1 /*
2  * Copyright 2016-2026 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 /*
11  * We need access to the deprecated low level HMAC APIs for legacy purposes
12  * when the deprecated calls are not hidden
13  */
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 #define OPENSSL_SUPPRESS_DEPRECATED
16 #endif
17 
18 #include <stdio.h>
19 #include <string.h>
20 
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
33 #include <openssl/param_build.h>
34 #include <openssl/x509v3.h>
35 #include <openssl/dh.h>
36 #include <openssl/engine.h>
37 
38 #include "helpers/ssltestlib.h"
39 #include "testutil.h"
40 #include "testutil/output.h"
41 #include "internal/nelem.h"
42 #include "internal/tlsgroups.h"
43 #include "internal/ktls.h"
44 #include "internal/ssl_unwrap.h"
45 #include "../ssl/ssl_local.h"
46 #include "../ssl/record/methods/recmethod_local.h"
47 #include "filterprov.h"
48 
49 #undef OSSL_NO_USABLE_TLS1_3
50 #if defined(OPENSSL_NO_TLS1_3) \
51     || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
52 /*
53  * If we don't have ec or dh then there are no built-in groups that are usable
54  * with TLSv1.3
55  */
56 #define OSSL_NO_USABLE_TLS1_3
57 #endif
58 
59 /* Defined in tls-provider.c */
60 int tls_provider_init(const OSSL_CORE_HANDLE *handle,
61     const OSSL_DISPATCH *in,
62     const OSSL_DISPATCH **out,
63     void **provctx);
64 
65 static OSSL_LIB_CTX *libctx = NULL;
66 static OSSL_PROVIDER *defctxnull = NULL;
67 
68 #ifndef OSSL_NO_USABLE_TLS1_3
69 
70 static SSL_SESSION *clientpsk = NULL;
71 static SSL_SESSION *serverpsk = NULL;
72 static const char *pskid = "Identity";
73 static const char *srvid;
74 
75 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
76     size_t *idlen, SSL_SESSION **sess);
77 static int find_session_cb(SSL *ssl, const unsigned char *identity,
78     size_t identity_len, SSL_SESSION **sess);
79 
80 static int use_session_cb_cnt = 0;
81 static int find_session_cb_cnt = 0;
82 static int end_of_early_data = 0;
83 #endif
84 
85 static char *certsdir = NULL;
86 static char *cert = NULL;
87 static char *privkey = NULL;
88 static char *cert2 = NULL;
89 static char *privkey2 = NULL;
90 static char *cert1024 = NULL;
91 static char *privkey1024 = NULL;
92 static char *cert3072 = NULL;
93 static char *privkey3072 = NULL;
94 static char *cert4096 = NULL;
95 static char *privkey4096 = NULL;
96 static char *cert8192 = NULL;
97 static char *privkey8192 = NULL;
98 static char *srpvfile = NULL;
99 static char *tmpfilename = NULL;
100 static char *dhfile = NULL;
101 static char *datadir = NULL;
102 
103 static int is_fips = 0;
104 static int fips_ems_check = 0;
105 
/*
 * In-memory key log capture used by the keylog tests.
 *
 * Each buffer receives the lines passed to the matching keylog callback, so
 * while a test runs it holds TLS secrets for the test connection. The extra
 * byte beyond LOG_BUFFER_SIZE is for the NUL terminator that the
 * strtok()-based parser in test_keylog_output() depends on.
 */
#define LOG_BUFFER_SIZE 2048

/* Lines logged through the server SSL_CTX, and the next write offset. */
static char server_log_buffer[LOG_BUFFER_SIZE + 1] = { 0 };
static size_t server_log_buffer_index = 0;

/* Lines logged through the client SSL_CTX, and the next write offset. */
static char client_log_buffer[LOG_BUFFER_SIZE + 1] = { 0 };
static size_t client_log_buffer_index = 0;

/* Set to 1 by either callback when a line does not fit. */
static int error_writing_log = 0;
112 
113 #ifndef OPENSSL_NO_OCSP
114 static const unsigned char orespder[] = "Dummy OCSP Response";
115 static int ocsp_server_called = 0;
116 static int ocsp_client_called = 0;
117 
118 static int cdummyarg = 1;
119 static X509 *ocspcert = NULL;
120 #endif
121 
122 #define CLIENT_VERSION_LEN 2
123 
124 /* The ssltrace test assumes some options are switched on/off */
125 #if !defined(OPENSSL_NO_SSL_TRACE)                                \
126     && defined(OPENSSL_NO_BROTLI) && defined(OPENSSL_NO_ZSTD)     \
127     && !defined(OPENSSL_NO_ECX) && !defined(OPENSSL_NO_DH)        \
128     && !defined(OPENSSL_NO_ML_DSA) && !defined(OPENSSL_NO_ML_KEM) \
129     && !defined(OPENSSL_NO_TLS1_3)
130 #define DO_SSL_TRACE_TEST
131 #endif
132 
/*
 * Per-label tally of key log lines.
 *
 * test_keylog_output() counts the lines it parses by label and compares the
 * result with an instance of this structure filled in by the caller, so a
 * missing or unexpected secret in the key log fails the test.
 */
struct sslapitest_log_counts {
    /* "RSA" lines (pre-master secret of an RSA key exchange) */
    unsigned int rsa_key_exchange_count;
    /* "CLIENT_RANDOM" lines (master secret) */
    unsigned int master_secret_count;
    /* "CLIENT_EARLY_TRAFFIC_SECRET" lines */
    unsigned int client_early_secret_count;
    /* "CLIENT_HANDSHAKE_TRAFFIC_SECRET" lines */
    unsigned int client_handshake_secret_count;
    /* "SERVER_HANDSHAKE_TRAFFIC_SECRET" lines */
    unsigned int server_handshake_secret_count;
    /* "CLIENT_TRAFFIC_SECRET_0" lines */
    unsigned int client_application_secret_count;
    /* "SERVER_TRAFFIC_SECRET_0" lines */
    unsigned int server_application_secret_count;
    /* "EARLY_EXPORTER_SECRET" lines */
    unsigned int early_exporter_secret_count;
    /* "EXPORTER_SECRET" lines */
    unsigned int exporter_secret_count;
};
148 
/*
 * Servername (SNI) callback: acknowledge the extension only for the two
 * host names the tests treat as valid. A missing name or any other name
 * yields SSL_TLSEXT_ERR_NOACK. |al| and |arg| are unused.
 */
static int hostname_cb(SSL *s, int *al, void *arg)
{
    static const char *const accepted[] = { "goodhost", "altgoodhost" };
    const char *sni = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
    size_t i;

    /* No SNI sent by the client */
    if (sni == NULL)
        return SSL_TLSEXT_ERR_NOACK;

    /* Exact, case-sensitive match against the allow-list */
    for (i = 0; i < OSSL_NELEM(accepted); i++) {
        if (strcmp(sni, accepted[i]) == 0)
            return SSL_TLSEXT_ERR_OK;
    }

    return SSL_TLSEXT_ERR_NOACK;
}
158 
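/*
 * Key log callback installed on the client SSL_CTX: append |line| and a
 * newline to client_log_buffer and advance client_log_buffer_index.
 *
 * The buffer holds key log lines (TLS secrets of the test connection) and is
 * later parsed with strtok() by test_keylog_output(), so it must always stay
 * NUL terminated. If the line does not fit, nothing is written and
 * error_writing_log is set. |ssl| is unused.
 */
static void client_keylog_callback(const SSL *ssl, const char *line)
{
    /* The last byte of the buffer is reserved for the NUL terminator. */
    const size_t capacity = sizeof(client_log_buffer) - 1;
    size_t line_length = strlen(line);

    /*
     * Both the line and its trailing newline have to fit below the reserved
     * terminator byte. Checking only the line length would let an exact-fit
     * line overwrite the terminator with '\n' and leave the buffer
     * unterminated.
     */
    if (client_log_buffer_index >= capacity
        || line_length >= capacity - client_log_buffer_index) {
        TEST_info("Client log too full");
        error_writing_log = 1;
        return;
    }

    /* Write at the tracked offset rather than searching for the end. */
    memcpy(client_log_buffer + client_log_buffer_index, line, line_length);
    client_log_buffer_index += line_length;
    client_log_buffer[client_log_buffer_index++] = '\n';
    client_log_buffer[client_log_buffer_index] = '\0';
}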
174 
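/*
 * Key log callback installed on the server SSL_CTX: append |line| and a
 * newline to server_log_buffer and advance server_log_buffer_index.
 *
 * The buffer holds key log lines (TLS secrets of the test connection) and is
 * later parsed with strtok() by test_keylog_output(), so it must always stay
 * NUL terminated. If the line does not fit, nothing is written and
 * error_writing_log is set. |ssl| is unused.
 */
static void server_keylog_callback(const SSL *ssl, const char *line)
{
    /* The last byte of the buffer is reserved for the NUL terminator. */
    const size_t capacity = sizeof(server_log_buffer) - 1;
    size_t line_length = strlen(line);

    /*
     * Both the line and its trailing newline have to fit below the reserved
     * terminator byte. Checking only the line length would let an exact-fit
     * line overwrite the terminator with '\n' and leave the buffer
     * unterminated.
     */
    if (server_log_buffer_index >= capacity
        || line_length >= capacity - server_log_buffer_index) {
        TEST_info("Server log too full");
        error_writing_log = 1;
        return;
    }

    /* Write at the tracked offset rather than searching for the end. */
    memcpy(server_log_buffer + server_log_buffer_index, line, line_length);
    server_log_buffer_index += line_length;
    server_log_buffer[server_log_buffer_index++] = '\n';
    server_log_buffer[server_log_buffer_index] = '\0';
}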
190 
/*
 * Check that |hex_encoded| (|hex_length| characters, no terminator needed)
 * is the lowercase hex encoding of the |raw_length| bytes at |raw|.
 *
 * Note the inverted result: returns 0 when the two agree and 1 on any
 * length or content mismatch. Uppercase hex digits do not match, because
 * the reference encoding is produced with "%02x".
 */
static int compare_hex_encoded_buffer(const char *hex_encoded,
    size_t hex_length,
    const uint8_t *raw,
    size_t raw_length)
{
    size_t byte_idx = 0, hex_idx = 0;
    char pair[3];

    /* Every raw byte must be represented by exactly two hex characters */
    if (!TEST_size_t_eq(raw_length * 2, hex_length))
        return 1;

    while (byte_idx < raw_length && hex_idx + 1 < hex_length) {
        /* Encode one byte and compare both of its digits */
        BIO_snprintf(pair, sizeof(pair), "%02x", raw[byte_idx]);
        if (!TEST_int_eq(pair[0], hex_encoded[hex_idx]))
            return 1;
        if (!TEST_int_eq(pair[1], hex_encoded[hex_idx + 1]))
            return 1;

        byte_idx++;
        hex_idx += 2;
    }

    return 0;
}
211 
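/*
 * Map a TLSv1.3 key log label to the matching counter in |counts|.
 * Returns NULL if |label| is not one of the known TLSv1.3 labels.
 */
static unsigned int *keylog_tls13_counter(struct sslapitest_log_counts *counts,
    const char *label)
{
    if (strcmp(label, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
        return &counts->client_early_secret_count;
    if (strcmp(label, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
        return &counts->client_handshake_secret_count;
    if (strcmp(label, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
        return &counts->server_handshake_secret_count;
    if (strcmp(label, "CLIENT_TRAFFIC_SECRET_0") == 0)
        return &counts->client_application_secret_count;
    if (strcmp(label, "SERVER_TRAFFIC_SECRET_0") == 0)
        return &counts->server_application_secret_count;
    if (strcmp(label, "EARLY_EXPORTER_SECRET") == 0)
        return &counts->early_exporter_secret_count;
    if (strcmp(label, "EXPORTER_SECRET") == 0)
        return &counts->exporter_secret_count;
    return NULL;
}

/*
 * Check that |token| is present, is 64 characters long and is the hex
 * encoding of the client random of |ssl|. Returns 1 on success, 0 otherwise.
 */
static int keylog_client_random_matches(const SSL *ssl, const char *token)
{
    unsigned char actual[SSL3_RANDOM_SIZE] = { 0 };
    size_t actual_len = SSL_get_client_random(ssl, actual, SSL3_RANDOM_SIZE);

    if (!TEST_size_t_eq(actual_len, SSL3_RANDOM_SIZE))
        return 0;
    if (!TEST_ptr(token) || !TEST_size_t_eq(strlen(token), 64))
        return 0;
    return TEST_false(compare_hex_encoded_buffer(token, 64, actual,
        actual_len));
}

/*
 * Parse the captured key log in |buffer| and check it against the live
 * connection state and the expected per-label line counts.
 *
 * |buffer| must be NUL terminated; it is tokenised in place with strtok(),
 * so it is modified and cannot be parsed a second time. For every line the
 * client random is compared with the one reported by |ssl|. For
 * CLIENT_RANDOM lines the logged master secret is also compared with the
 * master key of |session|. For "RSA" lines and for the TLSv1.3 labels only
 * the presence of the secret token is checked, not its value.
 *
 * Returns 1 if every line is well formed and the counts equal |expected|,
 * 0 otherwise.
 */
static int test_keylog_output(char *buffer, const SSL *ssl,
    const SSL_SESSION *session,
    struct sslapitest_log_counts *expected)
{
    static const char delims[] = " \n";
    unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = { 0 };
    size_t master_key_size;
    struct sslapitest_log_counts seen;
    unsigned int *tls13_count;
    char *token;

    memset(&seen, 0, sizeof(seen));

    for (token = strtok(buffer, delims); token != NULL;
        token = strtok(NULL, delims)) {
        if (strcmp(token, "RSA") == 0) {
            /*
             * Premaster secret. Tokens should be: 16 ASCII bytes of
             * hex-encoded encrypted secret, then the hex-encoded pre-master
             * secret. The value cannot be checked because the premaster
             * secret is transient and is not kept once the master secret
             * has been generated.
             */
            if (!TEST_ptr(token = strtok(NULL, delims))
                || !TEST_size_t_eq(strlen(token), 16)
                || !TEST_ptr(token = strtok(NULL, delims)))
                return 0;
            seen.rsa_key_exchange_count++;
            continue;
        }

        if (strcmp(token, "CLIENT_RANDOM") == 0) {
            /*
             * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
             * client random, then the hex-encoded master secret.
             */
            if (!keylog_client_random_matches(ssl, strtok(NULL, delims))
                || !TEST_ptr(token = strtok(NULL, delims)))
                return 0;

            /*
             * Always offer the full buffer, so that a second CLIENT_RANDOM
             * line is not compared against a key truncated to the length
             * returned for the first one.
             */
            master_key_size = SSL_SESSION_get_master_key(session,
                actual_master_key, sizeof(actual_master_key));
            if (!TEST_size_t_ne(master_key_size, 0)
                || !TEST_false(compare_hex_encoded_buffer(token,
                    strlen(token), actual_master_key, master_key_size)))
                return 0;
            seen.master_secret_count++;
            continue;
        }

        /*
         * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
         * client random, and then the hex-encoded secret. All labels are
         * handled the same way and only differ in which counter they bump.
         */
        tls13_count = keylog_tls13_counter(&seen, token);
        if (tls13_count == NULL) {
            TEST_info("Unexpected token %s\n", token);
            return 0;
        }
        (*tls13_count)++;

        if (!keylog_client_random_matches(ssl, strtok(NULL, delims))
            || !TEST_ptr(token = strtok(NULL, delims)))
            return 0;
    }

    /* Got what we expected? The counters are unsigned int, compare as such */
    if (!TEST_uint_eq(seen.rsa_key_exchange_count,
            expected->rsa_key_exchange_count)
        || !TEST_uint_eq(seen.master_secret_count,
            expected->master_secret_count)
        || !TEST_uint_eq(seen.client_early_secret_count,
            expected->client_early_secret_count)
        || !TEST_uint_eq(seen.client_handshake_secret_count,
            expected->client_handshake_secret_count)
        || !TEST_uint_eq(seen.server_handshake_secret_count,
            expected->server_handshake_secret_count)
        || !TEST_uint_eq(seen.client_application_secret_count,
            expected->client_application_secret_count)
        || !TEST_uint_eq(seen.server_application_secret_count,
            expected->server_application_secret_count)
        || !TEST_uint_eq(seen.early_exporter_secret_count,
            expected->early_exporter_secret_count)
        || !TEST_uint_eq(seen.exporter_secret_count,
            expected->exporter_secret_count))
        return 0;
    return 1;
}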
356 
357 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
/*
 * Check key logging for a pre-TLSv1.3 handshake with RSA key exchange: the
 * keylog callbacks must be settable and readable back, and after the
 * handshake the client log must hold one RSA line and one master secret
 * line while the server log holds one master secret line only.
 * Returns 1 on success, 0 on failure.
 */
static int test_keylog(void)
{
    SSL_CTX *client_ctx = NULL, *server_ctx = NULL;
    SSL *client = NULL, *server = NULL;
    struct sslapitest_log_counts expected;
    int ok = 0;

    /* Start from empty capture buffers and a clean error flag */
    error_writing_log = 0;
    client_log_buffer_index = 0;
    server_log_buffer_index = 0;
    memset(client_log_buffer, 0, sizeof(client_log_buffer));
    memset(server_log_buffer, 0, sizeof(server_log_buffer));
    memset(&expected, 0, sizeof(expected));

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            TLS1_VERSION, 0,
            &server_ctx, &client_ctx, cert, privkey)))
        return 0;

    /* TLSv1.3 has no master secret to log, so keep both sides below it */
    SSL_CTX_set_options(client_ctx, SSL_OP_NO_TLSv1_3);
    SSL_CTX_set_options(server_ctx, SSL_OP_NO_TLSv1_3);

    /* Force RSA key exchange so that an "RSA" line is produced */
    if (!TEST_true(SSL_CTX_set_cipher_list(client_ctx, "RSA")))
        goto end;

    /* No callback is installed by default */
    if (!TEST_true(SSL_CTX_get_keylog_callback(client_ctx) == NULL))
        goto end;
    if (!TEST_true(SSL_CTX_get_keylog_callback(server_ctx) == NULL))
        goto end;

    /* Install each callback and read it back */
    SSL_CTX_set_keylog_callback(client_ctx, client_keylog_callback);
    if (!TEST_true(SSL_CTX_get_keylog_callback(client_ctx)
            == client_keylog_callback))
        goto end;
    SSL_CTX_set_keylog_callback(server_ctx, server_keylog_callback);
    if (!TEST_true(SSL_CTX_get_keylog_callback(server_ctx)
            == server_keylog_callback))
        goto end;

    /* Handshake, then make sure both logs received something */
    if (!TEST_true(create_ssl_objects(server_ctx, client_ctx, &server,
            &client, NULL, NULL)))
        goto end;
    if (!TEST_true(create_ssl_connection(server, client, SSL_ERROR_NONE)))
        goto end;
    if (!TEST_false(error_writing_log))
        goto end;
    if (!TEST_int_gt(client_log_buffer_index, 0))
        goto end;
    if (!TEST_int_gt(server_log_buffer_index, 0))
        goto end;

    /*
     * Sanity check the content by tokenising it. Both sides should have
     * logged one master secret; only the client sees the RSA key exchange.
     */
    expected.master_secret_count = 1;
    expected.rsa_key_exchange_count = 1;
    if (!TEST_true(test_keylog_output(client_log_buffer, client,
            SSL_get_session(client), &expected)))
        goto end;

    expected.rsa_key_exchange_count = 0;
    if (!TEST_true(test_keylog_output(server_log_buffer, server,
            SSL_get_session(server), &expected)))
        goto end;

    ok = 1;

end:
    SSL_free(server);
    SSL_free(client);
    SSL_CTX_free(server_ctx);
    SSL_CTX_free(client_ctx);

    return ok;
}
436 #endif
437 
438 #ifndef OSSL_NO_USABLE_TLS1_3
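/*
 * Check key logging for TLSv1.3: a full handshake must log the handshake,
 * application and exporter secrets on both sides and no CLIENT_RANDOM line,
 * and a resumption with early data must additionally log the early traffic
 * and early exporter secrets. Returns 1 on success, 0 on failure.
 */
static int test_keylog_no_master_key(void)
{
    SSL_CTX *client_ctx = NULL, *server_ctx = NULL;
    SSL *client = NULL, *server = NULL;
    SSL_SESSION *saved = NULL;
    struct sslapitest_log_counts expected;
    unsigned char early[1];
    size_t nread, nwritten;
    int ok = 0;

    /* Start from empty capture buffers and a clean error flag */
    error_writing_log = 0;
    client_log_buffer_index = 0;
    server_log_buffer_index = 0;
    memset(client_log_buffer, 0, sizeof(client_log_buffer));
    memset(server_log_buffer, 0, sizeof(server_log_buffer));
    memset(&expected, 0, sizeof(expected));

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_VERSION, 0,
            &server_ctx, &client_ctx, cert, privkey)))
        return 0;

    /* The contexts exist from here on, so failures must go through end */
    if (!TEST_true(SSL_CTX_set_max_early_data(server_ctx,
            SSL3_RT_MAX_PLAIN_LENGTH)))
        goto end;

    /* No callback is installed by default */
    if (!TEST_true(SSL_CTX_get_keylog_callback(client_ctx) == NULL)
        || !TEST_true(SSL_CTX_get_keylog_callback(server_ctx) == NULL))
        goto end;

    /* Install each callback and read it back */
    SSL_CTX_set_keylog_callback(client_ctx, client_keylog_callback);
    if (!TEST_true(SSL_CTX_get_keylog_callback(client_ctx)
            == client_keylog_callback))
        goto end;

    SSL_CTX_set_keylog_callback(server_ctx, server_keylog_callback);
    if (!TEST_true(SSL_CTX_get_keylog_callback(server_ctx)
            == server_keylog_callback))
        goto end;

    /* Handshake, then make sure nothing overflowed the capture buffers */
    if (!TEST_true(create_ssl_objects(server_ctx, client_ctx, &server,
            &client, NULL, NULL))
        || !TEST_true(create_ssl_connection(server, client, SSL_ERROR_NONE))
        || !TEST_false(error_writing_log))
        goto end;

    /*
     * No CLIENT_RANDOM entry is expected because it makes no sense for
     * TLSv1.3, but both client and server must emit the traffic secrets.
     */
    expected.client_handshake_secret_count = 1;
    expected.server_handshake_secret_count = 1;
    expected.client_application_secret_count = 1;
    expected.server_application_secret_count = 1;
    expected.exporter_secret_count = 1;
    if (!TEST_true(test_keylog_output(client_log_buffer, client,
            SSL_get_session(client), &expected))
        || !TEST_true(test_keylog_output(server_log_buffer, server,
            SSL_get_session(server), &expected)))
        goto end;

    /* Terminate old session and resume with early data. */
    saved = SSL_get1_session(client);
    SSL_shutdown(client);
    SSL_shutdown(server);
    SSL_free(server);
    SSL_free(client);
    server = client = NULL;

    /* Reset key log */
    memset(client_log_buffer, 0, sizeof(client_log_buffer));
    memset(server_log_buffer, 0, sizeof(server_log_buffer));
    client_log_buffer_index = 0;
    server_log_buffer_index = 0;

    if (!TEST_true(create_ssl_objects(server_ctx, client_ctx, &server,
            &client, NULL, NULL))
        || !TEST_true(SSL_set_session(client, saved))
        /* Here writing 0 length early data is enough. */
        || !TEST_true(SSL_write_early_data(client, NULL, 0, &nwritten))
        || !TEST_int_eq(SSL_read_early_data(server, early, sizeof(early),
                            &nread),
            SSL_READ_EARLY_DATA_ERROR)
        || !TEST_int_eq(SSL_get_early_data_status(server),
            SSL_EARLY_DATA_ACCEPTED)
        || !TEST_true(create_ssl_connection(server, client, SSL_ERROR_NONE))
        || !TEST_true(SSL_session_reused(client)))
        goto end;

    /* In addition to the previous entries, expect early secrets. */
    expected.client_early_secret_count = 1;
    expected.early_exporter_secret_count = 1;
    if (!TEST_true(test_keylog_output(client_log_buffer, client,
            SSL_get_session(client), &expected))
        || !TEST_true(test_keylog_output(server_log_buffer, server,
            SSL_get_session(server), &expected)))
        goto end;

    ok = 1;

end:
    SSL_SESSION_free(saved);
    SSL_free(server);
    SSL_free(client);
    SSL_CTX_free(server_ctx);
    SSL_CTX_free(client_ctx);

    return ok;
}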
553 #endif
554 
/*
 * Certificate verification callback that turns one specific failure into a
 * retry request.
 *
 * The normal X509_verify_cert() result is returned unchanged, except when
 * verification failed with X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: in
 * that case the result of SSL_set_retry_verify() is returned, so that the
 * handshake is suspended with SSL_ERROR_WANT_RETRY_VERIFY. Every other
 * verification failure is still reported as a failure. |arg| is unused.
 */
static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
{
    int verified = X509_verify_cert(ctx);
    int ex_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
    SSL *ssl = NULL;

    /* The SSL object should always be reachable, but fail closed if not */
    if (ex_idx >= 0)
        ssl = X509_STORE_CTX_get_ex_data(ctx, ex_idx);
    if (ssl == NULL)
        return 0;

    if (verified != 0)
        return verified;

    if (X509_STORE_CTX_get_error(ctx)
        != X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
        return verified;

    /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
    return SSL_set_retry_verify(ssl);
}
572 
/*
 * Exercise the retry-verify path on the client: the server sends only its
 * leaf certificate, so the first connection attempt must stop with
 * SSL_ERROR_WANT_RETRY_VERIFY. The test then adds the two intermediates to
 * the peer chain and expects the resumed handshake to succeed.
 * Returns 1 on success, 0 on failure.
 */
static int test_client_cert_verify_cb(void)
{
    /*
     * Server key, leaf, the two intermediates and the root.
     * NOTE(review): the results of test_mk_file_path() are used without a
     * NULL check - confirm whether it can fail.
     */
    char *key_path = test_mk_file_path(certsdir, "leaf.key");
    char *leaf_path = test_mk_file_path(certsdir, "leaf.pem");
    char *subinter_path = test_mk_file_path(certsdir, "subinterCA.pem");
    char *inter_path = test_mk_file_path(certsdir, "interCA.pem");
    char *root_path = test_mk_file_path(certsdir, "rootCA.pem");
    X509 *inter = NULL, *subinter = NULL;
    STACK_OF(X509) *peer_chain;
    SSL_CTX *client_ctx = NULL, *server_ctx = NULL;
    SSL *client = NULL, *server = NULL;
    int ok = 0;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_VERSION, 0,
            &server_ctx, &client_ctx, NULL, NULL)))
        goto end;

    /* Server presents the leaf only, without its intermediates */
    if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(server_ctx,
                         leaf_path),
            1))
        goto end;
    if (!TEST_int_eq(SSL_CTX_use_PrivateKey_file(server_ctx, key_path,
                         SSL_FILETYPE_PEM),
            1))
        goto end;
    if (!TEST_int_eq(SSL_CTX_check_private_key(server_ctx), 1))
        goto end;

    /* Client trusts the root and verifies the peer through the callback */
    if (!TEST_true(SSL_CTX_load_verify_locations(client_ctx, root_path, NULL)))
        goto end;
    SSL_CTX_set_verify(client_ctx, SSL_VERIFY_PEER, NULL);
    SSL_CTX_set_cert_verify_callback(client_ctx, verify_retry_cb, NULL);
    if (!TEST_true(create_ssl_objects(server_ctx, client_ctx, &server,
            &client, NULL, NULL)))
        goto end;

    /* attempt SSL_connect() with incomplete server chain */
    if (!TEST_false(create_ssl_connection(server, client,
            SSL_ERROR_WANT_RETRY_VERIFY)))
        goto end;

    /* application provides intermediate certs needed to verify server cert */
    if (!TEST_ptr((inter = load_cert_pem(inter_path, libctx))))
        goto end;
    if (!TEST_ptr((subinter = load_cert_pem(subinter_path, libctx))))
        goto end;
    if (!TEST_ptr((peer_chain = SSL_get_peer_cert_chain(client))))
        goto end;

    /*
     * add certs in reverse order to demonstrate real chain building; once
     * pushed, the local pointer is cleared so that it is not freed at end
     */
    if (!TEST_true(sk_X509_push(peer_chain, inter)))
        goto end;
    inter = NULL;
    if (!TEST_true(sk_X509_push(peer_chain, subinter)))
        goto end;
    subinter = NULL;

    /* continue SSL_connect(), must now succeed with completed server chain */
    if (!TEST_true(create_ssl_connection(server, client, SSL_ERROR_NONE)))
        goto end;

    ok = 1;

end:
    X509_free(inter);
    X509_free(subinter);
    if (client != NULL) {
        SSL_shutdown(client);
        SSL_free(client);
    }
    if (server != NULL) {
        SSL_shutdown(server);
        SSL_free(server);
    }
    SSL_CTX_free(server_ctx);
    SSL_CTX_free(client_ctx);

    OPENSSL_free(key_path);
    OPENSSL_free(leaf_path);
    OPENSSL_free(subinter_path);
    OPENSSL_free(inter_path);
    OPENSSL_free(root_path);

    return ok;
}
652 
/*
 * Load a full certificate chain and its key into an SSL object and check
 * that SSL_build_cert_chain() succeeds with the NO_ROOT and CHECK flags.
 * Returns 1 on success, 0 on failure.
 */
static int test_ssl_build_cert_chain(void)
{
    char *key_path = test_mk_file_path(certsdir, "leaf.key");
    char *chain_path = test_mk_file_path(certsdir, "leaf-chain.pem");
    SSL_CTX *ctx = NULL;
    SSL *con = NULL;
    int ok = 0;

    if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()))
        || !TEST_ptr(con = SSL_new(ctx)))
        goto end;

    /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
    if (!TEST_int_eq(SSL_use_certificate_chain_file(con, chain_path), 1))
        goto end;
    if (!TEST_int_eq(SSL_use_PrivateKey_file(con, key_path, SSL_FILETYPE_PEM),
            1))
        goto end;
    if (!TEST_int_eq(SSL_check_private_key(con), 1))
        goto end;

    if (!TEST_true(SSL_build_cert_chain(con,
            SSL_BUILD_CHAIN_FLAG_NO_ROOT | SSL_BUILD_CHAIN_FLAG_CHECK)))
        goto end;

    ok = 1;

end:
    SSL_free(con);
    SSL_CTX_free(ctx);
    OPENSSL_free(chain_path);
    OPENSSL_free(key_path);
    return ok;
}
680 
/*
 * Password callback for the encrypted test key: supplies the fixed test
 * passphrase.
 *
 * The passphrase is copied into |buf| without a NUL terminator and its
 * length is returned. The callback insists on being handed a buffer of
 * exactly PEM_BUFSIZE bytes and returns -1 otherwise. |rw_flag| and
 * |userdata| are unused.
 */
static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
{
    static const char pass[] = "testpass";
    const size_t pass_len = sizeof(pass) - 1;

    if (!TEST_int_eq(size, PEM_BUFSIZE))
        return -1;

    memcpy(buf, pass, pass_len);
    return pass_len;
}
691 
/*
 * Load a full certificate chain and a passphrase-protected key into an
 * SSL_CTX (the passphrase comes from get_password_cb) and check that
 * SSL_CTX_build_cert_chain() succeeds with the NO_ROOT and CHECK flags.
 * Returns 1 on success, 0 on failure.
 */
static int test_ssl_ctx_build_cert_chain(void)
{
    char *key_path = test_mk_file_path(certsdir, "leaf-encrypted.key");
    char *chain_path = test_mk_file_path(certsdir, "leaf-chain.pem");
    SSL_CTX *server_ctx = NULL;
    int ok = 0;

    if (!TEST_ptr(server_ctx = SSL_CTX_new_ex(libctx, NULL,
                      TLS_server_method())))
        goto end;

    /* Needed to decrypt leaf-encrypted.key below */
    SSL_CTX_set_default_passwd_cb(server_ctx, get_password_cb);

    /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
    if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(server_ctx,
                         chain_path),
            1))
        goto end;
    if (!TEST_int_eq(SSL_CTX_use_PrivateKey_file(server_ctx, key_path,
                         SSL_FILETYPE_PEM),
            1))
        goto end;
    if (!TEST_int_eq(SSL_CTX_check_private_key(server_ctx), 1))
        goto end;

    if (!TEST_true(SSL_CTX_build_cert_chain(server_ctx,
            SSL_BUILD_CHAIN_FLAG_NO_ROOT | SSL_BUILD_CHAIN_FLAG_CHECK)))
        goto end;

    ok = 1;

end:
    SSL_CTX_free(server_ctx);
    OPENSSL_free(chain_path);
    OPENSSL_free(key_path);
    return ok;
}
718 
719 #ifndef OPENSSL_NO_TLS1_2
/*
 * ClientHello callback that checks the raw ClientHello contents.
 *
 * |arg| points to an int call counter. The first invocation only bumps the
 * counter and asks to be called again (SSL_CLIENT_HELLO_RETRY). Later
 * invocations compare the offered cipher suites, the compression methods
 * and the list of extensions present with fixed expected values and return
 * SSL_CLIENT_HELLO_SUCCESS or SSL_CLIENT_HELLO_ERROR. |al| is unused.
 */
static int full_client_hello_callback(SSL *s, int *al, void *arg)
{
    int *calls = arg;
    const unsigned char *data;
    int *present;
    int first_call;
    int ret = SSL_CLIENT_HELLO_ERROR;
    size_t count;
    /* Cipher suite IDs, two bytes each, in the order the client offers them */
#ifdef OPENSSL_NO_EC
    const unsigned char expected_ciphers[] = { 0x00, 0x9d };
#else
    const unsigned char expected_ciphers[] = { 0x00, 0x9d, 0xc0,
        0x2c };
#endif
    /* Extension type numbers, in the order they appear in the ClientHello */
    const int expected_extensions[] = {
        65281,
#ifndef OPENSSL_NO_EC
        11, 10,
#endif
        35, 22, 23, 13
    };

    /* Make sure we can defer processing and get called back. */
    first_call = (*calls == 0);
    *calls += 1;
    if (first_call)
        return SSL_CLIENT_HELLO_RETRY;

    count = SSL_client_hello_get0_ciphers(s, &data);
    if (!TEST_mem_eq(data, count, expected_ciphers, sizeof(expected_ciphers)))
        return SSL_CLIENT_HELLO_ERROR;

    /* Exactly one compression method, and it must be "null" (0) */
    if (!TEST_size_t_eq(SSL_client_hello_get0_compression_methods(s, &data),
            1))
        return SSL_CLIENT_HELLO_ERROR;
    if (!TEST_int_eq(*data, 0))
        return SSL_CLIENT_HELLO_ERROR;

    /* |present| is allocated for us and must be freed on every path below */
    if (!SSL_client_hello_get1_extensions_present(s, &present, &count))
        return SSL_CLIENT_HELLO_ERROR;

    if (count == OSSL_NELEM(expected_extensions)
        && memcmp(present, expected_extensions, count * sizeof(*present)) == 0)
        ret = SSL_CLIENT_HELLO_SUCCESS;
    else
        printf("ClientHello callback expected extensions mismatch\n");

    OPENSSL_free(present);
    return ret;
}
760 
/*
 * Check the ClientHello callback retry mechanism: with
 * full_client_hello_callback installed on the server, the first connection
 * attempt must stop with SSL_ERROR_WANT_CLIENT_HELLO_CB and the second must
 * complete. Returns 1 on success, 0 on failure.
 */
static int test_client_hello_cb(void)
{
    SSL_CTX *client_ctx = NULL, *server_ctx = NULL;
    SSL *client = NULL, *server = NULL;
    int cb_calls = 0, ok = 0;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_VERSION, 0,
            &server_ctx, &client_ctx, cert, privkey)))
        goto end;
    SSL_CTX_set_client_hello_cb(server_ctx, full_client_hello_callback,
        &cb_calls);

    /* The gimpy cipher list we configure can't do TLS 1.3. */
    SSL_CTX_set_max_proto_version(client_ctx, TLS1_2_VERSION);
    /* Avoid problems where the default seclevel has been changed */
    SSL_CTX_set_security_level(client_ctx, 2);

    /* The callback checks for exactly these suites in the ClientHello */
    if (!TEST_true(SSL_CTX_set_cipher_list(client_ctx,
            "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384")))
        goto end;
    if (!TEST_true(create_ssl_objects(server_ctx, client_ctx, &server,
            &client, NULL, NULL)))
        goto end;

    /* First attempt: the callback defers, so the handshake must pause */
    if (!TEST_false(create_ssl_connection(server, client,
            SSL_ERROR_WANT_CLIENT_HELLO_CB)))
        goto end;
    /*
     * Passing a -1 literal is a hack since
     * the real value was lost.
     */
    if (!TEST_int_eq(SSL_get_error(server, -1),
            SSL_ERROR_WANT_CLIENT_HELLO_CB))
        goto end;

    /* Second attempt: the callback validates the ClientHello and accepts */
    if (!TEST_true(create_ssl_connection(server, client, SSL_ERROR_NONE)))
        goto end;

    ok = 1;

end:
    SSL_free(server);
    SSL_free(client);
    SSL_CTX_free(server_ctx);
    SSL_CTX_free(client_ctx);

    return ok;
}
803 
/*
 * Check behaviour when the server disables the Extended Master Secret
 * extension (TLSv1.2 at most). If fips_ems_check is set the connection is
 * required to fail; otherwise it must succeed and neither side may report
 * EMS support. Returns 1 on success, 0 on failure.
 */
static int test_no_ems(void)
{
    SSL_CTX *client_ctx = NULL, *server_ctx = NULL;
    SSL *client = NULL, *server = NULL;
    int ok = 0, connected;

    if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
            TLS1_VERSION, TLS1_2_VERSION,
            &server_ctx, &client_ctx, cert, privkey)) {
        printf("Unable to create SSL_CTX pair\n");
        goto end;
    }

    /* Only the server opts out of EMS */
    SSL_CTX_set_options(server_ctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);

    if (!create_ssl_objects(server_ctx, client_ctx, &server, &client, NULL,
            NULL)) {
        printf("Unable to create SSL objects\n");
        goto end;
    }

    connected = create_ssl_connection(server, client, SSL_ERROR_NONE);

    /* With the FIPS EMS check active a non-EMS handshake must be refused */
    if (fips_ems_check && connected == 1) {
        printf("When FIPS uses the EMS check a connection that doesn't use EMS should fail\n");
        goto end;
    }

    if (!fips_ems_check) {
        if (!connected) {
            printf("Creating SSL connection failed\n");
            goto end;
        }
        if (SSL_get_extms_support(server)) {
            printf("Server reports Extended Master Secret support\n");
            goto end;
        }
        if (SSL_get_extms_support(client)) {
            printf("Client reports Extended Master Secret support\n");
            goto end;
        }
    }

    ok = 1;

end:
    SSL_free(server);
    SSL_free(client);
    SSL_CTX_free(server_ctx);
    SSL_CTX_free(client_ctx);

    return ok;
}
854 
/*
 * Narrow test for one path in the server-side state machine: a
 * ChangeCipherSpec that really switches from one cipher to a different one,
 * rather than from null encryption to real encryption.
 *
 * Three connections are made on the same SSL_CTX pair (tickets disabled on
 * the server):
 *   1. an initial AES128-GCM-SHA256 handshake whose session is kept;
 *   2. a resumption where the client prefers AES256-GCM-SHA384 - the session
 *      must be reused and the cipher must stay AES128-GCM-SHA256;
 *   3. a fresh connection renegotiated from AES128-GCM-SHA256 to
 *      AES256-GCM-SHA384 - a new session and the new cipher are expected.
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_ccs_change_cipher(void)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    SSL_SESSION *sess = NULL, *sesspre, *sesspost;
    int testresult = 0;
    int round;
    unsigned char buf;
    size_t readbytes;

    /*
     * Connection 1: establish a session we can resume. The second connection
     * will offer a different cipher but must not end up using it.
     */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            TLS1_VERSION, TLS1_2_VERSION,
            &sctx, &cctx, cert, privkey)))
        goto end;
    if (!TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET)))
        goto end;
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;
    if (!TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256")))
        goto end;
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;
    /* sesspre is borrowed (get0); sess is owned (get1) and freed at end. */
    if (!TEST_ptr(sesspre = SSL_get0_session(serverssl))
        || !TEST_ptr(sess = SSL_get1_session(clientssl)))
        goto end;

    shutdown_ssl_connection(serverssl, clientssl);
    serverssl = clientssl = NULL;

    /*
     * Connection 2: resume while preferring a different cipher. The server
     * is expected to keep the cipher of the original handshake.
     */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;
    if (!TEST_true(SSL_set_session(clientssl, sess)))
        goto end;
    if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256")))
        goto end;
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;
    if (!TEST_true(SSL_session_reused(clientssl))
        || !TEST_true(SSL_session_reused(serverssl)))
        goto end;
    if (!TEST_ptr(sesspost = SSL_get0_session(serverssl))
        || !TEST_ptr_eq(sesspre, sesspost))
        goto end;
    if (!TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
            SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
        goto end;
    shutdown_ssl_connection(serverssl, clientssl);
    serverssl = clientssl = NULL;

    /*
     * Connection 3: a brand new connection on which the client then asks to
     * renegotiate with a different cipher.
     */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;
    if (!TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256")))
        goto end;
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;
    if (!TEST_ptr(sesspre = SSL_get0_session(serverssl)))
        goto end;
    if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
        goto end;
    if (!TEST_true(SSL_renegotiate(clientssl))
        || !TEST_true(SSL_renegotiate_pending(clientssl)))
        goto end;

    /*
     * Drive the renegotiation by alternating one-byte reads on both sides.
     * No application data is in flight, so each read must either report
     * zero bytes or fail with SSL_ERROR_WANT_READ.
     */
    for (round = 0; round < 3; round++) {
        if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) <= 0) {
            if (!TEST_int_eq(SSL_get_error(clientssl, 0),
                    SSL_ERROR_WANT_READ))
                goto end;
        } else if (!TEST_ulong_eq(readbytes, 0)) {
            goto end;
        }

        if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) <= 0) {
            if (!TEST_int_eq(SSL_get_error(serverssl, 0),
                    SSL_ERROR_WANT_READ))
                goto end;
        } else if (!TEST_ulong_eq(readbytes, 0)) {
            goto end;
        }
    }

    /* The cipher changed, so the session before and after must differ. */
    if (!TEST_false(SSL_renegotiate_pending(clientssl)))
        goto end;
    if (!TEST_false(SSL_session_reused(clientssl))
        || !TEST_false(SSL_session_reused(serverssl)))
        goto end;
    if (!TEST_ptr(sesspost = SSL_get0_session(serverssl))
        || !TEST_ptr_ne(sesspre, sesspost))
        goto end;
    if (!TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
            SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
        goto end;

    shutdown_ssl_connection(serverssl, clientssl);
    serverssl = clientssl = NULL;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    SSL_SESSION_free(sess);

    return testresult;
}
965 #endif
966 
/*
 * Complete one handshake in which the server context carries the chain added
 * by ssl_ctx_add_large_cert_chain(), then call SSL_clear() on the server
 * object before freeing it.
 *
 * smeth, cmeth:             server and client SSL_METHODs.
 * min_version, max_version: protocol bounds passed to create_ssl_ctx_pair().
 * read_ahead:               non-zero to enable read-ahead on the client
 *                           context.
 *
 * Returns 1 on success, 0 on failure.
 */
static int execute_test_large_message(const SSL_METHOD *smeth,
    const SSL_METHOD *cmeth,
    int min_version, int max_version,
    int read_ahead)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;

    if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
            max_version, &sctx, &cctx, cert,
            privkey)))
        goto end;

#ifdef OPENSSL_NO_DTLS1_2
    if (smeth == DTLS_server_method()) {
        /*
         * Below DTLS1.2 the default sigalgs are SHA1 based, which only
         * security level 0 permits, so both contexts are lowered for this
         * test.
         */
        if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
            goto end;
        if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
                "DEFAULT:@SECLEVEL=0")))
            goto end;
    }
#endif

    /* Optionally check that read_ahead copes with large records. */
    if (read_ahead)
        SSL_CTX_set_read_ahead(cctx, 1);

    if (!ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
        goto end;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    /*
     * SSL_clear() is not needed before SSL_free(); it is called here so a
     * leak inside SSL_clear() would show up.
     */
    if (!TEST_true(SSL_clear(serverssl)))
        goto end;

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
1027 
1028 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
/*
 * Report whether kTLS can be switched on for this socket.
 *
 * sock must already be connected. This is not a passive probe: it calls
 * ktls_enable() on the socket and maps the result to 1 (success) or 0.
 */
static int ktls_chk_platform(int sock)
{
    return ktls_enable(sock) ? 1 : 0;
}
1036 
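/*
 * Send one 16000-byte message from client to server, echo it back, and check
 * the payload and the record-layer sequence numbers on both sides.
 *
 * For each endpoint and direction the OpenSSL sequence number is expected to
 * have changed across the exchange when kTLS is not handling that direction,
 * and to be unchanged when it is (the kernel keeps the sequence instead).
 *
 * The first payload byte comes from a static counter, so successive calls
 * send different data.
 *
 * Returns 1 on success, 0 on failure.
 */
static int ping_pong_query(SSL *clientssl, SSL *serverssl)
{
    /* unsigned so that wrap-around after many calls is well defined */
    static unsigned char count = 1;
    unsigned char cbuf[16000] = { 0 };
    unsigned char sbuf[16000];
    /* SSL_read() returns int; keep it signed for SSL_get_error() */
    int err = 0;
    char crec_wseq_before[SEQ_NUM_SIZE];
    char crec_wseq_after[SEQ_NUM_SIZE];
    char crec_rseq_before[SEQ_NUM_SIZE];
    char crec_rseq_after[SEQ_NUM_SIZE];
    char srec_wseq_before[SEQ_NUM_SIZE];
    char srec_wseq_after[SEQ_NUM_SIZE];
    char srec_rseq_before[SEQ_NUM_SIZE];
    char srec_rseq_after[SEQ_NUM_SIZE];
    SSL_CONNECTION *clientsc, *serversc;

    if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
        || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
        goto end;

    cbuf[0] = count++;

    /* Snapshot all four sequence numbers before any data moves. */
    memcpy(crec_wseq_before, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
    memcpy(srec_wseq_before, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
    memcpy(crec_rseq_before, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
    memcpy(srec_rseq_before, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);

    if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)),
            (int)sizeof(cbuf)))
        goto end;

    /* Anything other than a full read must be a plain "try again". */
    while ((err = SSL_read(serverssl, sbuf, sizeof(sbuf)))
        != (int)sizeof(sbuf)) {
        if (!TEST_int_eq(SSL_get_error(serverssl, err), SSL_ERROR_WANT_READ))
            goto end;
    }

    if (!TEST_int_eq(SSL_write(serverssl, sbuf, sizeof(sbuf)),
            (int)sizeof(sbuf)))
        goto end;

    while ((err = SSL_read(clientssl, cbuf, sizeof(cbuf)))
        != (int)sizeof(cbuf)) {
        if (!TEST_int_eq(SSL_get_error(clientssl, err), SSL_ERROR_WANT_READ))
            goto end;
    }

    memcpy(crec_wseq_after, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
    memcpy(srec_wseq_after, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
    memcpy(crec_rseq_after, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
    memcpy(srec_rseq_after, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);

    /* verify the payload */
    if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
        goto end;

    /*
     * If ktls is used then kernel sequences are used instead of
     * OpenSSL sequences
     */
    if (!BIO_get_ktls_send(clientsc->wbio)) {
        if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
                crec_wseq_after, SEQ_NUM_SIZE))
            goto end;
    } else {
        if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
                crec_wseq_after, SEQ_NUM_SIZE))
            goto end;
    }

    if (!BIO_get_ktls_send(serversc->wbio)) {
        if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
                srec_wseq_after, SEQ_NUM_SIZE))
            goto end;
    } else {
        if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
                srec_wseq_after, SEQ_NUM_SIZE))
            goto end;
    }

    /*
     * The receive direction is a property of the read BIO, so query rbio
     * here, as execute_test_ktls() does.
     */
    if (!BIO_get_ktls_recv(clientsc->rbio)) {
        if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
                crec_rseq_after, SEQ_NUM_SIZE))
            goto end;
    } else {
        if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
                crec_rseq_after, SEQ_NUM_SIZE))
            goto end;
    }

    if (!BIO_get_ktls_recv(serversc->rbio)) {
        if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
                srec_rseq_after, SEQ_NUM_SIZE))
            goto end;
    } else {
        if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
                srec_rseq_after, SEQ_NUM_SIZE))
            goto end;
    }

    return 1;
end:
    return 0;
}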
1138 
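/*
 * Run one kTLS data-transfer test over a connected socket pair.
 *
 * cis_ktls, sis_ktls: non-zero to set SSL_OP_ENABLE_KTLS on the client /
 *                     server SSL object before the handshake.
 * tls_version:        used as both the minimum and maximum protocol version.
 * cipher:             passed to SSL_CTX_set_ciphersuites() for TLSv1.3,
 *                     otherwise to SSL_CTX_set_cipher_list().
 *
 * The test asserts that kTLS is NOT active in any direction for an endpoint
 * that did not ask for it. Whether it becomes active when asked for depends
 * on the running kernel, so that case only feeds the skip decision.
 *
 * Returns 1 on success, 0 on failure, or the TEST_skip() result when the
 * platform, the FIPS/CHACHA combination or the kernel cannot run the case.
 */
static int execute_test_ktls(int cis_ktls, int sis_ktls,
    int tls_version, const char *cipher)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int ktls_used = 0, testresult = 0;
    int cfd = -1, sfd = -1;
    int rx_supported;
    SSL_CONNECTION *clientsc, *serversc;
    unsigned char *buf = NULL;
    const size_t bufsz = SSL3_RT_MAX_PLAIN_LENGTH + 16;
    int ret;
    size_t offset = 0, i;

    if (!TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
        goto end;

    /* Skip this test if the platform does not support ktls */
    if (!ktls_chk_platform(cfd)) {
        testresult = TEST_skip("Kernel does not support KTLS");
        goto end;
    }

    if (is_fips && strstr(cipher, "CHACHA") != NULL) {
        testresult = TEST_skip("CHACHA is not supported in FIPS");
        goto end;
    }

    /* Pin both contexts to the requested protocol version */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            tls_version, tls_version,
            &sctx, &cctx, cert, privkey)))
        goto end;

    /* ... and to the single cipher under test */
    if (tls_version == TLS1_3_VERSION) {
        if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
            || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
            goto end;
    } else {
        if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
            || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
            goto end;
    }

    if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
            &clientssl, sfd, cfd)))
        goto end;

    if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
        || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
        goto end;

    if (cis_ktls) {
        if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
            goto end;
    }

    if (sis_ktls) {
        if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
            goto end;
    }

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /*
     * The running kernel may not support a given cipher suite
     * or direction, so just check that KTLS isn't used when it
     * isn't enabled.
     */
    if (!cis_ktls) {
        if (!TEST_false(BIO_get_ktls_send(clientsc->wbio)))
            goto end;
    } else {
        if (BIO_get_ktls_send(clientsc->wbio))
            ktls_used = 1;
    }

    if (!sis_ktls) {
        if (!TEST_false(BIO_get_ktls_send(serversc->wbio)))
            goto end;
    } else {
        if (BIO_get_ktls_send(serversc->wbio))
            ktls_used = 1;
    }

#if defined(OPENSSL_NO_KTLS_RX)
    rx_supported = 0;
#else
    rx_supported = 1;
#endif
    /*
     * Receive direction: both branches query the recv flag on the read BIO.
     * The enabled branch previously queried the send flag there, which did
     * not match the check in the disabled branch.
     */
    if (!cis_ktls || !rx_supported) {
        if (!TEST_false(BIO_get_ktls_recv(clientsc->rbio)))
            goto end;
    } else {
        if (BIO_get_ktls_recv(clientsc->rbio))
            ktls_used = 1;
    }

    if (!sis_ktls || !rx_supported) {
        if (!TEST_false(BIO_get_ktls_recv(serversc->rbio)))
            goto end;
    } else {
        if (BIO_get_ktls_recv(serversc->rbio))
            ktls_used = 1;
    }

    /* kTLS was asked for but the kernel took no direction: nothing to test */
    if ((cis_ktls || sis_ktls) && !ktls_used) {
        testresult = TEST_skip("KTLS not supported for %s cipher %s",
            tls_version == TLS1_3_VERSION ? "TLS 1.3" : "TLS 1.2", cipher);
        goto end;
    }

    if (!TEST_true(ping_pong_query(clientssl, serverssl)))
        goto end;

    buf = OPENSSL_zalloc(bufsz);
    if (!TEST_ptr(buf))
        goto end;

    /*
     * Write some data that exceeds the maximum record length. KTLS may choose
     * to coalesce this data into a single buffer when we read it again.
     */
    while ((ret = SSL_write(clientssl, buf, bufsz)) != (int)bufsz) {
        if (!TEST_true(SSL_get_error(clientssl, ret) == SSL_ERROR_WANT_WRITE))
            goto end;
    }

    /* Now check that we can read all the data we wrote */
    do {
        ret = SSL_read(serverssl, buf + offset, bufsz - offset);
        if (ret <= 0) {
            if (!TEST_true(SSL_get_error(serverssl, ret) == SSL_ERROR_WANT_READ))
                goto end;
        } else {
            offset += ret;
        }
    } while (offset < bufsz);

    /* The buffer was zero-filled before sending, so it must still be zero */
    if (!TEST_true(offset == bufsz))
        goto end;
    for (i = 0; i < bufsz; i++)
        if (!TEST_true(buf[i] == 0))
            goto end;

    testresult = 1;
end:
    OPENSSL_free(buf);
    if (clientssl) {
        SSL_shutdown(clientssl);
        SSL_free(clientssl);
    }
    if (serverssl) {
        SSL_shutdown(serverssl);
        SSL_free(serverssl);
    }
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    if (cfd != -1)
        close(cfd);
    if (sfd != -1)
        close(sfd);
    return testresult;
}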
1306 
/* Total size of the file sent by the sendfile test, and the size per call. */
#define SENDFILE_SZ (16 * 4096)
#define SENDFILE_CHUNK (4 * 4096)
/*
 * Smaller of two values. Each argument may be evaluated twice, so do not pass
 * expressions with side effects.
 */
#define min(a, b) ((a) < (b) ? (a) : (b))
1310 
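/*
 * Test SSL_sendfile() with kTLS enabled on the server.
 *
 * SENDFILE_SZ random bytes are written to tmpfilename, sent from that file by
 * the server in SENDFILE_CHUNK pieces, read by the client, and compared with
 * the original buffer chunk by chunk.
 *
 * tls_version: used as both the minimum and maximum protocol version.
 * cipher:      passed to SSL_CTX_set_ciphersuites() for TLSv1.3, otherwise
 *              to SSL_CTX_set_cipher_list().
 * zerocopy:    non-zero to also set SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE.
 *
 * Returns 1 on success, 0 on failure, or the TEST_skip() result when kTLS
 * send could not be enabled for this platform or cipher.
 */
static int execute_test_ktls_sendfile(int tls_version, const char *cipher,
    int zerocopy)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    unsigned char *buf, *buf_dst;
    BIO *out = NULL, *in = NULL;
    int cfd = -1, sfd = -1, ffd, err;
    ssize_t chunk_size = 0;
    off_t chunk_off = 0;
    int testresult = 0;
    FILE *ffdp = NULL;
    SSL_CONNECTION *serversc;

    buf = OPENSSL_zalloc(SENDFILE_SZ);
    buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
    if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
        || !TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
        goto end;

    /* Skip this test if the platform does not support ktls */
    if (!ktls_chk_platform(sfd)) {
        testresult = TEST_skip("Kernel does not support KTLS");
        goto end;
    }

    if (is_fips && strstr(cipher, "CHACHA") != NULL) {
        testresult = TEST_skip("CHACHA is not supported in FIPS");
        goto end;
    }

    /* Pin both contexts to the requested protocol version */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            tls_version, tls_version,
            &sctx, &cctx, cert, privkey)))
        goto end;

    if (tls_version == TLS1_3_VERSION) {
        if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
            || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
            goto end;
    } else {
        if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
            || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
            goto end;
    }

    if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
            &clientssl, sfd, cfd)))
        goto end;

    if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
        goto end;

    /* Only the sending side (server) needs kTLS for sendfile */
    if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
        goto end;

    if (zerocopy) {
        if (!TEST_true(SSL_set_options(serverssl,
                SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE)))
            goto end;
    }

    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    if (!BIO_get_ktls_send(serversc->wbio)) {
        testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
            tls_version == TLS1_3_VERSION ? "TLS 1.3" : "TLS 1.2", cipher);
        goto end;
    }

    if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
        goto end;

    out = BIO_new_file(tmpfilename, "wb");
    if (!TEST_ptr(out))
        goto end;

    if (!TEST_int_eq(BIO_write(out, buf, SENDFILE_SZ), SENDFILE_SZ))
        goto end;

    /* Close the writer so the data is on disk before it is reopened */
    BIO_free(out);
    out = NULL;

    /*
     * Reopen for reading and dig out the file descriptor. Each step is
     * checked: a failed open would otherwise leave ffdp unset and hand an
     * indeterminate pointer to fileno().
     */
    in = BIO_new_file(tmpfilename, "rb");
    if (!TEST_ptr(in))
        goto end;
    BIO_get_fp(in, &ffdp);
    if (!TEST_ptr(ffdp))
        goto end;
    ffd = fileno(ffdp);
    if (!TEST_int_ge(ffd, 0))
        goto end;

    while (chunk_off < SENDFILE_SZ) {
        chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);

        /* Anything short of a full chunk must be a plain "try again" */
        while ((err = SSL_sendfile(serverssl,
                    ffd,
                    chunk_off,
                    chunk_size,
                    0))
            != chunk_size) {
            if (!TEST_int_eq(SSL_get_error(serverssl, err),
                    SSL_ERROR_WANT_WRITE))
                goto end;
        }
        while ((err = SSL_read(clientssl,
                    buf_dst + chunk_off,
                    chunk_size))
            != chunk_size) {
            if (!TEST_int_eq(SSL_get_error(clientssl, err),
                    SSL_ERROR_WANT_READ))
                goto end;
        }

        /* verify the payload */
        if (!TEST_mem_eq(buf_dst + chunk_off,
                chunk_size,
                buf + chunk_off,
                chunk_size))
            goto end;

        chunk_off += chunk_size;
    }

    testresult = 1;
end:
    if (clientssl) {
        SSL_shutdown(clientssl);
        SSL_free(clientssl);
    }
    if (serverssl) {
        SSL_shutdown(serverssl);
        SSL_free(serverssl);
    }
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    BIO_free(out);
    /* ffd belongs to this BIO's FILE; it is not closed separately */
    BIO_free(in);
    if (cfd != -1)
        close(cfd);
    if (sfd != -1)
        close(sfd);
    OPENSSL_free(buf);
    OPENSSL_free(buf_dst);
    return testresult;
}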
1453 
1454 #ifndef OSSL_NO_USABLE_TLS1_3
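/*
 * Test kTLS with SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER: retry SSL_write() after
 * SSL_ERROR_WANT_WRITE using a different buffer pointer (same content) and
 * verify that the data arrives intact.
 *
 * The first buffer is freed before the retry, so the retry must not touch the
 * pointer passed to the first call; a stale access there is the kind of fault
 * a memory checker would report.
 *
 * Returns 1 on success, 0 on failure, or the TEST_skip() result when kTLS
 * send is not available.
 */
static int test_ktls_moving_write_buffer(void)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    BIO *bio_retry = NULL, *bio_orig = NULL;
    int testresult = 0, cfd = -1, sfd = -1;
    unsigned char *buf_orig = NULL, *buf_retry = NULL;
    unsigned char outbuf[1024];
    const size_t bufsz = sizeof(outbuf);
    size_t written, readbytes, totread = 0, i;

    /* kTLS requires real sockets */
    if (!TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
        goto end;

    /* Skip if the kernel does not support kTLS */
    if (!ktls_chk_platform(cfd)) {
        testresult = TEST_skip("Kernel does not support KTLS");
        goto end;
    }

    if (!TEST_true(create_ssl_ctx_pair(libctx,
            TLS_server_method(), TLS_client_method(),
            TLS1_3_VERSION, TLS1_3_VERSION,
            &sctx, &cctx, cert, privkey)))
        goto end;

    if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_128_GCM_SHA256"))
        || !TEST_true(SSL_CTX_set_ciphersuites(sctx, "TLS_AES_128_GCM_SHA256")))
        goto end;

    if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
            &clientssl, sfd, cfd)))
        goto end;

    /* Enable kTLS on the writing side (client) */
    if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
        goto end;

    SSL_set_mode(clientssl, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
    SSL_set_mode(clientssl, SSL_MODE_ENABLE_PARTIAL_WRITE);

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /*
     * Take our own reference on the real write BIO: it is about to be swapped
     * out of the SSL object and has to survive until it is put back.
     */
    bio_orig = SSL_get_wbio(clientssl);
    if (!TEST_ptr(bio_orig) || !TEST_true(BIO_up_ref(bio_orig))) {
        /* no reference was taken, so the cleanup must not drop one */
        bio_orig = NULL;
        goto end;
    }

    /* Skip if kTLS TX was not activated for this cipher */
    if (!BIO_get_ktls_send(bio_orig)) {
        testresult = TEST_skip("kTLS send not supported");
        goto end;
    }

    /* Swap write BIO to force WANT_WRITE */
    bio_retry = BIO_new(bio_s_always_retry());
    if (!TEST_ptr(bio_retry))
        goto end;

    SSL_set0_wbio(clientssl, bio_retry);
    bio_retry = NULL; /* ownership transferred to clientssl */

    /* Allocate two buffers with identical content but different addresses */
    buf_orig = OPENSSL_malloc(bufsz);
    buf_retry = OPENSSL_malloc(bufsz);
    if (!TEST_ptr(buf_orig) || !TEST_ptr(buf_retry))
        goto end;

    for (i = 0; i < bufsz; i++)
        buf_orig[i] = buf_retry[i] = (unsigned char)(i & 0xff);

    /* First write attempt - will fail with WANT_WRITE */
    if (!TEST_false(SSL_write_ex(clientssl, buf_orig, bufsz, &written))
        || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_WRITE))
        goto end;

    /* Restore the real socket BIO so the retry can actually send data */
    SSL_set0_wbio(clientssl, bio_orig);
    bio_orig = NULL;

    /*
     * Poison and free the original buffer. A compiler may drop the memset as
     * a dead store; the free is what makes a stale read detectable.
     */
    memset(buf_orig, 0xDE, bufsz);
    OPENSSL_free(buf_orig);
    buf_orig = NULL;

    /*
     * Retry with a different buffer pointer. Partial writes are enabled, so
     * also require that the whole buffer went out; otherwise the read loop
     * below would wait for bytes that were never sent.
     */
    if (!TEST_true(SSL_write_ex(clientssl, buf_retry, bufsz, &written))
        || !TEST_size_t_eq(written, bufsz))
        goto end;

    /* Read the data on the server side */
    totread = 0;
    while (totread < bufsz) {
        if (!SSL_read_ex(serverssl, outbuf + totread, bufsz - totread,
                &readbytes)) {
            if (!TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_READ))
                goto end;
        } else {
            totread += readbytes;
        }
    }

    /* Verify data integrity */
    if (!TEST_mem_eq(buf_retry, bufsz, outbuf, totread))
        goto end;

    testresult = 1;
end:
    OPENSSL_free(buf_orig);
    OPENSSL_free(buf_retry);
    if (clientssl != NULL) {
        SSL_shutdown(clientssl);
        SSL_free(clientssl);
    }
    if (serverssl != NULL) {
        SSL_shutdown(serverssl);
        SSL_free(serverssl);
    }
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    /* non-NULL only if we still hold the extra reference taken above */
    BIO_free_all(bio_orig);
    if (cfd != -1)
        close(cfd);
    if (sfd != -1)
        close(sfd);
    return testresult;
}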
1590 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) */
1591 
/*
 * One protocol-version / cipher pair exercised by the kTLS tests. For
 * TLS1_3_VERSION entries the string is a TLSv1.3 ciphersuite name, otherwise
 * a cipher-list string.
 */
struct ktls_test_cipher {
    int tls_version;
    const char *cipher;
};

/*
 * An entry is compiled in only when the matching OPENSSL_KTLS_* macro is
 * defined and the protocol version is available in this build.
 */
static struct ktls_test_cipher ktls_test_ciphers[] = {
#if !defined(OPENSSL_NO_TLS1_2)
#ifdef OPENSSL_KTLS_AES_GCM_128
    { TLS1_2_VERSION, "AES128-GCM-SHA256" },
#endif
#ifdef OPENSSL_KTLS_AES_CCM_128
    { TLS1_2_VERSION, "AES128-CCM" },
#endif
#ifdef OPENSSL_KTLS_AES_GCM_256
    { TLS1_2_VERSION, "AES256-GCM-SHA384" },
#endif
#if defined(OPENSSL_KTLS_CHACHA20_POLY1305) && !defined(OPENSSL_NO_EC)
    { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305" },
#endif
#endif /* !defined(OPENSSL_NO_TLS1_2) */
#if !defined(OSSL_NO_USABLE_TLS1_3)
#ifdef OPENSSL_KTLS_AES_GCM_128
    { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
#endif
#ifdef OPENSSL_KTLS_AES_CCM_128
    { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
#endif
#ifdef OPENSSL_KTLS_AES_GCM_256
    { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
#endif
#ifdef OPENSSL_KTLS_CHACHA20_POLY1305
    { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
#endif
#endif /* !defined(OSSL_NO_USABLE_TLS1_3) */
};

/* Number of entries in ktls_test_ciphers */
#define NUM_KTLS_TEST_CIPHERS OSSL_NELEM(ktls_test_ciphers)
1629 
/*
 * Indexed kTLS test. The index is decoded as:
 *   test / 4 - entry in ktls_test_ciphers
 *   bit 0    - enable kTLS on the client
 *   bit 1    - enable kTLS on the server
 *
 * Aborts via OPENSSL_assert() if the cipher index is past the table.
 */
static int test_ktls(int test)
{
    const int idx = test / 4;
    const int client_ktls = (test & 1) != 0;
    const int server_ktls = (test & 2) != 0;
    struct ktls_test_cipher *entry;

    OPENSSL_assert(idx < (int)NUM_KTLS_TEST_CIPHERS);
    entry = &ktls_test_ciphers[idx];

    return execute_test_ktls(client_ktls, server_ktls, entry->tls_version,
        entry->cipher);
}
1644 
/*
 * Indexed kTLS sendfile test. The index is decoded as:
 *   test >> 1 - entry in ktls_test_ciphers
 *   bit 0     - passed on as the zerocopy flag
 *
 * Aborts via OPENSSL_assert() if the cipher index is past the table.
 */
static int test_ktls_sendfile(int test)
{
    const int idx = test >> 1;
    const int zerocopy = test & 1;
    struct ktls_test_cipher *entry;

    OPENSSL_assert(idx < (int)NUM_KTLS_TEST_CIPHERS);
    entry = &ktls_test_ciphers[idx];

    return execute_test_ktls_sendfile(entry->tls_version, entry->cipher,
        zerocopy);
}
1656 #endif
1657 
/*
 * Large-message handshake over TLS: minimum version TLS1_VERSION, maximum
 * version passed as 0, read-ahead off.
 */
static int test_large_message_tls(void)
{
    const SSL_METHOD *smeth = TLS_server_method();
    const SSL_METHOD *cmeth = TLS_client_method();

    return execute_test_large_message(smeth, cmeth, TLS1_VERSION, 0, 0);
}
1663 
/*
 * Large-message handshake over TLS with read-ahead enabled on the client:
 * minimum version TLS1_VERSION, maximum version passed as 0.
 */
static int test_large_message_tls_read_ahead(void)
{
    const SSL_METHOD *smeth = TLS_server_method();
    const SSL_METHOD *cmeth = TLS_client_method();

    return execute_test_large_message(smeth, cmeth, TLS1_VERSION, 0, 1);
}
1669 
1670 #ifndef OPENSSL_NO_DTLS
/*
 * Large-message handshake over DTLS: minimum version DTLS1_VERSION, maximum
 * version passed as 0. When DTLS1.2 is compiled out and the FIPS provider is
 * in use the test reports success without running.
 */
static int test_large_message_dtls(void)
{
    const SSL_METHOD *smeth, *cmeth;

#ifdef OPENSSL_NO_DTLS1_2
    /* Not supported in the FIPS provider */
    if (is_fips)
        return 1;
#endif
    smeth = DTLS_server_method();
    cmeth = DTLS_client_method();

    /*
     * read_ahead stays 0: DTLS always behaves as if read_ahead were set, so
     * there is no separate case to test.
     */
    return execute_test_large_message(smeth, cmeth, DTLS1_VERSION, 0, 0);
}
1686 #endif
1687 
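/*
 * Test we can successfully send the maximum amount of application data. We
 * test each protocol version individually, each with and without EtM enabled.
 * TLSv1.3 doesn't use EtM so technically it is redundant to test both but it is
 * simpler this way. We also test all combinations with and without the
 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option which affects the size of the
 * underlying buffer.
 *
 * Encoding of tst: (tst >> 2) selects the protocol (0 = TLSv1.3, 1 = TLSv1.2,
 * 2 = TLSv1.1, 3 = TLSv1.0, 4 = SSLv3, 5 = DTLSv1.2, 6 = DTLSv1), bit 1 sets
 * SSL_OP_NO_ENCRYPT_THEN_MAC and bit 0 sets SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS,
 * in both cases on both endpoints.
 *
 * Returns 1 on success, 0 on failure, or the value of TEST_skip() when the
 * selected protocol is not available in this build or provider.
 */
static int test_large_app_data(int tst)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0, prot;
    /* Both start as NULL so the cleanup label is safe from any goto */
    unsigned char *msg = NULL, *buf = NULL;
    size_t written, readbytes;
    const SSL_METHOD *smeth = TLS_server_method();
    const SSL_METHOD *cmeth = TLS_client_method();

    switch (tst >> 2) {
    case 0:
#ifndef OSSL_NO_USABLE_TLS1_3
        prot = TLS1_3_VERSION;
        break;
#else
        return TEST_skip("TLS 1.3 not supported");
#endif

    case 1:
#ifndef OPENSSL_NO_TLS1_2
        prot = TLS1_2_VERSION;
        break;
#else
        return TEST_skip("TLS 1.2 not supported");
#endif

    case 2:
#ifndef OPENSSL_NO_TLS1_1
        prot = TLS1_1_VERSION;
        break;
#else
        return TEST_skip("TLS 1.1 not supported");
#endif

    case 3:
#ifndef OPENSSL_NO_TLS1
        prot = TLS1_VERSION;
        break;
#else
        return TEST_skip("TLS 1 not supported");
#endif

    case 4:
#ifndef OPENSSL_NO_SSL3
        prot = SSL3_VERSION;
        break;
#else
        return TEST_skip("SSL 3 not supported");
#endif

    case 5:
#ifndef OPENSSL_NO_DTLS1_2
        prot = DTLS1_2_VERSION;
        smeth = DTLS_server_method();
        cmeth = DTLS_client_method();
        break;
#else
        return TEST_skip("DTLS 1.2 not supported");
#endif

    case 6:
#ifndef OPENSSL_NO_DTLS1
        if (is_fips)
            return TEST_skip("DTLS 1 not supported by FIPS provider");
        prot = DTLS1_VERSION;
        smeth = DTLS_server_method();
        cmeth = DTLS_client_method();
        break;
#else
        return TEST_skip("DTLS 1 not supported");
#endif

    default:
        /* Shouldn't happen */
        return 0;
    }

    if (is_fips && prot < TLS1_2_VERSION)
        return TEST_skip("TLS versions < 1.2 not supported by FIPS provider");

    /* Maximal sized message of zeros */
    msg = OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH);
    if (!TEST_ptr(msg))
        goto end;

    buf = OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH + 1);
    if (!TEST_ptr(buf))
        goto end;
    /* Set whole buffer to all bits set */
    memset(buf, 0xff, SSL3_RT_MAX_PLAIN_LENGTH + 1);

    if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, prot, prot,
            &sctx, &cctx, cert, privkey)))
        goto end;

    if (prot < TLS1_2_VERSION || prot == DTLS1_VERSION) {
        /*
         * Older protocol versions need SECLEVEL=0 due to SHA1 usage. This
         * lowers the security level for the test contexts only.
         */
        if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0"))
            || !TEST_true(SSL_CTX_set_cipher_list(sctx,
                "DEFAULT:@SECLEVEL=0")))
            goto end;
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
            &clientssl, NULL, NULL)))
        goto end;

    if ((tst & 1) != 0) {
        /* Setting this option gives us a minimally sized underlying buffer */
        if (!TEST_true(SSL_set_options(serverssl,
                SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
            || !TEST_true(SSL_set_options(clientssl,
                SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)))
            goto end;
    }

    if ((tst & 2) != 0) {
        /*
         * Setting this option means the MAC is added before encryption
         * giving us a larger record for the encryption process
         */
        if (!TEST_true(SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC))
            || !TEST_true(SSL_set_options(clientssl,
                SSL_OP_NO_ENCRYPT_THEN_MAC)))
            goto end;
    }

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    if (!TEST_true(SSL_write_ex(clientssl, msg, SSL3_RT_MAX_PLAIN_LENGTH,
            &written))
        || !TEST_size_t_eq(written, SSL3_RT_MAX_PLAIN_LENGTH))
        goto end;

    /* We provide a buffer slightly larger than what we are actually expecting */
    if (!TEST_true(SSL_read_ex(serverssl, buf, SSL3_RT_MAX_PLAIN_LENGTH + 1,
            &readbytes)))
        goto end;

    /* Lengths must match too, so an over-long read is caught here */
    if (!TEST_mem_eq(msg, written, buf, readbytes))
        goto end;

    /*
     * The byte after the largest possible plaintext was preset to 0xff and
     * the message is all zeros, so it doubles as a canary: it must be
     * untouched if the read stayed within the reported length.
     */
    if (!TEST_int_eq(buf[SSL3_RT_MAX_PLAIN_LENGTH], 0xff))
        goto end;

    testresult = 1;
end:
    OPENSSL_free(msg);
    OPENSSL_free(buf);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}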
1850 
1851 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) \
1852     || !defined(OPENSSL_NO_DTLS)
/*
 * Check that a server with SSL_OP_CLEANSE_PLAINTEXT set zeroes the plaintext
 * held in its record layer once the application has taken it with SSL_read().
 *
 * smeth, cmeth           server and client methods for the context pair
 * min_version,
 * max_version            protocol bounds passed to create_ssl_ctx_pair()
 *
 * Returns 1 on success, 0 on failure.
 */
static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
    const SSL_METHOD *cmeth,
    int min_version, int max_version)
{
    /* 16000 bytes each; static so they do not live on the stack */
    static unsigned char cbuf[16000];
    static unsigned char sbuf[16000];

    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    SSL_CONNECTION *serversc;
    TLS_RECORD *rr;
    const unsigned char *zbuf;
    int testresult = 0;
    size_t i;

    if (!TEST_true(create_ssl_ctx_pair(libctx,
            smeth, cmeth,
            min_version, max_version,
            &sctx, &cctx, cert,
            privkey)))
        goto end;

#ifdef OPENSSL_NO_DTLS1_2
    if (smeth == DTLS_server_method()) {
        /* Not supported in the FIPS provider: report success without running */
        if (is_fips) {
            testresult = 1;
            goto end;
        }
        /*
         * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
         * level 0
         */
        if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
            goto end;
        if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
                "DEFAULT:@SECLEVEL=0")))
            goto end;
    }
#endif

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;

    /* Only the server, whose record layer is inspected below, gets the option */
    if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    /* Non-zero pattern, so that a later all-zero region is unambiguous */
    i = 0;
    while (i < sizeof(cbuf)) {
        cbuf[i] = i & 0xff;
        i++;
    }

    if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
        goto end;

    if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
        goto end;

    if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
        goto end;

    /*
     * SSL_peek() leaves the decrypted record in the record layer, so its
     * plaintext can be located now and examined again after SSL_read().
     */
    if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
        goto end;
    rr = serversc->rlayer.tlsrecs;

    zbuf = &rr->data[rr->off];
    if (!TEST_int_eq(rr->length, sizeof(cbuf)))
        goto end;

    /* Peeking must not have cleansed anything yet */
    if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
        goto end;

    memset(sbuf, 0, sizeof(sbuf));
    if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
        goto end;

    /* The application still receives the data intact */
    if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
        goto end;

    /*
     * Check if rbuf is cleansed: cbuf is reused as the all-zero reference.
     * NOTE(review): zbuf is read after SSL_read(); this assumes the record
     * layer keeps that buffer allocated once the record is consumed - confirm.
     */
    memset(cbuf, 0, sizeof(cbuf));
    if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
1958 #endif /*                                                                \
1959         * !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) \
1960         * || !defined(OPENSSL_NO_DTLS)                                   \
1961         */
1962 
/*
 * Run the SSL_OP_CLEANSE_PLAINTEXT check for every protocol family compiled
 * in: TLSv1.2, TLSv1.3 and DTLS. Stops at the first failing variant.
 * Returns 1 if all enabled variants pass, 0 otherwise.
 */
static int test_cleanse_plaintext(void)
{
    int passed = 1;

#if !defined(OPENSSL_NO_TLS1_2)
    passed = passed
        && TEST_true(execute_cleanse_plaintext(TLS_server_method(),
            TLS_client_method(),
            TLS1_2_VERSION,
            TLS1_2_VERSION));
#endif

#if !defined(OSSL_NO_USABLE_TLS1_3)
    passed = passed
        && TEST_true(execute_cleanse_plaintext(TLS_server_method(),
            TLS_client_method(),
            TLS1_3_VERSION,
            TLS1_3_VERSION));
#endif

#if !defined(OPENSSL_NO_DTLS)
    /* max_version 0: no upper bound is requested for DTLS */
    passed = passed
        && TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
            DTLS_client_method(),
            DTLS1_VERSION,
            0));
#endif

    return passed;
}
1992 
1993 #ifndef OPENSSL_NO_OCSP
/*
 * Server-side status callback: staples a copy of orespder to the handshake.
 *
 * arg points to an int mode. 1 staples unconditionally; 2 first requires
 * that the client sent exactly one OCSP_RESPID and that it matches ocspcert;
 * any other value fails the handshake.
 *
 * Returns SSL_TLSEXT_ERR_OK on success, SSL_TLSEXT_ERR_ALERT_FATAL otherwise.
 */
static int ocsp_server_cb(SSL *s, void *arg)
{
    const int mode = *(int *)arg;
    STACK_OF(OCSP_RESPID) *ids = NULL;
    OCSP_RESPID *id = NULL;
    unsigned char *copy = NULL;

    switch (mode) {
    case 1:
        break;

    case 2:
        /* In this test we are expecting exactly 1 OCSP_RESPID */
        SSL_get_tlsext_status_ids(s, &ids);
        if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
            return SSL_TLSEXT_ERR_ALERT_FATAL;

        id = sk_OCSP_RESPID_value(ids, 0);
        if (id == NULL)
            return SSL_TLSEXT_ERR_ALERT_FATAL;
        if (!OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
            return SSL_TLSEXT_ERR_ALERT_FATAL;
        break;

    default:
        return SSL_TLSEXT_ERR_ALERT_FATAL;
    }

    if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
        return SSL_TLSEXT_ERR_ALERT_FATAL;

    if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
            sizeof(orespder)))) {
        /* The copy is released here only when setting it failed */
        OPENSSL_free(copy);
        return SSL_TLSEXT_ERR_ALERT_FATAL;
    }

    ocsp_server_called = 1;
    return SSL_TLSEXT_ERR_OK;
}
2025 
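/*
 * Client-side status callback: accepts the handshake only if the stapled
 * OCSP response is byte-for-byte the expected orespder blob.
 *
 * arg points to an int mode; only modes 1 and 2 are accepted.
 *
 * Returns 1 to accept the response, 0 to reject it.
 */
static int ocsp_client_cb(SSL *s, void *arg)
{
    int *argi = (int *)arg;
    const unsigned char *respderin = NULL;
    long len;

    if (*argi != 1 && *argi != 2)
        return 0;

    /*
     * SSL_get_tlsext_status_ocsp_resp() returns -1 when no response was
     * received, so keep the signed result and require a positive length
     * before using it as a size.
     */
    len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
    if (!TEST_long_gt(len, 0))
        return 0;

    /*
     * Compare against the full expected length rather than the received
     * one: using the peer-supplied length on both sides would accept an
     * empty or truncated response and could read past the end of orespder
     * for an over-long one.
     */
    if (!TEST_mem_eq(orespder, sizeof(orespder), respderin, (size_t)len))
        return 0;

    ocsp_client_called = 1;
    return 1;
}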
2042 
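/*
 * Test the status_request (OCSP stapling) API: first the getters and setters
 * for the status type on SSL_CTX and SSL, then three handshakes in which the
 * status callbacks succeed, fail on the server side, and succeed with a
 * client-supplied OCSP_RESPID.
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_tlsext_status_type(void)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    STACK_OF(OCSP_RESPID) *ids = NULL;
    OCSP_RESPID *id = NULL;
    BIO *certbio = NULL;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            TLS1_VERSION, 0,
            &sctx, &cctx, cert, privkey)))
        return 0;

    /* A fresh context has no status type configured */
    if (!TEST_int_eq(SSL_CTX_get_tlsext_status_type(cctx), -1))
        goto end;

    /* First just do various checks getting and setting tlsext_status_type */

    clientssl = SSL_new(cctx);
    if (!TEST_ptr(clientssl))
        goto end;
    if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
        || !TEST_true(SSL_set_tlsext_status_type(clientssl,
            TLSEXT_STATUSTYPE_ocsp))
        || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
            TLSEXT_STATUSTYPE_ocsp))
        goto end;

    SSL_free(clientssl);
    clientssl = NULL;

    if (!TEST_true(SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp))
        || !TEST_int_eq(SSL_CTX_get_tlsext_status_type(cctx),
            TLSEXT_STATUSTYPE_ocsp))
        goto end;

    /* An SSL created from the context inherits the status type */
    clientssl = SSL_new(cctx);
    if (!TEST_ptr(clientssl))
        goto end;
    if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
            TLSEXT_STATUSTYPE_ocsp))
        goto end;
    SSL_free(clientssl);
    clientssl = NULL;

    /*
     * Now actually do a handshake and check OCSP information is exchanged and
     * the callbacks get called. The flags are cleared first so that values
     * left over from an earlier run cannot satisfy the checks below.
     * NOTE(review): cdummyarg is used as found on entry; the callbacks accept
     * only 1 or 2, so this presumably relies on its file-scope initialiser -
     * confirm.
     */
    ocsp_client_called = 0;
    ocsp_server_called = 0;
    SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
    SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
    SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
    SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
            &clientssl, NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE))
        || !TEST_true(ocsp_client_called)
        || !TEST_true(ocsp_server_called))
        goto end;
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = NULL;
    clientssl = NULL;

    /* Try again but this time force the server side callback to fail */
    ocsp_client_called = 0;
    ocsp_server_called = 0;
    cdummyarg = 0;
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
            &clientssl, NULL, NULL))
        /* This should fail because the callback will fail */
        || !TEST_false(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE))
        || !TEST_false(ocsp_client_called)
        || !TEST_false(ocsp_server_called))
        goto end;
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = NULL;
    clientssl = NULL;

    /*
     * This time we'll get the client to send an OCSP_RESPID that it will
     * accept.
     */
    ocsp_client_called = 0;
    ocsp_server_called = 0;
    cdummyarg = 2;
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
            &clientssl, NULL, NULL)))
        goto end;

    /*
     * We'll just use any old cert for this test - it doesn't have to be an OCSP
     * specific one. We'll use the server cert.
     */
    if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
        || !TEST_ptr(id = OCSP_RESPID_new())
        || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
        || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
        || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
        || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
        || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
        goto end;
    /* The stack now owns id; drop our pointer so cleanup cannot free it twice */
    id = NULL;
    SSL_set_tlsext_status_ids(clientssl, ids);
    /* Control has been transferred */
    ids = NULL;

    BIO_free(certbio);
    certbio = NULL;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE))
        || !TEST_true(ocsp_client_called)
        || !TEST_true(ocsp_server_called))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
    OCSP_RESPID_free(id);
    BIO_free(certbio);
    /* ocspcert is file-scope: clear it so no stale pointer survives the test */
    X509_free(ocspcert);
    ocspcert = NULL;

    return testresult;
}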
2176 #endif
2177 
2178 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
/* Invocation counters bumped by the session cache callbacks below */
static int new_called;
static int remove_called;
static int get_called;
2180 
/*
 * New-session callback that only counts invocations. Always returns 1.
 */
static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
{
    /*
     * The reference handed to us in sess is ours to release; the test has
     * no use for the session, so drop it straight away.
     */
    SSL_SESSION_free(sess);
    new_called += 1;

    return 1;
}
2191 
/* Remove-session callback that only counts invocations; sess is not touched. */
static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
{
    remove_called += 1;
}
2196 
/* Session that get_session_cb() hands back; NULL means "not found" */
static SSL_SESSION *get_sess_val = NULL;

/*
 * Get-session callback: counts the lookup and returns get_sess_val whatever
 * id was asked for. *copy is set to 1 on every call.
 */
static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
    int *copy)
{
    *copy = 1;
    get_called += 1;

    return get_sess_val;
}
2206 
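/*
 * Exercise client-side and then server-side session caching for one protocol
 * version, checking cache contents and callback counts after each step.
 *
 * maxprot        protocol version the client is pinned to (min and max)
 * use_int_cache  non-zero to use the library's internal session store
 * use_ext_cache  non-zero to register the counting new/remove (and, on the
 *                server, get) session callbacks
 * s_options      extra SSL_CTX options for the server context, or 0 for none
 *
 * Returns 1 on success, 0 on failure.
 */
static int execute_test_session(int maxprot, int use_int_cache,
    int use_ext_cache, long s_options)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl1 = NULL, *clientssl1 = NULL;
    SSL *serverssl2 = NULL, *clientssl2 = NULL;
#ifndef OPENSSL_NO_TLS1_1
    SSL *serverssl3 = NULL, *clientssl3 = NULL;
#endif
    SSL_SESSION *sess1 = NULL, *sess2 = NULL;
    int testresult = 0, numnewsesstick = 1;

    new_called = remove_called = 0;

    /* TLSv1.3 sends 2 NewSessionTickets */
    if (maxprot == TLS1_3_VERSION)
        numnewsesstick = 2;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_VERSION, 0,
            &sctx, &cctx, cert, privkey)))
        return 0;

    /*
     * Only allow the max protocol version so we can force a connection failure
     * later
     */
    SSL_CTX_set_min_proto_version(cctx, maxprot);
    SSL_CTX_set_max_proto_version(cctx, maxprot);

    /* Set up session cache */
    if (use_ext_cache) {
        SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
        SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
    }
    if (use_int_cache) {
        /* Also covers instance where both are set */
        SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
    } else {
        SSL_CTX_set_session_cache_mode(cctx,
            SSL_SESS_CACHE_CLIENT
                | SSL_SESS_CACHE_NO_INTERNAL_STORE);
    }

    if (s_options) {
        SSL_CTX_set_options(sctx, s_options);
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
            NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
            SSL_ERROR_NONE))
        || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
        goto end;

    /* Should fail because it should already be in the cache */
    if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
        goto end;
    if (use_ext_cache
        && (!TEST_int_eq(new_called, numnewsesstick)
            || !TEST_int_eq(remove_called, 0)))
        goto end;

    /* Second connection: resume with the session obtained above */
    new_called = remove_called = 0;
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
            &clientssl2, NULL, NULL))
        || !TEST_true(SSL_set_session(clientssl2, sess1))
        || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
            SSL_ERROR_NONE))
        || !TEST_true(SSL_session_reused(clientssl2)))
        goto end;

    if (maxprot == TLS1_3_VERSION) {
        /*
         * In TLSv1.3 we should have created a new session even though we have
         * resumed. Since we attempted a resume we should also have removed the
         * old ticket from the cache so that we try to only use tickets once.
         */
        if (use_ext_cache
            && (!TEST_int_eq(new_called, 1)
                || !TEST_int_eq(remove_called, 1)))
            goto end;
    } else {
        /*
         * In TLSv1.2 we expect to have resumed so no sessions added or
         * removed.
         */
        if (use_ext_cache
            && (!TEST_int_eq(new_called, 0)
                || !TEST_int_eq(remove_called, 0)))
            goto end;
    }

    /* Swap our reference for the session of the resumed connection */
    SSL_SESSION_free(sess1);
    if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
        goto end;
    shutdown_ssl_connection(serverssl2, clientssl2);
    serverssl2 = clientssl2 = NULL;

    /* Third connection: a full handshake that yields a second session */
    new_called = remove_called = 0;
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
            &clientssl2, NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
            SSL_ERROR_NONE)))
        goto end;

    if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
        goto end;

    if (use_ext_cache
        && (!TEST_int_eq(new_called, numnewsesstick)
            || !TEST_int_eq(remove_called, 0)))
        goto end;

    new_called = remove_called = 0;
    /*
     * This should clear sess2 from the cache because it is a "bad" session.
     * See SSL_set_session() documentation.
     */
    if (!TEST_true(SSL_set_session(clientssl2, sess1)))
        goto end;
    if (use_ext_cache
        && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
        goto end;
    if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
        goto end;

    if (use_int_cache) {
        /* Should succeed because it should not already be in the cache */
        if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
            || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
            goto end;
    }

    new_called = remove_called = 0;
    /* This shouldn't be in the cache so should fail */
    if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
        goto end;

    if (use_ext_cache
        && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
        goto end;

#if !defined(OPENSSL_NO_TLS1_1)
    new_called = remove_called = 0;
    /* Force a connection failure */
    SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
            &clientssl3, NULL, NULL))
        || !TEST_true(SSL_set_session(clientssl3, sess1))
        /* This should fail because of the mismatched protocol versions */
        || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
            SSL_ERROR_NONE)))
        goto end;

    /* We should have automatically removed the session from the cache */
    if (use_ext_cache
        && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
        goto end;

    /* Should succeed because it should not already be in the cache */
    if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
        goto end;
#endif

    /* Now do some tests for server side caching */
    if (use_ext_cache) {
        SSL_CTX_sess_set_new_cb(cctx, NULL);
        SSL_CTX_sess_set_remove_cb(cctx, NULL);
        SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
        SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
        SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
        get_sess_val = NULL;
    }

    SSL_CTX_set_session_cache_mode(cctx, 0);
    /* Internal caching is the default on the server side */
    if (!use_int_cache)
        SSL_CTX_set_session_cache_mode(sctx,
            SSL_SESS_CACHE_SERVER
                | SSL_SESS_CACHE_NO_INTERNAL_STORE);

    /* Drop everything from the client-side phase before starting again */
    SSL_free(serverssl1);
    SSL_free(clientssl1);
    serverssl1 = clientssl1 = NULL;
    SSL_free(serverssl2);
    SSL_free(clientssl2);
    serverssl2 = clientssl2 = NULL;
    SSL_SESSION_free(sess1);
    sess1 = NULL;
    SSL_SESSION_free(sess2);
    sess2 = NULL;

    SSL_CTX_set_max_proto_version(sctx, maxprot);
    if (maxprot == TLS1_2_VERSION)
        SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
    new_called = remove_called = get_called = 0;
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
            NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
            SSL_ERROR_NONE))
        || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
        || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
        goto end;

    if (use_int_cache) {
        if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
            /*
             * In TLSv1.3 it should not have been added to the internal cache,
             * except in the case where we also have an external cache (in that
             * case it gets added to the cache in order to generate remove
             * events after timeout).
             */
            if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
                goto end;
        } else {
            /* Should fail because it should already be in the cache */
            if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
                goto end;
        }
    }

    if (use_ext_cache) {
        SSL_SESSION *tmp = sess2;

        if (!TEST_int_eq(new_called, numnewsesstick)
            || !TEST_int_eq(remove_called, 0)
            || !TEST_int_eq(get_called, 0))
            goto end;
        /*
         * Delete the session from the internal cache to force a lookup from
         * the external cache. We take a copy first because
         * SSL_CTX_remove_session() also marks the session as non-resumable.
         */
        if (use_int_cache && maxprot != TLS1_3_VERSION) {
            if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
                || !TEST_true(sess2->owner != NULL)
                || !TEST_true(tmp->owner == NULL)
                || !TEST_true(SSL_CTX_remove_session(sctx, sess2))) {
                /*
                 * sess2 still names the original session, which the cleanup
                 * label frees; the duplicate (NULL if the dup itself failed)
                 * has no other owner and must be released here.
                 */
                SSL_SESSION_free(tmp);
                goto end;
            }
            SSL_SESSION_free(sess2);
        }
        sess2 = tmp;
    }

    new_called = remove_called = get_called = 0;
    /* From here on get_session_cb() returns sess2 for any lookup */
    get_sess_val = sess2;
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
            &clientssl2, NULL, NULL))
        || !TEST_true(SSL_set_session(clientssl2, sess1))
        || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
            SSL_ERROR_NONE))
        || !TEST_true(SSL_session_reused(clientssl2)))
        goto end;

    if (use_ext_cache) {
        if (!TEST_int_eq(remove_called, 0))
            goto end;

        if (maxprot == TLS1_3_VERSION) {
            if (!TEST_int_eq(new_called, 1)
                || !TEST_int_eq(get_called, 0))
                goto end;
        } else {
            if (!TEST_int_eq(new_called, 0)
                || !TEST_int_eq(get_called, 1))
                goto end;
        }
    }
    /*
     * Make a small cache, force out all other sessions but
     * sess2, try to add sess1, which should succeed. Then
     * make sure it's there by checking the owners. Despite
     * the timeouts, sess1 should have kicked out sess2
     */

    /* Make sess1 expire before sess2 */
    if (!TEST_time_t_gt(SSL_SESSION_set_time_ex(sess1, 1000), 0)
        || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0)
        || !TEST_time_t_gt(SSL_SESSION_set_time_ex(sess2, 2000), 0)
        || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0))
        goto end;

    if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0))
        goto end;

    /* Don't care about results - cache should only be sess2 at end */
    SSL_CTX_add_session(sctx, sess1);
    SSL_CTX_add_session(sctx, sess2);

    /* Now add sess1, and make sure it remains, despite timeout */
    if (!TEST_true(SSL_CTX_add_session(sctx, sess1))
        || !TEST_ptr(sess1->owner)
        || !TEST_ptr_null(sess2->owner))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl1);
    SSL_free(clientssl1);
    SSL_free(serverssl2);
    SSL_free(clientssl2);
#ifndef OPENSSL_NO_TLS1_1
    SSL_free(serverssl3);
    SSL_free(clientssl3);
#endif
    SSL_SESSION_free(sess1);
    SSL_SESSION_free(sess2);
    /*
     * get_sess_val may still point at the session just released; clear it so
     * the file-scope pointer cannot be handed out after this function returns.
     */
    get_sess_val = NULL;
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}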
2522 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2523 
/*
 * Session tests using only the internal cache, for TLSv1.3 and then TLSv1.2
 * where each is available. Returns 1 on success, 0 on failure.
 */
static int test_session_with_only_int_cache(void)
{
    int result = 1;

#ifndef OSSL_NO_USABLE_TLS1_3
    if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
        result = 0;
#endif

#ifndef OPENSSL_NO_TLS1_2
    /* Only reached when the TLSv1.3 pass, if any, succeeded */
    if (result)
        result = execute_test_session(TLS1_2_VERSION, 1, 0, 0);
#endif

    return result;
}
2537 
/*
 * Session tests using only the external (callback) cache, for TLSv1.3 and
 * then TLSv1.2 where each is available. Returns 1 on success, 0 on failure.
 */
static int test_session_with_only_ext_cache(void)
{
    int result = 1;

#ifndef OSSL_NO_USABLE_TLS1_3
    if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
        result = 0;
#endif

#ifndef OPENSSL_NO_TLS1_2
    /* Only reached when the TLSv1.3 pass, if any, succeeded */
    if (result)
        result = execute_test_session(TLS1_2_VERSION, 0, 1, 0);
#endif

    return result;
}
2551 
/*
 * Session tests with the internal and the external cache both enabled, for
 * TLSv1.3 and then TLSv1.2 where each is available. Returns 1 on success,
 * 0 on failure.
 */
static int test_session_with_both_cache(void)
{
    int result = 1;

#ifndef OSSL_NO_USABLE_TLS1_3
    if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
        result = 0;
#endif

#ifndef OPENSSL_NO_TLS1_2
    /* Only reached when the TLSv1.3 pass, if any, succeeded */
    if (result)
        result = execute_test_session(TLS1_2_VERSION, 1, 1, 0);
#endif

    return result;
}
2565 
/*
 * Internal-cache session tests with SSL_OP_DISABLE_TLSEXT_CA_NAMES set on the
 * server context, for TLSv1.3 and then TLSv1.2 where each is available.
 * Returns 1 on success, 0 on failure.
 */
static int test_session_wo_ca_names(void)
{
    int result = 1;

#ifndef OSSL_NO_USABLE_TLS1_3
    if (!execute_test_session(TLS1_3_VERSION, 1, 0,
            SSL_OP_DISABLE_TLSEXT_CA_NAMES))
        result = 0;
#endif

#ifndef OPENSSL_NO_TLS1_2
    /* Only reached when the TLSv1.3 pass, if any, succeeded */
    if (result)
        result = execute_test_session(TLS1_2_VERSION, 1, 0,
            SSL_OP_DISABLE_TLSEXT_CA_NAMES);
#endif

    return result;
}
2579 
2580 #ifndef OSSL_NO_USABLE_TLS1_3
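/* Sessions captured by new_cachesession_cb(), indexed by arrival order */
static SSL_SESSION *sesscache[6];
/* Non-zero: keep new sessions in sesscache; zero: just count and free them */
static int do_cache;

/*
 * New-session callback for the ticket tests. Counts every call in new_called
 * and, while do_cache is set, stores the session at that index in sesscache.
 * Always returns 1, so the reference passed in sess is ours to keep or free.
 */
static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
{
    const int nslots = (int)(sizeof(sesscache) / sizeof(sesscache[0]));

    /*
     * The index is driven by how many tickets the peer sends, so it is
     * bounds-checked: a session beyond the array's capacity is released
     * instead of being written past the end of sesscache.
     */
    if (do_cache && new_called >= 0 && new_called < nslots) {
        sesscache[new_called] = sess;
    } else {
        /* We don't need the reference to the session, so free it */
        SSL_SESSION_free(sess);
    }
    /* Still counted, so count-based assertions notice an unexpected ticket */
    new_called++;

    return 1;
}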
2596 
/*
 * Have the server sssl request client authentication after the handshake and
 * drive both ends until the exchange has completed.
 * Returns 1 on success, 0 on failure.
 */
static int post_handshake_verify(SSL *sssl, SSL *cssl)
{
    SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);

    if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
        return 0;

    /* Start handshake on the server and client */
    if (!TEST_int_eq(SSL_do_handshake(sssl), 1))
        return 0;
    /* Zero-length reads on each side; neither is expected to return data */
    if (!TEST_int_le(SSL_read(cssl, NULL, 0), 0))
        return 0;
    if (!TEST_int_le(SSL_read(sssl, NULL, 0), 0))
        return 0;
    if (!TEST_true(create_ssl_connection(sssl, cssl,
            SSL_ERROR_NONE)))
        return 0;

    return 1;
}
2613 
/*
 * Create the context pair used by the ticket tests.
 *
 * stateful  non-zero sets SSL_OP_NO_TICKET on the server context
 * idx       number of tickets the server context is configured to issue
 * sctx,
 * cctx      receive the new server and client contexts
 *
 * The client context caches externally only, through new_cachesession_cb().
 * Returns 1 on success, 0 on failure.
 */
static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
    SSL_CTX **cctx)
{
    int sess_id_ctx = 1;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_VERSION, 0,
            sctx, cctx, cert, privkey)))
        return 0;
    if (!TEST_true(SSL_CTX_set_num_tickets(*sctx, idx)))
        return 0;
    /* The bytes of the local int serve as the session id context value */
    if (!TEST_true(SSL_CTX_set_session_id_context(*sctx,
            (void *)&sess_id_ctx,
            sizeof(sess_id_ctx))))
        return 0;

    if (stateful)
        SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);

    SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
    SSL_CTX_set_session_cache_mode(*cctx,
        SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL_STORE);

    return 1;
}
2636 
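/*
 * Attempt a resumption with each of the first idx * 2 sessions held in
 * sesscache, releasing each session once it has been used.
 *
 * idx   number of tickets per handshake; idx * 2 cache entries are consumed
 * sctx,
 * cctx  server and client contexts for the new connections
 * succ  non-zero if resumption is expected to succeed, zero if it is expected
 *       to fall back to a full handshake
 *
 * Returns 1 on success, 0 on failure. On failure the sessions not yet
 * consumed are left in sesscache.
 */
static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
{
    SSL *serverssl = NULL, *clientssl = NULL;
    const int nslots = (int)(sizeof(sesscache) / sizeof(sesscache[0]));
    int i;

    /* The loop below indexes sesscache up to idx * 2 - 1; keep that in range */
    if (!TEST_int_le(idx, nslots / 2))
        return 0;

    /* Test that we can resume with all the tickets we got given */
    for (i = 0; i < idx * 2; i++) {
        new_called = 0;
        if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                &clientssl, NULL, NULL))
            || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
            goto end;

        /* Needed so the post-handshake authentication below is possible */
        SSL_set_post_handshake_auth(clientssl, 1);

        if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                SSL_ERROR_NONE)))
            goto end;

        /*
         * Following a successful resumption we only get 1 ticket. After a
         * failed one we should get idx tickets.
         */
        if (succ) {
            if (!TEST_true(SSL_session_reused(clientssl))
                || !TEST_int_eq(new_called, 1))
                goto end;
        } else {
            if (!TEST_false(SSL_session_reused(clientssl))
                || !TEST_int_eq(new_called, idx))
                goto end;
        }

        new_called = 0;
        /* After a post-handshake authentication we should get 1 new ticket */
        if (succ
            && (!post_handshake_verify(serverssl, clientssl)
                || !TEST_int_eq(new_called, 1)))
            goto end;

        SSL_shutdown(clientssl);
        SSL_shutdown(serverssl);
        SSL_free(serverssl);
        SSL_free(clientssl);
        serverssl = clientssl = NULL;
        /* Clear the slot so the released session cannot be used again */
        SSL_SESSION_free(sesscache[i]);
        sesscache[i] = NULL;
    }

    return 1;

end:
    SSL_free(clientssl);
    SSL_free(serverssl);
    return 0;
}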
2693 
/*
 * Check ticket issuance and resumption for a given ticket count.
 *
 * stateful: passed to setup_ticket_test() (non-zero sets SSL_OP_NO_TICKET).
 * idx:      the test number, which is also the number of tickets requested.
 *
 * Phases:
 *   1. Full handshake; expect idx tickets and cache them.
 *   2. New SSL_CTX pair; the cached tickets must NOT resume there.
 *   3. New SSL_CTX pair again; handshake plus post-handshake auth must give
 *      idx * 2 tickets, all of which must then resume on the same contexts.
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_tickets(int stateful, int idx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    int testresult = 0;
    size_t j;

    /* Phase 1: count and cache the tickets from a fresh handshake */
    new_called = 0;
    do_cache = 1;

    if (!setup_ticket_test(stateful, idx, &sctx, &cctx)
        || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
            &clientssl, NULL, NULL)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;
    /* Check we got the number of tickets we were expecting */
    if (!TEST_int_eq(idx, new_called))
        goto end;

    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    sctx = cctx = NULL;

    /*
     * Phase 2: the tickets were issued under the SSL_CTX we just freed, so a
     * brand new SSL_CTX is expected to refuse them and issue idx tickets of
     * its own. Sessions are only counted here, not cached.
     */
    do_cache = 0;

    if (!setup_ticket_test(stateful, idx, &sctx, &cctx)
        || !check_resumption(idx, sctx, cctx, 0))
        goto end;

    /* Phase 3: start again with caching sessions */
    new_called = 0;
    do_cache = 1;
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    sctx = cctx = NULL;

    if (!setup_ticket_test(stateful, idx, &sctx, &cctx)
        || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
            &clientssl, NULL, NULL)))
        goto end;

    SSL_set_post_handshake_auth(clientssl, 1);

    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;
    /* Check we got the number of tickets we were expecting */
    if (!TEST_int_eq(idx, new_called))
        goto end;

    /* After a post-handshake authentication we should get new tickets issued */
    if (!post_handshake_verify(serverssl, clientssl))
        goto end;
    if (!TEST_int_eq(idx * 2, new_called))
        goto end;

    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    /* Stop caching sessions - just count them */
    do_cache = 0;

    /*
     * The contexts that issued the tickets are still alive, so this time
     * every resumption is expected to succeed.
     */
    if (!check_resumption(idx, sctx, cctx, 1))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    /* Drop whatever is still cached so the next test starts clean */
    j = 0;
    while (j < OSSL_NELEM(sesscache)) {
        SSL_SESSION_free(sesscache[j]);
        sesscache[j] = NULL;
        j++;
    }
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
2800 
/* Run test_tickets() with stateful == 0; idx is the ticket count. */
static int test_stateless_tickets(int idx)
{
    const int stateful = 0;

    return test_tickets(stateful, idx);
}
2805 
/* Run test_tickets() with stateful == 1; idx is the ticket count. */
static int test_stateful_tickets(int idx)
{
    const int stateful = 1;

    return test_tickets(stateful, idx);
}
2810 
/*
 * Check that a handshake authenticated with an external PSK calls each PSK
 * session callback once and produces exactly one new session ticket.
 *
 * The context pair is created without a certificate or private key. Returns
 * 1 on success, 0 on failure.
 */
static int test_psk_tickets(void)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    int testresult = 0;
    int sess_id_ctx = 1;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_VERSION, 0,
            &sctx, &cctx, NULL, NULL)))
        goto end;
    if (!TEST_true(SSL_CTX_set_session_id_context(sctx,
            (void *)&sess_id_ctx,
            sizeof(sess_id_ctx))))
        goto end;

    SSL_CTX_set_session_cache_mode(cctx,
        SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL_STORE);
    SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
    SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
    SSL_CTX_sess_set_new_cb(cctx, new_session_cb);

    /* Reset the shared counters the callbacks update */
    use_session_cb_cnt = 0;
    find_session_cb_cnt = 0;
    new_called = 0;
    srvid = pskid;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;

    /*
     * Both ends share one SSL_SESSION object, so take a second reference:
     * the cleanup below frees clientpsk and serverpsk separately.
     */
    clientpsk = serverpsk = create_a_psk(clientssl, SHA384_DIGEST_LENGTH);
    if (!TEST_ptr(clientpsk))
        goto end;
    if (!TEST_true(SSL_SESSION_up_ref(clientpsk)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;
    if (!TEST_int_eq(1, find_session_cb_cnt)
        || !TEST_int_eq(1, use_session_cb_cnt))
        goto end;
    /* We should always get 1 ticket when using external PSK */
    if (!TEST_int_eq(1, new_called))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    SSL_SESSION_free(clientpsk);
    SSL_SESSION_free(serverpsk);
    clientpsk = serverpsk = NULL;

    return testresult;
}
2863 
/*
 * Check when tickets requested with SSL_new_session_ticket() are actually
 * sent: only once the server next writes (or runs its state machine), and
 * never in the middle of a write that is still being retried.
 *
 * idx 0..2 selects the ticket count with stateless tickets; idx 3..5 selects
 * the same counts with stateful == 1. new_session_cb is installed on both
 * contexts, so new_called counts each ticket twice (server and client).
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_extra_tickets(int idx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    BIO *bretry = BIO_new(bio_s_always_retry());
    BIO *tmp = NULL;
    int testresult = 0;
    int stateful;
    size_t nbytes;
    unsigned char c, buf[1];

    new_called = 0;
    do_cache = 1;

    stateful = (idx >= 3);
    if (stateful)
        idx -= 3;

    if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
        goto end;
    SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
    /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
    SSL_CTX_sess_set_new_cb(cctx, new_session_cb);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
            &clientssl, NULL, NULL)))
        goto end;

    /*
     * Note that we have new_session_cb on both sctx and cctx, so new_called is
     * incremented by both client and server.
     */
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;
    /* Check we got the number of tickets we were expecting */
    if (!TEST_int_eq(idx * 2, new_called))
        goto end;
    /* Requesting tickets only queues them: the count must not move yet */
    if (!TEST_true(SSL_new_session_ticket(serverssl))
        || !TEST_true(SSL_new_session_ticket(serverssl))
        || !TEST_int_eq(idx * 2, new_called))
        goto end;

    /* Now try a (real) write to actually send the tickets */
    c = '1';
    if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
        || !TEST_size_t_eq(1, nbytes)
        || !TEST_int_eq(idx * 2 + 2, new_called))
        goto end;
    if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
        || !TEST_int_eq(idx * 2 + 4, new_called)
        || !TEST_int_eq(sizeof(buf), nbytes)
        || !TEST_int_eq(c, buf[0])
        || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
        goto end;

    /* Try with only requesting one new ticket, too */
    c = '2';
    new_called = 0;
    if (!TEST_true(SSL_new_session_ticket(serverssl)))
        goto end;
    if (!TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
        || !TEST_size_t_eq(sizeof(c), nbytes)
        || !TEST_int_eq(1, new_called))
        goto end;
    if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
        || !TEST_int_eq(2, new_called)
        || !TEST_size_t_eq(sizeof(buf), nbytes)
        || !TEST_int_eq(c, buf[0]))
        goto end;

    /* Do it again but use dummy writes to drive the ticket generation */
    c = '3';
    new_called = 0;
    if (!TEST_true(SSL_new_session_ticket(serverssl))
        || !TEST_true(SSL_new_session_ticket(serverssl)))
        goto end;
    if (!TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
        || !TEST_size_t_eq(0, nbytes)
        || !TEST_int_eq(2, new_called))
        goto end;
    if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
        || !TEST_int_eq(4, new_called))
        goto end;

    /* Once more, but with SSL_do_handshake() to drive the ticket generation */
    c = '4';
    new_called = 0;
    if (!TEST_true(SSL_new_session_ticket(serverssl))
        || !TEST_true(SSL_new_session_ticket(serverssl)))
        goto end;
    if (!TEST_true(SSL_do_handshake(serverssl))
        || !TEST_int_eq(2, new_called))
        goto end;
    if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
        || !TEST_int_eq(4, new_called))
        goto end;

    /*
     * Use the always-retry BIO to exercise the logic that forces ticket
     * generation to wait until a record boundary.
     */
    c = '5';
    new_called = 0;
    tmp = SSL_get_wbio(serverssl);
    /* Keep our own reference: SSL_set0_wbio() below releases the SSL's one */
    if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
        tmp = NULL;
        goto end;
    }
    /* Ownership of bretry passes to the SSL; forget our pointer */
    SSL_set0_wbio(serverssl, bretry);
    bretry = NULL;
    if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
        || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
        || !TEST_size_t_eq(nbytes, 0))
        goto end;
    /* Restore a BIO that will let the write succeed */
    SSL_set0_wbio(serverssl, tmp);
    tmp = NULL;

    /*
     * These calls should just queue the request and not send anything
     * even if we explicitly try to hit the state machine.
     */
    if (!TEST_true(SSL_new_session_ticket(serverssl))
        || !TEST_true(SSL_new_session_ticket(serverssl))
        || !TEST_int_eq(0, new_called))
        goto end;
    if (!TEST_true(SSL_do_handshake(serverssl))
        || !TEST_int_eq(0, new_called))
        goto end;

    /* Re-do the write; still no tickets sent */
    if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
        || !TEST_size_t_eq(1, nbytes)
        || !TEST_int_eq(0, new_called))
        goto end;
    if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
        || !TEST_int_eq(0, new_called)
        || !TEST_int_eq(sizeof(buf), nbytes)
        || !TEST_int_eq(c, buf[0])
        || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
        goto end;

    /* Even trying to hit the state machine now will still not send tickets */
    if (!TEST_true(SSL_do_handshake(serverssl))
        || !TEST_int_eq(0, new_called))
        goto end;

    /* Now the *next* write should send the tickets */
    c = '6';
    if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
        || !TEST_size_t_eq(1, nbytes)
        || !TEST_int_eq(2, new_called))
        goto end;
    if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
        || !TEST_int_eq(4, new_called)
        || !TEST_int_eq(sizeof(buf), nbytes)
        || !TEST_int_eq(c, buf[0])
        || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
        goto end;

    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    testresult = 1;

end:
    /* bretry/tmp are non-NULL only while this function still owns them */
    BIO_free(bretry);
    BIO_free(tmp);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    clientssl = serverssl = NULL;
    sctx = cctx = NULL;
    return testresult;
}
3025 #endif
3026 
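/*
 * BIO selectors used by test_ssl_set_bio(): which BIO (if any) to pass to
 * SSL_set_bio(). USE_DEFAULT means "leave the BIOs the SSL object already
 * has"; setupbio() does not handle it.
 */
#define USE_NULL 0
#define USE_BIO_1 1
#define USE_BIO_2 2
#define USE_DEFAULT 3

/* What test_ssl_set_bio() does between the two SSL_set_bio() calls */
#define CONNTYPE_CONNECTION_SUCCESS 0
#define CONNTYPE_CONNECTION_FAIL 1
#define CONNTYPE_NO_CONNECTION 2

#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
/* The failure case needs both TLSv1.3 and TLSv1.2 to force a version mismatch */
#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
#define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
#else
#define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
#endif

/*
 * Parenthesised so the sum stays a single operand wherever the macro is
 * expanded (e.g. next to a multiplication or comparison).
 */
#define TOTAL_SSL_SET_BIO_TESTS                \
    (TOTAL_NO_CONN_SSL_SET_BIO_TESTS           \
        + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
        + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS)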
3048 
/*
 * Store in *res the BIO chosen by type: NULL for USE_NULL, bio1 for
 * USE_BIO_1, bio2 for USE_BIO_2. Any other value leaves *res unchanged.
 * No reference counts are touched.
 */
static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
{
    if (type == USE_NULL)
        *res = NULL;
    else if (type == USE_BIO_1)
        *res = bio1;
    else if (type == USE_BIO_2)
        *res = bio2;
}
3063 
3064 /*
3065  * Tests calls to SSL_set_bio() under various conditions.
3066  *
3067  * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
3068  * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
3069  * then do more tests where we create a successful connection first using our
3070  * standard connection setup functions, and then call SSL_set_bio() with
3071  * various combinations of valid BIOs or NULL. We then repeat these tests
3072  * following a failed connection. In this last case we are looking to check that
3073  * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
3074  */
static int test_ssl_set_bio(int idx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    BIO *bio1 = NULL, *bio2 = NULL;
    BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
    int initrbio, initwbio, newrbio, newwbio, conntype;
    int ref_nrbio, ref_nwbio;
    int testresult = 0;

    if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
        /* Four base-3 digits: one USE_NULL/USE_BIO_1/USE_BIO_2 per slot */
        initrbio = idx % 3;
        initwbio = (idx / 3) % 3;
        newrbio = (idx / 9) % 3;
        newwbio = (idx / 27) % 3;
        conntype = CONNTYPE_NO_CONNECTION;
    } else {
        /* Three bits: new rbio, new wbio, then success/fail connection */
        const int sub = idx - TOTAL_NO_CONN_SSL_SET_BIO_TESTS;

        initrbio = initwbio = USE_DEFAULT;
        newrbio = sub % 2;
        newwbio = (sub / 2) % 2;
        conntype = (sub / 4) % 2;
    }

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_VERSION, 0,
            &sctx, &cctx, cert, privkey)))
        goto end;

    if (conntype == CONNTYPE_CONNECTION_FAIL) {
        /*
         * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
         * because we reduced the number of tests in the definition of
         * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
         * mismatched protocol versions we will force a connection failure.
         */
        SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
        SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;

    /* Only allocate the BIOs that some slot actually selects */
    if ((initrbio == USE_BIO_1
            || initwbio == USE_BIO_1
            || newrbio == USE_BIO_1
            || newwbio == USE_BIO_1)
        && !TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
        goto end;

    if ((initrbio == USE_BIO_2
            || initwbio == USE_BIO_2
            || newrbio == USE_BIO_2
            || newwbio == USE_BIO_2)
        && !TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
        goto end;

    if (initrbio != USE_DEFAULT) {
        setupbio(&irbio, bio1, bio2, initrbio);
        setupbio(&iwbio, bio1, bio2, initwbio);
        SSL_set_bio(clientssl, irbio, iwbio);

        /*
         * We want to maintain our own refs to these BIO, so do an up ref for
         * each BIO that will have ownership transferred in the SSL_set_bio()
         * call. A BIO used for both directions gets a single extra ref.
         * NOTE(review): the up refs happen after the SSL_set_bio() call
         * above - confirm that ordering is intended for the failure paths.
         */
        if (irbio != NULL && !BIO_up_ref(irbio))
            goto end;
        if (iwbio != NULL && iwbio != irbio && !BIO_up_ref(iwbio)) {
            BIO_free(irbio);
            goto end;
        }
    }

    if (conntype != CONNTYPE_NO_CONNECTION) {
        /* The handshake result must match what this case asked for */
        if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                           SSL_ERROR_NONE)
                == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
            goto end;
    }

    setupbio(&nrbio, bio1, bio2, newrbio);
    setupbio(&nwbio, bio1, bio2, newwbio);

    /*
     * We will (maybe) transfer ownership again so do more up refs.
     * SSL_set_bio() has some really complicated ownership rules where BIOs have
     * already been set! The two flags record which of the new BIOs this test
     * takes an extra reference on before the second SSL_set_bio() call.
     */
    ref_nrbio = nrbio != NULL
        && nrbio != irbio
        && (nwbio != iwbio || nrbio != nwbio);
    ref_nwbio = nwbio != NULL
        && nwbio != nrbio
        && (nwbio != iwbio || irbio == iwbio);

    if (ref_nrbio) {
        if (!TEST_true(BIO_up_ref(nrbio)))
            goto end;
    }
    if (ref_nwbio) {
        if (!TEST_true(BIO_up_ref(nwbio))) {
            /* Undo the reference taken on nrbio just above, if any */
            if (ref_nrbio)
                BIO_free(nrbio);
            goto end;
        }
    }

    SSL_set_bio(clientssl, nrbio, nwbio);

    testresult = 1;

end:
    BIO_free(bio1);
    BIO_free(bio2);

    /*
     * This test is checking that the ref counting for SSL_set_bio is correct.
     * If we get here and we did too many frees then we will fail in the above
     * functions.
     */
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}
3206 
/* Which BIO of the SSL object execute_test_ssl_bio() replaces, if any */
typedef enum {
    NO_BIO_CHANGE,
    CHANGE_RBIO,
    CHANGE_WBIO
} bio_change_t;
3210 
/*
 * Build an SSL BIO on top of a memory BIO, optionally replace the SSL
 * object's read or write BIO directly, then split the chain again.
 *
 * pop_ssl:    non-zero pops the SSL BIO from the chain, zero pops the memory
 *             BIO.
 * change_bio: which BIO of the SSL object (if any) to swap for a second
 *             memory BIO first.
 *
 * The function makes no assertions about the result of the pop itself; the
 * value of the test is that the frees below neither leak nor double free
 * (presumably checked by the harness's memory tooling). Returns 1 unless an
 * allocation fails.
 */
static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
{
    BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
    SSL_CTX *ctx;
    SSL *ssl = NULL;
    int testresult = 0;

    if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
        || !TEST_ptr(ssl = SSL_new(ctx))
        || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
        || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
        goto end;

    /* BIO_CLOSE: from here on sslbio is responsible for freeing ssl */
    BIO_set_ssl(sslbio, ssl, BIO_CLOSE);

    /*
     * If anything goes wrong here then we could leak memory.
     */
    BIO_push(sslbio, membio1);

    /* Verify changing the rbio/wbio directly does not cause leaks */
    if (change_bio != NO_BIO_CHANGE) {
        membio2 = BIO_new(BIO_s_mem());
        if (!TEST_ptr(membio2)) {
            /* ssl belongs to sslbio already; do not free it twice */
            ssl = NULL;
            goto end;
        }
        if (change_bio == CHANGE_RBIO)
            SSL_set0_rbio(ssl, membio2);
        else
            SSL_set0_wbio(ssl, membio2);
    }
    /* Drop our pointer so the SSL_free() at end is a no-op */
    ssl = NULL;

    BIO_pop(pop_ssl ? sslbio : membio1);

    testresult = 1;
end:
    BIO_free(membio1);
    BIO_free(sslbio);
    SSL_free(ssl);
    SSL_CTX_free(ctx);

    return testresult;
}
3258 
/* SSL BIO chain test: pop the memory BIO, leave the SSL's BIOs alone. */
static int test_ssl_bio_pop_next_bio(void)
{
    const int pop_ssl = 0;

    return execute_test_ssl_bio(pop_ssl, NO_BIO_CHANGE);
}
3263 
/* SSL BIO chain test: pop the SSL BIO itself, leave the SSL's BIOs alone. */
static int test_ssl_bio_pop_ssl_bio(void)
{
    const int pop_ssl = 1;

    return execute_test_ssl_bio(pop_ssl, NO_BIO_CHANGE);
}
3268 
/* SSL BIO chain test: replace the SSL's read BIO, then pop the memory BIO. */
static int test_ssl_bio_change_rbio(void)
{
    const int pop_ssl = 0;

    return execute_test_ssl_bio(pop_ssl, CHANGE_RBIO);
}
3273 
/* SSL BIO chain test: replace the SSL's write BIO, then pop the memory BIO. */
static int test_ssl_bio_change_wbio(void)
{
    const int pop_ssl = 0;

    return execute_test_ssl_bio(pop_ssl, CHANGE_WBIO);
}
3278 
3279 /*
3280  * Regression for GH #30458: tls_set1_bio() must BIO_free_all the old chain
3281  * when the write BIO is replaced, not only the top BIO.
3282  */
static int test_ssl_set_wbio_chain_no_leak(void)
{
    SSL_CTX *ctx = NULL;
    SSL *ssl = NULL;
    BIO *bio = NULL, *filter = NULL, *chain1 = NULL;
    int testresult = 0;

    if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
        || !TEST_ptr(ssl = SSL_new(ctx)))
        goto end;

    /* Build a two-element chain: filter BIO on top of a memory BIO */
    if (!TEST_ptr(filter = BIO_new(BIO_f_nbio_test())))
        goto end;
    if (!TEST_ptr(bio = BIO_new(BIO_s_mem())))
        goto end; /* filter is released by the cleanup below */
    if (!TEST_ptr(chain1 = BIO_push(filter, bio))) {
        BIO_free_all(filter);
        filter = bio = NULL;
        goto end;
    }
    /* Both BIOs are now reachable through chain1 only */
    filter = bio = NULL;

    /*
     * Hand the chain to the SSL object, then replace it with NULL. The SSL
     * object is the sole owner at that point, so if it frees only the top
     * BIO the memory BIO underneath is leaked.
     */
    SSL_set0_wbio(ssl, chain1);
    chain1 = NULL;
    SSL_set0_wbio(ssl, NULL);

    testresult = 1;

end:
    BIO_free(filter);
    BIO_free(bio);
    BIO_free(chain1);
    SSL_free(ssl);
    SSL_CTX_free(ctx);

    return testresult;
}
3324 
3325 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
/*
 * One test case for test_set_sigalgs(). Exactly one of list/liststr is used:
 * when list is non-NULL the array setter is called, otherwise the string
 * setter is called with liststr.
 */
typedef struct {
    /* The list of sig algs */
    const int *list;
    /* The length of the list */
    size_t listlen;
    /* A sigalgs list in string format */
    const char *liststr;
    /* Whether setting the list should succeed */
    int valid;
    /* Whether creating a connection with the list should succeed */
    int connsuccess;
} sigalgs_list;

/* Array form: entries come in pairs of values */
static const int validlist1[] = { NID_sha256, EVP_PKEY_RSA };
#ifndef OPENSSL_NO_EC
static const int validlist2[] = { NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC };
static const int validlist3[] = { NID_sha512, EVP_PKEY_EC };
#endif
/* Malformed arrays: undefined first or second value, odd length, lone value */
static const int invalidlist1[] = { NID_undef, EVP_PKEY_RSA };
static const int invalidlist2[] = { NID_sha256, NID_undef };
static const int invalidlist3[] = { NID_sha256, EVP_PKEY_RSA, NID_sha256 };
static const int invalidlist4[] = { NID_sha256 };
/*
 * Columns: list, listlen, liststr, valid, connsuccess.
 * The EC-only entries are accepted by the setter but expected to fail the
 * handshake (presumably because the test certificate is RSA - confirm).
 */
static const sigalgs_list testsigalgs[] = {
    { validlist1, OSSL_NELEM(validlist1), NULL, 1, 1 },
#ifndef OPENSSL_NO_EC
    { validlist2, OSSL_NELEM(validlist2), NULL, 1, 1 },
    { validlist3, OSSL_NELEM(validlist3), NULL, 1, 0 },
#endif
    { NULL, 0, "RSA+SHA256", 1, 1 },
    /* NOTE(review): a "?" prefix looks like "ignore if unknown" - confirm */
    { NULL, 0, "RSA+SHA256:?Invalid", 1, 1 },
#ifndef OPENSSL_NO_EC
    { NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1 },
    { NULL, 0, "ECDSA+SHA512", 1, 0 },
#endif
    /* Everything below must be rejected by the setter itself */
    { invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0 },
    { invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0 },
    { invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0 },
    { invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0 },
    { NULL, 0, "RSA", 0, 0 },
    { NULL, 0, "SHA256", 0, 0 },
    { NULL, 0, "RSA+SHA256:SHA256", 0, 0 },
    { NULL, 0, "Invalid", 0, 0 }
};
3369 
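/*
 * Check that the signature-algorithm setters accept or reject each entry of
 * testsigalgs[] as recorded there, and that a TLSv1.2-capped client then
 * connects (or fails to) as recorded.
 *
 * idx in [0, NELEM) applies the entry with the SSL_CTX-level setters; idx in
 * [NELEM, 2 * NELEM) applies the same entries with the SSL-level setters.
 *
 * Returns 1 when the observed behaviour matches the table, 0 otherwise.
 */
static int test_set_sigalgs(int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    const sigalgs_list *curr;
    int testctx;

    /*
     * Should never happen. The bound has to be strict: idx == 2 * NELEM would
     * pass a "<=" check and then index one element past the end of
     * testsigalgs[] below.
     */
    if (!TEST_size_t_lt((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
        return 0;

    testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
    curr = testctx ? &testsigalgs[idx]
                   : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_VERSION, 0,
            &sctx, &cctx, cert, privkey)))
        return 0;

    /* The client is capped at TLSv1.2 for every case */
    SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);

    if (testctx) {
        int ret;

        if (curr->list != NULL)
            ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
        else
            ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);

        if (!ret) {
            /* Rejection is the pass condition for an invalid entry */
            if (curr->valid)
                TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
            else
                testresult = 1;
            goto end;
        }
        /* An invalid entry that was accepted is a failure */
        if (!curr->valid) {
            TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
            goto end;
        }
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
            &clientssl, NULL, NULL)))
        goto end;

    if (!testctx) {
        int ret;

        if (curr->list != NULL)
            ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
        else
            ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
        if (!ret) {
            if (curr->valid)
                TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
            else
                testresult = 1;
            goto end;
        }
        /* An invalid entry that was accepted is a failure */
        if (!curr->valid)
            goto end;
    }

    /* The handshake outcome must match the table as well */
    if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
                         SSL_ERROR_NONE),
            curr->connsuccess))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}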
3451 #endif
3452 
3453 #ifndef OSSL_NO_USABLE_TLS1_3
/* Number of times psk_client_cb() and psk_server_cb() have been invoked */
static int psk_client_cb_cnt = 0;
static int psk_server_cb_cnt = 0;
3456 
/*
 * Client-side PSK session callback used by the tests.
 *
 * Accepts at most two calls after use_session_cb_cnt was last reset: the
 * first must arrive with md == NULL and the second with md != NULL. On
 * success it hands out clientpsk (with an extra reference when non-NULL)
 * together with pskid as the identity, and returns 1. Returns 0 on any
 * violated expectation or failed up-ref.
 */
static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
    size_t *idlen, SSL_SESSION **sess)
{
    const int call_no = ++use_session_cb_cnt;

    if (call_no == 1) {
        /* The first call should always have a NULL md */
        if (md != NULL)
            return 0;
    } else if (call_no == 2) {
        /* The second call should always have an md */
        if (md == NULL)
            return 0;
    } else {
        /* We should only be called a maximum of twice */
        return 0;
    }

    /* The caller receives its own reference to the session */
    if (clientpsk != NULL && !SSL_SESSION_up_ref(clientpsk))
        return 0;

    *id = (const unsigned char *)pskid;
    *idlen = strlen(pskid);
    *sess = clientpsk;

    return 1;
}
3487 
3488 #ifndef OPENSSL_NO_PSK
/*
 * Old-style client PSK callback used by the tests.
 *
 * Copies pskid into id and the master key of clientpsk into psk. Returns the
 * key length, or 0 when the identity or key would not fit in the supplied
 * buffers, when the callback has been invoked more than twice since the
 * counter was reset, or when no PSK is configured.
 */
static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
    unsigned int max_id_len,
    unsigned char *psk,
    unsigned int max_psk_len)
{
    unsigned int psklen = 0;

    psk_client_cb_cnt++;

    /*
     * Refuse if the identity plus its terminator does not fit, if we have
     * been called more than twice per connection, or if there is no PSK.
     */
    if (strlen(pskid) + 1 > max_id_len
        || psk_client_cb_cnt > 2
        || clientpsk == NULL)
        return 0;

    /* We'll reuse the PSK we set up for TLSv1.3; query its size first */
    if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
        return 0;
    psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);

    /* The length check above guarantees room for the NUL terminator */
    strncpy(id, pskid, max_id_len);

    return psklen;
}
3516 #endif /* OPENSSL_NO_PSK */
3517 
/*
 * Server-side PSK lookup callback used by the tests.
 *
 * Returns 0 when called more than twice since find_session_cb_cnt was reset,
 * when no server PSK is configured, or when taking a reference fails.
 * Otherwise returns 1 with *sess set to serverpsk (plus one reference) if the
 * offered identity equals srvid, or to NULL if it does not.
 */
static int find_session_cb(SSL *ssl, const unsigned char *identity,
    size_t identity_len, SSL_SESSION **sess)
{
    find_session_cb_cnt++;

    /* We should only ever be called a maximum of twice per connection */
    if (find_session_cb_cnt > 2 || serverpsk == NULL)
        return 0;

    /* Identity should match that set by the client: same length, same bytes */
    if (strlen(srvid) == identity_len
        && strncmp(srvid, (const char *)identity, identity_len) == 0) {
        if (!SSL_SESSION_up_ref(serverpsk))
            return 0;

        *sess = serverpsk;
        return 1;
    }

    /* No PSK found, continue but without a PSK */
    *sess = NULL;
    return 1;
}
3545 
3546 #ifndef OPENSSL_NO_PSK
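/*
 * Old-style server PSK callback used by the tests.
 *
 * Copies the master key of serverpsk into psk when the offered identity
 * equals srvid. Returns the key length, or 0 when the callback has been
 * invoked more than twice since psk_server_cb_cnt was reset, when no server
 * PSK is configured, when the identity does not match, or when the key does
 * not fit in max_psk_len bytes.
 */
static unsigned int psk_server_cb(SSL *ssl, const char *identity,
    unsigned char *psk, unsigned int max_psk_len)
{
    unsigned int psklen = 0;

    psk_server_cb_cnt++;

    /*
     * We should only ever be called a maximum of twice per connection.
     * The limit is checked against this callback's own counter, matching
     * psk_client_cb(); find_session_cb_cnt is not advanced by this callback,
     * so testing it here would never enforce the limit.
     */
    if (psk_server_cb_cnt > 2)
        return 0;

    if (serverpsk == NULL)
        return 0;

    /* Identity should match that set by the client */
    if (strcmp(srvid, identity) != 0) {
        return 0;
    }

    /* We'll reuse the PSK we set up for TLSv1.3; query its size first */
    if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
        return 0;
    psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);

    return psklen;
}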
3573 #endif /* OPENSSL_NO_PSK */
3574 
/* Fixed message fragments (presumably early-data test payloads - see users) */
#define MSG1 "Hello"
#define MSG2 "World."
#define MSG3 "This"
#define MSG4 "is"
#define MSG5 "a"
#define MSG6 "test"
#define MSG7 "message."

/* How many upcoming tickets ed_gen_cb() should still back-date */
static int artificial_ticket_time = 0;
3584 
/*
 * Move the session's recorded time 10 seconds into the past.
 * Returns 1 if SSL_SESSION_set_time_ex() reports a non-zero result, else 0.
 */
static int sub_session_time(SSL_SESSION *sess)
{
    const OSSL_TIME issued = ossl_time_from_time_t(SSL_SESSION_get_time_ex(sess));
    const OSSL_TIME aged = ossl_time_subtract(issued, ossl_seconds2time(10));

    return SSL_SESSION_set_time_ex(sess, ossl_time_to_time_t(aged)) != 0;
}
3594 
/*
 * Session ticket generation callback. While artificial_ticket_time is
 * non-zero, each ticket issued has its session backdated and the counter is
 * decremented. Returns 0 if there is no session or the time update fails,
 * 1 otherwise.
 */
static int ed_gen_cb(SSL *s, void *arg)
{
    SSL_SESSION *ticket_sess = SSL_get0_session(s);

    if (ticket_sess == NULL)
        return 0;

    /*
     * Artificially give the ticket some age. Just do it for the number of
     * tickets we've been told to do.
     */
    if (artificial_ticket_time != 0) {
        artificial_ticket_time--;
        return sub_session_time(ticket_sess);
    }

    return 1;
}
3612 
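/*
 * Helper method to setup objects for early data test. Caller frees objects on
 * error.
 *
 * idx == 0: plain setup
 * idx == 1: read_ahead is enabled on both contexts and the client sends SNI
 * idx == 2: an external PSK (built with |mdsize|) is installed through the
 *           use_session/find_session callbacks instead of a ticket
 *
 * If |sess| is non-NULL and idx != 2, a full handshake is run first to obtain
 * a resumable session; it is returned in |*sess| and set on a fresh client SSL
 * object. For idx == 2, |*sess| receives its own reference to the PSK session.
 *
 * Side effects: for idx == 2 the file-scope clientpsk, serverpsk and srvid
 * variables are assigned and both PSK callback counters are reset. The
 * callers release clientpsk/serverpsk in their cleanup paths.
 *
 * Returns 1 on success, 0 on failure.
 */
static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
    SSL **serverssl, SSL_SESSION **sess, int idx,
    size_t mdsize)
{
    /* Sample the global once; ed_gen_cb decrements it during the handshake */
    int artificial = (artificial_ticket_time > 0);

    if (*sctx == NULL
        && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            TLS1_VERSION, 0,
            sctx, cctx, cert, privkey)))
        return 0;

    if (artificial)
        SSL_CTX_set_session_ticket_cb(*sctx, ed_gen_cb, NULL, NULL);

    if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
        return 0;

    if (idx == 1) {
        /* When idx == 1 we repeat the tests with read_ahead set */
        SSL_CTX_set_read_ahead(*cctx, 1);
        SSL_CTX_set_read_ahead(*sctx, 1);
    } else if (idx == 2) {
        /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
        SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
        SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
        use_session_cb_cnt = 0;
        find_session_cb_cnt = 0;
        srvid = pskid;
    }

    if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
            NULL, NULL)))
        return 0;

    /*
     * For one of the run throughs (doesn't matter which one), we'll try sending
     * some SNI data in the initial ClientHello. This will be ignored (because
     * there is no SNI cb set up by the server), so it should not impact
     * early_data.
     */
    if (idx == 1
        && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
        return 0;

    if (idx == 2) {
        clientpsk = create_a_psk(*clientssl, mdsize);
        if (!TEST_ptr(clientpsk)
            /*
             * We just choose an arbitrary value for max_early_data which
             * should be big enough for testing purposes.
             */
            || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
                0x100))
            || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
            SSL_SESSION_free(clientpsk);
            clientpsk = NULL;
            return 0;
        }
        /* Client and server share one session object, one reference each */
        serverpsk = clientpsk;

        if (sess != NULL) {
            /* Third reference, owned by the caller through |*sess| */
            if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
                SSL_SESSION_free(clientpsk);
                SSL_SESSION_free(serverpsk);
                clientpsk = serverpsk = NULL;
                return 0;
            }
            *sess = clientpsk;
        }
        return 1;
    }

    if (sess == NULL)
        return 1;

    if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
            SSL_ERROR_NONE)))
        return 0;

    *sess = SSL_get1_session(*clientssl);
    SSL_shutdown(*clientssl);
    SSL_shutdown(*serverssl);
    SSL_free(*serverssl);
    SSL_free(*clientssl);
    *serverssl = *clientssl = NULL;

    /*
     * Without a session there is nothing to resume: report a test failure
     * here instead of passing NULL on to the calls below.
     */
    if (!TEST_ptr(*sess))
        return 0;

    /*
     * Artificially give the ticket some age to match the artificial age we
     * gave it on the server side
     */
    if (artificial
        && !TEST_true(sub_session_time(*sess)))
        return 0;

    if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
            clientssl, NULL, NULL))
        || !TEST_true(SSL_set_session(*clientssl, *sess)))
        return 0;

    return 1;
}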
3720 
/*
 * Called after an early data read has failed. |timer| is the time at which the
 * early data was written. Returns the result of TEST_skip() when 7 seconds or
 * more have elapsed since then, and 0 (a genuine failure) otherwise.
 */
static int check_early_data_timeout(OSSL_TIME timer)
{
    /*
     * Early data is time sensitive. We have an approx 8 second allowance
     * between writing the early data and reading it. If we exceed that time
     * then this test will fail. This can sometimes (rarely) occur in normal CI
     * operation. We can try and detect this and just ignore the result of this
     * test if it has taken too long. We assume anything over 7 seconds is too
     * long
     */
    OSSL_TIME elapsed = ossl_time_subtract(ossl_time_now(), timer);

    if (ossl_time_compare(elapsed, ossl_seconds2time(7)) < 0)
        return 0;

    return TEST_skip("Test took too long, ignoring result");
}
3739 
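/*
 * Exercise early data in both directions, interleaved with normal data, and
 * then resume once more with the session taken from the first connection.
 * |idx| is passed through to setupearly_data_test() (0: standard setup,
 * 1: read_ahead, 2: PSK).
 * Returns 1 on success (or when the run is skipped for taking too long) and
 * 0 on failure.
 */
static int test_early_data_read_write(int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    SSL_SESSION *sess = NULL;
    unsigned char buf[20], data[1024];
    size_t readbytes, written, eoedlen, rawread, rawwritten;
    BIO *rbio;
    OSSL_TIME timer;

    /* Artificially give the next 2 tickets some age for non PSK sessions */
    if (idx != 2)
        artificial_ticket_time = 2;
    if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
            &serverssl, &sess, idx,
            SHA384_DIGEST_LENGTH))) {
        artificial_ticket_time = 0;
        goto end;
    }
    artificial_ticket_time = 0;

    /* Write and read some early data */
    timer = ossl_time_now();
    if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
            &written))
        || !TEST_size_t_eq(written, strlen(MSG1)))
        goto end;

    if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                         &readbytes),
            SSL_READ_EARLY_DATA_SUCCESS)) {
        /* A slow run can push the ticket out of tolerance: skip, don't fail */
        testresult = check_early_data_timeout(timer);
        goto end;
    }

    if (!TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
        || !TEST_int_eq(SSL_get_early_data_status(serverssl),
            SSL_EARLY_DATA_ACCEPTED))
        goto end;

    /*
     * Server should be able to write data, and client should be able to
     * read it.
     */
    if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
            &written))
        || !TEST_size_t_eq(written, strlen(MSG2))
        || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
        || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
        goto end;

    /* Even after reading normal data, client should be able write early data */
    if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
            &written))
        || !TEST_size_t_eq(written, strlen(MSG3)))
        goto end;

    /* Server should still be able read early data after writing data */
    if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                         &readbytes),
            SSL_READ_EARLY_DATA_SUCCESS)
        || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
        goto end;

    /* Write more data from server and read it from client */
    if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
            &written))
        || !TEST_size_t_eq(written, strlen(MSG4))
        || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
        || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
        goto end;

    /*
     * If client writes normal data it should mean writing early data is no
     * longer possible.
     */
    if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
        || !TEST_size_t_eq(written, strlen(MSG5))
        || !TEST_int_eq(SSL_get_early_data_status(clientssl),
            SSL_EARLY_DATA_ACCEPTED))
        goto end;

    /*
     * At this point the client has written EndOfEarlyData, ClientFinished and
     * normal (fully protected) data. We are going to cause a delay between the
     * arrival of EndOfEarlyData and ClientFinished. We read out all the data
     * in the read BIO, and then just put back the EndOfEarlyData message.
     */
    rbio = SSL_get_rbio(serverssl);
    if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
        || !TEST_size_t_lt(rawread, sizeof(data))
        || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
        goto end;

    /* Record length is in the 4th and 5th bytes of the record header */
    eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
    /*
     * The length is taken from the record itself, so check it against the
     * number of bytes actually read before it is used as a write length and,
     * further down, as an offset into |data|.
     */
    if (!TEST_size_t_le(eoedlen, rawread)
        || !TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
        || !TEST_size_t_eq(rawwritten, eoedlen))
        goto end;

    /* Server should be told that there is no more early data */
    if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                         &readbytes),
            SSL_READ_EARLY_DATA_FINISH)
        || !TEST_size_t_eq(readbytes, 0))
        goto end;

    /*
     * Server has not finished init yet, so should still be able to write early
     * data.
     */
    if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
            &written))
        || !TEST_size_t_eq(written, strlen(MSG6)))
        goto end;

    /* Push the ClientFinished and the normal data back into the server rbio */
    if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
            &rawwritten))
        || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
        goto end;

    /* Server should be able to read normal data */
    if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
        || !TEST_size_t_eq(readbytes, strlen(MSG5)))
        goto end;

    /* Client and server should not be able to write/read early data now */
    if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
            &written)))
        goto end;
    ERR_clear_error();
    if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                         &readbytes),
            SSL_READ_EARLY_DATA_ERROR))
        goto end;
    ERR_clear_error();

    /* Client should be able to read the data sent by the server */
    if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
        || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
        goto end;

    /*
     * Make sure we process the two NewSessionTickets. These arrive
     * post-handshake. We attempt reads which we do not expect to return any
     * data.
     */
    if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
        || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
            &readbytes)))
        goto end;

    /* Server should be able to write normal data */
    if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
        || !TEST_size_t_eq(written, strlen(MSG7))
        || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
        || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
        goto end;

    /* Swap the original session for the one this connection ended up with */
    SSL_SESSION_free(sess);
    sess = SSL_get1_session(clientssl);
    use_session_cb_cnt = 0;
    find_session_cb_cnt = 0;

    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
            &clientssl, NULL, NULL))
        || !TEST_true(SSL_set_session(clientssl, sess)))
        goto end;

    /* Write and read some early data */
    if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
            &written))
        || !TEST_size_t_eq(written, strlen(MSG1))
        || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                            &readbytes),
            SSL_READ_EARLY_DATA_SUCCESS)
        || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
        goto end;

    if (!TEST_int_gt(SSL_connect(clientssl), 0)
        || !TEST_int_gt(SSL_accept(serverssl), 0))
        goto end;

    /* Client and server should not be able to write/read early data now */
    if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
            &written)))
        goto end;
    ERR_clear_error();
    if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                         &readbytes),
            SSL_READ_EARLY_DATA_ERROR))
        goto end;
    ERR_clear_error();

    /* Client and server should be able to write/read normal data */
    if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
        || !TEST_size_t_eq(written, strlen(MSG5))
        || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
        || !TEST_size_t_eq(readbytes, strlen(MSG5)))
        goto end;

    testresult = 1;

end:
    SSL_SESSION_free(sess);
    /* The PSK globals are only set for idx == 2; freeing NULL is harmless */
    SSL_SESSION_free(clientpsk);
    SSL_SESSION_free(serverpsk);
    clientpsk = serverpsk = NULL;
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}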
3961 
/* Number of times allow_early_data_cb() has run; reset by the replay test */
static int allow_ed_cb_called = 0;

/*
 * Early data acceptance callback. |arg| points at the test's usecb value:
 * 1 means reject the early data (return 0), anything else means accept it
 * (return 1). Every call is counted in allow_ed_cb_called.
 */
static int allow_early_data_cb(SSL *s, void *arg)
{
    const int *mode = (int *)arg;

    allow_ed_cb_called++;

    return *mode != 1;
}
3975 
/*
 * Check how the server treats early data sent with a ticket that has already
 * been used once.
 *
 * idx == 0: Standard early_data setup
 * idx == 1: early_data setup using read_ahead
 * usecb == 0: Don't use a custom early data callback
 * usecb == 1: Use a custom early data callback and reject the early data
 * usecb == 2: Use a custom early data callback and accept the early data
 * confopt == 0: Configure anti-replay directly
 * confopt == 1: Configure anti-replay using SSL_CONF
 *
 * With usecb == 0 the built-in anti-replay protection is left on and the
 * replayed early data must be rejected. With usecb > 0 that protection is
 * switched off and the decision is left entirely to allow_early_data_cb();
 * the usecb == 2 case shows that replayed early data is then accepted, i.e.
 * an application that disables anti-replay has to supply its own replay
 * defence.
 *
 * Returns 1 on success (or when skipped for taking too long), 0 on failure.
 */
static int test_early_data_replay_int(int idx, int usecb, int confopt)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    SSL_SESSION *sess = NULL;
    size_t readbytes, written;
    unsigned char buf[20];
    OSSL_TIME timer;

    allow_ed_cb_called = 0;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_VERSION, 0,
            &sctx, &cctx, cert, privkey)))
        return 0;

    if (usecb > 0) {
        /* Turn the built-in anti-replay off, by option or by SSL_CONF */
        if (confopt == 0) {
            SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
        } else {
            SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();

            if (!TEST_ptr(confctx))
                goto end;
            SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE | SSL_CONF_FLAG_SERVER);
            SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
            if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
                    2)) {
                SSL_CONF_CTX_free(confctx);
                goto end;
            }
            SSL_CONF_CTX_free(confctx);
        }
        /* &usecb stays valid: the callback only runs inside this function */
        SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
    }

    if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
            &serverssl, &sess, idx,
            SHA384_DIGEST_LENGTH)))
        goto end;

    /*
     * The server is configured to accept early data. Create a connection to
     * "use up" the ticket
     */
    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
        || !TEST_true(SSL_session_reused(clientssl)))
        goto end;

    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    /* Second connection presents the same, already used, session */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
            &clientssl, NULL, NULL))
        || !TEST_true(SSL_set_session(clientssl, sess)))
        goto end;

    /* Write and read some early data */
    timer = ossl_time_now();
    if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
            &written))
        || !TEST_size_t_eq(written, strlen(MSG1)))
        goto end;

    if (usecb <= 1) {
        if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                             &readbytes),
                SSL_READ_EARLY_DATA_FINISH)
            /*
             * The ticket was reused, so we should have rejected the
             * early data
             */
            || !TEST_int_eq(SSL_get_early_data_status(serverssl),
                SSL_EARLY_DATA_REJECTED))
            goto end;
    } else {
        /* In this case the callback decides to accept the early data */
        if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                             &readbytes),
                SSL_READ_EARLY_DATA_SUCCESS)) {
            /* A slow run is reported as a skip rather than a failure */
            testresult = check_early_data_timeout(timer);
            goto end;
        }
        if (!TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
            /*
             * Server will have sent its flight so client can now send
             * end of early data and complete its half of the handshake
             */
            || !TEST_int_gt(SSL_connect(clientssl), 0)
            || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                                &readbytes),
                SSL_READ_EARLY_DATA_FINISH)
            || !TEST_int_eq(SSL_get_early_data_status(serverssl),
                SSL_EARLY_DATA_ACCEPTED))
            goto end;
    }

    /*
     * Complete the connection. The session is expected to be resumed only
     * when anti-replay was disabled (usecb > 0), and the callback is expected
     * to have been consulted exactly once in that case and never otherwise.
     */
    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
        || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
        || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
        goto end;

    testresult = 1;

end:
    SSL_SESSION_free(sess);
    SSL_SESSION_free(clientpsk);
    SSL_SESSION_free(serverpsk);
    clientpsk = serverpsk = NULL;
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}
4105 
/*
 * Run test_early_data_replay_int() for every usecb (0..2) and confopt (0..1)
 * combination. All combinations are run even after a failure; returns 1 only
 * if every one of them returned 1.
 */
static int test_early_data_replay(int idx)
{
    int combo, passed = 1;

    /* combo / 2 is usecb (outer), combo % 2 is confopt (inner) */
    for (combo = 0; combo < 3 * 2; combo++)
        passed &= test_early_data_replay_int(idx, combo / 2, combo % 2);

    return passed;
}
4117 
/*
 * TLSv1.3 ciphersuites the skip tests iterate over. The position in this
 * array is significant: early_data_skip_helper() refers to entries by index
 * (0, 2, 5, 6, and "4 or above"), so keep the order stable. A NULL entry
 * marks a suite that is not available in this build and causes the test to be
 * skipped for that index.
 */
static const char *ciphersuites[] = {
    "TLS_AES_128_CCM_8_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_CCM_SHA256",
#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
    "TLS_CHACHA20_POLY1305_SHA256",
#else
    NULL,
#endif
#if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
    /* Integrity-only suites (no encryption), indices 5 and 6 */
    "TLS_SHA256_SHA256",
    "TLS_SHA384_SHA384"
#endif
};
4133 
/*
 * Helper function to test that a server attempting to read early data can
 * handle a connection from a client where the early data should be skipped.
 * testtype: 0 == No HRR
 * testtype: 1 == HRR
 * testtype: 2 == HRR, invalid early_data sent after HRR
 * testtype: 3 == recv_max_early_data set to 0
 *
 * cipher is an index into ciphersuites[]; idx is passed through to
 * setupearly_data_test().
 * Returns 1 on success or skip, 0 on failure.
 */
static int early_data_skip_helper(int testtype, int cipher, int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    SSL_SESSION *sess = NULL;
    unsigned char buf[20];
    size_t readbytes, written;

    /* Entries from index 4 upwards are not exercised in FIPS mode */
    if (is_fips && cipher >= 4)
        return 1;

    if (ciphersuites[cipher] == NULL)
        return TEST_skip("Cipher not supported");

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            TLS1_VERSION, 0,
            &sctx, &cctx, cert, privkey)))
        goto end;

    /*
     * Index 0 is the CCM_8 suite and 5/6 are the integrity-only suites. The
     * security level is dropped to 0 on both sides for them, presumably
     * because they are not permitted at the default level. This is a test-only
     * setting.
     */
    if (cipher == 0 || cipher == 5 || cipher == 6) {
        SSL_CTX_set_security_level(sctx, 0);
        SSL_CTX_set_security_level(cctx, 0);
    }

    if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, ciphersuites[cipher]))
        || !TEST_true(SSL_CTX_set_ciphersuites(cctx, ciphersuites[cipher])))
        goto end;

    /* Indices 2 and 6 are the SHA384 suites; the rest use SHA256 */
    if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
            &serverssl, &sess, idx,
            (cipher == 2 || cipher == 6)
                ? SHA384_DIGEST_LENGTH
                : SHA256_DIGEST_LENGTH)))
        goto end;

    if (testtype == 1 || testtype == 2) {
        /* Force an HRR to occur */
#if defined(OPENSSL_NO_EC)
        if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
            goto end;
#else
        if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
            goto end;
#endif
    } else if (idx == 2) {
        /*
         * We force early_data rejection by ensuring the PSK identity is
         * unrecognised
         */
        srvid = "Dummy Identity";
    } else {
        /*
         * Deliberately corrupt the creation time. We take 20 seconds off the
         * time. It could be any value as long as it is not within tolerance.
         * This should mean the ticket is rejected.
         */
        if (!TEST_true(SSL_SESSION_set_time_ex(sess, time(NULL) - 20)))
            goto end;
    }

    if (testtype == 3
        && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
        goto end;

    /* Write some early data */
    if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
            &written))
        || !TEST_size_t_eq(written, strlen(MSG1)))
        goto end;

    /* Server should reject the early data */
    if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                         &readbytes),
            SSL_READ_EARLY_DATA_FINISH)
        || !TEST_size_t_eq(readbytes, 0)
        || !TEST_int_eq(SSL_get_early_data_status(serverssl),
            SSL_EARLY_DATA_REJECTED))
        goto end;

    switch (testtype) {
    case 0:
        /* Nothing to do */
        break;

    case 1:
        /*
         * Finish off the handshake. We perform the same writes and reads as
         * further down but we expect them to fail due to the incomplete
         * handshake.
         */
        if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
            || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
                &readbytes)))
            goto end;
        break;

    case 2: {
        BIO *wbio = SSL_get_wbio(clientssl);
        /*
         * A record that will appear as bad early_data: a 5 byte record header
         * (type 0x17, version 0x0303, length 1) followed by a single payload
         * byte.
         */
        const unsigned char bad_early_data[] = {
            0x17, 0x03, 0x03, 0x00, 0x01, 0x00
        };

        /*
         * We force the client to attempt a write. This will fail because
         * we're still in the handshake. It will cause the second
         * ClientHello to be sent.
         */
        if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
                &written)))
            goto end;

        /*
         * Inject some early_data after the second ClientHello. This should
         * cause the server to fail
         */
        if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
                sizeof(bad_early_data), &written)))
            goto end;
    }
        /* FALLTHROUGH */

    case 3:
        /*
         * This client has sent more early_data than we are willing to skip
         * (case 3) or sent invalid early_data (case 2) so the connection should
         * abort.
         */
        if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
            || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
            goto end;

        /* Connection has failed - nothing more to do */
        testresult = 1;
        goto end;

    default:
        TEST_error("Invalid test type");
        goto end;
    }

    /* Only test types 0 and 1 reach this point */
    ERR_clear_error();
    /*
     * Should be able to send normal data despite rejection of early data. The
     * early_data should be skipped.
     */
    if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
        || !TEST_size_t_eq(written, strlen(MSG2))
        || !TEST_int_eq(SSL_get_early_data_status(clientssl),
            SSL_EARLY_DATA_REJECTED)
        || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
        || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
        goto end;

    /*
     * Failure to decrypt early data records should not leave spurious errors
     * on the error stack
     */
    if (!TEST_long_eq(ERR_peek_error(), 0))
        goto end;

    testresult = 1;

end:
    SSL_SESSION_free(clientpsk);
    SSL_SESSION_free(serverpsk);
    clientpsk = serverpsk = NULL;
    SSL_SESSION_free(sess);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}
4318 
/*
 * Test that a server attempting to read early data can handle a connection
 * from a client where the early data is not acceptable.
 * idx encodes both the ciphersuite (idx modulo the table size) and the setup
 * variant (idx divided by the table size).
 */
static int test_early_data_skip(int idx)
{
    const size_t nsuites = OSSL_NELEM(ciphersuites);

    return early_data_skip_helper(0, idx % nsuites, idx / nsuites);
}
4329 
/*
 * Test that a server attempting to read early data can handle a connection
 * from a client where an HRR occurs.
 * idx encodes both the ciphersuite (idx modulo the table size) and the setup
 * variant (idx divided by the table size).
 */
static int test_early_data_skip_hrr(int idx)
{
    const size_t nsuites = OSSL_NELEM(ciphersuites);

    return early_data_skip_helper(1, idx % nsuites, idx / nsuites);
}
4340 
/*
 * Test that a server attempting to read early data can handle a connection
 * from a client where an HRR occurs and correctly fails if early_data is sent
 * after the HRR.
 * idx encodes both the ciphersuite (idx modulo the table size) and the setup
 * variant (idx divided by the table size).
 */
static int test_early_data_skip_hrr_fail(int idx)
{
    const size_t nsuites = OSSL_NELEM(ciphersuites);

    return early_data_skip_helper(2, idx % nsuites, idx / nsuites);
}
4352 
/*
 * Test that a server attempting to read early data will abort if it tries to
 * skip over too much.
 * idx encodes both the ciphersuite (idx modulo the table size) and the setup
 * variant (idx divided by the table size).
 */
static int test_early_data_skip_abort(int idx)
{
    const size_t nsuites = OSSL_NELEM(ciphersuites);

    return early_data_skip_helper(3, idx % nsuites, idx / nsuites);
}
4363 
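/*
 * Test that a server attempting to read early data can handle a connection
 * from a client that doesn't send any.
 * idx is passed through to setupearly_data_test().
 * Returns 1 on success, 0 on failure.
 */
static int test_early_data_not_sent(int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    SSL_SESSION *sess = NULL;
    unsigned char buf[20];
    size_t readbytes, written;

    if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
            &serverssl, &sess, idx,
            SHA384_DIGEST_LENGTH)))
        goto end;

    /* Write some data - should block due to handshake with server */
    SSL_set_connect_state(clientssl);
    if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
        goto end;

    /* Server should detect that early data has not been sent */
    if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                         &readbytes),
            SSL_READ_EARLY_DATA_FINISH)
        || !TEST_size_t_eq(readbytes, 0)
        || !TEST_int_eq(SSL_get_early_data_status(serverssl),
            SSL_EARLY_DATA_NOT_SENT)
        || !TEST_int_eq(SSL_get_early_data_status(clientssl),
            SSL_EARLY_DATA_NOT_SENT))
        goto end;

    /*
     * Continue writing the message we started earlier. The server write is
     * wrapped in TEST_true like its neighbours so that a failure there is
     * reported instead of silently jumping to cleanup.
     */
    if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
        || !TEST_size_t_eq(written, strlen(MSG1))
        || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
        || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
        || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
        || !TEST_size_t_eq(written, strlen(MSG2)))
        goto end;

    if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
        || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
        goto end;

    testresult = 1;

end:
    SSL_SESSION_free(sess);
    SSL_SESSION_free(clientpsk);
    SSL_SESSION_free(serverpsk);
    clientpsk = serverpsk = NULL;
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}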
4424 
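/* Protocol name the server side of the test is willing to select */
static const char *servalpn;

/*
 * ALPN selection callback. |in|/|inlen| hold the client's offer as a sequence
 * of entries, each one length byte followed by that many name bytes. Selects
 * the entry equal to servalpn, if any.
 *
 * On a match, |*out| is pointed at the name inside |in| and |*outlen| is set
 * to its length, and SSL_TLSEXT_ERR_OK is returned. Returns
 * SSL_TLSEXT_ERR_NOACK when nothing matches or when an entry's length runs
 * past the end of the list.
 */
static int alpn_select_cb(SSL *ssl, const unsigned char **out,
    unsigned char *outlen, const unsigned char *in,
    unsigned int inlen, void *arg)
{
    unsigned int protlen = 0;
    const unsigned char *prot;
    const unsigned char *end = in + inlen;

    for (prot = in; prot < end; prot += protlen) {
        protlen = *prot++;
        /*
         * Validate the length byte against the bytes that remain. Comparing
         * lengths avoids forming a pointer beyond the end of the buffer just
         * to test it.
         */
        if ((size_t)(end - prot) < protlen)
            return SSL_TLSEXT_ERR_NOACK;

        if (protlen == strlen(servalpn)
            && memcmp(prot, servalpn, protlen) == 0) {
            *out = prot;
            *outlen = protlen;
            return SSL_TLSEXT_ERR_OK;
        }
    }

    return SSL_TLSEXT_ERR_NOACK;
}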
4449 
/*
 * Test that a PSK can be used to send early_data
 *
 * The early data is tied to the SNI, ALPN and protocol version recorded in
 * the PSK session; idx selects which of those is made (in)consistent:
 * idx == 0: inconsistent SNI, detected early by the client
 * idx == 1: inconsistent ALPN, detected early by the client
 * idx == 2: PSK session carries the wrong protocol version (SSL_R_BAD_PSK)
 * idx == 3: inconsistent SNI on the server side; early_data is still accepted
 * idx == 4: consistent SNI
 * idx == 5: inconsistent ALPN detected by the server; early_data is rejected
 * idx == 6: consistent ALPN
 * idx == 7: inconsistent ALPN detected late by the client; SSL_connect() fails
 *
 * Returns 1 on success and 0 on failure. If the server's early data read does
 * not give the expected result, the verdict is whatever
 * check_early_data_timeout() returns.
 */
static int test_early_data_psk(int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    SSL_SESSION *sess = NULL;
    /* Two length-prefixed ALPN entries back to back: "goodalpn", "badalpn" */
    unsigned char alpnlist[] = {
        0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
        'l', 'p', 'n'
    };
    /*
     * The *LEN values count the length prefix byte, so GOODALPN + 1 with
     * GOODALPNLEN - 1 gives the bare protocol name. These macros are not
     * #undef'd and so stay defined for the rest of the file.
     */
#define GOODALPNLEN 9
#define BADALPNLEN 8
#define GOODALPN (alpnlist)
#define BADALPN (alpnlist + GOODALPNLEN)
    /* Expected reason code for the "early client detection" cases, else 0 */
    int err = 0;
    unsigned char buf[20];
    size_t readbytes, written;
    /* Expectations for the success path; individual cases override them */
    int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
    int edstatus = SSL_EARLY_DATA_ACCEPTED;

    /*
     * We always set this up with "2" (PSK) as the argument that precedes the
     * digest length
     */
    if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
            &serverssl, &sess, 2,
            SHA384_DIGEST_LENGTH)))
        goto end;

    /* Default protocol for alpn_select_cb; case 5 replaces it */
    servalpn = "goodalpn";

    /*
     * Note: There is no test for inconsistent SNI with late client detection.
     * This is because servers do not acknowledge SNI even if they are using
     * it in a resumption handshake - so it is not actually possible for a
     * client to detect a problem.
     */
    switch (idx) {
    case 0:
        /* Set inconsistent SNI (early client detection) */
        err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
        if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
            || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
            goto end;
        break;

    case 1:
        /* Set inconsistent ALPN (early client detection) */
        err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
        /*
         * SSL_set_alpn_protos returns 0 for success and 1 for failure.
         * NOTE(review): unlike case 6, the session value here still includes
         * the length prefix byte; it differs from the offered "badalpn"
         * either way - confirm this is intentional.
         */
        if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
                GOODALPNLEN))
            || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
                BADALPNLEN)))
            goto end;
        break;

    case 2:
        /*
         * Set invalid protocol version. Technically this affects PSKs without
         * early_data too, but we test it here because it is similar to the
         * SNI/ALPN consistency tests.
         */
        err = SSL_R_BAD_PSK;
        if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
            goto end;
        break;

    case 3:
        /*
         * Set inconsistent SNI (server side). In this case the connection
         * will succeed and accept early_data. In TLSv1.3 on the server side SNI
         * is associated with each handshake - not the session. Therefore it
         * should not matter that we used a different server name last time.
         */
        /* Give the server its own copy so only its view carries "badhost" */
        SSL_SESSION_free(serverpsk);
        serverpsk = SSL_SESSION_dup(clientpsk);
        if (!TEST_ptr(serverpsk)
            || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
            goto end;
        /* Fall through */
    case 4:
        /* Set consistent SNI */
        if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
            || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
            || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
                hostname_cb)))
            goto end;
        break;

    case 5:
        /*
         * Set inconsistent ALPN (server detected). In this case the connection
         * will succeed but reject early_data.
         */
        servalpn = "badalpn";
        edstatus = SSL_EARLY_DATA_REJECTED;
        readearlyres = SSL_READ_EARLY_DATA_FINISH;
        /* Fall through */
    case 6:
        /*
         * Set consistent ALPN.
         * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
         * accepts a list of protos (each one length prefixed).
         * SSL_SESSION_set1_alpn_selected accepts a single protocol (not
         * length prefixed)
         */
        if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
                GOODALPNLEN - 1))
            || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
                GOODALPNLEN)))
            goto end;

        SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
        break;

    case 7:
        /* Set inconsistent ALPN (late client detection) */
        /*
         * Client and server get separate session copies: the client's records
         * "badalpn", the server's "goodalpn", and the client offers both.
         */
        SSL_SESSION_free(serverpsk);
        serverpsk = SSL_SESSION_dup(clientpsk);
        if (!TEST_ptr(serverpsk)
            || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
                BADALPN + 1,
                BADALPNLEN - 1))
            || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
                GOODALPN + 1,
                GOODALPNLEN - 1))
            || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
                sizeof(alpnlist))))
            goto end;
        SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
        edstatus = SSL_EARLY_DATA_ACCEPTED;
        readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
        /* SSL_connect() call should fail */
        connectres = -1;
        break;

    default:
        TEST_error("Bad test index");
        goto end;
    }

    SSL_set_connect_state(clientssl);
    if (err != 0) {
        /*
         * Early client detection: the client must refuse to write early data
         * at all and report the expected reason code.
         */
        if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
                &written))
            || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
            || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
            goto end;
    } else {
        /* Start time, handed to check_early_data_timeout() below */
        OSSL_TIME timer = ossl_time_now();

        if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
                &written)))
            goto end;

        if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                             &readbytes),
                readearlyres)) {
            /*
             * Unexpected read result: the helper (defined outside this
             * function) decides the verdict - presumably it tolerates a
             * session that aged out while the test ran; confirm there.
             */
            testresult = check_early_data_timeout(timer);
            goto end;
        }

        /* The payload is only compared when early data was expected to arrive */
        if ((readearlyres == SSL_READ_EARLY_DATA_SUCCESS
                && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
            || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
            || !TEST_int_eq(SSL_connect(clientssl), connectres))
            goto end;
    }

    testresult = 1;

end:
    SSL_SESSION_free(sess);
    /*
     * clientpsk and serverpsk are declared outside this function; they are
     * released and cleared here so no stale session is left behind.
     */
    SSL_SESSION_free(clientpsk);
    SSL_SESSION_free(serverpsk);
    clientpsk = serverpsk = NULL;
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}
4631 
/*
 * Test TLSv1.3 PSK can be used to send early_data with all 7 ciphersuites
 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256
 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
 * idx == 5: Test with TLS1_3_RFC_SHA256_SHA256
 * idx == 6: Test with TLS1_3_RFC_SHA384_SHA384
 *
 * Returns 1 on success or when the ciphersuite is skipped (compiled out, or
 * not available with the FIPS module), 0 on failure.
 */
static int test_early_data_psk_with_all_ciphers(int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    SSL_SESSION *sess = NULL;
    unsigned char buf[20];
    size_t readbytes, written;
    const SSL_CIPHER *cipher;
    OSSL_TIME timer;
    /*
     * cipher_str and cipher_bytes are parallel tables indexed by idx and must
     * keep the same order. A compiled-out suite is a NULL placeholder so the
     * remaining indices do not shift.
     * NOTE(review): idx is used as an index without a range check; this
     * assumes the test is registered with exactly 7 iterations - confirm at
     * the registration site.
     */
    const char *cipher_str[] = {
        TLS1_3_RFC_AES_128_GCM_SHA256,
        TLS1_3_RFC_AES_256_GCM_SHA384,
#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
        TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
#else
        NULL,
#endif
        TLS1_3_RFC_AES_128_CCM_SHA256,
        TLS1_3_RFC_AES_128_CCM_8_SHA256,
#if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
        TLS1_3_RFC_SHA256_SHA256,
        TLS1_3_RFC_SHA384_SHA384
#else
        NULL,
        NULL
#endif
    };
    const unsigned char *cipher_bytes[] = {
        TLS13_AES_128_GCM_SHA256_BYTES,
        TLS13_AES_256_GCM_SHA384_BYTES,
#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
        TLS13_CHACHA20_POLY1305_SHA256_BYTES,
#else
        NULL,
#endif
        TLS13_AES_128_CCM_SHA256_BYTES,
        TLS13_AES_128_CCM_8_SHA256_BYTES,
#if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
        TLS13_SHA256_SHA256_BYTES,
        TLS13_SHA384_SHA384_BYTES
#else
        NULL,
        NULL
#endif
    };

    /* Suite not built in: report success without running anything */
    if (cipher_str[idx] == NULL)
        return 1;
    /*
     * Skip ChaCha20Poly1305 and TLS_SHA{256,384}_SHA{256,384} ciphers
     * as currently FIPS module does not support them.
     */
    if ((idx == 2 || idx == 5 || idx == 6) && is_fips == 1)
        return 1;

    /*
     * We always set this up with "2" (PSK) as the argument that precedes the
     * digest length
     */
    if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
            &serverssl, &sess, 2,
            SHA384_DIGEST_LENGTH)))
        goto end;

    if (idx == 4 || idx == 5 || idx == 6) {
        /*
         * CCM8 ciphers are considered low security due to their short tag.
         * Integrity-only ciphers do not provide any confidentiality.
         * Security level 0 is set on these two test connections only, so
         * that the suites can be selected for the purpose of this test.
         */
        SSL_set_security_level(clientssl, 0);
        SSL_set_security_level(serverssl, 0);
    }

    /* Restrict both ends to the single ciphersuite under test */
    if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
        || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
        goto end;

    /*
     * 'setupearly_data_test' creates only one instance of SSL_SESSION
     * and assigns to both client and server with incremented reference
     * and the same instance is updated in 'sess'.
     * So updating ciphersuite in 'sess' which will get reflected in
     * PSK handshake using psk use sess and find sess cb.
     */
    cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
    if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
        goto end;

    SSL_set_connect_state(clientssl);
    /* Start time, handed to check_early_data_timeout() below */
    timer = ossl_time_now();
    if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
            &written)))
        goto end;

    if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                         &readbytes),
            SSL_READ_EARLY_DATA_SUCCESS)) {
        /*
         * Unexpected read result: the helper (defined outside this function)
         * decides the verdict - presumably it tolerates a session that aged
         * out while the test ran; confirm there.
         */
        testresult = check_early_data_timeout(timer);
        goto end;
    }

    /* Early data must arrive intact and be accepted; then finish handshake */
    if (!TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
        || !TEST_int_eq(SSL_get_early_data_status(serverssl),
            SSL_EARLY_DATA_ACCEPTED)
        || !TEST_int_eq(SSL_connect(clientssl), 1)
        || !TEST_int_eq(SSL_accept(serverssl), 1))
        goto end;

    /* Send some normal data from client to server */
    if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
        || !TEST_size_t_eq(written, strlen(MSG2)))
        goto end;

    if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
        || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
        goto end;

    testresult = 1;
end:
    SSL_SESSION_free(sess);
    /*
     * clientpsk and serverpsk are declared outside this function; they are
     * released and cleared here so no stale session is left behind.
     */
    SSL_SESSION_free(clientpsk);
    SSL_SESSION_free(serverpsk);
    clientpsk = serverpsk = NULL;
    /* Either object may still be NULL if setup failed part way */
    if (clientssl != NULL)
        SSL_shutdown(clientssl);
    if (serverssl != NULL)
        SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}
4773 
/*
 * Test that a server that doesn't try to read early data can handle a
 * client sending some.
 *
 * idx is passed through to setupearly_data_test() to select the setup
 * variant (its meaning is defined by that helper, outside this function).
 * Returns 1 on success and 0 on failure.
 */
static int test_early_data_not_expected(int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    SSL_SESSION *sess = NULL;
    unsigned char buf[20];
    size_t readbytes, written;

    if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
            &serverssl, &sess, idx,
            SHA384_DIGEST_LENGTH)))
        goto end;

    /* Write some early data */
    if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
            &written)))
        goto end;

    /*
     * Server should skip over early data and then block waiting for client to
     * continue handshake
     */
    /*
     * The server calls SSL_accept() directly, never SSL_read_early_data(),
     * and both ends must then report the early data as rejected.
     */
    if (!TEST_int_le(SSL_accept(serverssl), 0)
        || !TEST_int_gt(SSL_connect(clientssl), 0)
        || !TEST_int_eq(SSL_get_early_data_status(serverssl),
            SSL_EARLY_DATA_REJECTED)
        || !TEST_int_gt(SSL_accept(serverssl), 0)
        || !TEST_int_eq(SSL_get_early_data_status(clientssl),
            SSL_EARLY_DATA_REJECTED))
        goto end;

    /* Send some normal data from client to server */
    if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
        || !TEST_size_t_eq(written, strlen(MSG2)))
        goto end;

    if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
        || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
        goto end;

    testresult = 1;

end:
    SSL_SESSION_free(sess);
    /*
     * clientpsk and serverpsk are declared outside this function; they are
     * released and cleared here so no stale session is left behind.
     */
    SSL_SESSION_free(clientpsk);
    SSL_SESSION_free(serverpsk);
    clientpsk = serverpsk = NULL;
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}
4832 
4833 #ifndef OPENSSL_NO_TLS1_2
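/*
 * Test that a server attempting to read early data can handle a connection
 * from a TLSv1.2 client.
 *
 * idx is passed through to setupearly_data_test() to select the setup
 * variant (its meaning is defined by that helper, outside this function).
 * Returns 1 on success and 0 on failure.
 */
static int test_early_data_tls1_2(int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    unsigned char buf[20];
    size_t readbytes, written;

    if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
            &serverssl, NULL, idx,
            SHA384_DIGEST_LENGTH)))
        goto end;

    /*
     * Cap the client at TLSv1.2. The result is checked so that a failure to
     * apply the cap is reported here rather than showing up later as an
     * unrelated handshake mismatch.
     */
    if (!TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
        goto end;

    /* Write some data - should block due to handshake with server */
    SSL_set_connect_state(clientssl);
    if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
        goto end;

    /*
     * Server should do TLSv1.2 handshake. First it will block waiting for more
     * messages from client after ServerDone. Then SSL_read_early_data should
     * finish and detect that early data has not been sent
     */
    if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                         &readbytes),
            SSL_READ_EARLY_DATA_ERROR))
        goto end;

    /*
     * Continue writing the message we started earlier. Will still block waiting
     * for the CCS/Finished from server
     */
    if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
        || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                            &readbytes),
            SSL_READ_EARLY_DATA_FINISH)
        || !TEST_size_t_eq(readbytes, 0)
        || !TEST_int_eq(SSL_get_early_data_status(serverssl),
            SSL_EARLY_DATA_NOT_SENT))
        goto end;

    /*
     * Continue writing the message we started earlier. Every step, including
     * the final client read, goes through a TEST_ macro so that a failure
     * leaves a diagnostic instead of silently jumping to the end.
     */
    if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
        || !TEST_size_t_eq(written, strlen(MSG1))
        || !TEST_int_eq(SSL_get_early_data_status(clientssl),
            SSL_EARLY_DATA_NOT_SENT)
        || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
        || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
        || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
        || !TEST_size_t_eq(written, strlen(MSG2))
        || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
        || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
        goto end;

    testresult = 1;

end:
    /*
     * clientpsk and serverpsk are declared outside this function; they are
     * released and cleared here so no stale session is left behind.
     */
    SSL_SESSION_free(clientpsk);
    SSL_SESSION_free(serverpsk);
    clientpsk = serverpsk = NULL;
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}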
4906 #endif /* OPENSSL_NO_TLS1_2 */
4907 
/*
 * Test configuring the TLSv1.3 ciphersuites
 *
 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
 *
 * In every case the handshake is expected to complete. Returns 1 on success
 * and 0 on failure.
 */
static int test_set_ciphersuite(int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;

    /* The server always offers both ciphersuites the client may pick from */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_VERSION, 0,
            &sctx, &cctx, cert, privkey))
        || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
            "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
        goto end;

    if (idx >= 4 && idx <= 7) {
        /* SSL_CTX explicit cipher list */
        if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
            goto end;
    }

    /* Client ciphersuite configured on the SSL_CTX (tests 0, 1, 4, 5) */
    if (idx == 0 || idx == 4) {
        /* Default ciphersuite */
        if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
                "TLS_AES_128_GCM_SHA256")))
            goto end;
    } else if (idx == 1 || idx == 5) {
        /* Non default ciphersuite */
        if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
                "TLS_AES_128_CCM_SHA256")))
            goto end;
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
            &clientssl, NULL, NULL)))
        goto end;

    if (idx == 8 || idx == 9) {
        /* SSL explicit cipher list */
        if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
            goto end;
    }

    /* Client ciphersuite configured on the SSL object (tests 2, 3, 6-9) */
    if (idx == 2 || idx == 6 || idx == 8) {
        /* Default ciphersuite */
        if (!TEST_true(SSL_set_ciphersuites(clientssl,
                "TLS_AES_128_GCM_SHA256")))
            goto end;
    } else if (idx == 3 || idx == 7 || idx == 9) {
        /* Non default ciphersuite */
        if (!TEST_true(SSL_set_ciphersuites(clientssl,
                "TLS_AES_128_CCM_SHA256")))
            goto end;
    }

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
4988 
/*
 * Test how TLSv1.3 session resumption reacts when the ciphersuite
 * configuration changes between connections:
 *  - a SHA-256 session is resumed with a different SHA-256 ciphersuite
 *  - a SHA-256 session is offered while the client only has a SHA-384
 *    ciphersuite: the connection is made but the session is not reused
 *  - a SHA-384 session whose recorded cipher is swapped for a SHA-256 one
 *    mid-handshake makes the client fail with
 *    SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED
 *
 * Returns 1 on success and 0 on failure.
 */
static int test_ciphersuite_change(void)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    SSL_SESSION *clntsess = NULL;
    int testresult = 0;
    /* Cipher of the first (SHA-256) session, reused for the final step */
    const SSL_CIPHER *aes_128_gcm_sha256 = NULL;

    /* Create a session based on SHA-256 */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_VERSION, 0,
            &sctx, &cctx, cert, privkey))
        || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
            "TLS_AES_128_GCM_SHA256:"
            "TLS_AES_256_GCM_SHA384:"
            "TLS_AES_128_CCM_SHA256"))
        || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
            "TLS_AES_128_GCM_SHA256")))
        goto end;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    /*
     * NOTE(review): the session returned here is used without a NULL check;
     * presumably one always exists after the successful connection above.
     */
    clntsess = SSL_get1_session(clientssl);
    /* Save for later */
    aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    /* Cleared so the cleanup at "end" cannot free them a second time */
    serverssl = clientssl = NULL;

    /* Check we can resume a session with a different SHA-256 ciphersuite */
    if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
            "TLS_AES_128_CCM_SHA256"))
        || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
            &clientssl, NULL, NULL))
        || !TEST_true(SSL_set_session(clientssl, clntsess))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE))
        || !TEST_true(SSL_session_reused(clientssl)))
        goto end;

    /* Swap the held reference for the session of the resumed connection */
    SSL_SESSION_free(clntsess);
    clntsess = SSL_get1_session(clientssl);
    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    /*
     * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
     * succeeds but does not resume.
     */
    /*
     * NOTE(review): SSL_ERROR_SSL is passed to create_ssl_connection() while
     * the call is still expected to return true; the helper is defined
     * outside this file section - confirm how it treats that argument.
     */
    if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
        || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL))
        || !TEST_true(SSL_set_session(clientssl, clntsess))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_SSL))
        || !TEST_false(SSL_session_reused(clientssl)))
        goto end;

    SSL_SESSION_free(clntsess);
    clntsess = NULL;
    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    /* Create a session based on SHA384 */
    if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
        || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
            &clientssl, NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    clntsess = SSL_get1_session(clientssl);
    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    /*
     * The client now offers both digests while the server is limited to the
     * SHA-384 ciphersuite, and the SHA-384 session is offered for resumption.
     */
    if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
            "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
        || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
            "TLS_AES_256_GCM_SHA384"))
        || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL))
        || !TEST_true(SSL_set_session(clientssl, clntsess))
        /*
         * We use SSL_ERROR_WANT_READ below so that we can pause the
         * connection after the initial ClientHello has been sent to
         * enable us to make some session changes.
         */
        || !TEST_false(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_WANT_READ)))
        goto end;

    /* Trick the client into thinking this session is for a different digest */
    /*
     * This writes the SSL_SESSION fields directly rather than going through
     * an API call, so it depends on the internal structure layout being
     * visible to this file.
     */
    clntsess->cipher = aes_128_gcm_sha256;
    clntsess->cipher_id = clntsess->cipher->id;

    /*
     * Continue the previously started connection. Server has selected a SHA-384
     * ciphersuite, but client thinks the session is for SHA-256, so it should
     * bail out.
     */
    if (!TEST_false(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_SSL))
        || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
            SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
        goto end;

    testresult = 1;

end:
    SSL_SESSION_free(clntsess);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
5121 
5122 /*
5123  * Test TLSv1.3 Key exchange
5124  * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
5125  * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
5126  * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
5127  * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
5128  * Test 4 = Test NID_X25519 with TLSv1.3 client and server
5129  * Test 5 = Test NID_X448 with TLSv1.3 client and server
5130  * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
5131  * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
5132  * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
5133  * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
5134  * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
5135  * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
5136  * Test 12 = Test all ML-KEM with TLSv1.3 client and server
5137  * Test 13 = Test MLKEM512
5138  * Test 14 = Test MLKEM768
5139  * Test 15 = Test MLKEM1024
5140  * Test 16 = Test X25519MLKEM768
5141  * Test 17 = Test SecP256r1MLKEM768
5142  * Test 18 = Test SecP384r1MLKEM1024
5143  * Test 19 = Test all ML-KEM with TLSv1.2 client and server
5144  * Test 20 = Test all FFDHE with TLSv1.2 client and server
5145  * Test 21 = Test all ECDHE with TLSv1.2 client and server
5146  */
#ifndef OPENSSL_NO_EC
/*
 * ECDHE group NIDs used by the "all ECDHE" cases of test_key_exchange().
 * The X25519/X448 entries are only present when ECX support is built in.
 */
static int ecdhe_kexch_groups[] = { NID_X9_62_prime256v1, NID_secp384r1,
    NID_secp521r1,
#ifndef OPENSSL_NO_ECX
    NID_X25519, NID_X448
#endif
};
#endif
#ifndef OPENSSL_NO_DH
/* FFDHE group NIDs used by the "all FFDHE" cases of test_key_exchange() */
static int ffdhe_kexch_groups[] = { NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
    NID_ffdhe6144, NID_ffdhe8192 };
#endif
5159 static int test_key_exchange(int idx)
5160 {
5161     SSL_CTX *sctx = NULL, *cctx = NULL;
5162     SSL *serverssl = NULL, *clientssl = NULL;
5163     int testresult = 0;
5164     int kexch_alg = NID_undef;
5165     int *kexch_groups = &kexch_alg;
5166     int kexch_groups_size = 1;
5167     int max_version = TLS1_3_VERSION;
5168     char *kexch_name0 = NULL;
5169     const char *kexch_names = NULL;
5170     int shared_group0;
5171 
5172     switch (idx) {
5173 #ifndef OPENSSL_NO_EC
5174 #ifndef OPENSSL_NO_TLS1_2
5175     case 21:
5176         max_version = TLS1_2_VERSION;
5177 #endif
5178         /* Fall through */
5179     case 0:
5180         kexch_groups = ecdhe_kexch_groups;
5181         kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
5182         kexch_name0 = "secp256r1";
5183         break;
5184     case 1:
5185         kexch_alg = NID_X9_62_prime256v1;
5186         kexch_name0 = "secp256r1";
5187         break;
5188     case 2:
5189         kexch_alg = NID_secp384r1;
5190         kexch_name0 = "secp384r1";
5191         break;
5192     case 3:
5193         kexch_alg = NID_secp521r1;
5194         kexch_name0 = "secp521r1";
5195         break;
5196 #ifndef OPENSSL_NO_ECX
5197     case 4:
5198         if (is_fips)
5199             return TEST_skip("X25519 might not be supported by fips provider.");
5200         kexch_alg = NID_X25519;
5201         kexch_name0 = "x25519";
5202         break;
5203     case 5:
5204         if (is_fips)
5205             return TEST_skip("X448 might not be supported by fips provider.");
5206         kexch_alg = NID_X448;
5207         kexch_name0 = "x448";
5208         break;
5209 #endif
5210 #endif
5211 #ifndef OPENSSL_NO_DH
5212 #ifndef OPENSSL_NO_TLS1_2
5213     case 20:
5214         max_version = TLS1_2_VERSION;
5215         kexch_name0 = "ffdhe2048";
5216 #endif
5217         /* Fall through */
5218     case 6:
5219         kexch_groups = ffdhe_kexch_groups;
5220         kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
5221         kexch_name0 = "ffdhe2048";
5222         break;
5223     case 7:
5224         kexch_alg = NID_ffdhe2048;
5225         kexch_name0 = "ffdhe2048";
5226         break;
5227     case 8:
5228         kexch_alg = NID_ffdhe3072;
5229         kexch_name0 = "ffdhe3072";
5230         break;
5231     case 9:
5232         kexch_alg = NID_ffdhe4096;
5233         kexch_name0 = "ffdhe4096";
5234         break;
5235     case 10:
5236         kexch_alg = NID_ffdhe6144;
5237         kexch_name0 = "ffdhe6144";
5238         break;
5239     case 11:
5240         kexch_alg = NID_ffdhe8192;
5241         kexch_name0 = "ffdhe8192";
5242         break;
5243 #endif
5244 #ifndef OPENSSL_NO_ML_KEM
5245 #if !defined(OPENSSL_NO_TLS1_2)
5246     case 19:
5247         max_version = TLS1_2_VERSION;
5248 #if !defined(OPENSSL_NO_EC)
5249         /* Set at least one EC group so the handshake completes */
5250         kexch_names = "MLKEM512:MLKEM768:MLKEM1024:secp256r1";
5251 #elif !defined(OPENSSL_NO_DH)
5252         kexch_names = "MLKEM512:MLKEM768:MLKEM1024";
5253 #else
5254         /* With neither EC nor DH TLS 1.2 can't happen */
5255         return 1;
5256 #endif
5257 #endif
5258         /* Fall through */
5259     case 12:
5260         kexch_groups = NULL;
5261         if (kexch_names == NULL)
5262             kexch_names = "MLKEM512:MLKEM768:MLKEM1024";
5263         kexch_name0 = "MLKEM512";
5264         break;
5265     case 13:
5266         kexch_groups = NULL;
5267         kexch_name0 = "MLKEM512";
5268         kexch_names = kexch_name0;
5269         break;
5270     case 14:
5271         kexch_groups = NULL;
5272         kexch_name0 = "MLKEM768";
5273         kexch_names = kexch_name0;
5274         break;
5275     case 15:
5276         kexch_groups = NULL;
5277         kexch_name0 = "MLKEM1024";
5278         kexch_names = kexch_name0;
5279         break;
5280 #ifndef OPENSSL_NO_EC
5281 #ifndef OPENSSL_NO_ECX
5282     case 16:
5283         kexch_groups = NULL;
5284         kexch_name0 = "X25519MLKEM768";
5285         kexch_names = kexch_name0;
5286         break;
5287 #endif
5288     case 17:
5289         kexch_groups = NULL;
5290         kexch_name0 = "SecP256r1MLKEM768";
5291         kexch_names = kexch_name0;
5292         break;
5293     case 18:
5294         kexch_groups = NULL;
5295         kexch_name0 = "SecP384r1MLKEM1024";
5296         kexch_names = kexch_name0;
5297         break;
5298 #endif
5299 #endif
5300     default:
5301         /* We're skipping this test */
5302         return 1;
5303     }
5304 
5305     if (is_fips && fips_provider_version_lt(libctx, 3, 5, 0)
5306         && idx >= 12 && idx <= 19)
5307         return TEST_skip("ML-KEM not supported in this version of fips provider");
5308 
5309     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5310             TLS_client_method(), TLS1_VERSION,
5311             max_version, &sctx, &cctx, cert,
5312             privkey)))
5313         goto end;
5314 
5315     if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
5316             TLS1_3_RFC_AES_128_GCM_SHA256)))
5317         goto end;
5318 
5319     if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5320             TLS1_3_RFC_AES_128_GCM_SHA256)))
5321         goto end;
5322 
5323     if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5324             TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":" TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5325         || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5326         goto end;
5327 
5328     /*
5329      * Must include an EC ciphersuite so that we send supported groups in
5330      * TLSv1.2
5331      */
5332 #ifndef OPENSSL_NO_TLS1_2
5333     if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5334             TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":" TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5335         goto end;
5336 #endif
5337 
5338     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5339             NULL, NULL)))
5340         goto end;
5341 
5342     if (kexch_groups != NULL) {
5343         if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
5344             || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
5345             goto end;
5346     } else {
5347         if (!TEST_true(SSL_set1_groups_list(serverssl, kexch_names))
5348             || !TEST_true(SSL_set1_groups_list(clientssl, kexch_names)))
5349             goto end;
5350     }
5351 
5352     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5353         goto end;
5354 
5355     /*
5356      * If the handshake succeeds the negotiated kexch alg should be the first
5357      * one configured, except in the case of "all" FFDHE and "all" ML-KEM
5358      * groups (idx == 19, 20), which are TLSv1.3 only so we expect no shared
5359      * group to exist.
5360      */
5361     shared_group0 = SSL_get_shared_group(serverssl, 0);
5362     switch (idx) {
5363     case 19:
5364 #if !defined(OPENSSL_NO_EC)
5365         /* MLKEM + TLS 1.2 and no DH => "secp256r1" */
5366         if (!TEST_int_eq(shared_group0, NID_X9_62_prime256v1))
5367             goto end;
5368         break;
5369 #endif
5370         /* Fall through */
5371     case 20:
5372         if (!TEST_int_eq(shared_group0, 0))
5373             goto end;
5374         break;
5375     default:
5376         if (kexch_groups != NULL
5377             && !TEST_int_eq(shared_group0, kexch_groups[0]))
5378             goto end;
5379         if (!TEST_str_eq(SSL_group_to_name(serverssl, shared_group0),
5380                 kexch_name0))
5381             goto end;
5382         if (!TEST_str_eq(SSL_get0_group_name(serverssl), kexch_name0)
5383             || !TEST_str_eq(SSL_get0_group_name(clientssl), kexch_name0))
5384             goto end;
5385         if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), shared_group0))
5386             goto end;
5387         if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), shared_group0))
5388             goto end;
5389         break;
5390     }
5391 
5392     testresult = 1;
5393 end:
5394     SSL_free(serverssl);
5395     SSL_free(clientssl);
5396     SSL_CTX_free(sctx);
5397     SSL_CTX_free(cctx);
5398     return testresult;
5399 }
5400 
5401 #if !defined(OPENSSL_NO_TLS1_2) \
5402     && !defined(OPENSSL_NO_EC)  \
5403     && !defined(OPENSSL_NO_DH)
/*
 * Configure the key exchange groups of one server/client pair.
 *
 * The group at position idx of the ECDHE list (isecdhe != 0) or of the FFDHE
 * list (isecdhe == 0) becomes the only group of one side, while the other
 * side is given the complete list of that family.  When clientmulti is
 * non-zero the client holds the complete list and the server the single
 * group; otherwise the roles are swapped.
 *
 * idx is not range checked here, so the caller must pass a valid index into
 * the selected list.
 *
 * Returns 1 on success and 0 as soon as an SSL_set1_groups() call fails.
 */
static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
    int isecdhe, int idx)
{
    const int numec = OSSL_NELEM(ecdhe_kexch_groups);
    const int numff = OSSL_NELEM(ffdhe_kexch_groups);
    int kexch_alg = isecdhe ? ecdhe_kexch_groups[idx] : ffdhe_kexch_groups[idx];
    int *kexch_groups = &kexch_alg;
    int ok;

    /* The side restricted to a single group is always configured first */
    if (clientmulti) {
        if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
            return 0;
    } else if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1))) {
        return 0;
    }

    /* The other side then receives every group of the chosen family */
    if (clientmulti && isecdhe)
        ok = TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups, numec));
    else if (clientmulti)
        ok = TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups, numff));
    else if (isecdhe)
        ok = TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups, numec));
    else
        ok = TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups, numff));

    return ok ? 1 : 0;
}
5445 
/*-
 * Exercise the SSL_get_negotiated_group() API across a battery of scenarios.
 * The ECDHE and FFDHE group lists used in the previous test are walked for
 * both TLS 1.2 and TLS 1.3, negotiating each group in turn and confirming
 * the expected result.  Every scenario then performs a resumption handshake
 * while offering the same group list, followed by another resumption
 * handshake offering a different group list.
 *
 * After the initial handshake the returned value should be the negotiated
 * group.  For TLS 1.3 resumption handshakes the returned value is negotiated
 * on the resumption handshake itself, but for TLS 1.2 resumption handshakes
 * the value is the one cached in the session from the original handshake,
 * regardless of what was offered in the resumption ClientHello.
 *
 * Using E for the number of EC groups and F for the number of FF groups:
 * E tests of ECDHE with TLS 1.3, server only has one group
 * F tests of FFDHE with TLS 1.3, server only has one group
 * E tests of ECDHE with TLS 1.2, server only has one group
 * F tests of FFDHE with TLS 1.2, server only has one group
 * E tests of ECDHE with TLS 1.3, client sends only one group
 * F tests of FFDHE with TLS 1.3, client sends only one group
 * E tests of ECDHE with TLS 1.2, client sends only one group
 * F tests of FFDHE with TLS 1.2, client sends only one group
 */
static int test_negotiated_group(int idx)
{
    const int numec = OSSL_NELEM(ecdhe_kexch_groups);
    const int numff = OSSL_NELEM(ffdhe_kexch_groups);
    const int numgroups = numec + numff;
    int clientmulti, istls13, isecdhe;
    int kexch_alg, expectednid;
    int max_version;
    int testresult = 0;
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    SSL_SESSION *origsess = NULL;

    /* Peel the scenario apart: multi-group side, version, family, group */
    clientmulti = (idx < 2 * numgroups);
    idx %= 2 * numgroups;
    istls13 = (idx < numgroups);
    idx %= numgroups;
    isecdhe = (idx < numec);
    if (!isecdhe)
        idx -= numec;

    /* From here on 'idx' indexes ecdhe_kexch_groups or ffdhe_kexch_groups */
    kexch_alg = isecdhe ? ecdhe_kexch_groups[idx] : ffdhe_kexch_groups[idx];

    /* The TLS 1.2 FFDHE named groups are unimplemented: expect nothing */
    expectednid = (istls13 || isecdhe) ? kexch_alg : NID_undef;

    if (is_fips && (kexch_alg == NID_X25519 || kexch_alg == NID_X448))
        return TEST_skip("X25519 and X448 might not be available in fips provider.");

    max_version = istls13 ? TLS1_3_VERSION : TLS1_2_VERSION;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_VERSION,
            max_version, &sctx, &cctx, cert,
            privkey)))
        goto end;

    /*
     * TLS 1.2 is restricted to (EC)DHE ciphers on both sides.  Auto tmp DH
     * is enabled on the server so that FFDHE can succeed.
     */
    if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
            TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":" TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
        || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1))
        || !TEST_true(SSL_CTX_set_cipher_list(cctx,
            TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":" TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
        goto end;

    /* Initial, full handshake */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL))
        || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
            idx))
        || !TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /* Both ends must report the group that was configured */
    if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
        || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
        goto end;

    /* Hold on to the session so that both resumptions below can offer it */
    if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
        goto end;

    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    /* First resumption: identical group configuration */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL))
        || !TEST_true(SSL_set_session(clientssl, origsess))
        || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
            isecdhe, idx))
        || !TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
        || !TEST_true(SSL_session_reused(clientssl)))
        goto end;

    /* Nothing changed, so the reported group must not change either */
    if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
        || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
        goto end;

    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    /*-
     * Second resumption
     * The party that holds a single group switches to a neighbouring one,
     * which is done by moving 'idx', and the expectation is updated to match.
     */
    idx = (idx == 0) ? 1 : idx - 1;
    if (istls13) {
        expectednid = isecdhe ? ecdhe_kexch_groups[idx]
                              : ffdhe_kexch_groups[idx];
        /* Make sure the expectation really did change */
        if (!TEST_int_ne(expectednid, kexch_alg))
            goto end;
    } else {
        /* TLS 1.2 only supports named groups for ECDHE */
        expectednid = isecdhe ? kexch_alg : 0;
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL))
        || !TEST_true(SSL_set_session(clientssl, origsess))
        || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
            isecdhe, idx))
        || !TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
        || !TEST_true(SSL_session_reused(clientssl)))
        goto end;

    /* Both ends must now report the updated expectation */
    if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
        || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
        goto end;

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    SSL_SESSION_free(origsess);
    return testresult;
}
5622 #endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
5623 
/*
 * Test TLSv1.3 ciphersuite configuration
 * Test 0 = TLS1.3 cipher set on the context
 * Test 1 = TLS1.3 cipher set on the SSL object
 * Test 2 = TLS1.3 and TLS1.2 ciphers set on the context
 * Test 3 = TLS1.3 and TLS1.2 ciphers set on the SSL object
 *
 * Each table entry that is usable with the active provider is handshaken
 * once with a TLS 1.2 maximum version and once with a TLS 1.3 maximum
 * version (the TLS 1.2 pass is skipped when TLS 1.2 is compiled out).
 */
static int test_tls13_ciphersuite(int idx)
{
    static const struct {
        const char *ciphername;
        int fipscapable;
        int low_security;
    } t13_ciphers[] = {
        { TLS1_3_RFC_AES_128_GCM_SHA256, 1, 0 },
        { TLS1_3_RFC_AES_256_GCM_SHA384, 1, 0 },
        { TLS1_3_RFC_AES_128_CCM_SHA256, 1, 0 },
#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
        { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
        { TLS1_3_RFC_AES_256_GCM_SHA384
            ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
            0, 0 },
#endif
        /* CCM8 ciphers count as low security because their tag is short */
        { TLS1_3_RFC_AES_128_CCM_8_SHA256
            ":" TLS1_3_RFC_AES_128_CCM_SHA256,
            1, 1 },
#if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
        /* Integrity-only ciphers provide no confidentiality at all */
        { TLS1_3_RFC_SHA256_SHA256, 0, 1 },
        { TLS1_3_RFC_SHA384_SHA384, 0, 1 }
#endif
    };
    /* Where the ciphers get configured; any other idx configures nothing */
    const int set_at_ctx = (idx == 0 || idx == 2);
    const int set_at_ssl = (idx == 1 || idx == 3);
    /* Only tests 2 and 3 configure a TLS 1.2 cipher as well */
    const char *t12_cipher = (idx == 2 || idx == 3)
        ? TLS1_TXT_RSA_WITH_AES_128_SHA256
        : NULL;
    const char *t13_cipher = NULL;
    const char *negotiated_scipher;
    const char *negotiated_ccipher;
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    int testresult = 0;
    int max_ver;
    size_t i;

    for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
#ifdef OPENSSL_NO_TLS1_2
        if (max_ver == TLS1_2_VERSION)
            continue;
#endif
        for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
            /* Entries the FIPS provider cannot serve are left out */
            if (is_fips && !t13_ciphers[i].fipscapable)
                continue;
            t13_cipher = t13_ciphers[i].ciphername;

            if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                    TLS_client_method(),
                    TLS1_VERSION, max_ver,
                    &sctx, &cctx, cert, privkey)))
                goto end;

            /*
             * Entries flagged low_security are exercised with the security
             * level lowered to 0 on both contexts.
             */
            if (t13_ciphers[i].low_security) {
                SSL_CTX_set_security_level(sctx, 0);
                SSL_CTX_set_security_level(cctx, 0);
            }

            /* Context-level configuration (tests 0 and 2) */
            if (set_at_ctx
                && (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
                    || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher))))
                goto end;
            if (set_at_ctx && t12_cipher != NULL
                && (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
                    || !TEST_true(SSL_CTX_set_cipher_list(cctx,
                        t12_cipher))))
                goto end;

            if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                    &clientssl, NULL, NULL)))
                goto end;

            /* Connection-level configuration (tests 1 and 3) */
            if (set_at_ssl
                && (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
                    || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher))))
                goto end;
            if (set_at_ssl && t12_cipher != NULL
                && (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
                    || !TEST_true(SSL_set_cipher_list(clientssl,
                        t12_cipher))))
                goto end;

            if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                    SSL_ERROR_NONE)))
                goto end;

            /* Server and client must agree on the negotiated cipher */
            negotiated_scipher = SSL_CIPHER_get_name(
                SSL_get_current_cipher(serverssl));
            negotiated_ccipher = SSL_CIPHER_get_name(
                SSL_get_current_cipher(clientssl));
            if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
                goto end;

            /*
             * t13_cipher may hold several ciphersuites, hence TEST_strn_eq:
             * only the leading strlen(negotiated_scipher) characters of the
             * configured string are compared.
             */
            if (max_ver == TLS1_3_VERSION
                && !TEST_strn_eq(t13_cipher, negotiated_scipher,
                    strlen(negotiated_scipher)))
                goto end;

#ifndef OPENSSL_NO_TLS1_2
            /* No TLS 1.2 validation takes place when t12_cipher is NULL */
            if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
                && !TEST_str_eq(t12_cipher, negotiated_scipher))
                goto end;
#endif

            /* Tear everything down before moving on to the next entry */
            SSL_free(serverssl);
            serverssl = NULL;
            SSL_free(clientssl);
            clientssl = NULL;
            SSL_CTX_free(sctx);
            sctx = NULL;
            SSL_CTX_free(cctx);
            cctx = NULL;
        }
    }

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}
5780 
/*
 * Test TLSv1.3 PSKs
 * Test 0 = new style callbacks
 * Test 1 = both new and old style callbacks
 * Test 2 = old style callbacks
 * Test 3 = old style callbacks with no certificate
 *
 * The handshakes run in this order: one where the callback declines to send
 * a PSK, one where the PSK is used, one where the PSK is used across a
 * HelloRetryRequest, and one where the server rejects the PSK identity.  The
 * first and the last are left out for test 3.  The callback counters are
 * checked after every handshake.
 */
static int test_tls13_psk(int idx)
{
    /* Fixed test key; it only exists to make the handshakes reproducible */
    const unsigned char key[] = {
        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
        0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
        0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
        0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
    };
    const int newstyle = (idx == 0 || idx == 1);
    const int havecert = (idx != 3);
    const SSL_CIPHER *cipher = NULL;
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    int testresult = 0;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_VERSION, 0,
            &sctx, &cctx, idx == 3 ? NULL : cert,
            idx == 3 ? NULL : privkey)))
        goto end;

    if (havecert) {
        /*
         * A SHA256 ciphersuite makes it easier to test the old style PSK
         * callbacks, which always default to SHA256.  Without a cert/priv
         * key this should be unnecessary, because the server should then
         * prefer SHA256 automatically.
         */
        if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
                "TLS_AES_128_GCM_SHA256")))
            goto end;
    } else {
        /*
         * The server should prefer SHA256 automatically, as noted above.
         * TLS_CHACHA20_POLY1305_SHA256 is deliberately not offered, so that
         * the same code works with only the FIPS provider loaded.
         */
        if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
                "TLS_AES_256_GCM_SHA384:"
                "TLS_AES_128_GCM_SHA256")))
            goto end;
    }

    /*
     * Test 0: New style callbacks only
     * Test 1: New and old style callbacks (only the new ones should be used)
     * Test 2: Old style callbacks only
     */
    if (newstyle) {
        SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
        SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
    }
#ifndef OPENSSL_NO_PSK
    if (idx >= 1) {
        SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
        SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
    }
#endif
    /* Start from a known identity and from zeroed callback counters */
    srvid = pskid;
    use_session_cb_cnt = find_session_cb_cnt = 0;
    psk_client_cb_cnt = psk_server_cb_cnt = 0;

    if (havecert) {
        /*
         * A connection must still be possible when the callback decides not
         * to send a PSK; this has to be a full handshake.
         */
        if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                NULL, NULL))
            || !TEST_true(create_ssl_connection(serverssl, clientssl,
                SSL_ERROR_NONE))
            || !TEST_false(SSL_session_reused(clientssl))
            || !TEST_false(SSL_session_reused(serverssl)))
            goto end;

        if (newstyle) {
            if (!TEST_true(use_session_cb_cnt == 1)
                || !TEST_true(find_session_cb_cnt == 0)
                /*
                 * The count below should be 0 without an old style
                 * callback, otherwise 1
                 */
                || !TEST_true(psk_client_cb_cnt == idx)
                || !TEST_true(psk_server_cb_cnt == 0))
                goto end;
        } else {
            if (!TEST_true(use_session_cb_cnt == 0)
                || !TEST_true(find_session_cb_cnt == 0)
                || !TEST_true(psk_client_cb_cnt == 1)
                || !TEST_true(psk_server_cb_cnt == 0))
                goto end;
        }

        shutdown_ssl_connection(serverssl, clientssl);
        serverssl = clientssl = NULL;
        use_session_cb_cnt = psk_client_cb_cnt = 0;
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;

    /*
     * Create the PSK.  Client and server share one session object: the extra
     * reference taken last is the one that serverpsk owns.
     */
    cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
    clientpsk = SSL_SESSION_new();
    if (!TEST_ptr(clientpsk)
        || !TEST_ptr(cipher)
        || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
            sizeof(key)))
        || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
        || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
            TLS1_3_VERSION))
        || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
        goto end;
    serverpsk = clientpsk;

    /* A connection must now succeed with the PSK in use on both sides */
    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
        || !TEST_true(SSL_session_reused(clientssl))
        || !TEST_true(SSL_session_reused(serverssl)))
        goto end;

    if (newstyle) {
        if (!TEST_true(use_session_cb_cnt == 1)
            || !TEST_true(find_session_cb_cnt == 1)
            || !TEST_true(psk_client_cb_cnt == 0)
            || !TEST_true(psk_server_cb_cnt == 0))
            goto end;
    } else {
        if (!TEST_true(use_session_cb_cnt == 0)
            || !TEST_true(find_session_cb_cnt == 0)
            || !TEST_true(psk_client_cb_cnt == 1)
            || !TEST_true(psk_server_cb_cnt == 1))
            goto end;
    }

    shutdown_ssl_connection(serverssl, clientssl);
    serverssl = clientssl = NULL;
    use_session_cb_cnt = find_session_cb_cnt = 0;
    psk_client_cb_cnt = psk_server_cb_cnt = 0;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;

    /* Force an HRR by restricting the server to a single group */
#if defined(OPENSSL_NO_EC)
    if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
        goto end;
#else
    if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
        goto end;
#endif

    /*
     * The connection must succeed with the PSK in use, and this time the
     * callbacks are expected to be called twice.
     */
    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
        || !TEST_true(SSL_session_reused(clientssl))
        || !TEST_true(SSL_session_reused(serverssl)))
        goto end;

    if (newstyle) {
        if (!TEST_true(use_session_cb_cnt == 2)
            || !TEST_true(find_session_cb_cnt == 2)
            || !TEST_true(psk_client_cb_cnt == 0)
            || !TEST_true(psk_server_cb_cnt == 0))
            goto end;
    } else {
        if (!TEST_true(use_session_cb_cnt == 0)
            || !TEST_true(find_session_cb_cnt == 0)
            || !TEST_true(psk_client_cb_cnt == 2)
            || !TEST_true(psk_server_cb_cnt == 2))
            goto end;
    }

    shutdown_ssl_connection(serverssl, clientssl);
    serverssl = clientssl = NULL;
    use_session_cb_cnt = find_session_cb_cnt = 0;
    psk_client_cb_cnt = psk_server_cb_cnt = 0;

    if (havecert) {
        /*
         * When the server rejects the PSK a connection must still be
         * possible, but only through a full handshake.
         */
        srvid = "Dummy Identity";
        if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                NULL, NULL))
            || !TEST_true(create_ssl_connection(serverssl, clientssl,
                SSL_ERROR_NONE))
            || !TEST_false(SSL_session_reused(clientssl))
            || !TEST_false(SSL_session_reused(serverssl)))
            goto end;

        if (newstyle) {
            if (!TEST_true(use_session_cb_cnt == 1)
                || !TEST_true(find_session_cb_cnt == 1)
                || !TEST_true(psk_client_cb_cnt == 0)
                /*
                 * The count below should be 0 without an old style
                 * callback, otherwise 1
                 */
                || !TEST_true(psk_server_cb_cnt == idx))
                goto end;
        } else {
            if (!TEST_true(use_session_cb_cnt == 0)
                || !TEST_true(find_session_cb_cnt == 0)
                || !TEST_true(psk_client_cb_cnt == 1)
                || !TEST_true(psk_server_cb_cnt == 1))
                goto end;
        }

        shutdown_ssl_connection(serverssl, clientssl);
        serverssl = clientssl = NULL;
    }
    testresult = 1;

end:
    /* Drop both PSK references and clear the file-level pointers */
    SSL_SESSION_free(clientpsk);
    SSL_SESSION_free(serverpsk);
    clientpsk = serverpsk = NULL;
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}
6017 
6018 #ifndef OSSL_NO_USABLE_TLS1_3
/*
 * Test that TLS1.3 connection establishment succeeds with various
 * configurations of the options `SSL_OP_ALLOW_NO_DHE_KEX` and
 * `SSL_OP_PREFER_NO_DHE_KEX`.  Whether the right KEX mode is chosen is not
 * verified by this test; `test_tls13kexmodes` covers that.
 *
 * Tests (idx & 1): Server has `SSL_OP_ALLOW_NO_DHE_KEX` set.
 * Tests (idx & 2): Server has `SSL_OP_PREFER_NO_DHE_KEX` set.
 * Tests (idx & 4): Client has `SSL_OP_ALLOW_NO_DHE_KEX` set.
 */
static int test_tls13_no_dhe_kex(const int idx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    SSL_SESSION *saved_session;
    uint64_t server_options = 0;
    uint64_t client_options = 0;
    int testresult = 0;
    size_t j;

    /* Translate the bits of idx into option masks for either side */
    if ((idx & 1) != 0)
        server_options |= SSL_OP_ALLOW_NO_DHE_KEX;
    if ((idx & 2) != 0)
        server_options |= SSL_OP_PREFER_NO_DHE_KEX;
    if ((idx & 4) != 0)
        client_options |= SSL_OP_ALLOW_NO_DHE_KEX;

    new_called = 0;
    do_cache = 1;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_3_VERSION, 0,
            &sctx, &cctx, cert, privkey)))
        goto end;

    SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL_STORE);

    SSL_CTX_set_options(sctx, server_options);
    SSL_CTX_set_options(cctx, client_options);

    /* Sessions issued to the client are collected through this callback */
    SSL_CTX_sess_set_new_cb(cctx, new_cachesession_cb);

    /* Full handshake; also checks we got the number of tickets we expected */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
            &clientssl, NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE))
        || !TEST_int_eq(2, new_called))
        goto end;

    /*
     * The last ticket is the one that gets reused.  The pointer is borrowed
     * from sesscache, which is emptied at 'end'.
     */
    saved_session = sesscache[new_called - 1];

    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(cctx);
    clientssl = serverssl = NULL;
    cctx = NULL;

    /*
     * Resume with the ticket saved above.  The server context is kept, so
     * only a new client context is created.
     */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_3_VERSION, 0,
            NULL, &cctx, cert, privkey)))
        goto end;

    SSL_CTX_set_options(cctx, client_options);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
            &clientssl, NULL, NULL))
        || !TEST_true(SSL_set_session(clientssl, saved_session)))
        goto end;

    /* The handshake must complete and must really have been a resumption */
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE))
        || !TEST_true(SSL_session_reused(clientssl)))
        goto end;

    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    /* Release every cached session, saved_session included */
    for (j = 0; j < OSSL_NELEM(sesscache); j++) {
        SSL_SESSION_free(sesscache[j]);
        sesscache[j] = NULL;
    }
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
6128 #endif /* OSSL_NO_USABLE_TLS1_3 */
6129 
6130 static unsigned char cookie_magic_value[] = "cookie magic";
6131 
/*
 * Test-only cookie generator.
 *
 * Copies the bytes of cookie_magic_value (without its trailing NUL) into
 * |cookie| and stores the number of bytes written in |cookie_len|. Always
 * returns 1.
 *
 * The cookie is a compile-time constant: nothing secret and nothing about the
 * peer goes into it, so it cannot tell one client from another. The signature
 * carries no buffer capacity, so the caller must provide room for the whole
 * value.
 */
static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
    unsigned int *cookie_len)
{
    const unsigned int magic_len = sizeof(cookie_magic_value) - 1;

    memcpy(cookie, cookie_magic_value, magic_len);
    *cookie_len = magic_len;

    return 1;
}
6144 
/*
 * Test-only cookie verifier, the counterpart of generate_cookie_callback().
 *
 * Returns 1 when |cookie| is exactly the cookie_magic_value bytes (trailing
 * NUL excluded), 0 otherwise.
 */
static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
    unsigned int cookie_len)
{
    const unsigned int expected_len = sizeof(cookie_magic_value) - 1;

    /* Check the length first so memcmp never reads beyond a short cookie. */
    if (cookie_len != expected_len)
        return 0;

    return memcmp(cookie, cookie_magic_value, expected_len) == 0 ? 1 : 0;
}
6154 
/*
 * Adapter that gives generate_cookie_callback() the size_t based signature
 * expected by SSL_CTX_set_stateless_cookie_generate_cb().
 *
 * The length is collected in an unsigned int and then widened into
 * |*cookie_len|; the return value of the wrapped callback is passed through.
 */
static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
    size_t *cookie_len)
{
    unsigned int narrow_len;
    const int ok = generate_cookie_callback(ssl, cookie, &narrow_len);

    *cookie_len = narrow_len;
    return ok;
}
6163 
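/*
 * Adapter that gives verify_cookie_callback() the size_t based signature
 * expected by SSL_CTX_set_stateless_cookie_verify_cb().
 *
 * Returns 1 when the cookie is accepted, 0 otherwise.
 */
static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
    size_t cookie_len)
{
    /*
     * verify_cookie_callback() takes an unsigned int length. Reject anything
     * that does not survive the narrowing unchanged, so an oversized length
     * cannot wrap around to a value that matches the expected cookie size.
     */
    if ((size_t)(unsigned int)cookie_len != cookie_len)
        return 0;

    return verify_cookie_callback(ssl, cookie, (unsigned int)cookie_len);
}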
6169 
/*
 * Exercise SSL_stateless() on the server side in three rounds, reusing the
 * same server SSL object each time:
 *   1. no cookie callbacks installed: SSL_stateless() must return -1;
 *   2. callbacks installed, first ClientHello only: must return 0 because the
 *      ClientHello carries no cookie;
 *   3. first ClientHello (0), second ClientHello with the cookie (1), then the
 *      handshake is completed.
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_stateless(void)
{
    int testresult = 0;
    SSL_CTX *sctx = NULL;
    SSL_CTX *cctx = NULL;
    SSL *serverssl = NULL;
    SSL *clientssl = NULL;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_VERSION, 0,
            &sctx, &cctx, cert, privkey)))
        goto end;

    /* The arrival of CCS messages can confuse the test */
    SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);

    /* Round 1: no cookie callbacks are registered yet. */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;

    /* Send the first ClientHello */
    if (!TEST_false(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_WANT_READ)))
        goto end;

    /* This should fail with a -1 return because we have no callbacks set up */
    if (!TEST_int_eq(SSL_stateless(serverssl), -1))
        goto end;

    /* Fatal error so abandon the connection from this client */
    SSL_free(clientssl);
    clientssl = NULL;

    /* Set up the cookie generation and verification callbacks */
    SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
    SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);

    /*
     * Round 2: a new connection from the client (the server SSL object is
     * reused).
     */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;

    /* Send the first ClientHello */
    if (!TEST_false(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_WANT_READ)))
        goto end;

    /* This should fail because there is no cookie */
    if (!TEST_int_eq(SSL_stateless(serverssl), 0))
        goto end;

    /* Abandon the connection from this client */
    SSL_free(clientssl);
    clientssl = NULL;

    /* Round 3: a new client, still the same server SSL object. */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;

    /* Send the first ClientHello */
    if (!TEST_false(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_WANT_READ)))
        goto end;

    /* This should fail because there is no cookie */
    if (!TEST_int_eq(SSL_stateless(serverssl), 0))
        goto end;

    /* Send the second ClientHello */
    if (!TEST_false(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_WANT_READ)))
        goto end;

    /* This should succeed because a cookie is now present */
    if (!TEST_int_eq(SSL_stateless(serverssl), 1))
        goto end;

    /* Complete the connection */
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    shutdown_ssl_connection(serverssl, clientssl);
    serverssl = clientssl = NULL;
    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}
6253 #endif /* OSSL_NO_USABLE_TLS1_3 */
6254 
/*
 * Invocation counters for the custom-extension and SNI callbacks below.
 * Objects with static storage duration start at zero; test_custom_exts()
 * resets them at the start of every run.
 */
static int clntaddoldcb;
static int clntparseoldcb;
static int srvaddoldcb;
static int srvparseoldcb;
static int clntaddnewcb;
static int clntparsenewcb;
static int srvaddnewcb;
static int srvparsenewcb;
static int snicb;
6264 
6265 #define TEST_EXT_TYPE1 0xff00
6266 
/*
 * Old-style "add" callback for the test extension.
 *
 * |add_arg| points to an int giving the role (non-zero for server) this
 * callback was registered for. The per-role counter is incremented before the
 * role is checked, so a call on the wrong side is still counted.
 *
 * On success a freshly allocated one-byte payload with value 1 is handed back
 * through |out|/|outlen| and 1 is returned; old_free_cb() releases it.
 * Returns -1 on a role mismatch or allocation failure.
 */
static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
    size_t *outlen, int *al, void *add_arg)
{
    const int *expected_role = (int *)add_arg;
    const int is_server = SSL_is_server(s);
    unsigned char *payload;

    if (is_server)
        srvaddoldcb++;
    else
        clntaddoldcb++;

    if (*expected_role != is_server)
        return -1;

    payload = OPENSSL_malloc(sizeof(*payload));
    if (payload == NULL)
        return -1;

    *payload = 1;
    *out = payload;
    *outlen = sizeof(char);
    return 1;
}
6287 
/*
 * Old-style "free" callback: releases the payload allocated by old_add_cb().
 * The const qualifier is cast away because the callback receives the buffer
 * as a const pointer.
 */
static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
    void *add_arg)
{
    unsigned char *payload = (unsigned char *)out;

    OPENSSL_free(payload);
}
6293 
/*
 * Old-style "parse" callback for the test extension.
 *
 * |parse_arg| points to an int giving the role (non-zero for server) this
 * callback was registered for. The per-role counter is incremented before any
 * validation.
 *
 * Returns 1 when the role matches and the extension body is exactly one byte
 * with value 1, otherwise -1.
 */
static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
    size_t inlen, int *al, void *parse_arg)
{
    const int *expected_role = (int *)parse_arg;
    const int is_server = SSL_is_server(s);

    if (is_server)
        srvparseoldcb++;
    else
        clntparseoldcb++;

    if (*expected_role != is_server)
        return -1;

    /* The length is validated before |in| is dereferenced. */
    if (inlen != sizeof(char))
        return -1;

    if (*in != 1)
        return -1;

    return 1;
}
6311 
/*
 * New-style (context-aware) "add" callback for the test extension.
 *
 * |add_arg| points to an int giving the role (non-zero for server) this
 * callback was registered for. The per-role counter is incremented before the
 * role is checked.
 *
 * On success a freshly allocated one-byte payload with value 1 is handed back
 * through |out|/|outlen| and 1 is returned; new_free_cb() releases it.
 * Returns -1 on a role mismatch or allocation failure.
 */
static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
    const unsigned char **out, size_t *outlen, X509 *x,
    size_t chainidx, int *al, void *add_arg)
{
    const int *expected_role = (int *)add_arg;
    const int is_server = SSL_is_server(s);
    unsigned char *payload;

    if (is_server)
        srvaddnewcb++;
    else
        clntaddnewcb++;

    if (*expected_role != is_server)
        return -1;

    payload = OPENSSL_malloc(sizeof(*payload));
    if (payload == NULL)
        return -1;

    *payload = 1;
    *out = payload;
    *outlen = sizeof(*payload);
    return 1;
}
6333 
/*
 * New-style "free" callback: releases the payload allocated by new_add_cb().
 * The const qualifier is cast away because the callback receives the buffer
 * as a const pointer.
 */
static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
    const unsigned char *out, void *add_arg)
{
    unsigned char *payload = (unsigned char *)out;

    OPENSSL_free(payload);
}
6339 
/*
 * New-style (context-aware) "parse" callback for the test extension.
 *
 * |parse_arg| points to an int giving the role (non-zero for server) this
 * callback was registered for. The per-role counter is incremented before any
 * validation.
 *
 * Returns 1 when the role matches and the extension body is exactly one byte
 * with value 1, otherwise -1.
 */
static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
    const unsigned char *in, size_t inlen, X509 *x,
    size_t chainidx, int *al, void *parse_arg)
{
    const int *expected_role = (int *)parse_arg;
    const int is_server = SSL_is_server(s);

    if (is_server)
        srvparsenewcb++;
    else
        clntparsenewcb++;

    if (*expected_role != is_server)
        return -1;

    /* The length is validated before |in| is dereferenced. */
    if (inlen != sizeof(char))
        return -1;

    if (*in != 1)
        return -1;

    return 1;
}
6357 
/*
 * Servername callback that switches the connection to the SSL_CTX passed in
 * |arg| and counts each successful switch in snicb.
 *
 * Returns SSL_TLSEXT_ERR_OK on success. If SSL_set_SSL_CTX() fails, |*al| is
 * set to SSL_AD_INTERNAL_ERROR and SSL_TLSEXT_ERR_ALERT_FATAL is returned.
 */
static int sni_cb(SSL *s, int *al, void *arg)
{
    SSL_CTX *target = (SSL_CTX *)arg;

    if (SSL_set_SSL_CTX(s, target) != NULL) {
        snicb++;
        return SSL_TLSEXT_ERR_OK;
    }

    *al = SSL_AD_INTERNAL_ERROR;
    return SSL_TLSEXT_ERR_ALERT_FATAL;
}
6369 
/*
 * Verification callback that accepts unconditionally: it returns 1 whatever
 * |preverify_ok| says, so a certificate that failed the built-in checks is
 * still accepted on any context this is installed on. It exists so that
 * test_custom_exts() can request a client certificate without setting up a
 * trust store; it is not a pattern for code that needs peer authentication.
 */
static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
{
    (void)preverify_ok;
    (void)x509_ctx;

    return 1;
}
6374 
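/*
 * Custom call back tests.
 * Test 0: Old style callbacks in TLSv1.2
 * Test 1: New style callbacks in TLSv1.2
 * Test 2: New style callbacks in TLSv1.2 with SNI
 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
 *
 * Each test registers the extension on both contexts, checks that a duplicate
 * registration is refused, runs a full handshake and compares the callback
 * counters with the expected values. Tests 0, 1, 2 and 4 then resume the
 * session and check the counters again.
 *
 * The counters are compared with TEST_int_eq() so that a mismatch reports the
 * actual and expected values instead of failing silently.
 *
 * Returns 1 on success (or when the test is skipped), 0 on failure.
 */
static int test_custom_exts(int tst)
{
    SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    /* Role markers, passed by address as add_arg/parse_arg to the callbacks */
    static int server = 1;
    static int client = 0;
    SSL_SESSION *sess = NULL;
    unsigned int context;

#if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
    /* Skip tests for TLSv1.2 and below in this case */
    if (tst < 3)
        return 1;
#endif

    /* Reset callback counters */
    clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
    clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
    snicb = 0;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_VERSION, 0,
            &sctx, &cctx, cert, privkey)))
        goto end;

    /* Test 2 needs a second server context for the SNI callback to switch to */
    if (tst == 2
        && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
            TLS1_VERSION, 0,
            &sctx2, NULL, cert, privkey)))
        goto end;

    if (tst < 3) {
        SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
        SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
        if (sctx2 != NULL)
            SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
    }

    if (tst == 5) {
        context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
            | SSL_EXT_TLS1_3_CERTIFICATE;
        /*
         * Require a client certificate; verify_cb accepts whatever is
         * presented, so no trust store is needed for this test.
         */
        SSL_CTX_set_verify(sctx,
            SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
            verify_cb);
        if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
                             SSL_FILETYPE_PEM),
                1)
            || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
                                SSL_FILETYPE_PEM),
                1)
            || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
            goto end;
    } else if (tst == 4) {
        context = SSL_EXT_CLIENT_HELLO
            | SSL_EXT_TLS1_2_SERVER_HELLO
            | SSL_EXT_TLS1_3_SERVER_HELLO
            | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
            | SSL_EXT_TLS1_3_CERTIFICATE
            | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
    } else {
        context = SSL_EXT_CLIENT_HELLO
            | SSL_EXT_TLS1_2_SERVER_HELLO
            | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
    }

    /* Create a client side custom extension */
    if (tst == 0) {
        if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
                old_add_cb, old_free_cb,
                &client, old_parse_cb,
                &client)))
            goto end;
    } else {
        if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
                new_add_cb, new_free_cb,
                &client, new_parse_cb, &client)))
            goto end;
    }

    /* Should not be able to add duplicates */
    if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
            old_add_cb, old_free_cb,
            &client, old_parse_cb,
            &client))
        || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
            context, new_add_cb,
            new_free_cb, &client,
            new_parse_cb, &client)))
        goto end;

    /* Create a server side custom extension */
    if (tst == 0) {
        if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
                old_add_cb, old_free_cb,
                &server, old_parse_cb,
                &server)))
            goto end;
    } else {
        if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
                new_add_cb, new_free_cb,
                &server, new_parse_cb, &server)))
            goto end;
        if (sctx2 != NULL
            && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
                context, new_add_cb,
                new_free_cb, &server,
                new_parse_cb, &server)))
            goto end;
    }

    /* Should not be able to add duplicates */
    if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
            old_add_cb, old_free_cb,
            &server, old_parse_cb,
            &server))
        || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
            context, new_add_cb,
            new_free_cb, &server,
            new_parse_cb, &server)))
        goto end;

    if (tst == 2) {
        /* Set up SNI */
        if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
            || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
            goto end;
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
            &clientssl, NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    /* Counter expectations after the initial handshake */
    if (tst == 0) {
        if (!TEST_int_eq(clntaddoldcb, 1)
            || !TEST_int_eq(clntparseoldcb, 1)
            || !TEST_int_eq(srvaddoldcb, 1)
            || !TEST_int_eq(srvparseoldcb, 1))
            goto end;
    } else if (tst == 1 || tst == 2 || tst == 3) {
        /* The SNI callback must have run exactly once in test 2, never otherwise */
        if (!TEST_int_eq(clntaddnewcb, 1)
            || !TEST_int_eq(clntparsenewcb, 1)
            || !TEST_int_eq(srvaddnewcb, 1)
            || !TEST_int_eq(srvparsenewcb, 1)
            || !TEST_int_eq(snicb, tst == 2 ? 1 : 0))
            goto end;
    } else if (tst == 5) {
        if (!TEST_int_eq(clntaddnewcb, 1)
            || !TEST_int_eq(clntparsenewcb, 1)
            || !TEST_int_eq(srvaddnewcb, 1)
            || !TEST_int_eq(srvparsenewcb, 1))
            goto end;
    } else {
        /* In this case there are 2 NewSessionTicket messages created */
        if (!TEST_int_eq(clntaddnewcb, 1)
            || !TEST_int_eq(clntparsenewcb, 5)
            || !TEST_int_eq(srvaddnewcb, 5)
            || !TEST_int_eq(srvparsenewcb, 1))
            goto end;
    }

    sess = SSL_get1_session(clientssl);
    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    if (tst == 3 || tst == 5) {
        /* We don't bother with the resumption aspects for these tests */
        testresult = 1;
        goto end;
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL))
        || !TEST_true(SSL_set_session(clientssl, sess))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    /*
     * For a resumed session we expect to add the ClientHello extension. For the
     * old style callbacks we ignore it on the server side because they set
     * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
     * them.
     */
    if (tst == 0) {
        if (!TEST_int_eq(clntaddoldcb, 2)
            || !TEST_int_eq(clntparseoldcb, 1)
            || !TEST_int_eq(srvaddoldcb, 1)
            || !TEST_int_eq(srvparseoldcb, 1))
            goto end;
    } else if (tst == 1 || tst == 2) {
        /* Test 3 returned above, so only tests 1 and 2 reach this branch */
        if (!TEST_int_eq(clntaddnewcb, 2)
            || !TEST_int_eq(clntparsenewcb, 2)
            || !TEST_int_eq(srvaddnewcb, 2)
            || !TEST_int_eq(srvparsenewcb, 2))
            goto end;
    } else {
        /*
         * No Certificate message extensions in the resumption handshake,
         * 2 NewSessionTickets in the initial handshake, 1 in the resumption
         */
        if (!TEST_int_eq(clntaddnewcb, 2)
            || !TEST_int_eq(clntparsenewcb, 8)
            || !TEST_int_eq(srvaddnewcb, 8)
            || !TEST_int_eq(srvparsenewcb, 2))
            goto end;
    }

    testresult = 1;

end:
    SSL_SESSION_free(sess);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx2);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}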
6609 
6610 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
6611 
6612 #define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
6613     | SSL_EXT_CLIENT_HELLO                            \
6614     | SSL_EXT_TLS1_2_SERVER_HELLO                     \
6615     | SSL_EXT_IGNORE_ON_RESUMPTION)
6616 
6617 #define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
6618     | SSL_EXT_TLS1_2_SERVER_HELLO                \
6619     | SSL_EXT_CLIENT_HELLO)
6620 
6621 #define SERVERINFO_CUSTOM                                 \
6622     0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
6623         0x00, 0x03,                                       \
6624         0x04, 0x05, 0x06
6625 
6626 static const unsigned char serverinfo_custom_tls13[] = {
6627     0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff,
6628     SERVERINFO_CUSTOM
6629 };
6630 static const unsigned char serverinfo_custom_v2[] = {
6631     0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff,
6632     SERVERINFO_CUSTOM
6633 };
6634 static const unsigned char serverinfo_custom_v1[] = {
6635     SERVERINFO_CUSTOM
6636 };
6637 static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13);
6638 static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2);
6639 static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1);
6640 
/*
 * Client-side parse callback for the serverinfo tests.
 *
 * Compares the received extension body with the last three bytes of
 * serverinfo_custom_v1 (the extension payload) and stores the comparison
 * result in the int that |parse_arg| points to. The callback itself always
 * returns 1, so a mismatch is reported through that int and not by failing
 * the handshake.
 */
static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type,
    unsigned int context,
    const unsigned char *in,
    size_t inlen, X509 *x,
    size_t chainidx, int *al,
    void *parse_arg)
{
    enum { PAYLOAD_LEN = 3 };
    int *result = (int *)parse_arg;
    const unsigned char *expected
        = serverinfo_custom_v1 + (serverinfo_custom_v1_len - PAYLOAD_LEN);

    *result = TEST_mem_eq(in, inlen, expected, PAYLOAD_LEN);
    return 1;
}
6654 
/*
 * Check that serverinfo data installed on the server context reaches the
 * client's custom-extension parse callback.
 *
 * idx 0: SSL_CTX_use_serverinfo(),    V1 data, TLSv1.2
 * idx 1: SSL_CTX_use_serverinfo_ex(), V1 data, TLSv1.2
 * idx 2: SSL_CTX_use_serverinfo_ex(), V2 data, TLSv1.2
 * idx 3: SSL_CTX_use_serverinfo_ex(), V2 data, TLSv1.3
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_serverinfo_custom(const int idx)
{
    int testresult = 0;
    int cb_result = 0;
    SSL_CTX *sctx = NULL;
    SSL_CTX *cctx = NULL;
    SSL *serverssl = NULL;
    SSL *clientssl = NULL;

    /*
     * Per-iteration parameters. The zero/NULL defaults are not usable: for an
     * idx outside 0..3 they are left in place and the test fails.
     */
    int serverinfo_version = 0;
    int protocol_version = 0;
    unsigned int extension_context = 0;
    const unsigned char *si = NULL;
    size_t si_len = 0;

    const int call_use_serverinfo_ex = idx > 0;

    if (idx == 0 || idx == 1) {
        serverinfo_version = SSL_SERVERINFOV1;
        protocol_version = TLS1_2_VERSION;
        extension_context = SYNTHV1CONTEXT;
        si = serverinfo_custom_v1;
        si_len = serverinfo_custom_v1_len;
    } else if (idx == 2) {
        serverinfo_version = SSL_SERVERINFOV2;
        protocol_version = TLS1_2_VERSION;
        extension_context = SYNTHV1CONTEXT;
        si = serverinfo_custom_v2;
        si_len = serverinfo_custom_v2_len;
    } else if (idx == 3) {
        serverinfo_version = SSL_SERVERINFOV2;
        protocol_version = TLS1_3_VERSION;
        extension_context = TLS13CONTEXT;
        si = serverinfo_custom_tls13;
        si_len = serverinfo_custom_tls13_len;
    }

    /* Pin both ends to the single protocol version under test. */
    if (!TEST_true(create_ssl_ctx_pair(libctx,
            TLS_method(),
            TLS_method(),
            protocol_version,
            protocol_version,
            &sctx, &cctx, cert, privkey)))
        goto end;

    if (call_use_serverinfo_ex) {
        if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version,
                si, si_len)))
            goto end;
    } else {
        if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len)))
            goto end;
    }

    /* The client only parses the extension; it registers no add/free callbacks. */
    if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp,
            extension_context,
            NULL, NULL, NULL,
            serverinfo_custom_parse_cb,
            &cb_result)))
        goto end;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    if (!TEST_int_eq(SSL_do_handshake(clientssl), 1))
        goto end;

    /* Set by serverinfo_custom_parse_cb() when the payload matched. */
    if (!TEST_true(cb_result))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
6741 #endif
6742 
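#define SMALL_LABEL_LEN 10
#define LONG_LABEL_LEN 249

/*
 * Export keying material on both endpoints with identical inputs and require
 * that both calls succeed and produce the same |keymatlen| bytes.
 */
static int export_key_mat_pair(SSL *clientssl, SSL *serverssl,
    unsigned char *ckeymat, unsigned char *skeymat, size_t keymatlen,
    const char *label, size_t labellen,
    const unsigned char *context, size_t contextlen, int use_context)
{
    return TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat,
                           keymatlen, label, labellen,
                           context, contextlen, use_context),
               1)
        && TEST_int_eq(SSL_export_keying_material(serverssl, skeymat,
                           keymatlen, label, labellen,
                           context, contextlen, use_context),
            1)
        && TEST_mem_eq(ckeymat, keymatlen, skeymat, keymatlen);
}

/*
 * Test that SSL_export_keying_material() produces expected results. There are
 * no test vectors so all we do is test that both sides of the communication
 * produce the same results for different protocol versions.
 *
 * Test 0: TLSv1.0, Test 1: TLSv1.1, Test 2: TLSv1.2, Test 3: TLSv1.3,
 * Test 4: TLSv1.3 with the longest permitted label,
 * Test 5: TLSv1.3 with a label one byte too long (the export must fail).
 *
 * Returns 1 on success (or when the test is skipped), 0 on failure.
 */
static int test_export_key_mat(int tst)
{
    int testresult = 0;
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    /* Zero padded to LONG_LABEL_LEN + 1 bytes so the long-label reads stay in bounds */
    const char label[LONG_LABEL_LEN + 1] = "test label";
    const unsigned char context[] = "context";
    const unsigned char *emptycontext = NULL;
    unsigned char longcontext[1280];
    int test_longcontext = fips_provider_version_ge(libctx, 3, 3, 0);
    unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80], ckeymat4[80];
    unsigned char skeymat1[80], skeymat2[80], skeymat3[80], skeymat4[80];
    size_t labellen;
    const int protocols[] = {
        TLS1_VERSION,
        TLS1_1_VERSION,
        TLS1_2_VERSION,
        TLS1_3_VERSION,
        TLS1_3_VERSION,
        TLS1_3_VERSION
    };

#ifdef OPENSSL_NO_TLS1
    if (tst == 0)
        return 1;
#endif
#ifdef OPENSSL_NO_TLS1_1
    if (tst == 1)
        return 1;
#endif
    if (is_fips && (tst == 0 || tst == 1))
        return 1;
#ifdef OPENSSL_NO_TLS1_2
    if (tst == 2)
        return 1;
#endif
#ifdef OSSL_NO_USABLE_TLS1_3
    if (tst >= 3)
        return 1;
#endif
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_VERSION, 0,
            &sctx, &cctx, cert, privkey)))
        goto end;

    OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
    SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
    SSL_CTX_set_min_proto_version(cctx, protocols[tst]);

    /*
     * For versions below TLSv1.2 both sides drop to security level 0
     * (presumably the default level would not negotiate them; confirm against
     * the library defaults). A failure to apply the setting is reported
     * instead of silently failing the test.
     */
    if (protocols[tst] < TLS1_2_VERSION
        && (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0"))
            || !TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))))
        goto end;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
            NULL)))
        goto end;

    /*
     * Premature call of SSL_export_keying_material should just fail.
     */
    if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
                         sizeof(ckeymat1), label,
                         SMALL_LABEL_LEN + 1, context,
                         sizeof(context) - 1, 1),
            0))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    if (tst == 5) {
        /*
         * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
         * go over that.
         */
        if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
                             sizeof(ckeymat1), label,
                             LONG_LABEL_LEN + 1, context,
                             sizeof(context) - 1, 1),
                0))
            goto end;

        testresult = 1;
        goto end;
    } else if (tst == 4) {
        labellen = LONG_LABEL_LEN;
    } else {
        labellen = SMALL_LABEL_LEN;
    }

    memset(longcontext, 1, sizeof(longcontext));

    /* Both sides must derive the same key material with the same context */
    if (!export_key_mat_pair(clientssl, serverssl, ckeymat1, skeymat1,
            sizeof(ckeymat1), label, labellen,
            context, sizeof(context) - 1, 1)
        /* ... with an empty context */
        || !export_key_mat_pair(clientssl, serverssl, ckeymat2, skeymat2,
            sizeof(ckeymat2), label, labellen,
            emptycontext, 0, 1)
        /* ... without a context */
        || !export_key_mat_pair(clientssl, serverssl, ckeymat3, skeymat3,
            sizeof(ckeymat3), label, labellen,
            NULL, 0, 0)
        /* ... and, when test_longcontext is set, with a long context */
        || (test_longcontext
            && !export_key_mat_pair(clientssl, serverssl, ckeymat4, skeymat4,
                sizeof(ckeymat4), label, labellen,
                longcontext, sizeof(longcontext), 1))
        /* Different contexts should produce different results */
        || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
            sizeof(ckeymat2)))
        goto end;

    /*
     * Check that an empty context and no context produce different results in
     * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
     */
    if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3, sizeof(ckeymat3)))
        || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3, sizeof(ckeymat3))))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}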
6938 
6939 #ifndef OSSL_NO_USABLE_TLS1_3
/*
 * Test that SSL_export_keying_material_early() produces expected results.
 * There are no test vectors, so the test only checks that client and server
 * derive identical output from identical inputs, and that changing the
 * context changes the output. |idx| is passed through to
 * setupearly_data_test().
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_export_key_mat_early(int idx)
{
    static const char label[] = "test label";
    static const unsigned char context[] = "context";
    const size_t labellen = sizeof(label) - 1;
    const size_t contextlen = sizeof(context) - 1;
    const unsigned char *emptycontext = NULL;
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    SSL_SESSION *sess = NULL;
    unsigned char ckeymat1[80], ckeymat2[80];
    unsigned char skeymat1[80], skeymat2[80];
    unsigned char buf[1];
    size_t readbytes, written;
    int testresult = 0;

    if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
            &sess, idx, SHA384_DIGEST_LENGTH)))
        goto end;

    /* Here writing 0 length early data is enough. */
    if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written)))
        goto end;

    if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                         &readbytes),
            SSL_READ_EARLY_DATA_ERROR))
        goto end;

    if (!TEST_int_eq(SSL_get_early_data_status(serverssl),
            SSL_EARLY_DATA_ACCEPTED))
        goto end;

    /* Client side: explicit context, then empty context */
    if (!TEST_int_eq(SSL_export_keying_material_early(
                         clientssl, ckeymat1, sizeof(ckeymat1), label,
                         labellen, context, contextlen),
            1))
        goto end;

    if (!TEST_int_eq(SSL_export_keying_material_early(
                         clientssl, ckeymat2, sizeof(ckeymat2), label,
                         labellen, emptycontext, 0),
            1))
        goto end;

    /* Server side: the same two exports */
    if (!TEST_int_eq(SSL_export_keying_material_early(
                         serverssl, skeymat1, sizeof(skeymat1), label,
                         labellen, context, contextlen),
            1))
        goto end;

    if (!TEST_int_eq(SSL_export_keying_material_early(
                         serverssl, skeymat2, sizeof(skeymat2), label,
                         labellen, emptycontext, 0),
            1))
        goto end;

    /* Both sides must agree when given the same context */
    if (!TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
            sizeof(skeymat1)))
        goto end;

    /* Both sides must agree when given an empty context */
    if (!TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
            sizeof(skeymat2)))
        goto end;

    /* Different contexts should produce different results */
    if (!TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
            sizeof(ckeymat2)))
        goto end;

    testresult = 1;

end:
    SSL_SESSION_free(sess);
    SSL_SESSION_free(clientpsk);
    SSL_SESSION_free(serverpsk);
    clientpsk = serverpsk = NULL;
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
7020 
#define NUM_KEY_UPDATE_MESSAGES 40
/*
 * KeyUpdate test over a TLSv1.3 connection. The client sends
 * NUM_KEY_UPDATE_MESSAGES KeyUpdate messages in a row, first without
 * requesting an update from the peer (pass 0) and then requesting one
 * (pass 1). After each burst, application data must still flow in both
 * directions.
 */
static int test_key_update(void)
{
    static char *mess = "A test message";
    char buf[20];
    SSL *clientssl = NULL, *serverssl = NULL;
    SSL_CTX *cctx = NULL, *sctx = NULL;
    int testresult = 0, i, j;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            TLS1_3_VERSION,
            0,
            &sctx, &cctx, cert, privkey)))
        goto end;
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    for (j = 0; j < 2; j++) {
        /* Queue and flush a long run of KeyUpdate messages */
        for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
            if (!TEST_true(SSL_key_update(clientssl,
                    (j == 0)
                        ? SSL_KEY_UPDATE_NOT_REQUESTED
                        : SSL_KEY_UPDATE_REQUESTED)))
                goto end;
            if (!TEST_true(SSL_do_handshake(clientssl)))
                goto end;
        }

        /* Client to server application data must still decrypt */
        if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess)))
            goto end;
        if (!TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
                strlen(mess)))
            goto end;

        /* And so must server to client */
        if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess)))
            goto end;
        if (!TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
                strlen(mess)))
            goto end;
    }

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
7077 
/*
 * Check that a KeyUpdate (update requested) message is handled while the
 * receiving endpoint still has an incomplete write outstanding.
 * Test 0: Client sends KeyUpdate while Server is writing
 * Test 1: Server sends KeyUpdate while Client is writing
 */
static int test_key_update_peer_in_write(int tst)
{
    static char *mess = "A test message";
    char buf[20];
    BIO *bretry = BIO_new(bio_s_always_retry());
    BIO *tmp = NULL;
    SSL *peerupdate = NULL, *peerwrite = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    SSL_CTX *cctx = NULL, *sctx = NULL;
    int testresult = 0;

    if (!TEST_ptr(bretry))
        goto end;
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            TLS1_3_VERSION,
            0,
            &sctx, &cctx, cert, privkey)))
        goto end;
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    if (tst == 0) {
        peerupdate = clientssl;
        peerwrite = serverssl;
    } else {
        peerupdate = serverssl;
        peerwrite = clientssl;
    }

    /* The updating endpoint sends its KeyUpdate straight away */
    if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED)))
        goto end;
    if (!TEST_int_eq(SSL_do_handshake(peerupdate), 1))
        goto end;

    /*
     * Replace the writer's write BIO with one that always asks for a retry.
     * An extra reference is taken on the original BIO first so that it can
     * be put back afterwards.
     */
    tmp = SSL_get_wbio(peerwrite);
    if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
        /* No reference was obtained, so cleanup must not free it */
        tmp = NULL;
        goto end;
    }
    SSL_set0_wbio(peerwrite, bretry);
    /* bretry now belongs to peerwrite */
    bretry = NULL;

    /* This write cannot complete and must report SSL_ERROR_WANT_WRITE */
    if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1))
        goto end;
    if (!TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
        goto end;
    if (!TEST_true(SSL_want_write(peerwrite)))
        goto end;
    if (!TEST_true(SSL_net_write_desired(peerwrite)))
        goto end;

    /* Put the original write BIO back; our extra reference goes with it */
    SSL_set0_wbio(peerwrite, tmp);
    tmp = NULL;

    /* Reading now picks up the KeyUpdate; no application data is available */
    if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1))
        goto end;
    if (!TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
        goto end;
    if (!TEST_true(SSL_want_read(peerwrite)))
        goto end;
    if (!TEST_true(SSL_net_read_desired(peerwrite)))
        goto end;

    /* Finish the interrupted write and read it at the other endpoint */
    if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess)))
        goto end;
    if (!TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
        goto end;

    /* A further write makes sure the KeyUpdate response is sent back */
    if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess)))
        goto end;
    if (!TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
        goto end;

    /* Nothing may be left pending on the writer */
    if (!TEST_false(SSL_net_read_desired(peerwrite)))
        goto end;
    if (!TEST_false(SSL_net_write_desired(peerwrite)))
        goto end;
    if (!TEST_int_eq(SSL_want(peerwrite), SSL_NOTHING))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    BIO_free(bretry);
    BIO_free(tmp);

    return testresult;
}
7171 
/*
 * Check that a KeyUpdate (update requested) message is handled while the
 * peer has a read pending after it accepted the KeyUpdate (the 5 byte
 * message header has already been read).
 * Test 0: Client sends KeyUpdate while Server is reading
 * Test 1: Server sends KeyUpdate while Client is reading
 */
static int test_key_update_peer_in_read(int tst)
{
    static char *mess = "A test message";
    char prbuf[515], lwbuf[515] = { 0 };
    BIO *lbio = NULL, *pbio = NULL;
    SSL *local = NULL, *peer = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    SSL_CTX *cctx = NULL, *sctx = NULL;
    int testresult = 0;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            TLS1_3_VERSION,
            0,
            &sctx, &cctx, cert, privkey)))
        goto end;
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    if (tst == 0) {
        local = clientssl;
        peer = serverssl;
    } else {
        local = serverssl;
        peer = clientssl;
    }

    /* Reconnect the endpoints through a BIO pair with 512 byte buffers */
    if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
        goto end;

    SSL_set_bio(local, lbio, lbio);
    SSL_set_bio(peer, pbio, pbio);

    /*
     * Queue a KeyUpdate in local, then write application data. The
     * KeyUpdate message plus the lwbuf record is larger than the 512 byte
     * BIO pair buffer, so the write must stop with SSL_ERROR_WANT_WRITE.
     */
    if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED)))
        goto end;
    if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1))
        goto end;
    if (!TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
        goto end;

    /*
     * The peer reads the KeyUpdate first; the application data behind it is
     * not complete yet, so the read must stop with SSL_ERROR_WANT_READ.
     */
    if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1))
        goto end;
    if (!TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
        goto end;

    /* Writing from the peer sends its KeyUpdate along with the data */
    if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
        goto end;

    /* Complete the write started in local and the read started in peer */
    if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf)))
        goto end;
    if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
        goto end;

    /* Application data must still be exchanged correctly afterwards */
    if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
        goto end;
    if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
7255 
/*
 * Check that a KeyUpdate (update requested) message cannot be sent while
 * the same endpoint still has an incomplete write outstanding.
 * Test 0: Client sends KeyUpdate while Client is writing
 * Test 1: Server sends KeyUpdate while Server is writing
 */
static int test_key_update_local_in_write(int tst)
{
    static char *mess = "A test message";
    char buf[20];
    BIO *bretry = BIO_new(bio_s_always_retry());
    BIO *tmp = NULL;
    SSL *local = NULL, *peer = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    SSL_CTX *cctx = NULL, *sctx = NULL;
    int testresult = 0;

    if (!TEST_ptr(bretry))
        goto end;
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            TLS1_3_VERSION,
            0,
            &sctx, &cctx, cert, privkey)))
        goto end;
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    if (tst == 0) {
        local = clientssl;
        peer = serverssl;
    } else {
        local = serverssl;
        peer = clientssl;
    }

    /*
     * Replace local's write BIO with one that always asks for a retry. An
     * extra reference is taken on the original BIO first so that it can be
     * put back afterwards.
     */
    tmp = SSL_get_wbio(local);
    if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
        /* No reference was obtained, so cleanup must not free it */
        tmp = NULL;
        goto end;
    }
    SSL_set0_wbio(local, bretry);
    /* bretry now belongs to local */
    bretry = NULL;

    /* This write cannot complete and must report SSL_ERROR_WANT_WRITE */
    if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1))
        goto end;
    if (!TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
        goto end;

    /* Put the original write BIO back; our extra reference goes with it */
    SSL_set0_wbio(local, tmp);
    tmp = NULL;

    /*
     * With the write still pending, SSL_key_update() must be refused and the
     * error queue must carry SSL_R_BAD_WRITE_RETRY.
     */
    if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED)))
        goto end;
    if (!TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
        goto end;

    ERR_clear_error();
    /* Complete the write that was interrupted above */
    if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
        goto end;

    /* No write is pending any more, so the KeyUpdate is now accepted */
    if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED)))
        goto end;
    if (!TEST_int_eq(SSL_do_handshake(local), 1))
        goto end;

    /*
     * Send application data from local; reading it in the peer also
     * processes the KeyUpdate message.
     */
    if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
        goto end;
    if (!TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
        goto end;

    /* Write from the peer so that its KeyUpdate response is sent back */
    if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
        goto end;
    if (!TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    BIO_free(bretry);
    BIO_free(tmp);

    return testresult;
}
7346 
/*
 * Check that a KeyUpdate (update requested) message can be sent while the
 * same endpoint has a read pending (the 5 byte message header has already
 * been read).
 * Test 0: Client sends KeyUpdate while Client is reading
 * Test 1: Server sends KeyUpdate while Server is reading
 */
static int test_key_update_local_in_read(int tst)
{
    static char *mess = "A test message";
    char lrbuf[515], pwbuf[515] = { 0 }, prbuf[20];
    BIO *lbio = NULL, *pbio = NULL;
    SSL *local = NULL, *peer = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    SSL_CTX *cctx = NULL, *sctx = NULL;
    int testresult = 0;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            TLS1_3_VERSION,
            0,
            &sctx, &cctx, cert, privkey)))
        goto end;
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    if (tst == 0) {
        local = clientssl;
        peer = serverssl;
    } else {
        local = serverssl;
        peer = clientssl;
    }

    /* Reconnect the endpoints through a BIO pair with 512 byte buffers */
    if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
        goto end;

    SSL_set_bio(local, lbio, lbio);
    SSL_set_bio(peer, pbio, pbio);

    /* The peer's application data write must stop with SSL_ERROR_WANT_WRITE */
    if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1))
        goto end;
    if (!TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
        goto end;

    /* Local's read of that data must stop with SSL_ERROR_WANT_READ */
    if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1))
        goto end;
    if (!TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
        goto end;

    /* SSL_do_handshake() sends the queued KeyUpdate message */
    if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED)))
        goto end;
    if (!TEST_int_eq(SSL_do_handshake(local), 1))
        goto end;

    /* Complete the write started in peer and the read started in local */
    if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf)))
        goto end;
    if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
        goto end;

    /*
     * Send application data from local; reading it in the peer also
     * processes the KeyUpdate message.
     */
    if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
        goto end;
    if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
        goto end;

    /* Write from the peer so that its KeyUpdate response is sent back */
    if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
        goto end;
    if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
7429 #endif /* OSSL_NO_USABLE_TLS1_3 */
7430 
/*
 * Reuse an SSL object after SSL_clear(), or after resetting it with
 * SSL_set_connect_state()/SSL_set_accept_state(). A partially read record
 * is left buffered before the reset, so state from the first connection
 * must not carry over into the second one.
 * Test 0: SSL_set_connect_state, TLSv1.3
 * Test 1: SSL_set_connect_state, TLSv1.2
 * Test 2: SSL_set_accept_state, TLSv1.3
 * Test 3: SSL_set_accept_state, TLSv1.2
 * Test 4: SSL_clear (client), TLSv1.3
 * Test 5: SSL_clear (client), TLSv1.2
 * Test 6: SSL_clear (server), TLSv1.3
 * Test 7: SSL_clear (server), TLSv1.2
 */
static int test_ssl_clear(int idx)
{
    const char *msg = "Hello World";
    unsigned char buf[5];
    size_t written, readbytes;
    SSL *writer, *reader;
    SSL *clientssl = NULL, *serverssl = NULL;
    SSL_CTX *cctx = NULL, *sctx = NULL;
    int tls12test, servertest, cleartest;
    int testresult = 0;

    /* idx is a bit field: bit 0 = TLSv1.2, bit 1 = server, bit 2 = SSL_clear */
    tls12test = idx & 1;
    servertest = (idx >> 1) & 1;
    cleartest = (idx >> 2) & 1;

#ifdef OPENSSL_NO_TLS1_2
    if (tls12test == 1)
        return TEST_skip("No TLSv1.2 in this build");
#endif

    /* First connection */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_VERSION, 0,
            &sctx, &cctx, cert, privkey)))
        goto end;
    if (tls12test
        && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
            TLS1_2_VERSION)))
        goto end;
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
            &clientssl, NULL, NULL)))
        goto end;
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    /* The endpoint that will be reset is the one doing the reading */
    writer = servertest ? clientssl : serverssl;
    reader = servertest ? serverssl : clientssl;

    /* Send one message */
    if (!TEST_true(SSL_write_ex(writer, msg, strlen(msg), &written)))
        goto end;
    if (written != strlen(msg))
        goto end;

    /*
     * Read only part of the record. The rest stays buffered in the reader
     * and should be discarded by the clear/reset below.
     */
    if (!TEST_true(SSL_read_ex(reader, buf, sizeof(buf), &readbytes)))
        goto end;
    if (readbytes != sizeof(buf))
        goto end;

    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);

    /* Clear or reset the object under test for reuse; free the other one */
    if (!servertest) {
        if (!cleartest) {
            SSL_set_connect_state(clientssl);
        } else if (!TEST_true(SSL_clear(clientssl))) {
            goto end;
        }
        SSL_free(serverssl);
        serverssl = NULL;
    } else {
        if (!cleartest) {
            SSL_set_accept_state(serverssl);
        } else if (!TEST_true(SSL_clear(serverssl))) {
            goto end;
        }
        SSL_free(clientssl);
        clientssl = NULL;
    }

    /*
     * Second connection. One of the two pointers is NULL at this point;
     * presumably create_ssl_objects() creates that one and keeps the other.
     */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;
    /* In the client tests the second handshake must resume the session */
    if (!TEST_true(servertest || SSL_session_reused(clientssl)))
        goto end;

    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
7543 
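/*
 * Parse the ClientHello held in a memory BIO and retrieve the
 * max_fragment_length (MFL) extension value if the extension is present.
 *
 * bio is the memory BIO holding the ClientHello record.
 * mfl_codemfl_code receives the one-byte MFL code on success and is left
 * untouched otherwise.
 *
 * Returns 1 if the extension was found, 0 if it was absent or the record
 * could not be parsed. Every step uses the PACKET accessors and checks
 * their result, so a short or malformed record fails the test instead of
 * being read past its end.
 */
static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
{
    long len;
    unsigned char *data = NULL;
    PACKET pkt, pkt2, pkt3;
    unsigned int MFL_code = 0, type = 0;

    /*
     * Check the length as a long. An unsigned comparison would let a
     * negative return value through as a large positive number.
     */
    len = BIO_get_mem_data(bio, (char **)&data);
    if (!TEST_long_gt(len, 0) || !TEST_ptr(data))
        goto end;

    memset(&pkt, 0, sizeof(pkt));
    memset(&pkt2, 0, sizeof(pkt2));
    memset(&pkt3, 0, sizeof(pkt3));

    if (!TEST_true(PACKET_buf_init(&pkt, data, len))
        /* Skip the record header (reported like the other steps on failure) */
        || !TEST_true(PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH))
        /* Skip the handshake message header */
        || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
        /* Skip client version and random */
        || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN + SSL3_RANDOM_SIZE))
        /* Skip session id */
        || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
        /* Skip ciphers */
        || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
        /* Skip compression */
        || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
        /* Extensions block: must take up all remaining bytes */
        || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
        goto end;

    /* Walk the extensions: 2 byte type, then a 2 byte length-prefixed body */
    while (PACKET_remaining(&pkt2)) {
        if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
            || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
            goto end;

        if (type == TLSEXT_TYPE_max_fragment_length) {
            /* An MFL extension with an empty body is a failure */
            if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
                || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
                goto end;

            *mfl_codemfl_code = MFL_code;
            return 1;
        }
    }

end:
    return 0;
}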
7596 
/* Maximum-Fragment-Length TLS extension modes to test, indexed by idx_tst */
static const unsigned char max_fragment_len_test[] = {
    TLSEXT_max_fragment_length_512,
    TLSEXT_max_fragment_length_1024,
    TLSEXT_max_fragment_length_2048,
    TLSEXT_max_fragment_length_4096
};

/*
 * Configure a client context with max_fragment_len_test[idx_tst], start a
 * handshake against memory BIOs with no server behind them, and check that
 * the ClientHello left in the write BIO carries that MFL code.
 */
static int test_max_fragment_len_ext(int idx_tst)
{
    BIO *rbio, *wbio;
    SSL *con = NULL;
    SSL_CTX *ctx = NULL;
    int testresult = 0, MFL_mode = 0;

    if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
            TLS1_VERSION, 0, NULL, &ctx, NULL,
            NULL)))
        return 0;

    if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
            ctx, max_fragment_len_test[idx_tst])))
        goto end;

    con = SSL_new(ctx);
    if (!TEST_ptr(con))
        goto end;

    rbio = BIO_new(BIO_s_mem());
    wbio = BIO_new(BIO_s_mem());
    if (!TEST_ptr(rbio) || !TEST_ptr(wbio)) {
        /* Neither BIO has been handed to con yet, so free both here */
        BIO_free(rbio);
        BIO_free(wbio);
        goto end;
    }

    /* From here on con owns both BIOs; SSL_free() releases them */
    SSL_set_bio(con, rbio, wbio);

    /* There is no server, so the connect attempt must not succeed */
    if (!TEST_int_le(SSL_connect(con), 0))
        goto end;

    /* Fails if the ClientHello carries no MFL extension */
    if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
        goto end;
    /* The code on the wire must be the one that was configured */
    if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
        goto end;

    testresult = 1;

end:
    SSL_free(con);
    SSL_CTX_free(ctx);

    return testresult;
}
7654 
7655 #ifndef OSSL_NO_USABLE_TLS1_3
/*
 * Post-handshake authentication combined with a KeyUpdate on a connection
 * pinned to TLSv1.3. The server requests post-handshake client
 * authentication, the client queues a KeyUpdate (no update requested from
 * the peer), and both endpoints must then run to completion.
 */
static int test_pha_key_update(void)
{
    SSL *clientssl = NULL, *serverssl = NULL;
    SSL_CTX *cctx = NULL, *sctx = NULL;
    int testresult = 0;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_VERSION, 0,
            &sctx, &cctx, cert, privkey)))
        return 0;

    /* Pin both contexts to TLSv1.3 only */
    if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION)))
        goto end;
    if (!TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION)))
        goto end;
    if (!TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION)))
        goto end;
    if (!TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
        goto end;

    /* The client has to enable post-handshake auth before the handshake */
    SSL_CTX_set_post_handshake_auth(cctx, 1);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    /* Server asks for client authentication on the established connection */
    SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
    if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
        goto end;

    /* Client queues a KeyUpdate before it has seen the server's request */
    if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
        goto end;

    /* Start handshake on the server */
    if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
        goto end;

    /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}
7711 #endif
7712 
7713 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7714 
/* SRP verifier base consulted by ssl_srp_cb(); created and freed in test_srp() */
static SRP_VBASE *vbase = NULL;

/*
 * Server-side SRP username callback. Looks the offered username up in
 * vbase and installs that user's SRP parameters on the connection.
 *
 * Returns 0 on success. On any failure (no username, unknown user, or the
 * parameters could not be set) it stores SSL_AD_INTERNAL_ERROR in *ad and
 * returns SSL3_AL_FATAL. arg is unused.
 *
 * NOTE(review): an unknown username ends the handshake here, so a peer can
 * tell known usernames from unknown ones. That is acceptable for this test
 * fixture; confirm before reusing the pattern outside tests.
 */
static int ssl_srp_cb(SSL *s, int *ad, void *arg)
{
    SRP_user_pwd *user = NULL;
    char *username = SSL_get_srp_username(s);
    int ret = SSL3_AL_FATAL;

    /* The lookup is only attempted when the client sent a username */
    if (username != NULL)
        user = SRP_VBASE_get1_by_user(vbase, username);

    if (user == NULL
        || SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
               user->info)
            <= 0)
        *ad = SSL_AD_INTERNAL_ERROR;
    else
        ret = 0;

    /* The get1 lookup returned an entry we own; a NULL user is fine here */
    SRP_user_pwd_free(user);
    return ret;
}
7748 
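/*
 * Create a new SRP verifier file at filename holding a single entry for
 * userid, with salt and verifier derived from password.
 *
 * Returns 1 on success and 0 on failure. The file is opened with mode "w",
 * so an existing file of that name is overwritten. It holds the SRP salt
 * and verifier for the user, not the password itself.
 */
static int create_new_vfile(char *userid, char *password, const char *filename)
{
    /* gNid is returned by SRP_create_verifier_ex() and is not freed here */
    char *gNid = NULL;
    /*
     * One element per column plus one that stays NULL. The element size is
     * taken from *row so that it follows the type row points to.
     */
    OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(*row) * (DB_NUMBER + 1));
    TXT_DB *db = NULL;
    int ret = 0;
    BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
    size_t i;

    if (!TEST_ptr(dummy) || !TEST_ptr(row))
        goto end;

    /* Fills in the salt and verifier columns of the row */
    gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
        &row[DB_srpverifier], NULL, NULL, libctx, NULL);
    if (!TEST_ptr(gNid))
        goto end;

    /*
     * The only way to create an empty TXT_DB is to provide a BIO with no data
     * in it!
     */
    db = TXT_DB_read(dummy, DB_NUMBER);
    if (!TEST_ptr(db))
        goto end;

    out = BIO_new_file(filename, "w");
    if (!TEST_ptr(out))
        goto end;

    row[DB_srpid] = OPENSSL_strdup(userid);
    row[DB_srptype] = OPENSSL_strdup("V");
    row[DB_srpgN] = OPENSSL_strdup(gNid);

    if (!TEST_ptr(row[DB_srpid])
        || !TEST_ptr(row[DB_srptype])
        || !TEST_ptr(row[DB_srpgN])
        || !TEST_true(TXT_DB_insert(db, row)))
        goto end;

    /* The row now belongs to db, so the cleanup below must not free it */
    row = NULL;

    /* Report a failed write the same way as every other step */
    if (!TEST_long_gt(TXT_DB_write(out, db), 0))
        goto end;

    ret = 1;
end:
    if (row != NULL) {
        /* Row was never inserted: free the columns that were filled in */
        for (i = 0; i < DB_NUMBER; i++)
            OPENSSL_free(row[i]);
    }
    OPENSSL_free(row);
    BIO_free(dummy);
    BIO_free(out);
    TXT_DB_free(db);

    return ret;
}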
7806 
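/*
 * Add a user entry for userid to the file-level vbase, with salt and
 * verifier derived from password using the default SRP group.
 *
 * Returns 1 on success and 0 on failure. vbase must already have been
 * created by the caller.
 */
static int create_new_vbase(char *userid, char *password)
{
    BIGNUM *verifier = NULL, *salt = NULL;
    const SRP_gN *lgN = NULL;
    SRP_user_pwd *user_pwd = NULL;
    int ret = 0;

    /* vbase is dereferenced below, so refuse to run without it */
    if (!TEST_ptr(vbase))
        goto end;

    lgN = SRP_get_default_gN(NULL);
    if (!TEST_ptr(lgN))
        goto end;

    if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
            lgN->N, lgN->g, libctx, NULL)))
        goto end;

    user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
    if (!TEST_ptr(user_pwd))
        goto end;

    /* N and g point at the default group's values; they are not copied */
    user_pwd->N = lgN->N;
    user_pwd->g = lgN->g;
    user_pwd->id = OPENSSL_strdup(userid);
    if (!TEST_ptr(user_pwd->id))
        goto end;

    /* Hand salt and verifier to the entry so they are not freed twice */
    user_pwd->v = verifier;
    user_pwd->s = salt;
    verifier = salt = NULL;

    /* Report a failed insert the same way as every other step */
    if (!TEST_int_gt(sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0), 0))
        goto end;
    /* The entry now belongs to vbase */
    user_pwd = NULL;

    ret = 1;
end:
    SRP_user_pwd_free(user_pwd);
    BN_free(salt);
    BN_free(verifier);

    return ret;
}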
7848 
/*
 * SRP tests
 *
 * Even-numbered tests use the right password and expect the connection to
 * succeed. Odd-numbered tests use a wrong password and expect it to fail.
 *
 * Test 0: Simple successful SRP connection, new vbase
 * Test 1: Connection failure due to bad password, new vbase
 * Test 2: Simple successful SRP connection, vbase loaded from existing file
 * Test 3: Connection failure due to bad password, vbase loaded from existing
 *         file
 * Test 4: Simple successful SRP connection, vbase loaded from new file
 * Test 5: Connection failure due to bad password, vbase loaded from new file
 */
static int test_srp(int tst)
{
    char *userid = "test", *password = "password", *tstsrpfile;
    SSL *clientssl = NULL, *serverssl = NULL;
    SSL_CTX *cctx = NULL, *sctx = NULL;
    int ret, testresult = 0;

    vbase = SRP_VBASE_new(NULL);
    if (!TEST_ptr(vbase))
        goto end;

    if (tst != 0 && tst != 1) {
        /* File-backed vbase: the existing file, or a freshly written one */
        tstsrpfile = srpvfile;
        if (tst == 4 || tst == 5) {
            if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
                goto end;
            tstsrpfile = tmpfilename;
        }
        if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
            goto end;
    } else {
        /* In-memory vbase populated directly */
        if (!TEST_true(create_new_vbase(userid, password)))
            goto end;
    }

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_VERSION, 0,
            &sctx, &cctx, cert, privkey)))
        goto end;

    /* SRP ciphersuite on the client, both sides capped at TLSv1.2 */
    if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0))
        goto end;
    if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA")))
        goto end;
    if (!TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION)))
        goto end;
    if (!TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION)))
        goto end;
    if (!TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
        goto end;

    if (tst % 2 != 1) {
        if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
            goto end;
    } else {
        /* Negative case: a wrong password must not authenticate */
        if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
            goto end;
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;

    /* The handshake result must match what the test number calls for */
    ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
    if (!ret) {
        if (!TEST_true(tst % 2 == 1))
            goto end;
    } else {
        if (!TEST_true(tst % 2 == 0))
            goto end;
    }

    testresult = 1;

end:
    /* vbase is file-level; reset it so the next run starts clean */
    SRP_VBASE_free(vbase);
    vbase = NULL;
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
7931 #endif
7932 
/* Set to 1 by sslapi_info_callback() as soon as one expectation is not met */
static int info_cb_failed = 0;
/* Row of info_cb_states in use; test_info_callback() sets it to the test number */
static int info_cb_offset = 0;
/*
 * Index of the entry most recently consumed in that row. Reset to -1 before
 * each test and pre-incremented by sslapi_info_callback().
 */
static int info_cb_this_state = -1;
7936 
/*
 * Expected info-callback sequences, one row per test_info_callback() test
 * number (the row is selected through info_cb_offset).
 *
 * Each entry holds the "where" bit the callback must report and, for
 * SSL_CB_LOOP entries, the string SSL_state_string() must return at that
 * point. A { 0, NULL } entry ends a row: sslapi_info_callback() treats
 * reaching it as a failure, i.e. as one callback more than expected. Rows are
 * fixed at 60 entries, so the unused tail of every row is zero-initialised.
 */
static struct info_cb_states_st {
    int where;
    const char *statestr;
} info_cb_states[][60] = {
    {
        /* TLSv1.2 server followed by resumption */
        { SSL_CB_HANDSHAKE_START, NULL },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "TRCH" },
        { SSL_CB_LOOP, "TWSH" },
        { SSL_CB_LOOP, "TWSC" },
        { SSL_CB_LOOP, "TWSKE" },
        { SSL_CB_LOOP, "TWSD" },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "TWSD" },
        { SSL_CB_LOOP, "TRCKE" },
        { SSL_CB_LOOP, "TRCCS" },
        { SSL_CB_LOOP, "TRFIN" },
        { SSL_CB_LOOP, "TWST" },
        { SSL_CB_LOOP, "TWCCS" },
        { SSL_CB_LOOP, "TWFIN" },
        { SSL_CB_HANDSHAKE_DONE, NULL },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_ALERT, NULL },
        { SSL_CB_HANDSHAKE_START, NULL },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "TRCH" },
        { SSL_CB_LOOP, "TWSH" },
        { SSL_CB_LOOP, "TWCCS" },
        { SSL_CB_LOOP, "TWFIN" },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "TWFIN" },
        { SSL_CB_LOOP, "TRCCS" },
        { SSL_CB_LOOP, "TRFIN" },
        { SSL_CB_HANDSHAKE_DONE, NULL },
        { SSL_CB_EXIT, NULL },
        { 0, NULL },
    },
    {
        /* TLSv1.2 client followed by resumption */
        { SSL_CB_HANDSHAKE_START, NULL },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "TWCH" },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "TWCH" },
        { SSL_CB_LOOP, "TRSH" },
        { SSL_CB_LOOP, "TRSC" },
        { SSL_CB_LOOP, "TRSKE" },
        { SSL_CB_LOOP, "TRSD" },
        { SSL_CB_LOOP, "TWCKE" },
        { SSL_CB_LOOP, "TWCCS" },
        { SSL_CB_LOOP, "TWFIN" },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "TWFIN" },
        { SSL_CB_LOOP, "TRST" },
        { SSL_CB_LOOP, "TRCCS" },
        { SSL_CB_LOOP, "TRFIN" },
        { SSL_CB_HANDSHAKE_DONE, NULL },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_ALERT, NULL },
        { SSL_CB_HANDSHAKE_START, NULL },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "TWCH" },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "TWCH" },
        { SSL_CB_LOOP, "TRSH" },
        { SSL_CB_LOOP, "TRCCS" },
        { SSL_CB_LOOP, "TRFIN" },
        { SSL_CB_LOOP, "TWCCS" },
        { SSL_CB_LOOP, "TWFIN" },
        { SSL_CB_HANDSHAKE_DONE, NULL },
        { SSL_CB_EXIT, NULL },
        { 0, NULL },
    },
    {
        /* TLSv1.3 server followed by resumption */
        { SSL_CB_HANDSHAKE_START, NULL },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "TRCH" },
        { SSL_CB_LOOP, "TWSH" },
        { SSL_CB_LOOP, "TWCCS" },
        { SSL_CB_LOOP, "TWEE" },
        { SSL_CB_LOOP, "TWSC" },
        { SSL_CB_LOOP, "TWSCV" },
        { SSL_CB_LOOP, "TWFIN" },
        { SSL_CB_LOOP, "TED" },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "TED" },
        { SSL_CB_LOOP, "TRFIN" },
        { SSL_CB_HANDSHAKE_DONE, NULL },
        { SSL_CB_LOOP, "TWST" },
        { SSL_CB_LOOP, "TWST" },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_ALERT, NULL },
        { SSL_CB_HANDSHAKE_START, NULL },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "TRCH" },
        { SSL_CB_LOOP, "TWSH" },
        { SSL_CB_LOOP, "TWCCS" },
        { SSL_CB_LOOP, "TWEE" },
        { SSL_CB_LOOP, "TWFIN" },
        { SSL_CB_LOOP, "TED" },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "TED" },
        { SSL_CB_LOOP, "TRFIN" },
        { SSL_CB_HANDSHAKE_DONE, NULL },
        { SSL_CB_LOOP, "TWST" },
        { SSL_CB_EXIT, NULL },
        { 0, NULL },
    },
    {
        /* TLSv1.3 client followed by resumption */
        { SSL_CB_HANDSHAKE_START, NULL },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "TWCH" },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "TWCH" },
        { SSL_CB_LOOP, "TRSH" },
        { SSL_CB_LOOP, "TREE" },
        { SSL_CB_LOOP, "TRSC" },
        { SSL_CB_LOOP, "TRSCV" },
        { SSL_CB_LOOP, "TRFIN" },
        { SSL_CB_LOOP, "TWCCS" },
        { SSL_CB_LOOP, "TWFIN" },
        { SSL_CB_HANDSHAKE_DONE, NULL },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "SSLOK" },
        { SSL_CB_LOOP, "SSLOK" },
        { SSL_CB_LOOP, "TRST" },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "SSLOK" },
        { SSL_CB_LOOP, "SSLOK" },
        { SSL_CB_LOOP, "TRST" },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_ALERT, NULL },
        { SSL_CB_HANDSHAKE_START, NULL },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "TWCH" },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "TWCH" },
        { SSL_CB_LOOP, "TRSH" },
        { SSL_CB_LOOP, "TREE" },
        { SSL_CB_LOOP, "TRFIN" },
        { SSL_CB_LOOP, "TWCCS" },
        { SSL_CB_LOOP, "TWFIN" },
        { SSL_CB_HANDSHAKE_DONE, NULL },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "SSLOK" },
        { SSL_CB_LOOP, "SSLOK" },
        { SSL_CB_LOOP, "TRST" },
        { SSL_CB_EXIT, NULL },
        { 0, NULL },
    },
    {
        /* TLSv1.3 server, early_data */
        { SSL_CB_HANDSHAKE_START, NULL },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "TRCH" },
        { SSL_CB_LOOP, "TWSH" },
        { SSL_CB_LOOP, "TWCCS" },
        { SSL_CB_LOOP, "TWEE" },
        { SSL_CB_LOOP, "TWFIN" },
        { SSL_CB_HANDSHAKE_DONE, NULL },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_HANDSHAKE_START, NULL },
        { SSL_CB_LOOP, "TED" },
        { SSL_CB_LOOP, "TED" },
        { SSL_CB_LOOP, "TWEOED" },
        { SSL_CB_LOOP, "TRFIN" },
        { SSL_CB_HANDSHAKE_DONE, NULL },
        { SSL_CB_LOOP, "TWST" },
        { SSL_CB_EXIT, NULL },
        { 0, NULL },
    },
    {
        /* TLSv1.3 client, early_data */
        { SSL_CB_HANDSHAKE_START, NULL },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "TWCH" },
        { SSL_CB_LOOP, "TWCCS" },
        { SSL_CB_HANDSHAKE_DONE, NULL },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_HANDSHAKE_START, NULL },
        { SSL_CB_LOOP, "TED" },
        { SSL_CB_LOOP, "TED" },
        { SSL_CB_LOOP, "TRSH" },
        { SSL_CB_LOOP, "TREE" },
        { SSL_CB_LOOP, "TRFIN" },
        { SSL_CB_LOOP, "TPEDE" },
        { SSL_CB_LOOP, "TWEOED" },
        { SSL_CB_LOOP, "TWFIN" },
        { SSL_CB_HANDSHAKE_DONE, NULL },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "SSLOK" },
        { SSL_CB_LOOP, "SSLOK" },
        { SSL_CB_LOOP, "TRST" },
        { SSL_CB_EXIT, NULL },
        { 0, NULL },
    },
    {
        /* TLSv1.3 server, certificate compression, followed by resumption */
        { SSL_CB_HANDSHAKE_START, NULL },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "TRCH" },
        { SSL_CB_LOOP, "TWSH" },
        { SSL_CB_LOOP, "TWCCS" },
        { SSL_CB_LOOP, "TWEE" },
        { SSL_CB_LOOP, "TWSCC" },
        { SSL_CB_LOOP, "TWSCV" },
        { SSL_CB_LOOP, "TWFIN" },
        { SSL_CB_LOOP, "TED" },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "TED" },
        { SSL_CB_LOOP, "TRFIN" },
        { SSL_CB_HANDSHAKE_DONE, NULL },
        { SSL_CB_LOOP, "TWST" },
        { SSL_CB_LOOP, "TWST" },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_ALERT, NULL },
        { SSL_CB_HANDSHAKE_START, NULL },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "TRCH" },
        { SSL_CB_LOOP, "TWSH" },
        { SSL_CB_LOOP, "TWCCS" },
        { SSL_CB_LOOP, "TWEE" },
        { SSL_CB_LOOP, "TWFIN" },
        { SSL_CB_LOOP, "TED" },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "TED" },
        { SSL_CB_LOOP, "TRFIN" },
        { SSL_CB_HANDSHAKE_DONE, NULL },
        { SSL_CB_LOOP, "TWST" },
        { SSL_CB_EXIT, NULL },
        { 0, NULL },
    },
    {
        /* TLSv1.3 client, certificate compression, followed by resumption */
        { SSL_CB_HANDSHAKE_START, NULL },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "TWCH" },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "TWCH" },
        { SSL_CB_LOOP, "TRSH" },
        { SSL_CB_LOOP, "TREE" },
        { SSL_CB_LOOP, "TRSCC" },
        { SSL_CB_LOOP, "TRSCV" },
        { SSL_CB_LOOP, "TRFIN" },
        { SSL_CB_LOOP, "TWCCS" },
        { SSL_CB_LOOP, "TWFIN" },
        { SSL_CB_HANDSHAKE_DONE, NULL },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "SSLOK" },
        { SSL_CB_LOOP, "SSLOK" },
        { SSL_CB_LOOP, "TRST" },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "SSLOK" },
        { SSL_CB_LOOP, "SSLOK" },
        { SSL_CB_LOOP, "TRST" },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_ALERT, NULL },
        { SSL_CB_HANDSHAKE_START, NULL },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "TWCH" },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "TWCH" },
        { SSL_CB_LOOP, "TRSH" },
        { SSL_CB_LOOP, "TREE" },
        { SSL_CB_LOOP, "TRFIN" },
        { SSL_CB_LOOP, "TWCCS" },
        { SSL_CB_LOOP, "TWFIN" },
        { SSL_CB_HANDSHAKE_DONE, NULL },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "SSLOK" },
        { SSL_CB_LOOP, "SSLOK" },
        { SSL_CB_LOOP, "TRST" },
        { SSL_CB_EXIT, NULL },
        { 0, NULL },
    },
    {
        /* Trailing row that holds only the terminator */
        { 0, NULL },
    }
};
8226 
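/*
 * Info callback shared by the test_info_callback() cases. Each invocation
 * consumes the next entry of the expected sequence in
 * info_cb_states[info_cb_offset] and records any deviation by setting
 * info_cb_failed.
 *
 * s:     connection reporting the event
 * where: SSL_CB_* and SSL_ST_* bits describing the event
 * ret:   value supplied with the event; 0 is treated as a failed connection
 */
static void sslapi_info_callback(const SSL *s, int where, int ret)
{
    struct info_cb_states_st *state = info_cb_states[info_cb_offset];

    /* We do not ever expect a connection to fail in this test */
    if (!TEST_false(ret == 0)) {
        info_cb_failed = 1;
        return;
    }

    /*
     * The callback keeps being invoked after a mismatch has been recorded and
     * the cursor advances on those calls too. Refuse to step beyond the end
     * of the fixed-size row instead of reading past it.
     */
    if (!TEST_int_lt(info_cb_this_state + 1,
            (int)OSSL_NELEM(info_cb_states[0]))) {
        info_cb_failed = 1;
        return;
    }

    /*
     * Do some sanity checks. We never expect these things to happen in this
     * test. The last operand advances the cursor; a terminator entry there
     * means more callbacks arrived than the table expects.
     */
    if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
        || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
        || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
        info_cb_failed = 1;
        return;
    }

    /* Now check we're in the right state */
    if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
        info_cb_failed = 1;
        return;
    }
    if ((where & SSL_CB_LOOP) != 0
        && !TEST_int_eq(strcmp(SSL_state_string(s),
                            state[info_cb_this_state].statestr),
            0)) {
        info_cb_failed = 1;
        return;
    }

    /*
     * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init.
     * Reported through TEST_false so that a failure leaves a diagnostic like
     * the other checks do.
     */
    if ((where & SSL_CB_HANDSHAKE_DONE) != 0
        && !TEST_false(SSL_in_init((SSL *)s) != 0)) {
        info_cb_failed = 1;
        return;
    }
}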
8270 
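/*
 * Test the info callback gets called when we expect it to.
 *
 * Test 0: TLSv1.2, server
 * Test 1: TLSv1.2, client
 * Test 2: TLSv1.3, server
 * Test 3: TLSv1.3, client
 * Test 4: TLSv1.3, server, early_data
 * Test 5: TLSv1.3, client, early_data
 * Test 6: TLSv1.3, server, compressed certificate
 * Test 7: TLSv1.3, client, compressed certificate
 *
 * The test number also selects the row of info_cb_states that
 * sslapi_info_callback() checks against. Returns 1 on success (or when the
 * required protocol version is compiled out), 0 on failure.
 */
static int test_info_callback(int tst)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    SSL_SESSION *clntsess = NULL;
    int testresult = 0;
    int tlsvers;

    if (tst < 2) {
/* We need either ECDHE or DHE for the TLSv1.2 test to work */
#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH))
        tlsvers = TLS1_2_VERSION;
#else
        return 1;
#endif
    } else {
#ifndef OSSL_NO_USABLE_TLS1_3
        tlsvers = TLS1_3_VERSION;
#else
        return 1;
#endif
    }

    /* Reset globals */
    info_cb_failed = 0;
    info_cb_this_state = -1;
    info_cb_offset = tst;

#ifndef OSSL_NO_USABLE_TLS1_3
    if (tst >= 4 && tst < 6) {
        SSL_SESSION *sess = NULL;
        size_t written, readbytes;
        unsigned char buf[80];
        OSSL_TIME timer;

        /* early_data tests */
        if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
                &serverssl, &sess, 0,
                SHA384_DIGEST_LENGTH)))
            goto end;

        /* We don't actually need this reference */
        SSL_SESSION_free(sess);

        /* Here the callback is installed on the SSL object, not the SSL_CTX */
        SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
            sslapi_info_callback);

        /* Write and read some early data and then complete the connection */
        timer = ossl_time_now();
        if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
                &written))
            || !TEST_size_t_eq(written, strlen(MSG1)))
            goto end;

        if (!TEST_int_eq(SSL_read_early_data(serverssl, buf,
                             sizeof(buf), &readbytes),
                SSL_READ_EARLY_DATA_SUCCESS)) {
            /* The helper decides the result when early data was not read */
            testresult = check_early_data_timeout(timer);
            goto end;
        }

        if (!TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
            || !TEST_int_eq(SSL_get_early_data_status(serverssl),
                SSL_EARLY_DATA_ACCEPTED)
            || !TEST_true(create_ssl_connection(serverssl, clientssl,
                SSL_ERROR_NONE))
            || !TEST_false(info_cb_failed))
            goto end;

        testresult = 1;
        goto end;
    }
#endif

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            tlsvers, tlsvers, &sctx, &cctx, cert,
            privkey)))
        goto end;

    if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
        goto end;

    /*
     * For even numbered tests we check the server callbacks. For odd numbers we
     * check the client.
     */
    SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
        sslapi_info_callback);
    if (tst >= 6) {
        /* Wrapped in TEST_true so that a failure here is reported */
        if (!TEST_true(SSL_CTX_compress_certs(sctx, 0)))
            goto end;
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
            &clientssl, NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE))
        || !TEST_false(info_cb_failed))
        goto end;

    /* Without a session there is nothing to resume, so report that here */
    clntsess = SSL_get1_session(clientssl);
    if (!TEST_ptr(clntsess))
        goto end;
    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    /* Now do a resumption */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
            NULL))
        || !TEST_true(SSL_set_session(clientssl, clntsess))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE))
        || !TEST_true(SSL_session_reused(clientssl))
        || !TEST_false(info_cb_failed))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_SESSION_free(clntsess);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}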
8411 
/*
 * Check SSL_pending() and SSL_has_pending() around a partial read.
 *
 * Test 0: TLS
 * Test 1: DTLS (returns 1 without testing when DTLS is compiled out)
 *
 * The server writes the whole of msg, the client reads only sizeof(buf) bytes
 * of it, and the remainder must then be reported as pending on the client.
 */
static int test_ssl_pending(int tst)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    char msg[] = "A test message";
    char buf[5];
    size_t written, readbytes;
    int testresult = 0;

    if (tst != 0) {
#ifndef OPENSSL_NO_DTLS
        if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
                DTLS_client_method(),
                DTLS1_VERSION, 0,
                &sctx, &cctx, cert, privkey)))
            goto end;

#ifdef OPENSSL_NO_DTLS1_2
        /* Not supported in the FIPS provider */
        if (is_fips) {
            testresult = 1;
            goto end;
        }
        /*
         * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
         * level 0, so both contexts are dropped to that level for this test.
         */
        if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
            goto end;
        if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
                "DEFAULT:@SECLEVEL=0")))
            goto end;
#endif
#else
        return 1;
#endif
    } else {
        if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                TLS_client_method(),
                TLS1_VERSION, 0,
                &sctx, &cctx, cert, privkey)))
            goto end;
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    /* Nothing may be pending on either side right after the handshake */
    if (!TEST_int_eq(SSL_pending(clientssl), 0)
        || !TEST_false(SSL_has_pending(clientssl))
        || !TEST_int_eq(SSL_pending(serverssl), 0)
        || !TEST_false(SSL_has_pending(serverssl)))
        goto end;

    /* Send the full message but read back only the first sizeof(buf) bytes */
    if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
        || !TEST_size_t_eq(written, sizeof(msg))
        || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
        || !TEST_size_t_eq(readbytes, sizeof(buf)))
        goto end;

    /* The unread remainder must now be reported as pending */
    if (!TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
        || !TEST_true(SSL_has_pending(clientssl)))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
8483 
/*
 * Test vectors for int_test_ssl_get_shared_ciphers(), indexed by test number.
 * The set of entries depends on which protocol versions and algorithms are
 * compiled in.
 */
static struct {
    unsigned int maxprot; /* maximum protocol version for the context pair */
    const char *clntciphers; /* client list for SSL_CTX_set_cipher_list() */
    const char *clnttls13ciphers; /* client TLSv1.3 suites; NULL leaves them unset */
    const char *srvrciphers; /* server list for SSL_CTX_set_cipher_list() */
    const char *srvrtls13ciphers; /* server TLSv1.3 suites; NULL leaves them unset */
    const char *shared; /* expected SSL_get_shared_ciphers() output */
    const char *fipsshared; /* expected output when is_fips is set */
    /* An empty expected string also means the handshake is expected to fail */
} shared_ciphers_data[] = {
/*
 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
 * TLSv1.3 is enabled but TLSv1.2 is disabled.
 */
#if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
    { TLS1_2_VERSION,
        "AES128-SHA:AES256-SHA",
        NULL,
        "AES256-SHA:DHE-RSA-AES128-SHA",
        NULL,
        "AES256-SHA",
        "AES256-SHA" },
#if !defined(OPENSSL_NO_CHACHA)      \
    && !defined(OPENSSL_NO_POLY1305) \
    && !defined(OPENSSL_NO_EC)
    { TLS1_2_VERSION,
        "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
        NULL,
        "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
        NULL,
        "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
        "AES128-SHA" },
#endif
    { TLS1_2_VERSION,
        "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
        NULL,
        "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
        NULL,
        "AES128-SHA:AES256-SHA",
        "AES128-SHA:AES256-SHA" },
    { TLS1_2_VERSION,
        "AES128-SHA:AES256-SHA",
        NULL,
        "AES128-SHA:DHE-RSA-AES128-SHA",
        NULL,
        "AES128-SHA",
        "AES128-SHA" },
    { TLS1_2_VERSION,
        "AES256-SHA",
        NULL,
        "AES128-SHA",
        NULL,
        "",
        "" },
#endif
/*
 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
 * enabled.
 */
#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
    && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
    { TLS1_3_VERSION,
        "AES128-SHA:AES256-SHA",
        NULL,
        "AES256-SHA:AES128-SHA256",
        NULL,
        "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
        "TLS_AES_128_GCM_SHA256:AES256-SHA",
        "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA" },
#endif
#ifndef OSSL_NO_USABLE_TLS1_3
    { TLS1_3_VERSION,
        "AES128-SHA",
        "TLS_AES_256_GCM_SHA384",
        "AES256-SHA",
        "TLS_AES_256_GCM_SHA384",
        "TLS_AES_256_GCM_SHA384",
        "TLS_AES_256_GCM_SHA384" },
    { TLS1_3_VERSION,
        "AES128-SHA",
        "TLS_AES_128_GCM_SHA256",
        "AES256-SHA",
        "TLS_AES_256_GCM_SHA384",
        "",
        "" },
#endif
};
8570 
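/*
 * Run one shared_ciphers_data entry and compare what the server reports from
 * SSL_get_shared_ciphers() with the expected string.
 *
 * tst:  index into shared_ciphers_data
 * clnt: non-zero to create the client context from the private library
 *       context, zero to create the server context from it
 *
 * Returns 1 on success, 0 on failure.
 */
static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    /*
     * Start out as an empty string: the failure path below prints buf even
     * when SSL_get_shared_ciphers() returned NULL and may not have written it.
     */
    char buf[1024] = "";
    OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
    const char *expbuf = is_fips ? shared_ciphers_data[tst].fipsshared
                                 : shared_ciphers_data[tst].shared;
    /* An empty expectation means the two sides have no suite in common */
    int handshakeok = strcmp(expbuf, "") != 0;

    if (!TEST_ptr(tmplibctx))
        goto end;

    /*
     * Regardless of whether we're testing with the FIPS provider loaded into
     * libctx, we want one peer to always use the full set of ciphersuites
     * available. Therefore we use a separate libctx with the default provider
     * loaded into it. We run the same tests twice - once with the client side
     * having the full set of ciphersuites and once with the server side.
     */
    if (clnt) {
        cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
        if (!TEST_ptr(cctx))
            goto end;
    } else {
        sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
        if (!TEST_ptr(sctx))
            goto end;
    }

    /* One of the two contexts is already set when this is called */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            TLS1_VERSION,
            shared_ciphers_data[tst].maxprot,
            &sctx, &cctx, cert, privkey)))
        goto end;

    /* The TLSv1.3 suite lists are applied only when the entry provides them */
    if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
            shared_ciphers_data[tst].clntciphers))
        || (shared_ciphers_data[tst].clnttls13ciphers != NULL
            && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
                shared_ciphers_data[tst].clnttls13ciphers)))
        || !TEST_true(SSL_CTX_set_cipher_list(sctx,
            shared_ciphers_data[tst].srvrciphers))
        || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
            && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
                shared_ciphers_data[tst].srvrtls13ciphers))))
        goto end;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
            NULL)))
        goto end;

    if (handshakeok) {
        if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                SSL_ERROR_NONE)))
            goto end;
    } else {
        if (!TEST_false(create_ssl_connection(serverssl, clientssl,
                SSL_ERROR_NONE)))
            goto end;
    }

    if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
        || !TEST_int_eq(strcmp(buf, expbuf), 0)) {
        TEST_info("Shared ciphers are: %s\n", buf);
        goto end;
    }

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    OSSL_LIB_CTX_free(tmplibctx);

    return testresult;
}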
8652 
/*
 * Run shared_ciphers_data[tst] twice: first with the server context created
 * from the private library context, then with the client context. The second
 * run is skipped when the first one fails. Returns 1 only if both pass.
 */
static int test_ssl_get_shared_ciphers(int tst)
{
    if (!int_test_ssl_get_shared_ciphers(tst, 0))
        return 0;

    return int_test_ssl_get_shared_ciphers(tst, 1) ? 1 : 0;
}
8658 
/* Application data that gen_tick_cb() stores and dec_tick_cb() checks */
static const char *appdata = "Hello World";
/* Set to 1 by the corresponding callback when it runs */
static int gen_tick_called, dec_tick_called, tick_key_cb_called;
/*
 * Steers the ticket key callbacks: -1 makes them return 0, any other non-zero
 * value makes them return 2 instead of 1 on success.
 */
static int tick_key_renew = 0;
/* What dec_tick_cb() returns when no ticket key callback has run */
static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
8663 
/*
 * Ticket generation callback: records that it ran and attaches appdata to
 * the session of s. Returns the result of SSL_SESSION_set1_ticket_appdata().
 * arg is unused.
 */
static int gen_tick_cb(SSL *s, void *arg)
{
    size_t applen;

    gen_tick_called = 1;
    applen = strlen(appdata);

    return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata, applen);
}
8671 
/*
 * Ticket decryption callback. Records that it ran, verifies that the ticket
 * carries the application data written by gen_tick_cb(), and chooses the
 * return value:
 *
 *  - an empty ticket is ignored and a new one requested;
 *  - any status other than the two success values, or mismatching
 *    application data, aborts;
 *  - if a ticket key callback has run, its decision (as reflected in status)
 *    is passed through unchanged;
 *  - otherwise the test-selected tick_dec_ret is returned.
 *
 * s, keyname, keyname_length and arg are unused.
 */
static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
    const unsigned char *keyname,
    size_t keyname_length,
    SSL_TICKET_STATUS status,
    void *arg)
{
    void *tickdata;
    size_t tickdlen;

    dec_tick_called = 1;

    if (status == SSL_TICKET_EMPTY)
        return SSL_TICKET_RETURN_IGNORE_RENEW;

    if (!TEST_true(status == SSL_TICKET_SUCCESS
            || status == SSL_TICKET_SUCCESS_RENEW))
        return SSL_TICKET_RETURN_ABORT;

    /* The length is checked before the contents are compared */
    if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
            &tickdlen)))
        return SSL_TICKET_RETURN_ABORT;
    if (!TEST_size_t_eq(tickdlen, strlen(appdata)))
        return SSL_TICKET_RETURN_ABORT;
    if (!TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
        return SSL_TICKET_RETURN_ABORT;

    if (!tick_key_cb_called)
        return tick_dec_ret;

    /* Don't change what the ticket key callback wanted to do */
    if (status == SSL_TICKET_NO_DECRYPT)
        return SSL_TICKET_RETURN_IGNORE_RENEW;
    if (status == SSL_TICKET_SUCCESS)
        return SSL_TICKET_RETURN_USE;
    if (status == SSL_TICKET_SUCCESS_RENEW)
        return SSL_TICKET_RETURN_USE_RENEW;

    return SSL_TICKET_RETURN_ABORT;
}
8714 
8715 #ifndef OPENSSL_NO_DEPRECATED_3_0
/*
 * Ticket key callback using the deprecated HMAC_CTX interface.
 *
 * Initialises ctx for AES-128-CBC and hctx for HMAC with SHA-256. The key
 * material is a fixed string and the IV and key name are all zeros; these
 * are test fixtures, not values to copy into a real ticket key callback.
 *
 * Returns 0 when tick_key_renew is -1 or an algorithm cannot be fetched,
 * -1 when initialisation fails, 2 when tick_key_renew is otherwise non-zero
 * and 1 in the remaining case.
 */
static int tick_key_cb(SSL *s, unsigned char key_name[16],
    unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
    HMAC_CTX *hctx, int enc)
{
    const unsigned char tick_aes_key[16] = "0123456789abcdef";
    const unsigned char tick_hmac_key[16] = "0123456789abcdef";
    EVP_CIPHER *aes128cbc = NULL;
    EVP_MD *sha256 = NULL;
    int ret = 0;

    tick_key_cb_called = 1;

    if (tick_key_renew == -1)
        return 0;

    aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
    if (!TEST_ptr(aes128cbc))
        goto done;
    sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
    if (!TEST_ptr(sha256))
        goto done;

    memset(iv, 0, AES_BLOCK_SIZE);
    memset(key_name, 0, 16);

    /* Both algorithms were fetched successfully if we get here */
    if (EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
        && HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
            NULL))
        ret = tick_key_renew ? 2 : 1;
    else
        ret = -1;

done:
    EVP_CIPHER_free(aes128cbc);
    EVP_MD_free(sha256);

    return ret;
}
8756 #endif
8757 
/*
 * Ticket key callback using the EVP_MAC_CTX interface.
 *
 * Initialises ctx for AES-128-CBC and hctx with the digest parameter set to
 * SHA256. The key material is a fixed string and the IV and key name are all
 * zeros; these are test fixtures, not values to copy into a real ticket key
 * callback.
 *
 * Returns 0 when tick_key_renew is -1 or the cipher cannot be fetched, -1
 * when initialisation fails, 2 when tick_key_renew is otherwise non-zero and
 * 1 in the remaining case.
 */
static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
    unsigned char iv[EVP_MAX_IV_LENGTH],
    EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
{
    const unsigned char tick_aes_key[16] = "0123456789abcdef";
    unsigned char tick_hmac_key[16] = "0123456789abcdef";
    OSSL_PARAM params[2];
    EVP_CIPHER *aes128cbc;
    int ret = -1;

    tick_key_cb_called = 1;

    if (tick_key_renew == -1)
        return 0;

    aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
    if (!TEST_ptr(aes128cbc))
        return 0;

    memset(iv, 0, AES_BLOCK_SIZE);
    memset(key_name, 0, 16);

    /* Tell the MAC which digest to use */
    params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
        "SHA256", 0);
    params[1] = OSSL_PARAM_construct_end();

    /* ret stays -1 unless both initialisations succeed */
    if (EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
        && EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
            params))
        ret = tick_key_renew ? 2 : 1;

    EVP_CIPHER_free(aes128cbc);

    return ret;
}
8794 
8795 /*
8796  * Test the various ticket callbacks
8797  * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
8798  * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
8799  * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
8800  * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
8801  * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
8802  * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
8803  * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
8804  * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
8805  * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
8806  * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
8807  * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
8808  * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
8809  * Test 12: TLSv1.2, old ticket key callback, no ticket
8810  * Test 13: TLSv1.3, old ticket key callback, no ticket
8811  * Test 14: TLSv1.2, ticket key callback, ticket, no renewal
8812  * Test 15: TLSv1.3, ticket key callback, ticket, no renewal
8813  * Test 16: TLSv1.2, ticket key callback, ticket, renewal
8814  * Test 17: TLSv1.3, ticket key callback, ticket, renewal
8815  * Test 18: TLSv1.2, ticket key callback, no ticket
8816  * Test 19: TLSv1.3, ticket key callback, no ticket
8817  */
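static int test_ticket_callbacks(int tst)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    SSL_SESSION *clntsess = NULL;
    int testresult = 0;

    /*
     * Flow: a full handshake to obtain a session, then a second handshake
     * that offers the saved session. The globals tick_key_renew and
     * tick_dec_ret set below select what the ticket key callback and the
     * decrypt ticket callback return, and the gen/dec call counters are
     * checked after each handshake. Even-numbered tests cap the protocol at
     * TLSv1.2, odd-numbered ones at TLSv1.3.
     */

    /* Skip variants whose protocol version or callback API is compiled out */
#ifdef OPENSSL_NO_TLS1_2
    if (tst % 2 == 0)
        return 1;
#endif
#ifdef OSSL_NO_USABLE_TLS1_3
    if (tst % 2 == 1)
        return 1;
#endif
#ifdef OPENSSL_NO_DEPRECATED_3_0
    if (tst >= 8 && tst <= 13)
        return 1;
#endif

    gen_tick_called = dec_tick_called = tick_key_cb_called = 0;

    /* Which tests the ticket key callback should request renewal for */

    if (tst == 10 || tst == 11 || tst == 16 || tst == 17)
        tick_key_renew = 1;
    else if (tst == 12 || tst == 13 || tst == 18 || tst == 19)
        tick_key_renew = -1; /* abort sending the ticket/0-length ticket */
    else
        tick_key_renew = 0;

    /* Which tests the decrypt ticket callback should request renewal for */
    switch (tst) {
    case 0:
    case 1:
        tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
        break;

    case 2:
    case 3:
        tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
        break;

    case 4:
    case 5:
        tick_dec_ret = SSL_TICKET_RETURN_USE;
        break;

    case 6:
    case 7:
        tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
        break;

    default:
        tick_dec_ret = SSL_TICKET_RETURN_ABORT;
    }

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            TLS1_VERSION,
            ((tst % 2) == 0) ? TLS1_2_VERSION
                             : TLS1_3_VERSION,
            &sctx, &cctx, cert, privkey)))
        goto end;

    /*
     * We only want sessions to resume from tickets - not the session cache. So
     * switch the cache off.
     */
    if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
        goto end;

    if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
            NULL)))
        goto end;

    /* Tests 14+ use the EVP key callback, tests 8-13 the deprecated one */
    if (tst >= 14) {
        if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
            goto end;
#ifndef OPENSSL_NO_DEPRECATED_3_0
    } else if (tst >= 8) {
        if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
            goto end;
#endif
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    /*
     * The decrypt ticket key callback in TLSv1.2 should be called even though
     * we have no ticket yet, because it gets called with a status of
     * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
     * actually send any ticket data). This does not happen in TLSv1.3 because
     * it is not valid to send empty ticket data in TLSv1.3.
     */
    if (!TEST_int_eq(gen_tick_called, 1)
        || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
        goto end;

    gen_tick_called = dec_tick_called = 0;

    /*
     * Keep a reference to the client session for the resumption leg. Check it
     * as test_ticket_abort_session_leak() does: a NULL here would make the
     * second handshake a plain full handshake instead of a resumption attempt.
     */
    clntsess = SSL_get1_session(clientssl);
    if (!TEST_ptr(clntsess))
        goto end;

    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    /* Now do a resumption */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
            NULL))
        || !TEST_true(SSL_set_session(clientssl, clntsess))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    /*
     * The session must not be reused when the decrypt callback asked for the
     * ticket to be ignored, or when the key callback declined to handle it.
     */
    if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
        || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
        || tick_key_renew == -1) {
        if (!TEST_false(SSL_session_reused(clientssl)))
            goto end;
    } else {
        if (!TEST_true(SSL_session_reused(clientssl)))
            goto end;
    }

    /* A new ticket is generated only when one of the callbacks asked for it */
    if (!TEST_int_eq(gen_tick_called,
            (tick_key_renew
                || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
                || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
                ? 1
                : 0)
        /* There is no ticket to decrypt in tests 13 and 19 */
        || !TEST_int_eq(dec_tick_called, (tst == 13 || tst == 19) ? 0 : 1))
        goto end;

    testresult = 1;

end:
    SSL_SESSION_free(clntsess);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}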
8969 
8970 /*
8971  * Callback that always returns ABORT for successfully decrypted tickets.
8972  * Used by test_ticket_abort_session_leak to exercise the error path in
8973  * tls_parse_ctos_psk() that previously leaked the SSL_SESSION.
8974  */
static SSL_TICKET_RETURN dec_tick_abort_cb(SSL *s, SSL_SESSION *ss,
    const unsigned char *keyname,
    size_t keyname_length,
    SSL_TICKET_STATUS status,
    void *arg)
{
    /* Only |status| is consulted; the other arguments are ignored */
    switch (status) {
    case SSL_TICKET_SUCCESS:
    case SSL_TICKET_SUCCESS_RENEW:
        /* The ticket decrypted fine: force the abort path under test */
        return SSL_TICKET_RETURN_ABORT;

    default:
        /* No usable ticket: carry on without it and ask for a new one */
        return SSL_TICKET_RETURN_IGNORE_RENEW;
    }
}
8986 
8987 /*
8988  * Test that returning SSL_TICKET_RETURN_ABORT from the decrypt ticket callback
8989  * during TLS 1.3 resumption does not leak the SSL_SESSION allocated by
8990  * tls_decrypt_ticket().  Before the fix, tls_parse_ctos_psk() would execute a
8991  * bare "return 0" instead of "goto err", bypassing SSL_SESSION_free(sess).
8992  * When run under LeakSanitizer the leaked session will be reported.
8993  */
static int test_ticket_abort_session_leak(void)
{
    SSL_SESSION *clntsess = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    SSL_CTX *sctx = NULL, *cctx = NULL;
    int passed = 0;

    /* Nothing to exercise when no TLSv1.3 group is available */
#ifdef OSSL_NO_USABLE_TLS1_3
    return 1;
#endif

    /* Both ends are pinned to TLSv1.3 */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            TLS1_3_VERSION, TLS1_3_VERSION,
            &sctx, &cctx, cert, privkey)))
        goto cleanup;

    /* Cache off, so the second handshake can only resume from the ticket */
    if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
        goto cleanup;

    /* First handshake: use the normal gen/dec callbacks to get a ticket */
    if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
            NULL)))
        goto cleanup;

    gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
    tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto cleanup;
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto cleanup;

    /* Hold our own reference to the session before tearing the pair down */
    clntsess = SSL_get1_session(clientssl);
    if (!TEST_ptr(clntsess))
        goto cleanup;

    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    /*
     * Second handshake (resumption): install the aborting decrypt callback.
     * The server decrypts the ticket and allocates an SSL_SESSION, and the
     * callback then returns ABORT. The handshake has to fail, and the session
     * allocated inside tls_decrypt_ticket() has to be released rather than
     * leaked.
     */
    if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb,
            dec_tick_abort_cb, NULL)))
        goto cleanup;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto cleanup;
    if (!TEST_true(SSL_set_session(clientssl, clntsess)))
        goto cleanup;

    /* Resumption should fail because the callback aborts */
    if (!TEST_false(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_SSL)))
        goto cleanup;

    passed = 1;

cleanup:
    SSL_SESSION_free(clntsess);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return passed;
}
9069 
9070 /*
9071  * Test incorrect shutdown.
9072  * Test 0: client does not shutdown properly,
9073  *         server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
9074  *         server should get SSL_ERROR_SSL
9075  * Test 1: client does not shutdown properly,
9076  *         server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
9077  *         server should get SSL_ERROR_ZERO_RETURN
9078  */
static int test_incorrect_shutdown(int tst)
{
    char buf[80];
    BIO *server_rbio;
    SSL *serverssl = NULL, *clientssl = NULL;
    SSL_CTX *sctx = NULL, *cctx = NULL;
    int passed = 0;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), 0, 0,
            &sctx, &cctx, cert, privkey)))
        goto cleanup;

    /* Only test 1 asks the server to tolerate an unexpected EOF */
    if (tst == 1)
        SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto cleanup;

    /*
     * Make the server's read BIO return 0 when it runs dry, so the read below
     * sees end-of-stream without any close_notify from the client.
     */
    server_rbio = SSL_get_rbio(serverssl);
    BIO_set_mem_eof_return(server_rbio, 0);

    if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
        goto cleanup;

    /* The reported error depends on whether the option was set */
    switch (tst) {
    case 0:
        if (!TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
            goto cleanup;
        break;

    case 1:
        if (!TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN))
            goto cleanup;
        break;

    default:
        break;
    }

    passed = 1;

cleanup:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return passed;
}
9124 
9125 /*
9126  * Test bi-directional shutdown.
9127  * Test 0: TLSv1.2
9128  * Test 1: TLSv1.2, server continues to read/write after client shutdown
9129  * Test 2: TLSv1.3, no pending NewSessionTicket messages
9130  * Test 3: TLSv1.3, pending NewSessionTicket messages
9131  * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
9132  *                  sends key update, client reads it
9133  * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
9134  *                  sends CertificateRequest, client reads and ignores it
9135  * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
9136  *                  doesn't read it
9137  */
static int test_shutdown(int tst)
{
    char msg[] = "A test message";
    char buf[80];
    size_t readbytes, written;
    SSL_SESSION *sess;
    SSL *serverssl = NULL, *clientssl = NULL;
    SSL_CTX *sctx = NULL, *cctx = NULL;
    int passed = 0;

#ifdef OPENSSL_NO_TLS1_2
    if (tst <= 1)
        return 1;
#endif
#ifdef OSSL_NO_USABLE_TLS1_3
    if (tst >= 2)
        return 1;
#endif

    /* Tests 0 and 1 cap the connection at TLSv1.2, the rest at TLSv1.3 */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            TLS1_VERSION,
            (tst <= 1) ? TLS1_2_VERSION
                       : TLS1_3_VERSION,
            &sctx, &cctx, cert, privkey)))
        goto cleanup;

    /* Test 5 later has the server request a post-handshake client cert */
    if (tst == 5)
        SSL_CTX_set_post_handshake_auth(cctx, 1);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto cleanup;

    if (tst == 3) {
        /*
         * Bare connection helper: the client session is expected not to be
         * resumable at this point (the pending NewSessionTicket case).
         */
        if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
                SSL_ERROR_NONE, 1, 0)))
            goto cleanup;
        if (!TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL))
            goto cleanup;
        if (!TEST_false(SSL_SESSION_is_resumable(sess)))
            goto cleanup;
    } else {
        if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                SSL_ERROR_NONE)))
            goto cleanup;
        if (!TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL))
            goto cleanup;
        if (!TEST_true(SSL_SESSION_is_resumable(sess)))
            goto cleanup;
    }

    /* The client sends its close_notify first; 0 means "not finished yet" */
    if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
        goto cleanup;

    if (tst >= 4) {
        /*
         * Reading on the server after the client has sent close_notify should
         * fail and provide SSL_ERROR_ZERO_RETURN
         */
        if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)))
            goto cleanup;
        if (!TEST_int_eq(SSL_get_error(serverssl, 0),
                SSL_ERROR_ZERO_RETURN))
            goto cleanup;
        if (!TEST_int_eq(SSL_get_shutdown(serverssl),
                SSL_RECEIVED_SHUTDOWN))
            goto cleanup;

        /*
         * Even though we're shutdown on receive we should still be
         * able to write.
         */
        if (!TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
            goto cleanup;

        /* Test 4 queues a key update, test 5 a CertificateRequest */
        if (tst == 4
            && !TEST_true(SSL_key_update(serverssl,
                SSL_KEY_UPDATE_REQUESTED)))
            goto cleanup;
        if (tst == 5) {
            SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
            if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
                goto cleanup;
        }

        /* A second application write for tests 4 and 5 */
        if ((tst == 4 || tst == 5)
            && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
            goto cleanup;

        /* The server already saw the client's alert, so this completes */
        if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
            goto cleanup;

        if (tst == 4 || tst == 5) {
            /* Should still be able to read data from server */
            if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
                    &readbytes)))
                goto cleanup;
            if (!TEST_size_t_eq(readbytes, sizeof(msg)))
                goto cleanup;
            if (!TEST_int_eq(memcmp(msg, buf, readbytes), 0))
                goto cleanup;

            /* ... and the second message as well */
            if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
                    &readbytes)))
                goto cleanup;
            if (!TEST_size_t_eq(readbytes, sizeof(msg)))
                goto cleanup;
            if (!TEST_int_eq(memcmp(msg, buf, readbytes), 0))
                goto cleanup;
        }
    }

    /* Writing on the client after sending close_notify shouldn't be possible */
    if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
        goto cleanup;

    if (tst < 4) {
        /*
         * For these tests the client has sent close_notify but it has not yet
         * been received by the server. The server has not sent close_notify
         * yet.
         */
        if (!TEST_int_eq(SSL_shutdown(serverssl), 0))
            goto cleanup;

        /*
         * Writing on the server after sending close_notify shouldn't
         * be possible.
         */
        if (!TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written)))
            goto cleanup;

        /* Each side now reads the other's alert and finishes */
        if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
            goto cleanup;
        if (!TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL))
            goto cleanup;
        if (!TEST_true(SSL_SESSION_is_resumable(sess)))
            goto cleanup;
        if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
            goto cleanup;
    } else if (tst == 4 || tst == 5) {
        /*
         * In this test the client has sent close_notify and it has been
         * received by the server which has responded with a close_notify. The
         * client needs to read the close_notify sent by the server.
         */
        if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
            goto cleanup;
        if (!TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL))
            goto cleanup;
        if (!TEST_true(SSL_SESSION_is_resumable(sess)))
            goto cleanup;
    } else {
        /*
         * tst == 6
         *
         * The client has sent close_notify and is expecting a close_notify
         * back, but instead there is application data first. The shutdown
         * should fail with a fatal error.
         */
        if (!TEST_int_eq(SSL_shutdown(clientssl), -1))
            goto cleanup;
        if (!TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
            goto cleanup;
    }

    passed = 1;

cleanup:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return passed;
}
9286 
9287 /*
9288  * Test that sending close_notify alerts works correctly in the case of a
9289  * retryable write failure.
9290  */
static int test_async_shutdown(void)
{
    BIO *bretry;
    BIO *tmp = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    SSL_CTX *sctx = NULL, *cctx = NULL;
    int attempt;
    int passed = 0;

    /* A BIO whose writes always ask to be retried */
    bretry = BIO_new(bio_s_always_retry());
    if (!TEST_ptr(bretry))
        goto cleanup;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            0, 0,
            &sctx, &cctx, cert, privkey)))
        goto cleanup;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
            NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto cleanup;

    /* Close write side of clientssl */
    if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
        goto cleanup;

    /*
     * Take our own reference to the server's real write BIO so it outlives
     * the swap below, then hand ownership of the retrying BIO to the SSL.
     */
    tmp = SSL_get_wbio(serverssl);
    if (!TEST_true(BIO_up_ref(tmp))) {
        /* No reference was taken, so cleanup must not free it */
        tmp = NULL;
        goto cleanup;
    }
    SSL_set0_wbio(serverssl, bretry);
    bretry = NULL;

    /*
     * The first server shutdown should fail because of a retryable write
     * failure, and a second attempt should fail for the same reason.
     */
    for (attempt = 0; attempt < 2; attempt++) {
        if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
            || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
            goto cleanup;
    }

    /* Put the working write BIO back; the SSL owns our reference again */
    SSL_set0_wbio(serverssl, tmp);
    tmp = NULL;

    /* Third server shutdown should send close_notify */
    if (!TEST_int_eq(SSL_shutdown(serverssl), 0))
        goto cleanup;

    /* Fourth server shutdown should read close_notify from client and finish */
    if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
        goto cleanup;

    /* Client should also successfully fully shutdown */
    if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
        goto cleanup;

    passed = 1;

cleanup:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    BIO_free(bretry);
    BIO_free(tmp);

    return passed;
}
9362 
9363 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
/*
 * Step counter shared by test_cert_cb_int(), which seeds it for each test,
 * and cert_cb(), which branches on its value and advances it.
 */
static int cert_cb_cnt;
9365 
/*
 * Load one PEM object from |file|, resolved against certsdir by
 * test_mk_file_path().
 *
 * When |pkey| is non-NULL a private key is read into it. Otherwise a
 * certificate is read and either pushed onto |chain| (when |chain| is
 * non-NULL) or stored in |*x509|; in both cases the receiver takes over the
 * certificate.
 *
 * Returns 1 on success and 0 on any failure.
 */
static int load_chain(const char *file, EVP_PKEY **pkey, X509 **x509,
    STACK_OF(X509) *chain)
{
    int loaded = 0;
    X509 *crt = NULL;
    BIO *bio = NULL;
    char *full_path = test_mk_file_path(certsdir, file);

    if (full_path == NULL)
        return 0;

    bio = BIO_new(BIO_s_file());
    if (bio == NULL)
        goto done;
    if (BIO_read_filename(bio, full_path) <= 0)
        goto done;

    if (pkey != NULL) {
        if (PEM_read_bio_PrivateKey_ex(bio, pkey, NULL, NULL,
                libctx, NULL)
            == NULL)
            goto done;
    } else {
        crt = X509_new_ex(libctx, NULL);
        if (crt == NULL)
            goto done;
        if (PEM_read_bio_X509(bio, &crt, NULL, NULL) == NULL)
            goto done;

        if (chain != NULL) {
            if (!sk_X509_push(chain, crt))
                goto done;
        } else {
            *x509 = crt;
        }
    }

    /* The certificate, if any, now belongs to the caller's container */
    crt = NULL;
    loaded = 1;

done:
    X509_free(crt);
    BIO_free(bio);
    OPENSSL_free(full_path);
    return loaded;
}
9401 
/*
 * Server certificate callback whose behaviour is selected by cert_cb_cnt:
 *   0: bump the counter and return -1 to suspend the handshake;
 *   1: optionally switch |s| to the SSL_CTX passed in |arg|, install the
 *      test certificate and key, bump the counter and return 1;
 *   3: build a chain with load_chain(), run SSL_check_chain() and install
 *      the certificate only if the chain is reported valid;
 *   anything else: return 0.
 */
static int cert_cb(SSL *s, void *arg)
{
    const int wanted = CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE;
    SSL_CTX *ctx = (SSL_CTX *)arg;
    STACK_OF(X509) *chain = NULL;
    X509 *x509 = NULL;
    EVP_PKEY *pkey = NULL;
    int ret = 0;

    switch (cert_cb_cnt) {
    case 0:
        /* Suspend the handshake */
        cert_cb_cnt++;
        return -1;

    case 1:
        /*
         * Update the SSL_CTX, set the certificate and private key and then
         * continue the handshake normally.
         */
        if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
            return 0;

        if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
            || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
                SSL_FILETYPE_PEM))
            || !TEST_true(SSL_check_private_key(s)))
            return 0;
        cert_cb_cnt++;
        return 1;

    case 3:
        chain = sk_X509_new_null();
#ifndef OPENSSL_NO_ML_DSA
        /* ML-DSA material is used for TLSv1.3 when the provider allows it */
        if (SSL_version(s) >= TLS1_3_VERSION
            && fips_provider_version_ge(libctx, 3, 5, 0)) {
            if (!TEST_ptr(chain)
                || !TEST_true(load_chain("root-ml-dsa-44-cert.pem", NULL, NULL, chain))
                || !TEST_true(load_chain("server-ml-dsa-44-cert.pem", NULL, &x509, NULL))
                || !TEST_true(load_chain("server-ml-dsa-44-key.pem", &pkey, NULL, NULL)))
                goto out;
        } else
#endif
        {
            if (!TEST_ptr(chain)
                || !TEST_true(load_chain("ca-cert.pem", NULL, NULL, chain))
                || !TEST_true(load_chain("root-cert.pem", NULL, NULL, chain))
                || !TEST_true(load_chain("p256-ee-rsa-ca-cert.pem", NULL,
                    &x509, NULL))
                || !TEST_true(load_chain("p256-ee-rsa-ca-key.pem", &pkey,
                    NULL, NULL)))
                goto out;
        }

        /*
         * If the cert doesn't show as valid here (e.g., because we don't
         * have any shared sigalgs), then we will not set it, and there will
         * be no certificate at all on the SSL or SSL_CTX.  This, in turn,
         * will cause tls_choose_sigalgs() to fail the connection.
         */
        if ((SSL_check_chain(s, x509, pkey, chain) & wanted) == wanted
            && !SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
            goto out;

        ret = 1;
        break;

    default:
        /* Any other counter value (test 0 seeds -1) leaves ret at 0 */
        break;
    }

    /* ret is 0 here, aborting the handshake, unless step 3 completed */
out:
    EVP_PKEY_free(pkey);
    X509_free(x509);
    OSSL_STACK_OF_X509_free(chain);
    return ret;
}
9480 
9481 /*
9482  * Test the certificate callback.
9483  * Test 0: Callback fails
9484  * Test 1: Success - no SSL_set_SSL_CTX() in the callback
9485  * Test 2: Success - SSL_set_SSL_CTX() in the callback
9486  * Test 3: Success - Call SSL_check_chain from the callback
9487  * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
9488  *                   chain
9489  * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
9490  */
static int test_cert_cb_int(int prot, int tst)
{
    SSL *serverssl = NULL, *clientssl = NULL;
    SSL_CTX *sctx = NULL, *cctx = NULL, *snictx = NULL;
    int ret;
    int passed = 0;

#ifdef OPENSSL_NO_EC
    /* We use an EC cert in these tests with TLS 1.2 or absent ML-DSA */
    if (tst >= 3)
        return 1;
#endif

    /* No certificate is configured up front: the callback must supply it */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            prot,
            prot,
            &sctx, &cctx, NULL, NULL)))
        goto cleanup;

    /*
     * Seed the step counter that cert_cb() branches on: -1 makes it fail,
     * 3 selects the SSL_check_chain() path, 0 the suspend-then-set path.
     */
    cert_cb_cnt = (tst == 0) ? -1 : (tst >= 3) ? 3 : 0;

    /* Test 2 gives the callback a second SSL_CTX to switch to */
    if (tst == 2) {
        snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
        if (!TEST_ptr(snictx))
            goto cleanup;
    }

    SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto cleanup;

    switch (tst) {
    case 3:
        /* Signature algorithms that the loaded chain can satisfy */
        if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
                "rsa_pss_rsae_sha256:rsa_pkcs1_sha256:"
                "?ecdsa_secp256r1_sha256:?mldsa44")))
            goto cleanup;
        if (!TEST_true(SSL_set1_sigalgs_list(serverssl,
                "rsa_pss_rsae_sha256:rsa_pkcs1_sha256:"
                "?ecdsa_secp256r1_sha256:?mldsa44")))
            goto cleanup;
        break;

    case 4:
        /*
         * We cause SSL_check_chain() to fail by specifying sig_algs that
         * the chain doesn't meet (root either RSA or ML-DSA).
         */
        if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
                "ecdsa_secp256r1_sha256")))
            goto cleanup;
        if (!TEST_true(SSL_set1_sigalgs_list(serverssl,
                "?ecdsa_secp256r1_sha256:?mldsa44")))
            goto cleanup;
        break;

    case 5:
        /*
         * We cause SSL_check_chain() to fail by specifying sig_algs that
         * the ee cert doesn't meet (the ee uses an ECDSA or ML-DSA cert)
         */
        if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
                "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
            goto cleanup;
        if (!TEST_true(SSL_set1_sigalgs_list(serverssl,
                "rsa_pss_rsae_sha256:rsa_pkcs1_sha256:"
                "?ecdsa_secp256r1_sha256:?mldsa44")))
            goto cleanup;
        break;

    default:
        break;
    }

    /* Tests 0, 4 and 5 expect the handshake to fail, the others to succeed */
    ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
    if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret))
        goto cleanup;

    /* Apart from test 0, the counter must have ended up at 2 or 3 */
    if (tst > 0
        && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))
        goto cleanup;

    passed = 1;

cleanup:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    SSL_CTX_free(snictx);

    return passed;
}
9578 #endif
9579 
/*
 * Run certificate callback test |tst| once for each protocol version that is
 * compiled in. Every enabled variant is run; the result is 1 only if all of
 * them returned 1.
 */
static int test_cert_cb(int tst)
{
    int all_ok = 1;

#ifndef OPENSSL_NO_TLS1_2
    all_ok = test_cert_cb_int(TLS1_2_VERSION, tst) & all_ok;
#endif
#ifndef OSSL_NO_USABLE_TLS1_3
    all_ok = test_cert_cb_int(TLS1_3_VERSION, tst) & all_ok;
#endif

    return all_ok;
}
9593 
/*
 * Client certificate callback for test_client_cert_cb().
 *
 * Checks that the peer certificate is already available on |ssl|, then reads
 * the test certificate and private key from the |cert| and |privkey| files
 * and hands both to the caller through |*x509| and |*pkey|.
 *
 * Returns 1 when a certificate and key were supplied, 0 otherwise.
 */
static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
{
    BIO *in = NULL;
    BIO *priv_in = NULL;
    X509 *xcert = NULL;
    EVP_PKEY *privpkey;
    int supplied = 0;

    /* Check that SSL_get0_peer_certificate() returns something sensible */
    if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
        return 0;

    in = BIO_new_file(cert, "r");
    if (!TEST_ptr(in))
        return 0;

    if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL)))
        goto done;
    if (!TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL)))
        goto done;
    if (!TEST_ptr(priv_in = BIO_new_file(privkey, "r")))
        goto done;
    if (!TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
                     NULL, NULL,
                     libctx, NULL)))
        goto done;

    *x509 = xcert;
    *pkey = privpkey;

    /* The caller holds the certificate now, so it must not be freed below */
    xcert = NULL;
    supplied = 1;

done:
    X509_free(xcert);
    BIO_free(in);
    BIO_free(priv_in);
    return supplied;
}
9629 
/*
 * Test that a client certificate callback supplies the client certificate.
 * Test 0: TLSv1.2
 * Test 1: TLSv1.3
 */
static int test_client_cert_cb(int tst)
{
    SSL *serverssl = NULL, *clientssl = NULL;
    SSL_CTX *sctx = NULL, *cctx = NULL;
    int passed = 0;

#ifdef OPENSSL_NO_TLS1_2
    if (tst == 0)
        return 1;
#endif
#ifdef OSSL_NO_USABLE_TLS1_3
    if (tst == 1)
        return 1;
#endif

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            TLS1_VERSION,
            tst == 0 ? TLS1_2_VERSION
                     : TLS1_3_VERSION,
            &sctx, &cctx, cert, privkey)))
        goto cleanup;

    /*
     * Test that setting a client_cert_cb results in a client certificate being
     * sent. The server demands a peer certificate, so the handshake below can
     * only succeed if the callback provided one.
     */
    SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
    SSL_CTX_set_verify(sctx,
        SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
        verify_cb);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto cleanup;
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto cleanup;

    passed = 1;

cleanup:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return passed;
}
9678 
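#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
/*
 * Append a private copy of |src| to |sk|.
 *
 * The copy is checked before it is pushed, so a failed X509_NAME_dup() is
 * reported instead of handing NULL to sk_X509_NAME_push(), and the copy is
 * released if the push itself fails.
 *
 * Returns 1 on success, 0 on failure.
 */
static int ca_names_push_copy(STACK_OF(X509_NAME) *sk, X509_NAME *src)
{
    X509_NAME *copy = X509_NAME_dup(src);

    if (!TEST_ptr(copy))
        return 0;
    if (!TEST_true(sk_X509_NAME_push(sk, copy))) {
        X509_NAME_free(copy);
        return 0;
    }
    return 1;
}

/*
 * Test setting certificate authorities on both client and server.
 *
 * Test 0: SSL_CTX_set0_CA_list() only
 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
 * Test 2: Only SSL_CTX_set_client_CA_list()
 *
 * |prot| is the maximum protocol version passed to create_ssl_ctx_pair().
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_ca_names_int(int prot, int tst)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    size_t i;
    X509_NAME *name[] = { NULL, NULL, NULL, NULL };
    /* One common name per entry of name[]; the two arrays are index-aligned */
    static const char *const strnames[] = { "Jack", "Jill", "John", "Joanne" };
    STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
    const STACK_OF(X509_NAME) *sktmp = NULL;

    for (i = 0; i < OSSL_NELEM(name); i++) {
        name[i] = X509_NAME_new();
        if (!TEST_ptr(name[i])
            || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
                MBSTRING_ASC,
                (const unsigned char *)strnames[i],
                -1, -1, 0)))
            goto end;
    }

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            TLS1_VERSION,
            prot,
            &sctx, &cctx, cert, privkey)))
        goto end;

    /* The server asks for a client certificate but installs no callback */
    SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);

    if (tst == 0 || tst == 1) {
        /* name[0] and name[1] go into the general CA list on both sides */
        if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
            || !ca_names_push_copy(sk1, name[0])
            || !ca_names_push_copy(sk1, name[1])
            || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
            || !ca_names_push_copy(sk2, name[0])
            || !ca_names_push_copy(sk2, name[1]))
            goto end;

        SSL_CTX_set0_CA_list(sctx, sk1);
        SSL_CTX_set0_CA_list(cctx, sk2);
        /* Ownership moved to the contexts; do not free the stacks at end: */
        sk1 = sk2 = NULL;
    }
    if (tst == 1 || tst == 2) {
        /* name[2] and name[3] go into the client CA list on both sides */
        if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
            || !ca_names_push_copy(sk1, name[2])
            || !ca_names_push_copy(sk1, name[3])
            || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
            || !ca_names_push_copy(sk2, name[2])
            || !ca_names_push_copy(sk2, name[3]))
            goto end;

        SSL_CTX_set_client_CA_list(sctx, sk1);
        SSL_CTX_set_client_CA_list(cctx, sk2);
        /* Ownership moved to the contexts; do not free the stacks at end: */
        sk1 = sk2 = NULL;
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    /*
     * We only expect certificate authorities to have been sent to the server
     * if we are using TLSv1.3 and SSL_CTX_set0_CA_list() was used
     */
    sktmp = SSL_get0_peer_CA_list(serverssl);
    if (prot == TLS1_3_VERSION
        && (tst == 0 || tst == 1)) {
        if (!TEST_ptr(sktmp)
            || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
            || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
                                name[0]),
                0)
            || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
                                name[1]),
                0))
            goto end;
    } else if (!TEST_ptr_null(sktmp)) {
        goto end;
    }

    /*
     * In all tests we expect certificate authorities to have been sent to the
     * client. However, SSL_CTX_set_client_CA_list() should override
     * SSL_CTX_set0_CA_list(): only test 0 sees name[0]/name[1], the other
     * tests see name[2]/name[3].
     */
    sktmp = SSL_get0_peer_CA_list(clientssl);
    if (!TEST_ptr(sktmp)
        || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
        || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
                            name[tst == 0 ? 0 : 2]),
            0)
        || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
                            name[tst == 0 ? 1 : 3]),
            0))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    for (i = 0; i < OSSL_NELEM(name); i++)
        X509_NAME_free(name[i]);
    /* Only non-NULL when a stack was built but never handed to a context */
    sk_X509_NAME_pop_free(sk1, X509_NAME_free);
    sk_X509_NAME_pop_free(sk2, X509_NAME_free);

    return testresult;
}
#endif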
9802 
/*
 * Run test_ca_names_int() for every protocol version that is compiled in.
 *
 * Both versions are always attempted; a failure in the first does not skip
 * the second. Returns 1 if every attempted run passed (or none was compiled
 * in), 0 otherwise.
 */
static int test_ca_names(int tst)
{
    int all_passed = 1;

#ifndef OPENSSL_NO_TLS1_2
    if (!test_ca_names_int(TLS1_2_VERSION, tst))
        all_passed = 0;
#endif
#ifndef OSSL_NO_USABLE_TLS1_3
    if (!test_ca_names_int(TLS1_3_VERSION, tst))
        all_passed = 0;
#endif

    return all_passed;
}
9816 
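#ifndef OPENSSL_NO_TLS1_2
/*
 * TLS cipher suite names, one per test index. Entry i must correspond to
 * entry i of fetchable_ciphers[] in test_multiblock_write().
 */
static const char *multiblock_cipherlist_data[] = {
    "AES128-SHA",
    "AES128-SHA256",
    "AES256-SHA",
    "AES256-SHA256",
};

/* Reduce the fragment size - so the multiblock test buffer can be small */
#define MULTIBLOCK_FRAGSIZE 512

/*
 * Write a buffer spanning several fragments from server to client over a
 * TLSv1.2-or-lower connection using an AES-CBC-HMAC cipher suite, and check
 * that the client reads back exactly the bytes that were written.
 *
 * |test_index| selects the cipher suite; it indexes both
 * multiblock_cipherlist_data[] and fetchable_ciphers[].
 *
 * Returns 1 on success or when the cipher is unavailable (test skipped),
 * 0 on failure.
 */
static int test_multiblock_write(int test_index)
{
    static const char *fetchable_ciphers[] = {
        "AES-128-CBC-HMAC-SHA1",
        "AES-128-CBC-HMAC-SHA256",
        "AES-256-CBC-HMAC-SHA1",
        "AES-256-CBC-HMAC-SHA256"
    };
    const char *cipherlist = multiblock_cipherlist_data[test_index];
    const SSL_METHOD *smeth = TLS_server_method();
    const SSL_METHOD *cmeth = TLS_client_method();
    int min_version = TLS1_VERSION;
    int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;

    /*
     * Choose a buffer large enough to perform a multi-block operation
     * i.e: write_len >= 4 * frag_size
     * 9 * is chosen so that multiple multiblocks are used + some leftover.
     */
    unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
    unsigned char buf[sizeof(msg)], *p = buf;
    size_t readbytes, written, len, want;
    EVP_CIPHER *ciph = NULL;

    /*
     * Check if the cipher exists before attempting to use it since it only has
     * a hardware specific implementation.
     */
    ciph = EVP_CIPHER_fetch(libctx, fetchable_ciphers[test_index], "");
    if (ciph == NULL) {
        TEST_skip("Multiblock cipher is not available for %s", cipherlist);
        return 1;
    }
    EVP_CIPHER_free(ciph);

    /*
     * Set up a buffer with some data that will be sent to the client. A
     * failed RAND_bytes() would leave msg uninitialised, so treat it as a
     * test failure rather than sending and comparing indeterminate bytes.
     */
    if (!TEST_int_gt(RAND_bytes(msg, sizeof(msg)), 0))
        goto end;

    if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
            max_version, &sctx, &cctx, cert,
            privkey)))
        goto end;

    if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
        goto end;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;

    /* settings to force it to use AES-CBC-HMAC_SHA */
    SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
    if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
        || !TEST_size_t_eq(written, sizeof(msg)))
        goto end;

    len = written;
    while (len > 0) {
        /*
         * Never ask for more than is still outstanding: this keeps every
         * read inside buf and keeps |len| from wrapping below zero.
         */
        want = len < MULTIBLOCK_FRAGSIZE ? len : MULTIBLOCK_FRAGSIZE;
        if (!TEST_true(SSL_read_ex(clientssl, p, want, &readbytes)))
            goto end;
        p += readbytes;
        len -= readbytes;
    }
    if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
        goto end;

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
#endif /* OPENSSL_NO_TLS1_2 */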
9913 
/*
 * Check ordering and time-based eviction of sessions in an SSL_CTX session
 * cache.
 *
 * Three hand-built sessions ("early", "middle", "late") are added to the
 * cache, given start times 10 seconds apart and the same timeout, and then
 * flushed at increasing cut-off times. The test reads the sessions' internal
 * prev/next links to tell whether each one is still linked into the cache.
 *
 * |test| is not used by the body.
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_session_timeout(int test)
{
    /*
     * Test session ordering and timeout
     * Can't explicitly test performance of the new code,
     * but can test to see if the ordering of the sessions
     * are correct, and they are removed as expected
     */
    SSL_SESSION *early = NULL;
    SSL_SESSION *middle = NULL;
    SSL_SESSION *late = NULL;
    SSL_CTX *ctx;
    int testresult = 0;
    time_t now = time(NULL);
    /* NOTE(review): TIMEOUT is not #undef'd inside this function */
#define TIMEOUT 10

    /* ctx is assigned here before any path can reach the end: label */
    if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
        || !TEST_ptr(early = SSL_SESSION_new())
        || !TEST_ptr(middle = SSL_SESSION_new())
        || !TEST_ptr(late = SSL_SESSION_new()))
        goto end;

    /* assign unique session ids (written directly into the structures) */
    early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
    memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
    middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
    memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
    late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
    memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);

    if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
        || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
        || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
        goto end;

    /* Make sure they are all added */
    if (!TEST_ptr(early->prev)
        || !TEST_ptr(middle->prev)
        || !TEST_ptr(late->prev))
        goto end;

    /* Start times: early = now - 10, middle = now, late = now + 10 */
    if (!TEST_time_t_ne(SSL_SESSION_set_time_ex(early, now - 10), 0)
        || !TEST_time_t_ne(SSL_SESSION_set_time_ex(middle, now), 0)
        || !TEST_time_t_ne(SSL_SESSION_set_time_ex(late, now + 10), 0))
        goto end;

    /*
     * Same timeout for all three, so start time + TIMEOUT gives
     * early = now, middle = now + 10, late = now + 20.
     */
    if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
        || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
        || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
        goto end;

    /* Make sure they are all still there */
    if (!TEST_ptr(early->prev)
        || !TEST_ptr(middle->prev)
        || !TEST_ptr(late->prev))
        goto end;

    /* Make sure they are in the expected order */
    if (!TEST_ptr_eq(late->next, middle)
        || !TEST_ptr_eq(middle->next, early)
        || !TEST_ptr_eq(early->prev, middle)
        || !TEST_ptr_eq(middle->prev, late))
        goto end;

    /* This should remove "early" (cut-off now + 9) */
    SSL_CTX_flush_sessions_ex(ctx, now + TIMEOUT - 1);
    if (!TEST_ptr_null(early->prev)
        || !TEST_ptr(middle->prev)
        || !TEST_ptr(late->prev))
        goto end;

    /* This should remove "middle" (cut-off now + 11) */
    SSL_CTX_flush_sessions_ex(ctx, now + TIMEOUT + 1);
    if (!TEST_ptr_null(early->prev)
        || !TEST_ptr_null(middle->prev)
        || !TEST_ptr(late->prev))
        goto end;

    /* This should remove "late" (cut-off now + 21) */
    SSL_CTX_flush_sessions_ex(ctx, now + TIMEOUT + 11);
    if (!TEST_ptr_null(early->prev)
        || !TEST_ptr_null(middle->prev)
        || !TEST_ptr_null(late->prev))
        goto end;

    /* Add them back in again */
    if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
        || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
        || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
        goto end;

    /* Make sure they are all added */
    if (!TEST_ptr(early->prev)
        || !TEST_ptr(middle->prev)
        || !TEST_ptr(late->prev))
        goto end;

    /* This should remove all of them */
    SSL_CTX_flush_sessions_ex(ctx, 0);
    if (!TEST_ptr_null(early->prev)
        || !TEST_ptr_null(middle->prev)
        || !TEST_ptr_null(late->prev))
        goto end;

    /* Turn on SSL_SESS_CACHE_UPDATE_TIME in addition to the current mode */
    (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME | SSL_CTX_get_session_cache_mode(ctx));

    /*
     * Make sure |now| is NOT equal to the current time. With the mode set
     * above, the test expects SSL_CTX_add_session() to change the session's
     * time, so the value read back must differ from the stale |now| that was
     * written just before.
     */
    now -= 10;
    if (!TEST_time_t_ne(SSL_SESSION_set_time_ex(early, now), 0)
        || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
        || !TEST_time_t_ne(SSL_SESSION_get_time_ex(early), now))
        goto end;

    testresult = 1;
end:
    /* The three sessions are released after the context they were added to */
    SSL_CTX_free(ctx);
    SSL_SESSION_free(early);
    SSL_SESSION_free(middle);
    SSL_SESSION_free(late);
    return testresult;
}
10035 
/*
 * Test that a session cache overflow works as expected
 * Test 0: TLSv1.3, timeout on new session later than old session
 * Test 1: TLSv1.2, timeout on new session later than old session
 * Test 2: TLSv1.3, timeout on new session earlier than old session
 * Test 3: TLSv1.2, timeout on new session earlier than old session
 *
 * The server's internal cache is limited to one session and tickets are
 * disabled; get_session_cb, defined elsewhere in this file, is installed as
 * the server's session lookup callback and get_sess_val is the file-level
 * variable this test sets for it.
 *
 * Returns 1 on success, 0 on failure, or the result of TEST_skip() when the
 * protocol version under test is not available.
 */
#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
static int test_session_cache_overflow(int idx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    int testresult = 0;
    SSL_SESSION *sess = NULL;
    int references;

#ifdef OSSL_NO_USABLE_TLS1_3
    /* If no TLSv1.3 available then do nothing in this case */
    if (idx % 2 == 0)
        return TEST_skip("No TLSv1.3 available");
#endif
#ifdef OPENSSL_NO_TLS1_2
    /* If no TLSv1.2 available then do nothing in this case */
    if (idx % 2 == 1)
        return TEST_skip("No TLSv1.2 available");
#endif

    /* Even idx caps the protocol at TLSv1.3, odd idx at TLSv1.2 */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_VERSION,
            (idx % 2 == 0) ? TLS1_3_VERSION
                           : TLS1_2_VERSION,
            &sctx, &cctx, cert, privkey))
        || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET)))
        goto end;

    /* Start with nothing for the lookup callback to hand out */
    SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
    get_sess_val = NULL;

    /* A cache of one entry: the second handshake has to overflow it */
    SSL_CTX_sess_set_cache_size(sctx, 1);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    if (idx > 1) {
        sess = SSL_get_session(serverssl);
        if (!TEST_ptr(sess))
            goto end;

        /*
         * Cause this session to have a longer timeout than the next session to
         * be added.
         *
         * SSL_get_session() does not hand over a reference, so |sess| is
         * cleared on both paths below before SSL_SESSION_free(sess) at end:
         * can see it.
         */
        if (!TEST_true(SSL_SESSION_set_timeout(sess, LONG_MAX))) {
            sess = NULL;
            goto end;
        }
        sess = NULL;
    }

    SSL_shutdown(serverssl);
    SSL_shutdown(clientssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    /* Cleared so the frees at end: do not release them a second time */
    serverssl = clientssl = NULL;

    /*
     * Session cache size is 1 and we already populated the cache with a session
     * so the next connection should cause an overflow.
     */

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /*
     * The session we just negotiated may have been already removed from the
     * internal cache - but we will return it anyway from our external cache.
     */
    get_sess_val = SSL_get_session(serverssl);
    if (!TEST_ptr(get_sess_val))
        goto end;
    /*
     * Normally the session is also stored in the cache, thus we have more than
     * one reference, but due to an out-of-memory error it can happen that this
     * is the only reference, and in that case the SSL_free(serverssl) below
     * would free the get_sess_val, causing a use-after-free error.
     */
    if (!TEST_true(CRYPTO_GET_REF(&get_sess_val->references, &references))
        || !TEST_int_ge(references, 2))
        goto end;
    /* This one does take a reference; it is released at end: */
    sess = SSL_get1_session(clientssl);
    if (!TEST_ptr(sess))
        goto end;

    SSL_shutdown(serverssl);
    SSL_shutdown(clientssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    /* Third connection: the client offers the session saved above */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;

    if (!TEST_true(SSL_set_session(clientssl, sess)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    testresult = 1;

end:
    /*
     * NOTE(review): get_sess_val is not reset before returning, so after the
     * frees below it may refer to a released session. This test clears it
     * before use; confirm every other user of get_session_cb does the same.
     */
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    SSL_SESSION_free(sess);

    return testresult;
}
#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
10165 
/*
 * Check the value reported by SSL_get_servername() on both peers, first after
 * a full handshake and then after a resumption handshake.
 *
 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
 *
 * Returns 1 on success (or when the protocol under test is compiled out),
 * 0 on failure.
 */
static int test_servername(int tst)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    SSL_SESSION *sess = NULL;
    /* Name each side is expected to report; NULL means "no name" */
    const char *sexpectedhost = NULL, *cexpectedhost = NULL;

#ifdef OPENSSL_NO_TLS1_2
    if (tst <= 4)
        return 1;
#endif
#ifdef OSSL_NO_USABLE_TLS1_3
    if (tst >= 5)
        return 1;
#endif

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            TLS1_VERSION,
            (tst <= 4) ? TLS1_2_VERSION
                       : TLS1_3_VERSION,
            &sctx, &cctx, cert, privkey))
        || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;

    /*
     * Tests 1 and 6 leave the server without a servername callback; this is
     * the "server does not acknowledge" case. hostname_cb is defined
     * elsewhere in this file.
     */
    if (tst != 1 && tst != 6) {
        if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
                hostname_cb)))
            goto end;
    }

    /* Tests 3 and 8 send no servername on the initial handshake */
    if (tst != 3 && tst != 8) {
        if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
            goto end;
        sexpectedhost = cexpectedhost = "goodhost";
    }

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /*
     * After the initial handshake both sides are expected to report the
     * requested name, including tests 1 and 6 where no callback was installed.
     */
    if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
            cexpectedhost)
        || !TEST_str_eq(SSL_get_servername(serverssl,
                            TLSEXT_NAMETYPE_host_name),
            sexpectedhost))
        goto end;

    /* Now repeat with a resumption handshake */

    /* The session taken here is owned by this function and freed at end: */
    if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
        || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
        || !TEST_true(SSL_SESSION_is_resumable(sess))
        || !TEST_int_eq(SSL_shutdown(serverssl), 0))
        goto end;

    SSL_free(clientssl);
    SSL_free(serverssl);
    /* Cleared so a failure in create_ssl_objects() does not free them twice */
    clientssl = serverssl = NULL;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
            NULL)))
        goto end;

    if (!TEST_true(SSL_set_session(clientssl, sess)))
        goto end;

    /* Default expectation for the resumption; the branches below adjust it */
    sexpectedhost = cexpectedhost = "goodhost";
    if (tst == 2 || tst == 7) {
        /* Set an inconsistent hostname */
        if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
            goto end;
        /*
         * In TLSv1.2 we expect the hostname from the original handshake, in
         * TLSv1.3 we expect the hostname from this handshake
         */
        if (tst == 7)
            sexpectedhost = cexpectedhost = "altgoodhost";

        /* Before the handshake the client reports the name it just set */
        if (!TEST_str_eq(SSL_get_servername(clientssl,
                             TLSEXT_NAMETYPE_host_name),
                "altgoodhost"))
            goto end;
    } else if (tst == 4 || tst == 9) {
        /*
         * A TLSv1.3 session does not associate a session with a servername,
         * but a TLSv1.2 session does.
         */
        if (tst == 9)
            sexpectedhost = cexpectedhost = NULL;

        /* No name is set on this connection; only the session can supply one */
        if (!TEST_str_eq(SSL_get_servername(clientssl,
                             TLSEXT_NAMETYPE_host_name),
                cexpectedhost))
            goto end;
    } else {
        if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
            goto end;
        /*
         * In a TLSv1.2 resumption where the hostname was not acknowledged
         * we expect the hostname on the server to be empty. On the client we
         * return what was requested in this case.
         *
         * Similarly if the client didn't set a hostname on an original TLSv1.2
         * session but is now, the server hostname will be empty, but the client
         * is as we set it.
         */
        if (tst == 1 || tst == 3)
            sexpectedhost = NULL;

        if (!TEST_str_eq(SSL_get_servername(clientssl,
                             TLSEXT_NAMETYPE_host_name),
                "goodhost"))
            goto end;
    }

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /* The handshake must really have been a resumption on both sides */
    if (!TEST_true(SSL_session_reused(clientssl))
        || !TEST_true(SSL_session_reused(serverssl))
        || !TEST_str_eq(SSL_get_servername(clientssl,
                            TLSEXT_NAMETYPE_host_name),
            cexpectedhost)
        || !TEST_str_eq(SSL_get_servername(serverssl,
                            TLSEXT_NAMETYPE_host_name),
            sexpectedhost))
        goto end;

    testresult = 1;

end:
    SSL_SESSION_free(sess);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
10319 
/*
 * Check how unknown names are handled when configuring signature algorithms
 * and groups on an SSL_CTX.
 *
 * A list entry prefixed with '?' is expected to be skipped when it is not
 * recognised, while an unrecognised entry without the prefix is expected to
 * make the whole call fail. The resulting configuration is read straight
 * from the context's internal fields.
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_unknown_sigalgs_groups(void)
{
    static const char sigalg_list[] = "RSA+SHA256:?nonexistent:?RSA+SHA512";
    SSL_CTX *ctx = NULL;
    int testresult = 0;

    ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
    if (!TEST_ptr(ctx))
        goto end;

    /* SSL_CTX_set1_sigalgs_list(): two known entries survive, in order */
    if (!TEST_int_gt(SSL_CTX_set1_sigalgs_list(ctx, sigalg_list), 0)
        || !TEST_size_t_eq(ctx->cert->conf_sigalgslen, 2)
        || !TEST_int_eq(ctx->cert->conf_sigalgs[0],
            TLSEXT_SIGALG_rsa_pkcs1_sha256)
        || !TEST_int_eq(ctx->cert->conf_sigalgs[1],
            TLSEXT_SIGALG_rsa_pkcs1_sha512))
        goto end;

    /* SSL_CTX_set1_client_sigalgs_list(): same list, same expectation */
    if (!TEST_int_gt(SSL_CTX_set1_client_sigalgs_list(ctx, sigalg_list), 0)
        || !TEST_size_t_eq(ctx->cert->client_sigalgslen, 2)
        || !TEST_int_eq(ctx->cert->client_sigalgs[0],
            TLSEXT_SIGALG_rsa_pkcs1_sha256)
        || !TEST_int_eq(ctx->cert->client_sigalgs[1],
            TLSEXT_SIGALG_rsa_pkcs1_sha512))
        goto end;

    /* An unknown group without '?' is rejected ... */
    if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx, "nonexistent"), 0))
        goto end;

    /* ... but a list made only of optional unknown groups is accepted */
    if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx,
            "?nonexistent1:?nonexistent2:?nonexistent3"), 0))
        goto end;

#ifndef OPENSSL_NO_EC
    /* One mandatory unknown group fails the call even next to a known one */
    if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx, "P-256:nonexistent"), 0))
        goto end;

    /* Known groups around an optional unknown one are kept, in order */
    if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx,
            "P-384:?nonexistent:?P-521"), 0)
        || !TEST_size_t_eq(ctx->ext.supportedgroups_len, 2)
        || !TEST_int_eq(ctx->ext.supportedgroups[0],
            OSSL_TLS_GROUP_ID_secp384r1)
        || !TEST_int_eq(ctx->ext.supportedgroups[1],
            OSSL_TLS_GROUP_ID_secp521r1))
        goto end;
#endif

    testresult = 1;
end:
    SSL_CTX_free(ctx);
    return testresult;
}
10377 
#if (!defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)) || !defined(OPENSSL_NO_ML_KEM)
/*
 * Check how SSL_CTX_set1_groups_list() treats the "DEFAULT" keyword and the
 * '-' (remove) prefix, alone and combined with '?'.
 *
 * The number of configured groups is read from the context's internal
 * ext.supportedgroups_len field.
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_configuration_of_groups(void)
{
    SSL_CTX *ctx = NULL;
    size_t default_len, expected_len;
    int testresult = 0;

    ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
    if (!TEST_ptr(ctx))
        goto end;
    default_len = ctx->ext.supportedgroups_len;

    /* A new context already has groups; "DEFAULT" leaves their count as is */
    if (!TEST_size_t_gt(default_len, 0))
        goto end;
    if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx, "DEFAULT"), 0))
        goto end;
    if (!TEST_size_t_eq(ctx->ext.supportedgroups_len, default_len))
        goto end;

    /*
     * Removing P-256 from the defaults drops one group when EC is built in;
     * without EC the optional removal is expected to change nothing.
     */
#if !defined(OPENSSL_NO_EC)
    expected_len = default_len - 1;
#else
    expected_len = default_len;
#endif
    if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx, "DEFAULT:-?P-256"), 0)
        || !TEST_size_t_eq(ctx->ext.supportedgroups_len, expected_len))
        goto end;

#if !defined(OPENSSL_NO_EC)
    /* Adding two groups and removing the first again leaves only P-521 */
    if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx, "?P-256:?P-521:-?P-256"), 0))
        goto end;
    if (!TEST_size_t_eq(ctx->ext.supportedgroups_len, 1))
        goto end;
    if (!TEST_int_eq(ctx->ext.supportedgroups[0], OSSL_TLS_GROUP_ID_secp521r1))
        goto end;
#endif

    testresult = 1;

end:
    SSL_CTX_free(ctx);
    return testresult;
}
#endif
10417 
10418 #if !defined(OPENSSL_NO_EC) \
10419     && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
10420 /*
10421  * Test that if signature algorithms are not available, then we do not offer or
10422  * accept them.
10423  * Test 0: Two RSA sig algs available: both RSA sig algs shared
10424  * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
10425  * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
10426  * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
10427  * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
10428  * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
10429  */
10430 static int test_sigalgs_available(int idx)
10431 {
10432     SSL_CTX *cctx = NULL, *sctx = NULL;
10433     SSL *clientssl = NULL, *serverssl = NULL;
10434     int testresult = 0;
10435     OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
10436     OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
10437     OSSL_PROVIDER *filterprov = NULL;
10438     int sig, hash, numshared, numshared_expected, hash_expected, sig_expected;
10439     const char *sigalg_name, *signame_expected;
10440 
10441     if (!TEST_ptr(tmpctx))
10442         goto end;
10443 
10444     if (idx != 0 && idx != 3) {
10445         if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
10446                 filter_provider_init)))
10447             goto end;
10448 
10449         filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
10450         if (!TEST_ptr(filterprov))
10451             goto end;
10452 
10453         if (idx < 3) {
10454             /*
10455              * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
10456              * or accepted for the peer that uses this libctx. Note that libssl
10457              * *requires* SHA2-256 to be available so we cannot disable that. We
10458              * also need SHA1 for our certificate.
10459              */
10460             if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
10461                     "SHA2-256:SHA1")))
10462                 goto end;
10463         } else {
10464             if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
10465                     "ECDSA"))
10466 #ifdef OPENSSL_NO_ECX
10467                 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT, "EC"))
10468 #else
10469                 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
10470                     "EC:X25519:X448"))
10471 #endif
10472             )
10473                 goto end;
10474         }
10475 
10476         if (idx == 1 || idx == 4)
10477             clientctx = tmpctx;
10478         else
10479             serverctx = tmpctx;
10480     }
10481 
10482     cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
10483     sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
10484     if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
10485         goto end;
10486 
10487     /* Avoid MLKEM groups that depend on possibly filtered-out digests */
10488     if (!TEST_true(SSL_CTX_set1_groups_list(cctx,
10489             "?X25519:?secp256r1:?ffdhe2048:?ffdhe3072"))
10490         || !TEST_true(SSL_CTX_set1_groups_list(sctx,
10491             "?X25519:?secp256r1:?ffdhe2048:?ffdhe3072")))
10492         goto end;
10493 
10494     if (idx != 5) {
10495         /* RSA first server key */
10496         if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10497                 TLS_client_method(),
10498                 TLS1_VERSION,
10499                 0,
10500                 &sctx, &cctx, cert, privkey)))
10501             goto end;
10502     } else {
10503         /* ECDSA P-256 first server key */
10504         if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10505                 TLS_client_method(),
10506                 TLS1_VERSION,
10507                 0,
10508                 &sctx, &cctx, cert2, privkey2)))
10509             goto end;
10510     }
10511 
10512     /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
10513     if (idx < 4) {
10514         if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
10515                 "ECDHE-RSA-AES128-GCM-SHA256")))
10516             goto end;
10517     } else {
10518         if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
10519                 "ECDHE-ECDSA-AES128-GCM-SHA256")))
10520             goto end;
10521     }
10522 
10523     if (idx < 3) {
10524         if (!SSL_CTX_set1_sigalgs_list(cctx,
10525                 "rsa_pss_rsae_sha384"
10526                 ":rsa_pss_rsae_sha256")
10527             || !SSL_CTX_set1_sigalgs_list(sctx,
10528                 "rsa_pss_rsae_sha384"
10529                 ":rsa_pss_rsae_sha256"))
10530             goto end;
10531     } else {
10532         if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
10533             || !SSL_CTX_set1_sigalgs_list(sctx,
10534                 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
10535             goto end;
10536     }
10537 
10538     /* ECDSA P-256 second server key, unless already first */
10539     if (idx != 5
10540         && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
10541                              SSL_FILETYPE_PEM),
10542                 1)
10543             || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
10544                                 privkey2,
10545                                 SSL_FILETYPE_PEM),
10546                 1)
10547             || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
10548         goto end;
10549 
10550     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10551             NULL, NULL)))
10552         goto end;
10553 
10554     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10555         goto end;
10556 
10557     /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
10558     numshared = SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash,
10559         NULL, NULL, NULL);
10560     numshared_expected = 1;
10561     hash_expected = NID_sha256;
10562     sig_expected = NID_rsassaPss;
10563     signame_expected = "rsa_pss_rsae_sha256";
10564     switch (idx) {
10565     case 0:
10566         hash_expected = NID_sha384;
10567         signame_expected = "rsa_pss_rsae_sha384";
10568         /* FALLTHROUGH */
10569     case 3:
10570         numshared_expected = 2;
10571         break;
10572     case 4:
10573     case 5:
10574         sig_expected = EVP_PKEY_EC;
10575         signame_expected = "ecdsa_secp256r1_sha256";
10576         break;
10577     }
10578     if (!TEST_int_eq(numshared, numshared_expected)
10579         || !TEST_int_eq(hash, hash_expected)
10580         || !TEST_int_eq(sig, sig_expected)
10581         || !TEST_true(SSL_get0_peer_signature_name(clientssl, &sigalg_name))
10582         || !TEST_ptr(sigalg_name)
10583         || !TEST_str_eq(sigalg_name, signame_expected))
10584         goto end;
10585 
10586     testresult = filter_provider_check_clean_finish();
10587 
10588 end:
10589     SSL_free(serverssl);
10590     SSL_free(clientssl);
10591     SSL_CTX_free(sctx);
10592     SSL_CTX_free(cctx);
10593     OSSL_PROVIDER_unload(filterprov);
10594     OSSL_LIB_CTX_free(tmpctx);
10595 
10596     return testresult;
10597 }
10598 #endif /*                                                                     \
10599         * !defined(OPENSSL_NO_EC)                                             \
10600         * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)) \
10601         */
10602 
10603 #ifndef OPENSSL_NO_TLS1_3
10604 /* This test can run in TLSv1.3 even if ec and dh are disabled */
/*
 * Run a TLSv1.3 handshake in which the client offers a single group whose
 * name is expected to come from the "tls-provider" test provider.
 *
 * idx 0 makes the client offer "xorkemgroup"; any other idx makes it offer
 * "xorgroup". Returns 1 when the handshake completes and both peers report
 * the offered group, 0 otherwise.
 */
static int test_pluggable_group(int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
    /*
     * Loaded to check that a provider without any groups has no impact on
     * the test; the result of this load is not checked here.
     */
    OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
    const char *group_name;
    const char *shared_name;
    int testresult = 0;

    if (idx == 0)
        group_name = "xorkemgroup";
    else
        group_name = "xorgroup";

    if (!TEST_ptr(tlsprov))
        goto end;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            TLS1_3_VERSION,
            TLS1_3_VERSION,
            &sctx, &cctx, cert, privkey)))
        goto end;
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;

    /*
     * The server list is deliberately longer than GROUPLIST_INCREMENT (=40)
     * entries so that the list-growing logic is exercised.
     */
    if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup:xorkemgroup:dummy1:dummy2:dummy3:dummy4:dummy5:dummy6:dummy7:dummy8:dummy9:dummy10:dummy11:dummy12:dummy13:dummy14:dummy15:dummy16:dummy17:dummy18:dummy19:dummy20:dummy21:dummy22:dummy23:dummy24:dummy25:dummy26:dummy27:dummy28:dummy29:dummy30:dummy31:dummy32:dummy33:dummy34:dummy35:dummy36:dummy37:dummy38:dummy39:dummy40:dummy41:dummy42:dummy43")))
        goto end;
    /* The client offers exactly one group, so that is the one negotiated */
    if (!TEST_true(SSL_set1_groups_list(clientssl, group_name)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /* The first shared group seen by the server must be the offered one */
    shared_name = SSL_group_to_name(serverssl,
        SSL_get_shared_group(serverssl, 0));
    if (!TEST_str_eq(group_name, shared_name))
        goto end;

    /* Both ends must report the same negotiated group name */
    if (!TEST_str_eq(group_name, SSL_get0_group_name(serverssl)))
        goto end;
    if (!TEST_str_eq(group_name, SSL_get0_group_name(clientssl)))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    OSSL_PROVIDER_unload(tlsprov);
    OSSL_PROVIDER_unload(legacyprov);

    return testresult;
}
10656 
10657 /*
10658  * This function triggers encode, decode and sign functions
10659  * of the artificial "xorhmacsig" algorithm implemented in tls-provider
10660  * creating private key and certificate files for use in TLS testing.
10661  */
static int create_cert_key(int idx, char *certfilename, char *privkeyfilename)
{
    /* idx 0 selects "xorhmacsig"; every other value selects "xorhmacsha2sig" */
    EVP_PKEY_CTX *evpctx = EVP_PKEY_CTX_new_from_name(libctx,
        (idx == 0) ? "xorhmacsig" : "xorhmacsha2sig", NULL);
    EVP_PKEY *pkey = NULL;
    X509 *x509 = X509_new();
    X509_NAME *name = NULL;
    BIO *keybio = NULL, *certbio = NULL;
    int ret = 0;

    /* Generate the key pair */
    if (!TEST_ptr(evpctx)
        || !TEST_int_gt(EVP_PKEY_keygen_init(evpctx), 0)
        || !TEST_true(EVP_PKEY_generate(evpctx, &pkey))
        || !TEST_ptr(pkey))
        goto done;

    /* Serial number 1, valid from now for 31536000 seconds (365 days) */
    if (!TEST_ptr(x509)
        || !TEST_true(ASN1_INTEGER_set(X509_get_serialNumber(x509), 1))
        || !TEST_true(X509_gmtime_adj(X509_getm_notBefore(x509), 0))
        || !TEST_true(X509_gmtime_adj(X509_getm_notAfter(x509), 31536000L))
        || !TEST_true(X509_set_pubkey(x509, pkey)))
        goto done;

    /* Subject C=CH, O=test.org, CN=localhost; the same name is the issuer */
    if (!TEST_ptr(name = X509_get_subject_name(x509))
        || !TEST_true(X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC,
            (unsigned char *)"CH", -1, -1, 0))
        || !TEST_true(X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
            (unsigned char *)"test.org", -1, -1, 0))
        || !TEST_true(X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
            (unsigned char *)"localhost", -1, -1, 0))
        || !TEST_true(X509_set_issuer_name(x509, name)))
        goto done;

    /* Self-sign with the generated key; EVP_sha1() is the digest passed in */
    if (!TEST_true(X509_sign(x509, pkey, EVP_sha1())))
        goto done;

    /*
     * The private key is written as PEM with no cipher and no passphrase,
     * i.e. unencrypted. These are throwaway test fixtures only.
     */
    if (!TEST_ptr(keybio = BIO_new_file(privkeyfilename, "wb"))
        || !TEST_true(PEM_write_bio_PrivateKey(keybio, pkey, NULL, NULL, 0, NULL, NULL)))
        goto done;

    if (!TEST_ptr(certbio = BIO_new_file(certfilename, "wb"))
        || !TEST_true(PEM_write_bio_X509(certbio, x509)))
        goto done;

    ret = 1;

done:
    EVP_PKEY_free(pkey);
    X509_free(x509);
    EVP_PKEY_CTX_free(evpctx);
    BIO_free(keybio);
    BIO_free(certbio);
    return ret;
}
10703 
10704 /*
10705  * Test that signature algorithms loaded via the provider interface can
10706  * correctly establish a TLS (1.3) connection.
10707  * Test 0: Signature algorithm with built-in hashing functionality: "xorhmacsig"
10708  * Test 1: Signature algorithm using external SHA2 hashing: "xorhmacsha2sig"
10709  * Test 2: Signature algorithm with built-in hashing configured via SSL_CONF_cmd
10710  * Test 3: Test 0 using RPK
10711  * Test 4: Test 1 using RPK
10712  * Test 5: Test 2 using RPK
10713  */
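static int test_pluggable_signature(int idx)
{
    /* Preference order handed to both peers when RPK is requested */
    static const unsigned char cert_type_rpk[] = { TLSEXT_cert_type_rpk, TLSEXT_cert_type_x509 };
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
    /* The result of loading "default" is not checked here */
    OSSL_PROVIDER *defaultprov = OSSL_PROVIDER_load(libctx, "default");
    char *certfilename = "tls-prov-cert.pem";
    char *privkeyfilename = "tls-prov-key.pem";
    const char *sigalg_name = NULL, *expected_sigalg_name;
    /* idx = 3 * rpkidx + sigidx: sigidx picks the algorithm, rpkidx the RPK mode */
    int sigidx = idx % 3;
    int rpkidx = idx / 3;
    int do_conf_cmd = 0;

    /* Variant 2 is variant 0 with the credentials loaded via SSL_CONF_cmd */
    if (sigidx == 2) {
        sigidx = 0;
        do_conf_cmd = 1;
    }

    /* See create_cert_key() above */
    expected_sigalg_name = (sigidx == 0) ? "xorhmacsig" : "xorhmacsha2sig";

    /* create key and certificate for the different algorithm types */
    if (!TEST_ptr(tlsprov)
        || !TEST_true(create_cert_key(sigidx, certfilename, privkeyfilename)))
        goto end;

    /* No certificate is passed here; it is installed on sctx below */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            TLS1_3_VERSION,
            TLS1_3_VERSION,
            &sctx, &cctx, NULL, NULL)))
        goto end;

    if (do_conf_cmd) {
        SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
        int conf_ok;

        if (!TEST_ptr(confctx))
            goto end;
        SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE | SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE | SSL_CONF_FLAG_REQUIRE_PRIVATE | SSL_CONF_FLAG_SHOW_ERRORS);
        SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
        conf_ok = TEST_int_gt(SSL_CONF_cmd(confctx, "Certificate", certfilename), 0)
            && TEST_int_gt(SSL_CONF_cmd(confctx, "PrivateKey", privkeyfilename), 0)
            && TEST_true(SSL_CONF_CTX_finish(confctx));
        /* Single release point for confctx on both success and failure */
        SSL_CONF_CTX_free(confctx);
        if (!conf_ok)
            goto end;
    } else {
        if (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, certfilename,
                             SSL_FILETYPE_PEM),
                1)
            || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
                                privkeyfilename,
                                SSL_FILETYPE_PEM),
                1))
            goto end;
    }
    /* Whichever way they were loaded, key and certificate must match */
    if (!TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
        goto end;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;

    /* Enable RPK for server cert */
    if (rpkidx) {
        if (!TEST_true(SSL_set1_server_cert_type(serverssl, cert_type_rpk, sizeof(cert_type_rpk)))
            || !TEST_true(SSL_set1_server_cert_type(clientssl, cert_type_rpk, sizeof(cert_type_rpk))))
            goto end;
    }

    /* This is necessary to pass minimal setup w/o other groups configured */
    if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup"))
        || !TEST_true(SSL_set1_groups_list(clientssl, "xorgroup")))
        goto end;

    /*
     * If this connection gets established, it must have been completed
     * via the tls-provider-implemented "xorhmacsig" / "xorhmacsha2sig"
     * algorithm, testing both sign and verify functions during handshake.
     */
    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /*
     * If using RPK, make sure we got one: the client's verify result is
     * expected to be X509_V_ERR_RPK_UNTRUSTED in that case.
     */
    if (rpkidx && !TEST_long_eq(SSL_get_verify_result(clientssl), X509_V_ERR_RPK_UNTRUSTED))
        goto end;

    /*
     * Check the pointer before comparing the string so that a missing name
     * is reported as such rather than as a string mismatch.
     */
    if (!TEST_true(SSL_get0_peer_signature_name(clientssl, &sigalg_name))
        || !TEST_ptr(sigalg_name)
        || !TEST_str_eq(sigalg_name, expected_sigalg_name))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    OSSL_PROVIDER_unload(tlsprov);
    OSSL_PROVIDER_unload(defaultprov);

    return testresult;
}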
10821 #endif
10822 
10823 #ifndef OPENSSL_NO_TLS1_2
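/*
 * Check SSL_dup() on a client SSL object restricted to TLSv1.2.
 *
 * Before the handshake the duplicate must be a distinct object that carries
 * over the min/max protocol version settings; after the handshake SSL_dup()
 * is expected to hand back the same object. Returns 1 on success, 0 on
 * failure.
 */
static int test_ssl_dup(void)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
    int testresult = 0;
    BIO *rbio = NULL, *wbio = NULL;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            0,
            0,
            &sctx, &cctx, cert, privkey)))
        goto end;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;

    if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
        || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
        goto end;

    /*
     * Validate the duplicate before it is used: a failed SSL_dup() must be
     * reported here, not after client2ssl has already been handed to
     * SSL_set0_rbio()/SSL_set0_wbio() together with an extra BIO reference.
     */
    client2ssl = SSL_dup(clientssl);
    if (!TEST_ptr(client2ssl)
        /* Handshake not started so pointers should be different */
        || !TEST_ptr_ne(clientssl, client2ssl))
        goto end;

    /*
     * Share the original's BIOs with the duplicate. Each BIO gets an extra
     * reference first because the set0 call takes one over.
     */
    rbio = SSL_get_rbio(clientssl);
    if (!TEST_ptr(rbio)
        || !TEST_true(BIO_up_ref(rbio)))
        goto end;
    SSL_set0_rbio(client2ssl, rbio);
    rbio = NULL;

    wbio = SSL_get_wbio(clientssl);
    if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
        goto end;
    SSL_set0_wbio(client2ssl, wbio);
    wbio = NULL;

    /* The protocol version limits must have been copied to the duplicate */
    if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
        || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
        goto end;

    /* Drop the original and duplicate the now-connected object instead */
    SSL_free(clientssl);
    clientssl = SSL_dup(client2ssl);
    if (!TEST_ptr(clientssl)
        /* Handshake has finished so pointers should be the same */
        || !TEST_ptr_eq(clientssl, client2ssl))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_free(client2ssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}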
10890 
/*
 * Session secret callback used by test_session_secret_cb().
 *
 * Fills the caller's buffer (*secret_len bytes) with 0xff, so both peers
 * derive from the same fixed master secret. A constant secret gives no
 * confidentiality at all; this is only acceptable inside a test. The peer
 * cipher list, the cipher out-parameter and arg are left untouched.
 * Always returns 1.
 */
static int secret_cb(SSL *s, void *secretin, int *secret_len,
    STACK_OF(SSL_CIPHER) *peer_ciphers,
    const SSL_CIPHER **cipher, void *arg)
{
    unsigned char *out = secretin;
    int pos = 0;

    /* Just use a fixed master secret */
    while (pos < *secret_len) {
        out[pos] = 0xff;
        pos++;
    }

    /* We don't set a preferred cipher */

    return 1;
}
10906 
10907 /*
10908  * Test the session_secret_cb which is designed for use with EAP-FAST
10909  */
static int test_session_secret_cb(int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    SSL_SESSION *secret_sess = NULL, *server_sess = NULL;
    unsigned int sess_len;
    const unsigned char *sessid;
    int testresult = 0;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            0,
            0,
            &sctx, &cctx, cert, privkey)))
        goto end;

    /* First connection: a full handshake whose session is kept for later */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;

    /*
     * session_secret_cb does not support TLSv1.3, so the client floor and
     * the server ceiling are both set to TLSv1.2.
     */
    if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION)))
        goto end;
    if (!TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    if (!TEST_ptr(secret_sess = SSL_get1_session(clientssl)))
        goto end;

    shutdown_ssl_connection(serverssl, clientssl);
    serverssl = clientssl = NULL;

    /* Second connection: resume the saved session via the secret callback */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;

    if (idx != 0) {
        /*
         * Set an explicit session id. Normally we don't support this, but we
         * can get away with it if we reset the session id later
         */
        if (!TEST_true(SSL_SESSION_set1_id(secret_sess, (unsigned char *)"sessionid", 9)))
            goto end;
    } else {
        /* Normal case: no session id */
        if (!TEST_true(SSL_SESSION_set1_id(secret_sess, NULL, 0)))
            goto end;
    }

    if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION)))
        goto end;
    if (!TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION)))
        goto end;
    /* Both peers get the same callback, hence the same fixed secret */
    if (!TEST_true(SSL_set_session_secret_cb(serverssl, secret_cb,
            NULL)))
        goto end;
    if (!TEST_true(SSL_set_session_secret_cb(clientssl, secret_cb,
            NULL)))
        goto end;
    if (!TEST_true(SSL_set_session(clientssl, secret_sess)))
        goto end;

    if (idx == 1) {
        /*
         * We just send the ClientHello here. We expect this to fail with
         * SSL_ERROR_WANT_READ
         */
        if (!TEST_int_le(SSL_connect(clientssl), 0))
            goto end;
        /* Reset the session id to avoid confusing the state machine */
        if (!TEST_true(SSL_SESSION_set1_id(secret_sess, NULL, 0)))
            goto end;
    }
    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /* Both ends must agree that the session was resumed */
    if (!TEST_true(SSL_session_reused(clientssl)))
        goto end;
    if (!TEST_true(SSL_session_reused(serverssl)))
        goto end;

    if (idx == 1) {
        /* The server must have seen the explicit id sent in the ClientHello */
        server_sess = SSL_get1_session(serverssl);
        if (!TEST_ptr(server_sess))
            goto end;
        sessid = SSL_SESSION_get_id(server_sess, &sess_len);

        if (!TEST_mem_eq(sessid, sess_len, "sessionid", 9))
            goto end;
    }
    testresult = 1;

end:
    SSL_SESSION_free(secret_sess);
    SSL_SESSION_free(server_sess);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
11014 
11015 #ifndef OPENSSL_NO_DH
11016 
/* Cached DH parameters, built on first use by get_tmp_dh_params() */
static EVP_PKEY *tmp_dh_params = NULL;

/*
 * Helper function for the test_set_tmp_dh() tests.
 *
 * Builds, on first use, an EVP_PKEY holding DH parameters made of the
 * 2048-bit prime from BN_get_rfc3526_prime_2048() and generator 2, and caches
 * it in tmp_dh_params. Each successful call returns the cached key with one
 * extra reference taken; the caller releases it with EVP_PKEY_free().
 * Returns NULL if the parameters cannot be built or the up-ref fails.
 */
static EVP_PKEY *get_tmp_dh_params(void)
{
    BIGNUM *p = NULL;
    OSSL_PARAM_BLD *tmpl = NULL;
    EVP_PKEY_CTX *pctx = NULL;
    OSSL_PARAM *params = NULL;
    EVP_PKEY *dhpkey = NULL;

    /* Already built by an earlier call: only a new reference is needed */
    if (tmp_dh_params != NULL)
        goto take_ref;

    p = BN_get_rfc3526_prime_2048(NULL);
    if (!TEST_ptr(p))
        goto cleanup;

    pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
    if (!TEST_ptr(pctx))
        goto cleanup;
    if (!TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
        goto cleanup;

    /* Describe the parameters: prime p and generator g = 2 */
    tmpl = OSSL_PARAM_BLD_new();
    if (!TEST_ptr(tmpl))
        goto cleanup;
    if (!TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
            OSSL_PKEY_PARAM_FFC_P,
            p)))
        goto cleanup;
    if (!TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
            OSSL_PKEY_PARAM_FFC_G,
            2)))
        goto cleanup;

    params = OSSL_PARAM_BLD_to_param(tmpl);
    if (!TEST_ptr(params))
        goto cleanup;
    if (!TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
                         EVP_PKEY_KEY_PARAMETERS,
                         params),
            1))
        goto cleanup;

    tmp_dh_params = dhpkey;

cleanup:
    /* The intermediates are released whether or not the build succeeded */
    BN_free(p);
    EVP_PKEY_CTX_free(pctx);
    OSSL_PARAM_BLD_free(tmpl);
    OSSL_PARAM_free(params);

take_ref:
    if (tmp_dh_params == NULL)
        return NULL;
    if (!EVP_PKEY_up_ref(tmp_dh_params))
        return NULL;

    return tmp_dh_params;
}
11069 
11070 #ifndef OPENSSL_NO_DEPRECATED_3_0
11071 /* Callback used by test_set_tmp_dh() */
static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
{
    EVP_PKEY *dhpkey;
    DH *borrowed;

    /* None of the callback arguments are used; the parameters are fixed */
    dhpkey = get_tmp_dh_params();
    if (!TEST_ptr(dhpkey))
        return NULL;

    /*
     * libssl does not free the DH returned from this callback. The reference
     * obtained from EVP_PKEY_get1_DH() is therefore dropped again straight
     * away: the cached tmp_dh_params still holds a reference to the owning
     * EVP_PKEY, so the DH object stays alive for as long as it is needed even
     * after our own reference to dhpkey is released below.
     */
    borrowed = EVP_PKEY_get1_DH(dhpkey);
    DH_free(borrowed);

    EVP_PKEY_free(dhpkey);

    return borrowed;
}
11093 #endif
11094 
11095 /*
11096  * Test the various methods for setting temporary DH parameters
11097  *
11098  * Test  0: Default (no auto) setting
11099  * Test  1: Explicit SSL_CTX auto off
11100  * Test  2: Explicit SSL auto off
11101  * Test  3: Explicit SSL_CTX auto on
11102  * Test  4: Explicit SSL auto on
11103  * Test  5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
11104  * Test  6: Explicit SSL auto off, custom DH params via EVP_PKEY
11105  *
11106  * The following are testing deprecated APIs, so we only run them if available
11107  * Test  7: Explicit SSL_CTX auto off, custom DH params via DH
11108  * Test  8: Explicit SSL auto off, custom DH params via DH
11109  * Test  9: Explicit SSL_CTX auto off, custom DH params via callback
11110  * Test 10: Explicit SSL auto off, custom DH params via callback
11111  */
static int test_set_tmp_dh(int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    /* Only tests 3 and 4 switch automatic DH parameters on */
    int dhauto = (idx == 3 || idx == 4);
    /* Tests 0-2 leave the server with no DH parameters: handshake must fail */
    int expected = (idx > 2);
    EVP_PKEY *dhpkey = NULL;
#ifndef OPENSSL_NO_DEPRECATED_3_0
    DH *dh = NULL;
#else

    /* Tests 7-10 use deprecated APIs that are not available in this build */
    if (idx >= 7)
        return 1;
#endif

    /* Tests 5-8 need the custom parameters (7 and 8 convert them to a DH) */
    if (idx >= 5 && idx <= 8
        && !TEST_ptr(dhpkey = get_tmp_dh_params()))
        goto end;
#ifndef OPENSSL_NO_DEPRECATED_3_0
    if (idx == 7 || idx == 8) {
        dh = EVP_PKEY_get1_DH(dhpkey);
        if (!TEST_ptr(dh))
            goto end;
    }
#endif

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            0,
            0,
            &sctx, &cctx, cert, privkey)))
        goto end;

    /* Odd-numbered tests configure the SSL_CTX */
    if ((idx & 1) != 0
        && !TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
        goto end;

    switch (idx) {
    case 5:
        if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
            goto end;
        /* The key now belongs to sctx, so it must not be freed at end */
        dhpkey = NULL;
        break;
#ifndef OPENSSL_NO_DEPRECATED_3_0
    case 7:
        if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
            goto end;
        break;
    case 9:
        SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
        break;
#endif
    default:
        break;
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;

    /* Even-numbered tests other than 0 configure the server SSL object */
    if (idx != 0 && (idx & 1) == 0
        && !TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
        goto end;

    switch (idx) {
    case 6:
        if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
            goto end;
        /* The key now belongs to serverssl, so it must not be freed at end */
        dhpkey = NULL;
        break;
#ifndef OPENSSL_NO_DEPRECATED_3_0
    case 8:
        if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
            goto end;
        break;
    case 10:
        SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
        break;
#endif
    default:
        break;
    }

    /* Pin the server to TLSv1.2 and a DHE ciphersuite so DH is really used */
    if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION)))
        goto end;
    if (!TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION)))
        goto end;
    if (!TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
        goto end;

    /*
     * With auto DH on, or with custom parameters supplied, the handshake
     * should succeed. Otherwise we expect failure because there are no
     * parameters.
     */
    if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
                         SSL_ERROR_NONE),
            expected))
        goto end;

    testresult = 1;

end:
#ifndef OPENSSL_NO_DEPRECATED_3_0
    DH_free(dh);
#endif
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    EVP_PKEY_free(dhpkey);

    return testresult;
}
11217 
11218 /*
11219  * Test the auto DH keys are appropriately sized
11220  */
static int test_dh_auto(int idx)
{
    SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
    SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    EVP_PKEY *tmpkey = NULL;
    char *thiscert = NULL, *thiskey = NULL;
    size_t expdhsize = 0;
    const char *ciphersuite = "DHE-RSA-AES128-SHA";

    if (!TEST_ptr(sctx) || !TEST_ptr(cctx))
        goto end;

    /*
     * Tests 0 and 5 expect a 1024 bit DH key. The FIPS provider doesn't
     * support this DH size - so we ignore those tests and report success.
     */
    if (is_fips && (idx == 0 || idx == 5)) {
        testresult = 1;
        goto end;
    }

    switch (idx) {
    case 0:
        thiscert = cert1024;
        thiskey = privkey1024;
        expdhsize = 1024;
        /* Security level 1 on both contexts for the 1024 bit certificate */
        SSL_CTX_set_security_level(sctx, 1);
        SSL_CTX_set_security_level(cctx, 1);
        break;
    case 1:
        /* 2048 bit prime */
        thiscert = cert;
        thiskey = privkey;
        expdhsize = 2048;
        break;
    case 2:
        thiscert = cert3072;
        thiskey = privkey3072;
        expdhsize = 3072;
        break;
    case 3:
        thiscert = cert4096;
        thiskey = privkey4096;
        expdhsize = 4096;
        break;
    case 4:
        thiscert = cert8192;
        thiskey = privkey8192;
        expdhsize = 8192;
        break;
    /*
     * No certificate cases: anonymous DH ciphersuites at security level 0.
     * These settings exist only to reach the code under test.
     */
    case 5:
        ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
        expdhsize = 1024;
        break;
    case 6:
        ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
        expdhsize = 3072;
        break;
    default:
        TEST_error("Invalid text index");
        goto end;
    }

    /* sctx and cctx already exist, so no methods are passed here */
    if (!TEST_true(create_ssl_ctx_pair(libctx, NULL,
            NULL,
            0,
            0,
            &sctx, &cctx, thiscert, thiskey)))
        goto end;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;

    /* Auto DH on the server, TLSv1.2 only, same ciphersuite on both ends */
    if (!TEST_true(SSL_set_dh_auto(serverssl, 1)))
        goto end;
    if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION)))
        goto end;
    if (!TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION)))
        goto end;
    if (!TEST_true(SSL_set_cipher_list(serverssl, ciphersuite)))
        goto end;
    if (!TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
        goto end;

    /*
     * Send the server's first flight. At this point the server has created the
     * temporary DH key but hasn't finished using it yet. Once used it is
     * removed, so we cannot test it.
     */
    if (!TEST_int_le(SSL_connect(clientssl), 0))
        goto end;
    if (!TEST_int_le(SSL_accept(serverssl), 0))
        goto end;

    /* The temporary key on the server must have the expected bit length */
    if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
        goto end;
    if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
        goto end;

    /* Finish the handshake that was started above */
    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    EVP_PKEY_free(tmpkey);

    return testresult;
}
11334 #endif /* OPENSSL_NO_DH */
11335 #endif /* OPENSSL_NO_TLS1_2 */
11336 
11337 #ifndef OSSL_NO_USABLE_TLS1_3
11338 /*
11339  * Test that setting an SNI callback works with TLSv1.3. Specifically we check
11340  * that it works even without a certificate configured for the original
11341  * SSL_CTX
11342  */
static int test_sni_tls13(void)
{
    SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;

    /* Start from a clean callback counter; it is checked at the end */
    snicb = 0;

    /* The initial server SSL_CTX deliberately has no certificate configured */
    sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
    if (!TEST_ptr(sctx))
        goto end;

    /*
     * sctx2 is the context that does carry the certificate and key.
     * TLSv1.3 is required as a minimum.
     */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_3_VERSION, 0,
            &sctx2, &cctx, cert, privkey)))
        goto end;

    /* Set up SNI on the bare context, passing sctx2 as the callback argument */
    if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb)))
        goto end;
    if (!TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
        goto end;

    /*
     * Connection should still succeed because the final SSL_CTX has the right
     * certificates configured.
     */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
            &clientssl, NULL, NULL)))
        goto end;
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    /* We should have had the SNI callback called exactly once */
    if (!TEST_int_eq(snicb, 1))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx2);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}
11391 
/*
 * Check the session ticket lifetime hint seen by the client after the server
 * timeout has been set to two weeks.
 *
 * idx 0 = TLSv1.2: the hint must equal the configured two weeks.
 * idx 1 = TLSv1.3: the hint must be no more than one week (RFC 8446 caps
 *                  ticket_lifetime at 604800 seconds).
 *
 * Returns 1 on success (or when the protocol is skipped), 0 on failure.
 */
static int test_ticket_lifetime(int idx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *server = NULL, *client = NULL;
    unsigned long hint;
    int proto = TLS1_3_VERSION;
    int ok = 0;

#define ONE_WEEK_SEC (7 * 24 * 60 * 60)
#define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)

    if (idx == 0) {
#ifdef OPENSSL_NO_TLS1_2
        return TEST_skip("TLS 1.2 is disabled.");
#else
        proto = TLS1_2_VERSION;
#endif
    }

    /* Pin both ends to exactly one protocol version */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), proto, proto,
            &sctx, &cctx, cert, privkey))
        || !TEST_true(create_ssl_objects(sctx, cctx, &server,
            &client, NULL, NULL)))
        goto end;

    /*
     * Request a timeout longer than one week. SSL_CTX_set_timeout() hands
     * back the previous value, which must be the library default as no
     * timeout has been set before.
     */
    if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
            SSL_get_default_timeout(server)))
        goto end;

    if (!TEST_true(create_ssl_connection(server, client, SSL_ERROR_NONE)))
        goto end;

    hint = SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(client));
    if (idx == 0) {
        /* TLSv1.2 advertises the configured value unchanged */
        if (!TEST_ulong_eq(hint, TWO_WEEK_SEC))
            goto end;
    } else {
        /* TLSv1.3 must have limited the advertised value */
        if (!TEST_ulong_le(hint, ONE_WEEK_SEC))
            goto end;
    }

    ok = 1;

end:
    SSL_free(server);
    SSL_free(client);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return ok;
}
11453 #endif
/*
 * Check that SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos() only accept
 * a well-formed ALPN protocol list: a sequence of non-empty names, each
 * preceded by a one-byte length, that exactly fills the supplied buffer.
 * Malformed lists must be rejected when they are set, not left for the
 * handshake to trip over.
 *
 * Returns 1 on success and 0 on failure.
 */
static int test_set_alpn(void)
{
    SSL_CTX *ctx = NULL;
    SSL *ssl = NULL;
    int ok = 0;

    /* A single well-formed entry: length 4 followed by "good" */
    unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
    /* First entry has length zero (empty protocol name) */
    unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
    /* Length 1 but three bytes follow: lengths do not add up to the buffer */
    unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
    /* Valid entry followed by a trailing zero-length entry */
    unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00 };
    /* Valid entry, then an entry whose length leaves unparseable leftovers */
    unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd' };
    /* Valid entry, then an entry claiming 6 bytes when only 3 remain */
    unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd' };

    /* No certificate is needed; only the setters are exercised */
    ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
    if (!TEST_ptr(ctx))
        goto end;

    /*
     * NB: the set_alpn functions return 0 (false) on success and non-zero
     * (true) on failure, the opposite of most OpenSSL setters. A NULL
     * pointer or a zero length is accepted, as is the well-formed list.
     */
    if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2))
        || !TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0))
        || !TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
        goto end;

    /* A length of 1 cuts "good" off after its length byte */
    if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1))
        || !TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0)))
        || !TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1)))
        || !TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2)))
        || !TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3)))
        || !TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
        goto end;

    /* Same vectors against the per-connection setter */
    ssl = SSL_new(ctx);
    if (!TEST_ptr(ssl))
        goto end;

    if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2))
        || !TEST_false(SSL_set_alpn_protos(ssl, good, 0))
        || !TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
        goto end;

    if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1))
        || !TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0)))
        || !TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1)))
        || !TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2)))
        || !TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3)))
        || !TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
        goto end;

    ok = 1;

end:
    SSL_free(ssl);
    SSL_CTX_free(ctx);
    return ok;
}
11525 
/*
 * Round-trip test for the SSL_CTX verify and chain certificate stores:
 * SSL_CTX_set1_verify_cert_store()/SSL_CTX_set1_chain_cert_store() and the
 * matching SSL_CTX_get0_*() getters. The getters must report NULL before
 * anything is set, the exact pointers after setting, and NULL again after
 * the stores are unset.
 *
 * Returns 1 on success and 0 on failure.
 */
static int test_set_verify_cert_store_ssl_ctx(void)
{
    X509_STORE *got_verify = NULL, *got_chain = NULL;
    X509_STORE *my_verify = NULL, *my_chain = NULL;
    SSL_CTX *ctx = NULL;
    int ok = 0;

    ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
    if (!TEST_ptr(ctx))
        goto end;

    /* Nothing has been configured yet, so both getters must yield NULL */
    if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &got_verify))
        || !TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &got_chain))
        || !TEST_ptr_null(got_verify)
        || !TEST_ptr_null(got_chain))
        goto end;

    /*
     * Two distinct stores, so a mix-up between the verify and the chain
     * slot shows up as a pointer mismatch below.
     */
    if (!TEST_ptr(my_verify = X509_STORE_new())
        || !TEST_ptr(my_chain = X509_STORE_new()))
        goto end;

    if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, my_verify))
        || !TEST_true(SSL_CTX_set1_chain_cert_store(ctx, my_chain)))
        goto end;

    /* Each getter must now return the store set for its own slot */
    if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &got_verify))
        || !TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &got_chain))
        || !TEST_ptr_eq(got_verify, my_verify)
        || !TEST_ptr_eq(got_chain, my_chain))
        goto end;

    /* Passing NULL unsets the stores again */
    if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL))
        || !TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
        goto end;

    if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &got_verify))
        || !TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &got_chain))
        || !TEST_ptr_null(got_verify)
        || !TEST_ptr_null(got_chain))
        goto end;

    ok = 1;

end:
    /*
     * The set1 calls leave the caller's reference with the caller, so the
     * stores created here are released here on every path.
     */
    X509_STORE_free(my_verify);
    X509_STORE_free(my_chain);
    SSL_CTX_free(ctx);
    return ok;
}
11604 
/*
 * Round-trip test for the per-connection verify and chain certificate
 * stores: SSL_set1_verify_cert_store()/SSL_set1_chain_cert_store() and the
 * matching SSL_get0_*() getters. The getters must report NULL before
 * anything is set, the exact pointers after setting, and NULL again after
 * the stores are unset.
 *
 * Returns 1 on success and 0 on failure.
 */
static int test_set_verify_cert_store_ssl(void)
{
    X509_STORE *got_verify = NULL, *got_chain = NULL;
    X509_STORE *my_verify = NULL, *my_chain = NULL;
    SSL_CTX *ctx = NULL;
    SSL *ssl = NULL;
    int ok = 0;

    ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
    if (!TEST_ptr(ctx))
        goto end;

    ssl = SSL_new(ctx);
    if (!TEST_ptr(ssl))
        goto end;

    /* Nothing has been configured yet, so both getters must yield NULL */
    if (!TEST_true(SSL_get0_verify_cert_store(ssl, &got_verify))
        || !TEST_true(SSL_get0_chain_cert_store(ssl, &got_chain))
        || !TEST_ptr_null(got_verify)
        || !TEST_ptr_null(got_chain))
        goto end;

    /*
     * Two distinct stores, so a mix-up between the verify and the chain
     * slot shows up as a pointer mismatch below.
     */
    if (!TEST_ptr(my_verify = X509_STORE_new())
        || !TEST_ptr(my_chain = X509_STORE_new()))
        goto end;

    if (!TEST_true(SSL_set1_verify_cert_store(ssl, my_verify))
        || !TEST_true(SSL_set1_chain_cert_store(ssl, my_chain)))
        goto end;

    /* Each getter must now return the store set for its own slot */
    if (!TEST_true(SSL_get0_verify_cert_store(ssl, &got_verify))
        || !TEST_true(SSL_get0_chain_cert_store(ssl, &got_chain))
        || !TEST_ptr_eq(got_verify, my_verify)
        || !TEST_ptr_eq(got_chain, my_chain))
        goto end;

    /* Passing NULL unsets the stores again */
    if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL))
        || !TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
        goto end;

    if (!TEST_true(SSL_get0_verify_cert_store(ssl, &got_verify))
        || !TEST_true(SSL_get0_chain_cert_store(ssl, &got_chain))
        || !TEST_ptr_null(got_verify)
        || !TEST_ptr_null(got_chain))
        goto end;

    ok = 1;

end:
    /*
     * The set1 calls leave the caller's reference with the caller, so the
     * stores created here are released here on every path.
     */
    X509_STORE_free(my_verify);
    X509_STORE_free(my_chain);
    SSL_free(ssl);
    SSL_CTX_free(ctx);
    return ok;
}
11690 
/*
 * Check that an SSL object inherits the hostname-check flags set on its
 * SSL_CTX's X509_VERIFY_PARAM. A fresh context must report host flags of 0;
 * after X509_CHECK_FLAG_NEVER_CHECK_SUBJECT is set on the context, an SSL
 * created from it must report the same flags. If this inheritance broke,
 * connections would verify peer names with flags other than the ones the
 * application configured.
 *
 * Returns 1 on success and 0 on failure.
 */
static int test_inherit_verify_param(void)
{
    const int wanted = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
    X509_VERIFY_PARAM *ctx_param = NULL, *ssl_param = NULL;
    SSL_CTX *ctx = NULL;
    SSL *ssl = NULL;
    int ok = 0;

    ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
    if (!TEST_ptr(ctx))
        goto end;

    /* get0: the parameter object stays owned by the context */
    ctx_param = SSL_CTX_get0_param(ctx);
    if (!TEST_ptr(ctx_param)
        || !TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(ctx_param), 0))
        goto end;

    /* Change the context before the SSL object exists */
    X509_VERIFY_PARAM_set_hostflags(ctx_param, wanted);

    ssl = SSL_new(ctx);
    if (!TEST_ptr(ssl))
        goto end;

    /* The connection-level parameters must carry the context's flags */
    ssl_param = SSL_get0_param(ssl);
    if (!TEST_ptr(ssl_param)
        || !TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(ssl_param), wanted))
        goto end;

    ok = 1;

end:
    SSL_free(ssl);
    SSL_CTX_free(ctx);

    return ok;
}
11731 
/*
 * Check that the "DHParameters" configuration command can load the DH
 * parameter file named by dhfile through an SSL_CONF_CTX bound to an SSL_CTX.
 * Passes trivially when no dhfile was supplied and is skipped in builds
 * without DH support.
 *
 * Returns 1 on success (or skip), 0 on failure.
 */
static int test_load_dhfile(void)
{
#ifdef OPENSSL_NO_DH
    return TEST_skip("DH not supported by this build");
#else
    SSL_CONF_CTX *conf = NULL;
    SSL_CTX *ctx = NULL;
    int ok = 0;

    /* No parameter file configured for this run: nothing to check */
    if (dhfile == NULL)
        return 1;

    ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
    if (!TEST_ptr(ctx))
        goto end;
    conf = SSL_CONF_CTX_new();
    if (!TEST_ptr(conf))
        goto end;

    SSL_CONF_CTX_set_ssl_ctx(conf, ctx);
    SSL_CONF_CTX_set_flags(conf,
        SSL_CONF_FLAG_FILE
            | SSL_CONF_FLAG_SERVER
            | SSL_CONF_FLAG_CERTIFICATE);

    /* SSL_CONF_cmd() returns 2 when both the command and its value are used */
    if (!TEST_int_eq(SSL_CONF_cmd(conf, "DHParameters", dhfile), 2))
        goto end;

    ok = 1;
end:
    SSL_CONF_CTX_free(conf);
    SSL_CTX_free(ctx);

    return ok;
#endif
}
11766 
11767 #ifndef OSSL_NO_USABLE_TLS1_3
/*
 * Test that read_ahead works across a key change: with read_ahead enabled on
 * the server, application data written before and after a TLSv1.3 KeyUpdate
 * must both be readable even though the records were encrypted under
 * different keys.
 *
 * Returns 1 on success and 0 on failure.
 */
static int test_read_ahead_key_change(void)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *server = NULL, *client = NULL;
    char *payload = "Hello World";
    size_t paylen = strlen(payload);
    size_t nwritten, nread;
    char rbuf[80];
    int round;
    int ok = 0;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_3_VERSION, 0,
            &sctx, &cctx, cert, privkey)))
        goto end;

    /* Must be set on the context before the server SSL object is created */
    SSL_CTX_set_read_ahead(sctx, 1);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &server,
            &client, NULL, NULL))
        || !TEST_true(create_ssl_connection(server, client, SSL_ERROR_NONE)))
        goto end;

    /* Application data under the original traffic keys */
    if (!TEST_true(SSL_write_ex(client, payload, paylen, &nwritten))
        || !TEST_size_t_eq(nwritten, paylen))
        goto end;

    /* Queue a key update that does not ask the peer to update in return */
    if (!TEST_true(SSL_key_update(client, SSL_KEY_UPDATE_NOT_REQUESTED)))
        goto end;

    /* Application data again; this write also carries the key update */
    if (!TEST_true(SSL_write_ex(client, payload, paylen, &nwritten))
        || !TEST_size_t_eq(nwritten, paylen))
        goto end;

    /*
     * Because read_ahead is on, the first read below should pull in all
     * three records at once: the first app data record, the key update
     * record and the second app data record. The buffered data must still
     * be processed correctly even though it crosses epochs.
     */
    for (round = 0; round < 2; round++) {
        /* One byte is held back for the terminator written below */
        if (!TEST_true(SSL_read_ex(server, rbuf, sizeof(rbuf) - 1, &nread)))
            goto end;

        rbuf[nread] = '\0';
        if (!TEST_str_eq(rbuf, payload))
            goto end;
    }

    ok = 1;

end:
    SSL_free(server);
    SSL_free(client);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return ok;
}
11831 
/*
 * Record padding callback used by test_tls13_record_padding(). |arg| points
 * to an int call counter, which is incremented on every invocation. The
 * amount of padding requested depends on how many times the callback has
 * already been called; |s| and |type| are not used.
 */
static size_t record_pad_cb(SSL *s, int type, size_t len, void *arg)
{
    int *counter = arg;
    int call_no = (*counter)++;

    /* First record: a modest amount of padding */
    if (call_no == 0)
        return 512;

    /* Second record: pad exactly up to the maximum plaintext length */
    if (call_no == 1)
        return SSL3_RT_MAX_PLAIN_LENGTH - len;

    /*
     * Third record: one byte beyond the maximum. This should be fine; the
     * record is expected to be padded to the maximum anyway.
     */
    if (call_no == 2)
        return SSL3_RT_MAX_PLAIN_LENGTH + 1 - len;

    /*
     * Fourth record: an absurdly large request, which should likewise just
     * pad to the maximum allowed.
     */
    if (call_no == 3)
        return SIZE_MAX;

    /* Any later record: no padding */
    return 0;
}
11859 
/*
 * Test that setting record padding in TLSv1.3 works as expected
 * Test 0: Record padding callback on the SSL_CTX
 * Test 1: Record padding callback on the SSL
 * Test 2: Record block padding on the SSL_CTX
 * Test 3: Record block padding on the SSL
 * Test 4: Extended record block padding on the SSL_CTX
 * Test 5: Extended record block padding on the SSL
 *
 * Only the API contract and continued connectivity are checked. The test
 * does not inspect the records to confirm that padding was really applied.
 *
 * Returns 1 on success and 0 on failure.
 */
static int test_tls13_record_padding(int idx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *server = NULL, *client = NULL;
    char *payload = "Hello World";
    size_t paylen = strlen(payload);
    size_t nwritten, nread;
    char rbuf[80];
    int cb_calls = 0;
    int round;
    int ok = 0;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_3_VERSION, 0,
            &sctx, &cctx, cert, privkey)))
        goto end;

    /* Context-level configuration (even test numbers) */
    switch (idx) {
    case 0:
        SSL_CTX_set_record_padding_callback(cctx, record_pad_cb);
        SSL_CTX_set_record_padding_callback_arg(cctx, &cb_calls);
        if (!TEST_ptr_eq(SSL_CTX_get_record_padding_callback_arg(cctx),
                &cb_calls))
            goto end;
        break;
    case 2:
        /* A block size beyond the max plain length must be refused */
        if (!TEST_false(SSL_CTX_set_block_padding(cctx,
                SSL3_RT_MAX_PLAIN_LENGTH + 1)))
            goto end;
        if (!TEST_true(SSL_CTX_set_block_padding(cctx, 512)))
            goto end;
        break;
    case 4:
        /* pad only handshake/alert messages */
        if (!TEST_true(SSL_CTX_set_block_padding_ex(cctx, 0, 512)))
            goto end;
        break;
    default:
        break;
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &server,
            &client, NULL, NULL)))
        goto end;

    /* Connection-level configuration (odd test numbers) */
    switch (idx) {
    case 1:
        SSL_set_record_padding_callback(client, record_pad_cb);
        SSL_set_record_padding_callback_arg(client, &cb_calls);
        if (!TEST_ptr_eq(SSL_get_record_padding_callback_arg(client),
                &cb_calls))
            goto end;
        break;
    case 3:
        /* A block size beyond the max plain length must be refused */
        if (!TEST_false(SSL_set_block_padding(client,
                SSL3_RT_MAX_PLAIN_LENGTH + 1)))
            goto end;
        if (!TEST_true(SSL_set_block_padding(client, 512)))
            goto end;
        break;
    case 5:
        /* A block size beyond the max plain length must be refused */
        if (!TEST_false(SSL_set_block_padding_ex(client, 0,
                SSL3_RT_MAX_PLAIN_LENGTH + 1)))
            goto end;
        /* pad server and client handshake only */
        if (!TEST_true(SSL_set_block_padding_ex(client, 0, 512)))
            goto end;
        if (!TEST_true(SSL_set_block_padding_ex(server, 0, 512)))
            goto end;
        break;
    default:
        break;
    }

    if (!TEST_true(create_ssl_connection(server, client, SSL_ERROR_NONE)))
        goto end;

    /* Discard calls made during the handshake; count app data only */
    cb_calls = 0;

    /*
     * Write some data, then check we can read it. This is done four times to
     * check that padded data can still be written and read after the initial
     * record padding has been added. Four rounds also walk record_pad_cb
     * through each of its distinct padding requests.
     */
    for (round = 0; round < 4; round++) {
        if (!TEST_true(SSL_write_ex(client, payload, paylen, &nwritten))
            || !TEST_size_t_eq(nwritten, paylen))
            goto end;

        /* One byte is held back for the terminator written below */
        if (!TEST_true(SSL_read_ex(server, rbuf, sizeof(rbuf) - 1, &nread))
            || !TEST_size_t_eq(nwritten, nread))
            goto end;

        rbuf[nread] = '\0';
        if (!TEST_str_eq(rbuf, payload))
            goto end;
    }

    /* With a callback installed it must have run once per record written */
    if ((idx == 0 || idx == 1) && !TEST_int_eq(cb_calls, 4))
        goto end;

    ok = 1;
end:
    SSL_free(server);
    SSL_free(client);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return ok;
}
11968 #endif /* OSSL_NO_USABLE_TLS1_3 */
11969 
11970 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
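/*
 * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not
 * support this yet. The only pipeline capable cipher that we have is in the
 * dasync engine (providers don't support this yet), so we have to use
 * deprecated APIs for this test.
 *
 * Test 0: Client has pipelining enabled, server does not
 * Test 1: Server has pipelining enabled, client does not
 * Test 2: Client has pipelining enabled, server does not: not enough data to
 *         fill all the pipelines
 * Test 3: Client has pipelining enabled, server does not: not enough data to
 *         fill all the pipelines by more than a full pipeline's worth
 * Test 4: Client has pipelining enabled, server does not: more data than all
 *         the available pipelines can take
 * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline
 * Test 6: Repeat of test 0, but the engine is loaded late (after the SSL_CTX
 *         is created)
 *
 * Returns 1 on success and 0 on failure.
 */
static int test_pipelining(int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL, *peera, *peerb;
    int testresult = 0;
    /* A 55 byte message (the array also holds the terminating NUL) */
    static const unsigned char fixedmsg[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123";
    /* Data to send: the fixed message, or |randmsg| in test 5 */
    const unsigned char *msg = fixedmsg;
    /*
     * Heap message for test 5. Ownership is tracked by this pointer alone,
     * so cleanup never has to infer from other state whether |msg| is
     * freeable.
     */
    unsigned char *randmsg = NULL;
    size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5;
    size_t numreads, expectedreads;
    unsigned char *buf = NULL;
    ENGINE *e = NULL;

    if (idx != 6) {
        e = load_dasync();
        /* Nothing has been allocated yet, so a plain return is safe */
        if (e == NULL)
            return 0;
    }

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), 0,
            TLS1_2_VERSION, &sctx, &cctx, cert,
            privkey)))
        goto end;

    if (idx == 6) {
        e = load_dasync();
        if (e == NULL)
            goto end;
        /* Now act like test 0 */
        idx = 0;
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
            &clientssl, NULL, NULL)))
        goto end;

    /*
     * NOTE(review): presumably chosen because it maps onto the cipher the
     * dasync engine can pipeline. It is a test fixture, not a suite to copy
     * into a deployment.
     */
    if (!TEST_true(SSL_set_cipher_list(clientssl, "AES128-SHA")))
        goto end;

    /* peera is always configured for pipelining, while peerb is not. */
    if (idx == 1) {
        peera = serverssl;
        peerb = clientssl;
    } else {
        peera = clientssl;
        peerb = serverssl;
    }

    if (idx == 5) {
        numpipes = 2;
        /* Maximum allowed fragment size */
        fragsize = SSL3_RT_MAX_PLAIN_LENGTH;
        msglen = fragsize * numpipes;
        randmsg = OPENSSL_malloc(msglen);
        if (!TEST_ptr(randmsg))
            goto end;
        if (!TEST_int_gt(RAND_bytes_ex(libctx, randmsg, msglen, 0), 0))
            goto end;
        msg = randmsg;
    } else if (idx == 4) {
        msglen = 55;
    } else {
        msglen = 50;
    }
    if (idx == 2)
        msglen -= 2; /* Send 2 less bytes */
    else if (idx == 3)
        msglen -= 12; /* Send 12 less bytes */

    buf = OPENSSL_malloc(msglen);
    if (!TEST_ptr(buf))
        goto end;

    if (idx == 5) {
        /*
         * Test that setting a split send fragment longer than the maximum
         * allowed fails
         */
        if (!TEST_false(SSL_set_split_send_fragment(peera, fragsize + 1)))
            goto end;
    }

    /*
     * In the normal case. We have 5 pipelines with 10 bytes per pipeline
     * (50 bytes in total). This is a ridiculously small number of bytes -
     * but sufficient for our purposes
     */
    if (!TEST_true(SSL_set_max_pipelines(peera, numpipes))
        || !TEST_true(SSL_set_split_send_fragment(peera, fragsize)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /* Write some data from peera to peerb */
    if (!TEST_true(SSL_write_ex(peera, msg, msglen, &written))
        || !TEST_size_t_eq(written, msglen))
        goto end;

    /*
     * If the pipelining code worked, then we expect all |numpipes| pipelines to
     * have been used - except in test 3 where only |numpipes - 1| pipelines
     * will be used. This will result in |numpipes| records (|numpipes - 1| for
     * test 3) having been sent to peerb. Since peerb is not using read_ahead we
     * expect this to be read in |numpipes| or |numpipes - 1| separate
     * SSL_read_ex calls. In the case of test 4, there is then one additional
     * read for left over data that couldn't fit in the previous pipelines
     */
    for (offset = 0, numreads = 0;
        offset < msglen;
        offset += readbytes, numreads++) {
        /* Each read is bounded by the space left in |buf| */
        if (!TEST_true(SSL_read_ex(peerb, buf + offset,
                msglen - offset, &readbytes)))
            goto end;
    }

    expectedreads = idx == 4 ? numpipes + 1
                             : (idx == 3 ? numpipes - 1 : numpipes);
    /* Both counters are size_t, so they are compared without narrowing */
    if (!TEST_mem_eq(msg, msglen, buf, offset)
        || !TEST_size_t_eq(numreads, expectedreads))
        goto end;

    /*
     * Write some data from peerb to peera. We do this in up to |numpipes + 1|
     * chunks to exercise the read pipelining code on peera.
     */
    for (offset = 0; offset < msglen; offset += fragsize) {
        size_t sendlen = msglen - offset;

        if (sendlen > fragsize)
            sendlen = fragsize;
        if (!TEST_true(SSL_write_ex(peerb, msg + offset, sendlen, &written))
            || !TEST_size_t_eq(written, sendlen))
            goto end;
    }

    /*
     * The data was written in |numpipes|, |numpipes - 1| or |numpipes + 1|
     * separate chunks (depending on which test we are running). If the
     * pipelining is working then we expect peera to read up to numpipes chunks
     * and process them in parallel, giving back the complete result in a single
     * call to SSL_read_ex
     */
    if (!TEST_true(SSL_read_ex(peera, buf, msglen, &readbytes))
        || !TEST_size_t_le(readbytes, msglen))
        goto end;

    if (idx == 4) {
        size_t readbytes2;

        /* One chunk more than there are pipelines: needs a second read */
        if (!TEST_true(SSL_read_ex(peera, buf + readbytes,
                msglen - readbytes, &readbytes2)))
            goto end;
        readbytes += readbytes2;
        if (!TEST_size_t_le(readbytes, msglen))
            goto end;
    }

    if (!TEST_mem_eq(msg, msglen, buf, readbytes))
        goto end;

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    if (e != NULL) {
        ENGINE_unregister_ciphers(e);
        ENGINE_finish(e);
        ENGINE_free(e);
    }
    OPENSSL_free(buf);
    /* NULL unless test 5 allocated it; the fixed message is never freed */
    OPENSSL_free(randmsg);
    return testresult;
}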
12166 #endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */
12167 
/*
 * Compare SSL_get_version(s) with the protocol name expected for |version|.
 * For a version that is not in the table the expected string stays NULL.
 *
 * Returns the result of TEST_str_eq(): non-zero on a match, 0 otherwise.
 */
static int check_version_string(SSL *s, int version)
{
    static const struct {
        int version;
        const char *name;
    } known[] = {
        { SSL3_VERSION, "SSLv3" },
        { TLS1_VERSION, "TLSv1" },
        { TLS1_1_VERSION, "TLSv1.1" },
        { TLS1_2_VERSION, "TLSv1.2" },
        { TLS1_3_VERSION, "TLSv1.3" },
        { DTLS1_VERSION, "DTLSv1" },
        { DTLS1_2_VERSION, "DTLSv1.2" }
    };
    const char *expected = NULL;
    size_t i;

    for (i = 0; i < OSSL_NELEM(known); i++) {
        if (known[i].version == version) {
            expected = known[i].name;
            break;
        }
    }

    return TEST_str_eq(expected, SSL_get_version(s));
}
12197 
12198 /*
12199  * Test that SSL_version, SSL_get_version, SSL_is_quic, SSL_is_tls and
12200  * SSL_is_dtls return the expected results for a (D)TLS connection. Compare with
12201  * test_version() in quicapitest.c which does the same thing for QUIC
12202  * connections.
12203  */
static int test_version(int idx)
{
    const SSL_METHOD *servmeth = TLS_server_method();
    const SSL_METHOD *clientmeth = TLS_client_method();
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int version, legacy, datagram, testresult = 0;

    /*
     * Map the test index onto a protocol version. An index whose protocol
     * was compiled out has no case label and so ends up in the skip below.
     */
    switch (idx) {
#if !defined(OPENSSL_NO_SSL3)
    case 0:
        version = SSL3_VERSION;
        break;
#endif
#if !defined(OPENSSL_NO_TLS1)
    case 1:
        version = TLS1_VERSION;
        break;
#endif
#if !defined(OPENSSL_NO_TLS1_2)
    case 2:
        version = TLS1_2_VERSION;
        break;
#endif
#if !defined(OSSL_NO_USABLE_TLS1_3)
    case 3:
        version = TLS1_3_VERSION;
        break;
#endif
#if !defined(OPENSSL_NO_DTLS1)
    case 4:
        version = DTLS1_VERSION;
        break;
#endif
#if !defined(OPENSSL_NO_DTLS1_2)
    case 5:
        version = DTLS1_2_VERSION;
        break;
#endif
    /*
     * NB we do not support QUIC in this test. That is covered by quicapitest.c
     * We also don't support DTLS1_BAD_VER since we have no server support for
     * that.
     */
    default:
        TEST_skip("Unsupported protocol version");
        return 1;
    }

    legacy = version == SSL3_VERSION
        || version == TLS1_VERSION
        || version == DTLS1_VERSION;
    datagram = version == DTLS1_VERSION || version == DTLS1_2_VERSION;

    /* These three versions are skipped rather than failed under FIPS. */
    if (is_fips && legacy) {
        TEST_skip("Protocol version not supported with FIPS");
        return 1;
    }

#if !defined(OPENSSL_NO_DTLS)
    if (datagram) {
        servmeth = DTLS_server_method();
        clientmeth = DTLS_client_method();
    }
#endif

    /* version is passed as both version bounds, pinning the negotiation. */
    if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, version,
            version, &sctx, &cctx, cert, privkey)))
        goto end;

    /*
     * Security level 0 on both ends: presumably needed so that the legacy
     * versions in this matrix are not refused by the default security level.
     * This is a test-only setting.
     */
    if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
        || !TEST_true(SSL_CTX_set_cipher_list(cctx,
            "DEFAULT:@SECLEVEL=0"))
        || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
            &clientssl, NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /* Numeric and string forms of the version must agree on both ends. */
    if (!TEST_int_eq(SSL_version(serverssl), version)
        || !TEST_int_eq(SSL_version(clientssl), version)
        || !TEST_true(check_version_string(serverssl, version))
        || !TEST_true(check_version_string(clientssl, version)))
        goto end;

    /* Exactly one of the is_tls/is_dtls predicates holds; is_quic never. */
    if (!datagram) {
        if (!TEST_true(SSL_is_tls(serverssl))
            || !TEST_true(SSL_is_tls(clientssl))
            || !TEST_false(SSL_is_dtls(serverssl))
            || !TEST_false(SSL_is_dtls(clientssl))
            || !TEST_false(SSL_is_quic(serverssl))
            || !TEST_false(SSL_is_quic(clientssl)))
            goto end;
    } else {
        if (!TEST_true(SSL_is_dtls(serverssl))
            || !TEST_true(SSL_is_dtls(clientssl))
            || !TEST_false(SSL_is_tls(serverssl))
            || !TEST_false(SSL_is_tls(clientssl))
            || !TEST_false(SSL_is_quic(serverssl))
            || !TEST_false(SSL_is_quic(clientssl)))
            goto end;
    }

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}
12316 
12317 /*
12318  * Test that the SSL_rstate_string*() APIs return sane results
12319  */
static int test_rstate_string(void)
{
    const SSL_METHOD *servmeth = TLS_server_method();
    const SSL_METHOD *clientmeth = TLS_client_method();
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    unsigned char buf[2];
    size_t written, readbytes;
    int version, testresult = 0;
    /*
     * Record header bytes: content type, version major, version minor
     * (patched once the negotiated version is known), then 0 and 1.
     */
    unsigned char dummyheader[SSL3_RT_HEADER_LENGTH] = {
        SSL3_RT_APPLICATION_DATA, TLS1_2_VERSION_MAJOR, 0, 0, 1
    };

    if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, 0,
            0, &sctx, &cctx, cert, privkey))
        || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
            &clientssl, NULL, NULL)))
        goto end;

    /* Before the handshake the server is waiting for a record header. */
    if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
        || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /* After a completed handshake it is again waiting for a header. */
    if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
        || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
        goto end;

    /*
     * Fill in the version byte of the record header. A TLSv1.3 connection
     * gets the TLSv1.2 value here.
     */
    version = SSL_version(serverssl);
    dummyheader[2] = (version == TLS1_3_VERSION ? TLS1_2_VERSION : version)
        & 0xff;

    /*
     * Inject only the header. Reading the body as well would fail with a bad
     * record mac, but the test stops before that: the read below is expected
     * to fail, leaving the server waiting for the record body.
     */
    if (!TEST_true(BIO_write_ex(SSL_get_rbio(serverssl), dummyheader,
            sizeof(dummyheader), &written))
        || !TEST_size_t_eq(written, SSL3_RT_HEADER_LENGTH)
        || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)))
        goto end;

    if (!TEST_str_eq(SSL_rstate_string(serverssl), "RB")
        || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read body"))
        goto end;

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}
12386 
12387 /*
12388  * Force a write retry during handshaking. We test various combinations of
12389  * scenarios. We test a large certificate message which will fill the buffering
12390  * BIO used in the handshake. We try with client auth on and off. Finally we
12391  * also try a BIO that indicates retry via a 0 return. BIO_write() is documented
12392  * to indicate retry via -1 - but sometimes BIOs don't do that.
12393  *
12394  * Test 0: Standard certificate message
12395  * Test 1: Large certificate message
12396  * Test 2: Standard cert, verify peer
12397  * Test 3: Large cert, verify peer
12398  * Test 4: Standard cert, BIO returns 0 on retry
12399  * Test 5: Large cert, BIO returns 0 on retry
12400  * Test 6: Standard cert, verify peer, BIO returns 0 on retry
12401  * Test 7: Large cert, verify peer, BIO returns 0 on retry
12402  * Test 8-15: Repeat of above with TLSv1.2
12403  */
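static int test_handshake_retry(int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    /* bretry is owned by this function until SSL_set0_wbio() takes it over */
    BIO *tmp = NULL, *bretry = BIO_new(bio_s_always_retry());
    int maxversion = 0;

    if (!TEST_ptr(bretry))
        goto end;

    /* Bit 3 of idx selects the TLSv1.2 repeat of the test matrix */
#ifndef OPENSSL_NO_TLS1_2
    if ((idx & 8) == 8)
        maxversion = TLS1_2_VERSION;
#else
    if ((idx & 8) == 8) {
        /* bretry was already allocated above; release it before skipping */
        BIO_free(bretry);
        return TEST_skip("No TLSv1.2");
    }
#endif

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), 0, maxversion,
            &sctx, &cctx, cert, privkey)))
        goto end;

    /*
     * Add a large amount of data to fill the buffering BIO used by the SSL
     * object
     */
    if ((idx & 1) == 1 && !ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
        goto end;

    /*
     * We don't actually configure a client cert, but neither do we fail if one
     * isn't present.
     */
    if ((idx & 2) == 2)
        SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);

    /* Bit 2: make the retry BIO report retry with 0; reset to -1 at end */
    if ((idx & 4) == 4)
        set_always_retry_err_val(0);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
            &clientssl, NULL, NULL)))
        goto end;

    /*
     * tmp is borrowed from the SSL object until BIO_up_ref() succeeds. It is
     * cleared on failure so that the cleanup below does not drop a reference
     * this function never took.
     */
    tmp = SSL_get_wbio(serverssl);
    if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
        tmp = NULL;
        goto end;
    }
    /* Ownership of bretry passes to serverssl here */
    SSL_set0_wbio(serverssl, bretry);
    bretry = NULL;

    if (!TEST_int_eq(SSL_connect(clientssl), -1))
        goto end;

    /* With the always-retry write BIO the server must report WANT_WRITE */
    if (!TEST_int_eq(SSL_accept(serverssl), -1)
        || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
        goto end;

    /* Restore a BIO that will let the write succeed */
    SSL_set0_wbio(serverssl, tmp);
    tmp = NULL;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    BIO_free(bretry);
    BIO_free(tmp);
    set_always_retry_err_val(-1);
    return testresult;
}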
12482 
12483 /*
12484  * Test that receiving retries when writing application data works as expected
12485  */
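static int test_data_retry(void)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    unsigned char inbuf[1200], outbuf[1200];
    size_t i;
    BIO *tmp = NULL;
    BIO *bretry = BIO_new(bio_s_maybe_retry());
    size_t written, readbytes, totread = 0;

    if (!TEST_ptr(bretry))
        goto end;

    /* Recognisable payload: byte i holds the low 8 bits of i */
    for (i = 0; i < sizeof(inbuf); i++)
        inbuf[i] = (unsigned char)(0xff & i);
    memset(outbuf, 0, sizeof(outbuf));

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), 0, 0, &sctx, &cctx,
            cert, privkey)))
        goto end;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
            NULL)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /* Smallest possible max send fragment is 512 */
    if (!TEST_true(SSL_set_max_send_fragment(clientssl, 512)))
        goto end;

    /*
     * tmp is borrowed from the SSL object until BIO_up_ref() succeeds. Clear
     * it on failure so that the BIO_free(tmp) at the end label does not drop
     * a reference this function never took (test_handshake_retry() does the
     * same).
     */
    tmp = SSL_get_wbio(clientssl);
    if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
        tmp = NULL;
        goto end;
    }
    /* Put the retry BIO in front of the client's existing write BIO */
    BIO_push(bretry, tmp);
    tmp = NULL;
    SSL_set0_wbio(clientssl, bretry);
    /*
     * clientssl now owns bretry. Take a second reference so that it can
     * still be driven through BIO_ctrl() below and released at the end.
     */
    if (!BIO_up_ref(bretry)) {
        bretry = NULL;
        goto end;
    }

    for (i = 0; i < 3; i++) {
        /* We expect this call to make no progress and indicate retry */
        if (!TEST_false(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
            goto end;
        if (!TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_WRITE))
            goto end;

        /* Allow one write to progress, but the next one to signal retry */
        if (!TEST_true(BIO_ctrl(bretry, MAYBE_RETRY_CTRL_SET_RETRY_AFTER_CNT, 1,
                NULL)))
            goto end;

        if (i == 2)
            break;

        /*
         * This call will hopefully make progress but will still indicate retry
         * because there is more data than will fit into a single record.
         */
        if (!TEST_false(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
            goto end;
        if (!TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_WRITE))
            goto end;
    }

    /* The final call should write the last chunk of data and succeed */
    if (!TEST_true(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
        goto end;
    /* Read all the data available */
    while (SSL_read_ex(serverssl, outbuf + totread, sizeof(outbuf) - totread,
        &readbytes))
        totread += readbytes;
    /* Every byte must arrive exactly once and in order, despite the retries */
    if (!TEST_mem_eq(inbuf, sizeof(inbuf), outbuf, totread))
        goto end;

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    BIO_free_all(bretry);
    BIO_free(tmp);
    return testresult;
}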
12578 
/* State shared between test_multi_resume() and resume_servername_cb() */
struct resume_servername_cb_data {
    int i; /* current loop iteration of test_multi_resume() */
    SSL_CTX *cctx; /* client context used for the nested handshake */
    SSL_CTX *sctx; /* server context used for the nested handshake */
    SSL_SESSION *sess; /* session the nested handshake tries to resume */
    int recurse; /* non-zero while the callback runs its nested handshake */
};
12586 
/*
 * Servername callback. We use it here to run another complete handshake using
 * the same session - and mark the session as not_resumable at the end
 */
static int resume_servername_cb(SSL *s, int *ad, void *arg)
{
    struct resume_servername_cb_data *cbdata = arg;
    SSL *serverssl = NULL, *clientssl = NULL;
    int verdict;

    /*
     * The nested handshake started below invokes this callback again.
     * Failing that inner call is what makes the nested handshake fail.
     */
    if (cbdata->recurse)
        return SSL_TLSEXT_ERR_ALERT_FATAL;

    /* Only the first resumption after each full handshake is interesting */
    if ((cbdata->i % 3) != 1)
        return SSL_TLSEXT_ERR_OK;

    cbdata->recurse = 1;
    verdict = SSL_TLSEXT_ERR_ALERT_FATAL;

    if (TEST_true(create_ssl_objects(cbdata->sctx, cbdata->cctx, &serverssl,
            &clientssl, NULL, NULL))
        && TEST_true(SSL_set_session(clientssl, cbdata->sess))) {
        /* Errors raised by the expected failure are discarded afterwards */
        ERR_set_mark();
        /*
         * We expect this to fail - because the servername cb will fail. This
         * will mark the session as not_resumable.
         */
        if (TEST_false(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) {
            ERR_pop_to_mark();
            verdict = SSL_TLSEXT_ERR_OK;
        } else {
            /* Unexpected success: drop the mark and report failure */
            ERR_clear_last_mark();
        }
    }

    SSL_free(serverssl);
    SSL_free(clientssl);
    cbdata->recurse = 0;
    return verdict;
}
12628 /*
12629  * Test multiple resumptions and cache size handling
12630  * Test 0: TLSv1.3 (max_early_data set)
12631  * Test 1: TLSv1.3 (SSL_OP_NO_TICKET set)
12632  * Test 2: TLSv1.3 (max_early_data and SSL_OP_NO_TICKET set)
12633  * Test 3: TLSv1.3 (SSL_OP_NO_TICKET, simultaneous resumes)
12634  * Test 4: TLSv1.2
12635  */
static int test_multi_resume(int idx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    /* Session carried from one iteration to the next; NULL forces a full handshake */
    SSL_SESSION *sess = NULL;
    int max_version = TLS1_3_VERSION;
    int i, testresult = 0;
    /* Only initialised and only registered as callback argument when idx == 3 */
    struct resume_servername_cb_data cbdata;

#if defined(OPENSSL_NO_TLS1_2)
    if (idx == 4)
        return TEST_skip("TLSv1.2 is disabled in this build");
#else
    if (idx == 4)
        max_version = TLS1_2_VERSION;
#endif
#if defined(OSSL_NO_USABLE_TLS1_3)
    if (idx != 4)
        return TEST_skip("No usable TLSv1.3 in this build");
#endif

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_VERSION,
            max_version, &sctx, &cctx, cert,
            privkey)))
        goto end;

    /*
     * TLSv1.3 only uses a session cache if either max_early_data > 0 (used for
     * replay protection), or if SSL_OP_NO_TICKET is in use
     */
    if (idx == 0 || idx == 2) {
        if (!TEST_true(SSL_CTX_set_max_early_data(sctx, 1024)))
            goto end;
    }
    if (idx == 1 || idx == 2 || idx == 3)
        SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);

    /* Small cache limit; the final check asserts it is never exceeded */
    SSL_CTX_sess_set_cache_size(sctx, 5);

    if (idx == 3) {
        SSL_CTX_set_tlsext_servername_callback(sctx, resume_servername_cb);
        SSL_CTX_set_tlsext_servername_arg(sctx, &cbdata);
        cbdata.cctx = cctx;
        cbdata.sctx = sctx;
        cbdata.recurse = 0;
    }

    /* 30 iterations: ten rounds of one full handshake plus two resumptions */
    for (i = 0; i < 30; i++) {
        if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                NULL, NULL))
            || !TEST_true(SSL_set_session(clientssl, sess)))
            goto end;

        /*
         * Check simultaneous resumes. We pause the connection part way through
         * the handshake by (mis)using the servername_cb. The pause occurs after
         * session resumption has already occurred, but before any session
         * tickets have been issued. While paused we run another complete
         * handshake resuming the same session.
         */
        if (idx == 3) {
            cbdata.i = i;
            cbdata.sess = sess;
        }

        /*
         * Recreate a bug where dynamically changing the max_early_data value
         * can cause sessions in the session cache which cannot be deleted.
         */
        if ((idx == 0 || idx == 2) && (i % 3) == 2)
            SSL_set_max_early_data(serverssl, 0);

        if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
            goto end;

        /*
         * No resumption is expected on the first iteration of each round
         * (sess is NULL), nor for idx 0 on the iteration where the server's
         * max_early_data was just set to 0.
         */
        if (sess == NULL || (idx == 0 && (i % 3) == 2)) {
            if (!TEST_false(SSL_session_reused(clientssl)))
                goto end;
        } else {
            if (!TEST_true(SSL_session_reused(clientssl)))
                goto end;
        }
        /* Drop the reference taken by SSL_get1_session() in the previous pass */
        SSL_SESSION_free(sess);

        /* Do a full handshake, followed by two resumptions */
        if ((i % 3) == 2) {
            sess = NULL;
        } else {
            if (!TEST_ptr((sess = SSL_get1_session(clientssl))))
                goto end;
        }

        SSL_shutdown(clientssl);
        SSL_shutdown(serverssl);
        SSL_free(serverssl);
        SSL_free(clientssl);
        /* Cleared so the frees at the end label do not run a second time */
        serverssl = clientssl = NULL;
    }

    /* We should never exceed the session cache size limit */
    if (!TEST_long_le(SSL_CTX_sess_number(sctx), 5))
        goto end;

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    SSL_SESSION_free(sess);
    return testresult;
}
12749 
/*
 * Test vectors for SSL_select_next_proto(). Each protocol list is a sequence
 * of entries, every entry being a length byte followed by that many bytes.
 * A list length of -1 makes test_select_next_proto() pass a NULL list with
 * length 0.
 */
static struct next_proto_st {
    int serverlen; /* bytes of server[] in use, or -1 for a NULL list */
    unsigned char server[40];
    int clientlen; /* bytes of client[] in use, or -1 for a NULL list */
    unsigned char client[40];
    int expected_ret; /* expected return value */
    size_t selectedlen; /* expected output length; 0 means NULL output */
    unsigned char selected[40];
} next_proto_tests[] = {
    /* Identical single-entry lists */
    { 4, { 3, 'a', 'b', 'c' },
        4, { 3, 'a', 'b', 'c' },
        OPENSSL_NPN_NEGOTIATED,
        3, { 'a', 'b', 'c' } },
    /* Server offers "abc", "ab"; client offers "abc" */
    { 7, { 3, 'a', 'b', 'c', 2, 'a', 'b' },
        4, { 3, 'a', 'b', 'c' },
        OPENSSL_NPN_NEGOTIATED,
        3, { 'a', 'b', 'c' } },
    /* Server offers "ab", "abc"; client offers "abc" */
    { 7, { 2, 'a', 'b', 3, 'a', 'b', 'c' },
        4, { 3, 'a', 'b', 'c' },
        OPENSSL_NPN_NEGOTIATED,
        3, { 'a', 'b', 'c' } },
    /* Server offers "abc"; client offers "abc", "ab" */
    { 4, { 3, 'a', 'b', 'c' },
        7, { 3, 'a', 'b', 'c', 2, 'a', 'b' },
        OPENSSL_NPN_NEGOTIATED,
        3, { 'a', 'b', 'c' } },
    /* Server offers "abc"; client offers "ab", "abc" */
    { 4, { 3, 'a', 'b', 'c' },
        7, { 2, 'a', 'b', 3, 'a', 'b', 'c' },
        OPENSSL_NPN_NEGOTIATED,
        3, { 'a', 'b', 'c' } },
    /* Server offers "bc", "abc"; client offers "ab", "abc" */
    { 7, { 2, 'b', 'c', 3, 'a', 'b', 'c' },
        7, { 2, 'a', 'b', 3, 'a', 'b', 'c' },
        OPENSSL_NPN_NEGOTIATED,
        3, { 'a', 'b', 'c' } },
    /* Server offers "bc", "abc", "ab"; client offers "ab", "abc" */
    { 10, { 2, 'b', 'c', 3, 'a', 'b', 'c', 2, 'a', 'b' },
        7, { 2, 'a', 'b', 3, 'a', 'b', 'c' },
        OPENSSL_NPN_NEGOTIATED,
        3, { 'a', 'b', 'c' } },
    /* Nothing in common: the client's first entry is the expected output */
    { 4, { 3, 'b', 'c', 'd' },
        4, { 3, 'a', 'b', 'c' },
        OPENSSL_NPN_NO_OVERLAP,
        3, { 'a', 'b', 'c' } },
    /* Empty server list */
    { 0, { 0 },
        4, { 3, 'a', 'b', 'c' },
        OPENSSL_NPN_NO_OVERLAP,
        3, { 'a', 'b', 'c' } },
    /* NULL server list */
    { -1, { 0 },
        4, { 3, 'a', 'b', 'c' },
        OPENSSL_NPN_NO_OVERLAP,
        3, { 'a', 'b', 'c' } },
    /* Empty client list: no output expected */
    { 4, { 3, 'a', 'b', 'c' },
        0, { 0 },
        OPENSSL_NPN_NO_OVERLAP,
        0, { 0 } },
    /* NULL client list: no output expected */
    { 4, { 3, 'a', 'b', 'c' },
        -1, { 0 },
        OPENSSL_NPN_NO_OVERLAP,
        0, { 0 } },
    /* Server list one byte shorter than its only entry claims */
    { 3, { 3, 'a', 'b', 'c' },
        4, { 3, 'a', 'b', 'c' },
        OPENSSL_NPN_NO_OVERLAP,
        3, { 'a', 'b', 'c' } },
    /* Client list one byte shorter than its only entry claims */
    { 4, { 3, 'a', 'b', 'c' },
        3, { 3, 'a', 'b', 'c' },
        OPENSSL_NPN_NO_OVERLAP,
        0, { 0 } }
};
12789 
/*
 * Run one next_proto_tests[] vector through SSL_select_next_proto() and
 * compare both the return value and the selected protocol.
 */
static int test_select_next_proto(int idx)
{
    struct next_proto_st *np = &next_proto_tests[idx];
    unsigned char *out, *client, *server;
    unsigned char outlen;
    unsigned int clientlen, serverlen;

    /* A table length of -1 stands for "pass a NULL list of length 0" */
    client = np->clientlen == -1 ? NULL : np->client;
    clientlen = np->clientlen == -1 ? 0 : (unsigned int)np->clientlen;
    server = np->serverlen == -1 ? NULL : np->server;
    serverlen = np->serverlen == -1 ? 0 : (unsigned int)np->serverlen;

    if (!TEST_int_eq(SSL_select_next_proto(&out, &outlen, server, serverlen,
                         client, clientlen),
            np->expected_ret))
        return 0;

    /* An expected length of 0 means the output must be NULL with length 0 */
    if (np->selectedlen == 0) {
        if (!TEST_ptr_null(out) || !TEST_uchar_eq(outlen, 0))
            return 0;
        return 1;
    }

    if (!TEST_mem_eq(out, outlen, np->selected, np->selectedlen))
        return 0;

    return 1;
}
12830 
/*
 * Single-entry protocol lists: a length byte followed by the protocol name.
 * Callers use "x + 1" and "*x" to address the bare name and its length.
 */
static const unsigned char fooprot[] = { 3, 'f', 'o', 'o' };
static const unsigned char barprot[] = { 3, 'b', 'a', 'r' };
12833 
12834 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
/*
 * Server-side NPN advertisement callback. arg points at the test index, which
 * selects what is advertised.
 */
static int npn_advert_cb(SSL *ssl, const unsigned char **out,
    unsigned int *outlen, void *arg)
{
    const int mode = *(int *)arg;

    /* Index 2: no advertisement at all */
    if (mode == 2)
        return SSL_TLSEXT_ERR_NOACK;

    if (mode == 1) {
        /* Index 1: advertise an empty list */
        *out = NULL;
        *outlen = 0;
    } else {
        /* Index 0 and every other index: advertise "foo" */
        *out = fooprot;
        *outlen = sizeof(fooprot);
    }
    return SSL_TLSEXT_ERR_OK;
}
12856 
/*
 * Client-side NPN selection callback. arg points at the test index, which
 * selects the answer; the advertised list in "in" is not examined.
 */
static int npn_select_cb(SSL *s, unsigned char **out, unsigned char *outlen,
    const unsigned char *in, unsigned int inlen, void *arg)
{
    const int mode = *(int *)arg;

    if (mode == 0 || mode == 1) {
        /* Select "foo": skip the length byte, report it as the length */
        *out = (unsigned char *)(fooprot + 1);
        *outlen = *fooprot;
    } else if (mode == 3) {
        /* Select "bar" regardless of what was advertised */
        *out = (unsigned char *)(barprot + 1);
        *outlen = *barprot;
    } else if (mode == 4) {
        /* Report success with an empty selection; *out is left untouched */
        *outlen = 0;
    } else {
        /* Index 2 and anything unexpected */
        return SSL_TLSEXT_ERR_ALERT_FATAL;
    }

    return SSL_TLSEXT_ERR_OK;
}
12883 
12884 /*
12885  * Test the NPN callbacks
12886  * Test 0: advert = foo, select = foo
12887  * Test 1: advert = <empty>, select = foo
12888  * Test 2: no advert
12889  * Test 3: advert = foo, select = bar
12890  * Test 4: advert = foo, select = <empty> (should fail)
12891  */
static int test_npn(int idx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    const unsigned char *prot;
    unsigned int protlen;
    int testresult = 0;

    /* The maximum version is TLSv1.2 for this test */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), 0, TLS1_2_VERSION,
            &sctx, &cctx, cert, privkey)))
        goto end;

    /* Both callbacks receive the address of idx and branch on its value */
    SSL_CTX_set_next_protos_advertised_cb(sctx, npn_advert_cb, &idx);
    SSL_CTX_set_next_proto_select_cb(cctx, npn_select_cb, &idx);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
            NULL)))
        goto end;

    if (idx == 4) {
        /* We don't allow empty selection of NPN, so this should fail */
        if (!TEST_false(create_ssl_connection(serverssl, clientssl,
                SSL_ERROR_NONE)))
            goto end;
        testresult = 1;
        goto end;
    }

    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    /* Compare what the server recorded with what the client selected */
    SSL_get0_next_proto_negotiated(serverssl, &prot, &protlen);
    if (idx == 0 || idx == 1) {
        if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
            goto end;
    } else if (idx == 2) {
        /* Nothing was advertised, so nothing was negotiated */
        if (!TEST_uint_eq(protlen, 0))
            goto end;
    } else if (idx == 3) {
        if (!TEST_mem_eq(prot, protlen, barprot + 1, *barprot))
            goto end;
    } else {
        TEST_error("Should not get here");
        goto end;
    }

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
12953 #endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) */
12954 
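/*
 * Server-side ALPN selection callback. arg points at the test index, which
 * selects the answer; the client's list in "in" is not examined.
 */
static int alpn_select_cb2(SSL *ssl, const unsigned char **out,
    unsigned char *outlen, const unsigned char *in,
    unsigned int inlen, void *arg)
{
    int *idx = (int *)arg;

    /*
     * *out is a pointer to const, so the protocol tables are assigned
     * without a cast that would discard their const qualifier.
     */
    switch (*idx) {
    case 0:
        /* Select "foo": skip the length byte, report it as the length */
        *out = fooprot + 1;
        *outlen = *fooprot;
        return SSL_TLSEXT_ERR_OK;

    case 2:
        /* Select "bar", which the client in test_alpn() never offers */
        *out = barprot + 1;
        *outlen = *barprot;
        return SSL_TLSEXT_ERR_OK;

    case 3:
        /* Report success with an empty selection; *out is left untouched */
        *outlen = 0;
        return SSL_TLSEXT_ERR_OK;

    default:
    case 1:
        return SSL_TLSEXT_ERR_ALERT_FATAL;
    }
    /* Every path through the switch returns; nothing is reachable here. */
}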
12982 
12983 /*
12984  * Test the ALPN callbacks
12985  * Test 0: client = foo, select = foo
12986  * Test 1: client = <empty>, select = none
12987  * Test 2: client = foo, select = bar (should fail)
12988  * Test 3: client = foo, select = <empty> (should fail)
12989  */
static int test_alpn(int idx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    const unsigned char *prots = fooprot;
    unsigned int protslen = sizeof(fooprot);
    const unsigned char *prot;
    unsigned int protlen;
    int testresult = 0;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), 0, 0,
            &sctx, &cctx, cert, privkey)))
        goto end;

    /* The callback receives the address of idx and branches on its value */
    SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb2, &idx);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
            NULL)))
        goto end;

    /* Test 1 offers no protocols at all; every other test offers "foo" */
    if (idx == 1) {
        prots = NULL;
        protslen = 0;
    }

    /* SSL_set_alpn_protos returns 0 for success! */
    if (!TEST_false(SSL_set_alpn_protos(clientssl, prots, protslen)))
        goto end;

    if (idx == 2 || idx == 3) {
        /*
         * The server callback selects either a protocol the client did not
         * offer (test 2) or an empty protocol (test 3). Neither is an
         * acceptable ALPN selection, so the handshake should fail.
         */
        if (!TEST_false(create_ssl_connection(serverssl, clientssl,
                SSL_ERROR_NONE)))
            goto end;
        testresult = 1;
        goto end;
    }

    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    /* Check the selection as seen by the client */
    SSL_get0_alpn_selected(clientssl, &prot, &protlen);
    if (idx == 0) {
        if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
            goto end;
    } else if (idx == 1) {
        /* Nothing was offered, so nothing was selected */
        if (!TEST_uint_eq(protlen, 0))
            goto end;
    } else {
        TEST_error("Should not get here");
        goto end;
    }

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
13056 
13057 #if !defined(OSSL_NO_USABLE_TLS1_3)
/*
 * Per-endpoint state handed to the crypto_* callbacks below as "arg". The
 * callbacks index the arrays with renc_level/wenc_level without a range
 * check; presumably the levels are only ever set by the test itself (verify
 * against the code that assigns them).
 */
struct quic_tls_test_data {
    struct quic_tls_test_data *peer; /* other endpoint; crypto_send_cb() writes into its rcd_data */
    uint32_t renc_level; /* index into rcd_data[] used when receiving */
    uint32_t wenc_level; /* index into the peer's rcd_data[] used when sending */
    unsigned char rcd_data[4][2048]; /* received handshake bytes, one buffer per level */
    size_t rcd_data_len[4]; /* bytes currently held in each rcd_data[] buffer */
    unsigned char rsecret[3][48]; /* presumably read secrets; not used in the callbacks shown here */
    size_t rsecret_len[3];
    unsigned char wsecret[3][48]; /* presumably write secrets; not used in the callbacks shown here */
    size_t wsecret_len[3];
    unsigned char params[3];
    size_t params_len;
    int alert;
    int err; /* set to 1 by a callback that detects a failure */
    int forcefail; /* when set, crypto_release_rcd_cb() fails once and clears it */
    int sm_count;
};
13075 
/*
 * Markers compared by address in check_app_data(): an SSL object's app data
 * is expected to point at the variable matching its role.
 */
static int clientquicdata = 0xff, serverquicdata = 0xfe;
13077 
/*
 * Return 1 if the app data attached to s is the marker for its role (server
 * or client), 0 otherwise.
 */
static int check_app_data(SSL *s)
{
    int *data = (int *)SSL_get_app_data(s);
    int *comparedata = SSL_is_server(s) ? &serverquicdata : &clientquicdata;

    /* Pointer identity is what is compared, not the stored values */
    return TEST_true(comparedata == data) ? 1 : 0;
}
13091 
/*
 * Send callback: append buf to the peer's receive buffer for the current
 * write level and report how many bytes were taken in *consumed.
 */
static int crypto_send_cb(SSL *s, const unsigned char *buf, size_t buf_len,
    size_t *consumed, void *arg)
{
    struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;
    struct quic_tls_test_data *peer = data->peer;
    /*
     * NOTE(review): wenc_level is used as an index into a 4-entry array
     * without a range check; presumably it is only set by the test itself.
     */
    unsigned char *slot = peer->rcd_data[data->wenc_level];
    size_t *used = &peer->rcd_data_len[data->wenc_level];
    size_t room = sizeof(peer->rcd_data[data->wenc_level]) - *used;

    if (!check_app_data(s)) {
        data->err = 1;
        return 0;
    }

    /* Never copy more than the space left in the peer's buffer */
    if (buf_len > room)
        buf_len = room;

    if (buf_len > 0) {
        memcpy(slot + *used, buf, buf_len);
        *used += buf_len;
    }

    /* A short (or zero) count tells the caller how much was accepted */
    *consumed = buf_len;
    return 1;
}
/*
 * Receive callback: hand back everything buffered for the current read
 * level. The buffer is lent, not copied; its length is reset to 0 in
 * crypto_release_rcd_cb().
 */
static int crypto_recv_rcd_cb(SSL *s, const unsigned char **buf,
    size_t *bytes_read, void *arg)
{
    struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;

    if (check_app_data(s)) {
        *bytes_read = data->rcd_data_len[data->renc_level];
        *buf = data->rcd_data[data->renc_level];
        return 1;
    }

    data->err = 1;
    return 0;
}
13135 
/*
 * Release callback: check that the released byte count is non-zero and
 * matches what is buffered for the current read level, then mark that
 * buffer empty. Any failure sets data->err and returns 0.
 */
static int crypto_release_rcd_cb(SSL *s, size_t bytes_read, void *arg)
{
    struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;

    if (!check_app_data(s))
        goto fail;

    /* See if we need to force a failure in this callback (one shot) */
    if (data->forcefail) {
        data->forcefail = 0;
        goto fail;
    }

    if (!TEST_size_t_eq(bytes_read, data->rcd_data_len[data->renc_level])
        || !TEST_size_t_gt(bytes_read, 0))
        goto fail;

    data->rcd_data_len[data->renc_level] = 0;
    return 1;

fail:
    data->err = 1;
    return 0;
}
13161 
/* One recorded call to yield_secret_cb() */
struct secret_yield_entry {
    uint8_t recorded; /* 1 once this slot has been filled in */
    int prot_level; /* protection level the secret was yielded for */
    int direction; /* direction value passed to the callback (0 read, 1 write) */
    int sm_generation; /* copy of data->sm_count at the time of the yield */
    SSL *ssl; /* connection the secret was yielded on */
};

/*
 * Fixed-size log of yielded secrets, shared by all connections in a test.
 * secret_history_idx is the next slot to fill; any code indexing the log has
 * to stay below the array size.
 */
static struct secret_yield_entry secret_history[16];
static int secret_history_idx = 0;
/*
 * Note, this enum needs to match the direction values passed
 * to yield_secret_cb
 */
typedef enum {
    LAST_DIR_READ = 0,
    LAST_DIR_WRITE = 1,
    LAST_DIR_UNSET = 2 /* no entry seen yet for the connection being checked */
} last_dir_history_state;
13181 
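/*
 * Walk the recorded secret history and check, for the entries belonging to
 * connection |s|, the order in which read and write secrets were yielded.
 *
 * Returns 1 if the ordering is acceptable, 0 otherwise.
 */
static int check_secret_history(SSL *s)
{
    size_t i;
    last_dir_history_state last_state = LAST_DIR_UNSET;
    int last_prot_level = 0;
    int last_generation = 0;

    TEST_info("Checking history for %p\n", (void *)s);
    /*
     * Stop at the first unused slot, but never read past the end of the
     * array: a completely full history has no unused slot to terminate on.
     */
    for (i = 0;
        i < OSSL_NELEM(secret_history) && secret_history[i].recorded == 1;
        i++) {
        const struct secret_yield_entry *e = &secret_history[i];

        /* The log is shared between connections; skip the other side */
        if (e->ssl != s)
            continue;
        TEST_info("Got %s(%d) secret for level %d, last level %d, last state %d, gen %d\n",
            e->direction == 1 ? "Write" : "Read", e->direction,
            e->prot_level, last_prot_level, last_state,
            e->sm_generation);

        /* The first entry for this connection has nothing to compare with */
        if (last_state != LAST_DIR_UNSET) {
            switch (e->direction) {
            case 1:
                /*
                 * write case
                 * NOTE: There is an odd corner case here.  It may occur that
                 * in a single iteration of the state machine, the read key is
                 * yielded prior to the write key for the same level.  This is
                 * undesirable for quic, but it is ok, as the general
                 * implementation of every 3rd party quic stack while
                 * preferring write keys before read, allows for read before
                 * write if both keys are yielded in the same call to
                 * SSL_do_handshake, as the tls adaptation code for that quic
                 * stack can then cache keys until both are available, so we
                 * allow read before write here iff they occur in the same
                 * iteration of SSL_do_handshake as represented by the
                 * recorded sm_generation value.
                 */
                if (last_prot_level == e->prot_level
                    && last_state == LAST_DIR_READ) {
                    if (last_generation == e->sm_generation) {
                        TEST_info("Read before write key in same SSL state machine iteration is ok");
                    } else {
                        TEST_error("Got read key before write key");
                        return 0;
                    }
                }
                /* FALLTHROUGH */
            case 0:
                /*
                 * Read case
                 */
                break;
            default:
                TEST_error("Unknown direction");
                return 0;
            }
        }

        last_prot_level = e->prot_level;
        last_state = (last_dir_history_state)e->direction;
        last_generation = e->sm_generation;
    }

    return 1;
}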
13249 
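/*
 * QUIC TLS "yield secret" callback: store the secret for |prot_level| in the
 * per-connection test data and append an entry to secret_history.
 *
 * |direction| is 0 for a read secret and 1 for a write secret. Returns 1 on
 * success. Returns 0 and sets data->err if the app data check fails, the
 * level or direction is out of range, the secret does not fit its slot, or
 * the history log is full.
 */
static int yield_secret_cb(SSL *s, uint32_t prot_level, int direction,
    const unsigned char *secret, size_t secret_len,
    void *arg)
{
    struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;

    if (!check_app_data(s))
        goto err;

    /* prot_level - 1 is used as an array index below, so range check first */
    if (prot_level < OSSL_RECORD_PROTECTION_LEVEL_EARLY
        || prot_level > OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
        goto err;

    /* Refuse to record past the end of the fixed-size history log */
    if (!TEST_size_t_lt((size_t)secret_history_idx,
            OSSL_NELEM(secret_history)))
        goto err;

    switch (direction) {
    case 0: /* read */
        /*
         * Bound the copy by the size of the destination slot, not by the
         * size of the whole rsecret array.
         */
        if (!TEST_size_t_le(secret_len, sizeof(data->rsecret[prot_level - 1])))
            goto err;
        data->renc_level = prot_level;
        memcpy(data->rsecret[prot_level - 1], secret, secret_len);
        data->rsecret_len[prot_level - 1] = secret_len;
        break;

    case 1: /* write */
        /* Same per-slot bound as the read case */
        if (!TEST_size_t_le(secret_len, sizeof(data->wsecret[prot_level - 1])))
            goto err;
        data->wenc_level = prot_level;
        memcpy(data->wsecret[prot_level - 1], secret, secret_len);
        data->wsecret_len[prot_level - 1] = secret_len;
        break;

    default:
        goto err;
    }

    secret_history[secret_history_idx].direction = direction;
    secret_history[secret_history_idx].prot_level = (int)prot_level;
    secret_history[secret_history_idx].recorded = 1;
    secret_history[secret_history_idx].ssl = s;
    /* Lets check_secret_history() tell which handshake iteration this was */
    secret_history[secret_history_idx].sm_generation = data->sm_count;
    secret_history_idx++;
    return 1;
err:
    data->err = 1;
    return 0;
}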
13295 
/*
 * Replacement for yield_secret_cb() that always reports failure. It exists to
 * test for a double free in quic tls when yielding a secret fails.
 */
static int yield_secret_cb_fail(SSL *s, uint32_t prot_level, int direction,
    const unsigned char *secret, size_t secret_len,
    void *arg)
{
    /* Nothing is inspected or stored; silence unused-parameter warnings */
    (void)arg;
    (void)secret_len;
    (void)secret;
    (void)direction;
    (void)prot_level;
    (void)s;

    return 0;
}
13311 
/*
 * QUIC TLS "got transport params" callback: keep a copy of the peer's
 * transport parameters so the test can compare them afterwards.
 *
 * Returns 1 on success, 0 (and sets data->err) if the app data check fails or
 * the parameters do not fit in data->params.
 */
static int got_transport_params_cb(SSL *s, const unsigned char *params,
    size_t params_len,
    void *arg)
{
    struct quic_tls_test_data *data = arg;

    /* The length test guards the memcpy below */
    if (!check_app_data(s)
        || !TEST_size_t_le(params_len, sizeof(data->params))) {
        data->err = 1;
        return 0;
    }

    data->params_len = params_len;
    memcpy(data->params, params, params_len);
    return 1;
}
13333 
/*
 * QUIC TLS alert callback: note that an alert was raised. The alert code
 * itself is not recorded.
 *
 * Returns 1 on success, 0 (and sets data->err) if the app data check fails.
 */
static int alert_cb(SSL *s, unsigned char alert_code, void *arg)
{
    struct quic_tls_test_data *data = arg;
    int ok = check_app_data(s) != 0;

    if (ok)
        data->alert = 1;
    else
        data->err = 1;

    return ok;
}
13346 
/* Extension id reserved for private use by IANA */
#define TEST_TLS_EXTENSION_ID 65282

/* Call counters incremented by add_old_ext() and parse_old_ext() */
static int add_ext_cb_called = 0;
static int parse_ext_cb_called = 0;
13352 
/*
 * Old style custom extension "add" callback: emit a single 0xff byte and
 * count the call. Always returns 1.
 */
static int add_old_ext(SSL *s, unsigned int ext_type,
    const unsigned char **out, size_t *outlen,
    int *al, void *add_arg)
{
    /* Static storage, so the pointer handed out stays valid after return */
    static const unsigned char payload = 0xff;

    *outlen = sizeof(payload);
    *out = &payload;
    add_ext_cb_called += 1;

    return 1;
}
13364 
/*
 * Old style custom extension "free" callback. add_old_ext() hands out a
 * pointer to static storage, so there is nothing to release.
 */
static void free_old_ext(SSL *s, unsigned int ext_type,
    const unsigned char *out, void *add_arg)
{
    (void)s;
    (void)ext_type;
    (void)out;
    (void)add_arg;
}
13370 
/*
 * Old style custom extension "parse" callback: count the call and accept only
 * the exact one-byte 0xff payload that add_old_ext() produces.
 *
 * Returns 1 on a match; otherwise sets |*al| to SSL_AD_DECODE_ERROR and
 * returns 0.
 */
static int parse_old_ext(SSL *s, unsigned int ext_type,
    const unsigned char *in, size_t inlen,
    int *al, void *parse_arg)
{
    parse_ext_cb_called++;

    /* Length is tested first so in[0] is only read when a byte is present */
    if (inlen == 1 && in[0] == 0xff)
        return 1;

    *al = SSL_AD_DECODE_ERROR;
    return 0;
}
13382 
/*
 * Test the QUIC TLS API
 * Test 0: Normal run
 * Test 1: Force a failure (sdata.forcefail, consumed in crypto_release_rcd_cb)
 * Test 2: Use a CCM based ciphersuite
 * Test 3: No idx specific setup in this function, so it is a normal run
 * Test 4: fail yield_secret_cb to see double free
 * Test 5: Normal run with SNI
 *
 * Returns 1 if the test passed, 0 otherwise.
 */
static int test_quic_tls(int idx)
{
    SSL_CTX *sctx = NULL, *sctx2 = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    int testresult = 0;
    /* Callback table shared by client and server; not const, see idx == 4 */
    OSSL_DISPATCH qtdis[] = {
        { OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_SEND, (void (*)(void))crypto_send_cb },
        { OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RECV_RCD,
            (void (*)(void))crypto_recv_rcd_cb },
        { OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RELEASE_RCD,
            (void (*)(void))crypto_release_rcd_cb },
        { OSSL_FUNC_SSL_QUIC_TLS_YIELD_SECRET,
            (void (*)(void))yield_secret_cb },
        { OSSL_FUNC_SSL_QUIC_TLS_GOT_TRANSPORT_PARAMS,
            (void (*)(void))got_transport_params_cb },
        { OSSL_FUNC_SSL_QUIC_TLS_ALERT, (void (*)(void))alert_cb },
        { 0, NULL }
    };
    struct quic_tls_test_data sdata, cdata;
    /* Dummy transport parameters; they differ so a mix-up is detectable */
    const unsigned char cparams[] = {
        0xff, 0x01, 0x00
    };
    const unsigned char sparams[] = {
        0xfe, 0x01, 0x00
    };
    int i;

    /* Index 3 is the OSSL_FUNC_SSL_QUIC_TLS_YIELD_SECRET entry above */
    if (idx == 4)
        qtdis[3].function = (void (*)(void))yield_secret_cb_fail;

    /* Reset the file-scope state the callbacks write to */
    snicb = 0;
    memset(secret_history, 0, sizeof(secret_history));
    secret_history_idx = 0;
    memset(&sdata, 0, sizeof(sdata));
    memset(&cdata, 0, sizeof(cdata));
    /* Each side's crypto_send_cb writes into the other side's buffers */
    sdata.peer = &cdata;
    cdata.peer = &sdata;
    if (idx == 1)
        sdata.forcefail = 1;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_3_VERSION, 0,
            &sctx, &cctx, cert, privkey)))
        goto end;

    if (idx == 5) {
        /* Only its address is used, as the add/parse callback argument */
        static int dummy = 1;

        if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
                TLS1_3_VERSION, 0,
                &sctx2, NULL, cert, privkey)))
            goto end;

        /*
         * We add an old style custom extension to ensure that it gets correctly
         * handled when we copy QUIC's connection specific custom extensions.
         */
        add_ext_cb_called = 0;
        parse_ext_cb_called = 0;
        if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx,
                TEST_TLS_EXTENSION_ID,
                add_old_ext, free_old_ext, &dummy, parse_old_ext, &dummy)))
            goto end;
        if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx,
                TEST_TLS_EXTENSION_ID,
                add_old_ext, free_old_ext, &dummy, parse_old_ext, &dummy)))
            goto end;
        if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx2,
                TEST_TLS_EXTENSION_ID,
                add_old_ext, free_old_ext, &dummy, parse_old_ext, &dummy)))
            goto end;

        /* Set up SNI */
        if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
            || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
            goto end;
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
            NULL)))
        goto end;

    /* Reset the BIOs we set in create_ssl_objects. We should not need them */
    SSL_set_bio(serverssl, NULL, NULL);
    SSL_set_bio(clientssl, NULL, NULL);

    if (idx == 2) {
        if (!TEST_true(SSL_set_ciphersuites(serverssl, "TLS_AES_128_CCM_SHA256"))
            || !TEST_true(SSL_set_ciphersuites(clientssl, "TLS_AES_128_CCM_SHA256")))
            goto end;
    }

    /* Every callback validates this app data via check_app_data() */
    if (!TEST_true(SSL_set_app_data(clientssl, &clientquicdata))
        || !TEST_true(SSL_set_app_data(serverssl, &serverquicdata)))
        goto end;

    if (!TEST_true(SSL_set_quic_tls_cbs(clientssl, qtdis, &cdata))
        || !TEST_true(SSL_set_quic_tls_cbs(serverssl, qtdis, &sdata))
        || !TEST_true(SSL_set_quic_tls_transport_params(clientssl, cparams,
            sizeof(cparams)))
        || !TEST_true(SSL_set_quic_tls_transport_params(serverssl, sparams,
            sizeof(sparams))))
        goto end;

    if (idx != 1 && idx != 4) {
        if (!TEST_true(create_ssl_connection_ex(serverssl, clientssl, SSL_ERROR_NONE,
                &cdata.sm_count, &sdata.sm_count)))
            goto end;
    } else {
        /* We expect this connection to fail */
        if (!TEST_false(create_ssl_connection_ex(serverssl, clientssl, SSL_ERROR_NONE,
                &cdata.sm_count, &sdata.sm_count)))
            goto end;
        testresult = 1;
        /*
         * The forced failure in test 1 sets sdata.err; clear it so that the
         * check after cleanup only trips on errors raised while freeing.
         */
        sdata.err = 0;
        goto end;
    }

    /* We should have had the SNI callback called exactly once */
    if (idx == 5) {
        if (!TEST_int_eq(snicb, 1))
            goto end;
    }

    /* Check no problems during the handshake */
    if (!TEST_false(sdata.alert)
        || !TEST_false(cdata.alert)
        || !TEST_false(sdata.err)
        || !TEST_false(cdata.err))
        goto end;

    /*
     * Check the secrets all match
     * NOTE(review): only server write vs client read is compared here; the
     * reverse direction (cdata.wsecret vs sdata.rsecret) is not checked.
     */
    for (i = OSSL_RECORD_PROTECTION_LEVEL_EARLY - 1;
        i < OSSL_RECORD_PROTECTION_LEVEL_APPLICATION;
        i++) {
        if (!TEST_mem_eq(sdata.wsecret[i], sdata.wsecret_len[i],
                cdata.rsecret[i], cdata.rsecret_len[i]))
            goto end;
    }

    /*
     * Check that our secret history yields write secrets before read secrets
     */
    if (!TEST_int_eq(check_secret_history(serverssl), 1))
        goto end;
    if (!TEST_int_eq(check_secret_history(clientssl), 1))
        goto end;

    /* Check the transport params */
    if (!TEST_mem_eq(sdata.params, sdata.params_len, cparams, sizeof(cparams))
        || !TEST_mem_eq(cdata.params, cdata.params_len, sparams,
            sizeof(sparams)))
        goto end;

    /* Check the encryption levels are what we expect them to be */
    if (!TEST_true(sdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
        || !TEST_true(sdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
        || !TEST_true(cdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
        || !TEST_true(cdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION))
        goto end;

    /*
     * We only expect the add cb to have actually been called because we are
     * using the old style callbacks that only apply to TLSv1.2. Since we are
     * using TLSv1.3 here, the add will be called for the ClientHello but
     * nothing else.
     */
    if (idx == 5) {
        if (!TEST_int_eq(add_ext_cb_called, 1)
            || !TEST_int_eq(parse_ext_cb_called, 0))
            goto end;
    }

    testresult = 1;
end:
    /* Freeing the SSL objects is part of the test (see the check below) */
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx2);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    /* Check that we didn't suddenly hit an unexpected failure during cleanup */
    if (!TEST_false(sdata.err) || !TEST_false(cdata.err))
        testresult = 0;

    return testresult;
}
13578 
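/*
 * Message callback that sets the file-scope end_of_early_data flag when a
 * handshake message of type EndOfEarlyData is seen. Only |content_type|,
 * |buf| and |msglen| are used.
 */
static void assert_no_end_of_early_data(int write_p, int version, int content_type,
    const void *buf, size_t msglen, SSL *ssl, void *arg)
{
    const unsigned char *msg = buf;

    /* Do not read the message type byte from an empty or missing buffer */
    if (content_type != SSL3_RT_HANDSHAKE || msg == NULL || msglen == 0)
        return;

    if (msg[0] == SSL3_MT_END_OF_EARLY_DATA)
        end_of_early_data = 1;
}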
13587 
/*
 * Test the QUIC TLS API with early data enabled: a first connection is made
 * to obtain a session, then a second connection resumes it through the QUIC
 * TLS callbacks and must complete without an EndOfEarlyData message.
 *
 * Returns 1 if the test passed, 0 otherwise.
 */
static int test_quic_tls_early_data(void)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    int testresult = 0;
    SSL_SESSION *sess = NULL;
    const OSSL_DISPATCH qtdis[] = {
        { OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_SEND, (void (*)(void))crypto_send_cb },
        { OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RECV_RCD,
            (void (*)(void))crypto_recv_rcd_cb },
        { OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RELEASE_RCD,
            (void (*)(void))crypto_release_rcd_cb },
        { OSSL_FUNC_SSL_QUIC_TLS_YIELD_SECRET,
            (void (*)(void))yield_secret_cb },
        { OSSL_FUNC_SSL_QUIC_TLS_GOT_TRANSPORT_PARAMS,
            (void (*)(void))got_transport_params_cb },
        { OSSL_FUNC_SSL_QUIC_TLS_ALERT, (void (*)(void))alert_cb },
        { 0, NULL }
    };
    struct quic_tls_test_data sdata, cdata;
    /* Dummy transport parameters; they differ so a mix-up is detectable */
    const unsigned char cparams[] = {
        0xff, 0x01, 0x00
    };
    const unsigned char sparams[] = {
        0xfe, 0x01, 0x00
    };
    int i;

    /* Reset the file-scope state the callbacks write to */
    memset(secret_history, 0, sizeof(secret_history));
    secret_history_idx = 0;
    memset(&sdata, 0, sizeof(sdata));
    memset(&cdata, 0, sizeof(cdata));
    /* Each side's crypto_send_cb writes into the other side's buffers */
    sdata.peer = &cdata;
    cdata.peer = &sdata;
    end_of_early_data = 0;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_3_VERSION, 0,
            &sctx, &cctx, cert, privkey)))
        goto end;

    SSL_CTX_set_max_early_data(sctx, 0xffffffff);
    SSL_CTX_set_max_early_data(cctx, 0xffffffff);

    /* First connection: no QUIC TLS callbacks are set on these objects */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
            NULL)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /* Keep our own reference to the session before the objects are freed */
    sess = SSL_get1_session(clientssl);
    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    /* Second connection: resume the session through the QUIC TLS callbacks */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
            &clientssl, NULL, NULL))
        || !TEST_true(SSL_set_session(clientssl, sess)))
        goto end;

    /* Reset the BIOs we set in create_ssl_objects. We should not need them */
    SSL_set_bio(serverssl, NULL, NULL);
    SSL_set_bio(clientssl, NULL, NULL);

    /* Every callback validates this app data via check_app_data() */
    if (!TEST_true(SSL_set_app_data(clientssl, &clientquicdata))
        || !TEST_true(SSL_set_app_data(serverssl, &serverquicdata)))
        goto end;

    if (!TEST_true(SSL_set_quic_tls_cbs(clientssl, qtdis, &cdata))
        || !TEST_true(SSL_set_quic_tls_cbs(serverssl, qtdis, &sdata))
        || !TEST_true(SSL_set_quic_tls_transport_params(clientssl, cparams,
            sizeof(cparams)))
        || !TEST_true(SSL_set_quic_tls_transport_params(serverssl, sparams,
            sizeof(sparams))))
        goto end;

    /*
     * Reset our secret history so we get the record of the second connection
     */
    memset(secret_history, 0, sizeof(secret_history));
    secret_history_idx = 0;

    SSL_set_quic_tls_early_data_enabled(serverssl, 1);
    SSL_set_quic_tls_early_data_enabled(clientssl, 1);

    SSL_set_msg_callback(serverssl, assert_no_end_of_early_data);
    SSL_set_msg_callback(clientssl, assert_no_end_of_early_data);

    /*
     * One step on each side: both calls are expected to return -1 with
     * SSL_ERROR_WANT_READ, with the server having accepted early data.
     */
    if (!TEST_int_eq(SSL_connect(clientssl), -1)
        || !TEST_int_eq(SSL_accept(serverssl), -1)
        || !TEST_int_eq(SSL_get_early_data_status(serverssl), SSL_EARLY_DATA_ACCEPTED)
        || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_READ)
        || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_READ))
        goto end;

    /* Check the encryption levels are what we expect them to be */
    if (!TEST_true(sdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_HANDSHAKE)
        || !TEST_true(sdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
        || !TEST_true(cdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
        || !TEST_true(cdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_EARLY))
        goto end;

    /* Restart the state machine counters recorded as sm_generation */
    sdata.sm_count = 0;
    cdata.sm_count = 0;
    if (!TEST_true(create_ssl_connection_ex(serverssl, clientssl, SSL_ERROR_NONE,
            &cdata.sm_count, &sdata.sm_count)))
        goto end;

    /* Check no problems during the handshake */
    if (!TEST_false(sdata.alert)
        || !TEST_false(cdata.alert)
        || !TEST_false(sdata.err)
        || !TEST_false(cdata.err))
        goto end;

    /*
     * Check the secrets all match
     * NOTE(review): only server write vs client read is compared here; the
     * reverse direction (cdata.wsecret vs sdata.rsecret) is not checked.
     */
    for (i = OSSL_RECORD_PROTECTION_LEVEL_EARLY - 1;
        i < OSSL_RECORD_PROTECTION_LEVEL_APPLICATION;
        i++) {
        if (!TEST_mem_eq(sdata.wsecret[i], sdata.wsecret_len[i],
                cdata.rsecret[i], cdata.rsecret_len[i]))
            goto end;
    }

    if (!TEST_int_eq(check_secret_history(serverssl), 1))
        goto end;
    if (!TEST_int_eq(check_secret_history(clientssl), 1))
        goto end;

    /* Check the transport params */
    if (!TEST_mem_eq(sdata.params, sdata.params_len, cparams, sizeof(cparams))
        || !TEST_mem_eq(cdata.params, cdata.params_len, sparams,
            sizeof(sparams)))
        goto end;

    /* Check the encryption levels are what we expect them to be */
    if (!TEST_true(sdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
        || !TEST_true(sdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
        || !TEST_true(cdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
        || !TEST_true(cdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION))
        goto end;

    /* Check there is no EndOfEarlyData in handshake */
    if (!TEST_int_eq(end_of_early_data, 0))
        goto end;

    testresult = 1;
end:
    SSL_SESSION_free(sess);
    /* clientpsk and serverpsk are file-scope sessions defined elsewhere */
    SSL_SESSION_free(clientpsk);
    SSL_SESSION_free(serverpsk);
    clientpsk = serverpsk = NULL;
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
13750 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) */
13751 
/*
 * Test that a server with SSL_OP_NO_RENEGOTIATION set refuses a client
 * initiated renegotiation and that the client then fails the connection with
 * SSL_R_NO_RENEGOTIATION.
 * Test 0: TLSv1.2
 * Any other idx: DTLSv1.2
 *
 * Returns 1 if the test passed, 0 otherwise (or the TEST_skip() result when
 * the protocol is disabled in this build).
 */
static int test_no_renegotiation(int idx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    int testresult = 0, ret;
    int max_proto;
    const SSL_METHOD *sm, *cm;
    unsigned char buf[5];

    if (idx == 0) {
#ifndef OPENSSL_NO_TLS1_2
        max_proto = TLS1_2_VERSION;
        sm = TLS_server_method();
        cm = TLS_client_method();
#else
        return TEST_skip("TLSv1.2 is disabled in this build");
#endif
    } else {
#ifndef OPENSSL_NO_DTLS1_2
        max_proto = DTLS1_2_VERSION;
        sm = DTLS_server_method();
        cm = DTLS_client_method();
#else
        return TEST_skip("DTLSv1.2 is disabled in this build");
#endif
    }
    /* Cap the version at (D)TLSv1.2; the minimum is left at 0 */
    if (!TEST_true(create_ssl_ctx_pair(libctx, sm, cm, 0, max_proto,
            &sctx, &cctx, cert, privkey)))
        goto end;

    /* Only the server disables renegotiation; the client will ask for it */
    SSL_CTX_set_options(sctx, SSL_OP_NO_RENEGOTIATION);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
            NULL)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /* Start a renegotiation from the client; it now waits for the server */
    if (!TEST_true(SSL_renegotiate(clientssl))
        || !TEST_int_le(ret = SSL_connect(clientssl), 0)
        || !TEST_int_eq(SSL_get_error(clientssl, ret), SSL_ERROR_WANT_READ))
        goto end;

    /*
     * We've not sent any application data, so we expect this to fail. It should
     * also read the renegotiation attempt, and send back a no_renegotiation
     * warning alert because we have renegotiation disabled.
     */
    if (!TEST_int_le(ret = SSL_read(serverssl, buf, sizeof(buf)), 0))
        goto end;
    if (!TEST_int_eq(SSL_get_error(serverssl, ret), SSL_ERROR_WANT_READ))
        goto end;

    /*
     * The client should now see the no_renegotiation warning and fail the
     * connection
     */
    if (!TEST_int_le(ret = SSL_connect(clientssl), 0)
        || !TEST_int_eq(SSL_get_error(clientssl, ret), SSL_ERROR_SSL)
        || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), SSL_R_NO_RENEGOTIATION))
        goto end;

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
13824 
13825 #if defined(DO_SSL_TRACE_TEST)
/*
 * Tests that the SSL_trace() msg_callback works as expected with PQ groups.
 *
 * The client's trace is written to a memory BIO and compared with a reference
 * file, except when the fips provider is in use, where the test only checks
 * that something was written.
 *
 * Returns 1 if the test passed, 0 otherwise (or the TEST_skip() result).
 */
static int test_ssl_trace(void)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    int testresult = 0;
    BIO *bio = NULL;
    char *reffile = NULL;
    /* Same group list on both sides so the trace is reproducible */
    char *grouplist = "MLKEM512:MLKEM768:MLKEM1024:X25519MLKEM768:SecP256r1MLKEM768"
                      ":SecP384r1MLKEM1024:secp521r1:secp384r1:secp256r1";

    if (!fips_provider_version_ge(libctx, 3, 5, 0))
        return TEST_skip("FIPS provider does not support MLKEM algorithms");

    /* Version, groups and ciphersuite are all pinned on both contexts */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            TLS1_3_VERSION, TLS1_3_VERSION,
            &sctx, &cctx, cert, privkey))
        || !TEST_ptr(bio = BIO_new(BIO_s_mem()))
        || !TEST_true(SSL_CTX_set1_groups_list(sctx, grouplist))
        || !TEST_true(SSL_CTX_set1_groups_list(cctx, grouplist))
        || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
            "TLS_AES_128_GCM_SHA256"))
        || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
            "TLS_AES_128_GCM_SHA256"))
#ifdef SSL_OP_LEGACY_EC_POINT_FORMATS
        || !TEST_true(SSL_CTX_set_options(cctx, SSL_OP_LEGACY_EC_POINT_FORMATS))
        || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_LEGACY_EC_POINT_FORMATS))
#endif
        || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto err;

    /* Only the client side is traced, into the memory BIO */
    SSL_set_msg_callback(clientssl, SSL_trace);
    SSL_set_msg_callback_arg(clientssl, bio);

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto err;

    /* Skip the comparison of the trace when the fips provider is used. */
    if (is_fips) {
        /* Check whether there was something written. */
        if (!TEST_int_gt(BIO_pending(bio), 0))
            goto err;
    } else {

        /* The reference trace differs depending on zlib support */
#ifdef OPENSSL_NO_ZLIB
        reffile = test_mk_file_path(datadir, "ssltraceref.txt");
#else
        reffile = test_mk_file_path(datadir, "ssltraceref-zlib.txt");
#endif
        /*
         * NOTE(review): reffile is not checked before use, and datadir is
         * read in setup_tests() without a TEST_ptr() check - confirm that
         * test_mk_file_path() and compare_with_reference_file() cope with
         * NULL.
         */
        if (!TEST_true(compare_with_reference_file(bio, reffile)))
            goto err;
    }

    testresult = 1;
err:
    BIO_free(bio);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    OPENSSL_free(reffile);

    return testresult;
}
13894 #endif
13895 
13896 /*
13897  * Test that SSL_CTX_set1_groups() when called with a list where the first
13898  * entry is unsupported, will send a key_share that uses the next usable entry.
13899  */
/*
 * Connect with a client group list whose leading entry is varied by |idx|
 * (idx 1 puts a GOST group first). Returns 1 on a successful handshake, 0 on
 * failure, or the TEST_skip() result when the case cannot run in this build.
 */
static int test_ssl_set_groups_unsupported_keyshare(int idx)
{
#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int ok = 0;
    int client_groups[] = {
        NID_brainpoolP256r1tls13,
        NID_sect163k1,
        NID_secp384r1,
        NID_ffdhe2048,
    };

    if (idx == 1) {
        client_groups[0] = NID_id_tc26_gost_3410_2012_512_paramSetC;
        if (sizeof(unsigned long) == 4) {
            return TEST_skip("SSL_CTX_set1_groups() is broken on 32-bit systems with TLS"
                             " group IDs > 0x20, see https://github.com/openssl/openssl/issues/29196");
        }
    }

    /* Each step depends on the previous one; stop at the first failure */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), 0, 0, &sctx, &cctx, cert, privkey))
        || !TEST_true(SSL_CTX_set1_groups(cctx, client_groups,
            OSSL_NELEM(client_groups)))
        || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    ok = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return ok;
#else /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */
    return TEST_skip("No EC and DH support.");
#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */
}
13957 
13958 /*
13959  * Test that if we attempt to send HTTP to a TLS server that we get the expected
13960  * failure reason code.
13961  */
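/*
 * Feed a plaintext HTTP request line ("GET", "POST" or "HEAD", chosen by
 * |idx|) to a TLS server through a memory BIO and check that SSL_accept()
 * fails with reason SSL_R_HTTP_REQUEST.
 *
 * Returns 1 if the test passed, 0 otherwise.
 */
static int test_http_verbs(int idx)
{
    SSL_CTX *sctx = NULL;
    SSL *serverssl = NULL;
    int testresult = 0;
    const char *verbs[] = { "GET", "POST", "HEAD" };
    const char *http_trailer = " / HTTP/1.0\r\n\r\n";
    BIO *b = BIO_new(BIO_s_mem());

    /* Report an allocation failure directly instead of via a failed write */
    if (!TEST_ptr(b))
        goto end;

    /* The cast makes a negative idx fail the range check as well */
    if (!TEST_true((unsigned int)idx < OSSL_NELEM(verbs)))
        goto end;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            NULL, 0, 0, &sctx, NULL, cert, privkey)))
        goto end;

    serverssl = SSL_new(sctx);
    if (!TEST_ptr(serverssl))
        goto end;

    if (!TEST_int_gt(BIO_write(b, verbs[idx], (int)strlen(verbs[idx])), 0))
        goto end;
    if (!TEST_int_gt(BIO_write(b, http_trailer, (int)strlen(http_trailer)), 0))
        goto end;
    /* serverssl now owns the BIO; clear b so it is not freed twice below */
    SSL_set_bio(serverssl, b, b);
    b = NULL;

    /* Start from an empty error queue so the reason code read is ours */
    ERR_clear_error();
    if (!TEST_int_le(SSL_accept(serverssl), 0))
        goto end;
    if (!TEST_int_eq(ERR_GET_REASON(ERR_get_error()), SSL_R_HTTP_REQUEST))
        goto end;

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_CTX_free(sctx);
    BIO_free(b);

    return testresult;
}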
14003 
/*
 * Usage text for this test's positional arguments.
 * NOTE(review): setup_tests() reads argument 0 into certsdir, arguments 1-5
 * into srpvfile, tmpfilename, modulename, configfile and dhfile, and an
 * optional argument 6 into datadir. The text below still begins with
 * "certfile privkeyfile" - confirm and bring it in line with what is parsed.
 */
OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
14005 
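/*
 * Set up the test run: create the library context, check which providers are
 * reachable, read the positional arguments, build the certificate and key file
 * paths, and register the tests that the build configuration enables.
 *
 * Returns 1 on success and 0 on failure.
 *
 * NOTE(review): the early "return 0" paths leave libctx and defctxnull
 * allocated; confirm that the harness tolerates this when setup fails.
 */
int setup_tests(void)
{
    char *modulename;
    char *configfile;

    libctx = OSSL_LIB_CTX_new();
    if (!TEST_ptr(libctx))
        return 0;

    /*
     * Load the "null" provider into the default library context. Presumably
     * this makes any code path that falls back to the default context fail
     * instead of silently using algorithms other than those under test.
     * NOTE(review): the returned handle is not checked here.
     */
    defctxnull = OSSL_PROVIDER_load(NULL, "null");

    /*
     * Verify that the default and fips providers in the default libctx are not
     * available
     */
    if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
        || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
        return 0;

    if (!test_skip_common_options()) {
        TEST_error("Error parsing test options\n");
        return 0;
    }

    /* Arguments 0-5 are mandatory; argument 6 (datadir) may be absent */
    if (!TEST_ptr(certsdir = test_get_argument(0))
        || !TEST_ptr(srpvfile = test_get_argument(1))
        || !TEST_ptr(tmpfilename = test_get_argument(2))
        || !TEST_ptr(modulename = test_get_argument(3))
        || !TEST_ptr(configfile = test_get_argument(4))
        || !TEST_ptr(dhfile = test_get_argument(5)))
        return 0;

    datadir = test_get_argument(6);

    if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
        return 0;

    /* Check we have the expected provider available */
    if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
        return 0;

    /* Check the default provider is not available */
    if (strcmp(modulename, "default") != 0
        && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
        return 0;

    if (strcmp(modulename, "fips") == 0) {
        OSSL_PROVIDER *prov = NULL;
        OSSL_PARAM params[2];

        is_fips = 1;

        prov = OSSL_PROVIDER_load(libctx, "fips");
        if (prov != NULL) {
            /* Query the fips provider to check if the check ems option is enabled */
            params[0] = OSSL_PARAM_construct_int(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK,
                &fips_ems_check);
            params[1] = OSSL_PARAM_construct_end();
            /*
             * NOTE(review): the result is not checked; if the query fails,
             * fips_ems_check keeps whatever value it had before the call.
             */
            OSSL_PROVIDER_get_params(prov, params);
            OSSL_PROVIDER_unload(prov);
        }
    }

    /*
     * We add, but don't load the test "tls-provider". We'll load it when we
     * need it.
     */
    if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
            tls_provider_init)))
        return 0;

    /*
     * With OPENSSL_TEST_GETCOUNTS set, run test_export_key_mat for indices
     * 0-3, print the allocation counters and return without registering any
     * tests.
     */
    if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
#ifdef OPENSSL_NO_CRYPTO_MDEBUG
        TEST_error("not supported in this build");
        return 0;
#else
        int i, mcount, rcount, fcount;

        for (i = 0; i < 4; i++)
            test_export_key_mat(i);
        CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
        test_printf_stdout("malloc %d realloc %d free %d\n",
            mcount, rcount, fcount);
        return 1;
#endif
    }

    /* Build the certificate and private key paths under certsdir */
    cert = test_mk_file_path(certsdir, "servercert.pem");
    if (cert == NULL)
        goto err;

    privkey = test_mk_file_path(certsdir, "serverkey.pem");
    if (privkey == NULL)
        goto err;

    cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
    if (cert2 == NULL)
        goto err;

    privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
    if (privkey2 == NULL)
        goto err;

    cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
    if (cert1024 == NULL)
        goto err;

    privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
    if (privkey1024 == NULL)
        goto err;

    cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
    if (cert3072 == NULL)
        goto err;

    privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
    if (privkey3072 == NULL)
        goto err;

    cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
    if (cert4096 == NULL)
        goto err;

    privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
    if (privkey4096 == NULL)
        goto err;

    cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
    if (cert8192 == NULL)
        goto err;

    privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
    if (privkey8192 == NULL)
        goto err;

    /*
     * When the FIPS provider reported the EMS check as enabled, test_no_ems is
     * the only test registered.
     */
    if (fips_ems_check) {
#ifndef OPENSSL_NO_TLS1_2
        ADD_TEST(test_no_ems);
#endif
        return 1;
    }
#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
    ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
    ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS * 2);
#endif
#ifndef OSSL_NO_USABLE_TLS1_3
    ADD_TEST(test_ktls_moving_write_buffer);
#endif
#endif
    ADD_TEST(test_large_message_tls);
    ADD_TEST(test_large_message_tls_read_ahead);
#ifndef OPENSSL_NO_DTLS
    ADD_TEST(test_large_message_dtls);
#endif
    ADD_ALL_TESTS(test_large_app_data, 28);
    ADD_TEST(test_cleanse_plaintext);
#ifndef OPENSSL_NO_OCSP
    ADD_TEST(test_tlsext_status_type);
#endif
    ADD_TEST(test_session_with_only_int_cache);
    ADD_TEST(test_session_with_only_ext_cache);
    ADD_TEST(test_session_with_both_cache);
    ADD_TEST(test_session_wo_ca_names);
#ifndef OSSL_NO_USABLE_TLS1_3
    ADD_ALL_TESTS(test_stateful_tickets, 3);
    ADD_ALL_TESTS(test_stateless_tickets, 3);
    ADD_TEST(test_psk_tickets);
    ADD_ALL_TESTS(test_extra_tickets, 6);
#endif
    ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
    ADD_TEST(test_ssl_bio_pop_next_bio);
    ADD_TEST(test_ssl_bio_pop_ssl_bio);
    ADD_TEST(test_ssl_bio_change_rbio);
    ADD_TEST(test_ssl_bio_change_wbio);
    ADD_TEST(test_ssl_set_wbio_chain_no_leak);
    /*
     * NOTE(review): this guard tests defined(OSSL_NO_USABLE_TLS1_3), whereas
     * the other guards in this function test !defined(...); confirm that the
     * polarity is intended.
     */
#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
    ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
    ADD_TEST(test_keylog);
#endif
#ifndef OSSL_NO_USABLE_TLS1_3
    ADD_TEST(test_keylog_no_master_key);
#endif
    ADD_TEST(test_client_cert_verify_cb);
    ADD_TEST(test_ssl_build_cert_chain);
    ADD_TEST(test_ssl_ctx_build_cert_chain);
#ifndef OPENSSL_NO_TLS1_2
    ADD_TEST(test_client_hello_cb);
    ADD_TEST(test_no_ems);
    ADD_TEST(test_ccs_change_cipher);
#endif
#ifndef OSSL_NO_USABLE_TLS1_3
    ADD_ALL_TESTS(test_early_data_read_write, 6);
    /*
     * We don't do replay tests for external PSK. Replay protection isn't used
     * in that scenario.
     */
    ADD_ALL_TESTS(test_early_data_replay, 2);
    ADD_ALL_TESTS(test_early_data_skip, OSSL_NELEM(ciphersuites) * 3);
    ADD_ALL_TESTS(test_early_data_skip_hrr, OSSL_NELEM(ciphersuites) * 3);
    ADD_ALL_TESTS(test_early_data_skip_hrr_fail, OSSL_NELEM(ciphersuites) * 3);
    ADD_ALL_TESTS(test_early_data_skip_abort, OSSL_NELEM(ciphersuites) * 3);
    ADD_ALL_TESTS(test_early_data_not_sent, 3);
    ADD_ALL_TESTS(test_early_data_psk, 8);
    ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 7);
    ADD_ALL_TESTS(test_early_data_not_expected, 3);
#ifndef OPENSSL_NO_TLS1_2
    ADD_ALL_TESTS(test_early_data_tls1_2, 3);
#endif
#endif
#ifndef OSSL_NO_USABLE_TLS1_3
    ADD_ALL_TESTS(test_set_ciphersuite, 10);
    ADD_TEST(test_ciphersuite_change);
    ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
#ifdef OPENSSL_NO_PSK
    ADD_ALL_TESTS(test_tls13_psk, 1);
#else
    ADD_ALL_TESTS(test_tls13_psk, 4);
#endif /* OPENSSL_NO_PSK */
    /* This guard repeats the enclosing one and is always true here */
#ifndef OSSL_NO_USABLE_TLS1_3
    ADD_ALL_TESTS(test_tls13_no_dhe_kex, 8);
#endif /* OSSL_NO_USABLE_TLS1_3 */
#ifndef OPENSSL_NO_TLS1_2
    /* Test with both TLSv1.3 and 1.2 versions */
    ADD_ALL_TESTS(test_key_exchange, 21);
#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
    ADD_ALL_TESTS(test_negotiated_group,
        4 * (OSSL_NELEM(ecdhe_kexch_groups) + OSSL_NELEM(ffdhe_kexch_groups)));
#endif
#else
    /* Test with only TLSv1.3 versions */
    ADD_ALL_TESTS(test_key_exchange, 18);
#endif
    ADD_ALL_TESTS(test_custom_exts, 6);
    ADD_TEST(test_stateless);
    ADD_TEST(test_pha_key_update);
#else
    ADD_ALL_TESTS(test_custom_exts, 3);
#endif
    ADD_ALL_TESTS(test_export_key_mat, 6);
#ifndef OSSL_NO_USABLE_TLS1_3
    ADD_ALL_TESTS(test_export_key_mat_early, 3);
    ADD_TEST(test_key_update);
    ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
    ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
    ADD_ALL_TESTS(test_key_update_local_in_write, 2);
    ADD_ALL_TESTS(test_key_update_local_in_read, 2);
#endif
    ADD_ALL_TESTS(test_ssl_clear, 8);
    ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
    ADD_ALL_TESTS(test_srp, 6);
#endif
#if !defined(OPENSSL_NO_COMP_ALG)
    /* Add compression case */
    ADD_ALL_TESTS(test_info_callback, 8);
#else
    ADD_ALL_TESTS(test_info_callback, 6);
#endif
    ADD_ALL_TESTS(test_ssl_pending, 2);
    ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
    ADD_ALL_TESTS(test_ticket_callbacks, 20);
    ADD_TEST(test_ticket_abort_session_leak);
    ADD_ALL_TESTS(test_shutdown, 7);
    ADD_TEST(test_async_shutdown);
    ADD_ALL_TESTS(test_incorrect_shutdown, 2);
    ADD_ALL_TESTS(test_cert_cb, 6);
    ADD_ALL_TESTS(test_client_cert_cb, 2);
    ADD_ALL_TESTS(test_ca_names, 3);
#ifndef OPENSSL_NO_TLS1_2
    ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
#endif
    ADD_ALL_TESTS(test_servername, 10);
    ADD_TEST(test_unknown_sigalgs_groups);
#if (!defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)) || !defined(OPENSSL_NO_ML_KEM)
    ADD_TEST(test_configuration_of_groups);
#endif
#if !defined(OPENSSL_NO_EC) \
    && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
    ADD_ALL_TESTS(test_sigalgs_available, 6);
#endif
#ifndef OPENSSL_NO_TLS1_3
    ADD_ALL_TESTS(test_pluggable_group, 2);
    ADD_ALL_TESTS(test_pluggable_signature, 6);
#endif
#ifndef OPENSSL_NO_TLS1_2
    ADD_TEST(test_ssl_dup);
    ADD_ALL_TESTS(test_session_secret_cb, 2);
#ifndef OPENSSL_NO_DH
    ADD_ALL_TESTS(test_set_tmp_dh, 11);
    ADD_ALL_TESTS(test_dh_auto, 7);
#endif
#endif
#ifndef OSSL_NO_USABLE_TLS1_3
    ADD_TEST(test_sni_tls13);
    ADD_ALL_TESTS(test_ticket_lifetime, 2);
#endif
    ADD_TEST(test_inherit_verify_param);
    ADD_TEST(test_set_alpn);
    ADD_TEST(test_set_verify_cert_store_ssl_ctx);
    ADD_TEST(test_set_verify_cert_store_ssl);
    ADD_ALL_TESTS(test_session_timeout, 1);
#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
    ADD_ALL_TESTS(test_session_cache_overflow, 4);
#endif
    ADD_TEST(test_load_dhfile);
#ifndef OSSL_NO_USABLE_TLS1_3
    ADD_TEST(test_read_ahead_key_change);
    ADD_ALL_TESTS(test_tls13_record_padding, 6);
#endif
#if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
    ADD_ALL_TESTS(test_serverinfo_custom, 4);
#endif
#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
    ADD_ALL_TESTS(test_pipelining, 7);
#endif
    ADD_ALL_TESTS(test_version, 6);
    ADD_TEST(test_rstate_string);
    ADD_ALL_TESTS(test_handshake_retry, 16);
    ADD_TEST(test_data_retry);
    ADD_ALL_TESTS(test_multi_resume, 5);
    ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests));
#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
    ADD_ALL_TESTS(test_npn, 5);
#endif
    ADD_ALL_TESTS(test_alpn, 4);
#if !defined(OSSL_NO_USABLE_TLS1_3)
    ADD_ALL_TESTS(test_quic_tls, 6);
    ADD_TEST(test_quic_tls_early_data);
#endif
    ADD_ALL_TESTS(test_no_renegotiation, 2);
#if defined(DO_SSL_TRACE_TEST)
    /* The trace test is registered only when the optional datadir was given */
    if (datadir != NULL)
        ADD_TEST(test_ssl_trace);
#endif
    ADD_ALL_TESTS(test_ssl_set_groups_unsupported_keyshare, 2);
    ADD_ALL_TESTS(test_http_verbs, 3);
    return 1;

err:
    /*
     * Release every path built above. A failure part-way through the list
     * would otherwise leave the 1024/3072/4096/8192 entries allocated, since
     * they are freed elsewhere only by cleanup_tests(). Each pointer is
     * cleared so that a later cleanup_tests() call, if the harness makes one
     * after a failed setup, cannot free it a second time.
     */
    OPENSSL_free(cert);
    cert = NULL;
    OPENSSL_free(privkey);
    privkey = NULL;
    OPENSSL_free(cert2);
    cert2 = NULL;
    OPENSSL_free(privkey2);
    privkey2 = NULL;
    OPENSSL_free(cert1024);
    cert1024 = NULL;
    OPENSSL_free(privkey1024);
    privkey1024 = NULL;
    OPENSSL_free(cert3072);
    cert3072 = NULL;
    OPENSSL_free(privkey3072);
    privkey3072 = NULL;
    OPENSSL_free(cert4096);
    cert4096 = NULL;
    OPENSSL_free(privkey4096);
    privkey4096 = NULL;
    OPENSSL_free(cert8192);
    cert8192 = NULL;
    OPENSSL_free(privkey8192);
    privkey8192 = NULL;
    return 0;
}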
14352 
/*
 * Release the state shared by the tests: the temporary DH parameters (when
 * built with TLSv1.2 and DH), the certificate and key path strings, the custom
 * test BIO methods, the null provider handle and the library context.
 */
void cleanup_tests(void)
{
    /* Path strings assigned in setup_tests(), freed in the order listed */
    void *paths[] = {
        cert, privkey,
        cert2, privkey2,
        cert1024, privkey1024,
        cert3072, privkey3072,
        cert4096, privkey4096,
        cert8192, privkey8192
    };
    size_t n;

#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
    EVP_PKEY_free(tmp_dh_params);
#endif

    for (n = 0; n < OSSL_NELEM(paths); n++)
        OPENSSL_free(paths[n]);

    /* Test-only BIO methods */
    bio_s_mempacket_test_free();
    bio_s_always_retry_free();
    bio_s_maybe_retry_free();

    /* Provider handle first, then the library context the tests ran in */
    OSSL_PROVIDER_unload(defctxnull);
    OSSL_LIB_CTX_free(libctx);
}
14376