 goto end;
6512
6513 /* Reinstate the original writing endpoint's write BIO */
6514 SSL_set0_wbio(peerwrite, tmp);
6515 tmp = NULL;
6516
6517 /* Now read some data - we will read the key update */
6518 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6519 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
6520 goto end;
6521
6522 /*
6523 * Complete the write we started previously and read it from the other
6524 * endpoint
6525 */
6526 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6527 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6528 goto end;
6529
6530 /* Write more data to ensure we send the KeyUpdate message back */
6531 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6532 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6533 goto end;
6534
6535 testresult = 1;
6536
6537 end:
6538 SSL_free(serverssl);
6539 SSL_free(clientssl);
6540 SSL_CTX_free(sctx);
6541 SSL_CTX_free(cctx);
6542 BIO_free(bretry);
6543 BIO_free(tmp);
6544
6545 return testresult;
6546}
0c48fda8 6547
6548/*
6549 * Test we can handle a KeyUpdate (update requested) message while
6550 * peer read data is pending after peer accepted keyupdate(the msg header
6551 * had been read 5 bytes).
6552 * Test 0: Client sends KeyUpdate while Server is reading
6553 * Test 1: Server sends KeyUpdate while Client is reading
6554 */
6555static int test_key_update_peer_in_read(int tst)
6556{
6557 SSL_CTX *cctx = NULL, *sctx = NULL;
6558 SSL *clientssl = NULL, *serverssl = NULL;
6559 int testresult = 0;
6560 char prbuf[515], lwbuf[515] = {0};
6561 static char *mess = "A test message";
6562 BIO *lbio = NULL, *pbio = NULL;
6563 SSL *local = NULL, *peer = NULL;
6564
6565 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6566 TLS_client_method(),
6567 TLS1_3_VERSION,
6568 0,
6569 &sctx, &cctx, cert, privkey))
6570 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6571 NULL, NULL))
6572 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6573 SSL_ERROR_NONE)))
6574 goto end;
6575
6576 local = tst == 0 ? clientssl : serverssl;
6577 peer = tst == 0 ? serverssl : clientssl;
6578
6579 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6580 goto end;
6581
6582 SSL_set_bio(local, lbio, lbio);
6583 SSL_set_bio(peer, pbio, pbio);
6584
6585 /*
6586 * we first write keyupdate msg then appdata in local
6587 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6588 * lwbuf app data msg size + key updata msg size > 512(the size of
6589 * the bio pair buffer)
6590 */
6591 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6592 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6593 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6594 goto end;
6595
6596 /*
6597 * first read keyupdate msg in peer in peer
6598 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6599 */
6600 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6601 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6602 goto end;
6603
6604 /* Now write some data in peer - we will write the key update */
6605 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6606 goto end;
6607
6608 /*
6609 * write data in local previously that we will complete
6610 * read data in peer previously that we will complete
6611 */
6612 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6613 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6614 goto end;
6615
6616 /* check that sending and receiving appdata ok */
6617 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6618 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6619 goto end;
6620
6621 testresult = 1;
6622
6623 end:
6624 SSL_free(serverssl);
6625 SSL_free(clientssl);
6626 SSL_CTX_free(sctx);
6627 SSL_CTX_free(cctx);
6628
6629 return testresult;
6630}
6631
6632/*
6633 * Test we can't send a KeyUpdate (update requested) message while
6634 * local write data is pending.
6635 * Test 0: Client sends KeyUpdate while Client is writing
6636 * Test 1: Server sends KeyUpdate while Server is writing
6637 */
6638static int test_key_update_local_in_write(int tst)
6639{
6640 SSL_CTX *cctx = NULL, *sctx = NULL;
6641 SSL *clientssl = NULL, *serverssl = NULL;
6642 int testresult = 0;
6643 char buf[20];
6644 static char *mess = "A test message";
6645 BIO *bretry = BIO_new(bio_s_always_retry());
6646 BIO *tmp = NULL;
6647 SSL *local = NULL, *peer = NULL;
6648
6649 if (!TEST_ptr(bretry)
6650 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6651 TLS_client_method(),
6652 TLS1_3_VERSION,
6653 0,
6654 &sctx, &cctx, cert, privkey))
6655 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6656 NULL, NULL))
6657 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6658 SSL_ERROR_NONE)))
6659 goto end;
6660
6661 local = tst == 0 ? clientssl : serverssl;
6662 peer = tst == 0 ? serverssl : clientssl;
6663
6664 /* Swap the writing endpoint's write BIO to force a retry */
6665 tmp = SSL_get_wbio(local);
6666 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6667 tmp = NULL;
6668 goto end;
6669 }
6670 SSL_set0_wbio(local, bretry);
6671 bretry = NULL;
6672
6673 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6674 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6675 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6676 goto end;
6677
6678 /* Reinstate the original writing endpoint's write BIO */
6679 SSL_set0_wbio(local, tmp);
6680 tmp = NULL;
6681
6682 /* SSL_key_update will fail, because writing in local*/
6683 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6684 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
6685 goto end;
6686
6687 ERR_clear_error();
6688 /* write data in local previously that we will complete */
6689 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
6690 goto end;
6691
6692 /* SSL_key_update will succeed because there is no pending write data */
6693 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6694 || !TEST_int_eq(SSL_do_handshake(local), 1))
6695 goto end;
6696
6697 /*
6698 * we write some appdata in local
6699 * read data in peer - we will read the keyupdate msg
6700 */
6701 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6702 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
6703 goto end;
6704
6705 /* Write more peer more data to ensure we send the keyupdate message back */
6706 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6707 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
6708 goto end;
6709
6710 testresult = 1;
6711
6712 end:
6713 SSL_free(serverssl);
6714 SSL_free(clientssl);
6715 SSL_CTX_free(sctx);
6716 SSL_CTX_free(cctx);
6717 BIO_free(bretry);
6718 BIO_free(tmp);
6719
6720 return testresult;
6721}
6722
6723/*
6724 * Test we can handle a KeyUpdate (update requested) message while
6725 * local read data is pending(the msg header had been read 5 bytes).
6726 * Test 0: Client sends KeyUpdate while Client is reading
6727 * Test 1: Server sends KeyUpdate while Server is reading
6728 */
6729static int test_key_update_local_in_read(int tst)
6730{
6731 SSL_CTX *cctx = NULL, *sctx = NULL;
6732 SSL *clientssl = NULL, *serverssl = NULL;
6733 int testresult = 0;
6734 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
6735 static char *mess = "A test message";
6736 BIO *lbio = NULL, *pbio = NULL;
6737 SSL *local = NULL, *peer = NULL;
6738
6739 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6740 TLS_client_method(),
6741 TLS1_3_VERSION,
6742 0,
6743 &sctx, &cctx, cert, privkey))
6744 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6745 NULL, NULL))
6746 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6747 SSL_ERROR_NONE)))
6748 goto end;
6749
6750 local = tst == 0 ? clientssl : serverssl;
6751 peer = tst == 0 ? serverssl : clientssl;
6752
6753 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6754 goto end;
6755
6756 SSL_set_bio(local, lbio, lbio);
6757 SSL_set_bio(peer, pbio, pbio);
6758
6759 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6760 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
6761 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
6762 goto end;
6763
6764 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6765 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
6766 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
6767 goto end;
6768
6769 /* SSL_do_handshake will send keyupdate msg */
6770 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6771 || !TEST_int_eq(SSL_do_handshake(local), 1))
6772 goto end;
6773
6774 /*
6775 * write data in peer previously that we will complete
6776 * read data in local previously that we will complete
6777 */
6778 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
6779 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
6780 goto end;
6781
6782 /*
6783 * write data in local
6784 * read data in peer - we will read the key update
6785 */
6786 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6787 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6788 goto end;
6789
6790 /* Write more peer data to ensure we send the keyupdate message back */
6791 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6792 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
6793 goto end;
6794
6795 testresult = 1;
6796
6797 end:
6798 SSL_free(serverssl);
6799 SSL_free(clientssl);
6800 SSL_CTX_free(sctx);
6801 SSL_CTX_free(cctx);
6802
6803 return testresult;
6804}
a763ca11 6805#endif /* OSSL_NO_USABLE_TLS1_3 */
b38ede80 6806
e11b6aa4
MC		 6807static int test_ssl_clear(int idx)
6808{
6809 SSL_CTX *cctx = NULL, *sctx = NULL;
6810 SSL *clientssl = NULL, *serverssl = NULL;
6811 int testresult = 0;
6812
6813#ifdef OPENSSL_NO_TLS1_2
6814 if (idx == 1)
6815 return 1;
6816#endif
6817
6818 /* Create an initial connection */
5e30f2fd
MC		 6819 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6820 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 6821 &sctx, &cctx, cert, privkey))
e11b6aa4
MC		 6822 || (idx == 1
6823 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
6824 TLS1_2_VERSION)))
6825 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6826 &clientssl, NULL, NULL))
6827 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6828 SSL_ERROR_NONE)))
6829 goto end;
6830
6831 SSL_shutdown(clientssl);
6832 SSL_shutdown(serverssl);
6833 SSL_free(serverssl);
6834 serverssl = NULL;
6835
6836 /* Clear clientssl - we're going to reuse the object */
6837 if (!TEST_true(SSL_clear(clientssl)))
6838 goto end;
6839
6840 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6841 NULL, NULL))
6842 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6843 SSL_ERROR_NONE))
6844 || !TEST_true(SSL_session_reused(clientssl)))
6845 goto end;
6846
6847 SSL_shutdown(clientssl);
6848 SSL_shutdown(serverssl);
6849
6850 testresult = 1;
6851
6852 end:
6853 SSL_free(serverssl);
6854 SSL_free(clientssl);
6855 SSL_CTX_free(sctx);
6856 SSL_CTX_free(cctx);
6857
6858 return testresult;
6859}
6860
cf72c757
F		 6861/* Parse CH and retrieve any MFL extension value if present */
6862static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
6863{
6864 long len;
6865 unsigned char *data;
72962d02 6866 PACKET pkt, pkt2, pkt3;
cf72c757
F		 6867 unsigned int MFL_code = 0, type = 0;
6868
1287dabd 6869 if (!TEST_uint_gt(len = BIO_get_mem_data(bio, (char **) &data), 0))
cf72c757
F		 6870 goto end;
6871
72962d02
P		 6872 memset(&pkt, 0, sizeof(pkt));
6873 memset(&pkt2, 0, sizeof(pkt2));
6874 memset(&pkt3, 0, sizeof(pkt3));
6875
9ba18520 6876 if (!TEST_long_gt(len, 0)
1287dabd 6877 || !TEST_true(PACKET_buf_init(&pkt, data, len))
cf72c757
F		 6878 /* Skip the record header */
6879 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
6880 /* Skip the handshake message header */
6881 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
6882 /* Skip client version and random */
6883 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
6884 + SSL3_RANDOM_SIZE))
6885 /* Skip session id */
6886 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6887 /* Skip ciphers */
6888 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
6889 /* Skip compression */
6890 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6891 /* Extensions len */
6892 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
6893 goto end;
6894
6895 /* Loop through all extensions */
6896 while (PACKET_remaining(&pkt2)) {
6897 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
6898 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
6899 goto end;
6900
6901 if (type == TLSEXT_TYPE_max_fragment_length) {
6902 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
6903 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
6904 goto end;
6905
6906 *mfl_codemfl_code = MFL_code;
6907 return 1;
6908 }
6909 }
6910
6911 end:
6912 return 0;
6913}
6914
6915/* Maximum-Fragment-Length TLS extension mode to test */
6916static const unsigned char max_fragment_len_test[] = {
6917 TLSEXT_max_fragment_length_512,
6918 TLSEXT_max_fragment_length_1024,
6919 TLSEXT_max_fragment_length_2048,
6920 TLSEXT_max_fragment_length_4096
6921};
6922
6923static int test_max_fragment_len_ext(int idx_tst)
6924{
a763ca11 6925 SSL_CTX *ctx = NULL;
cf72c757
F		 6926 SSL *con = NULL;
6927 int testresult = 0, MFL_mode = 0;
6928 BIO *rbio, *wbio;
6929
a763ca11
MC		 6930 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
6931 TLS1_VERSION, 0, NULL, &ctx, NULL,
6932 NULL)))
6933 return 0;
cf72c757
F		 6934
6935 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6936 ctx, max_fragment_len_test[idx_tst])))
6937 goto end;
6938
6939 con = SSL_new(ctx);
6940 if (!TEST_ptr(con))
6941 goto end;
6942
6943 rbio = BIO_new(BIO_s_mem());
6944 wbio = BIO_new(BIO_s_mem());
6945 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
6946 BIO_free(rbio);
6947 BIO_free(wbio);
6948 goto end;
6949 }
6950
6951 SSL_set_bio(con, rbio, wbio);
cf72c757
F		 6952
6953 if (!TEST_int_le(SSL_connect(con), 0)) {
6954 /* This shouldn't succeed because we don't have a server! */
6955 goto end;
6956 }
6957
6958 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
6959 /* no MFL in client hello */
6960 goto end;
6961 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
6962 goto end;
6963
6964 testresult = 1;
6965
6966end:
6967 SSL_free(con);
6968 SSL_CTX_free(ctx);
6969
6970 return testresult;
6971}
6972
a763ca11 6973#ifndef OSSL_NO_USABLE_TLS1_3
9d75dce3
TS		 6974static int test_pha_key_update(void)
6975{
6976 SSL_CTX *cctx = NULL, *sctx = NULL;
6977 SSL *clientssl = NULL, *serverssl = NULL;
6978 int testresult = 0;
6979
5e30f2fd
MC		 6980 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6981 TLS_client_method(), TLS1_VERSION, 0,
9d75dce3
TS		 6982 &sctx, &cctx, cert, privkey)))
6983 return 0;
6984
6985 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
6986 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
6987 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
6988 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
6989 goto end;
6990
e97be718 6991 SSL_CTX_set_post_handshake_auth(cctx, 1);
9d75dce3
TS		 6992
6993 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6994 NULL, NULL)))
6995 goto end;
6996
9d75dce3
TS		 6997 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6998 SSL_ERROR_NONE)))
6999 goto end;
7000
7001 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7002 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7003 goto end;
7004
7005 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
7006 goto end;
7007
7008 /* Start handshake on the server */
7009 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
7010 goto end;
7011
7012 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
7013 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7014 SSL_ERROR_NONE)))
7015 goto end;
7016
7017 SSL_shutdown(clientssl);
7018 SSL_shutdown(serverssl);
7019
7020 testresult = 1;
7021
7022 end:
7023 SSL_free(serverssl);
7024 SSL_free(clientssl);
7025 SSL_CTX_free(sctx);
7026 SSL_CTX_free(cctx);
7027 return testresult;
7028}
7029#endif
7030
76fd7a1d
MC		 7031#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7032
7033static SRP_VBASE *vbase = NULL;
7034
7035static int ssl_srp_cb(SSL *s, int *ad, void *arg)
7036{
7037 int ret = SSL3_AL_FATAL;
7038 char *username;
7039 SRP_user_pwd *user = NULL;
7040
7041 username = SSL_get_srp_username(s);
7042 if (username == NULL) {
7043 *ad = SSL_AD_INTERNAL_ERROR;
7044 goto err;
7045 }
7046
7047 user = SRP_VBASE_get1_by_user(vbase, username);
7048 if (user == NULL) {
7049 *ad = SSL_AD_INTERNAL_ERROR;
7050 goto err;
7051 }
7052
7053 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
7054 user->info) <= 0) {
7055 *ad = SSL_AD_INTERNAL_ERROR;
7056 goto err;
7057 }
7058
7059 ret = 0;
7060
7061 err:
7062 SRP_user_pwd_free(user);
7063 return ret;
7064}
7065
7066static int create_new_vfile(char *userid, char *password, const char *filename)
7067{
7068 char *gNid = NULL;
7069 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
7070 TXT_DB *db = NULL;
7071 int ret = 0;
7072 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
7073 size_t i;
7074
7075 if (!TEST_ptr(dummy) || !TEST_ptr(row))
7076 goto end;
7077
20c00d0a 7078 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
5e30f2fd 7079 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
76fd7a1d
MC		 7080 if (!TEST_ptr(gNid))
7081 goto end;
7082
7083 /*
7084 * The only way to create an empty TXT_DB is to provide a BIO with no data
7085 * in it!
7086 */
7087 db = TXT_DB_read(dummy, DB_NUMBER);
7088 if (!TEST_ptr(db))
7089 goto end;
7090
7091 out = BIO_new_file(filename, "w");
7092 if (!TEST_ptr(out))
7093 goto end;
7094
7095 row[DB_srpid] = OPENSSL_strdup(userid);
7096 row[DB_srptype] = OPENSSL_strdup("V");
7097 row[DB_srpgN] = OPENSSL_strdup(gNid);
7098
7099 if (!TEST_ptr(row[DB_srpid])
7100 || !TEST_ptr(row[DB_srptype])
7101 || !TEST_ptr(row[DB_srpgN])
7102 || !TEST_true(TXT_DB_insert(db, row)))
7103 goto end;
7104
7105 row = NULL;
7106
aba9943f 7107 if (TXT_DB_write(out, db) <= 0)
76fd7a1d
MC		 7108 goto end;
7109
7110 ret = 1;
7111 end:
7112 if (row != NULL) {
7113 for (i = 0; i < DB_NUMBER; i++)
7114 OPENSSL_free(row[i]);
7115 }
7116 OPENSSL_free(row);
7117 BIO_free(dummy);
7118 BIO_free(out);
7119 TXT_DB_free(db);
7120
7121 return ret;
7122}
7123
7124static int create_new_vbase(char *userid, char *password)
7125{
7126 BIGNUM *verifier = NULL, *salt = NULL;
7127 const SRP_gN *lgN = NULL;
7128 SRP_user_pwd *user_pwd = NULL;
7129 int ret = 0;
7130
7131 lgN = SRP_get_default_gN(NULL);
7132 if (!TEST_ptr(lgN))
7133 goto end;
7134
20c00d0a 7135 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
5e30f2fd 7136 lgN->N, lgN->g, libctx, NULL)))
76fd7a1d
MC		 7137 goto end;
7138
7139 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
7140 if (!TEST_ptr(user_pwd))
7141 goto end;
7142
7143 user_pwd->N = lgN->N;
7144 user_pwd->g = lgN->g;
7145 user_pwd->id = OPENSSL_strdup(userid);
7146 if (!TEST_ptr(user_pwd->id))
7147 goto end;
7148
7149 user_pwd->v = verifier;
7150 user_pwd->s = salt;
7151 verifier = salt = NULL;
7152
7153 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
7154 goto end;
7155 user_pwd = NULL;
7156
7157 ret = 1;
7158end:
7159 SRP_user_pwd_free(user_pwd);
7160 BN_free(salt);
7161 BN_free(verifier);
7162
7163 return ret;
7164}
7165
7166/*
7167 * SRP tests
7168 *
7169 * Test 0: Simple successful SRP connection, new vbase
7170 * Test 1: Connection failure due to bad password, new vbase
7171 * Test 2: Simple successful SRP connection, vbase loaded from existing file
7172 * Test 3: Connection failure due to bad password, vbase loaded from existing
7173 * file
7174 * Test 4: Simple successful SRP connection, vbase loaded from new file
7175 * Test 5: Connection failure due to bad password, vbase loaded from new file
7176 */
7177static int test_srp(int tst)
7178{
7179 char *userid = "test", *password = "password", *tstsrpfile;
7180 SSL_CTX *cctx = NULL, *sctx = NULL;
7181 SSL *clientssl = NULL, *serverssl = NULL;
7182 int ret, testresult = 0;
7183
7184 vbase = SRP_VBASE_new(NULL);
7185 if (!TEST_ptr(vbase))
7186 goto end;
7187
7188 if (tst == 0 || tst == 1) {
7189 if (!TEST_true(create_new_vbase(userid, password)))
7190 goto end;
7191 } else {
7192 if (tst == 4 || tst == 5) {
7193 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
7194 goto end;
7195 tstsrpfile = tmpfilename;
7196 } else {
7197 tstsrpfile = srpvfile;
7198 }
7199 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
7200 goto end;
7201 }
7202
5e30f2fd
MC		 7203 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7204 TLS_client_method(), TLS1_VERSION, 0,
76fd7a1d
MC		 7205 &sctx, &cctx, cert, privkey)))
7206 goto end;
7207
7208 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
7209 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
7210 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
7211 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
7212 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
7213 goto end;
7214
7215 if (tst % 2 == 1) {
7216 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
7217 goto end;
7218 } else {
7219 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
7220 goto end;
7221 }
7222
7223 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7224 NULL, NULL)))
7225 goto end;
7226
7227 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7228 if (ret) {
7229 if (!TEST_true(tst % 2 == 0))
7230 goto end;
7231 } else {
7232 if (!TEST_true(tst % 2 == 1))
7233 goto end;
7234 }
7235
7236 testresult = 1;
7237
7238 end:
7239 SRP_VBASE_free(vbase);
7240 vbase = NULL;
7241 SSL_free(serverssl);
7242 SSL_free(clientssl);
7243 SSL_CTX_free(sctx);
7244 SSL_CTX_free(cctx);
7245
7246 return testresult;
7247}
7248#endif
7249
5718fe45
MC		 7250static int info_cb_failed = 0;
7251static int info_cb_offset = 0;
7252static int info_cb_this_state = -1;
7253
7254static struct info_cb_states_st {
7255 int where;
7256 const char *statestr;
7257} info_cb_states[][60] = {
7258 {
7259 /* TLSv1.2 server followed by resumption */
e0f69c35
TS		 7260 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7261 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5718fe45
MC		 7262 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
7263 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
7264 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
7265 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7266 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7267 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
e0f69c35 7268 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
5718fe45
MC		 7269 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7270 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
7271 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7272 {SSL_CB_EXIT, NULL}, {0, NULL},
7273 }, {
7274 /* TLSv1.2 client followed by resumption */
e0f69c35 7275 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7276 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7277 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
7278 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
7279 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
7280 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7281 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
e0f69c35 7282 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7283 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7284 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7285 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7286 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
7287 }, {
7288 /* TLSv1.3 server followed by resumption */
e0f69c35
TS		 7289 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7290 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5718fe45 7291 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
e0f69c35 7292 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5718fe45 7293 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b
MC		 7294 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7295 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
e0f69c35
TS		 7296 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7297 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4af5836b
MC		 7298 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7299 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7300 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7301 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 7302 }, {
7303 /* TLSv1.3 client followed by resumption */
e0f69c35 7304 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7305 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7306 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7307 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7308 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
e0f69c35
TS		 7309 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7310 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7311 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5718fe45 7312 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
e0f69c35 7313 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5718fe45
MC		 7314 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7315 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7316 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
e0f69c35 7317 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
4af5836b 7318 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 7319 }, {
7320 /* TLSv1.3 server, early_data */
e0f69c35
TS		 7321 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7322 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5718fe45
MC		 7323 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7324 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7325 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7326 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b 7327 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5718fe45
MC		 7328 {SSL_CB_EXIT, NULL}, {0, NULL},
7329 }, {
7330 /* TLSv1.3 client, early_data */
e0f69c35 7331 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7332 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7333 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7334 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7335 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7336 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7337 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
e0f69c35 7338 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
4af5836b 7339 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
b67cb09f
TS		 7340 }, {
7341 /* TLSv1.3 server, certificate compression, followed by resumption */
7342 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7343 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7344 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSCC"},
7345 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7346 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7347 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7348 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7349 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7350 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7351 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7352 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7353 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7354 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7355 }, {
7356 /* TLSv1.3 client, certificate compression, followed by resumption */
7357 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7358 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7359 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSCC"},
7360 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7361 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7362 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7363 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7364 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7365 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7366 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7367 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7368 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7369 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7370 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7371 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 7372 }, {
7373 {0, NULL},
7374 }
7375};
7376
7377static void sslapi_info_callback(const SSL *s, int where, int ret)
7378{
7379 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7380
7381 /* We do not ever expect a connection to fail in this test */
7382 if (!TEST_false(ret == 0)) {
7383 info_cb_failed = 1;
7384 return;
7385 }
7386
7387 /*
7388 * Do some sanity checks. We never expect these things to happen in this
7389 * test
7390 */
7391 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7392 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7393 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7394 info_cb_failed = 1;
7395 return;
7396 }
7397
7398 /* Now check we're in the right state */
7399 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7400 info_cb_failed = 1;
7401 return;
7402 }
7403 if ((where & SSL_CB_LOOP) != 0
7404 && !TEST_int_eq(strcmp(SSL_state_string(s),
7405 state[info_cb_this_state].statestr), 0)) {
7406 info_cb_failed = 1;
7407 return;
7408 }
033c181b 7409
4af5836b
MC		 7410 /*
7411 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7412 */
7413 if ((where & SSL_CB_HANDSHAKE_DONE)
7414 && SSL_in_init((SSL *)s) != 0) {
033c181b
MC		 7415 info_cb_failed = 1;
7416 return;
7417 }
5718fe45
MC		 7418}
7419
7420/*
7421 * Test the info callback gets called when we expect it to.
7422 *
7423 * Test 0: TLSv1.2, server
7424 * Test 1: TLSv1.2, client
7425 * Test 2: TLSv1.3, server
7426 * Test 3: TLSv1.3, client
7427 * Test 4: TLSv1.3, server, early_data
7428 * Test 5: TLSv1.3, client, early_data
b67cb09f
TS		 7429 * Test 6: TLSv1.3, server, compressed certificate
7430 * Test 7: TLSv1.3, client, compressed certificate
5718fe45
MC		 7431 */
7432static int test_info_callback(int tst)
7433{
7434 SSL_CTX *cctx = NULL, *sctx = NULL;
7435 SSL *clientssl = NULL, *serverssl = NULL;
7436 SSL_SESSION *clntsess = NULL;
7437 int testresult = 0;
7438 int tlsvers;
7439
7440 if (tst < 2) {
1aac20f5
MC		 7441/* We need either ECDHE or DHE for the TLSv1.2 test to work */
7442#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7443 || !defined(OPENSSL_NO_DH))
5718fe45
MC		 7444 tlsvers = TLS1_2_VERSION;
7445#else
7446 return 1;
7447#endif
7448 } else {
a763ca11 7449#ifndef OSSL_NO_USABLE_TLS1_3
5718fe45
MC		 7450 tlsvers = TLS1_3_VERSION;
7451#else
7452 return 1;
7453#endif
7454 }
7455
7456 /* Reset globals */
7457 info_cb_failed = 0;
7458 info_cb_this_state = -1;
7459 info_cb_offset = tst;
7460
a763ca11 7461#ifndef OSSL_NO_USABLE_TLS1_3
b67cb09f 7462 if (tst >= 4 && tst < 6) {
5718fe45
MC		 7463 SSL_SESSION *sess = NULL;
7464 size_t written, readbytes;
7465 unsigned char buf[80];
7466
7467 /* early_data tests */
7468 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
7469 &serverssl, &sess, 0)))
7470 goto end;
7471
7472 /* We don't actually need this reference */
7473 SSL_SESSION_free(sess);
7474
7475 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7476 sslapi_info_callback);
7477
7478 /* Write and read some early data and then complete the connection */
7479 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7480 &written))
7481 || !TEST_size_t_eq(written, strlen(MSG1))
7482 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
7483 sizeof(buf), &readbytes),
7484 SSL_READ_EARLY_DATA_SUCCESS)
7485 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7486 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7487 SSL_EARLY_DATA_ACCEPTED)
7488 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7489 SSL_ERROR_NONE))
7490 || !TEST_false(info_cb_failed))
7491 goto end;
7492
7493 testresult = 1;
7494 goto end;
7495 }
6e07834c 7496#endif
5718fe45 7497
5e30f2fd 7498 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5718fe45
MC		 7499 TLS_client_method(),
7500 tlsvers, tlsvers, &sctx, &cctx, cert,
7501 privkey)))
7502 goto end;
7503
33c39a06
MC		 7504 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7505 goto end;
7506
5718fe45
MC		 7507 /*
7508 * For even numbered tests we check the server callbacks. For odd numbers we
7509 * check the client.
7510 */
7511 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7512 sslapi_info_callback);
b67cb09f
TS		 7513 if (tst >= 6) {
7514 if (!SSL_CTX_compress_certs(sctx, 0))
7515 goto end;
7516 }
5718fe45
MC		 7517
7518 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7519 &clientssl, NULL, NULL))
7520 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7521 SSL_ERROR_NONE))
7522 || !TEST_false(info_cb_failed))
7523 goto end;
7524
7525
7526
7527 clntsess = SSL_get1_session(clientssl);
7528 SSL_shutdown(clientssl);
7529 SSL_shutdown(serverssl);
7530 SSL_free(serverssl);
7531 SSL_free(clientssl);
7532 serverssl = clientssl = NULL;
7533
7534 /* Now do a resumption */
7535 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7536 NULL))
7537 || !TEST_true(SSL_set_session(clientssl, clntsess))
7538 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7539 SSL_ERROR_NONE))
7540 || !TEST_true(SSL_session_reused(clientssl))
7541 || !TEST_false(info_cb_failed))
7542 goto end;
7543
7544 testresult = 1;
7545
7546 end:
7547 SSL_free(serverssl);
7548 SSL_free(clientssl);
7549 SSL_SESSION_free(clntsess);
7550 SSL_CTX_free(sctx);
7551 SSL_CTX_free(cctx);
7552 return testresult;
7553}
7554
4a432af8
MC		 7555static int test_ssl_pending(int tst)
7556{
7557 SSL_CTX *cctx = NULL, *sctx = NULL;
7558 SSL *clientssl = NULL, *serverssl = NULL;
7559 int testresult = 0;
7560 char msg[] = "A test message";
7561 char buf[5];
7562 size_t written, readbytes;
7563
7564 if (tst == 0) {
5e30f2fd 7565 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4a432af8 7566 TLS_client_method(),
5c587fb6 7567 TLS1_VERSION, 0,
4a432af8
MC		 7568 &sctx, &cctx, cert, privkey)))
7569 goto end;
7570 } else {
7571#ifndef OPENSSL_NO_DTLS
5e30f2fd 7572 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
4a432af8 7573 DTLS_client_method(),
5c587fb6 7574 DTLS1_VERSION, 0,
4a432af8
MC		 7575 &sctx, &cctx, cert, privkey)))
7576 goto end;
8ce390e1
MC		 7577
7578# ifdef OPENSSL_NO_DTLS1_2
7579 /* Not supported in the FIPS provider */
7580 if (is_fips) {
7581 testresult = 1;
7582 goto end;
7583 };
7584 /*
7585 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7586 * level 0
7587 */
7588 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7589 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7590 "DEFAULT:@SECLEVEL=0")))
7591 goto end;
7592# endif
4a432af8
MC		 7593#else
7594 return 1;
7595#endif
7596 }
7597
7598 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7599 NULL, NULL))
7600 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7601 SSL_ERROR_NONE)))
7602 goto end;
7603
e8251092
MC		 7604 if (!TEST_int_eq(SSL_pending(clientssl), 0)
7605 || !TEST_false(SSL_has_pending(clientssl))
7606 || !TEST_int_eq(SSL_pending(serverssl), 0)
7607 || !TEST_false(SSL_has_pending(serverssl))
7608 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4a432af8
MC		 7609 || !TEST_size_t_eq(written, sizeof(msg))
7610 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
7611 || !TEST_size_t_eq(readbytes, sizeof(buf))
e8251092
MC		 7612 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
7613 || !TEST_true(SSL_has_pending(clientssl)))
4a432af8
MC		 7614 goto end;
7615
7616 testresult = 1;
7617
7618 end:
7619 SSL_free(serverssl);
7620 SSL_free(clientssl);
7621 SSL_CTX_free(sctx);
7622 SSL_CTX_free(cctx);
7623
7624 return testresult;
7625}
7626
e401389a
MC		 7627static struct {
7628 unsigned int maxprot;
7629 const char *clntciphers;
7630 const char *clnttls13ciphers;
7631 const char *srvrciphers;
7632 const char *srvrtls13ciphers;
7633 const char *shared;
a96e6c34 7634 const char *fipsshared;
e401389a 7635} shared_ciphers_data[] = {
60155b9a
MC		 7636/*
7637 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7638 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7639 */
a763ca11 7640#if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
e401389a
MC		 7641 {
7642 TLS1_2_VERSION,
7643 "AES128-SHA:AES256-SHA",
7644 NULL,
7645 "AES256-SHA:DHE-RSA-AES128-SHA",
7646 NULL,
a96e6c34 7647 "AES256-SHA",
e401389a
MC		 7648 "AES256-SHA"
7649 },
a96e6c34
MC		 7650# if !defined(OPENSSL_NO_CHACHA) \
7651 && !defined(OPENSSL_NO_POLY1305) \
7652 && !defined(OPENSSL_NO_EC)
7653 {
7654 TLS1_2_VERSION,
7655 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7656 NULL,
7657 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7658 NULL,
7659 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7660 "AES128-SHA"
7661 },
7662# endif
e401389a
MC		 7663 {
7664 TLS1_2_VERSION,
7665 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7666 NULL,
7667 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7668 NULL,
a96e6c34 7669 "AES128-SHA:AES256-SHA",
e401389a
MC		 7670 "AES128-SHA:AES256-SHA"
7671 },
7672 {
7673 TLS1_2_VERSION,
7674 "AES128-SHA:AES256-SHA",
7675 NULL,
7676 "AES128-SHA:DHE-RSA-AES128-SHA",
7677 NULL,
a96e6c34 7678 "AES128-SHA",
e401389a
MC		 7679 "AES128-SHA"
7680 },
60155b9a
MC		 7681#endif
7682/*
7683 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7684 * enabled.
7685 */
a763ca11 7686#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
60155b9a 7687 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e401389a
MC		 7688 {
7689 TLS1_3_VERSION,
7690 "AES128-SHA:AES256-SHA",
7691 NULL,
7692 "AES256-SHA:AES128-SHA256",
7693 NULL,
7694 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
a96e6c34
MC		 7695 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7696 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
e401389a 7697 },
60155b9a 7698#endif
a763ca11 7699#ifndef OSSL_NO_USABLE_TLS1_3
e401389a
MC		 7700 {
7701 TLS1_3_VERSION,
7702 "AES128-SHA",
7703 "TLS_AES_256_GCM_SHA384",
7704 "AES256-SHA",
7705 "TLS_AES_256_GCM_SHA384",
a96e6c34 7706 "TLS_AES_256_GCM_SHA384",
e401389a
MC		 7707 "TLS_AES_256_GCM_SHA384"
7708 },
7709#endif
7710};
7711
a96e6c34 7712static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
e401389a
MC		 7713{
7714 SSL_CTX *cctx = NULL, *sctx = NULL;
7715 SSL *clientssl = NULL, *serverssl = NULL;
7716 int testresult = 0;
7717 char buf[1024];
b4250010 7718 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
a96e6c34
MC		 7719
7720 if (!TEST_ptr(tmplibctx))
7721 goto end;
7722
7723 /*
7724 * Regardless of whether we're testing with the FIPS provider loaded into
7725 * libctx, we want one peer to always use the full set of ciphersuites
7726 * available. Therefore we use a separate libctx with the default provider
7727 * loaded into it. We run the same tests twice - once with the client side
7728 * having the full set of ciphersuites and once with the server side.
7729 */
7730 if (clnt) {
d8652be0 7731 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
a96e6c34
MC		 7732 if (!TEST_ptr(cctx))
7733 goto end;
7734 } else {
d8652be0 7735 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
a96e6c34
MC		 7736 if (!TEST_ptr(sctx))
7737 goto end;
7738 }
e401389a 7739
5e30f2fd 7740 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
e401389a
MC		 7741 TLS_client_method(),
7742 TLS1_VERSION,
7743 shared_ciphers_data[tst].maxprot,
7744 &sctx, &cctx, cert, privkey)))
7745 goto end;
7746
7747 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7748 shared_ciphers_data[tst].clntciphers))
7749 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
7750 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
7751 shared_ciphers_data[tst].clnttls13ciphers)))
7752 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
7753 shared_ciphers_data[tst].srvrciphers))
7754 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
7755 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
7756 shared_ciphers_data[tst].srvrtls13ciphers))))
7757 goto end;
7758
7759
7760 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7761 NULL, NULL))
7762 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7763 SSL_ERROR_NONE)))
7764 goto end;
7765
7766 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
a96e6c34
MC		 7767 || !TEST_int_eq(strcmp(buf,
7768 is_fips
7769 ? shared_ciphers_data[tst].fipsshared
7770 : shared_ciphers_data[tst].shared),
7771 0)) {
e401389a
MC		 7772 TEST_info("Shared ciphers are: %s\n", buf);
7773 goto end;
7774 }
7775
7776 testresult = 1;
7777
7778 end:
7779 SSL_free(serverssl);
7780 SSL_free(clientssl);
7781 SSL_CTX_free(sctx);
7782 SSL_CTX_free(cctx);
b4250010 7783 OSSL_LIB_CTX_free(tmplibctx);
e401389a
MC		 7784
7785 return testresult;
7786}
7787
a96e6c34
MC		 7788static int test_ssl_get_shared_ciphers(int tst)
7789{
7790 return int_test_ssl_get_shared_ciphers(tst, 0)
7791 && int_test_ssl_get_shared_ciphers(tst, 1);
7792}
7793
7794
d0191fe0 7795static const char *appdata = "Hello World";
61fb5923
MC		 7796static int gen_tick_called, dec_tick_called, tick_key_cb_called;
7797static int tick_key_renew = 0;
7798static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
d0191fe0
MC		 7799
7800static int gen_tick_cb(SSL *s, void *arg)
7801{
7802 gen_tick_called = 1;
7803
7804 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
7805 strlen(appdata));
7806}
7807
7808static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
7809 const unsigned char *keyname,
7810 size_t keyname_length,
61fb5923
MC		 7811 SSL_TICKET_STATUS status,
7812 void *arg)
d0191fe0
MC		 7813{
7814 void *tickdata;
7815 size_t tickdlen;
7816
7817 dec_tick_called = 1;
7818
61fb5923
MC		 7819 if (status == SSL_TICKET_EMPTY)
7820 return SSL_TICKET_RETURN_IGNORE_RENEW;
d0191fe0 7821
61fb5923
MC		 7822 if (!TEST_true(status == SSL_TICKET_SUCCESS
7823 || status == SSL_TICKET_SUCCESS_RENEW))
7824 return SSL_TICKET_RETURN_ABORT;
7825
7826 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
7827 &tickdlen))
d0191fe0
MC		 7828 || !TEST_size_t_eq(tickdlen, strlen(appdata))
7829 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
61fb5923 7830 return SSL_TICKET_RETURN_ABORT;
d0191fe0 7831
61fb5923
MC		 7832 if (tick_key_cb_called) {
7833 /* Don't change what the ticket key callback wanted to do */
7834 switch (status) {
7835 case SSL_TICKET_NO_DECRYPT:
7836 return SSL_TICKET_RETURN_IGNORE_RENEW;
7837
7838 case SSL_TICKET_SUCCESS:
7839 return SSL_TICKET_RETURN_USE;
d0191fe0 7840
61fb5923
MC		 7841 case SSL_TICKET_SUCCESS_RENEW:
7842 return SSL_TICKET_RETURN_USE_RENEW;
7843
7844 default:
7845 return SSL_TICKET_RETURN_ABORT;
7846 }
7847 }
7848 return tick_dec_ret;
7849
7850}
d0191fe0 7851
a76ce286 7852#ifndef OPENSSL_NO_DEPRECATED_3_0
d0191fe0
MC		 7853static int tick_key_cb(SSL *s, unsigned char key_name[16],
7854 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
7855 HMAC_CTX *hctx, int enc)
7856{
7857 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7858 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
3b7a3241
MC		 7859 EVP_CIPHER *aes128cbc;
7860 EVP_MD *sha256;
5e30f2fd 7861 int ret;
d0191fe0 7862
61fb5923 7863 tick_key_cb_called = 1;
3b7a3241
MC		 7864
7865 if (tick_key_renew == -1)
7866 return 0;
7867
7868 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7869 if (!TEST_ptr(aes128cbc))
7870 return 0;
7871 sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
7872 if (!TEST_ptr(sha256)) {
7873 EVP_CIPHER_free(aes128cbc);
7874 return 0;
7875 }
7876
d0191fe0
MC		 7877 memset(iv, 0, AES_BLOCK_SIZE);
7878 memset(key_name, 0, 16);
5e30f2fd
MC		 7879 if (aes128cbc == NULL
7880 || sha256 == NULL
7881 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7882 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
7883 NULL))
7884 ret = -1;
7885 else
7886 ret = tick_key_renew ? 2 : 1;
d0191fe0 7887
5e30f2fd
MC		 7888 EVP_CIPHER_free(aes128cbc);
7889 EVP_MD_free(sha256);
7890
7891 return ret;
d0191fe0 7892}
a76ce286
P		 7893#endif
7894
7895static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
7896 unsigned char iv[EVP_MAX_IV_LENGTH],
7897 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
7898{
7899 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7900 unsigned char tick_hmac_key[16] = "0123456789abcdef";
77e4ae58 7901 OSSL_PARAM params[2];
3b7a3241 7902 EVP_CIPHER *aes128cbc;
5e30f2fd 7903 int ret;
a76ce286
P		 7904
7905 tick_key_cb_called = 1;
3b7a3241
MC		 7906
7907 if (tick_key_renew == -1)
7908 return 0;
7909
7910 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7911 if (!TEST_ptr(aes128cbc))
7912 return 0;
7913
a76ce286
P		 7914 memset(iv, 0, AES_BLOCK_SIZE);
7915 memset(key_name, 0, 16);
7916 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
7917 "SHA256", 0);
77e4ae58 7918 params[1] = OSSL_PARAM_construct_end();
5e30f2fd
MC		 7919 if (aes128cbc == NULL
7920 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
77e4ae58
P		 7921 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
7922 params))
5e30f2fd
MC		 7923 ret = -1;
7924 else
7925 ret = tick_key_renew ? 2 : 1;
7926
7927 EVP_CIPHER_free(aes128cbc);
a76ce286 7928
5e30f2fd 7929 return ret;
a76ce286 7930}
d0191fe0
MC		 7931
7932/*
7933 * Test the various ticket callbacks
61fb5923
MC		 7934 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
7935 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
7936 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
7937 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
7938 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
7939 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
7940 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
7941 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
a76ce286
P		 7942 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
7943 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
7944 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
7945 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
3b7a3241
MC		 7946 * Test 12: TLSv1.2, old ticket key callback, no ticket
7947 * Test 13: TLSv1.3, old ticket key callback, no ticket
7948 * Test 14: TLSv1.2, ticket key callback, ticket, no renewal
7949 * Test 15: TLSv1.3, ticket key callback, ticket, no renewal
7950 * Test 16: TLSv1.2, ticket key callback, ticket, renewal
7951 * Test 17: TLSv1.3, ticket key callback, ticket, renewal
7952 * Test 18: TLSv1.2, ticket key callback, no ticket
7953 * Test 19: TLSv1.3, ticket key callback, no ticket
d0191fe0
MC		 7954 */
7955static int test_ticket_callbacks(int tst)
7956{
7957 SSL_CTX *cctx = NULL, *sctx = NULL;
7958 SSL *clientssl = NULL, *serverssl = NULL;
7959 SSL_SESSION *clntsess = NULL;
7960 int testresult = 0;
7961
7962#ifdef OPENSSL_NO_TLS1_2
ba8b48e9 7963 if (tst % 2 == 0)
d0191fe0
MC		 7964 return 1;
7965#endif
a763ca11 7966#ifdef OSSL_NO_USABLE_TLS1_3
ba8b48e9 7967 if (tst % 2 == 1)
d0191fe0
MC		 7968 return 1;
7969#endif
a76ce286 7970#ifdef OPENSSL_NO_DEPRECATED_3_0
3b7a3241 7971 if (tst >= 8 && tst <= 13)
a76ce286
P		 7972 return 1;
7973#endif
d0191fe0 7974
61fb5923 7975 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
d0191fe0
MC		 7976
7977 /* Which tests the ticket key callback should request renewal for */
3b7a3241
MC		 7978
7979 if (tst == 10 || tst == 11 || tst == 16 || tst == 17)
61fb5923 7980 tick_key_renew = 1;
3b7a3241
MC		 7981 else if (tst == 12 || tst == 13 || tst == 18 || tst == 19)
7982 tick_key_renew = -1; /* abort sending the ticket/0-length ticket */
d0191fe0 7983 else
61fb5923
MC		 7984 tick_key_renew = 0;
7985
7986 /* Which tests the decrypt ticket callback should request renewal for */
7987 switch (tst) {
7988 case 0:
7989 case 1:
7990 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
7991 break;
7992
7993 case 2:
7994 case 3:
7995 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
7996 break;
7997
7998 case 4:
7999 case 5:
8000 tick_dec_ret = SSL_TICKET_RETURN_USE;
8001 break;
8002
8003 case 6:
8004 case 7:
8005 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
8006 break;
8007
8008 default:
8009 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
8010 }
d0191fe0 8011
5e30f2fd 8012 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
d0191fe0
MC		 8013 TLS_client_method(),
8014 TLS1_VERSION,
61fb5923
MC		 8015 ((tst % 2) == 0) ? TLS1_2_VERSION
8016 : TLS1_3_VERSION,
d0191fe0
MC		 8017 &sctx, &cctx, cert, privkey)))
8018 goto end;
8019
61fb5923
MC		 8020 /*
8021 * We only want sessions to resume from tickets - not the session cache. So
8022 * switch the cache off.
8023 */
8024 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
8025 goto end;
8026
d0191fe0
MC		 8027 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
8028 NULL)))
8029 goto end;
8030
3b7a3241 8031 if (tst >= 14) {
a76ce286
P		 8032 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
8033 goto end;
8034#ifndef OPENSSL_NO_DEPRECATED_3_0
8035 } else if (tst >= 8) {
8036 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
8037 goto end;
8038#endif
8039 }
d0191fe0
MC		 8040
8041 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8042 NULL, NULL))
8043 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8044 SSL_ERROR_NONE)))
8045 goto end;
8046
61fb5923
MC		 8047 /*
8048 * The decrypt ticket key callback in TLSv1.2 should be called even though
8049 * we have no ticket yet, because it gets called with a status of
8050 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
8051 * actually send any ticket data). This does not happen in TLSv1.3 because
8052 * it is not valid to send empty ticket data in TLSv1.3.
8053 */
d0191fe0 8054 if (!TEST_int_eq(gen_tick_called, 1)
61fb5923 8055 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
d0191fe0
MC		 8056 goto end;
8057
8058 gen_tick_called = dec_tick_called = 0;
8059
8060 clntsess = SSL_get1_session(clientssl);
8061 SSL_shutdown(clientssl);
8062 SSL_shutdown(serverssl);
8063 SSL_free(serverssl);
8064 SSL_free(clientssl);
8065 serverssl = clientssl = NULL;
8066
8067 /* Now do a resumption */
8068 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8069 NULL))
8070 || !TEST_true(SSL_set_session(clientssl, clntsess))
8071 || !TEST_true(create_ssl_connection(serverssl, clientssl,
61fb5923 8072 SSL_ERROR_NONE)))
d0191fe0
MC		 8073 goto end;
8074
61fb5923 8075 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
3b7a3241
MC		 8076 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8077 || tick_key_renew == -1) {
61fb5923
MC		 8078 if (!TEST_false(SSL_session_reused(clientssl)))
8079 goto end;
8080 } else {
8081 if (!TEST_true(SSL_session_reused(clientssl)))
8082 goto end;
8083 }
8084
d0191fe0 8085 if (!TEST_int_eq(gen_tick_called,
61fb5923
MC		 8086 (tick_key_renew
8087 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8088 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
8089 ? 1 : 0)
3b7a3241
MC		 8090 /* There is no ticket to decrypt in tests 13 and 19 */
8091 || !TEST_int_eq(dec_tick_called, (tst == 13 || tst == 19) ? 0 : 1))
d0191fe0
MC		 8092 goto end;
8093
8094 testresult = 1;
8095
8096 end:
8097 SSL_SESSION_free(clntsess);
8098 SSL_free(serverssl);
8099 SSL_free(clientssl);
8100 SSL_CTX_free(sctx);
8101 SSL_CTX_free(cctx);
8102
8103 return testresult;
8104}
8105
e638112e
DB		 8106/*
8107 * Test incorrect shutdown.
8108 * Test 0: client does not shutdown properly,
8109 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
8110 * server should get SSL_ERROR_SSL
8111 * Test 1: client does not shutdown properly,
8112 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
8113 * server should get SSL_ERROR_ZERO_RETURN
8114 */
8115static int test_incorrect_shutdown(int tst)
8116{
8117 SSL_CTX *cctx = NULL, *sctx = NULL;
8118 SSL *clientssl = NULL, *serverssl = NULL;
8119 int testresult = 0;
8120 char buf[80];
8121 BIO *c2s;
8122
8123 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8124 TLS_client_method(), 0, 0,
8125 &sctx, &cctx, cert, privkey)))
8126 goto end;
8127
8128 if (tst == 1)
8129 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
8130
8131 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8132 NULL, NULL)))
8133 goto end;
8134
8135 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8136 SSL_ERROR_NONE)))
8137 goto end;
8138
8139 c2s = SSL_get_rbio(serverssl);
8140 BIO_set_mem_eof_return(c2s, 0);
8141
8142 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
8143 goto end;
8144
8145 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
8146 goto end;
8147 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
8148 goto end;
8149
8150 testresult = 1;
8151
8152 end:
8153 SSL_free(serverssl);
8154 SSL_free(clientssl);
8155 SSL_CTX_free(sctx);
8156 SSL_CTX_free(cctx);
8157
8158 return testresult;
8159}
8160
c748834f
MC		 8161/*
8162 * Test bi-directional shutdown.
8163 * Test 0: TLSv1.2
8164 * Test 1: TLSv1.2, server continues to read/write after client shutdown
8165 * Test 2: TLSv1.3, no pending NewSessionTicket messages
8166 * Test 3: TLSv1.3, pending NewSessionTicket messages
80eff008
KR		 8167 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
8168 * sends key update, client reads it
57d7b988
MC		 8169 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
8170 * sends CertificateRequest, client reads and ignores it
8171 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
c748834f
MC		 8172 * doesn't read it
8173 */
8174static int test_shutdown(int tst)
8175{
8176 SSL_CTX *cctx = NULL, *sctx = NULL;
8177 SSL *clientssl = NULL, *serverssl = NULL;
8178 int testresult = 0;
8179 char msg[] = "A test message";
8180 char buf[80];
8181 size_t written, readbytes;
80eff008 8182 SSL_SESSION *sess;
c748834f
MC		 8183
8184#ifdef OPENSSL_NO_TLS1_2
a97d19f7 8185 if (tst <= 1)
c748834f
MC		 8186 return 1;
8187#endif
a763ca11 8188#ifdef OSSL_NO_USABLE_TLS1_3
a97d19f7 8189 if (tst >= 2)
c748834f
MC		 8190 return 1;
8191#endif
8192
5e30f2fd 8193 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
c748834f
MC		 8194 TLS_client_method(),
8195 TLS1_VERSION,
8196 (tst <= 1) ? TLS1_2_VERSION
8197 : TLS1_3_VERSION,
57d7b988
MC		 8198 &sctx, &cctx, cert, privkey)))
8199 goto end;
8200
8201 if (tst == 5)
8202 SSL_CTX_set_post_handshake_auth(cctx, 1);
8203
8204 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
c748834f
MC		 8205 NULL, NULL)))
8206 goto end;
8207
8208 if (tst == 3) {
8209 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
26dad42e 8210 SSL_ERROR_NONE, 1, 0))
80eff008
KR		 8211 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8212 || !TEST_false(SSL_SESSION_is_resumable(sess)))
c748834f
MC		 8213 goto end;
8214 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
80eff008
KR		 8215 SSL_ERROR_NONE))
8216 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8217 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
c748834f
MC		 8218 goto end;
8219 }
8220
8221 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8222 goto end;
8223
8224 if (tst >= 4) {
8225 /*
8226 * Reading on the server after the client has sent close_notify should
8227 * fail and provide SSL_ERROR_ZERO_RETURN
8228 */
8229 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
8230 || !TEST_int_eq(SSL_get_error(serverssl, 0),
8231 SSL_ERROR_ZERO_RETURN)
8232 || !TEST_int_eq(SSL_get_shutdown(serverssl),
8233 SSL_RECEIVED_SHUTDOWN)
8234 /*
8235 * Even though we're shutdown on receive we should still be
8236 * able to write.
8237 */
80eff008
KR		 8238 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8239 goto end;
57d7b988
MC		 8240 if (tst == 4
8241 && !TEST_true(SSL_key_update(serverssl,
8242 SSL_KEY_UPDATE_REQUESTED)))
8243 goto end;
8244 if (tst == 5) {
8245 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
8246 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
8247 goto end;
8248 }
8249 if ((tst == 4 || tst == 5)
8250 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
80eff008
KR		 8251 goto end;
8252 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
c748834f 8253 goto end;
57d7b988 8254 if (tst == 4 || tst == 5) {
80eff008 8255 /* Should still be able to read data from server */
c748834f 8256 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
80eff008
KR		 8257 &readbytes))
8258 || !TEST_size_t_eq(readbytes, sizeof(msg))
8259 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
8260 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8261 &readbytes))
c748834f
MC		 8262 || !TEST_size_t_eq(readbytes, sizeof(msg))
8263 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
8264 goto end;
8265 }
8266 }
8267
8268 /* Writing on the client after sending close_notify shouldn't be possible */
ba709049 8269 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
c748834f
MC		 8270 goto end;
8271
8272 if (tst < 4) {
8273 /*
8274 * For these tests the client has sent close_notify but it has not yet
8275 * been received by the server. The server has not sent close_notify
8276 * yet.
8277 */
8278 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
ba709049
MC		 8279 /*
8280 * Writing on the server after sending close_notify shouldn't
8281 * be possible.
8282 */
8283 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
c748834f 8284 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
80eff008
KR		 8285 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8286 || !TEST_true(SSL_SESSION_is_resumable(sess))
c748834f
MC		 8287 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
8288 goto end;
57d7b988 8289 } else if (tst == 4 || tst == 5) {
c748834f
MC		 8290 /*
8291 * In this test the client has sent close_notify and it has been
8292 * received by the server which has responded with a close_notify. The
358ffa05 8293 * client needs to read the close_notify sent by the server.
c748834f 8294 */
80eff008
KR		 8295 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
8296 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8297 || !TEST_true(SSL_SESSION_is_resumable(sess)))
c748834f 8298 goto end;
358ffa05
MC		 8299 } else {
8300 /*
57d7b988 8301 * tst == 6
358ffa05
MC		 8302 *
8303 * The client has sent close_notify and is expecting a close_notify
8304 * back, but instead there is application data first. The shutdown
8305 * should fail with a fatal error.
8306 */
8307 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
8308 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
8309 goto end;
c748834f
MC		 8310 }
8311
8312 testresult = 1;
8313
8314 end:
8315 SSL_free(serverssl);
8316 SSL_free(clientssl);
8317 SSL_CTX_free(sctx);
8318 SSL_CTX_free(cctx);
8319
8320 return testresult;
8321}
8322
cbf965b4
MC		 8323/*
8324 * Test that sending close_notify alerts works correctly in the case of a
8325 * retryable write failure.
8326 */
8327static int test_async_shutdown(void)
8328{
8329 SSL_CTX *cctx = NULL, *sctx = NULL;
8330 SSL *clientssl = NULL, *serverssl = NULL;
8331 int testresult = 0;
8332 BIO *bretry = BIO_new(bio_s_always_retry()), *tmp = NULL;
8333
8334 if (!TEST_ptr(bretry))
8335 goto end;
8336
8337 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8338 TLS_client_method(),
8339 0, 0,
8340 &sctx, &cctx, cert, privkey)))
8341 goto end;
8342
8343 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8344 NULL)))
8345 goto end;
8346
8347 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8348 goto end;
8349
8350 /* Close write side of clientssl */
8351 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8352 goto end;
8353
8354 tmp = SSL_get_wbio(serverssl);
8355 if (!TEST_true(BIO_up_ref(tmp))) {
8356 tmp = NULL;
8357 goto end;
8358 }
8359 SSL_set0_wbio(serverssl, bretry);
8360 bretry = NULL;
8361
8362 /* First server shutdown should fail because of a retrable write failure */
8363 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8364 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8365 goto end;
8366
8367 /* Second server shutdown should fail for the same reason */
8368 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8369 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8370 goto end;
8371
8372 SSL_set0_wbio(serverssl, tmp);
8373 tmp = NULL;
8374
8375 /* Third server shutdown should send close_notify */
8376 if (!TEST_int_eq(SSL_shutdown(serverssl), 0))
8377 goto end;
8378
8379 /* Fourth server shutdown should read close_notify from client and finish */
8380 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8381 goto end;
8382
8383 /* Client should also successfully fully shutdown */
8384 if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
8385 goto end;
8386
8387 testresult = 1;
8388 end:
8389 SSL_free(serverssl);
8390 SSL_free(clientssl);
8391 SSL_CTX_free(sctx);
8392 SSL_CTX_free(cctx);
8393 BIO_free(bretry);
8394 BIO_free(tmp);
8395
8396 return testresult;
8397}
8398
a763ca11 8399#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
cd6fe29f
MC		 8400static int cert_cb_cnt;
8401
8402static int cert_cb(SSL *s, void *arg)
8403{
8404 SSL_CTX *ctx = (SSL_CTX *)arg;
7cb8fb07
BK		 8405 BIO *in = NULL;
8406 EVP_PKEY *pkey = NULL;
1a2a3a42
MC		 8407 X509 *x509 = NULL, *rootx = NULL;
8408 STACK_OF(X509) *chain = NULL;
8409 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
8410 int ret = 0;
cd6fe29f
MC		 8411
8412 if (cert_cb_cnt == 0) {
8413 /* Suspend the handshake */
8414 cert_cb_cnt++;
8415 return -1;
8416 } else if (cert_cb_cnt == 1) {
8417 /*
8418 * Update the SSL_CTX, set the certificate and private key and then
8419 * continue the handshake normally.
8420 */
8421 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
8422 return 0;
8423
8424 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
8425 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
8426 SSL_FILETYPE_PEM))
8427 || !TEST_true(SSL_check_private_key(s)))
8428 return 0;
8429 cert_cb_cnt++;
8430 return 1;
7cb8fb07
BK		 8431 } else if (cert_cb_cnt == 3) {
8432 int rv;
1a2a3a42
MC		 8433
8434 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
8435 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8436 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8437 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
8438 goto out;
8439 chain = sk_X509_new_null();
8440 if (!TEST_ptr(chain))
8441 goto out;
7cb8fb07 8442 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
e3f03624 8443 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
d8652be0 8444 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
6725682d 8445 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
1a2a3a42
MC		 8446 || !TEST_true(sk_X509_push(chain, rootx)))
8447 goto out;
8448 rootx = NULL;
8449 BIO_free(in);
8450 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
e3f03624 8451 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
d8652be0 8452 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
6725682d 8453 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
7cb8fb07
BK		 8454 goto out;
8455 BIO_free(in);
8456 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
e3f03624 8457 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
5f2b7db0
RL		 8458 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8459 NULL, NULL,
8460 libctx, NULL)))
7cb8fb07 8461 goto out;
1a2a3a42 8462 rv = SSL_check_chain(s, x509, pkey, chain);
7cb8fb07
BK		 8463 /*
8464 * If the cert doesn't show as valid here (e.g., because we don't
8465 * have any shared sigalgs), then we will not set it, and there will
8466 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8467 * will cause tls_choose_sigalgs() to fail the connection.
8468 */
1a2a3a42
MC		 8469 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8470 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7cb8fb07
BK		 8471 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8472 goto out;
8473 }
1a2a3a42
MC		 8474
8475 ret = 1;
cd6fe29f
MC		 8476 }
8477
8478 /* Abort the handshake */
7cb8fb07 8479 out:
1a2a3a42
MC		 8480 OPENSSL_free(ecdsacert);
8481 OPENSSL_free(ecdsakey);
8482 OPENSSL_free(rootfile);
7cb8fb07
BK		 8483 BIO_free(in);
8484 EVP_PKEY_free(pkey);
8485 X509_free(x509);
1a2a3a42 8486 X509_free(rootx);
79b2a2f2 8487 OSSL_STACK_OF_X509_free(chain);
1a2a3a42 8488 return ret;
cd6fe29f
MC		 8489}
8490
8491/*
8492 * Test the certificate callback.
8493 * Test 0: Callback fails
8494 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8495 * Test 2: Success - SSL_set_SSL_CTX() in the callback
1a2a3a42
MC		 8496 * Test 3: Success - Call SSL_check_chain from the callback
8497 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8498 * chain
8499 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
cd6fe29f
MC		 8500 */
8501static int test_cert_cb_int(int prot, int tst)
8502{
8503 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8504 SSL *clientssl = NULL, *serverssl = NULL;
8505 int testresult = 0, ret;
8506
1a2a3a42
MC		 8507#ifdef OPENSSL_NO_EC
8508 /* We use an EC cert in these tests, so we skip in a no-ec build */
8509 if (tst >= 3)
8510 return 1;
8511#endif
8512
5e30f2fd 8513 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
cd6fe29f
MC		 8514 TLS_client_method(),
8515 TLS1_VERSION,
8516 prot,
8517 &sctx, &cctx, NULL, NULL)))
8518 goto end;
8519
8520 if (tst == 0)
8521 cert_cb_cnt = -1;
1a2a3a42 8522 else if (tst >= 3)
7cb8fb07 8523 cert_cb_cnt = 3;
cd6fe29f
MC		 8524 else
8525 cert_cb_cnt = 0;
1a2a3a42 8526
b0317df2 8527 if (tst == 2) {
7e1eda48 8528 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
b0317df2
JJ		 8529 if (!TEST_ptr(snictx))
8530 goto end;
8531 }
8532
cd6fe29f
MC		 8533 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8534
8535 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8536 NULL, NULL)))
8537 goto end;
8538
1a2a3a42
MC		 8539 if (tst == 4) {
8540 /*
8541 * We cause SSL_check_chain() to fail by specifying sig_algs that
8542 * the chain doesn't meet (the root uses an RSA cert)
8543 */
8544 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8545 "ecdsa_secp256r1_sha256")))
8546 goto end;
8547 } else if (tst == 5) {
8548 /*
8549 * We cause SSL_check_chain() to fail by specifying sig_algs that
8550 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8551 */
8552 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8553 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8554 goto end;
8555 }
8556
cd6fe29f 8557 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
1a2a3a42 8558 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7cb8fb07
BK		 8559 || (tst > 0
8560 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
cd6fe29f
MC		 8561 goto end;
8562 }
8563
8564 testresult = 1;
8565
8566 end:
8567 SSL_free(serverssl);
8568 SSL_free(clientssl);
8569 SSL_CTX_free(sctx);
8570 SSL_CTX_free(cctx);
8571 SSL_CTX_free(snictx);
8572
8573 return testresult;
8574}
7f1d923a 8575#endif
cd6fe29f
MC		 8576
8577static int test_cert_cb(int tst)
8578{
8579 int testresult = 1;
8580
8581#ifndef OPENSSL_NO_TLS1_2
8582 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8583#endif
a763ca11 8584#ifndef OSSL_NO_USABLE_TLS1_3
cd6fe29f
MC		 8585 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8586#endif
8587
8588 return testresult;
8589}
8590
6e46c065
MC		 8591static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8592{
8c2bfd25 8593 X509 *xcert;
6e46c065
MC		 8594 EVP_PKEY *privpkey;
8595 BIO *in = NULL;
6725682d 8596 BIO *priv_in = NULL;
6e46c065 8597
8c2bfd25
TS		 8598 /* Check that SSL_get0_peer_certificate() returns something sensible */
8599 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
6e46c065 8600 return 0;
6e46c065
MC		 8601
8602 in = BIO_new_file(cert, "r");
8603 if (!TEST_ptr(in))
8604 return 0;
8605
d8652be0 8606 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
6725682d
SL		 8607 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
8608 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
5f2b7db0
RL		 8609 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
8610 NULL, NULL,
8611 libctx, NULL)))
6725682d 8612 goto err;
6e46c065
MC		 8613
8614 *x509 = xcert;
8615 *pkey = privpkey;
8616
6725682d
SL		 8617 BIO_free(in);
8618 BIO_free(priv_in);
6e46c065 8619 return 1;
6725682d
SL		 8620err:
8621 X509_free(xcert);
8622 BIO_free(in);
8623 BIO_free(priv_in);
8624 return 0;
6e46c065
MC		 8625}
8626
6e46c065
MC		 8627static int test_client_cert_cb(int tst)
8628{
8629 SSL_CTX *cctx = NULL, *sctx = NULL;
8630 SSL *clientssl = NULL, *serverssl = NULL;
8631 int testresult = 0;
8632
8633#ifdef OPENSSL_NO_TLS1_2
8634 if (tst == 0)
8635 return 1;
8636#endif
a763ca11 8637#ifdef OSSL_NO_USABLE_TLS1_3
6e46c065
MC		 8638 if (tst == 1)
8639 return 1;
8640#endif
8641
5e30f2fd 8642 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6e46c065
MC		 8643 TLS_client_method(),
8644 TLS1_VERSION,
8645 tst == 0 ? TLS1_2_VERSION
8646 : TLS1_3_VERSION,
8647 &sctx, &cctx, cert, privkey)))
8648 goto end;
8649
8650 /*
8651 * Test that setting a client_cert_cb results in a client certificate being
8652 * sent.
8653 */
8654 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
8655 SSL_CTX_set_verify(sctx,
8656 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8657 verify_cb);
fb8c8359
MC		 8658
8659 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8660 NULL, NULL))
8661 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8662 SSL_ERROR_NONE)))
8663 goto end;
8664
8665 testresult = 1;
8666
8667 end:
8668 SSL_free(serverssl);
8669 SSL_free(clientssl);
8670 SSL_CTX_free(sctx);
8671 SSL_CTX_free(cctx);
8672
8673 return testresult;
8674}
8675
a763ca11 8676#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
fb8c8359
MC		 8677/*
8678 * Test setting certificate authorities on both client and server.
8679 *
8680 * Test 0: SSL_CTX_set0_CA_list() only
8681 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8682 * Test 2: Only SSL_CTX_set_client_CA_list()
8683 */
8684static int test_ca_names_int(int prot, int tst)
8685{
8686 SSL_CTX *cctx = NULL, *sctx = NULL;
8687 SSL *clientssl = NULL, *serverssl = NULL;
8688 int testresult = 0;
8689 size_t i;
8690 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
8691 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
8692 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
8693 const STACK_OF(X509_NAME) *sktmp = NULL;
8694
8695 for (i = 0; i < OSSL_NELEM(name); i++) {
8696 name[i] = X509_NAME_new();
8697 if (!TEST_ptr(name[i])
8698 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
8699 MBSTRING_ASC,
8700 (unsigned char *)
8701 strnames[i],
8702 -1, -1, 0)))
8703 goto end;
8704 }
8705
5e30f2fd 8706 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fb8c8359
MC		 8707 TLS_client_method(),
8708 TLS1_VERSION,
8709 prot,
8710 &sctx, &cctx, cert, privkey)))
8711 goto end;
8712
8713 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
8714
8715 if (tst == 0 || tst == 1) {
8716 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8717 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
8718 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
8719 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8720 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
8721 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
8722 goto end;
8723
8724 SSL_CTX_set0_CA_list(sctx, sk1);
8725 SSL_CTX_set0_CA_list(cctx, sk2);
8726 sk1 = sk2 = NULL;
8727 }
8728 if (tst == 1 || tst == 2) {
8729 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8730 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
8731 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
8732 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8733 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
8734 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
8735 goto end;
8736
8737 SSL_CTX_set_client_CA_list(sctx, sk1);
8738 SSL_CTX_set_client_CA_list(cctx, sk2);
8739 sk1 = sk2 = NULL;
8740 }
8741
6e46c065
MC		 8742 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8743 NULL, NULL))
8744 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8745 SSL_ERROR_NONE)))
8746 goto end;
8747
fb8c8359
MC		 8748 /*
8749 * We only expect certificate authorities to have been sent to the server
8750 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
8751 */
8752 sktmp = SSL_get0_peer_CA_list(serverssl);
8753 if (prot == TLS1_3_VERSION
8754 && (tst == 0 || tst == 1)) {
8755 if (!TEST_ptr(sktmp)
8756 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8757 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8758 name[0]), 0)
8759 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8760 name[1]), 0))
8761 goto end;
8762 } else if (!TEST_ptr_null(sktmp)) {
8763 goto end;
8764 }
8765
8766 /*
8767 * In all tests we expect certificate authorities to have been sent to the
8768 * client. However, SSL_set_client_CA_list() should override
8769 * SSL_set0_CA_list()
8770 */
8771 sktmp = SSL_get0_peer_CA_list(clientssl);
8772 if (!TEST_ptr(sktmp)
8773 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8774 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8775 name[tst == 0 ? 0 : 2]), 0)
8776 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8777 name[tst == 0 ? 1 : 3]), 0))
8778 goto end;
8779
6e46c065
MC		 8780 testresult = 1;
8781
8782 end:
8783 SSL_free(serverssl);
8784 SSL_free(clientssl);
8785 SSL_CTX_free(sctx);
8786 SSL_CTX_free(cctx);
fb8c8359
MC		 8787 for (i = 0; i < OSSL_NELEM(name); i++)
8788 X509_NAME_free(name[i]);
8789 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
8790 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
8791
8792 return testresult;
8793}
8794#endif
8795
8796static int test_ca_names(int tst)
8797{
8798 int testresult = 1;
8799
8800#ifndef OPENSSL_NO_TLS1_2
8801 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
8802#endif
a763ca11 8803#ifndef OSSL_NO_USABLE_TLS1_3
fb8c8359
MC		 8804 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
8805#endif
6e46c065
MC		 8806
8807 return testresult;
8808}
8809
0d2bfe52
SL		 8810#ifndef OPENSSL_NO_TLS1_2
8811static const char *multiblock_cipherlist_data[]=
8812{
8813 "AES128-SHA",
8814 "AES128-SHA256",
8815 "AES256-SHA",
8816 "AES256-SHA256",
8817};
8818
8819/* Reduce the fragment size - so the multiblock test buffer can be small */
8820# define MULTIBLOCK_FRAGSIZE 512
8821
8822static int test_multiblock_write(int test_index)
8823{
8824 static const char *fetchable_ciphers[]=
8825 {
8826 "AES-128-CBC-HMAC-SHA1",
8827 "AES-128-CBC-HMAC-SHA256",
8828 "AES-256-CBC-HMAC-SHA1",
8829 "AES-256-CBC-HMAC-SHA256"
8830 };
8831 const char *cipherlist = multiblock_cipherlist_data[test_index];
8832 const SSL_METHOD *smeth = TLS_server_method();
8833 const SSL_METHOD *cmeth = TLS_client_method();
8834 int min_version = TLS1_VERSION;
8835 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
8836 SSL_CTX *cctx = NULL, *sctx = NULL;
8837 SSL *clientssl = NULL, *serverssl = NULL;
8838 int testresult = 0;
8839
8840 /*
8841 * Choose a buffer large enough to perform a multi-block operation
8842 * i.e: write_len >= 4 * frag_size
8843 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8844 */
8845 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
8846 unsigned char buf[sizeof(msg)], *p = buf;
8847 size_t readbytes, written, len;
8848 EVP_CIPHER *ciph = NULL;
8849
8850 /*
8851 * Check if the cipher exists before attempting to use it since it only has
8852 * a hardware specific implementation.
8853 */
7c82a7a8 8854 ciph = EVP_CIPHER_fetch(libctx, fetchable_ciphers[test_index], "");
0d2bfe52
SL		 8855 if (ciph == NULL) {
8856 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
8857 return 1;
8858 }
8859 EVP_CIPHER_free(ciph);
8860
8861 /* Set up a buffer with some data that will be sent to the client */
8862 RAND_bytes(msg, sizeof(msg));
8863
5e30f2fd
MC		 8864 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
8865 max_version, &sctx, &cctx, cert,
8866 privkey)))
0d2bfe52
SL		 8867 goto end;
8868
8869 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
8870 goto end;
8871
8872 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8873 NULL, NULL)))
8874 goto end;
8875
8876 /* settings to force it to use AES-CBC-HMAC_SHA */
8877 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
8878 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
8879 goto end;
8880
8881 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8882 goto end;
8883
8884 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8885 || !TEST_size_t_eq(written, sizeof(msg)))
8886 goto end;
8887
8888 len = written;
8889 while (len > 0) {
8890 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
8891 goto end;
8892 p += readbytes;
8893 len -= readbytes;
8894 }
8895 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
8896 goto end;
8897
8898 testresult = 1;
8899end:
8900 SSL_free(serverssl);
8901 SSL_free(clientssl);
8902 SSL_CTX_free(sctx);
8903 SSL_CTX_free(cctx);
8904
8905 return testresult;
8906}
8907#endif /* OPENSSL_NO_TLS1_2 */
a43ce58f 8908
25959e04
TS		 8909static int test_session_timeout(int test)
8910{
8911 /*
8912 * Test session ordering and timeout
8913 * Can't explicitly test performance of the new code,
8914 * but can test to see if the ordering of the sessions
8915 * are correct, and they they are removed as expected
8916 */
8917 SSL_SESSION *early = NULL;
8918 SSL_SESSION *middle = NULL;
8919 SSL_SESSION *late = NULL;
8920 SSL_CTX *ctx;
8921 int testresult = 0;
8922 long now = (long)time(NULL);
8923#define TIMEOUT 10
8924
8925 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
8926 || !TEST_ptr(early = SSL_SESSION_new())
8927 || !TEST_ptr(middle = SSL_SESSION_new())
8928 || !TEST_ptr(late = SSL_SESSION_new()))
8929 goto end;
8930
8931 /* assign unique session ids */
8932 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8933 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
8934 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8935 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
8936 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8937 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
8938
8939 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8940 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8941 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8942 goto end;
8943
8944 /* Make sure they are all added */
8945 if (!TEST_ptr(early->prev)
8946 || !TEST_ptr(middle->prev)
8947 || !TEST_ptr(late->prev))
8948 goto end;
8949
8950 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
8951 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
8952 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
8953 goto end;
8954
8955 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
8956 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
8957 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
8958 goto end;
8959
8960 /* Make sure they are all still there */
8961 if (!TEST_ptr(early->prev)
8962 || !TEST_ptr(middle->prev)
8963 || !TEST_ptr(late->prev))
8964 goto end;
8965
8966 /* Make sure they are in the expected order */
8967 if (!TEST_ptr_eq(late->next, middle)
8968 || !TEST_ptr_eq(middle->next, early)
8969 || !TEST_ptr_eq(early->prev, middle)
8970 || !TEST_ptr_eq(middle->prev, late))
8971 goto end;
8972
8973 /* This should remove "early" */
8974 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
8975 if (!TEST_ptr_null(early->prev)
8976 || !TEST_ptr(middle->prev)
8977 || !TEST_ptr(late->prev))
8978 goto end;
8979
8980 /* This should remove "middle" */
8981 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
8982 if (!TEST_ptr_null(early->prev)
8983 || !TEST_ptr_null(middle->prev)
8984 || !TEST_ptr(late->prev))
8985 goto end;
8986
8987 /* This should remove "late" */
8988 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
8989 if (!TEST_ptr_null(early->prev)
8990 || !TEST_ptr_null(middle->prev)
8991 || !TEST_ptr_null(late->prev))
8992 goto end;
8993
8994 /* Add them back in again */
8995 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8996 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8997 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8998 goto end;
8999
9000 /* Make sure they are all added */
9001 if (!TEST_ptr(early->prev)
9002 || !TEST_ptr(middle->prev)
9003 || !TEST_ptr(late->prev))
9004 goto end;
9005
9006 /* This should remove all of them */
9007 SSL_CTX_flush_sessions(ctx, 0);
9008 if (!TEST_ptr_null(early->prev)
9009 || !TEST_ptr_null(middle->prev)
9010 || !TEST_ptr_null(late->prev))
9011 goto end;
9012
9013 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
9014 | SSL_CTX_get_session_cache_mode(ctx));
9015
9016 /* make sure |now| is NOT equal to the current time */
9017 now -= 10;
9018 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
9019 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9020 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
9021 goto end;
9022
9023 testresult = 1;
9024 end:
9025 SSL_CTX_free(ctx);
9026 SSL_SESSION_free(early);
9027 SSL_SESSION_free(middle);
9028 SSL_SESSION_free(late);
9029 return testresult;
9030}
9031
49ef3d07
MC		 9032/*
9033 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
9034 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
9035 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
9036 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
9037 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
9038 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
9039 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
9040 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
9041 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
9042 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
9043 */
9044static int test_servername(int tst)
9045{
9046 SSL_CTX *cctx = NULL, *sctx = NULL;
9047 SSL *clientssl = NULL, *serverssl = NULL;
9048 int testresult = 0;
9049 SSL_SESSION *sess = NULL;
9050 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
9051
9052#ifdef OPENSSL_NO_TLS1_2
9053 if (tst <= 4)
9054 return 1;
9055#endif
a763ca11 9056#ifdef OSSL_NO_USABLE_TLS1_3
49ef3d07
MC		 9057 if (tst >= 5)
9058 return 1;
9059#endif
9060
5e30f2fd 9061 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
49ef3d07
MC		 9062 TLS_client_method(),
9063 TLS1_VERSION,
9064 (tst <= 4) ? TLS1_2_VERSION
9065 : TLS1_3_VERSION,
9066 &sctx, &cctx, cert, privkey))
9067 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9068 NULL, NULL)))
9069 goto end;
9070
9071 if (tst != 1 && tst != 6) {
9072 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
9073 hostname_cb)))
9074 goto end;
9075 }
9076
9077 if (tst != 3 && tst != 8) {
9078 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9079 goto end;
9080 sexpectedhost = cexpectedhost = "goodhost";
9081 }
9082
9083 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9084 goto end;
9085
9086 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
9087 cexpectedhost)
9088 || !TEST_str_eq(SSL_get_servername(serverssl,
9089 TLSEXT_NAMETYPE_host_name),
9090 sexpectedhost))
9091 goto end;
9092
9093 /* Now repeat with a resumption handshake */
9094
9095 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
9096 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
9097 || !TEST_true(SSL_SESSION_is_resumable(sess))
9098 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
9099 goto end;
9100
9101 SSL_free(clientssl);
9102 SSL_free(serverssl);
9103 clientssl = serverssl = NULL;
9104
9105 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
9106 NULL)))
9107 goto end;
9108
9109 if (!TEST_true(SSL_set_session(clientssl, sess)))
9110 goto end;
9111
9112 sexpectedhost = cexpectedhost = "goodhost";
9113 if (tst == 2 || tst == 7) {
9114 /* Set an inconsistent hostname */
9115 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
9116 goto end;
9117 /*
9118 * In TLSv1.2 we expect the hostname from the original handshake, in
9119 * TLSv1.3 we expect the hostname from this handshake
9120 */
9121 if (tst == 7)
9122 sexpectedhost = cexpectedhost = "altgoodhost";
9123
9124 if (!TEST_str_eq(SSL_get_servername(clientssl,
9125 TLSEXT_NAMETYPE_host_name),
9126 "altgoodhost"))
9127 goto end;
9128 } else if (tst == 4 || tst == 9) {
9129 /*
9130 * A TLSv1.3 session does not associate a session with a servername,
9131 * but a TLSv1.2 session does.
9132 */
9133 if (tst == 9)
9134 sexpectedhost = cexpectedhost = NULL;
9135
9136 if (!TEST_str_eq(SSL_get_servername(clientssl,
9137 TLSEXT_NAMETYPE_host_name),
9138 cexpectedhost))
9139 goto end;
9140 } else {
9141 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9142 goto end;
9143 /*
9144 * In a TLSv1.2 resumption where the hostname was not acknowledged
9145 * we expect the hostname on the server to be empty. On the client we
9146 * return what was requested in this case.
9147 *
9148 * Similarly if the client didn't set a hostname on an original TLSv1.2
9149 * session but is now, the server hostname will be empty, but the client
9150 * is as we set it.
9151 */
9152 if (tst == 1 || tst == 3)
9153 sexpectedhost = NULL;
9154
9155 if (!TEST_str_eq(SSL_get_servername(clientssl,
9156 TLSEXT_NAMETYPE_host_name),
9157 "goodhost"))
9158 goto end;
9159 }
9160
9161 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9162 goto end;
9163
9164 if (!TEST_true(SSL_session_reused(clientssl))
9165 || !TEST_true(SSL_session_reused(serverssl))
9166 || !TEST_str_eq(SSL_get_servername(clientssl,
9167 TLSEXT_NAMETYPE_host_name),
9168 cexpectedhost)
9169 || !TEST_str_eq(SSL_get_servername(serverssl,
9170 TLSEXT_NAMETYPE_host_name),
9171 sexpectedhost))
9172 goto end;
9173
9174 testresult = 1;
9175
9176 end:
9177 SSL_SESSION_free(sess);
9178 SSL_free(serverssl);
9179 SSL_free(clientssl);
9180 SSL_CTX_free(sctx);
9181 SSL_CTX_free(cctx);
9182
9183 return testresult;
9184}
9185
b1fdbc68 9186#if !defined(OPENSSL_NO_EC) \
a763ca11 9187 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b3842539
MC		 9188/*
9189 * Test that if signature algorithms are not available, then we do not offer or
9190 * accept them.
9191 * Test 0: Two RSA sig algs available: both RSA sig algs shared
9192 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
9193 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
9194 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
9195 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
9196 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
9197 */
9198static int test_sigalgs_available(int idx)
9199{
9200 SSL_CTX *cctx = NULL, *sctx = NULL;
9201 SSL *clientssl = NULL, *serverssl = NULL;
9202 int testresult = 0;
b4250010
DMSP		 9203 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
9204 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
b3842539
MC		 9205 OSSL_PROVIDER *filterprov = NULL;
9206 int sig, hash;
9207
9208 if (!TEST_ptr(tmpctx))
9209 goto end;
9210
9211 if (idx != 0 && idx != 3) {
9212 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
9213 filter_provider_init)))
9214 goto end;
9215
9216 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
9217 if (!TEST_ptr(filterprov))
9218 goto end;
9219
9220 if (idx < 3) {
9221 /*
9222 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
9223 * or accepted for the peer that uses this libctx. Note that libssl
9224 * *requires* SHA2-256 to be available so we cannot disable that. We
9225 * also need SHA1 for our certificate.
9226 */
9227 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
9228 "SHA2-256:SHA1")))
9229 goto end;
9230 } else {
9231 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
9232 "ECDSA"))
9233 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
9234 "EC:X25519:X448")))
9235 goto end;
9236 }
9237
9238 if (idx == 1 || idx == 4)
9239 clientctx = tmpctx;
9240 else
9241 serverctx = tmpctx;
9242 }
9243
d8652be0
MC		 9244 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
9245 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9d2d857f
MC		 9246 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
9247 goto end;
b3842539 9248
b4c4a2c6
TM		 9249 if (idx != 5) {
9250 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9251 TLS_client_method(),
9252 TLS1_VERSION,
9253 0,
9254 &sctx, &cctx, cert, privkey)))
9255 goto end;
9256 } else {
9257 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9258 TLS_client_method(),
9259 TLS1_VERSION,
9260 0,
9261 &sctx, &cctx, cert2, privkey2)))
9262 goto end;
9263 }
b3842539 9264
b1fdbc68
MC		 9265 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
9266 if (idx < 4) {
9267 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9268 "ECDHE-RSA-AES128-GCM-SHA256")))
9269 goto end;
9270 } else {
9271 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9272 "ECDHE-ECDSA-AES128-GCM-SHA256")))
9273 goto end;
9274 }
9275
b3842539
MC		 9276 if (idx < 3) {
9277 if (!SSL_CTX_set1_sigalgs_list(cctx,
9278 "rsa_pss_rsae_sha384"
9279 ":rsa_pss_rsae_sha256")
9280 || !SSL_CTX_set1_sigalgs_list(sctx,
9281 "rsa_pss_rsae_sha384"
9282 ":rsa_pss_rsae_sha256"))
9283 goto end;
9284 } else {
9285 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
9286 || !SSL_CTX_set1_sigalgs_list(sctx,
9287 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
9288 goto end;
9289 }
9290
b4c4a2c6
TM		 9291 if (idx != 5
9292 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
9293 SSL_FILETYPE_PEM), 1)
b3842539
MC		 9294 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
9295 privkey2,
9296 SSL_FILETYPE_PEM), 1)
b4c4a2c6 9297 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
b3842539
MC		 9298 goto end;
9299
9300 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
b4c4a2c6 9301 NULL, NULL)))
b3842539
MC		 9302 goto end;
9303
9304 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9305 goto end;
9306
9307 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
9308 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
9309 NULL, NULL),
9310 (idx == 0 || idx == 3) ? 2 : 1))
9311 goto end;
9312
9313 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
9314 goto end;
9315
9316 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
9317 : NID_rsassaPss))
9318 goto end;
9319
b0001d0c 9320 testresult = filter_provider_check_clean_finish();
b3842539
MC		 9321
9322 end:
9323 SSL_free(serverssl);
9324 SSL_free(clientssl);
9325 SSL_CTX_free(sctx);
9326 SSL_CTX_free(cctx);
9327 OSSL_PROVIDER_unload(filterprov);
b4250010 9328 OSSL_LIB_CTX_free(tmpctx);
b3842539
MC		 9329
9330 return testresult;
9331}
b1fdbc68
MC		 9332#endif /*
9333 * !defined(OPENSSL_NO_EC) \
a763ca11 9334 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b1fdbc68 9335 */
b3842539 9336
0c13cdf8 9337#ifndef OPENSSL_NO_TLS1_3
a763ca11 9338/* This test can run in TLSv1.3 even if ec and dh are disabled */
c8e3a4c6 9339static int test_pluggable_group(int idx)
0c13cdf8
MC		 9340{
9341 SSL_CTX *cctx = NULL, *sctx = NULL;
9342 SSL *clientssl = NULL, *serverssl = NULL;
9343 int testresult = 0;
9344 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
146aebc6
MC		 9345 /* Check that we are not impacted by a provider without any groups */
9346 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
c8e3a4c6 9347 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
0c13cdf8 9348
5ae54dba 9349 if (!TEST_ptr(tlsprov))
0c13cdf8
MC		 9350 goto end;
9351
5ae54dba
MC		 9352 if (legacyprov == NULL) {
9353 /*
9354 * In this case we assume we've been built with "no-legacy" and skip
9355 * this test (there is no OPENSSL_NO_LEGACY)
9356 */
9357 testresult = 1;
9358 goto end;
9359 }
9360
0c13cdf8
MC		 9361 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9362 TLS_client_method(),
9363 TLS1_3_VERSION,
9364 TLS1_3_VERSION,
9365 &sctx, &cctx, cert, privkey))
9366 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9367 NULL, NULL)))
9368 goto end;
9369
c8e3a4c6
NT		 9370 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
9371 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
0c13cdf8
MC		 9372 goto end;
9373
9374 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9375 goto end;
9376
becbacd7
MB		 9377 if (!TEST_str_eq(group_name,
9378 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
9379 goto end;
9380
0c13cdf8
MC		 9381 testresult = 1;
9382
9383 end:
9384 SSL_free(serverssl);
9385 SSL_free(clientssl);
9386 SSL_CTX_free(sctx);
9387 SSL_CTX_free(cctx);
9388 OSSL_PROVIDER_unload(tlsprov);
146aebc6 9389 OSSL_PROVIDER_unload(legacyprov);
0c13cdf8
MC		 9390
9391 return testresult;
9392}
ee58915c
MB		 9393
9394/*
9395 * This function triggers encode, decode and sign functions
9396 * of the artificial "xorhmacsig" algorithm implemented in tls-provider
9397 * creating private key and certificate files for use in TLS testing.
9398 */
9399static int create_cert_key(int idx, char *certfilename, char *privkeyfilename)
9400{
9401 EVP_PKEY_CTX * evpctx = EVP_PKEY_CTX_new_from_name(libctx,
9402 (idx == 0) ? "xorhmacsig" : "xorhmacsha2sig", NULL);
9403 EVP_PKEY *pkey = NULL;
9404 X509 *x509 = X509_new();
9405 X509_NAME *name = NULL;
9406 BIO *keybio = NULL, *certbio = NULL;
9407 int ret = 1;
9408
9409 if (!TEST_ptr(evpctx)
9410 || !TEST_true(EVP_PKEY_keygen_init(evpctx))
9411 || !TEST_true(EVP_PKEY_generate(evpctx, &pkey))
9412 || !TEST_ptr(pkey)
9413 || !TEST_ptr(x509)
9414 || !TEST_true(ASN1_INTEGER_set(X509_get_serialNumber(x509), 1))
9415 || !TEST_true(X509_gmtime_adj(X509_getm_notBefore(x509), 0))
9416 || !TEST_true(X509_gmtime_adj(X509_getm_notAfter(x509), 31536000L))
9417 || !TEST_true(X509_set_pubkey(x509, pkey))
9418 || !TEST_ptr(name = X509_get_subject_name(x509))
9419 || !TEST_true(X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC,
9420 (unsigned char *)"CH", -1, -1, 0))
9421 || !TEST_true(X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
9422 (unsigned char *)"test.org", -1, -1, 0))
9423 || !TEST_true(X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
9424 (unsigned char *)"localhost", -1, -1, 0))
9425 || !TEST_true(X509_set_issuer_name(x509, name))
9426 || !TEST_true(X509_sign(x509, pkey, EVP_sha1()))
9427 || !TEST_ptr(keybio = BIO_new_file(privkeyfilename, "wb"))
9428 || !TEST_true(PEM_write_bio_PrivateKey(keybio, pkey, NULL, NULL, 0, NULL, NULL))
9429 || !TEST_ptr(certbio = BIO_new_file(certfilename, "wb"))
9430 || !TEST_true(PEM_write_bio_X509(certbio, x509)))
9431 ret = 0;
9432
9433 EVP_PKEY_free(pkey);
9434 X509_free(x509);
9435 EVP_PKEY_CTX_free(evpctx);
9436 BIO_free(keybio);
9437 BIO_free(certbio);
9438 return ret;
9439}
9440
9441/*
9442 * Test that signature algorithms loaded via the provider interface can
9443 * correctly establish a TLS (1.3) connection.
9444 * Test 0: Signature algorithm with built-in hashing functionality: "xorhmacsig"
9445 * Test 1: Signature algorithm using external SHA2 hashing: "xorhmacsha2sig"
9446 */
9447static int test_pluggable_signature(int idx)
9448{
9449 SSL_CTX *cctx = NULL, *sctx = NULL;
9450 SSL *clientssl = NULL, *serverssl = NULL;
9451 int testresult = 0;
9452 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
9453 OSSL_PROVIDER *defaultprov = OSSL_PROVIDER_load(libctx, "default");
9454 char *certfilename = "tls-prov-cert.pem";
9455 char *privkeyfilename = "tls-prov-key.pem";
9456
9457 /* create key and certificate for the different algorithm types */
9458 if (!TEST_ptr(tlsprov)
9459 || !TEST_true(create_cert_key(idx, certfilename, privkeyfilename)))
9460 goto end;
9461
9462 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9463 TLS_client_method(),
9464 TLS1_3_VERSION,
9465 TLS1_3_VERSION,
9466 &sctx, &cctx, certfilename, privkeyfilename))
9467 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9468 NULL, NULL)))
9469 goto end;
9470
9471 /* This is necessary to pass minimal setup w/o other groups configured */
9472 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup"))
9473 || !TEST_true(SSL_set1_groups_list(clientssl, "xorgroup")))
9474 goto end;
9475
9476 /*
9477 * If this connection gets established, it must have been completed
9478 * via the tls-provider-implemented "hmacsig" algorithm, testing
9479 * both sign and verify functions during handshake.
9480 */
9481 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9482 goto end;
9483
9484 testresult = 1;
9485
9486 end:
9487 SSL_free(serverssl);
9488 SSL_free(clientssl);
9489 SSL_CTX_free(sctx);
9490 SSL_CTX_free(cctx);
9491 OSSL_PROVIDER_unload(tlsprov);
9492 OSSL_PROVIDER_unload(defaultprov);
9493
9494 return testresult;
9495}
0c13cdf8 9496#endif
b3842539 9497
49a36a52
MC		 9498#ifndef OPENSSL_NO_TLS1_2
9499static int test_ssl_dup(void)
9500{
9501 SSL_CTX *cctx = NULL, *sctx = NULL;
9502 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
9503 int testresult = 0;
9504 BIO *rbio = NULL, *wbio = NULL;
9505
9506 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9507 TLS_client_method(),
9508 0,
9509 0,
9510 &sctx, &cctx, cert, privkey)))
9511 goto end;
9512
9513 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9514 NULL, NULL)))
9515 goto end;
9516
9517 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
9518 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
9519 goto end;
9520
9521 client2ssl = SSL_dup(clientssl);
9522 rbio = SSL_get_rbio(clientssl);
9523 if (!TEST_ptr(rbio)
9524 || !TEST_true(BIO_up_ref(rbio)))
9525 goto end;
9526 SSL_set0_rbio(client2ssl, rbio);
9527 rbio = NULL;
9528
9529 wbio = SSL_get_wbio(clientssl);
9530 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
9531 goto end;
9532 SSL_set0_wbio(client2ssl, wbio);
9533 rbio = NULL;
9534
9535 if (!TEST_ptr(client2ssl)
9536 /* Handshake not started so pointers should be different */
9537 || !TEST_ptr_ne(clientssl, client2ssl))
9538 goto end;
9539
9540 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
9541 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
9542 goto end;
9543
9544 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
9545 goto end;
9546
9547 SSL_free(clientssl);
9548 clientssl = SSL_dup(client2ssl);
9549 if (!TEST_ptr(clientssl)
9550 /* Handshake has finished so pointers should be the same */
9551 || !TEST_ptr_eq(clientssl, client2ssl))
9552 goto end;
9553
9554 testresult = 1;
9555
9556 end:
9557 SSL_free(serverssl);
9558 SSL_free(clientssl);
9559 SSL_free(client2ssl);
9560 SSL_CTX_free(sctx);
9561 SSL_CTX_free(cctx);
9562
9563 return testresult;
9564}
33c39a06
MC		 9565
9566# ifndef OPENSSL_NO_DH
9567
9568static EVP_PKEY *tmp_dh_params = NULL;
9569
9570/* Helper function for the test_set_tmp_dh() tests */
9571static EVP_PKEY *get_tmp_dh_params(void)
9572{
9573 if (tmp_dh_params == NULL) {
9574 BIGNUM *p = NULL;
9575 OSSL_PARAM_BLD *tmpl = NULL;
9576 EVP_PKEY_CTX *pctx = NULL;
9577 OSSL_PARAM *params = NULL;
9578 EVP_PKEY *dhpkey = NULL;
9579
9580 p = BN_get_rfc3526_prime_2048(NULL);
9581 if (!TEST_ptr(p))
9582 goto end;
9583
9584 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
9585 if (!TEST_ptr(pctx)
884400d7 9586 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
33c39a06
MC		 9587 goto end;
9588
9589 tmpl = OSSL_PARAM_BLD_new();
9590 if (!TEST_ptr(tmpl)
9591 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
9592 OSSL_PKEY_PARAM_FFC_P,
9593 p))
9594 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
9595 OSSL_PKEY_PARAM_FFC_G,
9596 2)))
9597 goto end;
9598
9599 params = OSSL_PARAM_BLD_to_param(tmpl);
9600 if (!TEST_ptr(params)
884400d7 9601 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
9602 EVP_PKEY_KEY_PARAMETERS,
9603 params), 1))
33c39a06
MC		 9604 goto end;
9605
9606 tmp_dh_params = dhpkey;
9607 end:
9608 BN_free(p);
9609 EVP_PKEY_CTX_free(pctx);
9610 OSSL_PARAM_BLD_free(tmpl);
3f883c7c 9611 OSSL_PARAM_free(params);
33c39a06
MC		 9612 }
9613
f1619160 9614 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
33c39a06
MC		 9615 return NULL;
9616
9617 return tmp_dh_params;
9618}
9619
39f3427d 9620# ifndef OPENSSL_NO_DEPRECATED_3_0
33c39a06
MC		 9621/* Callback used by test_set_tmp_dh() */
9622static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
9623{
9624 EVP_PKEY *dhpkey = get_tmp_dh_params();
9625 DH *ret = NULL;
9626
9627 if (!TEST_ptr(dhpkey))
9628 return NULL;
9629
7bc0fdd3
MC		 9630 /*
9631 * libssl does not free the returned DH, so we free it now knowing that even
9632 * after we free dhpkey, there will still be a reference to the owning
9633 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
9634 * of time we need it for.
9635 */
9636 ret = EVP_PKEY_get1_DH(dhpkey);
9637 DH_free(ret);
33c39a06
MC		 9638
9639 EVP_PKEY_free(dhpkey);
9640
9641 return ret;
9642}
9643# endif
9644
9645/*
9646 * Test the various methods for setting temporary DH parameters
9647 *
9648 * Test 0: Default (no auto) setting
9649 * Test 1: Explicit SSL_CTX auto off
9650 * Test 2: Explicit SSL auto off
9651 * Test 3: Explicit SSL_CTX auto on
9652 * Test 4: Explicit SSL auto on
9653 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
9654 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
9655 *
9656 * The following are testing deprecated APIs, so we only run them if available
9657 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
9658 * Test 8: Explicit SSL auto off, custom DH params via DH
9659 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
9660 * Test 10: Explicit SSL auto off, custom DH params via callback
9661 */
9662static int test_set_tmp_dh(int idx)
9663{
9664 SSL_CTX *cctx = NULL, *sctx = NULL;
9665 SSL *clientssl = NULL, *serverssl = NULL;
9666 int testresult = 0;
9667 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
9668 int expected = (idx <= 2) ? 0 : 1;
9669 EVP_PKEY *dhpkey = NULL;
9670# ifndef OPENSSL_NO_DEPRECATED_3_0
9671 DH *dh = NULL;
9672# else
9673
9674 if (idx >= 7)
9675 return 1;
9676# endif
9677
9678 if (idx >= 5 && idx <= 8) {
9679 dhpkey = get_tmp_dh_params();
9680 if (!TEST_ptr(dhpkey))
9681 goto end;
9682 }
9683# ifndef OPENSSL_NO_DEPRECATED_3_0
9684 if (idx == 7 || idx == 8) {
7bc0fdd3 9685 dh = EVP_PKEY_get1_DH(dhpkey);
33c39a06
MC		 9686 if (!TEST_ptr(dh))
9687 goto end;
9688 }
9689# endif
9690
9691 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9692 TLS_client_method(),
9693 0,
9694 0,
9695 &sctx, &cctx, cert, privkey)))
9696 goto end;
9697
9698 if ((idx & 1) == 1) {
9699 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
9700 goto end;
9701 }
9702
9703 if (idx == 5) {
9704 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
9705 goto end;
9706 dhpkey = NULL;
9707 }
9708# ifndef OPENSSL_NO_DEPRECATED_3_0
9709 else if (idx == 7) {
9710 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
9711 goto end;
9712 } else if (idx == 9) {
9713 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
9714 }
9715# endif
9716
9717 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9718 NULL, NULL)))
9719 goto end;
9720
9721 if ((idx & 1) == 0 && idx != 0) {
9722 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
9723 goto end;
9724 }
9725 if (idx == 6) {
9726 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
9727 goto end;
9728 dhpkey = NULL;
9729 }
9730# ifndef OPENSSL_NO_DEPRECATED_3_0
9731 else if (idx == 8) {
9732 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
9733 goto end;
9734 } else if (idx == 10) {
9735 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
9736 }
9737# endif
9738
9739 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9740 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9741 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
9742 goto end;
9743
9744 /*
9745 * If autoon then we should succeed. Otherwise we expect failure because
9746 * there are no parameters
9747 */
9748 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
9749 SSL_ERROR_NONE), expected))
9750 goto end;
9751
9752 testresult = 1;
9753
9754 end:
7bc0fdd3
MC		 9755# ifndef OPENSSL_NO_DEPRECATED_3_0
9756 DH_free(dh);
9757# endif
33c39a06
MC		 9758 SSL_free(serverssl);
9759 SSL_free(clientssl);
9760 SSL_CTX_free(sctx);
9761 SSL_CTX_free(cctx);
9762 EVP_PKEY_free(dhpkey);
9763
9764 return testresult;
9765}
3105d846
MC		 9766
9767/*
9768 * Test the auto DH keys are appropriately sized
9769 */
9770static int test_dh_auto(int idx)
9771{
61cab650
MC		 9772 SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
9773 SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
3105d846
MC		 9774 SSL *clientssl = NULL, *serverssl = NULL;
9775 int testresult = 0;
9776 EVP_PKEY *tmpkey = NULL;
9777 char *thiscert = NULL, *thiskey = NULL;
9778 size_t expdhsize = 0;
9779 const char *ciphersuite = "DHE-RSA-AES128-SHA";
9780
61cab650
MC		 9781 if (!TEST_ptr(sctx) || !TEST_ptr(cctx))
9782 goto end;
9783
3105d846
MC		 9784 switch (idx) {
9785 case 0:
9786 /* The FIPS provider doesn't support this DH size - so we ignore it */
61cab650
MC		 9787 if (is_fips) {
9788 testresult = 1;
9789 goto end;
9790 }
3105d846
MC		 9791 thiscert = cert1024;
9792 thiskey = privkey1024;
9793 expdhsize = 1024;
61cab650
MC		 9794 SSL_CTX_set_security_level(sctx, 1);
9795 SSL_CTX_set_security_level(cctx, 1);
3105d846
MC		 9796 break;
9797 case 1:
9798 /* 2048 bit prime */
9799 thiscert = cert;
9800 thiskey = privkey;
9801 expdhsize = 2048;
9802 break;
9803 case 2:
9804 thiscert = cert3072;
9805 thiskey = privkey3072;
9806 expdhsize = 3072;
9807 break;
9808 case 3:
9809 thiscert = cert4096;
9810 thiskey = privkey4096;
9811 expdhsize = 4096;
9812 break;
9813 case 4:
9814 thiscert = cert8192;
9815 thiskey = privkey8192;
9816 expdhsize = 8192;
9817 break;
9818 /* No certificate cases */
9819 case 5:
9820 /* The FIPS provider doesn't support this DH size - so we ignore it */
61cab650
MC		 9821 if (is_fips) {
9822 testresult = 1;
9823 goto end;
9824 }
3105d846
MC		 9825 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
9826 expdhsize = 1024;
9827 break;
9828 case 6:
9829 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
9830 expdhsize = 3072;
9831 break;
9832 default:
9833 TEST_error("Invalid text index");
9834 goto end;
9835 }
9836
61cab650
MC		 9837 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL,
9838 NULL,
3105d846
MC		 9839 0,
9840 0,
9841 &sctx, &cctx, thiscert, thiskey)))
9842 goto end;
9843
9844 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9845 NULL, NULL)))
9846 goto end;
9847
9848 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
9849 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9850 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9851 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
9852 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
9853 goto end;
9854
9855 /*
9856 * Send the server's first flight. At this point the server has created the
9857 * temporary DH key but hasn't finished using it yet. Once used it is
9858 * removed, so we cannot test it.
9859 */
9860 if (!TEST_int_le(SSL_connect(clientssl), 0)
9861 || !TEST_int_le(SSL_accept(serverssl), 0))
9862 goto end;
9863
9864 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
9865 goto end;
ed576acd 9866 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
3105d846
MC		 9867 goto end;
9868
9869 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9870 goto end;
9871
9872 testresult = 1;
9873
9874 end:
9875 SSL_free(serverssl);
9876 SSL_free(clientssl);
9877 SSL_CTX_free(sctx);
9878 SSL_CTX_free(cctx);
9879 EVP_PKEY_free(tmpkey);
9880
9881 return testresult;
9882
9883}
33c39a06
MC		 9884# endif /* OPENSSL_NO_DH */
9885#endif /* OPENSSL_NO_TLS1_2 */
49a36a52 9886
a763ca11 9887#ifndef OSSL_NO_USABLE_TLS1_3
6582661f
MC		 9888/*
9889 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
9890 * that it works even without a certificate configured for the original
9891 * SSL_CTX
9892 */
9893static int test_sni_tls13(void)
9894{
9895 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
9896 SSL *clientssl = NULL, *serverssl = NULL;
9897 int testresult = 0;
9898
9899 /* Reset callback counter */
9900 snicb = 0;
9901
9902 /* Create an initial SSL_CTX with no certificate configured */
9903 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9904 if (!TEST_ptr(sctx))
9905 goto end;
9906 /* Require TLSv1.3 as a minimum */
9907 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9908 TLS_client_method(), TLS1_3_VERSION, 0,
9909 &sctx2, &cctx, cert, privkey)))
9910 goto end;
9911
9912 /* Set up SNI */
9913 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
9914 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
9915 goto end;
9916
9917 /*
9918 * Connection should still succeed because the final SSL_CTX has the right
9919 * certificates configured.
9920 */
9921 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9922 &clientssl, NULL, NULL))
9923 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9924 SSL_ERROR_NONE)))
9925 goto end;
9926
9927 /* We should have had the SNI callback called exactly once */
9928 if (!TEST_int_eq(snicb, 1))
9929 goto end;
9930
9931 testresult = 1;
9932
9933end:
9934 SSL_free(serverssl);
9935 SSL_free(clientssl);
9936 SSL_CTX_free(sctx2);
9937 SSL_CTX_free(sctx);
9938 SSL_CTX_free(cctx);
9939 return testresult;
9940}
0089cc7f
TS		 9941
9942/*
9943 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
9944 * 0 = TLSv1.2
9945 * 1 = TLSv1.3
9946 */
9947static int test_ticket_lifetime(int idx)
9948{
9949 SSL_CTX *cctx = NULL, *sctx = NULL;
9950 SSL *clientssl = NULL, *serverssl = NULL;
9951 int testresult = 0;
9952 int version = TLS1_3_VERSION;
9953
9954#define ONE_WEEK_SEC (7 * 24 * 60 * 60)
9955#define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
9956
9957 if (idx == 0) {
40fb5a4c
TS		 9958#ifdef OPENSSL_NO_TLS1_2
9959 return TEST_skip("TLS 1.2 is disabled.");
9960#else
0089cc7f 9961 version = TLS1_2_VERSION;
40fb5a4c 9962#endif
0089cc7f
TS		 9963 }
9964
9965 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9966 TLS_client_method(), version, version,
9967 &sctx, &cctx, cert, privkey)))
9968 goto end;
9969
9970 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9971 &clientssl, NULL, NULL)))
9972 goto end;
9973
9974 /*
9975 * Set the timeout to be more than 1 week
9976 * make sure the returned value is the default
9977 */
9978 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
9979 SSL_get_default_timeout(serverssl)))
9980 goto end;
9981
9982 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9983 goto end;
9984
9985 if (idx == 0) {
9986 /* TLSv1.2 uses the set value */
9987 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
9988 goto end;
9989 } else {
9990 /* TLSv1.3 uses the limited value */
9991 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
9992 goto end;
9993 }
9994 testresult = 1;
9995
9996end:
9997 SSL_free(serverssl);
9998 SSL_free(clientssl);
9999 SSL_CTX_free(sctx);
10000 SSL_CTX_free(cctx);
10001 return testresult;
10002}
6582661f 10003#endif
feba11cf
TS		 10004/*
10005 * Test that setting an ALPN does not violate RFC
10006 */
10007static int test_set_alpn(void)
10008{
10009 SSL_CTX *ctx = NULL;
10010 SSL *ssl = NULL;
10011 int testresult = 0;
10012
10013 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
10014 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
10015 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
10016 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
10017 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
10018 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
10019
10020 /* Create an initial SSL_CTX with no certificate configured */
10021 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10022 if (!TEST_ptr(ctx))
10023 goto end;
10024
10025 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
10026 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
10027 goto end;
10028 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
10029 goto end;
10030 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
10031 goto end;
10032 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
10033 goto end;
10034 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
10035 goto end;
10036 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
10037 goto end;
10038 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
10039 goto end;
10040 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
10041 goto end;
10042 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
10043 goto end;
10044
10045 ssl = SSL_new(ctx);
10046 if (!TEST_ptr(ssl))
10047 goto end;
10048
10049 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
10050 goto end;
10051 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
10052 goto end;
10053 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
10054 goto end;
10055 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
10056 goto end;
10057 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
10058 goto end;
10059 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
10060 goto end;
10061 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
10062 goto end;
10063 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
10064 goto end;
10065 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
10066 goto end;
10067
10068 testresult = 1;
10069
10070end:
10071 SSL_free(ssl);
10072 SSL_CTX_free(ctx);
10073 return testresult;
10074}
6582661f 10075
948cf521
HL		 10076/*
10077 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
10078 */
10079static int test_set_verify_cert_store_ssl_ctx(void)
10080{
10081 SSL_CTX *ctx = NULL;
10082 int testresult = 0;
10083 X509_STORE *store = NULL, *new_store = NULL,
10084 *cstore = NULL, *new_cstore = NULL;
10085
10086 /* Create an initial SSL_CTX. */
10087 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10088 if (!TEST_ptr(ctx))
10089 goto end;
10090
10091 /* Retrieve verify store pointer. */
10092 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10093 goto end;
10094
10095 /* Retrieve chain store pointer. */
10096 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10097 goto end;
10098
10099 /* We haven't set any yet, so this should be NULL. */
10100 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10101 goto end;
10102
10103 /* Create stores. We use separate stores so pointers are different. */
10104 new_store = X509_STORE_new();
10105 if (!TEST_ptr(new_store))
10106 goto end;
10107
10108 new_cstore = X509_STORE_new();
10109 if (!TEST_ptr(new_cstore))
10110 goto end;
10111
10112 /* Set stores. */
10113 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
10114 goto end;
10115
10116 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
10117 goto end;
10118
10119 /* Should be able to retrieve the same pointer. */
10120 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10121 goto end;
10122
10123 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10124 goto end;
10125
10126 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10127 goto end;
10128
10129 /* Should be able to unset again. */
10130 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
10131 goto end;
10132
10133 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
10134 goto end;
10135
10136 /* Should now be NULL. */
10137 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10138 goto end;
10139
10140 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10141 goto end;
10142
10143 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10144 goto end;
10145
10146 testresult = 1;
10147
10148end:
10149 X509_STORE_free(new_store);
10150 X509_STORE_free(new_cstore);
10151 SSL_CTX_free(ctx);
10152 return testresult;
10153}
10154
10155/*
10156 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
10157 */
10158static int test_set_verify_cert_store_ssl(void)
10159{
10160 SSL_CTX *ctx = NULL;
10161 SSL *ssl = NULL;
10162 int testresult = 0;
10163 X509_STORE *store = NULL, *new_store = NULL,
10164 *cstore = NULL, *new_cstore = NULL;
10165
10166 /* Create an initial SSL_CTX. */
10167 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10168 if (!TEST_ptr(ctx))
10169 goto end;
10170
10171 /* Create an SSL object. */
10172 ssl = SSL_new(ctx);
10173 if (!TEST_ptr(ssl))
10174 goto end;
10175
10176 /* Retrieve verify store pointer. */
10177 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10178 goto end;
10179
10180 /* Retrieve chain store pointer. */
10181 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10182 goto end;
10183
10184 /* We haven't set any yet, so this should be NULL. */
10185 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10186 goto end;
10187
10188 /* Create stores. We use separate stores so pointers are different. */
10189 new_store = X509_STORE_new();
10190 if (!TEST_ptr(new_store))
10191 goto end;
10192
10193 new_cstore = X509_STORE_new();
10194 if (!TEST_ptr(new_cstore))
10195 goto end;
10196
10197 /* Set stores. */
10198 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
10199 goto end;
10200
10201 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
10202 goto end;
10203
10204 /* Should be able to retrieve the same pointer. */
10205 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10206 goto end;
10207
10208 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10209 goto end;
10210
10211 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10212 goto end;
10213
10214 /* Should be able to unset again. */
10215 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
10216 goto end;
10217
10218 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
10219 goto end;
10220
10221 /* Should now be NULL. */
10222 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10223 goto end;
10224
10225 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10226 goto end;
10227
10228 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10229 goto end;
10230
10231 testresult = 1;
10232
10233end:
10234 X509_STORE_free(new_store);
10235 X509_STORE_free(new_cstore);
10236 SSL_free(ssl);
10237 SSL_CTX_free(ctx);
10238 return testresult;
10239}
10240
10241
dfccfde0
CH		 10242static int test_inherit_verify_param(void)
10243{
10244 int testresult = 0;
10245
10246 SSL_CTX *ctx = NULL;
10247 X509_VERIFY_PARAM *cp = NULL;
10248 SSL *ssl = NULL;
10249 X509_VERIFY_PARAM *sp = NULL;
10250 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
10251
10252 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10253 if (!TEST_ptr(ctx))
10254 goto end;
10255
10256 cp = SSL_CTX_get0_param(ctx);
10257 if (!TEST_ptr(cp))
10258 goto end;
10259 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
10260 goto end;
10261
10262 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
10263
10264 ssl = SSL_new(ctx);
10265 if (!TEST_ptr(ssl))
10266 goto end;
10267
10268 sp = SSL_get0_param(ssl);
10269 if (!TEST_ptr(sp))
10270 goto end;
10271 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
10272 goto end;
10273
10274 testresult = 1;
10275
10276 end:
10277 SSL_free(ssl);
10278 SSL_CTX_free(ctx);
10279
10280 return testresult;
10281}
10282
b2b8d188
DF		 10283static int test_load_dhfile(void)
10284{
10285#ifndef OPENSSL_NO_DH
10286 int testresult = 0;
10287
10288 SSL_CTX *ctx = NULL;
10289 SSL_CONF_CTX *cctx = NULL;
10290
10291 if (dhfile == NULL)
10292 return 1;
10293
10294 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()))
10295 || !TEST_ptr(cctx = SSL_CONF_CTX_new()))
10296 goto end;
10297
10298 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
10299 SSL_CONF_CTX_set_flags(cctx,
10300 SSL_CONF_FLAG_CERTIFICATE
10301 | SSL_CONF_FLAG_SERVER
10302 | SSL_CONF_FLAG_FILE);
10303
10304 if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2))
10305 goto end;
10306
10307 testresult = 1;
10308end:
10309 SSL_CONF_CTX_free(cctx);
10310 SSL_CTX_free(ctx);
10311
10312 return testresult;
10313#else
10314 return TEST_skip("DH not supported by this build");
10315#endif
10316}
10317
f7565348
MC		 10318#ifndef OSSL_NO_USABLE_TLS1_3
10319/* Test that read_ahead works across a key change */
10320static int test_read_ahead_key_change(void)
10321{
10322 SSL_CTX *cctx = NULL, *sctx = NULL;
10323 SSL *clientssl = NULL, *serverssl = NULL;
10324 int testresult = 0;
10325 char *msg = "Hello World";
10326 size_t written, readbytes;
10327 char buf[80];
10328 int i;
10329
10330 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10331 TLS_client_method(), TLS1_3_VERSION, 0,
10332 &sctx, &cctx, cert, privkey)))
10333 goto end;
10334
10335 SSL_CTX_set_read_ahead(sctx, 1);
10336
10337 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10338 &clientssl, NULL, NULL)))
10339 goto end;
10340
10341 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10342 goto end;
10343
10344 /* Write some data, send a key update, write more data */
10345 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10346 || !TEST_size_t_eq(written, strlen(msg)))
10347 goto end;
10348
10349 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
10350 goto end;
10351
10352 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10353 || !TEST_size_t_eq(written, strlen(msg)))
10354 goto end;
10355
10356 /*
10357 * Since read_ahead is on the first read below should read the record with
10358 * the first app data, the second record with the key update message, and
10359 * the third record with the app data all in one go. We should be able to
10360 * still process the read_ahead data correctly even though it crosses
10361 * epochs
10362 */
10363 for (i = 0; i < 2; i++) {
10364 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10365 &readbytes)))
10366 goto end;
10367
10368 buf[readbytes] = '\0';
10369 if (!TEST_str_eq(buf, msg))
10370 goto end;
10371 }
10372
10373 testresult = 1;
10374
10375end:
10376 SSL_free(serverssl);
10377 SSL_free(clientssl);
10378 SSL_CTX_free(sctx);
10379 SSL_CTX_free(cctx);
10380 return testresult;
10381}
f3f8e53c
MC		 10382
10383static size_t record_pad_cb(SSL *s, int type, size_t len, void *arg)
10384{
10385 int *called = arg;
10386
10387 switch ((*called)++) {
10388 case 0:
10389 /* Add some padding to first record */
10390 return 512;
10391 case 1:
10392 /* Maximally pad the second record */
10393 return SSL3_RT_MAX_PLAIN_LENGTH - len;
10394 case 2:
10395 /*
10396 * Exceeding the maximum padding should be fine. It should just pad to
10397 * the maximum anyway
10398 */
10399 return SSL3_RT_MAX_PLAIN_LENGTH + 1 - len;
10400 case 3:
10401 /*
10402 * Very large padding should also be ok. Should just pad to the maximum
10403 * allowed
10404 */
10405 return SIZE_MAX;
10406 default:
10407 return 0;
10408 }
10409}
10410
10411/*
10412 * Test that setting record padding in TLSv1.3 works as expected
10413 * Test 0: Record padding callback on the SSL_CTX
10414 * Test 1: Record padding callback on the SSL
10415 * Test 2: Record block padding on the SSL_CTX
10416 * Test 3: Record block padding on the SSL
10417 */
10418static int test_tls13_record_padding(int idx)
10419{
10420 SSL_CTX *cctx = NULL, *sctx = NULL;
10421 SSL *clientssl = NULL, *serverssl = NULL;
10422 int testresult = 0;
10423 char *msg = "Hello World";
10424 size_t written, readbytes;
10425 char buf[80];
10426 int i;
10427 int called = 0;
10428
10429 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10430 TLS_client_method(), TLS1_3_VERSION, 0,
10431 &sctx, &cctx, cert, privkey)))
10432 goto end;
10433
10434 if (idx == 0) {
10435 SSL_CTX_set_record_padding_callback(cctx, record_pad_cb);
10436 SSL_CTX_set_record_padding_callback_arg(cctx, &called);
10437 if (!TEST_ptr_eq(SSL_CTX_get_record_padding_callback_arg(cctx), &called))
10438 goto end;
10439 } else if (idx == 2) {
10440 /* Exceeding the max plain length should fail */
10441 if (!TEST_false(SSL_CTX_set_block_padding(cctx,
10442 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10443 goto end;
10444 if (!TEST_true(SSL_CTX_set_block_padding(cctx, 512)))
10445 goto end;
10446 }
10447
10448 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10449 &clientssl, NULL, NULL)))
10450 goto end;
10451
10452 if (idx == 1) {
10453 SSL_set_record_padding_callback(clientssl, record_pad_cb);
10454 SSL_set_record_padding_callback_arg(clientssl, &called);
10455 if (!TEST_ptr_eq(SSL_get_record_padding_callback_arg(clientssl), &called))
10456 goto end;
10457 } else if (idx == 3) {
10458 /* Exceeding the max plain length should fail */
10459 if (!TEST_false(SSL_set_block_padding(clientssl,
10460 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10461 goto end;
10462 if (!TEST_true(SSL_set_block_padding(clientssl, 512)))
10463 goto end;
10464 }
10465
10466 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10467 goto end;
10468
10469 called = 0;
10470 /*
10471 * Write some data, then check we can read it. Do this four times to check
10472 * we can continue to write and read padded data after the initial record
10473 * padding has been added. We don't actually check that the padding has
10474 * been applied to the record - just that we can continue to communicate
10475 * normally and that the callback has been called (if appropriate).
10476 */
10477 for (i = 0; i < 4; i++) {
10478 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10479 || !TEST_size_t_eq(written, strlen(msg)))
10480 goto end;
10481
10482 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10483 &readbytes))
10484 || !TEST_size_t_eq(written, readbytes))
10485 goto end;
10486
10487 buf[readbytes] = '\0';
10488 if (!TEST_str_eq(buf, msg))
10489 goto end;
10490 }
10491
10492 if ((idx == 0 || idx == 1) && !TEST_int_eq(called, 4))
10493 goto end;
10494
10495 testresult = 1;
10496end:
10497 SSL_free(serverssl);
10498 SSL_free(clientssl);
10499 SSL_CTX_free(sctx);
10500 SSL_CTX_free(cctx);
10501 return testresult;
10502}
f7565348
MC		 10503#endif /* OSSL_NO_USABLE_TLS1_3 */
10504
b718f6fc
MC		 10505#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
10506/*
10507 * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not
10508 * support this yet. The only pipeline capable cipher that we have is in the
10509 * dasync engine (providers don't support this yet), so we have to use
10510 * deprecated APIs for this test.
10511 *
10512 * Test 0: Client has pipelining enabled, server does not
10513 * Test 1: Server has pipelining enabled, client does not
10514 * Test 2: Client has pipelining enabled, server does not: not enough data to
10515 * fill all the pipelines
10516 * Test 3: Client has pipelining enabled, server does not: not enough data to
10517 * fill all the pipelines by more than a full pipeline's worth
10518 * Test 4: Client has pipelining enabled, server does not: more data than all
10519 * the available pipelines can take
10520 * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline
10521 */
10522static int test_pipelining(int idx)
10523{
10524 SSL_CTX *cctx = NULL, *sctx = NULL;
10525 SSL *clientssl = NULL, *serverssl = NULL, *peera, *peerb;
10526 int testresult = 0, numreads;
10527 /* A 55 byte message */
10528 unsigned char *msg = (unsigned char *)
10529 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123";
10530 size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5;
10531 size_t expectedreads;
10532 unsigned char *buf = NULL;
10533 ENGINE *e;
10534
10535 if (!TEST_ptr(e = ENGINE_by_id("dasync")))
10536 return 0;
10537
10538 if (!TEST_true(ENGINE_init(e))) {
10539 ENGINE_free(e);
10540 return 0;
10541 }
10542
10543 if (!TEST_true(ENGINE_register_ciphers(e)))
10544 goto end;
10545
10546 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10547 TLS_client_method(), 0,
10548 TLS1_2_VERSION, &sctx, &cctx, cert,
10549 privkey)))
10550 goto end;
10551
10552 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10553 &clientssl, NULL, NULL)))
10554 goto end;
10555
10556 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES128-SHA")))
10557 goto end;
10558
10559 /* peera is always configured for pipelining, while peerb is not. */
10560 if (idx == 1) {
10561 peera = serverssl;
10562 peerb = clientssl;
10563
10564 } else {
10565 peera = clientssl;
10566 peerb = serverssl;
10567 }
10568
10569 if (idx == 5) {
10570 numpipes = 2;
10571 /* Maximum allowed fragment size */
10572 fragsize = SSL3_RT_MAX_PLAIN_LENGTH;
10573 msglen = fragsize * numpipes;
10574 msg = OPENSSL_malloc(msglen);
10575 if (!TEST_ptr(msg))
10576 goto end;
10577 if (!TEST_int_gt(RAND_bytes_ex(libctx, msg, msglen, 0), 0))
10578 goto end;
10579 } else if (idx == 4) {
10580 msglen = 55;
10581 } else {
10582 msglen = 50;
10583 }
10584 if (idx == 2)
10585 msglen -= 2; /* Send 2 less bytes */
10586 else if (idx == 3)
10587 msglen -= 12; /* Send 12 less bytes */
10588
10589 buf = OPENSSL_malloc(msglen);
10590 if (!TEST_ptr(buf))
10591 goto end;
10592
10593 if (idx == 5) {
10594 /*
10595 * Test that setting a split send fragment longer than the maximum
10596 * allowed fails
10597 */
10598 if (!TEST_false(SSL_set_split_send_fragment(peera, fragsize + 1)))
10599 goto end;
10600 }
10601
10602 /*
10603 * In the normal case. We have 5 pipelines with 10 bytes per pipeline
10604 * (50 bytes in total). This is a ridiculously small number of bytes -
10605 * but sufficient for our purposes
10606 */
10607 if (!TEST_true(SSL_set_max_pipelines(peera, numpipes))
10608 || !TEST_true(SSL_set_split_send_fragment(peera, fragsize)))
10609 goto end;
10610
10611 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10612 goto end;
10613
10614 /* Write some data from peera to peerb */
10615 if (!TEST_true(SSL_write_ex(peera, msg, msglen, &written))
10616 || !TEST_size_t_eq(written, msglen))
10617 goto end;
10618
10619 /*
10620 * If the pipelining code worked, then we expect all |numpipes| pipelines to
10621 * have been used - except in test 3 where only |numpipes - 1| pipelines
10622 * will be used. This will result in |numpipes| records (|numpipes - 1| for
10623 * test 3) having been sent to peerb. Since peerb is not using read_ahead we
10624 * expect this to be read in |numpipes| or |numpipes - 1| separate
10625 * SSL_read_ex calls. In the case of test 4, there is then one additional
10626 * read for left over data that couldn't fit in the previous pipelines
10627 */
10628 for (offset = 0, numreads = 0;
10629 offset < msglen;
10630 offset += readbytes, numreads++) {
10631 if (!TEST_true(SSL_read_ex(peerb, buf + offset,
10632 msglen - offset, &readbytes)))
10633 goto end;
10634 }
10635
10636 expectedreads = idx == 4 ? numpipes + 1
10637 : (idx == 3 ? numpipes - 1 : numpipes);
10638 if (!TEST_mem_eq(msg, msglen, buf, offset)
10639 || !TEST_int_eq(numreads, expectedreads))
10640 goto end;
10641
10642 /*
10643 * Write some data from peerb to peera. We do this in up to |numpipes + 1|
10644 * chunks to exercise the read pipelining code on peera.
10645 */
10646 for (offset = 0; offset < msglen; offset += fragsize) {
10647 size_t sendlen = msglen - offset;
10648
10649 if (sendlen > fragsize)
10650 sendlen = fragsize;
10651 if (!TEST_true(SSL_write_ex(peerb, msg + offset, sendlen, &written))
10652 || !TEST_size_t_eq(written, sendlen))
10653 goto end;
10654 }
10655
10656 /*
10657 * The data was written in |numpipes|, |numpipes - 1| or |numpipes + 1|
10658 * separate chunks (depending on which test we are running). If the
10659 * pipelining is working then we expect peera to read up to numpipes chunks
10660 * and process them in parallel, giving back the complete result in a single
10661 * call to SSL_read_ex
10662 */
10663 if (!TEST_true(SSL_read_ex(peera, buf, msglen, &readbytes))
10664 || !TEST_size_t_le(readbytes, msglen))
10665 goto end;
10666
10667 if (idx == 4) {
10668 size_t readbytes2;
10669
10670 if (!TEST_true(SSL_read_ex(peera, buf + readbytes,
10671 msglen - readbytes, &readbytes2)))
10672 goto end;
10673 readbytes += readbytes2;
10674 if (!TEST_size_t_le(readbytes, msglen))
10675 goto end;
10676 }
10677
10678 if (!TEST_mem_eq(msg, msglen, buf, readbytes))
10679 goto end;
10680
10681 testresult = 1;
10682end:
10683 SSL_free(serverssl);
10684 SSL_free(clientssl);
10685 SSL_CTX_free(sctx);
10686 SSL_CTX_free(cctx);
10687 ENGINE_unregister_ciphers(e);
10688 ENGINE_finish(e);
10689 ENGINE_free(e);
10690 OPENSSL_free(buf);
10691 if (idx == 5)
10692 OPENSSL_free(msg);
10693 return testresult;
10694}
10695#endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */
10696
b2b8d188 10697OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
a43ce58f 10698
ad887416 10699int setup_tests(void)
2cb4b5f6 10700{
5e30f2fd
MC		 10701 char *modulename;
10702 char *configfile;
10703
b4250010 10704 libctx = OSSL_LIB_CTX_new();
5e30f2fd
MC		 10705 if (!TEST_ptr(libctx))
10706 return 0;
10707
10708 defctxnull = OSSL_PROVIDER_load(NULL, "null");
10709
10710 /*
10711 * Verify that the default and fips providers in the default libctx are not
10712 * available
10713 */
10714 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
10715 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
10716 return 0;
10717
8d242823
MC		 10718 if (!test_skip_common_options()) {
10719 TEST_error("Error parsing test options\n");
10720 return 0;
10721 }
10722
1a2a3a42
MC		 10723 if (!TEST_ptr(certsdir = test_get_argument(0))
10724 || !TEST_ptr(srpvfile = test_get_argument(1))
5e30f2fd
MC		 10725 || !TEST_ptr(tmpfilename = test_get_argument(2))
10726 || !TEST_ptr(modulename = test_get_argument(3))
b2b8d188
DF		 10727 || !TEST_ptr(configfile = test_get_argument(4))
10728 || !TEST_ptr(dhfile = test_get_argument(5)))
5e30f2fd
MC		 10729 return 0;
10730
b4250010 10731 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
5e30f2fd
MC		 10732 return 0;
10733
10734 /* Check we have the expected provider available */
10735 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
10736 return 0;
10737
10738 /* Check the default provider is not available */
10739 if (strcmp(modulename, "default") != 0
10740 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
710756a9 10741 return 0;
2cb4b5f6 10742
4f6c7044
MC		 10743 if (strcmp(modulename, "fips") == 0)
10744 is_fips = 1;
10745
0c13cdf8
MC		 10746 /*
10747 * We add, but don't load the test "tls-provider". We'll load it when we
10748 * need it.
10749 */
10750 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
10751 tls_provider_init)))
10752 return 0;
10753
10754
f297e4ec
RS		 10755 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
10756#ifdef OPENSSL_NO_CRYPTO_MDEBUG
10757 TEST_error("not supported in this build");
10758 return 0;
10759#else
10760 int i, mcount, rcount, fcount;
10761
10762 for (i = 0; i < 4; i++)
10763 test_export_key_mat(i);
10764 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
10765 test_printf_stdout("malloc %d realloc %d free %d\n",
10766 mcount, rcount, fcount);
10767 return 1;
10768#endif
10769 }
10770
1a2a3a42
MC		 10771 cert = test_mk_file_path(certsdir, "servercert.pem");
10772 if (cert == NULL)
b3842539 10773 goto err;
1a2a3a42
MC		 10774
10775 privkey = test_mk_file_path(certsdir, "serverkey.pem");
b3842539
MC		 10776 if (privkey == NULL)
10777 goto err;
10778
10779 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
10780 if (cert2 == NULL)
10781 goto err;
10782
10783 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
10784 if (privkey2 == NULL)
10785 goto err;
1a2a3a42 10786
3105d846
MC		 10787 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
10788 if (cert1024 == NULL)
10789 goto err;
10790
10791 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
10792 if (privkey1024 == NULL)
10793 goto err;
10794
10795 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
10796 if (cert3072 == NULL)
10797 goto err;
10798
10799 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
10800 if (privkey3072 == NULL)
10801 goto err;
10802
10803 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
10804 if (cert4096 == NULL)
10805 goto err;
10806
10807 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
10808 if (privkey4096 == NULL)
10809 goto err;
10810
10811 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
10812 if (cert8192 == NULL)
10813 goto err;
10814
10815 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
10816 if (privkey8192 == NULL)
10817 goto err;
10818
da4db160 10819#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
a763ca11 10820# if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
e1fdd526 10821 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
cd715b7e 10822 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS * 2);
c8e3a4c6 10823# endif
fe5d9450 10824#endif
84d5549e 10825 ADD_TEST(test_large_message_tls);
7856332e 10826 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 10827#ifndef OPENSSL_NO_DTLS
84d5549e 10828 ADD_TEST(test_large_message_dtls);
55386bef 10829#endif
2fda45d5 10830 ADD_ALL_TESTS(test_large_app_data, 28);
163b8016 10831 ADD_TEST(test_cleanse_plaintext);
8f8c11d8 10832#ifndef OPENSSL_NO_OCSP
c887104f 10833 ADD_TEST(test_tlsext_status_type);
8f8c11d8 10834#endif
eaa776da
MC		 10835 ADD_TEST(test_session_with_only_int_cache);
10836 ADD_TEST(test_session_with_only_ext_cache);
10837 ADD_TEST(test_session_with_both_cache);
90fc2c26 10838 ADD_TEST(test_session_wo_ca_names);
a763ca11 10839#ifndef OSSL_NO_USABLE_TLS1_3
04d7814a
MC		 10840 ADD_ALL_TESTS(test_stateful_tickets, 3);
10841 ADD_ALL_TESTS(test_stateless_tickets, 3);
8614a4eb 10842 ADD_TEST(test_psk_tickets);
f0049b86 10843 ADD_ALL_TESTS(test_extra_tickets, 6);
36ff232c 10844#endif
7fb4c820 10845 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 10846 ADD_TEST(test_ssl_bio_pop_next_bio);
10847 ADD_TEST(test_ssl_bio_pop_ssl_bio);
10848 ADD_TEST(test_ssl_bio_change_rbio);
10849 ADD_TEST(test_ssl_bio_change_wbio);
a763ca11 10850#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
f1b25aae 10851 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 10852 ADD_TEST(test_keylog);
c423ecaa 10853#endif
a763ca11 10854#ifndef OSSL_NO_USABLE_TLS1_3
6acdd3e5
CB		 10855 ADD_TEST(test_keylog_no_master_key);
10856#endif
0c3eb279 10857 ADD_TEST(test_client_cert_verify_cb);
4e4ae840
SL		 10858 ADD_TEST(test_ssl_build_cert_chain);
10859 ADD_TEST(test_ssl_ctx_build_cert_chain);
e9ee6536 10860#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 10861 ADD_TEST(test_client_hello_cb);
088dfa13 10862 ADD_TEST(test_no_ems);
3cd14e5e 10863 ADD_TEST(test_ccs_change_cipher);
5f982038 10864#endif
a763ca11 10865#ifndef OSSL_NO_USABLE_TLS1_3
02a3ed5a 10866 ADD_ALL_TESTS(test_early_data_read_write, 3);
78fb5374
MC		 10867 /*
10868 * We don't do replay tests for external PSK. Replay protection isn't used
10869 * in that scenario.
10870 */
10871 ADD_ALL_TESTS(test_early_data_replay, 2);
02a3ed5a
MC		 10872 ADD_ALL_TESTS(test_early_data_skip, 3);
10873 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
0efa0ba4 10874 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
0d1b7789 10875 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
02a3ed5a 10876 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 10877 ADD_ALL_TESTS(test_early_data_psk, 8);
0b2b0be9 10878 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
02a3ed5a 10879 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 10880# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 10881 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 10882# endif
e9ee6536 10883#endif
a763ca11 10884#ifndef OSSL_NO_USABLE_TLS1_3
034cb87b 10885 ADD_ALL_TESTS(test_set_ciphersuite, 10);
ca0413ae 10886 ADD_TEST(test_ciphersuite_change);
5bf2eade 10887 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
10888# ifdef OPENSSL_NO_PSK
c2b290c3 10889 ADD_ALL_TESTS(test_tls13_psk, 1);
5bf2eade 10890# else
0d8da779 10891 ADD_ALL_TESTS(test_tls13_psk, 4);
5bf2eade 10892# endif /* OPENSSL_NO_PSK */
10893# ifndef OPENSSL_NO_TLS1_2
10894 /* Test with both TLSv1.3 and 1.2 versions */
db26ec80 10895 ADD_ALL_TESTS(test_key_exchange, 14);
6dc56df2
BK		 10896# if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
10897 ADD_ALL_TESTS(test_negotiated_group,
10898 4 * (OSSL_NELEM(ecdhe_kexch_groups)
10899 + OSSL_NELEM(ffdhe_kexch_groups)));
10900# endif
5bf2eade 10901# else
10902 /* Test with only TLSv1.3 versions */
10903 ADD_ALL_TESTS(test_key_exchange, 12);
10904# endif
0db3a990 10905 ADD_ALL_TESTS(test_custom_exts, 6);
c7b8ff25 10906 ADD_TEST(test_stateless);
9d75dce3 10907 ADD_TEST(test_pha_key_update);
a273157a 10908#else
bb01ef3f 10909 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 10910#endif
0fb2815b 10911 ADD_ALL_TESTS(test_export_key_mat, 6);
a763ca11 10912#ifndef OSSL_NO_USABLE_TLS1_3
b38ede80 10913 ADD_ALL_TESTS(test_export_key_mat_early, 3);
3409a5ff 10914 ADD_TEST(test_key_update);
0c48fda8 10915 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
10916 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
10917 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
10918 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
b38ede80 10919#endif
e11b6aa4 10920 ADD_ALL_TESTS(test_ssl_clear, 2);
cf72c757 10921 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
76fd7a1d
MC		 10922#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
10923 ADD_ALL_TESTS(test_srp, 6);
10924#endif
b67cb09f
TS		 10925#if !defined(OPENSSL_NO_COMP_ALG)
10926 /* Add compression case */
10927 ADD_ALL_TESTS(test_info_callback, 8);
10928#else
5718fe45 10929 ADD_ALL_TESTS(test_info_callback, 6);
b67cb09f 10930#endif
4a432af8 10931 ADD_ALL_TESTS(test_ssl_pending, 2);
e401389a 10932 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
3b7a3241 10933 ADD_ALL_TESTS(test_ticket_callbacks, 20);
57d7b988 10934 ADD_ALL_TESTS(test_shutdown, 7);
cbf965b4 10935 ADD_TEST(test_async_shutdown);
e638112e 10936 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
1a2a3a42 10937 ADD_ALL_TESTS(test_cert_cb, 6);
6e46c065 10938 ADD_ALL_TESTS(test_client_cert_cb, 2);
fb8c8359 10939 ADD_ALL_TESTS(test_ca_names, 3);
0d2bfe52
SL		 10940#ifndef OPENSSL_NO_TLS1_2
10941 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
10942#endif
49ef3d07 10943 ADD_ALL_TESTS(test_servername, 10);
b1fdbc68 10944#if !defined(OPENSSL_NO_EC) \
a763ca11 10945 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b3842539 10946 ADD_ALL_TESTS(test_sigalgs_available, 6);
0c13cdf8
MC		 10947#endif
10948#ifndef OPENSSL_NO_TLS1_3
c8e3a4c6 10949 ADD_ALL_TESTS(test_pluggable_group, 2);
ee58915c 10950 ADD_ALL_TESTS(test_pluggable_signature, 2);
49a36a52
MC		 10951#endif
10952#ifndef OPENSSL_NO_TLS1_2
10953 ADD_TEST(test_ssl_dup);
33c39a06
MC		 10954# ifndef OPENSSL_NO_DH
10955 ADD_ALL_TESTS(test_set_tmp_dh, 11);
3105d846 10956 ADD_ALL_TESTS(test_dh_auto, 7);
33c39a06 10957# endif
6582661f 10958#endif
a763ca11 10959#ifndef OSSL_NO_USABLE_TLS1_3
6582661f 10960 ADD_TEST(test_sni_tls13);
0089cc7f 10961 ADD_ALL_TESTS(test_ticket_lifetime, 2);
b3842539 10962#endif
dfccfde0 10963 ADD_TEST(test_inherit_verify_param);
feba11cf 10964 ADD_TEST(test_set_alpn);
948cf521
HL		 10965 ADD_TEST(test_set_verify_cert_store_ssl_ctx);
10966 ADD_TEST(test_set_verify_cert_store_ssl);
25959e04 10967 ADD_ALL_TESTS(test_session_timeout, 1);
b2b8d188 10968 ADD_TEST(test_load_dhfile);
f7565348
MC		 10969#ifndef OSSL_NO_USABLE_TLS1_3
10970 ADD_TEST(test_read_ahead_key_change);
f3f8e53c 10971 ADD_ALL_TESTS(test_tls13_record_padding, 4);
555dd939
DF		 10972#endif
10973#if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
10974 ADD_ALL_TESTS(test_serverinfo_custom, 4);
b718f6fc
MC		 10975#endif
10976#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
10977 ADD_ALL_TESTS(test_pipelining, 6);
f7565348 10978#endif
ad887416 10979 return 1;
b3842539
MC		 10980
10981 err:
10982 OPENSSL_free(cert);
10983 OPENSSL_free(privkey);
10984 OPENSSL_free(cert2);
10985 OPENSSL_free(privkey2);
10986 return 0;
ad887416 10987}
2cb4b5f6 10988
ad887416
P		 10989void cleanup_tests(void)
10990{
8778f0eb 10991# if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
33c39a06
MC		 10992 EVP_PKEY_free(tmp_dh_params);
10993#endif
1a2a3a42
MC		 10994 OPENSSL_free(cert);
10995 OPENSSL_free(privkey);
b3842539
MC		 10996 OPENSSL_free(cert2);
10997 OPENSSL_free(privkey2);
3105d846
MC		 10998 OPENSSL_free(cert1024);
10999 OPENSSL_free(privkey1024);
11000 OPENSSL_free(cert3072);
11001 OPENSSL_free(privkey3072);
11002 OPENSSL_free(cert4096);
11003 OPENSSL_free(privkey4096);
11004 OPENSSL_free(cert8192);
11005 OPENSSL_free(privkey8192);
fa454945 11006 bio_s_mempacket_test_free();
a77b4dba 11007 bio_s_always_retry_free();
5e30f2fd 11008 OSSL_PROVIDER_unload(defctxnull);
b4250010 11009 OSSL_LIB_CTX_free(libctx);
2cb4b5f6 11010}
A mirror of the official openssl repository