From: Norbert Pocs Date: Mon, 28 Jul 2025 08:32:53 +0000 (+0200) Subject: quicapitest: Check if we can handle HRR X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=605eda60ae1c221e38710a3a83df2c4e24d0cc04;p=thirdparty%2Fopenssl.git quicapitest: Check if we can handle HRR Signed-off-by: Norbert Pocs Reviewed-by: Saša Nedvědický Reviewed-by: Neil Horman Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/28115)
---
diff --git a/test/quicapitest.c b/test/quicapitest.c
index bc0b32a034..c98764b00f 100644
--- a/test/quicapitest.c
+++ b/test/quicapitest.c
@@ -3018,6 +3018,63 @@ static int test_accept_stream(void)
 return testresult;
 }
+/*
+ * When the server has a different primary group than the client, the server
+ * should not fail on the client hello retry.
+ */
+static int test_client_hello_retry(void)
+{
+#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_ECX)
+ SSL_CTX *cctx = NULL, *sctx = NULL;
+ SSL *clientssl = NULL, *serverssl = NULL, *qlistener = NULL;
+ int testresult = 0, i = 0, ret = 0;
+
+ if (!TEST_ptr(sctx = create_server_ctx())
+ || !TEST_ptr(cctx = create_client_ctx()))
+ goto err;
+ /*
+ * set the specific groups for the test
+ */
+ if (!TEST_true(SSL_CTX_set1_groups_list(cctx, "secp384r1:secp256r1")))
+ goto err;
+ if (!TEST_true(SSL_CTX_set1_groups_list(sctx, "secp256r1")))
+ goto err;
+
+ if (!create_quic_ssl_objects(sctx, cctx, &qlistener, &clientssl))
+ goto err;
+
+ /* Send ClientHello and server retry */
+ for (i = 0; i < 2; i++) {
+ ret = SSL_connect(clientssl);
+ if (!TEST_int_le(ret, 0)
+ || !TEST_int_eq(SSL_get_error(clientssl, ret), SSL_ERROR_WANT_READ))
+ goto err;
+ SSL_handle_events(qlistener);
+ }
+
+ /* We expect a server SSL object which has not yet completed its handshake */
+ serverssl = SSL_accept_connection(qlistener, 0);
+
+ /* Call SSL_accept() and SSL_connect() until we are connected */
+ if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
+ SSL_ERROR_NONE, 0, 0)))
+ goto err;
+
+ testresult = 1;
+
+err:
+ SSL_CTX_free(cctx);
+ SSL_CTX_free(sctx);
+ SSL_free(clientssl);
+ SSL_free(serverssl);
+ SSL_free(qlistener);
+
+ return testresult;
+#else
+ return TEST_skip("EC(X) keys are not supported in this build");
+#endif
+}
+
 /***********************************************************************************/
 OPT_TEST_DECLARE_USAGE("provider config certsdir datadir\n")
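Review bot: The result of `SSL_accept_connection(qlistener, 0)` in test_client_hello_retry() is never checked, so a NULL serverssl (exactly what this test would see if the server did fail on the retry) is handed straight to create_bare_ssl_connection(), which presumably dereferences it and would turn a regression into a crash instead of a reported failure. Wrap it like the other calls: `if (!TEST_ptr(serverssl = SSL_accept_connection(qlistener, 0))) goto err;`. Separately, nothing asserts that a HelloRetryRequest was actually exchanged; the test only proves that the handshake completes, so it would keep passing if the client's initial key shares ever came to include secp256r1. Checking the negotiated group on the client after the handshake (for example with `SSL_get_negotiated_group()`, if that is usable on QUIC objects) would at least pin the expected outcome.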
@@ -3120,6 +3177,7 @@ int setup_tests(void)
 ADD_TEST(test_ssl_accept_connection);
 ADD_TEST(test_ssl_set_verify);
 ADD_TEST(test_accept_stream);
+ ADD_TEST(test_client_hello_retry);
 return 1;
 err:
 cleanup_tests();