xref: /freebsd/crypto/openssl/test/sslapitest.c (revision 4b15965daa99044daf184221b7c283bf7f2d7e66) 
1 /*
2  * Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 /*
11  * We need access to the deprecated low level HMAC APIs for legacy purposes
12  * when the deprecated calls are not hidden
13  */
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
16 #endif
17 
18 #include <stdio.h>
19 #include <string.h>
20 
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
33 #include <openssl/param_build.h>
34 #include <openssl/x509v3.h>
35 #include <openssl/dh.h>
36 #include <openssl/engine.h>
37 
38 #include "helpers/ssltestlib.h"
39 #include "testutil.h"
40 #include "testutil/output.h"
41 #include "internal/nelem.h"
42 #include "internal/tlsgroups.h"
43 #include "internal/ktls.h"
44 #include "internal/ssl_unwrap.h"
45 #include "../ssl/ssl_local.h"
46 #include "../ssl/record/methods/recmethod_local.h"
47 #include "filterprov.h"
48 
49 #undef OSSL_NO_USABLE_TLS1_3
50 #if defined(OPENSSL_NO_TLS1_3) \
51     || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
52 /*
53  * If we don't have ec or dh then there are no built-in groups that are usable
54  * with TLSv1.3
55  */
56 # define OSSL_NO_USABLE_TLS1_3
57 #endif
58 
59 /* Defined in tls-provider.c */
60 int tls_provider_init(const OSSL_CORE_HANDLE *handle,
61                       const OSSL_DISPATCH *in,
62                       const OSSL_DISPATCH **out,
63                       void **provctx);
64 
65 static OSSL_LIB_CTX *libctx = NULL;
66 static OSSL_PROVIDER *defctxnull = NULL;
67 
68 #ifndef OSSL_NO_USABLE_TLS1_3
69 
70 static SSL_SESSION *clientpsk = NULL;
71 static SSL_SESSION *serverpsk = NULL;
72 static const char *pskid = "Identity";
73 static const char *srvid;
74 
75 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
76                           size_t *idlen, SSL_SESSION **sess);
77 static int find_session_cb(SSL *ssl, const unsigned char *identity,
78                            size_t identity_len, SSL_SESSION **sess);
79 
80 static int use_session_cb_cnt = 0;
81 static int find_session_cb_cnt = 0;
82 static int end_of_early_data = 0;
83 #endif
84 
85 static char *certsdir = NULL;
86 static char *cert = NULL;
87 static char *privkey = NULL;
88 static char *cert2 = NULL;
89 static char *privkey2 = NULL;
90 static char *cert1024 = NULL;
91 static char *privkey1024 = NULL;
92 static char *cert3072 = NULL;
93 static char *privkey3072 = NULL;
94 static char *cert4096 = NULL;
95 static char *privkey4096 = NULL;
96 static char *cert8192 = NULL;
97 static char *privkey8192 = NULL;
98 static char *srpvfile = NULL;
99 static char *tmpfilename = NULL;
100 static char *dhfile = NULL;
101 
102 static int is_fips = 0;
103 static int fips_ems_check = 0;
104 
105 #define LOG_BUFFER_SIZE 2048
106 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
107 static size_t server_log_buffer_index = 0;
108 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
109 static size_t client_log_buffer_index = 0;
110 static int error_writing_log = 0;
111 
112 #ifndef OPENSSL_NO_OCSP
113 static const unsigned char orespder[] = "Dummy OCSP Response";
114 static int ocsp_server_called = 0;
115 static int ocsp_client_called = 0;
116 
117 static int cdummyarg = 1;
118 static X509 *ocspcert = NULL;
119 #endif
120 
121 #define CLIENT_VERSION_LEN      2
122 
123 /*
124  * This structure is used to validate that the correct number of log messages
125  * of various types are emitted when emitting secret logs.
126  */
127 struct sslapitest_log_counts {
128     unsigned int rsa_key_exchange_count;
129     unsigned int master_secret_count;
130     unsigned int client_early_secret_count;
131     unsigned int client_handshake_secret_count;
132     unsigned int server_handshake_secret_count;
133     unsigned int client_application_secret_count;
134     unsigned int server_application_secret_count;
135     unsigned int early_exporter_secret_count;
136     unsigned int exporter_secret_count;
137 };
138 
139 
140 static int hostname_cb(SSL *s, int *al, void *arg)
141 {
142     const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
143 
144     if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
145                              || strcmp(hostname, "altgoodhost") == 0))
146         return  SSL_TLSEXT_ERR_OK;
147 
148     return SSL_TLSEXT_ERR_NOACK;
149 }
150 
151 static void client_keylog_callback(const SSL *ssl, const char *line)
152 {
153     int line_length = strlen(line);
154 
155     /* If the log doesn't fit, error out. */
156     if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
157         TEST_info("Client log too full");
158         error_writing_log = 1;
159         return;
160     }
161 
162     strcat(client_log_buffer, line);
163     client_log_buffer_index += line_length;
164     client_log_buffer[client_log_buffer_index++] = '\n';
165 }
166 
167 static void server_keylog_callback(const SSL *ssl, const char *line)
168 {
169     int line_length = strlen(line);
170 
171     /* If the log doesn't fit, error out. */
172     if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
173         TEST_info("Server log too full");
174         error_writing_log = 1;
175         return;
176     }
177 
178     strcat(server_log_buffer, line);
179     server_log_buffer_index += line_length;
180     server_log_buffer[server_log_buffer_index++] = '\n';
181 }
182 
183 static int compare_hex_encoded_buffer(const char *hex_encoded,
184                                       size_t hex_length,
185                                       const uint8_t *raw,
186                                       size_t raw_length)
187 {
188     size_t i, j;
189     char hexed[3];
190 
191     if (!TEST_size_t_eq(raw_length * 2, hex_length))
192         return 1;
193 
194     for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
195         BIO_snprintf(hexed, sizeof(hexed), "%02x", raw[i]);
196         if (!TEST_int_eq(hexed[0], hex_encoded[j])
197                 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
198             return 1;
199     }
200 
201     return 0;
202 }
203 
204 static int test_keylog_output(char *buffer, const SSL *ssl,
205                               const SSL_SESSION *session,
206                               struct sslapitest_log_counts *expected)
207 {
208     char *token = NULL;
209     unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
210     size_t client_random_size = SSL3_RANDOM_SIZE;
211     unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
212     size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
213     unsigned int rsa_key_exchange_count = 0;
214     unsigned int master_secret_count = 0;
215     unsigned int client_early_secret_count = 0;
216     unsigned int client_handshake_secret_count = 0;
217     unsigned int server_handshake_secret_count = 0;
218     unsigned int client_application_secret_count = 0;
219     unsigned int server_application_secret_count = 0;
220     unsigned int early_exporter_secret_count = 0;
221     unsigned int exporter_secret_count = 0;
222 
223     for (token = strtok(buffer, " \n"); token != NULL;
224          token = strtok(NULL, " \n")) {
225         if (strcmp(token, "RSA") == 0) {
226             /*
227              * Premaster secret. Tokens should be: 16 ASCII bytes of
228              * hex-encoded encrypted secret, then the hex-encoded pre-master
229              * secret.
230              */
231             if (!TEST_ptr(token = strtok(NULL, " \n")))
232                 return 0;
233             if (!TEST_size_t_eq(strlen(token), 16))
234                 return 0;
235             if (!TEST_ptr(token = strtok(NULL, " \n")))
236                 return 0;
237             /*
238              * We can't sensibly check the log because the premaster secret is
239              * transient, and OpenSSL doesn't keep hold of it once the master
240              * secret is generated.
241              */
242             rsa_key_exchange_count++;
243         } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
244             /*
245              * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
246              * client random, then the hex-encoded master secret.
247              */
248             client_random_size = SSL_get_client_random(ssl,
249                                                        actual_client_random,
250                                                        SSL3_RANDOM_SIZE);
251             if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
252                 return 0;
253 
254             if (!TEST_ptr(token = strtok(NULL, " \n")))
255                 return 0;
256             if (!TEST_size_t_eq(strlen(token), 64))
257                 return 0;
258             if (!TEST_false(compare_hex_encoded_buffer(token, 64,
259                                                        actual_client_random,
260                                                        client_random_size)))
261                 return 0;
262 
263             if (!TEST_ptr(token = strtok(NULL, " \n")))
264                 return 0;
265             master_key_size = SSL_SESSION_get_master_key(session,
266                                                          actual_master_key,
267                                                          master_key_size);
268             if (!TEST_size_t_ne(master_key_size, 0))
269                 return 0;
270             if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
271                                                        actual_master_key,
272                                                        master_key_size)))
273                 return 0;
274             master_secret_count++;
275         } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
276                     || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
277                     || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
278                     || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
279                     || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
280                     || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
281                     || strcmp(token, "EXPORTER_SECRET") == 0) {
282             /*
283              * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
284              * client random, and then the hex-encoded secret. In this case,
285              * we treat all of these secrets identically and then just
286              * distinguish between them when counting what we saw.
287              */
288             if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
289                 client_early_secret_count++;
290             else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
291                 client_handshake_secret_count++;
292             else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
293                 server_handshake_secret_count++;
294             else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
295                 client_application_secret_count++;
296             else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
297                 server_application_secret_count++;
298             else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
299                 early_exporter_secret_count++;
300             else if (strcmp(token, "EXPORTER_SECRET") == 0)
301                 exporter_secret_count++;
302 
303             client_random_size = SSL_get_client_random(ssl,
304                                                        actual_client_random,
305                                                        SSL3_RANDOM_SIZE);
306             if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
307                 return 0;
308 
309             if (!TEST_ptr(token = strtok(NULL, " \n")))
310                 return 0;
311             if (!TEST_size_t_eq(strlen(token), 64))
312                 return 0;
313             if (!TEST_false(compare_hex_encoded_buffer(token, 64,
314                                                        actual_client_random,
315                                                        client_random_size)))
316                 return 0;
317 
318             if (!TEST_ptr(token = strtok(NULL, " \n")))
319                 return 0;
320         } else {
321             TEST_info("Unexpected token %s\n", token);
322             return 0;
323         }
324     }
325 
326     /* Got what we expected? */
327     if (!TEST_size_t_eq(rsa_key_exchange_count,
328                         expected->rsa_key_exchange_count)
329             || !TEST_size_t_eq(master_secret_count,
330                                expected->master_secret_count)
331             || !TEST_size_t_eq(client_early_secret_count,
332                                expected->client_early_secret_count)
333             || !TEST_size_t_eq(client_handshake_secret_count,
334                                expected->client_handshake_secret_count)
335             || !TEST_size_t_eq(server_handshake_secret_count,
336                                expected->server_handshake_secret_count)
337             || !TEST_size_t_eq(client_application_secret_count,
338                                expected->client_application_secret_count)
339             || !TEST_size_t_eq(server_application_secret_count,
340                                expected->server_application_secret_count)
341             || !TEST_size_t_eq(early_exporter_secret_count,
342                                expected->early_exporter_secret_count)
343             || !TEST_size_t_eq(exporter_secret_count,
344                                expected->exporter_secret_count))
345         return 0;
346     return 1;
347 }
348 
349 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
350 static int test_keylog(void)
351 {
352     SSL_CTX *cctx = NULL, *sctx = NULL;
353     SSL *clientssl = NULL, *serverssl = NULL;
354     int testresult = 0;
355     struct sslapitest_log_counts expected;
356 
357     /* Clean up logging space */
358     memset(&expected, 0, sizeof(expected));
359     memset(client_log_buffer, 0, sizeof(client_log_buffer));
360     memset(server_log_buffer, 0, sizeof(server_log_buffer));
361     client_log_buffer_index = 0;
362     server_log_buffer_index = 0;
363     error_writing_log = 0;
364 
365     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
366                                        TLS_client_method(),
367                                        TLS1_VERSION, 0,
368                                        &sctx, &cctx, cert, privkey)))
369         return 0;
370 
371     /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
372     SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
373     SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
374 
375     /* We also want to ensure that we use RSA-based key exchange. */
376     if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
377         goto end;
378 
379     if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
380             || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
381         goto end;
382     SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
383     if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
384                    == client_keylog_callback))
385         goto end;
386     SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
387     if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
388                    == server_keylog_callback))
389         goto end;
390 
391     /* Now do a handshake and check that the logs have been written to. */
392     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
393                                       &clientssl, NULL, NULL))
394             || !TEST_true(create_ssl_connection(serverssl, clientssl,
395                                                 SSL_ERROR_NONE))
396             || !TEST_false(error_writing_log)
397             || !TEST_int_gt(client_log_buffer_index, 0)
398             || !TEST_int_gt(server_log_buffer_index, 0))
399         goto end;
400 
401     /*
402      * Now we want to test that our output data was vaguely sensible. We
403      * do that by using strtok and confirming that we have more or less the
404      * data we expect. For both client and server, we expect to see one master
405      * secret. The client should also see an RSA key exchange.
406      */
407     expected.rsa_key_exchange_count = 1;
408     expected.master_secret_count = 1;
409     if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
410                                       SSL_get_session(clientssl), &expected)))
411         goto end;
412 
413     expected.rsa_key_exchange_count = 0;
414     if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
415                                       SSL_get_session(serverssl), &expected)))
416         goto end;
417 
418     testresult = 1;
419 
420 end:
421     SSL_free(serverssl);
422     SSL_free(clientssl);
423     SSL_CTX_free(sctx);
424     SSL_CTX_free(cctx);
425 
426     return testresult;
427 }
428 #endif
429 
430 #ifndef OSSL_NO_USABLE_TLS1_3
431 static int test_keylog_no_master_key(void)
432 {
433     SSL_CTX *cctx = NULL, *sctx = NULL;
434     SSL *clientssl = NULL, *serverssl = NULL;
435     SSL_SESSION *sess = NULL;
436     int testresult = 0;
437     struct sslapitest_log_counts expected;
438     unsigned char buf[1];
439     size_t readbytes, written;
440 
441     /* Clean up logging space */
442     memset(&expected, 0, sizeof(expected));
443     memset(client_log_buffer, 0, sizeof(client_log_buffer));
444     memset(server_log_buffer, 0, sizeof(server_log_buffer));
445     client_log_buffer_index = 0;
446     server_log_buffer_index = 0;
447     error_writing_log = 0;
448 
449     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
450                                        TLS_client_method(), TLS1_VERSION, 0,
451                                        &sctx, &cctx, cert, privkey))
452         || !TEST_true(SSL_CTX_set_max_early_data(sctx,
453                                                  SSL3_RT_MAX_PLAIN_LENGTH)))
454         return 0;
455 
456     if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
457             || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
458         goto end;
459 
460     SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
461     if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
462                    == client_keylog_callback))
463         goto end;
464 
465     SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
466     if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
467                    == server_keylog_callback))
468         goto end;
469 
470     /* Now do a handshake and check that the logs have been written to. */
471     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
472                                       &clientssl, NULL, NULL))
473             || !TEST_true(create_ssl_connection(serverssl, clientssl,
474                                                 SSL_ERROR_NONE))
475             || !TEST_false(error_writing_log))
476         goto end;
477 
478     /*
479      * Now we want to test that our output data was vaguely sensible. For this
480      * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
481      * TLSv1.3, but we do expect both client and server to emit keys.
482      */
483     expected.client_handshake_secret_count = 1;
484     expected.server_handshake_secret_count = 1;
485     expected.client_application_secret_count = 1;
486     expected.server_application_secret_count = 1;
487     expected.exporter_secret_count = 1;
488     if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
489                                       SSL_get_session(clientssl), &expected))
490             || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
491                                              SSL_get_session(serverssl),
492                                              &expected)))
493         goto end;
494 
495     /* Terminate old session and resume with early data. */
496     sess = SSL_get1_session(clientssl);
497     SSL_shutdown(clientssl);
498     SSL_shutdown(serverssl);
499     SSL_free(serverssl);
500     SSL_free(clientssl);
501     serverssl = clientssl = NULL;
502 
503     /* Reset key log */
504     memset(client_log_buffer, 0, sizeof(client_log_buffer));
505     memset(server_log_buffer, 0, sizeof(server_log_buffer));
506     client_log_buffer_index = 0;
507     server_log_buffer_index = 0;
508 
509     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
510                                       &clientssl, NULL, NULL))
511             || !TEST_true(SSL_set_session(clientssl, sess))
512             /* Here writing 0 length early data is enough. */
513             || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
514             || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
515                                                 &readbytes),
516                             SSL_READ_EARLY_DATA_ERROR)
517             || !TEST_int_eq(SSL_get_early_data_status(serverssl),
518                             SSL_EARLY_DATA_ACCEPTED)
519             || !TEST_true(create_ssl_connection(serverssl, clientssl,
520                           SSL_ERROR_NONE))
521             || !TEST_true(SSL_session_reused(clientssl)))
522         goto end;
523 
524     /* In addition to the previous entries, expect early secrets. */
525     expected.client_early_secret_count = 1;
526     expected.early_exporter_secret_count = 1;
527     if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
528                                       SSL_get_session(clientssl), &expected))
529             || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
530                                              SSL_get_session(serverssl),
531                                              &expected)))
532         goto end;
533 
534     testresult = 1;
535 
536 end:
537     SSL_SESSION_free(sess);
538     SSL_free(serverssl);
539     SSL_free(clientssl);
540     SSL_CTX_free(sctx);
541     SSL_CTX_free(cctx);
542 
543     return testresult;
544 }
545 #endif
546 
547 static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
548 {
549     int res = X509_verify_cert(ctx);
550     int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
551     SSL *ssl;
552 
553     /* this should not happen but check anyway */
554     if (idx < 0
555         || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
556         return 0;
557 
558     if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
559         X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
560         /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
561         return SSL_set_retry_verify(ssl);
562 
563     return res;
564 }
565 
566 static int test_client_cert_verify_cb(void)
567 {
568     /* server key, cert, chain, and root */
569     char *skey = test_mk_file_path(certsdir, "leaf.key");
570     char *leaf = test_mk_file_path(certsdir, "leaf.pem");
571     char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
572     char *int1 = test_mk_file_path(certsdir, "interCA.pem");
573     char *root = test_mk_file_path(certsdir, "rootCA.pem");
574     X509 *crt1 = NULL, *crt2 = NULL;
575     STACK_OF(X509) *server_chain;
576     SSL_CTX *cctx = NULL, *sctx = NULL;
577     SSL *clientssl = NULL, *serverssl = NULL;
578     int testresult = 0;
579 
580     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
581                                        TLS_client_method(), TLS1_VERSION, 0,
582                                        &sctx, &cctx, NULL, NULL)))
583         goto end;
584     if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
585             || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
586                                                         SSL_FILETYPE_PEM), 1)
587             || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
588         goto end;
589     if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
590         goto end;
591     SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
592     SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
593     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
594                                       &clientssl, NULL, NULL)))
595         goto end;
596 
597     /* attempt SSL_connect() with incomplete server chain */
598     if (!TEST_false(create_ssl_connection(serverssl, clientssl,
599                                           SSL_ERROR_WANT_RETRY_VERIFY)))
600         goto end;
601 
602     /* application provides intermediate certs needed to verify server cert */
603     if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
604         || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
605         || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
606         goto end;
607     /* add certs in reverse order to demonstrate real chain building */
608     if (!TEST_true(sk_X509_push(server_chain, crt1)))
609         goto end;
610     crt1 = NULL;
611     if (!TEST_true(sk_X509_push(server_chain, crt2)))
612         goto end;
613     crt2 = NULL;
614 
615     /* continue SSL_connect(), must now succeed with completed server chain */
616     if (!TEST_true(create_ssl_connection(serverssl, clientssl,
617                                          SSL_ERROR_NONE)))
618         goto end;
619 
620     testresult = 1;
621 
622 end:
623     X509_free(crt1);
624     X509_free(crt2);
625     if (clientssl != NULL) {
626         SSL_shutdown(clientssl);
627         SSL_free(clientssl);
628     }
629     if (serverssl != NULL) {
630         SSL_shutdown(serverssl);
631         SSL_free(serverssl);
632     }
633     SSL_CTX_free(sctx);
634     SSL_CTX_free(cctx);
635 
636     OPENSSL_free(skey);
637     OPENSSL_free(leaf);
638     OPENSSL_free(int2);
639     OPENSSL_free(int1);
640     OPENSSL_free(root);
641 
642     return testresult;
643 }
644 
645 static int test_ssl_build_cert_chain(void)
646 {
647     int ret = 0;
648     SSL_CTX *ssl_ctx = NULL;
649     SSL *ssl = NULL;
650     char *skey = test_mk_file_path(certsdir, "leaf.key");
651     char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
652 
653     if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
654         goto end;
655     if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
656         goto end;
657     /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
658     if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
659         || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
660         || !TEST_int_eq(SSL_check_private_key(ssl), 1))
661         goto end;
662     if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
663                                              | SSL_BUILD_CHAIN_FLAG_CHECK)))
664         goto end;
665     ret = 1;
666 end:
667     SSL_free(ssl);
668     SSL_CTX_free(ssl_ctx);
669     OPENSSL_free(leaf_chain);
670     OPENSSL_free(skey);
671     return ret;
672 }
673 
674 static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
675 {
676     static const char pass[] = "testpass";
677 
678     if (!TEST_int_eq(size, PEM_BUFSIZE))
679         return -1;
680 
681     memcpy(buf, pass, sizeof(pass) - 1);
682     return sizeof(pass) - 1;
683 }
684 
685 static int test_ssl_ctx_build_cert_chain(void)
686 {
687     int ret = 0;
688     SSL_CTX *ctx = NULL;
689     char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
690     char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
691 
692     if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
693         goto end;
694     SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
695     /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
696     if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
697         || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
698                                                     SSL_FILETYPE_PEM), 1)
699         || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
700         goto end;
701     if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
702                                                 | SSL_BUILD_CHAIN_FLAG_CHECK)))
703         goto end;
704     ret = 1;
705 end:
706     SSL_CTX_free(ctx);
707     OPENSSL_free(leaf_chain);
708     OPENSSL_free(skey);
709     return ret;
710 }
711 
712 #ifndef OPENSSL_NO_TLS1_2
713 static int full_client_hello_callback(SSL *s, int *al, void *arg)
714 {
715     int *ctr = arg;
716     const unsigned char *p;
717     int *exts;
718 #ifdef OPENSSL_NO_EC
719     const unsigned char expected_ciphers[] = {0x00, 0x9d};
720 #else
721     const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
722                                               0x2c};
723 #endif
724     const int expected_extensions[] = {
725                                        65281,
726 #ifndef OPENSSL_NO_EC
727                                        11, 10,
728 #endif
729                                        35, 22, 23, 13};
730     size_t len;
731 
732     /* Make sure we can defer processing and get called back. */
733     if ((*ctr)++ == 0)
734         return SSL_CLIENT_HELLO_RETRY;
735 
736     len = SSL_client_hello_get0_ciphers(s, &p);
737     if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
738             || !TEST_size_t_eq(
739                        SSL_client_hello_get0_compression_methods(s, &p), 1)
740             || !TEST_int_eq(*p, 0))
741         return SSL_CLIENT_HELLO_ERROR;
742     if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
743         return SSL_CLIENT_HELLO_ERROR;
744     if (len != OSSL_NELEM(expected_extensions) ||
745         memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
746         printf("ClientHello callback expected extensions mismatch\n");
747         OPENSSL_free(exts);
748         return SSL_CLIENT_HELLO_ERROR;
749     }
750     OPENSSL_free(exts);
751     return SSL_CLIENT_HELLO_SUCCESS;
752 }
753 
754 static int test_client_hello_cb(void)
755 {
756     SSL_CTX *cctx = NULL, *sctx = NULL;
757     SSL *clientssl = NULL, *serverssl = NULL;
758     int testctr = 0, testresult = 0;
759 
760     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
761                                        TLS_client_method(), TLS1_VERSION, 0,
762                                        &sctx, &cctx, cert, privkey)))
763         goto end;
764     SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
765 
766     /* The gimpy cipher list we configure can't do TLS 1.3. */
767     SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
768     /* Avoid problems where the default seclevel has been changed */
769     SSL_CTX_set_security_level(cctx, 2);
770     if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
771                         "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
772             || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
773                                              &clientssl, NULL, NULL))
774             || !TEST_false(create_ssl_connection(serverssl, clientssl,
775                         SSL_ERROR_WANT_CLIENT_HELLO_CB))
776                 /*
777                  * Passing a -1 literal is a hack since
778                  * the real value was lost.
779                  * */
780             || !TEST_int_eq(SSL_get_error(serverssl, -1),
781                             SSL_ERROR_WANT_CLIENT_HELLO_CB)
782             || !TEST_true(create_ssl_connection(serverssl, clientssl,
783                                                 SSL_ERROR_NONE)))
784         goto end;
785 
786     testresult = 1;
787 
788 end:
789     SSL_free(serverssl);
790     SSL_free(clientssl);
791     SSL_CTX_free(sctx);
792     SSL_CTX_free(cctx);
793 
794     return testresult;
795 }
796 
797 static int test_no_ems(void)
798 {
799     SSL_CTX *cctx = NULL, *sctx = NULL;
800     SSL *clientssl = NULL, *serverssl = NULL;
801     int testresult = 0, status;
802 
803     if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
804                              TLS1_VERSION, TLS1_2_VERSION,
805                              &sctx, &cctx, cert, privkey)) {
806         printf("Unable to create SSL_CTX pair\n");
807         goto end;
808     }
809 
810     SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
811 
812     if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
813         printf("Unable to create SSL objects\n");
814         goto end;
815     }
816 
817     status = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
818     if (fips_ems_check) {
819         if (status == 1) {
820             printf("When FIPS uses the EMS check a connection that doesn't use EMS should fail\n");
821             goto end;
822         }
823     } else {
824         if (!status) {
825             printf("Creating SSL connection failed\n");
826             goto end;
827         }
828         if (SSL_get_extms_support(serverssl)) {
829             printf("Server reports Extended Master Secret support\n");
830             goto end;
831         }
832         if (SSL_get_extms_support(clientssl)) {
833             printf("Client reports Extended Master Secret support\n");
834             goto end;
835         }
836     }
837     testresult = 1;
838 
839 end:
840     SSL_free(serverssl);
841     SSL_free(clientssl);
842     SSL_CTX_free(sctx);
843     SSL_CTX_free(cctx);
844 
845     return testresult;
846 }
847 
848 /*
849  * Very focused test to exercise a single case in the server-side state
850  * machine, when the ChangeCipherState message needs to actually change
851  * from one cipher to a different cipher (i.e., not changing from null
852  * encryption to real encryption).
853  */
854 static int test_ccs_change_cipher(void)
855 {
856     SSL_CTX *cctx = NULL, *sctx = NULL;
857     SSL *clientssl = NULL, *serverssl = NULL;
858     SSL_SESSION *sess = NULL, *sesspre, *sesspost;
859     int testresult = 0;
860     int i;
861     unsigned char buf;
862     size_t readbytes;
863 
864     /*
865      * Create a connection so we can resume and potentially (but not) use
866      * a different cipher in the second connection.
867      */
868     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
869                                        TLS_client_method(),
870                                        TLS1_VERSION, TLS1_2_VERSION,
871                                        &sctx, &cctx, cert, privkey))
872             || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
873             || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
874                           NULL, NULL))
875             || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
876             || !TEST_true(create_ssl_connection(serverssl, clientssl,
877                                                 SSL_ERROR_NONE))
878             || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
879             || !TEST_ptr(sess = SSL_get1_session(clientssl)))
880         goto end;
881 
882     shutdown_ssl_connection(serverssl, clientssl);
883     serverssl = clientssl = NULL;
884 
885     /* Resume, preferring a different cipher. Our server will force the
886      * same cipher to be used as the initial handshake. */
887     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
888                           NULL, NULL))
889             || !TEST_true(SSL_set_session(clientssl, sess))
890             || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
891             || !TEST_true(create_ssl_connection(serverssl, clientssl,
892                                                 SSL_ERROR_NONE))
893             || !TEST_true(SSL_session_reused(clientssl))
894             || !TEST_true(SSL_session_reused(serverssl))
895             || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
896             || !TEST_ptr_eq(sesspre, sesspost)
897             || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
898                             SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
899         goto end;
900     shutdown_ssl_connection(serverssl, clientssl);
901     serverssl = clientssl = NULL;
902 
903     /*
904      * Now create a fresh connection and try to renegotiate a different
905      * cipher on it.
906      */
907     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
908                                       NULL, NULL))
909             || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
910             || !TEST_true(create_ssl_connection(serverssl, clientssl,
911                                                 SSL_ERROR_NONE))
912             || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
913             || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
914             || !TEST_true(SSL_renegotiate(clientssl))
915             || !TEST_true(SSL_renegotiate_pending(clientssl)))
916         goto end;
917     /* Actually drive the renegotiation. */
918     for (i = 0; i < 3; i++) {
919         if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
920             if (!TEST_ulong_eq(readbytes, 0))
921                 goto end;
922         } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
923                                 SSL_ERROR_WANT_READ)) {
924             goto end;
925         }
926         if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
927             if (!TEST_ulong_eq(readbytes, 0))
928                 goto end;
929         } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
930                                 SSL_ERROR_WANT_READ)) {
931             goto end;
932         }
933     }
934     /* sesspre and sesspost should be different since the cipher changed. */
935     if (!TEST_false(SSL_renegotiate_pending(clientssl))
936             || !TEST_false(SSL_session_reused(clientssl))
937             || !TEST_false(SSL_session_reused(serverssl))
938             || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
939             || !TEST_ptr_ne(sesspre, sesspost)
940             || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
941                             SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
942         goto end;
943 
944     shutdown_ssl_connection(serverssl, clientssl);
945     serverssl = clientssl = NULL;
946 
947     testresult = 1;
948 
949 end:
950     SSL_free(serverssl);
951     SSL_free(clientssl);
952     SSL_CTX_free(sctx);
953     SSL_CTX_free(cctx);
954     SSL_SESSION_free(sess);
955 
956     return testresult;
957 }
958 #endif
959 
960 static int execute_test_large_message(const SSL_METHOD *smeth,
961                                       const SSL_METHOD *cmeth,
962                                       int min_version, int max_version,
963                                       int read_ahead)
964 {
965     SSL_CTX *cctx = NULL, *sctx = NULL;
966     SSL *clientssl = NULL, *serverssl = NULL;
967     int testresult = 0;
968 
969     if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
970                                        max_version, &sctx, &cctx, cert,
971                                        privkey)))
972         goto end;
973 
974 #ifdef OPENSSL_NO_DTLS1_2
975     if (smeth == DTLS_server_method()) {
976         /*
977          * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
978          * level 0
979          */
980         if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
981                 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
982                                                     "DEFAULT:@SECLEVEL=0")))
983             goto end;
984     }
985 #endif
986 
987     if (read_ahead) {
988         /*
989          * Test that read_ahead works correctly when dealing with large
990          * records
991          */
992         SSL_CTX_set_read_ahead(cctx, 1);
993     }
994 
995     if (!ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
996         goto end;
997 
998     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
999                                       NULL, NULL))
1000             || !TEST_true(create_ssl_connection(serverssl, clientssl,
1001                                                 SSL_ERROR_NONE)))
1002         goto end;
1003 
1004     /*
1005      * Calling SSL_clear() first is not required but this tests that SSL_clear()
1006      * doesn't leak.
1007      */
1008     if (!TEST_true(SSL_clear(serverssl)))
1009         goto end;
1010 
1011     testresult = 1;
1012  end:
1013     SSL_free(serverssl);
1014     SSL_free(clientssl);
1015     SSL_CTX_free(sctx);
1016     SSL_CTX_free(cctx);
1017 
1018     return testresult;
1019 }
1020 
1021 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
1022     !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1023 /* sock must be connected */
1024 static int ktls_chk_platform(int sock)
1025 {
1026     if (!ktls_enable(sock))
1027         return 0;
1028     return 1;
1029 }
1030 
1031 static int ping_pong_query(SSL *clientssl, SSL *serverssl)
1032 {
1033     static char count = 1;
1034     unsigned char cbuf[16000] = {0};
1035     unsigned char sbuf[16000];
1036     size_t err = 0;
1037     char crec_wseq_before[SEQ_NUM_SIZE];
1038     char crec_wseq_after[SEQ_NUM_SIZE];
1039     char crec_rseq_before[SEQ_NUM_SIZE];
1040     char crec_rseq_after[SEQ_NUM_SIZE];
1041     char srec_wseq_before[SEQ_NUM_SIZE];
1042     char srec_wseq_after[SEQ_NUM_SIZE];
1043     char srec_rseq_before[SEQ_NUM_SIZE];
1044     char srec_rseq_after[SEQ_NUM_SIZE];
1045     SSL_CONNECTION *clientsc, *serversc;
1046 
1047     if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1048         || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1049         goto end;
1050 
1051     cbuf[0] = count++;
1052     memcpy(crec_wseq_before, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1053     memcpy(srec_wseq_before, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1054     memcpy(crec_rseq_before, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1055     memcpy(srec_rseq_before, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1056 
1057     if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1058         goto end;
1059 
1060     while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1061         if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1062             goto end;
1063         }
1064     }
1065 
1066     if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1067         goto end;
1068 
1069     while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1070         if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1071             goto end;
1072         }
1073     }
1074 
1075     memcpy(crec_wseq_after, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1076     memcpy(srec_wseq_after, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1077     memcpy(crec_rseq_after, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1078     memcpy(srec_rseq_after, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
1079 
1080     /* verify the payload */
1081     if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1082         goto end;
1083 
1084     /*
1085      * If ktls is used then kernel sequences are used instead of
1086      * OpenSSL sequences
1087      */
1088     if (!BIO_get_ktls_send(clientsc->wbio)) {
1089         if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1090                          crec_wseq_after, SEQ_NUM_SIZE))
1091             goto end;
1092     } else {
1093         if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1094                          crec_wseq_after, SEQ_NUM_SIZE))
1095             goto end;
1096     }
1097 
1098     if (!BIO_get_ktls_send(serversc->wbio)) {
1099         if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1100                          srec_wseq_after, SEQ_NUM_SIZE))
1101             goto end;
1102     } else {
1103         if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1104                          srec_wseq_after, SEQ_NUM_SIZE))
1105             goto end;
1106     }
1107 
1108     if (!BIO_get_ktls_recv(clientsc->wbio)) {
1109         if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1110                          crec_rseq_after, SEQ_NUM_SIZE))
1111             goto end;
1112     } else {
1113         if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1114                          crec_rseq_after, SEQ_NUM_SIZE))
1115             goto end;
1116     }
1117 
1118     if (!BIO_get_ktls_recv(serversc->wbio)) {
1119         if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1120                          srec_rseq_after, SEQ_NUM_SIZE))
1121             goto end;
1122     } else {
1123         if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1124                          srec_rseq_after, SEQ_NUM_SIZE))
1125             goto end;
1126     }
1127 
1128     return 1;
1129 end:
1130     return 0;
1131 }
1132 
1133 static int execute_test_ktls(int cis_ktls, int sis_ktls,
1134                              int tls_version, const char *cipher)
1135 {
1136     SSL_CTX *cctx = NULL, *sctx = NULL;
1137     SSL *clientssl = NULL, *serverssl = NULL;
1138     int ktls_used = 0, testresult = 0;
1139     int cfd = -1, sfd = -1;
1140     int rx_supported;
1141     SSL_CONNECTION *clientsc, *serversc;
1142     unsigned char *buf = NULL;
1143     const size_t bufsz = SSL3_RT_MAX_PLAIN_LENGTH + 16;
1144     int ret;
1145     size_t offset = 0, i;
1146 
1147     if (!TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
1148         goto end;
1149 
1150     /* Skip this test if the platform does not support ktls */
1151     if (!ktls_chk_platform(cfd)) {
1152         testresult = TEST_skip("Kernel does not support KTLS");
1153         goto end;
1154     }
1155 
1156     if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1157         testresult = TEST_skip("CHACHA is not supported in FIPS");
1158         goto end;
1159     }
1160 
1161     /* Create a session based on SHA-256 */
1162     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1163                                        TLS_client_method(),
1164                                        tls_version, tls_version,
1165                                        &sctx, &cctx, cert, privkey)))
1166         goto end;
1167 
1168     if (tls_version == TLS1_3_VERSION) {
1169         if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1170             || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1171             goto end;
1172     } else {
1173         if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1174             || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1175             goto end;
1176     }
1177 
1178     if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1179                                        &clientssl, sfd, cfd)))
1180         goto end;
1181 
1182     if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1183         || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1184         goto end;
1185 
1186     if (cis_ktls) {
1187         if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
1188             goto end;
1189     }
1190 
1191     if (sis_ktls) {
1192         if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1193             goto end;
1194     }
1195 
1196     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1197         goto end;
1198 
1199     /*
1200      * The running kernel may not support a given cipher suite
1201      * or direction, so just check that KTLS isn't used when it
1202      * isn't enabled.
1203      */
1204     if (!cis_ktls) {
1205         if (!TEST_false(BIO_get_ktls_send(clientsc->wbio)))
1206             goto end;
1207     } else {
1208         if (BIO_get_ktls_send(clientsc->wbio))
1209             ktls_used = 1;
1210     }
1211 
1212     if (!sis_ktls) {
1213         if (!TEST_false(BIO_get_ktls_send(serversc->wbio)))
1214             goto end;
1215     } else {
1216         if (BIO_get_ktls_send(serversc->wbio))
1217             ktls_used = 1;
1218     }
1219 
1220 #if defined(OPENSSL_NO_KTLS_RX)
1221     rx_supported = 0;
1222 #else
1223     rx_supported = 1;
1224 #endif
1225     if (!cis_ktls || !rx_supported) {
1226         if (!TEST_false(BIO_get_ktls_recv(clientsc->rbio)))
1227             goto end;
1228     } else {
1229         if (BIO_get_ktls_send(clientsc->rbio))
1230             ktls_used = 1;
1231     }
1232 
1233     if (!sis_ktls || !rx_supported) {
1234         if (!TEST_false(BIO_get_ktls_recv(serversc->rbio)))
1235             goto end;
1236     } else {
1237         if (BIO_get_ktls_send(serversc->rbio))
1238             ktls_used = 1;
1239     }
1240 
1241     if ((cis_ktls || sis_ktls) && !ktls_used) {
1242         testresult = TEST_skip("KTLS not supported for %s cipher %s",
1243                                tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1244                                "TLS 1.2", cipher);
1245         goto end;
1246     }
1247 
1248     if (!TEST_true(ping_pong_query(clientssl, serverssl)))
1249         goto end;
1250 
1251     buf = OPENSSL_zalloc(bufsz);
1252     if (!TEST_ptr(buf))
1253         goto end;
1254 
1255     /*
1256      * Write some data that exceeds the maximum record length. KTLS may choose
1257      * to coalesce this data into a single buffer when we read it again.
1258      */
1259     while ((ret = SSL_write(clientssl, buf, bufsz)) != (int)bufsz) {
1260         if (!TEST_true(SSL_get_error(clientssl, ret) == SSL_ERROR_WANT_WRITE))
1261             goto end;
1262     }
1263 
1264     /* Now check that we can read all the data we wrote */
1265     do {
1266         ret = SSL_read(serverssl, buf + offset, bufsz - offset);
1267         if (ret <= 0) {
1268             if (!TEST_true(SSL_get_error(serverssl, ret) == SSL_ERROR_WANT_READ))
1269                 goto end;
1270         } else {
1271             offset += ret;
1272         }
1273     } while (offset < bufsz);
1274 
1275     if (!TEST_true(offset == bufsz))
1276         goto end;
1277     for (i = 0; i < bufsz; i++)
1278         if (!TEST_true(buf[i] == 0))
1279             goto end;
1280 
1281     testresult = 1;
1282 end:
1283     OPENSSL_free(buf);
1284     if (clientssl) {
1285         SSL_shutdown(clientssl);
1286         SSL_free(clientssl);
1287     }
1288     if (serverssl) {
1289         SSL_shutdown(serverssl);
1290         SSL_free(serverssl);
1291     }
1292     SSL_CTX_free(sctx);
1293     SSL_CTX_free(cctx);
1294     serverssl = clientssl = NULL;
1295     if (cfd != -1)
1296         close(cfd);
1297     if (sfd != -1)
1298         close(sfd);
1299     return testresult;
1300 }
1301 
1302 #define SENDFILE_SZ                     (16 * 4096)
1303 #define SENDFILE_CHUNK                  (4 * 4096)
1304 #define min(a,b)                        ((a) > (b) ? (b) : (a))
1305 
1306 static int execute_test_ktls_sendfile(int tls_version, const char *cipher,
1307                                       int zerocopy)
1308 {
1309     SSL_CTX *cctx = NULL, *sctx = NULL;
1310     SSL *clientssl = NULL, *serverssl = NULL;
1311     unsigned char *buf, *buf_dst;
1312     BIO *out = NULL, *in = NULL;
1313     int cfd = -1, sfd = -1, ffd, err;
1314     ssize_t chunk_size = 0;
1315     off_t chunk_off = 0;
1316     int testresult = 0;
1317     FILE *ffdp;
1318     SSL_CONNECTION *serversc;
1319 
1320     buf = OPENSSL_zalloc(SENDFILE_SZ);
1321     buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1322     if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1323         || !TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
1324         goto end;
1325 
1326     /* Skip this test if the platform does not support ktls */
1327     if (!ktls_chk_platform(sfd)) {
1328         testresult = TEST_skip("Kernel does not support KTLS");
1329         goto end;
1330     }
1331 
1332     if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1333         testresult = TEST_skip("CHACHA is not supported in FIPS");
1334         goto end;
1335     }
1336 
1337     /* Create a session based on SHA-256 */
1338     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1339                                        TLS_client_method(),
1340                                        tls_version, tls_version,
1341                                        &sctx, &cctx, cert, privkey)))
1342         goto end;
1343 
1344     if (tls_version == TLS1_3_VERSION) {
1345         if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1346             || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1347             goto end;
1348     } else {
1349         if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1350             || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1351             goto end;
1352     }
1353 
1354     if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1355                                        &clientssl, sfd, cfd)))
1356         goto end;
1357 
1358     if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1359         goto end;
1360 
1361     if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1362         goto end;
1363 
1364     if (zerocopy) {
1365         if (!TEST_true(SSL_set_options(serverssl,
1366                                        SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE)))
1367             goto end;
1368     }
1369 
1370     if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1371                                          SSL_ERROR_NONE)))
1372         goto end;
1373 
1374     if (!BIO_get_ktls_send(serversc->wbio)) {
1375         testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1376                                tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1377                                "TLS 1.2", cipher);
1378         goto end;
1379     }
1380 
1381     if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
1382         goto end;
1383 
1384     out = BIO_new_file(tmpfilename, "wb");
1385     if (!TEST_ptr(out))
1386         goto end;
1387 
1388     if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1389         goto end;
1390 
1391     BIO_free(out);
1392     out = NULL;
1393     in = BIO_new_file(tmpfilename, "rb");
1394     BIO_get_fp(in, &ffdp);
1395     ffd = fileno(ffdp);
1396 
1397     while (chunk_off < SENDFILE_SZ) {
1398         chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1399         while ((err = SSL_sendfile(serverssl,
1400                                    ffd,
1401                                    chunk_off,
1402                                    chunk_size,
1403                                    0)) != chunk_size) {
1404             if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1405                 goto end;
1406         }
1407         while ((err = SSL_read(clientssl,
1408                                buf_dst + chunk_off,
1409                                chunk_size)) != chunk_size) {
1410             if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1411                 goto end;
1412         }
1413 
1414         /* verify the payload */
1415         if (!TEST_mem_eq(buf_dst + chunk_off,
1416                          chunk_size,
1417                          buf + chunk_off,
1418                          chunk_size))
1419             goto end;
1420 
1421         chunk_off += chunk_size;
1422     }
1423 
1424     testresult = 1;
1425 end:
1426     if (clientssl) {
1427         SSL_shutdown(clientssl);
1428         SSL_free(clientssl);
1429     }
1430     if (serverssl) {
1431         SSL_shutdown(serverssl);
1432         SSL_free(serverssl);
1433     }
1434     SSL_CTX_free(sctx);
1435     SSL_CTX_free(cctx);
1436     serverssl = clientssl = NULL;
1437     BIO_free(out);
1438     BIO_free(in);
1439     if (cfd != -1)
1440         close(cfd);
1441     if (sfd != -1)
1442         close(sfd);
1443     OPENSSL_free(buf);
1444     OPENSSL_free(buf_dst);
1445     return testresult;
1446 }
1447 
1448 static struct ktls_test_cipher {
1449     int tls_version;
1450     const char *cipher;
1451 } ktls_test_ciphers[] = {
1452 # if !defined(OPENSSL_NO_TLS1_2)
1453 #  ifdef OPENSSL_KTLS_AES_GCM_128
1454     { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1455 #  endif
1456 #  ifdef OPENSSL_KTLS_AES_CCM_128
1457     { TLS1_2_VERSION, "AES128-CCM"},
1458 #  endif
1459 #  ifdef OPENSSL_KTLS_AES_GCM_256
1460     { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1461 #  endif
1462 #  ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1463 #    ifndef OPENSSL_NO_EC
1464     { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1465 #    endif
1466 #  endif
1467 # endif
1468 # if !defined(OSSL_NO_USABLE_TLS1_3)
1469 #  ifdef OPENSSL_KTLS_AES_GCM_128
1470     { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1471 #  endif
1472 #  ifdef OPENSSL_KTLS_AES_CCM_128
1473     { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1474 #  endif
1475 #  ifdef OPENSSL_KTLS_AES_GCM_256
1476     { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1477 #  endif
1478 #  ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1479     { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1480 #  endif
1481 # endif
1482 };
1483 
1484 #define NUM_KTLS_TEST_CIPHERS OSSL_NELEM(ktls_test_ciphers)
1485 
1486 static int test_ktls(int test)
1487 {
1488     struct ktls_test_cipher *cipher;
1489     int cis_ktls, sis_ktls;
1490 
1491     OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
1492     cipher = &ktls_test_ciphers[test / 4];
1493 
1494     cis_ktls = (test & 1) != 0;
1495     sis_ktls = (test & 2) != 0;
1496 
1497     return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1498                              cipher->cipher);
1499 }
1500 
1501 static int test_ktls_sendfile(int test)
1502 {
1503     struct ktls_test_cipher *cipher;
1504     int tst = test >> 1;
1505 
1506     OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
1507     cipher = &ktls_test_ciphers[tst];
1508 
1509     return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher,
1510                                       test & 1);
1511 }
1512 #endif
1513 
1514 static int test_large_message_tls(void)
1515 {
1516     return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1517                                       TLS1_VERSION, 0, 0);
1518 }
1519 
1520 static int test_large_message_tls_read_ahead(void)
1521 {
1522     return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1523                                       TLS1_VERSION, 0, 1);
1524 }
1525 
1526 #ifndef OPENSSL_NO_DTLS
1527 static int test_large_message_dtls(void)
1528 {
1529 # ifdef OPENSSL_NO_DTLS1_2
1530     /* Not supported in the FIPS provider */
1531     if (is_fips)
1532         return 1;
1533 # endif
1534     /*
1535      * read_ahead is not relevant to DTLS because DTLS always acts as if
1536      * read_ahead is set.
1537      */
1538     return execute_test_large_message(DTLS_server_method(),
1539                                       DTLS_client_method(),
1540                                       DTLS1_VERSION, 0, 0);
1541 }
1542 #endif
1543 
1544 /*
1545  * Test we can successfully send the maximum amount of application data. We
1546  * test each protocol version individually, each with and without EtM enabled.
1547  * TLSv1.3 doesn't use EtM so technically it is redundant to test both but it is
1548  * simpler this way. We also test all combinations with and without the
1549  * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option which affects the size of the
1550  * underlying buffer.
1551  */
1552 static int test_large_app_data(int tst)
1553 {
1554     SSL_CTX *cctx = NULL, *sctx = NULL;
1555     SSL *clientssl = NULL, *serverssl = NULL;
1556     int testresult = 0, prot;
1557     unsigned char *msg, *buf = NULL;
1558     size_t written, readbytes;
1559     const SSL_METHOD *smeth = TLS_server_method();
1560     const SSL_METHOD *cmeth = TLS_client_method();
1561 
1562     switch (tst >> 2) {
1563     case 0:
1564 #ifndef OSSL_NO_USABLE_TLS1_3
1565         prot = TLS1_3_VERSION;
1566         break;
1567 #else
1568         return TEST_skip("TLS 1.3 not supported");
1569 #endif
1570 
1571     case 1:
1572 #ifndef OPENSSL_NO_TLS1_2
1573         prot = TLS1_2_VERSION;
1574         break;
1575 #else
1576         return TEST_skip("TLS 1.2 not supported");
1577 #endif
1578 
1579     case 2:
1580 #ifndef OPENSSL_NO_TLS1_1
1581         prot = TLS1_1_VERSION;
1582         break;
1583 #else
1584         return TEST_skip("TLS 1.1 not supported");
1585 #endif
1586 
1587     case 3:
1588 #ifndef OPENSSL_NO_TLS1
1589         prot = TLS1_VERSION;
1590         break;
1591 #else
1592         return TEST_skip("TLS 1 not supported");
1593 #endif
1594 
1595     case 4:
1596 #ifndef OPENSSL_NO_SSL3
1597         prot = SSL3_VERSION;
1598         break;
1599 #else
1600         return TEST_skip("SSL 3 not supported");
1601 #endif
1602 
1603     case 5:
1604 #ifndef OPENSSL_NO_DTLS1_2
1605         prot = DTLS1_2_VERSION;
1606         smeth = DTLS_server_method();
1607         cmeth = DTLS_client_method();
1608         break;
1609 #else
1610         return TEST_skip("DTLS 1.2 not supported");
1611 #endif
1612 
1613     case 6:
1614 #ifndef OPENSSL_NO_DTLS1
1615         if (is_fips)
1616             return TEST_skip("DTLS 1 not supported by FIPS provider");
1617         prot = DTLS1_VERSION;
1618         smeth = DTLS_server_method();
1619         cmeth = DTLS_client_method();
1620         break;
1621 #else
1622         return TEST_skip("DTLS 1 not supported");
1623 #endif
1624 
1625     default:
1626         /* Shouldn't happen */
1627         return 0;
1628     }
1629 
1630     if (is_fips && prot < TLS1_2_VERSION)
1631         return TEST_skip("TLS versions < 1.2 not supported by FIPS provider");
1632 
1633     /* Maximal sized message of zeros */
1634     msg = OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH);
1635     if (!TEST_ptr(msg))
1636         goto end;
1637 
1638     buf = OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH + 1);
1639     if (!TEST_ptr(buf))
1640         goto end;
1641     /* Set whole buffer to all bits set */
1642     memset(buf, 0xff, SSL3_RT_MAX_PLAIN_LENGTH + 1);
1643 
1644     if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, prot, prot,
1645                                        &sctx, &cctx, cert, privkey)))
1646         goto end;
1647 
1648     if (prot < TLS1_2_VERSION || prot == DTLS1_VERSION) {
1649         /* Older protocol versions need SECLEVEL=0 due to SHA1 usage */
1650         if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0"))
1651                 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
1652                                                       "DEFAULT:@SECLEVEL=0")))
1653         goto end;
1654     }
1655 
1656     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1657                                       &clientssl, NULL, NULL)))
1658         goto end;
1659 
1660     if ((tst & 1) != 0) {
1661         /* Setting this option gives us a minimally sized underlying buffer */
1662         if (!TEST_true(SSL_set_options(serverssl,
1663                                        SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
1664                 || !TEST_true(SSL_set_options(clientssl,
1665                                               SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)))
1666             goto end;
1667     }
1668 
1669     if ((tst & 2) != 0) {
1670         /*
1671          * Setting this option means the MAC is added before encryption
1672          * giving us a larger record for the encryption process
1673          */
1674         if (!TEST_true(SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC))
1675                 || !TEST_true(SSL_set_options(clientssl,
1676                                               SSL_OP_NO_ENCRYPT_THEN_MAC)))
1677             goto end;
1678     }
1679 
1680     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1681         goto end;
1682 
1683     if (!TEST_true(SSL_write_ex(clientssl, msg, SSL3_RT_MAX_PLAIN_LENGTH,
1684                                 &written))
1685             || !TEST_size_t_eq(written, SSL3_RT_MAX_PLAIN_LENGTH))
1686         goto end;
1687 
1688     /* We provide a buffer slightly larger than what we are actually expecting */
1689     if (!TEST_true(SSL_read_ex(serverssl, buf, SSL3_RT_MAX_PLAIN_LENGTH + 1,
1690                                &readbytes)))
1691         goto end;
1692 
1693     if (!TEST_mem_eq(msg, written, buf, readbytes))
1694         goto end;
1695 
1696     testresult = 1;
1697 end:
1698     OPENSSL_free(msg);
1699     OPENSSL_free(buf);
1700     SSL_free(serverssl);
1701     SSL_free(clientssl);
1702     SSL_CTX_free(sctx);
1703     SSL_CTX_free(cctx);
1704     return testresult;
1705 }
1706 
1707 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) \
1708     || !defined(OPENSSL_NO_DTLS)
1709 static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1710                                      const SSL_METHOD *cmeth,
1711                                      int min_version, int max_version)
1712 {
1713     size_t i;
1714     SSL_CTX *cctx = NULL, *sctx = NULL;
1715     SSL *clientssl = NULL, *serverssl = NULL;
1716     int testresult = 0;
1717     const unsigned char *zbuf;
1718     SSL_CONNECTION *serversc;
1719     TLS_RECORD *rr;
1720 
1721     static unsigned char cbuf[16000];
1722     static unsigned char sbuf[16000];
1723 
1724     if (!TEST_true(create_ssl_ctx_pair(libctx,
1725                                        smeth, cmeth,
1726                                        min_version, max_version,
1727                                        &sctx, &cctx, cert,
1728                                        privkey)))
1729         goto end;
1730 
1731 # ifdef OPENSSL_NO_DTLS1_2
1732     if (smeth == DTLS_server_method()) {
1733         /* Not supported in the FIPS provider */
1734         if (is_fips) {
1735             testresult = 1;
1736             goto end;
1737         };
1738         /*
1739          * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1740          * level 0
1741          */
1742         if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1743                 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1744                                                     "DEFAULT:@SECLEVEL=0")))
1745             goto end;
1746     }
1747 # endif
1748 
1749     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1750                                       NULL, NULL)))
1751         goto end;
1752 
1753     if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1754         goto end;
1755 
1756     if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1757                                          SSL_ERROR_NONE)))
1758         goto end;
1759 
1760     for (i = 0; i < sizeof(cbuf); i++) {
1761         cbuf[i] = i & 0xff;
1762     }
1763 
1764     if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1765         goto end;
1766 
1767     if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1768         goto end;
1769 
1770     if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1771         goto end;
1772 
1773     /*
1774      * Since we called SSL_peek(), we know the data in the record
1775      * layer is a plaintext record. We can gather the pointer to check
1776      * for zeroization after SSL_read().
1777      */
1778     if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1779         goto end;
1780     rr = serversc->rlayer.tlsrecs;
1781 
1782     zbuf = &rr->data[rr->off];
1783     if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1784         goto end;
1785 
1786     /*
1787      * After SSL_peek() the plaintext must still be stored in the
1788      * record.
1789      */
1790     if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1791         goto end;
1792 
1793     memset(sbuf, 0, sizeof(sbuf));
1794     if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1795         goto end;
1796 
1797     if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1798         goto end;
1799 
1800     /* Check if rbuf is cleansed */
1801     memset(cbuf, 0, sizeof(cbuf));
1802     if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1803         goto end;
1804 
1805     testresult = 1;
1806  end:
1807     SSL_free(serverssl);
1808     SSL_free(clientssl);
1809     SSL_CTX_free(sctx);
1810     SSL_CTX_free(cctx);
1811 
1812     return testresult;
1813 }
1814 #endif /*
1815         * !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
1816         * || !defined(OPENSSL_NO_DTLS)
1817         */
1818 
1819 static int test_cleanse_plaintext(void)
1820 {
1821 #if !defined(OPENSSL_NO_TLS1_2)
1822     if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1823                                              TLS_client_method(),
1824                                              TLS1_2_VERSION,
1825                                              TLS1_2_VERSION)))
1826         return 0;
1827 
1828 #endif
1829 
1830 #if !defined(OSSL_NO_USABLE_TLS1_3)
1831     if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1832                                              TLS_client_method(),
1833                                              TLS1_3_VERSION,
1834                                              TLS1_3_VERSION)))
1835         return 0;
1836 #endif
1837 
1838 #if !defined(OPENSSL_NO_DTLS)
1839 
1840     if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1841                                              DTLS_client_method(),
1842                                              DTLS1_VERSION,
1843                                              0)))
1844         return 0;
1845 #endif
1846     return 1;
1847 }
1848 
1849 #ifndef OPENSSL_NO_OCSP
1850 static int ocsp_server_cb(SSL *s, void *arg)
1851 {
1852     int *argi = (int *)arg;
1853     unsigned char *copy = NULL;
1854     STACK_OF(OCSP_RESPID) *ids = NULL;
1855     OCSP_RESPID *id = NULL;
1856 
1857     if (*argi == 2) {
1858         /* In this test we are expecting exactly 1 OCSP_RESPID */
1859         SSL_get_tlsext_status_ids(s, &ids);
1860         if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1861             return SSL_TLSEXT_ERR_ALERT_FATAL;
1862 
1863         id = sk_OCSP_RESPID_value(ids, 0);
1864         if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1865             return SSL_TLSEXT_ERR_ALERT_FATAL;
1866     } else if (*argi != 1) {
1867         return SSL_TLSEXT_ERR_ALERT_FATAL;
1868     }
1869 
1870     if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1871         return SSL_TLSEXT_ERR_ALERT_FATAL;
1872 
1873     if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1874                                                    sizeof(orespder)))) {
1875         OPENSSL_free(copy);
1876         return SSL_TLSEXT_ERR_ALERT_FATAL;
1877     }
1878     ocsp_server_called = 1;
1879     return SSL_TLSEXT_ERR_OK;
1880 }
1881 
1882 static int ocsp_client_cb(SSL *s, void *arg)
1883 {
1884     int *argi = (int *)arg;
1885     const unsigned char *respderin;
1886     size_t len;
1887 
1888     if (*argi != 1 && *argi != 2)
1889         return 0;
1890 
1891     len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1892     if (!TEST_mem_eq(orespder, len, respderin, len))
1893         return 0;
1894 
1895     ocsp_client_called = 1;
1896     return 1;
1897 }
1898 
1899 static int test_tlsext_status_type(void)
1900 {
1901     SSL_CTX *cctx = NULL, *sctx = NULL;
1902     SSL *clientssl = NULL, *serverssl = NULL;
1903     int testresult = 0;
1904     STACK_OF(OCSP_RESPID) *ids = NULL;
1905     OCSP_RESPID *id = NULL;
1906     BIO *certbio = NULL;
1907 
1908     if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1909                              TLS1_VERSION, 0,
1910                              &sctx, &cctx, cert, privkey))
1911         return 0;
1912 
1913     if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1914         goto end;
1915 
1916     /* First just do various checks getting and setting tlsext_status_type */
1917 
1918     clientssl = SSL_new(cctx);
1919     if (!TEST_ptr(clientssl))
1920         goto end;
1921     if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1922             || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1923                                                       TLSEXT_STATUSTYPE_ocsp))
1924             || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1925                             TLSEXT_STATUSTYPE_ocsp))
1926         goto end;
1927 
1928     SSL_free(clientssl);
1929     clientssl = NULL;
1930 
1931     if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1932      || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1933         goto end;
1934 
1935     clientssl = SSL_new(cctx);
1936     if (!TEST_ptr(clientssl))
1937         goto end;
1938     if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1939         goto end;
1940     SSL_free(clientssl);
1941     clientssl = NULL;
1942 
1943     /*
1944      * Now actually do a handshake and check OCSP information is exchanged and
1945      * the callbacks get called
1946      */
1947     SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1948     SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1949     SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1950     SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1951     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1952                                       &clientssl, NULL, NULL))
1953             || !TEST_true(create_ssl_connection(serverssl, clientssl,
1954                                                 SSL_ERROR_NONE))
1955             || !TEST_true(ocsp_client_called)
1956             || !TEST_true(ocsp_server_called))
1957         goto end;
1958     SSL_free(serverssl);
1959     SSL_free(clientssl);
1960     serverssl = NULL;
1961     clientssl = NULL;
1962 
1963     /* Try again but this time force the server side callback to fail */
1964     ocsp_client_called = 0;
1965     ocsp_server_called = 0;
1966     cdummyarg = 0;
1967     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1968                                       &clientssl, NULL, NULL))
1969                 /* This should fail because the callback will fail */
1970             || !TEST_false(create_ssl_connection(serverssl, clientssl,
1971                                                  SSL_ERROR_NONE))
1972             || !TEST_false(ocsp_client_called)
1973             || !TEST_false(ocsp_server_called))
1974         goto end;
1975     SSL_free(serverssl);
1976     SSL_free(clientssl);
1977     serverssl = NULL;
1978     clientssl = NULL;
1979 
1980     /*
1981      * This time we'll get the client to send an OCSP_RESPID that it will
1982      * accept.
1983      */
1984     ocsp_client_called = 0;
1985     ocsp_server_called = 0;
1986     cdummyarg = 2;
1987     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1988                                       &clientssl, NULL, NULL)))
1989         goto end;
1990 
1991     /*
1992      * We'll just use any old cert for this test - it doesn't have to be an OCSP
1993      * specific one. We'll use the server cert.
1994      */
1995     if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1996             || !TEST_ptr(id = OCSP_RESPID_new())
1997             || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1998             || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
1999             || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
2000             || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
2001             || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
2002         goto end;
2003     id = NULL;
2004     SSL_set_tlsext_status_ids(clientssl, ids);
2005     /* Control has been transferred */
2006     ids = NULL;
2007 
2008     BIO_free(certbio);
2009     certbio = NULL;
2010 
2011     if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2012                                          SSL_ERROR_NONE))
2013             || !TEST_true(ocsp_client_called)
2014             || !TEST_true(ocsp_server_called))
2015         goto end;
2016 
2017     testresult = 1;
2018 
2019  end:
2020     SSL_free(serverssl);
2021     SSL_free(clientssl);
2022     SSL_CTX_free(sctx);
2023     SSL_CTX_free(cctx);
2024     sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
2025     OCSP_RESPID_free(id);
2026     BIO_free(certbio);
2027     X509_free(ocspcert);
2028     ocspcert = NULL;
2029 
2030     return testresult;
2031 }
2032 #endif
2033 
2034 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
2035 static int new_called, remove_called, get_called;
2036 
2037 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
2038 {
2039     new_called++;
2040     /*
2041      * sess has been up-refed for us, but we don't actually need it so free it
2042      * immediately.
2043      */
2044     SSL_SESSION_free(sess);
2045     return 1;
2046 }
2047 
2048 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
2049 {
2050     remove_called++;
2051 }
2052 
2053 static SSL_SESSION *get_sess_val = NULL;
2054 
2055 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
2056                                    int *copy)
2057 {
2058     get_called++;
2059     *copy = 1;
2060     return get_sess_val;
2061 }
2062 
2063 static int execute_test_session(int maxprot, int use_int_cache,
2064                                 int use_ext_cache, long s_options)
2065 {
2066     SSL_CTX *sctx = NULL, *cctx = NULL;
2067     SSL *serverssl1 = NULL, *clientssl1 = NULL;
2068     SSL *serverssl2 = NULL, *clientssl2 = NULL;
2069 # ifndef OPENSSL_NO_TLS1_1
2070     SSL *serverssl3 = NULL, *clientssl3 = NULL;
2071 # endif
2072     SSL_SESSION *sess1 = NULL, *sess2 = NULL;
2073     int testresult = 0, numnewsesstick = 1;
2074 
2075     new_called = remove_called = 0;
2076 
2077     /* TLSv1.3 sends 2 NewSessionTickets */
2078     if (maxprot == TLS1_3_VERSION)
2079         numnewsesstick = 2;
2080 
2081     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2082                                        TLS_client_method(), TLS1_VERSION, 0,
2083                                        &sctx, &cctx, cert, privkey)))
2084         return 0;
2085 
2086     /*
2087      * Only allow the max protocol version so we can force a connection failure
2088      * later
2089      */
2090     SSL_CTX_set_min_proto_version(cctx, maxprot);
2091     SSL_CTX_set_max_proto_version(cctx, maxprot);
2092 
2093     /* Set up session cache */
2094     if (use_ext_cache) {
2095         SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2096         SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
2097     }
2098     if (use_int_cache) {
2099         /* Also covers instance where both are set */
2100         SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
2101     } else {
2102         SSL_CTX_set_session_cache_mode(cctx,
2103                                        SSL_SESS_CACHE_CLIENT
2104                                        | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2105     }
2106 
2107     if (s_options) {
2108         SSL_CTX_set_options(sctx, s_options);
2109     }
2110 
2111     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2112                                       NULL, NULL))
2113             || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2114                                                 SSL_ERROR_NONE))
2115             || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2116         goto end;
2117 
2118     /* Should fail because it should already be in the cache */
2119     if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
2120         goto end;
2121     if (use_ext_cache
2122             && (!TEST_int_eq(new_called, numnewsesstick)
2123 
2124                 || !TEST_int_eq(remove_called, 0)))
2125         goto end;
2126 
2127     new_called = remove_called = 0;
2128     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2129                                       &clientssl2, NULL, NULL))
2130             || !TEST_true(SSL_set_session(clientssl2, sess1))
2131             || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2132                                                 SSL_ERROR_NONE))
2133             || !TEST_true(SSL_session_reused(clientssl2)))
2134         goto end;
2135 
2136     if (maxprot == TLS1_3_VERSION) {
2137         /*
2138          * In TLSv1.3 we should have created a new session even though we have
2139          * resumed. Since we attempted a resume we should also have removed the
2140          * old ticket from the cache so that we try to only use tickets once.
2141          */
2142         if (use_ext_cache
2143                 && (!TEST_int_eq(new_called, 1)
2144                     || !TEST_int_eq(remove_called, 1)))
2145             goto end;
2146     } else {
2147         /*
2148          * In TLSv1.2 we expect to have resumed so no sessions added or
2149          * removed.
2150          */
2151         if (use_ext_cache
2152                 && (!TEST_int_eq(new_called, 0)
2153                     || !TEST_int_eq(remove_called, 0)))
2154             goto end;
2155     }
2156 
2157     SSL_SESSION_free(sess1);
2158     if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
2159         goto end;
2160     shutdown_ssl_connection(serverssl2, clientssl2);
2161     serverssl2 = clientssl2 = NULL;
2162 
2163     new_called = remove_called = 0;
2164     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2165                                       &clientssl2, NULL, NULL))
2166             || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2167                                                 SSL_ERROR_NONE)))
2168         goto end;
2169 
2170     if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2171         goto end;
2172 
2173     if (use_ext_cache
2174             && (!TEST_int_eq(new_called, numnewsesstick)
2175                 || !TEST_int_eq(remove_called, 0)))
2176         goto end;
2177 
2178     new_called = remove_called = 0;
2179     /*
2180      * This should clear sess2 from the cache because it is a "bad" session.
2181      * See SSL_set_session() documentation.
2182      */
2183     if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2184         goto end;
2185     if (use_ext_cache
2186             && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2187         goto end;
2188     if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2189         goto end;
2190 
2191     if (use_int_cache) {
2192         /* Should succeeded because it should not already be in the cache */
2193         if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
2194                 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
2195             goto end;
2196     }
2197 
2198     new_called = remove_called = 0;
2199     /* This shouldn't be in the cache so should fail */
2200     if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2201         goto end;
2202 
2203     if (use_ext_cache
2204             && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2205         goto end;
2206 
2207 # if !defined(OPENSSL_NO_TLS1_1)
2208     new_called = remove_called = 0;
2209     /* Force a connection failure */
2210     SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
2211     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2212                                       &clientssl3, NULL, NULL))
2213             || !TEST_true(SSL_set_session(clientssl3, sess1))
2214             /* This should fail because of the mismatched protocol versions */
2215             || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2216                                                  SSL_ERROR_NONE)))
2217         goto end;
2218 
2219     /* We should have automatically removed the session from the cache */
2220     if (use_ext_cache
2221             && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2222         goto end;
2223 
2224     /* Should succeed because it should not already be in the cache */
2225     if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
2226         goto end;
2227 # endif
2228 
2229     /* Now do some tests for server side caching */
2230     if (use_ext_cache) {
2231         SSL_CTX_sess_set_new_cb(cctx, NULL);
2232         SSL_CTX_sess_set_remove_cb(cctx, NULL);
2233         SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2234         SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2235         SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2236         get_sess_val = NULL;
2237     }
2238 
2239     SSL_CTX_set_session_cache_mode(cctx, 0);
2240     /* Internal caching is the default on the server side */
2241     if (!use_int_cache)
2242         SSL_CTX_set_session_cache_mode(sctx,
2243                                        SSL_SESS_CACHE_SERVER
2244                                        | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2245 
2246     SSL_free(serverssl1);
2247     SSL_free(clientssl1);
2248     serverssl1 = clientssl1 = NULL;
2249     SSL_free(serverssl2);
2250     SSL_free(clientssl2);
2251     serverssl2 = clientssl2 = NULL;
2252     SSL_SESSION_free(sess1);
2253     sess1 = NULL;
2254     SSL_SESSION_free(sess2);
2255     sess2 = NULL;
2256 
2257     SSL_CTX_set_max_proto_version(sctx, maxprot);
2258     if (maxprot == TLS1_2_VERSION)
2259         SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
2260     new_called = remove_called = get_called = 0;
2261     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2262                                       NULL, NULL))
2263             || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2264                                                 SSL_ERROR_NONE))
2265             || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2266             || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2267         goto end;
2268 
2269     if (use_int_cache) {
2270         if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2271             /*
2272              * In TLSv1.3 it should not have been added to the internal cache,
2273              * except in the case where we also have an external cache (in that
2274              * case it gets added to the cache in order to generate remove
2275              * events after timeout).
2276              */
2277             if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2278                 goto end;
2279         } else {
2280             /* Should fail because it should already be in the cache */
2281             if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2282                 goto end;
2283         }
2284     }
2285 
2286     if (use_ext_cache) {
2287         SSL_SESSION *tmp = sess2;
2288 
2289         if (!TEST_int_eq(new_called, numnewsesstick)
2290                 || !TEST_int_eq(remove_called, 0)
2291                 || !TEST_int_eq(get_called, 0))
2292             goto end;
2293         /*
2294          * Delete the session from the internal cache to force a lookup from
2295          * the external cache. We take a copy first because
2296          * SSL_CTX_remove_session() also marks the session as non-resumable.
2297          */
2298         if (use_int_cache && maxprot != TLS1_3_VERSION) {
2299             if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2300                 || !TEST_true(sess2->owner != NULL)
2301                 || !TEST_true(tmp->owner == NULL)
2302                 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2303                 goto end;
2304             SSL_SESSION_free(sess2);
2305         }
2306         sess2 = tmp;
2307     }
2308 
2309     new_called = remove_called = get_called = 0;
2310     get_sess_val = sess2;
2311     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2312                                       &clientssl2, NULL, NULL))
2313             || !TEST_true(SSL_set_session(clientssl2, sess1))
2314             || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2315                                                 SSL_ERROR_NONE))
2316             || !TEST_true(SSL_session_reused(clientssl2)))
2317         goto end;
2318 
2319     if (use_ext_cache) {
2320         if (!TEST_int_eq(remove_called, 0))
2321             goto end;
2322 
2323         if (maxprot == TLS1_3_VERSION) {
2324             if (!TEST_int_eq(new_called, 1)
2325                     || !TEST_int_eq(get_called, 0))
2326                 goto end;
2327         } else {
2328             if (!TEST_int_eq(new_called, 0)
2329                     || !TEST_int_eq(get_called, 1))
2330                 goto end;
2331         }
2332     }
2333     /*
2334      * Make a small cache, force out all other sessions but
2335      * sess2, try to add sess1, which should succeed. Then
2336      * make sure it's there by checking the owners. Despite
2337      * the timeouts, sess1 should have kicked out sess2
2338      */
2339 
2340     /* Make sess1 expire before sess2 */
2341     if (!TEST_time_t_gt(SSL_SESSION_set_time_ex(sess1, 1000), 0)
2342             || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0)
2343             || !TEST_time_t_gt(SSL_SESSION_set_time_ex(sess2, 2000), 0)
2344             || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0))
2345         goto end;
2346 
2347     if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0))
2348         goto end;
2349 
2350     /* Don't care about results - cache should only be sess2 at end */
2351     SSL_CTX_add_session(sctx, sess1);
2352     SSL_CTX_add_session(sctx, sess2);
2353 
2354     /* Now add sess1, and make sure it remains, despite timeout */
2355     if (!TEST_true(SSL_CTX_add_session(sctx, sess1))
2356             || !TEST_ptr(sess1->owner)
2357             || !TEST_ptr_null(sess2->owner))
2358         goto end;
2359 
2360     testresult = 1;
2361 
2362  end:
2363     SSL_free(serverssl1);
2364     SSL_free(clientssl1);
2365     SSL_free(serverssl2);
2366     SSL_free(clientssl2);
2367 # ifndef OPENSSL_NO_TLS1_1
2368     SSL_free(serverssl3);
2369     SSL_free(clientssl3);
2370 # endif
2371     SSL_SESSION_free(sess1);
2372     SSL_SESSION_free(sess2);
2373     SSL_CTX_free(sctx);
2374     SSL_CTX_free(cctx);
2375 
2376     return testresult;
2377 }
2378 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2379 
2380 static int test_session_with_only_int_cache(void)
2381 {
2382 #ifndef OSSL_NO_USABLE_TLS1_3
2383     if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2384         return 0;
2385 #endif
2386 
2387 #ifndef OPENSSL_NO_TLS1_2
2388     return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2389 #else
2390     return 1;
2391 #endif
2392 }
2393 
2394 static int test_session_with_only_ext_cache(void)
2395 {
2396 #ifndef OSSL_NO_USABLE_TLS1_3
2397     if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2398         return 0;
2399 #endif
2400 
2401 #ifndef OPENSSL_NO_TLS1_2
2402     return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2403 #else
2404     return 1;
2405 #endif
2406 }
2407 
2408 static int test_session_with_both_cache(void)
2409 {
2410 #ifndef OSSL_NO_USABLE_TLS1_3
2411     if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2412         return 0;
2413 #endif
2414 
2415 #ifndef OPENSSL_NO_TLS1_2
2416     return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2417 #else
2418     return 1;
2419 #endif
2420 }
2421 
2422 static int test_session_wo_ca_names(void)
2423 {
2424 #ifndef OSSL_NO_USABLE_TLS1_3
2425     if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2426         return 0;
2427 #endif
2428 
2429 #ifndef OPENSSL_NO_TLS1_2
2430     return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2431 #else
2432     return 1;
2433 #endif
2434 }
2435 
2436 #ifndef OSSL_NO_USABLE_TLS1_3
2437 static SSL_SESSION *sesscache[6];
2438 static int do_cache;
2439 
2440 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2441 {
2442     if (do_cache) {
2443         sesscache[new_called] = sess;
2444     } else {
2445         /* We don't need the reference to the session, so free it */
2446         SSL_SESSION_free(sess);
2447     }
2448     new_called++;
2449 
2450     return 1;
2451 }
2452 
2453 static int post_handshake_verify(SSL *sssl, SSL *cssl)
2454 {
2455     SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2456     if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2457         return 0;
2458 
2459     /* Start handshake on the server and client */
2460     if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2461             || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2462             || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2463             || !TEST_true(create_ssl_connection(sssl, cssl,
2464                                                 SSL_ERROR_NONE)))
2465         return 0;
2466 
2467     return 1;
2468 }
2469 
2470 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2471                              SSL_CTX **cctx)
2472 {
2473     int sess_id_ctx = 1;
2474 
2475     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2476                                        TLS_client_method(), TLS1_VERSION, 0,
2477                                        sctx, cctx, cert, privkey))
2478             || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2479             || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2480                                                          (void *)&sess_id_ctx,
2481                                                          sizeof(sess_id_ctx))))
2482         return 0;
2483 
2484     if (stateful)
2485         SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2486 
2487     SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2488                                           | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2489     SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2490 
2491     return 1;
2492 }
2493 
2494 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2495 {
2496     SSL *serverssl = NULL, *clientssl = NULL;
2497     int i;
2498 
2499     /* Test that we can resume with all the tickets we got given */
2500     for (i = 0; i < idx * 2; i++) {
2501         new_called = 0;
2502         if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2503                                               &clientssl, NULL, NULL))
2504                 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2505             goto end;
2506 
2507         SSL_set_post_handshake_auth(clientssl, 1);
2508 
2509         if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2510                                                     SSL_ERROR_NONE)))
2511             goto end;
2512 
2513         /*
2514          * Following a successful resumption we only get 1 ticket. After a
2515          * failed one we should get idx tickets.
2516          */
2517         if (succ) {
2518             if (!TEST_true(SSL_session_reused(clientssl))
2519                     || !TEST_int_eq(new_called, 1))
2520                 goto end;
2521         } else {
2522             if (!TEST_false(SSL_session_reused(clientssl))
2523                     || !TEST_int_eq(new_called, idx))
2524                 goto end;
2525         }
2526 
2527         new_called = 0;
2528         /* After a post-handshake authentication we should get 1 new ticket */
2529         if (succ
2530                 && (!post_handshake_verify(serverssl, clientssl)
2531                     || !TEST_int_eq(new_called, 1)))
2532             goto end;
2533 
2534         SSL_shutdown(clientssl);
2535         SSL_shutdown(serverssl);
2536         SSL_free(serverssl);
2537         SSL_free(clientssl);
2538         serverssl = clientssl = NULL;
2539         SSL_SESSION_free(sesscache[i]);
2540         sesscache[i] = NULL;
2541     }
2542 
2543     return 1;
2544 
2545  end:
2546     SSL_free(clientssl);
2547     SSL_free(serverssl);
2548     return 0;
2549 }
2550 
2551 static int test_tickets(int stateful, int idx)
2552 {
2553     SSL_CTX *sctx = NULL, *cctx = NULL;
2554     SSL *serverssl = NULL, *clientssl = NULL;
2555     int testresult = 0;
2556     size_t j;
2557 
2558     /* idx is the test number, but also the number of tickets we want */
2559 
2560     new_called = 0;
2561     do_cache = 1;
2562 
2563     if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2564         goto end;
2565 
2566     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2567                                           &clientssl, NULL, NULL)))
2568         goto end;
2569 
2570     if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2571                                                 SSL_ERROR_NONE))
2572                /* Check we got the number of tickets we were expecting */
2573             || !TEST_int_eq(idx, new_called))
2574         goto end;
2575 
2576     SSL_shutdown(clientssl);
2577     SSL_shutdown(serverssl);
2578     SSL_free(serverssl);
2579     SSL_free(clientssl);
2580     SSL_CTX_free(sctx);
2581     SSL_CTX_free(cctx);
2582     clientssl = serverssl = NULL;
2583     sctx = cctx = NULL;
2584 
2585     /*
2586      * Now we try to resume with the tickets we previously created. The
2587      * resumption attempt is expected to fail (because we're now using a new
2588      * SSL_CTX). We should see idx number of tickets issued again.
2589      */
2590 
2591     /* Stop caching sessions - just count them */
2592     do_cache = 0;
2593 
2594     if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2595         goto end;
2596 
2597     if (!check_resumption(idx, sctx, cctx, 0))
2598         goto end;
2599 
2600     /* Start again with caching sessions */
2601     new_called = 0;
2602     do_cache = 1;
2603     SSL_CTX_free(sctx);
2604     SSL_CTX_free(cctx);
2605     sctx = cctx = NULL;
2606 
2607     if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2608         goto end;
2609 
2610     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2611                                           &clientssl, NULL, NULL)))
2612         goto end;
2613 
2614     SSL_set_post_handshake_auth(clientssl, 1);
2615 
2616     if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2617                                                 SSL_ERROR_NONE))
2618                /* Check we got the number of tickets we were expecting */
2619             || !TEST_int_eq(idx, new_called))
2620         goto end;
2621 
2622     /* After a post-handshake authentication we should get new tickets issued */
2623     if (!post_handshake_verify(serverssl, clientssl)
2624             || !TEST_int_eq(idx * 2, new_called))
2625         goto end;
2626 
2627     SSL_shutdown(clientssl);
2628     SSL_shutdown(serverssl);
2629     SSL_free(serverssl);
2630     SSL_free(clientssl);
2631     serverssl = clientssl = NULL;
2632 
2633     /* Stop caching sessions - just count them */
2634     do_cache = 0;
2635 
2636     /*
2637      * Check we can resume with all the tickets we created. This time around the
2638      * resumptions should all be successful.
2639      */
2640     if (!check_resumption(idx, sctx, cctx, 1))
2641         goto end;
2642 
2643     testresult = 1;
2644 
2645  end:
2646     SSL_free(serverssl);
2647     SSL_free(clientssl);
2648     for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2649         SSL_SESSION_free(sesscache[j]);
2650         sesscache[j] = NULL;
2651     }
2652     SSL_CTX_free(sctx);
2653     SSL_CTX_free(cctx);
2654 
2655     return testresult;
2656 }
2657 
2658 static int test_stateless_tickets(int idx)
2659 {
2660     return test_tickets(0, idx);
2661 }
2662 
2663 static int test_stateful_tickets(int idx)
2664 {
2665     return test_tickets(1, idx);
2666 }
2667 
2668 static int test_psk_tickets(void)
2669 {
2670     SSL_CTX *sctx = NULL, *cctx = NULL;
2671     SSL *serverssl = NULL, *clientssl = NULL;
2672     int testresult = 0;
2673     int sess_id_ctx = 1;
2674 
2675     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2676                                        TLS_client_method(), TLS1_VERSION, 0,
2677                                        &sctx, &cctx, NULL, NULL))
2678             || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2679                                                          (void *)&sess_id_ctx,
2680                                                          sizeof(sess_id_ctx))))
2681         goto end;
2682 
2683     SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2684                                          | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2685     SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2686     SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2687     SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2688     use_session_cb_cnt = 0;
2689     find_session_cb_cnt = 0;
2690     srvid = pskid;
2691     new_called = 0;
2692 
2693     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2694                                       NULL, NULL)))
2695         goto end;
2696     clientpsk = serverpsk = create_a_psk(clientssl, SHA384_DIGEST_LENGTH);
2697     if (!TEST_ptr(clientpsk) || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
2698         goto end;
2699 
2700     if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2701                                                 SSL_ERROR_NONE))
2702             || !TEST_int_eq(1, find_session_cb_cnt)
2703             || !TEST_int_eq(1, use_session_cb_cnt)
2704                /* We should always get 1 ticket when using external PSK */
2705             || !TEST_int_eq(1, new_called))
2706         goto end;
2707 
2708     testresult = 1;
2709 
2710  end:
2711     SSL_free(serverssl);
2712     SSL_free(clientssl);
2713     SSL_CTX_free(sctx);
2714     SSL_CTX_free(cctx);
2715     SSL_SESSION_free(clientpsk);
2716     SSL_SESSION_free(serverpsk);
2717     clientpsk = serverpsk = NULL;
2718 
2719     return testresult;
2720 }
2721 
2722 static int test_extra_tickets(int idx)
2723 {
2724     SSL_CTX *sctx = NULL, *cctx = NULL;
2725     SSL *serverssl = NULL, *clientssl = NULL;
2726     BIO *bretry = BIO_new(bio_s_always_retry());
2727     BIO *tmp = NULL;
2728     int testresult = 0;
2729     int stateful = 0;
2730     size_t nbytes;
2731     unsigned char c, buf[1];
2732 
2733     new_called = 0;
2734     do_cache = 1;
2735 
2736     if (idx >= 3) {
2737         idx -= 3;
2738         stateful = 1;
2739     }
2740 
2741     if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2742         goto end;
2743     SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2744     /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2745     SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2746 
2747     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2748                                           &clientssl, NULL, NULL)))
2749         goto end;
2750 
2751     /*
2752      * Note that we have new_session_cb on both sctx and cctx, so new_called is
2753      * incremented by both client and server.
2754      */
2755     if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2756                                                 SSL_ERROR_NONE))
2757                /* Check we got the number of tickets we were expecting */
2758             || !TEST_int_eq(idx * 2, new_called)
2759             || !TEST_true(SSL_new_session_ticket(serverssl))
2760             || !TEST_true(SSL_new_session_ticket(serverssl))
2761             || !TEST_int_eq(idx * 2, new_called))
2762         goto end;
2763 
2764     /* Now try a (real) write to actually send the tickets */
2765     c = '1';
2766     if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2767             || !TEST_size_t_eq(1, nbytes)
2768             || !TEST_int_eq(idx * 2 + 2, new_called)
2769             || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2770             || !TEST_int_eq(idx * 2 + 4, new_called)
2771             || !TEST_int_eq(sizeof(buf), nbytes)
2772             || !TEST_int_eq(c, buf[0])
2773             || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2774         goto end;
2775 
2776     /* Try with only requesting one new ticket, too */
2777     c = '2';
2778     new_called = 0;
2779     if (!TEST_true(SSL_new_session_ticket(serverssl))
2780             || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2781             || !TEST_size_t_eq(sizeof(c), nbytes)
2782             || !TEST_int_eq(1, new_called)
2783             || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2784             || !TEST_int_eq(2, new_called)
2785             || !TEST_size_t_eq(sizeof(buf), nbytes)
2786             || !TEST_int_eq(c, buf[0]))
2787         goto end;
2788 
2789     /* Do it again but use dummy writes to drive the ticket generation */
2790     c = '3';
2791     new_called = 0;
2792     if (!TEST_true(SSL_new_session_ticket(serverssl))
2793             || !TEST_true(SSL_new_session_ticket(serverssl))
2794             || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2795             || !TEST_size_t_eq(0, nbytes)
2796             || !TEST_int_eq(2, new_called)
2797             || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2798             || !TEST_int_eq(4, new_called))
2799         goto end;
2800 
2801     /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2802     c = '4';
2803     new_called = 0;
2804     if (!TEST_true(SSL_new_session_ticket(serverssl))
2805             || !TEST_true(SSL_new_session_ticket(serverssl))
2806             || !TEST_true(SSL_do_handshake(serverssl))
2807             || !TEST_int_eq(2, new_called)
2808             || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2809             || !TEST_int_eq(4, new_called))
2810         goto end;
2811 
2812     /*
2813      * Use the always-retry BIO to exercise the logic that forces ticket
2814      * generation to wait until a record boundary.
2815      */
2816     c = '5';
2817     new_called = 0;
2818     tmp = SSL_get_wbio(serverssl);
2819     if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2820         tmp = NULL;
2821         goto end;
2822     }
2823     SSL_set0_wbio(serverssl, bretry);
2824     bretry = NULL;
2825     if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2826             || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2827             || !TEST_size_t_eq(nbytes, 0))
2828         goto end;
2829     /* Restore a BIO that will let the write succeed */
2830     SSL_set0_wbio(serverssl, tmp);
2831     tmp = NULL;
2832     /*
2833      * These calls should just queue the request and not send anything
2834      * even if we explicitly try to hit the state machine.
2835      */
2836     if (!TEST_true(SSL_new_session_ticket(serverssl))
2837             || !TEST_true(SSL_new_session_ticket(serverssl))
2838             || !TEST_int_eq(0, new_called)
2839             || !TEST_true(SSL_do_handshake(serverssl))
2840             || !TEST_int_eq(0, new_called))
2841         goto end;
2842     /* Re-do the write; still no tickets sent */
2843     if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2844             || !TEST_size_t_eq(1, nbytes)
2845             || !TEST_int_eq(0, new_called)
2846             || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2847             || !TEST_int_eq(0, new_called)
2848             || !TEST_int_eq(sizeof(buf), nbytes)
2849             || !TEST_int_eq(c, buf[0])
2850             || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2851         goto end;
2852     /* Even trying to hit the state machine now will still not send tickets */
2853     if (!TEST_true(SSL_do_handshake(serverssl))
2854             || !TEST_int_eq(0, new_called))
2855         goto end;
2856     /* Now the *next* write should send the tickets */
2857     c = '6';
2858     if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2859             || !TEST_size_t_eq(1, nbytes)
2860             || !TEST_int_eq(2, new_called)
2861             || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2862             || !TEST_int_eq(4, new_called)
2863             || !TEST_int_eq(sizeof(buf), nbytes)
2864             || !TEST_int_eq(c, buf[0])
2865             || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2866         goto end;
2867 
2868     SSL_shutdown(clientssl);
2869     SSL_shutdown(serverssl);
2870     testresult = 1;
2871 
2872  end:
2873     BIO_free(bretry);
2874     BIO_free(tmp);
2875     SSL_free(serverssl);
2876     SSL_free(clientssl);
2877     SSL_CTX_free(sctx);
2878     SSL_CTX_free(cctx);
2879     clientssl = serverssl = NULL;
2880     sctx = cctx = NULL;
2881     return testresult;
2882 }
2883 #endif
2884 
2885 #define USE_NULL            0
2886 #define USE_BIO_1           1
2887 #define USE_BIO_2           2
2888 #define USE_DEFAULT         3
2889 
2890 #define CONNTYPE_CONNECTION_SUCCESS  0
2891 #define CONNTYPE_CONNECTION_FAIL     1
2892 #define CONNTYPE_NO_CONNECTION       2
2893 
2894 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS         (3 * 3 * 3 * 3)
2895 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS    (2 * 2)
2896 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2897 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS       (2 * 2)
2898 #else
2899 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS       0
2900 #endif
2901 
2902 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2903                                 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2904                                 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2905 
2906 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2907 {
2908     switch (type) {
2909     case USE_NULL:
2910         *res = NULL;
2911         break;
2912     case USE_BIO_1:
2913         *res = bio1;
2914         break;
2915     case USE_BIO_2:
2916         *res = bio2;
2917         break;
2918     }
2919 }
2920 
2921 
2922 /*
2923  * Tests calls to SSL_set_bio() under various conditions.
2924  *
2925  * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2926  * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2927  * then do more tests where we create a successful connection first using our
2928  * standard connection setup functions, and then call SSL_set_bio() with
2929  * various combinations of valid BIOs or NULL. We then repeat these tests
2930  * following a failed connection. In this last case we are looking to check that
2931  * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2932  */
2933 static int test_ssl_set_bio(int idx)
2934 {
2935     SSL_CTX *sctx = NULL, *cctx = NULL;
2936     BIO *bio1 = NULL;
2937     BIO *bio2 = NULL;
2938     BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2939     SSL *serverssl = NULL, *clientssl = NULL;
2940     int initrbio, initwbio, newrbio, newwbio, conntype;
2941     int testresult = 0;
2942 
2943     if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2944         initrbio = idx % 3;
2945         idx /= 3;
2946         initwbio = idx % 3;
2947         idx /= 3;
2948         newrbio = idx % 3;
2949         idx /= 3;
2950         newwbio = idx % 3;
2951         conntype = CONNTYPE_NO_CONNECTION;
2952     } else {
2953         idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2954         initrbio = initwbio = USE_DEFAULT;
2955         newrbio = idx % 2;
2956         idx /= 2;
2957         newwbio = idx % 2;
2958         idx /= 2;
2959         conntype = idx % 2;
2960     }
2961 
2962     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2963                                        TLS_client_method(), TLS1_VERSION, 0,
2964                                        &sctx, &cctx, cert, privkey)))
2965         goto end;
2966 
2967     if (conntype == CONNTYPE_CONNECTION_FAIL) {
2968         /*
2969          * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2970          * because we reduced the number of tests in the definition of
2971          * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2972          * mismatched protocol versions we will force a connection failure.
2973          */
2974         SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2975         SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2976     }
2977 
2978     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2979                                       NULL, NULL)))
2980         goto end;
2981 
2982     if (initrbio == USE_BIO_1
2983             || initwbio == USE_BIO_1
2984             || newrbio == USE_BIO_1
2985             || newwbio == USE_BIO_1) {
2986         if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2987             goto end;
2988     }
2989 
2990     if (initrbio == USE_BIO_2
2991             || initwbio == USE_BIO_2
2992             || newrbio == USE_BIO_2
2993             || newwbio == USE_BIO_2) {
2994         if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2995             goto end;
2996     }
2997 
2998     if (initrbio != USE_DEFAULT) {
2999         setupbio(&irbio, bio1, bio2, initrbio);
3000         setupbio(&iwbio, bio1, bio2, initwbio);
3001         SSL_set_bio(clientssl, irbio, iwbio);
3002 
3003         /*
3004          * We want to maintain our own refs to these BIO, so do an up ref for
3005          * each BIO that will have ownership transferred in the SSL_set_bio()
3006          * call
3007          */
3008         if (irbio != NULL && !BIO_up_ref(irbio))
3009             goto end;
3010         if (iwbio != NULL && iwbio != irbio && !BIO_up_ref(iwbio)) {
3011             BIO_free(irbio);
3012             goto end;
3013         }
3014     }
3015 
3016     if (conntype != CONNTYPE_NO_CONNECTION
3017             && !TEST_true(create_ssl_connection(serverssl, clientssl,
3018                                                 SSL_ERROR_NONE)
3019                           == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
3020         goto end;
3021 
3022     setupbio(&nrbio, bio1, bio2, newrbio);
3023     setupbio(&nwbio, bio1, bio2, newwbio);
3024 
3025     /*
3026      * We will (maybe) transfer ownership again so do more up refs.
3027      * SSL_set_bio() has some really complicated ownership rules where BIOs have
3028      * already been set!
3029      */
3030     if (nrbio != NULL
3031             && nrbio != irbio
3032             && (nwbio != iwbio || nrbio != nwbio))
3033         if (!TEST_true(BIO_up_ref(nrbio)))
3034             goto end;
3035     if (nwbio != NULL
3036             && nwbio != nrbio
3037             && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
3038         if (!TEST_true(BIO_up_ref(nwbio))) {
3039             if (nrbio != irbio
3040                     && (nwbio != iwbio || nrbio != nwbio))
3041                 BIO_free(nrbio);
3042             goto end;
3043         }
3044 
3045     SSL_set_bio(clientssl, nrbio, nwbio);
3046 
3047     testresult = 1;
3048 
3049  end:
3050     BIO_free(bio1);
3051     BIO_free(bio2);
3052 
3053     /*
3054      * This test is checking that the ref counting for SSL_set_bio is correct.
3055      * If we get here and we did too many frees then we will fail in the above
3056      * functions.
3057      */
3058     SSL_free(serverssl);
3059     SSL_free(clientssl);
3060     SSL_CTX_free(sctx);
3061     SSL_CTX_free(cctx);
3062     return testresult;
3063 }
3064 
3065 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
3066 
3067 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
3068 {
3069     BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
3070     SSL_CTX *ctx;
3071     SSL *ssl = NULL;
3072     int testresult = 0;
3073 
3074     if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
3075             || !TEST_ptr(ssl = SSL_new(ctx))
3076             || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
3077             || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
3078         goto end;
3079 
3080     BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
3081 
3082     /*
3083      * If anything goes wrong here then we could leak memory.
3084      */
3085     BIO_push(sslbio, membio1);
3086 
3087     /* Verify changing the rbio/wbio directly does not cause leaks */
3088     if (change_bio != NO_BIO_CHANGE) {
3089         if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
3090             ssl = NULL;
3091             goto end;
3092         }
3093         if (change_bio == CHANGE_RBIO)
3094             SSL_set0_rbio(ssl, membio2);
3095         else
3096             SSL_set0_wbio(ssl, membio2);
3097     }
3098     ssl = NULL;
3099 
3100     if (pop_ssl)
3101         BIO_pop(sslbio);
3102     else
3103         BIO_pop(membio1);
3104 
3105     testresult = 1;
3106  end:
3107     BIO_free(membio1);
3108     BIO_free(sslbio);
3109     SSL_free(ssl);
3110     SSL_CTX_free(ctx);
3111 
3112     return testresult;
3113 }
3114 
3115 static int test_ssl_bio_pop_next_bio(void)
3116 {
3117     return execute_test_ssl_bio(0, NO_BIO_CHANGE);
3118 }
3119 
3120 static int test_ssl_bio_pop_ssl_bio(void)
3121 {
3122     return execute_test_ssl_bio(1, NO_BIO_CHANGE);
3123 }
3124 
3125 static int test_ssl_bio_change_rbio(void)
3126 {
3127     return execute_test_ssl_bio(0, CHANGE_RBIO);
3128 }
3129 
3130 static int test_ssl_bio_change_wbio(void)
3131 {
3132     return execute_test_ssl_bio(0, CHANGE_WBIO);
3133 }
3134 
3135 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
3136 typedef struct {
3137     /* The list of sig algs */
3138     const int *list;
3139     /* The length of the list */
3140     size_t listlen;
3141     /* A sigalgs list in string format */
3142     const char *liststr;
3143     /* Whether setting the list should succeed */
3144     int valid;
3145     /* Whether creating a connection with the list should succeed */
3146     int connsuccess;
3147 } sigalgs_list;
3148 
3149 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
3150 # ifndef OPENSSL_NO_EC
3151 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
3152 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
3153 # endif
3154 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
3155 static const int invalidlist2[] = {NID_sha256, NID_undef};
3156 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
3157 static const int invalidlist4[] = {NID_sha256};
3158 static const sigalgs_list testsigalgs[] = {
3159     {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
3160 # ifndef OPENSSL_NO_EC
3161     {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
3162     {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
3163 # endif
3164     {NULL, 0, "RSA+SHA256", 1, 1},
3165     {NULL, 0, "RSA+SHA256:?Invalid", 1, 1},
3166 # ifndef OPENSSL_NO_EC
3167     {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
3168     {NULL, 0, "ECDSA+SHA512", 1, 0},
3169 # endif
3170     {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
3171     {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
3172     {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
3173     {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
3174     {NULL, 0, "RSA", 0, 0},
3175     {NULL, 0, "SHA256", 0, 0},
3176     {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
3177     {NULL, 0, "Invalid", 0, 0}
3178 };
3179 
3180 static int test_set_sigalgs(int idx)
3181 {
3182     SSL_CTX *cctx = NULL, *sctx = NULL;
3183     SSL *clientssl = NULL, *serverssl = NULL;
3184     int testresult = 0;
3185     const sigalgs_list *curr;
3186     int testctx;
3187 
3188     /* Should never happen */
3189     if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
3190         return 0;
3191 
3192     testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
3193     curr = testctx ? &testsigalgs[idx]
3194                    : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
3195 
3196     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3197                                        TLS_client_method(), TLS1_VERSION, 0,
3198                                        &sctx, &cctx, cert, privkey)))
3199         return 0;
3200 
3201     SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
3202 
3203     if (testctx) {
3204         int ret;
3205 
3206         if (curr->list != NULL)
3207             ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
3208         else
3209             ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
3210 
3211         if (!ret) {
3212             if (curr->valid)
3213                 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
3214             else
3215                 testresult = 1;
3216             goto end;
3217         }
3218         if (!curr->valid) {
3219             TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
3220             goto end;
3221         }
3222     }
3223 
3224     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3225                                       &clientssl, NULL, NULL)))
3226         goto end;
3227 
3228     if (!testctx) {
3229         int ret;
3230 
3231         if (curr->list != NULL)
3232             ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3233         else
3234             ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3235         if (!ret) {
3236             if (curr->valid)
3237                 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
3238             else
3239                 testresult = 1;
3240             goto end;
3241         }
3242         if (!curr->valid)
3243             goto end;
3244     }
3245 
3246     if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3247                                            SSL_ERROR_NONE),
3248                 curr->connsuccess))
3249         goto end;
3250 
3251     testresult = 1;
3252 
3253  end:
3254     SSL_free(serverssl);
3255     SSL_free(clientssl);
3256     SSL_CTX_free(sctx);
3257     SSL_CTX_free(cctx);
3258 
3259     return testresult;
3260 }
3261 #endif
3262 
3263 #ifndef OSSL_NO_USABLE_TLS1_3
3264 static int psk_client_cb_cnt = 0;
3265 static int psk_server_cb_cnt = 0;
3266 
3267 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3268                           size_t *idlen, SSL_SESSION **sess)
3269 {
3270     switch (++use_session_cb_cnt) {
3271     case 1:
3272         /* The first call should always have a NULL md */
3273         if (md != NULL)
3274             return 0;
3275         break;
3276 
3277     case 2:
3278         /* The second call should always have an md */
3279         if (md == NULL)
3280             return 0;
3281         break;
3282 
3283     default:
3284         /* We should only be called a maximum of twice */
3285         return 0;
3286     }
3287 
3288     if (clientpsk != NULL && !SSL_SESSION_up_ref(clientpsk))
3289         return 0;
3290 
3291     *sess = clientpsk;
3292     *id = (const unsigned char *)pskid;
3293     *idlen = strlen(pskid);
3294 
3295     return 1;
3296 }
3297 
3298 #ifndef OPENSSL_NO_PSK
3299 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3300                                   unsigned int max_id_len,
3301                                   unsigned char *psk,
3302                                   unsigned int max_psk_len)
3303 {
3304     unsigned int psklen = 0;
3305 
3306     psk_client_cb_cnt++;
3307 
3308     if (strlen(pskid) + 1 > max_id_len)
3309         return 0;
3310 
3311     /* We should only ever be called a maximum of twice per connection */
3312     if (psk_client_cb_cnt > 2)
3313         return 0;
3314 
3315     if (clientpsk == NULL)
3316         return 0;
3317 
3318     /* We'll reuse the PSK we set up for TLSv1.3 */
3319     if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3320         return 0;
3321     psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3322     strncpy(id, pskid, max_id_len);
3323 
3324     return psklen;
3325 }
3326 #endif /* OPENSSL_NO_PSK */
3327 
3328 static int find_session_cb(SSL *ssl, const unsigned char *identity,
3329                            size_t identity_len, SSL_SESSION **sess)
3330 {
3331     find_session_cb_cnt++;
3332 
3333     /* We should only ever be called a maximum of twice per connection */
3334     if (find_session_cb_cnt > 2)
3335         return 0;
3336 
3337     if (serverpsk == NULL)
3338         return 0;
3339 
3340     /* Identity should match that set by the client */
3341     if (strlen(srvid) != identity_len
3342             || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3343         /* No PSK found, continue but without a PSK */
3344         *sess = NULL;
3345         return 1;
3346     }
3347 
3348     if (!SSL_SESSION_up_ref(serverpsk))
3349         return 0;
3350 
3351     *sess = serverpsk;
3352 
3353     return 1;
3354 }
3355 
3356 #ifndef OPENSSL_NO_PSK
3357 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3358                                   unsigned char *psk, unsigned int max_psk_len)
3359 {
3360     unsigned int psklen = 0;
3361 
3362     psk_server_cb_cnt++;
3363 
3364     /* We should only ever be called a maximum of twice per connection */
3365     if (find_session_cb_cnt > 2)
3366         return 0;
3367 
3368     if (serverpsk == NULL)
3369         return 0;
3370 
3371     /* Identity should match that set by the client */
3372     if (strcmp(srvid, identity) != 0) {
3373         return 0;
3374     }
3375 
3376     /* We'll reuse the PSK we set up for TLSv1.3 */
3377     if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3378         return 0;
3379     psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3380 
3381     return psklen;
3382 }
3383 #endif /* OPENSSL_NO_PSK */
3384 
3385 #define MSG1    "Hello"
3386 #define MSG2    "World."
3387 #define MSG3    "This"
3388 #define MSG4    "is"
3389 #define MSG5    "a"
3390 #define MSG6    "test"
3391 #define MSG7    "message."
3392 
3393 static int artificial_ticket_time = 0;
3394 
3395 static int sub_session_time(SSL_SESSION *sess)
3396 {
3397     OSSL_TIME tick_time;
3398 
3399     tick_time = ossl_time_from_time_t(SSL_SESSION_get_time_ex(sess));
3400     tick_time = ossl_time_subtract(tick_time, ossl_seconds2time(10));
3401 
3402     return SSL_SESSION_set_time_ex(sess, ossl_time_to_time_t(tick_time)) != 0;
3403 }
3404 
3405 static int ed_gen_cb(SSL *s, void *arg)
3406 {
3407     SSL_SESSION *sess = SSL_get0_session(s);
3408 
3409     if (sess == NULL)
3410         return 0;
3411 
3412     /*
3413      * Artificially give the ticket some age. Just do it for the number of
3414      * tickets we've been told to do.
3415      */
3416     if (artificial_ticket_time == 0)
3417         return 1;
3418     artificial_ticket_time--;
3419 
3420     return sub_session_time(sess);
3421 }
3422 
3423 /*
3424  * Helper method to setup objects for early data test. Caller frees objects on
3425  * error.
3426  */
3427 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3428                                 SSL **serverssl, SSL_SESSION **sess, int idx,
3429                                 size_t mdsize)
3430 {
3431     int artificial = (artificial_ticket_time > 0);
3432 
3433     if (*sctx == NULL
3434             && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3435                                               TLS_client_method(),
3436                                               TLS1_VERSION, 0,
3437                                               sctx, cctx, cert, privkey)))
3438         return 0;
3439 
3440     if (artificial)
3441         SSL_CTX_set_session_ticket_cb(*sctx, ed_gen_cb, NULL, NULL);
3442 
3443     if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3444         return 0;
3445 
3446     if (idx == 1) {
3447         /* When idx == 1 we repeat the tests with read_ahead set */
3448         SSL_CTX_set_read_ahead(*cctx, 1);
3449         SSL_CTX_set_read_ahead(*sctx, 1);
3450     } else if (idx == 2) {
3451         /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3452         SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3453         SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3454         use_session_cb_cnt = 0;
3455         find_session_cb_cnt = 0;
3456         srvid = pskid;
3457     }
3458 
3459     if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3460                                       NULL, NULL)))
3461         return 0;
3462 
3463     /*
3464      * For one of the run throughs (doesn't matter which one), we'll try sending
3465      * some SNI data in the initial ClientHello. This will be ignored (because
3466      * there is no SNI cb set up by the server), so it should not impact
3467      * early_data.
3468      */
3469     if (idx == 1
3470             && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3471         return 0;
3472 
3473     if (idx == 2) {
3474         clientpsk = create_a_psk(*clientssl, mdsize);
3475         if (!TEST_ptr(clientpsk)
3476                    /*
3477                     * We just choose an arbitrary value for max_early_data which
3478                     * should be big enough for testing purposes.
3479                     */
3480                 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3481                                                              0x100))
3482                 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3483             SSL_SESSION_free(clientpsk);
3484             clientpsk = NULL;
3485             return 0;
3486         }
3487         serverpsk = clientpsk;
3488 
3489         if (sess != NULL) {
3490             if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3491                 SSL_SESSION_free(clientpsk);
3492                 SSL_SESSION_free(serverpsk);
3493                 clientpsk = serverpsk = NULL;
3494                 return 0;
3495             }
3496             *sess = clientpsk;
3497         }
3498         return 1;
3499     }
3500 
3501     if (sess == NULL)
3502         return 1;
3503 
3504     if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3505                                          SSL_ERROR_NONE)))
3506         return 0;
3507 
3508     *sess = SSL_get1_session(*clientssl);
3509     SSL_shutdown(*clientssl);
3510     SSL_shutdown(*serverssl);
3511     SSL_free(*serverssl);
3512     SSL_free(*clientssl);
3513     *serverssl = *clientssl = NULL;
3514 
3515     /*
3516      * Artificially give the ticket some age to match the artificial age we
3517      * gave it on the server side
3518      */
3519     if (artificial
3520             && !TEST_true(sub_session_time(*sess)))
3521         return 0;
3522 
3523     if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3524                                       clientssl, NULL, NULL))
3525             || !TEST_true(SSL_set_session(*clientssl, *sess)))
3526         return 0;
3527 
3528     return 1;
3529 }
3530 
3531 static int check_early_data_timeout(OSSL_TIME timer)
3532 {
3533     int res = 0;
3534 
3535     /*
3536      * Early data is time sensitive. We have an approx 8 second allowance
3537      * between writing the early data and reading it. If we exceed that time
3538      * then this test will fail. This can sometimes (rarely) occur in normal CI
3539      * operation. We can try and detect this and just ignore the result of this
3540      * test if it has taken too long. We assume anything over 7 seconds is too
3541      * long
3542      */
3543     timer = ossl_time_subtract(ossl_time_now(), timer);
3544     if (ossl_time_compare(timer, ossl_seconds2time(7)) >= 0)
3545         res = TEST_skip("Test took too long, ignoring result");
3546 
3547     return res;
3548 }
3549 
3550 static int test_early_data_read_write(int idx)
3551 {
3552     SSL_CTX *cctx = NULL, *sctx = NULL;
3553     SSL *clientssl = NULL, *serverssl = NULL;
3554     int testresult = 0;
3555     SSL_SESSION *sess = NULL;
3556     unsigned char buf[20], data[1024];
3557     size_t readbytes, written, eoedlen, rawread, rawwritten;
3558     BIO *rbio;
3559     OSSL_TIME timer;
3560 
3561     /* Artificially give the next 2 tickets some age for non PSK sessions */
3562     if (idx != 2)
3563         artificial_ticket_time = 2;
3564     if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3565                                         &serverssl, &sess, idx,
3566                                         SHA384_DIGEST_LENGTH))) {
3567         artificial_ticket_time = 0;
3568         goto end;
3569     }
3570     artificial_ticket_time = 0;
3571 
3572     /* Write and read some early data */
3573     timer = ossl_time_now();
3574     if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3575                                         &written))
3576             || !TEST_size_t_eq(written, strlen(MSG1)))
3577         goto end;
3578 
3579     if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3580                                          &readbytes),
3581                      SSL_READ_EARLY_DATA_SUCCESS)) {
3582         testresult = check_early_data_timeout(timer);
3583         goto end;
3584     }
3585 
3586     if (!TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3587             || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3588                             SSL_EARLY_DATA_ACCEPTED))
3589         goto end;
3590 
3591     /*
3592      * Server should be able to write data, and client should be able to
3593      * read it.
3594      */
3595     if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3596                                         &written))
3597             || !TEST_size_t_eq(written, strlen(MSG2))
3598             || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3599             || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3600         goto end;
3601 
3602     /* Even after reading normal data, client should be able write early data */
3603     if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3604                                         &written))
3605             || !TEST_size_t_eq(written, strlen(MSG3)))
3606         goto end;
3607 
3608     /* Server should still be able read early data after writing data */
3609     if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3610                                          &readbytes),
3611                      SSL_READ_EARLY_DATA_SUCCESS)
3612             || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3613         goto end;
3614 
3615     /* Write more data from server and read it from client */
3616     if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3617                                         &written))
3618             || !TEST_size_t_eq(written, strlen(MSG4))
3619             || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3620             || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3621         goto end;
3622 
3623     /*
3624      * If client writes normal data it should mean writing early data is no
3625      * longer possible.
3626      */
3627     if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3628             || !TEST_size_t_eq(written, strlen(MSG5))
3629             || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3630                             SSL_EARLY_DATA_ACCEPTED))
3631         goto end;
3632 
3633     /*
3634      * At this point the client has written EndOfEarlyData, ClientFinished and
3635      * normal (fully protected) data. We are going to cause a delay between the
3636      * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3637      * in the read BIO, and then just put back the EndOfEarlyData message.
3638      */
3639     rbio = SSL_get_rbio(serverssl);
3640     if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3641             || !TEST_size_t_lt(rawread, sizeof(data))
3642             || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3643         goto end;
3644 
3645     /* Record length is in the 4th and 5th bytes of the record header */
3646     eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3647     if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3648             || !TEST_size_t_eq(rawwritten, eoedlen))
3649         goto end;
3650 
3651     /* Server should be told that there is no more early data */
3652     if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3653                                          &readbytes),
3654                      SSL_READ_EARLY_DATA_FINISH)
3655             || !TEST_size_t_eq(readbytes, 0))
3656         goto end;
3657 
3658     /*
3659      * Server has not finished init yet, so should still be able to write early
3660      * data.
3661      */
3662     if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3663                                         &written))
3664             || !TEST_size_t_eq(written, strlen(MSG6)))
3665         goto end;
3666 
3667     /* Push the ClientFinished and the normal data back into the server rbio */
3668     if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3669                                 &rawwritten))
3670             || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3671         goto end;
3672 
3673     /* Server should be able to read normal data */
3674     if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3675             || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3676         goto end;
3677 
3678     /* Client and server should not be able to write/read early data now */
3679     if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3680                                          &written)))
3681         goto end;
3682     ERR_clear_error();
3683     if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3684                                          &readbytes),
3685                      SSL_READ_EARLY_DATA_ERROR))
3686         goto end;
3687     ERR_clear_error();
3688 
3689     /* Client should be able to read the data sent by the server */
3690     if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3691             || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3692         goto end;
3693 
3694     /*
3695      * Make sure we process the two NewSessionTickets. These arrive
3696      * post-handshake. We attempt reads which we do not expect to return any
3697      * data.
3698      */
3699     if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3700             || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3701                            &readbytes)))
3702         goto end;
3703 
3704     /* Server should be able to write normal data */
3705     if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3706             || !TEST_size_t_eq(written, strlen(MSG7))
3707             || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3708             || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3709         goto end;
3710 
3711     SSL_SESSION_free(sess);
3712     sess = SSL_get1_session(clientssl);
3713     use_session_cb_cnt = 0;
3714     find_session_cb_cnt = 0;
3715 
3716     SSL_shutdown(clientssl);
3717     SSL_shutdown(serverssl);
3718     SSL_free(serverssl);
3719     SSL_free(clientssl);
3720     serverssl = clientssl = NULL;
3721     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3722                                       &clientssl, NULL, NULL))
3723             || !TEST_true(SSL_set_session(clientssl, sess)))
3724         goto end;
3725 
3726     /* Write and read some early data */
3727     if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3728                                         &written))
3729             || !TEST_size_t_eq(written, strlen(MSG1))
3730             || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3731                                                 &readbytes),
3732                             SSL_READ_EARLY_DATA_SUCCESS)
3733             || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3734         goto end;
3735 
3736     if (!TEST_int_gt(SSL_connect(clientssl), 0)
3737             || !TEST_int_gt(SSL_accept(serverssl), 0))
3738         goto end;
3739 
3740     /* Client and server should not be able to write/read early data now */
3741     if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3742                                          &written)))
3743         goto end;
3744     ERR_clear_error();
3745     if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3746                                          &readbytes),
3747                      SSL_READ_EARLY_DATA_ERROR))
3748         goto end;
3749     ERR_clear_error();
3750 
3751     /* Client and server should be able to write/read normal data */
3752     if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3753             || !TEST_size_t_eq(written, strlen(MSG5))
3754             || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3755             || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3756         goto end;
3757 
3758     testresult = 1;
3759 
3760  end:
3761     SSL_SESSION_free(sess);
3762     SSL_SESSION_free(clientpsk);
3763     SSL_SESSION_free(serverpsk);
3764     clientpsk = serverpsk = NULL;
3765     SSL_free(serverssl);
3766     SSL_free(clientssl);
3767     SSL_CTX_free(sctx);
3768     SSL_CTX_free(cctx);
3769     return testresult;
3770 }
3771 
3772 static int allow_ed_cb_called = 0;
3773 
3774 static int allow_early_data_cb(SSL *s, void *arg)
3775 {
3776     int *usecb = (int *)arg;
3777 
3778     allow_ed_cb_called++;
3779 
3780     if (*usecb == 1)
3781         return 0;
3782 
3783     return 1;
3784 }
3785 
3786 /*
3787  * idx == 0: Standard early_data setup
3788  * idx == 1: early_data setup using read_ahead
3789  * usecb == 0: Don't use a custom early data callback
3790  * usecb == 1: Use a custom early data callback and reject the early data
3791  * usecb == 2: Use a custom early data callback and accept the early data
3792  * confopt == 0: Configure anti-replay directly
3793  * confopt == 1: Configure anti-replay using SSL_CONF
3794  */
3795 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3796 {
3797     SSL_CTX *cctx = NULL, *sctx = NULL;
3798     SSL *clientssl = NULL, *serverssl = NULL;
3799     int testresult = 0;
3800     SSL_SESSION *sess = NULL;
3801     size_t readbytes, written;
3802     unsigned char buf[20];
3803     OSSL_TIME timer;
3804 
3805     allow_ed_cb_called = 0;
3806 
3807     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3808                                        TLS_client_method(), TLS1_VERSION, 0,
3809                                        &sctx, &cctx, cert, privkey)))
3810         return 0;
3811 
3812     if (usecb > 0) {
3813         if (confopt == 0) {
3814             SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3815         } else {
3816             SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3817 
3818             if (!TEST_ptr(confctx))
3819                 goto end;
3820             SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3821                                             | SSL_CONF_FLAG_SERVER);
3822             SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3823             if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3824                              2)) {
3825                 SSL_CONF_CTX_free(confctx);
3826                 goto end;
3827             }
3828             SSL_CONF_CTX_free(confctx);
3829         }
3830         SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3831     }
3832 
3833     if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3834                                         &serverssl, &sess, idx,
3835                                         SHA384_DIGEST_LENGTH)))
3836         goto end;
3837 
3838     /*
3839      * The server is configured to accept early data. Create a connection to
3840      * "use up" the ticket
3841      */
3842     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3843             || !TEST_true(SSL_session_reused(clientssl)))
3844         goto end;
3845 
3846     SSL_shutdown(clientssl);
3847     SSL_shutdown(serverssl);
3848     SSL_free(serverssl);
3849     SSL_free(clientssl);
3850     serverssl = clientssl = NULL;
3851 
3852     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3853                                       &clientssl, NULL, NULL))
3854             || !TEST_true(SSL_set_session(clientssl, sess)))
3855         goto end;
3856 
3857     /* Write and read some early data */
3858     timer = ossl_time_now();
3859     if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3860                                         &written))
3861             || !TEST_size_t_eq(written, strlen(MSG1)))
3862         goto end;
3863 
3864     if (usecb <= 1) {
3865         if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3866                                              &readbytes),
3867                          SSL_READ_EARLY_DATA_FINISH)
3868                    /*
3869                     * The ticket was reused, so the we should have rejected the
3870                     * early data
3871                     */
3872                 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3873                                 SSL_EARLY_DATA_REJECTED))
3874             goto end;
3875     } else {
3876         /* In this case the callback decides to accept the early data */
3877         if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3878                                              &readbytes),
3879                          SSL_READ_EARLY_DATA_SUCCESS)) {
3880             testresult = check_early_data_timeout(timer);
3881             goto end;
3882         }
3883         if (!TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3884                    /*
3885                     * Server will have sent its flight so client can now send
3886                     * end of early data and complete its half of the handshake
3887                     */
3888                 || !TEST_int_gt(SSL_connect(clientssl), 0)
3889                 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3890                                              &readbytes),
3891                                 SSL_READ_EARLY_DATA_FINISH)
3892                 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3893                                 SSL_EARLY_DATA_ACCEPTED))
3894             goto end;
3895     }
3896 
3897     /* Complete the connection */
3898     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3899             || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3900             || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3901         goto end;
3902 
3903     testresult = 1;
3904 
3905  end:
3906     SSL_SESSION_free(sess);
3907     SSL_SESSION_free(clientpsk);
3908     SSL_SESSION_free(serverpsk);
3909     clientpsk = serverpsk = NULL;
3910     SSL_free(serverssl);
3911     SSL_free(clientssl);
3912     SSL_CTX_free(sctx);
3913     SSL_CTX_free(cctx);
3914     return testresult;
3915 }
3916 
3917 static int test_early_data_replay(int idx)
3918 {
3919     int ret = 1, usecb, confopt;
3920 
3921     for (usecb = 0; usecb < 3; usecb++) {
3922         for (confopt = 0; confopt < 2; confopt++)
3923             ret &= test_early_data_replay_int(idx, usecb, confopt);
3924     }
3925 
3926     return ret;
3927 }
3928 
3929 static const char *ciphersuites[] = {
3930     "TLS_AES_128_CCM_8_SHA256",
3931     "TLS_AES_128_GCM_SHA256",
3932     "TLS_AES_256_GCM_SHA384",
3933     "TLS_AES_128_CCM_SHA256",
3934 #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3935     "TLS_CHACHA20_POLY1305_SHA256",
3936 #else
3937     NULL,
3938 #endif
3939 #if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
3940     "TLS_SHA256_SHA256",
3941     "TLS_SHA384_SHA384"
3942 #endif
3943 };
3944 
3945 /*
3946  * Helper function to test that a server attempting to read early data can
3947  * handle a connection from a client where the early data should be skipped.
3948  * testtype: 0 == No HRR
3949  * testtype: 1 == HRR
3950  * testtype: 2 == HRR, invalid early_data sent after HRR
3951  * testtype: 3 == recv_max_early_data set to 0
3952  */
3953 static int early_data_skip_helper(int testtype, int cipher, int idx)
3954 {
3955     SSL_CTX *cctx = NULL, *sctx = NULL;
3956     SSL *clientssl = NULL, *serverssl = NULL;
3957     int testresult = 0;
3958     SSL_SESSION *sess = NULL;
3959     unsigned char buf[20];
3960     size_t readbytes, written;
3961 
3962     if (is_fips && cipher >= 4)
3963         return 1;
3964 
3965     if (ciphersuites[cipher] == NULL)
3966         return TEST_skip("Cipher not supported");
3967 
3968     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3969                                               TLS_client_method(),
3970                                               TLS1_VERSION, 0,
3971                                               &sctx, &cctx, cert, privkey)))
3972         goto end;
3973 
3974     if (cipher == 0 || cipher == 5 || cipher == 6) {
3975         SSL_CTX_set_security_level(sctx, 0);
3976         SSL_CTX_set_security_level(cctx, 0);
3977     }
3978 
3979     if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, ciphersuites[cipher]))
3980             || !TEST_true(SSL_CTX_set_ciphersuites(cctx, ciphersuites[cipher])))
3981         goto end;
3982 
3983     if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3984                                         &serverssl, &sess, idx,
3985                                         (cipher == 2 || cipher == 6)
3986                                             ? SHA384_DIGEST_LENGTH
3987                                             : SHA256_DIGEST_LENGTH)))
3988         goto end;
3989 
3990     if (testtype == 1 || testtype == 2) {
3991         /* Force an HRR to occur */
3992 #if defined(OPENSSL_NO_EC)
3993         if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3994             goto end;
3995 #else
3996         if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
3997             goto end;
3998 #endif
3999     } else if (idx == 2) {
4000         /*
4001          * We force early_data rejection by ensuring the PSK identity is
4002          * unrecognised
4003          */
4004         srvid = "Dummy Identity";
4005     } else {
4006         /*
4007          * Deliberately corrupt the creation time. We take 20 seconds off the
4008          * time. It could be any value as long as it is not within tolerance.
4009          * This should mean the ticket is rejected.
4010          */
4011         if (!TEST_true(SSL_SESSION_set_time_ex(sess, time(NULL) - 20)))
4012             goto end;
4013     }
4014 
4015     if (testtype == 3
4016             && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
4017         goto end;
4018 
4019     /* Write some early data */
4020     if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4021                                         &written))
4022             || !TEST_size_t_eq(written, strlen(MSG1)))
4023         goto end;
4024 
4025     /* Server should reject the early data */
4026     if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4027                                          &readbytes),
4028                      SSL_READ_EARLY_DATA_FINISH)
4029             || !TEST_size_t_eq(readbytes, 0)
4030             || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4031                             SSL_EARLY_DATA_REJECTED))
4032         goto end;
4033 
4034     switch (testtype) {
4035     case 0:
4036         /* Nothing to do */
4037         break;
4038 
4039     case 1:
4040         /*
4041          * Finish off the handshake. We perform the same writes and reads as
4042          * further down but we expect them to fail due to the incomplete
4043          * handshake.
4044          */
4045         if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4046                 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
4047                                &readbytes)))
4048             goto end;
4049         break;
4050 
4051     case 2:
4052         {
4053             BIO *wbio = SSL_get_wbio(clientssl);
4054             /* A record that will appear as bad early_data */
4055             const unsigned char bad_early_data[] = {
4056                 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
4057             };
4058 
4059             /*
4060              * We force the client to attempt a write. This will fail because
4061              * we're still in the handshake. It will cause the second
4062              * ClientHello to be sent.
4063              */
4064             if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
4065                                          &written)))
4066                 goto end;
4067 
4068             /*
4069              * Inject some early_data after the second ClientHello. This should
4070              * cause the server to fail
4071              */
4072             if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
4073                                         sizeof(bad_early_data), &written)))
4074                 goto end;
4075         }
4076         /* FALLTHROUGH */
4077 
4078     case 3:
4079         /*
4080          * This client has sent more early_data than we are willing to skip
4081          * (case 3) or sent invalid early_data (case 2) so the connection should
4082          * abort.
4083          */
4084         if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4085                 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
4086             goto end;
4087 
4088         /* Connection has failed - nothing more to do */
4089         testresult = 1;
4090         goto end;
4091 
4092     default:
4093         TEST_error("Invalid test type");
4094         goto end;
4095     }
4096 
4097     ERR_clear_error();
4098     /*
4099      * Should be able to send normal data despite rejection of early data. The
4100      * early_data should be skipped.
4101      */
4102     if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4103             || !TEST_size_t_eq(written, strlen(MSG2))
4104             || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4105                             SSL_EARLY_DATA_REJECTED)
4106             || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4107             || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4108         goto end;
4109 
4110     /*
4111      * Failure to decrypt early data records should not leave spurious errors
4112      * on the error stack
4113      */
4114     if (!TEST_long_eq(ERR_peek_error(), 0))
4115         goto end;
4116 
4117     testresult = 1;
4118 
4119  end:
4120     SSL_SESSION_free(clientpsk);
4121     SSL_SESSION_free(serverpsk);
4122     clientpsk = serverpsk = NULL;
4123     SSL_SESSION_free(sess);
4124     SSL_free(serverssl);
4125     SSL_free(clientssl);
4126     SSL_CTX_free(sctx);
4127     SSL_CTX_free(cctx);
4128     return testresult;
4129 }
4130 
4131 /*
4132  * Test that a server attempting to read early data can handle a connection
4133  * from a client where the early data is not acceptable.
4134  */
4135 static int test_early_data_skip(int idx)
4136 {
4137     return early_data_skip_helper(0,
4138                                   idx % OSSL_NELEM(ciphersuites),
4139                                   idx / OSSL_NELEM(ciphersuites));
4140 }
4141 
4142 /*
4143  * Test that a server attempting to read early data can handle a connection
4144  * from a client where an HRR occurs.
4145  */
4146 static int test_early_data_skip_hrr(int idx)
4147 {
4148     return early_data_skip_helper(1,
4149                                   idx % OSSL_NELEM(ciphersuites),
4150                                   idx / OSSL_NELEM(ciphersuites));
4151 }
4152 
4153 /*
4154  * Test that a server attempting to read early data can handle a connection
4155  * from a client where an HRR occurs and correctly fails if early_data is sent
4156  * after the HRR
4157  */
4158 static int test_early_data_skip_hrr_fail(int idx)
4159 {
4160     return early_data_skip_helper(2,
4161                                   idx % OSSL_NELEM(ciphersuites),
4162                                   idx / OSSL_NELEM(ciphersuites));
4163 }
4164 
4165 /*
4166  * Test that a server attempting to read early data will abort if it tries to
4167  * skip over too much.
4168  */
4169 static int test_early_data_skip_abort(int idx)
4170 {
4171     return early_data_skip_helper(3,
4172                                   idx % OSSL_NELEM(ciphersuites),
4173                                   idx / OSSL_NELEM(ciphersuites));
4174 }
4175 
4176 /*
4177  * Test that a server attempting to read early data can handle a connection
4178  * from a client that doesn't send any.
4179  */
4180 static int test_early_data_not_sent(int idx)
4181 {
4182     SSL_CTX *cctx = NULL, *sctx = NULL;
4183     SSL *clientssl = NULL, *serverssl = NULL;
4184     int testresult = 0;
4185     SSL_SESSION *sess = NULL;
4186     unsigned char buf[20];
4187     size_t readbytes, written;
4188 
4189     if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4190                                         &serverssl, &sess, idx,
4191                                         SHA384_DIGEST_LENGTH)))
4192         goto end;
4193 
4194     /* Write some data - should block due to handshake with server */
4195     SSL_set_connect_state(clientssl);
4196     if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4197         goto end;
4198 
4199     /* Server should detect that early data has not been sent */
4200     if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4201                                          &readbytes),
4202                      SSL_READ_EARLY_DATA_FINISH)
4203             || !TEST_size_t_eq(readbytes, 0)
4204             || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4205                             SSL_EARLY_DATA_NOT_SENT)
4206             || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4207                             SSL_EARLY_DATA_NOT_SENT))
4208         goto end;
4209 
4210     /* Continue writing the message we started earlier */
4211     if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4212             || !TEST_size_t_eq(written, strlen(MSG1))
4213             || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4214             || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4215             || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
4216             || !TEST_size_t_eq(written, strlen(MSG2)))
4217         goto end;
4218 
4219     if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4220             || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4221         goto end;
4222 
4223     testresult = 1;
4224 
4225  end:
4226     SSL_SESSION_free(sess);
4227     SSL_SESSION_free(clientpsk);
4228     SSL_SESSION_free(serverpsk);
4229     clientpsk = serverpsk = NULL;
4230     SSL_free(serverssl);
4231     SSL_free(clientssl);
4232     SSL_CTX_free(sctx);
4233     SSL_CTX_free(cctx);
4234     return testresult;
4235 }
4236 
4237 static const char *servalpn;
4238 
4239 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
4240                           unsigned char *outlen, const unsigned char *in,
4241                           unsigned int inlen, void *arg)
4242 {
4243     unsigned int protlen = 0;
4244     const unsigned char *prot;
4245 
4246     for (prot = in; prot < in + inlen; prot += protlen) {
4247         protlen = *prot++;
4248         if (in + inlen < prot + protlen)
4249             return SSL_TLSEXT_ERR_NOACK;
4250 
4251         if (protlen == strlen(servalpn)
4252                 && memcmp(prot, servalpn, protlen) == 0) {
4253             *out = prot;
4254             *outlen = protlen;
4255             return SSL_TLSEXT_ERR_OK;
4256         }
4257     }
4258 
4259     return SSL_TLSEXT_ERR_NOACK;
4260 }
4261 
4262 /* Test that a PSK can be used to send early_data */
4263 static int test_early_data_psk(int idx)
4264 {
4265     SSL_CTX *cctx = NULL, *sctx = NULL;
4266     SSL *clientssl = NULL, *serverssl = NULL;
4267     int testresult = 0;
4268     SSL_SESSION *sess = NULL;
4269     unsigned char alpnlist[] = {
4270         0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
4271         'l', 'p', 'n'
4272     };
4273 #define GOODALPNLEN     9
4274 #define BADALPNLEN      8
4275 #define GOODALPN        (alpnlist)
4276 #define BADALPN         (alpnlist + GOODALPNLEN)
4277     int err = 0;
4278     unsigned char buf[20];
4279     size_t readbytes, written;
4280     int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
4281     int edstatus = SSL_EARLY_DATA_ACCEPTED;
4282 
4283     /* We always set this up with a final parameter of "2" for PSK */
4284     if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4285                                         &serverssl, &sess, 2,
4286                                         SHA384_DIGEST_LENGTH)))
4287         goto end;
4288 
4289     servalpn = "goodalpn";
4290 
4291     /*
4292      * Note: There is no test for inconsistent SNI with late client detection.
4293      * This is because servers do not acknowledge SNI even if they are using
4294      * it in a resumption handshake - so it is not actually possible for a
4295      * client to detect a problem.
4296      */
4297     switch (idx) {
4298     case 0:
4299         /* Set inconsistent SNI (early client detection) */
4300         err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
4301         if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4302                 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
4303             goto end;
4304         break;
4305 
4306     case 1:
4307         /* Set inconsistent ALPN (early client detection) */
4308         err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
4309         /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
4310         if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
4311                                                       GOODALPNLEN))
4312                 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
4313                                                    BADALPNLEN)))
4314             goto end;
4315         break;
4316 
4317     case 2:
4318         /*
4319          * Set invalid protocol version. Technically this affects PSKs without
4320          * early_data too, but we test it here because it is similar to the
4321          * SNI/ALPN consistency tests.
4322          */
4323         err = SSL_R_BAD_PSK;
4324         if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
4325             goto end;
4326         break;
4327 
4328     case 3:
4329         /*
4330          * Set inconsistent SNI (server side). In this case the connection
4331          * will succeed and accept early_data. In TLSv1.3 on the server side SNI
4332          * is associated with each handshake - not the session. Therefore it
4333          * should not matter that we used a different server name last time.
4334          */
4335         SSL_SESSION_free(serverpsk);
4336         serverpsk = SSL_SESSION_dup(clientpsk);
4337         if (!TEST_ptr(serverpsk)
4338                 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
4339             goto end;
4340         /* Fall through */
4341     case 4:
4342         /* Set consistent SNI */
4343         if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4344                 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4345                 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4346                                 hostname_cb)))
4347             goto end;
4348         break;
4349 
4350     case 5:
4351         /*
4352          * Set inconsistent ALPN (server detected). In this case the connection
4353          * will succeed but reject early_data.
4354          */
4355         servalpn = "badalpn";
4356         edstatus = SSL_EARLY_DATA_REJECTED;
4357         readearlyres = SSL_READ_EARLY_DATA_FINISH;
4358         /* Fall through */
4359     case 6:
4360         /*
4361          * Set consistent ALPN.
4362          * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4363          * accepts a list of protos (each one length prefixed).
4364          * SSL_set1_alpn_selected accepts a single protocol (not length
4365          * prefixed)
4366          */
4367         if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4368                                                       GOODALPNLEN - 1))
4369                 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4370                                                    GOODALPNLEN)))
4371             goto end;
4372 
4373         SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4374         break;
4375 
4376     case 7:
4377         /* Set inconsistent ALPN (late client detection) */
4378         SSL_SESSION_free(serverpsk);
4379         serverpsk = SSL_SESSION_dup(clientpsk);
4380         if (!TEST_ptr(serverpsk)
4381                 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4382                                                              BADALPN + 1,
4383                                                              BADALPNLEN - 1))
4384                 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4385                                                              GOODALPN + 1,
4386                                                              GOODALPNLEN - 1))
4387                 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4388                                                    sizeof(alpnlist))))
4389             goto end;
4390         SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4391         edstatus = SSL_EARLY_DATA_ACCEPTED;
4392         readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4393         /* SSL_connect() call should fail */
4394         connectres = -1;
4395         break;
4396 
4397     default:
4398         TEST_error("Bad test index");
4399         goto end;
4400     }
4401 
4402     SSL_set_connect_state(clientssl);
4403     if (err != 0) {
4404         if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4405                                             &written))
4406                 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4407                 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4408             goto end;
4409     } else {
4410         OSSL_TIME timer = ossl_time_now();
4411 
4412         if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4413                                             &written)))
4414             goto end;
4415 
4416         if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4417                                              &readbytes), readearlyres)) {
4418             testresult = check_early_data_timeout(timer);
4419             goto end;
4420         }
4421 
4422         if ((readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4423                     && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
4424                 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4425                 || !TEST_int_eq(SSL_connect(clientssl), connectres))
4426             goto end;
4427     }
4428 
4429     testresult = 1;
4430 
4431  end:
4432     SSL_SESSION_free(sess);
4433     SSL_SESSION_free(clientpsk);
4434     SSL_SESSION_free(serverpsk);
4435     clientpsk = serverpsk = NULL;
4436     SSL_free(serverssl);
4437     SSL_free(clientssl);
4438     SSL_CTX_free(sctx);
4439     SSL_CTX_free(cctx);
4440     return testresult;
4441 }
4442 
4443 /*
4444  * Test TLSv1.3 PSK can be used to send early_data with all 7 ciphersuites
4445  * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4446  * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4447  * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4448  * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4449  * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4450  * idx == 5: Test with TLS1_3_RFC_SHA256_SHA256
4451  * idx == 6: Test with TLS1_3_RFC_SHA384_SHA384
4452  */
4453 static int test_early_data_psk_with_all_ciphers(int idx)
4454 {
4455     SSL_CTX *cctx = NULL, *sctx = NULL;
4456     SSL *clientssl = NULL, *serverssl = NULL;
4457     int testresult = 0;
4458     SSL_SESSION *sess = NULL;
4459     unsigned char buf[20];
4460     size_t readbytes, written;
4461     const SSL_CIPHER *cipher;
4462     OSSL_TIME timer;
4463     const char *cipher_str[] = {
4464         TLS1_3_RFC_AES_128_GCM_SHA256,
4465         TLS1_3_RFC_AES_256_GCM_SHA384,
4466 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4467         TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4468 # else
4469         NULL,
4470 # endif
4471         TLS1_3_RFC_AES_128_CCM_SHA256,
4472         TLS1_3_RFC_AES_128_CCM_8_SHA256,
4473 # if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
4474         TLS1_3_RFC_SHA256_SHA256,
4475         TLS1_3_RFC_SHA384_SHA384
4476 #else
4477         NULL,
4478         NULL
4479 #endif
4480     };
4481     const unsigned char *cipher_bytes[] = {
4482         TLS13_AES_128_GCM_SHA256_BYTES,
4483         TLS13_AES_256_GCM_SHA384_BYTES,
4484 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4485         TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4486 # else
4487         NULL,
4488 # endif
4489         TLS13_AES_128_CCM_SHA256_BYTES,
4490         TLS13_AES_128_CCM_8_SHA256_BYTES,
4491 # if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
4492         TLS13_SHA256_SHA256_BYTES,
4493         TLS13_SHA384_SHA384_BYTES
4494 #else
4495         NULL,
4496         NULL
4497 #endif
4498     };
4499 
4500     if (cipher_str[idx] == NULL)
4501         return 1;
4502     /*
4503      * Skip ChaCha20Poly1305 and TLS_SHA{256,384}_SHA{256,384} ciphers
4504      * as currently FIPS module does not support them.
4505      */
4506     if ((idx == 2 || idx == 5 || idx == 6) && is_fips == 1)
4507         return 1;
4508 
4509     /* We always set this up with a final parameter of "2" for PSK */
4510     if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4511                                         &serverssl, &sess, 2,
4512                                         SHA384_DIGEST_LENGTH)))
4513         goto end;
4514 
4515     if (idx == 4 || idx == 5 || idx == 6) {
4516         /*
4517          * CCM8 ciphers are considered low security due to their short tag.
4518          * Integrity-only cipher do not provide any confidentiality.
4519          */
4520         SSL_set_security_level(clientssl, 0);
4521         SSL_set_security_level(serverssl, 0);
4522     }
4523 
4524     if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4525             || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4526         goto end;
4527 
4528     /*
4529      * 'setupearly_data_test' creates only one instance of SSL_SESSION
4530      * and assigns to both client and server with incremented reference
4531      * and the same instance is updated in 'sess'.
4532      * So updating ciphersuite in 'sess' which will get reflected in
4533      * PSK handshake using psk use sess and find sess cb.
4534      */
4535     cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4536     if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4537         goto end;
4538 
4539     SSL_set_connect_state(clientssl);
4540     timer = ossl_time_now();
4541     if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4542                                         &written)))
4543         goto end;
4544 
4545     if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4546                                          &readbytes),
4547                                          SSL_READ_EARLY_DATA_SUCCESS)) {
4548         testresult = check_early_data_timeout(timer);
4549         goto end;
4550     }
4551 
4552     if (!TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4553             || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4554                                                       SSL_EARLY_DATA_ACCEPTED)
4555             || !TEST_int_eq(SSL_connect(clientssl), 1)
4556             || !TEST_int_eq(SSL_accept(serverssl), 1))
4557         goto end;
4558 
4559     /* Send some normal data from client to server */
4560     if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4561             || !TEST_size_t_eq(written, strlen(MSG2)))
4562         goto end;
4563 
4564     if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4565             || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4566         goto end;
4567 
4568     testresult = 1;
4569  end:
4570     SSL_SESSION_free(sess);
4571     SSL_SESSION_free(clientpsk);
4572     SSL_SESSION_free(serverpsk);
4573     clientpsk = serverpsk = NULL;
4574     if (clientssl != NULL)
4575         SSL_shutdown(clientssl);
4576     if (serverssl != NULL)
4577         SSL_shutdown(serverssl);
4578     SSL_free(serverssl);
4579     SSL_free(clientssl);
4580     SSL_CTX_free(sctx);
4581     SSL_CTX_free(cctx);
4582     return testresult;
4583 }
4584 
4585 /*
4586  * Test that a server that doesn't try to read early data can handle a
4587  * client sending some.
4588  */
4589 static int test_early_data_not_expected(int idx)
4590 {
4591     SSL_CTX *cctx = NULL, *sctx = NULL;
4592     SSL *clientssl = NULL, *serverssl = NULL;
4593     int testresult = 0;
4594     SSL_SESSION *sess = NULL;
4595     unsigned char buf[20];
4596     size_t readbytes, written;
4597 
4598     if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4599                                         &serverssl, &sess, idx,
4600                                         SHA384_DIGEST_LENGTH)))
4601         goto end;
4602 
4603     /* Write some early data */
4604     if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4605                                         &written)))
4606         goto end;
4607 
4608     /*
4609      * Server should skip over early data and then block waiting for client to
4610      * continue handshake
4611      */
4612     if (!TEST_int_le(SSL_accept(serverssl), 0)
4613      || !TEST_int_gt(SSL_connect(clientssl), 0)
4614      || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4615                      SSL_EARLY_DATA_REJECTED)
4616      || !TEST_int_gt(SSL_accept(serverssl), 0)
4617      || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4618                      SSL_EARLY_DATA_REJECTED))
4619         goto end;
4620 
4621     /* Send some normal data from client to server */
4622     if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4623             || !TEST_size_t_eq(written, strlen(MSG2)))
4624         goto end;
4625 
4626     if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4627             || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4628         goto end;
4629 
4630     testresult = 1;
4631 
4632  end:
4633     SSL_SESSION_free(sess);
4634     SSL_SESSION_free(clientpsk);
4635     SSL_SESSION_free(serverpsk);
4636     clientpsk = serverpsk = NULL;
4637     SSL_free(serverssl);
4638     SSL_free(clientssl);
4639     SSL_CTX_free(sctx);
4640     SSL_CTX_free(cctx);
4641     return testresult;
4642 }
4643 
4644 
4645 # ifndef OPENSSL_NO_TLS1_2
4646 /*
4647  * Test that a server attempting to read early data can handle a connection
4648  * from a TLSv1.2 client.
4649  */
4650 static int test_early_data_tls1_2(int idx)
4651 {
4652     SSL_CTX *cctx = NULL, *sctx = NULL;
4653     SSL *clientssl = NULL, *serverssl = NULL;
4654     int testresult = 0;
4655     unsigned char buf[20];
4656     size_t readbytes, written;
4657 
4658     if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4659                                         &serverssl, NULL, idx,
4660                                         SHA384_DIGEST_LENGTH)))
4661         goto end;
4662 
4663     /* Write some data - should block due to handshake with server */
4664     SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4665     SSL_set_connect_state(clientssl);
4666     if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4667         goto end;
4668 
4669     /*
4670      * Server should do TLSv1.2 handshake. First it will block waiting for more
4671      * messages from client after ServerDone. Then SSL_read_early_data should
4672      * finish and detect that early data has not been sent
4673      */
4674     if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4675                                          &readbytes),
4676                      SSL_READ_EARLY_DATA_ERROR))
4677         goto end;
4678 
4679     /*
4680      * Continue writing the message we started earlier. Will still block waiting
4681      * for the CCS/Finished from server
4682      */
4683     if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4684             || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4685                                                 &readbytes),
4686                             SSL_READ_EARLY_DATA_FINISH)
4687             || !TEST_size_t_eq(readbytes, 0)
4688             || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4689                             SSL_EARLY_DATA_NOT_SENT))
4690         goto end;
4691 
4692     /* Continue writing the message we started earlier */
4693     if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4694             || !TEST_size_t_eq(written, strlen(MSG1))
4695             || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4696                             SSL_EARLY_DATA_NOT_SENT)
4697             || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4698             || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4699             || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4700             || !TEST_size_t_eq(written, strlen(MSG2))
4701             || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4702             || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4703         goto end;
4704 
4705     testresult = 1;
4706 
4707  end:
4708     SSL_SESSION_free(clientpsk);
4709     SSL_SESSION_free(serverpsk);
4710     clientpsk = serverpsk = NULL;
4711     SSL_free(serverssl);
4712     SSL_free(clientssl);
4713     SSL_CTX_free(sctx);
4714     SSL_CTX_free(cctx);
4715 
4716     return testresult;
4717 }
4718 # endif /* OPENSSL_NO_TLS1_2 */
4719 
4720 /*
4721  * Test configuring the TLSv1.3 ciphersuites
4722  *
4723  * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4724  * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4725  * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4726  * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4727  * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4728  * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4729  * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4730  * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4731  * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4732  * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4733  */
4734 static int test_set_ciphersuite(int idx)
4735 {
4736     SSL_CTX *cctx = NULL, *sctx = NULL;
4737     SSL *clientssl = NULL, *serverssl = NULL;
4738     int testresult = 0;
4739 
4740     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4741                                        TLS_client_method(), TLS1_VERSION, 0,
4742                                        &sctx, &cctx, cert, privkey))
4743             || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4744                            "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4745         goto end;
4746 
4747     if (idx >=4 && idx <= 7) {
4748         /* SSL_CTX explicit cipher list */
4749         if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4750             goto end;
4751     }
4752 
4753     if (idx == 0 || idx == 4) {
4754         /* Default ciphersuite */
4755         if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4756                                                 "TLS_AES_128_GCM_SHA256")))
4757             goto end;
4758     } else if (idx == 1 || idx == 5) {
4759         /* Non default ciphersuite */
4760         if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4761                                                 "TLS_AES_128_CCM_SHA256")))
4762             goto end;
4763     }
4764 
4765     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4766                                           &clientssl, NULL, NULL)))
4767         goto end;
4768 
4769     if (idx == 8 || idx == 9) {
4770         /* SSL explicit cipher list */
4771         if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4772             goto end;
4773     }
4774 
4775     if (idx == 2 || idx == 6 || idx == 8) {
4776         /* Default ciphersuite */
4777         if (!TEST_true(SSL_set_ciphersuites(clientssl,
4778                                             "TLS_AES_128_GCM_SHA256")))
4779             goto end;
4780     } else if (idx == 3 || idx == 7 || idx == 9) {
4781         /* Non default ciphersuite */
4782         if (!TEST_true(SSL_set_ciphersuites(clientssl,
4783                                             "TLS_AES_128_CCM_SHA256")))
4784             goto end;
4785     }
4786 
4787     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4788         goto end;
4789 
4790     testresult = 1;
4791 
4792  end:
4793     SSL_free(serverssl);
4794     SSL_free(clientssl);
4795     SSL_CTX_free(sctx);
4796     SSL_CTX_free(cctx);
4797 
4798     return testresult;
4799 }
4800 
4801 static int test_ciphersuite_change(void)
4802 {
4803     SSL_CTX *cctx = NULL, *sctx = NULL;
4804     SSL *clientssl = NULL, *serverssl = NULL;
4805     SSL_SESSION *clntsess = NULL;
4806     int testresult = 0;
4807     const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4808 
4809     /* Create a session based on SHA-256 */
4810     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4811                                        TLS_client_method(), TLS1_VERSION, 0,
4812                                        &sctx, &cctx, cert, privkey))
4813             || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4814                                                    "TLS_AES_128_GCM_SHA256:"
4815                                                    "TLS_AES_256_GCM_SHA384:"
4816                                                    "TLS_AES_128_CCM_SHA256"))
4817             || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4818                                                    "TLS_AES_128_GCM_SHA256")))
4819         goto end;
4820 
4821     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4822                                       NULL, NULL))
4823             || !TEST_true(create_ssl_connection(serverssl, clientssl,
4824                                                 SSL_ERROR_NONE)))
4825         goto end;
4826 
4827     clntsess = SSL_get1_session(clientssl);
4828     /* Save for later */
4829     aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4830     SSL_shutdown(clientssl);
4831     SSL_shutdown(serverssl);
4832     SSL_free(serverssl);
4833     SSL_free(clientssl);
4834     serverssl = clientssl = NULL;
4835 
4836     /* Check we can resume a session with a different SHA-256 ciphersuite */
4837     if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4838                                             "TLS_AES_128_CCM_SHA256"))
4839             || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4840                                              &clientssl, NULL, NULL))
4841             || !TEST_true(SSL_set_session(clientssl, clntsess))
4842             || !TEST_true(create_ssl_connection(serverssl, clientssl,
4843                                                 SSL_ERROR_NONE))
4844             || !TEST_true(SSL_session_reused(clientssl)))
4845         goto end;
4846 
4847     SSL_SESSION_free(clntsess);
4848     clntsess = SSL_get1_session(clientssl);
4849     SSL_shutdown(clientssl);
4850     SSL_shutdown(serverssl);
4851     SSL_free(serverssl);
4852     SSL_free(clientssl);
4853     serverssl = clientssl = NULL;
4854 
4855     /*
4856      * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4857      * succeeds but does not resume.
4858      */
4859     if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4860             || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4861                                              NULL, NULL))
4862             || !TEST_true(SSL_set_session(clientssl, clntsess))
4863             || !TEST_true(create_ssl_connection(serverssl, clientssl,
4864                                                 SSL_ERROR_SSL))
4865             || !TEST_false(SSL_session_reused(clientssl)))
4866         goto end;
4867 
4868     SSL_SESSION_free(clntsess);
4869     clntsess = NULL;
4870     SSL_shutdown(clientssl);
4871     SSL_shutdown(serverssl);
4872     SSL_free(serverssl);
4873     SSL_free(clientssl);
4874     serverssl = clientssl = NULL;
4875 
4876     /* Create a session based on SHA384 */
4877     if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4878             || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4879                                           &clientssl, NULL, NULL))
4880             || !TEST_true(create_ssl_connection(serverssl, clientssl,
4881                                                 SSL_ERROR_NONE)))
4882         goto end;
4883 
4884     clntsess = SSL_get1_session(clientssl);
4885     SSL_shutdown(clientssl);
4886     SSL_shutdown(serverssl);
4887     SSL_free(serverssl);
4888     SSL_free(clientssl);
4889     serverssl = clientssl = NULL;
4890 
4891     if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4892                    "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4893             || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4894                                                    "TLS_AES_256_GCM_SHA384"))
4895             || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4896                                              NULL, NULL))
4897             || !TEST_true(SSL_set_session(clientssl, clntsess))
4898                /*
4899                 * We use SSL_ERROR_WANT_READ below so that we can pause the
4900                 * connection after the initial ClientHello has been sent to
4901                 * enable us to make some session changes.
4902                 */
4903             || !TEST_false(create_ssl_connection(serverssl, clientssl,
4904                                                 SSL_ERROR_WANT_READ)))
4905         goto end;
4906 
4907     /* Trick the client into thinking this session is for a different digest */
4908     clntsess->cipher = aes_128_gcm_sha256;
4909     clntsess->cipher_id = clntsess->cipher->id;
4910 
4911     /*
4912      * Continue the previously started connection. Server has selected a SHA-384
4913      * ciphersuite, but client thinks the session is for SHA-256, so it should
4914      * bail out.
4915      */
4916     if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4917                                                 SSL_ERROR_SSL))
4918             || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4919                             SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4920         goto end;
4921 
4922     testresult = 1;
4923 
4924  end:
4925     SSL_SESSION_free(clntsess);
4926     SSL_free(serverssl);
4927     SSL_free(clientssl);
4928     SSL_CTX_free(sctx);
4929     SSL_CTX_free(cctx);
4930 
4931     return testresult;
4932 }
4933 
4934 /*
4935  * Test TLSv1.3 Key exchange
4936  * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4937  * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4938  * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4939  * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4940  * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4941  * Test 5 = Test NID_X448 with TLSv1.3 client and server
4942  * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4943  * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4944  * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4945  * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4946  * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4947  * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4948  * Test 12 = Test all ML-KEM with TLSv1.3 client and server
4949  * Test 13 = Test MLKEM512
4950  * Test 14 = Test MLKEM768
4951  * Test 15 = Test MLKEM1024
4952  * Test 16 = Test X25519MLKEM768
4953  * Test 17 = Test SecP256r1MLKEM768
4954  * Test 18 = Test SecP384r1MLKEM1024
4955  * Test 19 = Test all ML-KEM with TLSv1.2 client and server
4956  * Test 20 = Test all FFDHE with TLSv1.2 client and server
4957  * Test 21 = Test all ECDHE with TLSv1.2 client and server
4958  */
4959 # ifndef OPENSSL_NO_EC
4960 static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4961                                    NID_secp521r1,
4962 #  ifndef OPENSSL_NO_ECX
4963                                    NID_X25519, NID_X448
4964 #  endif
4965                                    };
4966 # endif
4967 # ifndef OPENSSL_NO_DH
4968 static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4969                                    NID_ffdhe6144, NID_ffdhe8192};
4970 # endif
4971 static int test_key_exchange(int idx)
4972 {
4973     SSL_CTX *sctx = NULL, *cctx = NULL;
4974     SSL *serverssl = NULL, *clientssl = NULL;
4975     int testresult = 0;
4976     int kexch_alg = NID_undef;
4977     int *kexch_groups = &kexch_alg;
4978     int kexch_groups_size = 1;
4979     int max_version = TLS1_3_VERSION;
4980     char *kexch_name0 = NULL;
4981     const char *kexch_names = NULL;
4982     int shared_group0;
4983 
4984     switch (idx) {
4985 # ifndef OPENSSL_NO_EC
4986 # ifndef OPENSSL_NO_TLS1_2
4987         case 21:
4988             max_version = TLS1_2_VERSION;
4989 # endif
4990             /* Fall through */
4991         case 0:
4992             kexch_groups = ecdhe_kexch_groups;
4993             kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4994             kexch_name0 = "secp256r1";
4995             break;
4996         case 1:
4997             kexch_alg = NID_X9_62_prime256v1;
4998             kexch_name0 = "secp256r1";
4999             break;
5000         case 2:
5001             kexch_alg = NID_secp384r1;
5002             kexch_name0 = "secp384r1";
5003             break;
5004         case 3:
5005             kexch_alg = NID_secp521r1;
5006             kexch_name0 = "secp521r1";
5007             break;
5008 #  ifndef OPENSSL_NO_ECX
5009         case 4:
5010             if (is_fips)
5011                 return TEST_skip("X25519 might not be supported by fips provider.");
5012             kexch_alg = NID_X25519;
5013             kexch_name0 = "x25519";
5014             break;
5015         case 5:
5016             if (is_fips)
5017                 return TEST_skip("X448 might not be supported by fips provider.");
5018             kexch_alg = NID_X448;
5019             kexch_name0 = "x448";
5020             break;
5021 #  endif
5022 # endif
5023 # ifndef OPENSSL_NO_DH
5024 # ifndef OPENSSL_NO_TLS1_2
5025         case 20:
5026             max_version = TLS1_2_VERSION;
5027             kexch_name0 = "ffdhe2048";
5028 # endif
5029             /* Fall through */
5030         case 6:
5031             kexch_groups = ffdhe_kexch_groups;
5032             kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
5033             kexch_name0 = "ffdhe2048";
5034             break;
5035         case 7:
5036             kexch_alg = NID_ffdhe2048;
5037             kexch_name0 = "ffdhe2048";
5038             break;
5039         case 8:
5040             kexch_alg = NID_ffdhe3072;
5041             kexch_name0 = "ffdhe3072";
5042             break;
5043         case 9:
5044             kexch_alg = NID_ffdhe4096;
5045             kexch_name0 = "ffdhe4096";
5046             break;
5047         case 10:
5048             kexch_alg = NID_ffdhe6144;
5049             kexch_name0 = "ffdhe6144";
5050             break;
5051         case 11:
5052             kexch_alg = NID_ffdhe8192;
5053             kexch_name0 = "ffdhe8192";
5054             break;
5055 # endif
5056 # ifndef OPENSSL_NO_ML_KEM
5057 #  if !defined(OPENSSL_NO_TLS1_2)
5058         case 19:
5059             max_version = TLS1_2_VERSION;
5060 #   if !defined(OPENSSL_NO_EC)
5061             /* Set at least one EC group so the handshake completes */
5062             kexch_names = "MLKEM512:MLKEM768:MLKEM1024:secp256r1";
5063 #   elif !defined(OPENSSL_NO_DH)
5064             kexch_names = "MLKEM512:MLKEM768:MLKEM1024";
5065 #   else
5066             /* With neither EC nor DH TLS 1.2 can't happen */
5067             return 1;
5068 #   endif
5069 #  endif
5070             /* Fall through */
5071         case 12:
5072             kexch_groups = NULL;
5073             if (kexch_names == NULL)
5074                 kexch_names = "MLKEM512:MLKEM768:MLKEM1024";
5075             kexch_name0 = "MLKEM512";
5076             break;
5077         case 13:
5078             kexch_groups = NULL;
5079             kexch_name0 = "MLKEM512";
5080             kexch_names = kexch_name0;
5081             break;
5082         case 14:
5083             kexch_groups = NULL;
5084             kexch_name0 = "MLKEM768";
5085             kexch_names = kexch_name0;
5086             break;
5087         case 15:
5088             kexch_groups = NULL;
5089             kexch_name0 = "MLKEM1024";
5090             kexch_names = kexch_name0;
5091             break;
5092 #  ifndef OPENSSL_NO_EC
5093 #   ifndef OPENSSL_NO_ECX
5094         case 16:
5095             kexch_groups = NULL;
5096             kexch_name0 = "X25519MLKEM768";
5097             kexch_names = kexch_name0;
5098             break;
5099 #   endif
5100         case 17:
5101             kexch_groups = NULL;
5102             kexch_name0 = "SecP256r1MLKEM768";
5103             kexch_names = kexch_name0;
5104             break;
5105         case 18:
5106             kexch_groups = NULL;
5107             kexch_name0 = "SecP384r1MLKEM1024";
5108             kexch_names = kexch_name0;
5109             break;
5110 #  endif
5111 # endif
5112         default:
5113             /* We're skipping this test */
5114             return 1;
5115     }
5116 
5117     if (is_fips && fips_provider_version_lt(libctx, 3, 5, 0)
5118             && idx >= 12 && idx <= 19)
5119         return TEST_skip("ML-KEM not supported in this version of fips provider");
5120 
5121     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5122                                        TLS_client_method(), TLS1_VERSION,
5123                                        max_version, &sctx, &cctx, cert,
5124                                        privkey)))
5125         goto end;
5126 
5127     if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
5128                    TLS1_3_RFC_AES_128_GCM_SHA256)))
5129         goto end;
5130 
5131     if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5132                    TLS1_3_RFC_AES_128_GCM_SHA256)))
5133         goto end;
5134 
5135     if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5136                    TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5137                    TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5138             || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5139         goto end;
5140 
5141     /*
5142      * Must include an EC ciphersuite so that we send supported groups in
5143      * TLSv1.2
5144      */
5145 # ifndef OPENSSL_NO_TLS1_2
5146     if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5147                    TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5148                    TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5149         goto end;
5150 # endif
5151 
5152     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5153                                              NULL, NULL)))
5154         goto end;
5155 
5156     if (kexch_groups != NULL) {
5157         if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
5158             || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
5159             goto end;
5160     } else {
5161         if (!TEST_true(SSL_set1_groups_list(serverssl, kexch_names))
5162             || !TEST_true(SSL_set1_groups_list(clientssl, kexch_names)))
5163             goto end;
5164     }
5165 
5166     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5167         goto end;
5168 
5169     /*
5170      * If the handshake succeeds the negotiated kexch alg should be the first
5171      * one in configured, except in the case of "all" FFDHE and "all" ML-KEM
5172      * groups (idx == 19, 20), which are TLSv1.3 only so we expect no shared
5173      * group to exist.
5174      */
5175     shared_group0 = SSL_get_shared_group(serverssl, 0);
5176     switch (idx) {
5177     case 19:
5178 # if !defined(OPENSSL_NO_EC)
5179         /* MLKEM + TLS 1.2 and no DH => "secp526r1" */
5180         if (!TEST_int_eq(shared_group0, NID_X9_62_prime256v1))
5181             goto end;
5182         break;
5183 # endif
5184         /* Fall through */
5185     case 20:
5186         if (!TEST_int_eq(shared_group0, 0))
5187             goto end;
5188         break;
5189     default:
5190         if (kexch_groups != NULL
5191             && !TEST_int_eq(shared_group0, kexch_groups[0]))
5192             goto end;
5193         if (!TEST_str_eq(SSL_group_to_name(serverssl, shared_group0),
5194                          kexch_name0))
5195             goto end;
5196         if (!TEST_str_eq(SSL_get0_group_name(serverssl), kexch_name0)
5197             || !TEST_str_eq(SSL_get0_group_name(clientssl), kexch_name0))
5198             goto end;
5199         if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), shared_group0))
5200             goto end;
5201         if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), shared_group0))
5202             goto end;
5203         break;
5204     }
5205 
5206     testresult = 1;
5207  end:
5208     SSL_free(serverssl);
5209     SSL_free(clientssl);
5210     SSL_CTX_free(sctx);
5211     SSL_CTX_free(cctx);
5212     return testresult;
5213 }
5214 
5215 # if !defined(OPENSSL_NO_TLS1_2) \
5216      && !defined(OPENSSL_NO_EC)  \
5217      && !defined(OPENSSL_NO_DH)
5218 static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
5219                           int isecdhe, int idx)
5220 {
5221     int kexch_alg;
5222     int *kexch_groups = &kexch_alg;
5223     int numec, numff;
5224 
5225     numec = OSSL_NELEM(ecdhe_kexch_groups);
5226     numff = OSSL_NELEM(ffdhe_kexch_groups);
5227     if (isecdhe)
5228         kexch_alg = ecdhe_kexch_groups[idx];
5229     else
5230         kexch_alg = ffdhe_kexch_groups[idx];
5231 
5232     if (clientmulti) {
5233         if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
5234             return 0;
5235         if (isecdhe) {
5236             if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
5237                                            numec)))
5238                 return 0;
5239         } else {
5240             if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
5241                                            numff)))
5242                 return 0;
5243         }
5244     } else {
5245         if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
5246             return 0;
5247         if (isecdhe) {
5248             if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
5249                                            numec)))
5250                 return 0;
5251         } else {
5252             if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
5253                                            numff)))
5254                 return 0;
5255         }
5256     }
5257     return 1;
5258 }
5259 
5260 /*-
5261  * Test the SSL_get_negotiated_group() API across a battery of scenarios.
5262  * Run through both the ECDHE and FFDHE group lists used in the previous
5263  * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
5264  * confirming the expected result; then perform a resumption handshake
5265  * while offering the same group list, and another resumption handshake
5266  * offering a different group list.  The returned value should be the
5267  * negotiated group for the initial handshake; for TLS 1.3 resumption
5268  * handshakes the returned value will be negotiated on the resumption
5269  * handshake itself, but for TLS 1.2 resumption handshakes the value will
5270  * be cached in the session from the original handshake, regardless of what
5271  * was offered in the resumption ClientHello.
5272  *
5273  * Using E for the number of EC groups and F for the number of FF groups:
5274  * E tests of ECDHE with TLS 1.3, server only has one group
5275  * F tests of FFDHE with TLS 1.3, server only has one group
5276  * E tests of ECDHE with TLS 1.2, server only has one group
5277  * F tests of FFDHE with TLS 1.2, server only has one group
5278  * E tests of ECDHE with TLS 1.3, client sends only one group
5279  * F tests of FFDHE with TLS 1.3, client sends only one group
5280  * E tests of ECDHE with TLS 1.2, client sends only one group
5281  * F tests of FFDHE with TLS 1.2, client sends only one group
5282  */
5283 static int test_negotiated_group(int idx)
5284 {
5285     int clientmulti, istls13, isecdhe, numec, numff, numgroups;
5286     int expectednid;
5287     SSL_CTX *sctx = NULL, *cctx = NULL;
5288     SSL *serverssl = NULL, *clientssl = NULL;
5289     SSL_SESSION *origsess = NULL;
5290     int testresult = 0;
5291     int kexch_alg;
5292     int max_version = TLS1_3_VERSION;
5293 
5294     numec = OSSL_NELEM(ecdhe_kexch_groups);
5295     numff = OSSL_NELEM(ffdhe_kexch_groups);
5296     numgroups = numec + numff;
5297     clientmulti = (idx < 2 * numgroups);
5298     idx = idx % (2 * numgroups);
5299     istls13 = (idx < numgroups);
5300     idx = idx % numgroups;
5301     isecdhe = (idx < numec);
5302     if (!isecdhe)
5303         idx -= numec;
5304     /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
5305     if (isecdhe)
5306         kexch_alg = ecdhe_kexch_groups[idx];
5307     else
5308         kexch_alg = ffdhe_kexch_groups[idx];
5309     /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
5310     if (!istls13 && !isecdhe)
5311         expectednid = NID_undef;
5312     else
5313         expectednid = kexch_alg;
5314 
5315     if (is_fips && (kexch_alg == NID_X25519 || kexch_alg == NID_X448))
5316         return TEST_skip("X25519 and X448 might not be available in fips provider.");
5317 
5318     if (!istls13)
5319         max_version = TLS1_2_VERSION;
5320 
5321     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5322                                        TLS_client_method(), TLS1_VERSION,
5323                                        max_version, &sctx, &cctx, cert,
5324                                        privkey)))
5325         goto end;
5326 
5327     /*
5328      * Force (EC)DHE ciphers for TLS 1.2.
5329      * Be sure to enable auto tmp DH so that FFDHE can succeed.
5330      */
5331     if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5332                    TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5333                    TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5334             || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5335         goto end;
5336     if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5337                    TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5338                    TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5339         goto end;
5340 
5341     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5342                                              NULL, NULL)))
5343         goto end;
5344 
5345     if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
5346                                   idx)))
5347         goto end;
5348 
5349     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5350         goto end;
5351 
5352     /* Initial handshake; always the configured one */
5353     if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5354             || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5355         goto end;
5356 
5357     if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
5358         goto end;
5359 
5360     SSL_shutdown(clientssl);
5361     SSL_shutdown(serverssl);
5362     SSL_free(serverssl);
5363     SSL_free(clientssl);
5364     serverssl = clientssl = NULL;
5365 
5366     /* First resumption attempt; use the same config as initial handshake */
5367     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5368                                              NULL, NULL))
5369             || !TEST_true(SSL_set_session(clientssl, origsess))
5370             || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5371                                          isecdhe, idx)))
5372         goto end;
5373 
5374     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5375             || !TEST_true(SSL_session_reused(clientssl)))
5376         goto end;
5377 
5378     /* Still had better agree, since nothing changed... */
5379     if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5380             || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5381         goto end;
5382 
5383     SSL_shutdown(clientssl);
5384     SSL_shutdown(serverssl);
5385     SSL_free(serverssl);
5386     SSL_free(clientssl);
5387     serverssl = clientssl = NULL;
5388 
5389     /*-
5390      * Second resumption attempt
5391      * The party that picks one group changes it, which we effectuate by
5392      * changing 'idx' and updating what we expect.
5393      */
5394     if (idx == 0)
5395         idx = 1;
5396     else
5397         idx--;
5398     if (istls13) {
5399         if (isecdhe)
5400             expectednid = ecdhe_kexch_groups[idx];
5401         else
5402             expectednid = ffdhe_kexch_groups[idx];
5403         /* Verify that we are changing what we expect. */
5404         if (!TEST_int_ne(expectednid, kexch_alg))
5405             goto end;
5406     } else {
5407         /* TLS 1.2 only supports named groups for ECDHE. */
5408         if (isecdhe)
5409             expectednid = kexch_alg;
5410         else
5411             expectednid = 0;
5412     }
5413     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5414                                              NULL, NULL))
5415             || !TEST_true(SSL_set_session(clientssl, origsess))
5416             || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5417                                          isecdhe, idx)))
5418         goto end;
5419 
5420     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5421             || !TEST_true(SSL_session_reused(clientssl)))
5422         goto end;
5423 
5424     /* Check that we get what we expected */
5425     if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5426             || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5427         goto end;
5428 
5429     testresult = 1;
5430  end:
5431     SSL_free(serverssl);
5432     SSL_free(clientssl);
5433     SSL_CTX_free(sctx);
5434     SSL_CTX_free(cctx);
5435     SSL_SESSION_free(origsess);
5436     return testresult;
5437 }
5438 # endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
5439 
5440 /*
5441  * Test TLSv1.3 Cipher Suite
5442  * Test 0 = Set TLS1.3 cipher on context
5443  * Test 1 = Set TLS1.3 cipher on SSL
5444  * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
5445  * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
5446  */
5447 static int test_tls13_ciphersuite(int idx)
5448 {
5449     SSL_CTX *sctx = NULL, *cctx = NULL;
5450     SSL *serverssl = NULL, *clientssl = NULL;
5451     static const struct {
5452         const char *ciphername;
5453         int fipscapable;
5454         int low_security;
5455     } t13_ciphers[] = {
5456         { TLS1_3_RFC_AES_128_GCM_SHA256, 1, 0 },
5457         { TLS1_3_RFC_AES_256_GCM_SHA384, 1, 0 },
5458         { TLS1_3_RFC_AES_128_CCM_SHA256, 1, 0 },
5459 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5460         { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5461         { TLS1_3_RFC_AES_256_GCM_SHA384
5462           ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5463 # endif
5464         /* CCM8 ciphers are considered low security due to their short tag */
5465         { TLS1_3_RFC_AES_128_CCM_8_SHA256
5466           ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1, 1 },
5467 # if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
5468         /* Integrity-only cipher do not provide any confidentiality */
5469         { TLS1_3_RFC_SHA256_SHA256, 0, 1 },
5470         { TLS1_3_RFC_SHA384_SHA384, 0, 1 }
5471 # endif
5472     };
5473     const char *t13_cipher = NULL;
5474     const char *t12_cipher = NULL;
5475     const char *negotiated_scipher;
5476     const char *negotiated_ccipher;
5477     int set_at_ctx = 0;
5478     int set_at_ssl = 0;
5479     int testresult = 0;
5480     int max_ver;
5481     size_t i;
5482 
5483     switch (idx) {
5484         case 0:
5485             set_at_ctx = 1;
5486             break;
5487         case 1:
5488             set_at_ssl = 1;
5489             break;
5490         case 2:
5491             set_at_ctx = 1;
5492             t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5493             break;
5494         case 3:
5495             set_at_ssl = 1;
5496             t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5497             break;
5498     }
5499 
5500     for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5501 # ifdef OPENSSL_NO_TLS1_2
5502         if (max_ver == TLS1_2_VERSION)
5503             continue;
5504 # endif
5505         for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
5506             if (is_fips && !t13_ciphers[i].fipscapable)
5507                 continue;
5508             t13_cipher = t13_ciphers[i].ciphername;
5509             if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5510                                                TLS_client_method(),
5511                                                TLS1_VERSION, max_ver,
5512                                                &sctx, &cctx, cert, privkey)))
5513                 goto end;
5514 
5515             if (t13_ciphers[i].low_security) {
5516                 SSL_CTX_set_security_level(sctx, 0);
5517                 SSL_CTX_set_security_level(cctx, 0);
5518             }
5519 
5520             if (set_at_ctx) {
5521                 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5522                     || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5523                     goto end;
5524                 if (t12_cipher != NULL) {
5525                     if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5526                         || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5527                                                               t12_cipher)))
5528                         goto end;
5529                 }
5530             }
5531 
5532             if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5533                                               &clientssl, NULL, NULL)))
5534                 goto end;
5535 
5536             if (set_at_ssl) {
5537                 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5538                     || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5539                     goto end;
5540                 if (t12_cipher != NULL) {
5541                     if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5542                         || !TEST_true(SSL_set_cipher_list(clientssl,
5543                                                           t12_cipher)))
5544                         goto end;
5545                 }
5546             }
5547 
5548             if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5549                                                  SSL_ERROR_NONE)))
5550                 goto end;
5551 
5552             negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5553                                                                  serverssl));
5554             negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5555                                                                  clientssl));
5556             if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5557                 goto end;
5558 
5559             /*
5560              * TEST_strn_eq is used below because t13_cipher can contain
5561              * multiple ciphersuites
5562              */
5563             if (max_ver == TLS1_3_VERSION
5564                 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5565                                  strlen(negotiated_scipher)))
5566                 goto end;
5567 
5568 # ifndef OPENSSL_NO_TLS1_2
5569             /* Below validation is not done when t12_cipher is NULL */
5570             if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5571                 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5572                 goto end;
5573 # endif
5574 
5575             SSL_free(serverssl);
5576             serverssl = NULL;
5577             SSL_free(clientssl);
5578             clientssl = NULL;
5579             SSL_CTX_free(sctx);
5580             sctx = NULL;
5581             SSL_CTX_free(cctx);
5582             cctx = NULL;
5583         }
5584     }
5585 
5586     testresult = 1;
5587  end:
5588     SSL_free(serverssl);
5589     SSL_free(clientssl);
5590     SSL_CTX_free(sctx);
5591     SSL_CTX_free(cctx);
5592     return testresult;
5593 }
5594 
5595 /*
5596  * Test TLSv1.3 PSKs
5597  * Test 0 = Test new style callbacks
5598  * Test 1 = Test both new and old style callbacks
5599  * Test 2 = Test old style callbacks
5600  * Test 3 = Test old style callbacks with no certificate
5601  */
5602 static int test_tls13_psk(int idx)
5603 {
5604     SSL_CTX *sctx = NULL, *cctx = NULL;
5605     SSL *serverssl = NULL, *clientssl = NULL;
5606     const SSL_CIPHER *cipher = NULL;
5607     const unsigned char key[] = {
5608         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5609         0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5610         0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5611         0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5612     };
5613     int testresult = 0;
5614 
5615     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5616                                        TLS_client_method(), TLS1_VERSION, 0,
5617                                        &sctx, &cctx, idx == 3 ? NULL : cert,
5618                                        idx == 3 ? NULL : privkey)))
5619         goto end;
5620 
5621     if (idx != 3) {
5622         /*
5623          * We use a ciphersuite with SHA256 to ease testing old style PSK
5624          * callbacks which will always default to SHA256. This should not be
5625          * necessary if we have no cert/priv key. In that case the server should
5626          * prefer SHA256 automatically.
5627          */
5628         if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5629                                                 "TLS_AES_128_GCM_SHA256")))
5630             goto end;
5631     } else {
5632         /*
5633          * As noted above the server should prefer SHA256 automatically. However
5634          * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5635          * code works even if we are testing with only the FIPS provider loaded.
5636          */
5637         if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5638                                                 "TLS_AES_256_GCM_SHA384:"
5639                                                 "TLS_AES_128_GCM_SHA256")))
5640             goto end;
5641     }
5642 
5643     /*
5644      * Test 0: New style callbacks only
5645      * Test 1: New and old style callbacks (only the new ones should be used)
5646      * Test 2: Old style callbacks only
5647      */
5648     if (idx == 0 || idx == 1) {
5649         SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5650         SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5651     }
5652 #ifndef OPENSSL_NO_PSK
5653     if (idx >= 1) {
5654         SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5655         SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5656     }
5657 #endif
5658     srvid = pskid;
5659     use_session_cb_cnt = 0;
5660     find_session_cb_cnt = 0;
5661     psk_client_cb_cnt = 0;
5662     psk_server_cb_cnt = 0;
5663 
5664     if (idx != 3) {
5665         /*
5666          * Check we can create a connection if callback decides not to send a
5667          * PSK
5668          */
5669         if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5670                                                  NULL, NULL))
5671                 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5672                                                     SSL_ERROR_NONE))
5673                 || !TEST_false(SSL_session_reused(clientssl))
5674                 || !TEST_false(SSL_session_reused(serverssl)))
5675             goto end;
5676 
5677         if (idx == 0 || idx == 1) {
5678             if (!TEST_true(use_session_cb_cnt == 1)
5679                     || !TEST_true(find_session_cb_cnt == 0)
5680                        /*
5681                         * If no old style callback then below should be 0
5682                         * otherwise 1
5683                         */
5684                     || !TEST_true(psk_client_cb_cnt == idx)
5685                     || !TEST_true(psk_server_cb_cnt == 0))
5686                 goto end;
5687         } else {
5688             if (!TEST_true(use_session_cb_cnt == 0)
5689                     || !TEST_true(find_session_cb_cnt == 0)
5690                     || !TEST_true(psk_client_cb_cnt == 1)
5691                     || !TEST_true(psk_server_cb_cnt == 0))
5692                 goto end;
5693         }
5694 
5695         shutdown_ssl_connection(serverssl, clientssl);
5696         serverssl = clientssl = NULL;
5697         use_session_cb_cnt = psk_client_cb_cnt = 0;
5698     }
5699 
5700     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5701                                              NULL, NULL)))
5702         goto end;
5703 
5704     /* Create the PSK */
5705     cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
5706     clientpsk = SSL_SESSION_new();
5707     if (!TEST_ptr(clientpsk)
5708             || !TEST_ptr(cipher)
5709             || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5710                                                       sizeof(key)))
5711             || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5712             || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5713                                                            TLS1_3_VERSION))
5714             || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
5715         goto end;
5716     serverpsk = clientpsk;
5717 
5718     /* Check we can create a connection and the PSK is used */
5719     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5720             || !TEST_true(SSL_session_reused(clientssl))
5721             || !TEST_true(SSL_session_reused(serverssl)))
5722         goto end;
5723 
5724     if (idx == 0 || idx == 1) {
5725         if (!TEST_true(use_session_cb_cnt == 1)
5726                 || !TEST_true(find_session_cb_cnt == 1)
5727                 || !TEST_true(psk_client_cb_cnt == 0)
5728                 || !TEST_true(psk_server_cb_cnt == 0))
5729             goto end;
5730     } else {
5731         if (!TEST_true(use_session_cb_cnt == 0)
5732                 || !TEST_true(find_session_cb_cnt == 0)
5733                 || !TEST_true(psk_client_cb_cnt == 1)
5734                 || !TEST_true(psk_server_cb_cnt == 1))
5735             goto end;
5736     }
5737 
5738     shutdown_ssl_connection(serverssl, clientssl);
5739     serverssl = clientssl = NULL;
5740     use_session_cb_cnt = find_session_cb_cnt = 0;
5741     psk_client_cb_cnt = psk_server_cb_cnt = 0;
5742 
5743     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5744                                              NULL, NULL)))
5745         goto end;
5746 
5747     /* Force an HRR */
5748 #if defined(OPENSSL_NO_EC)
5749     if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5750         goto end;
5751 #else
5752     if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
5753         goto end;
5754 #endif
5755 
5756     /*
5757      * Check we can create a connection, the PSK is used and the callbacks are
5758      * called twice.
5759      */
5760     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5761             || !TEST_true(SSL_session_reused(clientssl))
5762             || !TEST_true(SSL_session_reused(serverssl)))
5763         goto end;
5764 
5765     if (idx == 0 || idx == 1) {
5766         if (!TEST_true(use_session_cb_cnt == 2)
5767                 || !TEST_true(find_session_cb_cnt == 2)
5768                 || !TEST_true(psk_client_cb_cnt == 0)
5769                 || !TEST_true(psk_server_cb_cnt == 0))
5770             goto end;
5771     } else {
5772         if (!TEST_true(use_session_cb_cnt == 0)
5773                 || !TEST_true(find_session_cb_cnt == 0)
5774                 || !TEST_true(psk_client_cb_cnt == 2)
5775                 || !TEST_true(psk_server_cb_cnt == 2))
5776             goto end;
5777     }
5778 
5779     shutdown_ssl_connection(serverssl, clientssl);
5780     serverssl = clientssl = NULL;
5781     use_session_cb_cnt = find_session_cb_cnt = 0;
5782     psk_client_cb_cnt = psk_server_cb_cnt = 0;
5783 
5784     if (idx != 3) {
5785         /*
5786          * Check that if the server rejects the PSK we can still connect, but with
5787          * a full handshake
5788          */
5789         srvid = "Dummy Identity";
5790         if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5791                                                  NULL, NULL))
5792                 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5793                                                     SSL_ERROR_NONE))
5794                 || !TEST_false(SSL_session_reused(clientssl))
5795                 || !TEST_false(SSL_session_reused(serverssl)))
5796             goto end;
5797 
5798         if (idx == 0 || idx == 1) {
5799             if (!TEST_true(use_session_cb_cnt == 1)
5800                     || !TEST_true(find_session_cb_cnt == 1)
5801                     || !TEST_true(psk_client_cb_cnt == 0)
5802                        /*
5803                         * If no old style callback then below should be 0
5804                         * otherwise 1
5805                         */
5806                     || !TEST_true(psk_server_cb_cnt == idx))
5807                 goto end;
5808         } else {
5809             if (!TEST_true(use_session_cb_cnt == 0)
5810                     || !TEST_true(find_session_cb_cnt == 0)
5811                     || !TEST_true(psk_client_cb_cnt == 1)
5812                     || !TEST_true(psk_server_cb_cnt == 1))
5813                 goto end;
5814         }
5815 
5816         shutdown_ssl_connection(serverssl, clientssl);
5817         serverssl = clientssl = NULL;
5818     }
5819     testresult = 1;
5820 
5821  end:
5822     SSL_SESSION_free(clientpsk);
5823     SSL_SESSION_free(serverpsk);
5824     clientpsk = serverpsk = NULL;
5825     SSL_free(serverssl);
5826     SSL_free(clientssl);
5827     SSL_CTX_free(sctx);
5828     SSL_CTX_free(cctx);
5829     return testresult;
5830 }
5831 
5832 #ifndef OSSL_NO_USABLE_TLS1_3
5833 /*
5834  * Test TLS1.3 connection establishment succeeds with various configurations of
5835  * the options `SSL_OP_ALLOW_NO_DHE_KEX` and `SSL_OP_PREFER_NO_DHE_KEX`.
5836  * The verification of whether the right KEX mode is chosen is not covered by
5837  * this test but by `test_tls13kexmodes`.
5838  *
5839  * Tests (idx & 1): Server has `SSL_OP_ALLOW_NO_DHE_KEX` set.
5840  * Tests (idx & 2): Server has `SSL_OP_PREFER_NO_DHE_KEX` set.
5841  * Tests (idx & 4): Client has `SSL_OP_ALLOW_NO_DHE_KEX` set.
5842  */
5843 static int test_tls13_no_dhe_kex(const int idx)
5844 {
5845     SSL_CTX *sctx = NULL, *cctx = NULL;
5846     SSL *serverssl = NULL, *clientssl = NULL;
5847     int testresult = 0;
5848     size_t j;
5849     SSL_SESSION *saved_session;
5850 
5851     int server_allow_no_dhe = (idx & 1) != 0;
5852     int server_prefer_no_dhe = (idx & 2) != 0;
5853     int client_allow_no_dhe = (idx & 4) != 0;
5854 
5855     uint64_t server_options = 0
5856             | (server_allow_no_dhe ? SSL_OP_ALLOW_NO_DHE_KEX : 0)
5857             | (server_prefer_no_dhe ? SSL_OP_PREFER_NO_DHE_KEX : 0);
5858 
5859     uint64_t client_options = 0
5860             | (client_allow_no_dhe ? SSL_OP_ALLOW_NO_DHE_KEX : 0);
5861 
5862     new_called = 0;
5863     do_cache = 1;
5864 
5865     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5866                                        TLS_client_method(), TLS1_3_VERSION, 0,
5867                                        &sctx, &cctx, cert, privkey)))
5868         goto end;
5869 
5870     SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
5871                                           | SSL_SESS_CACHE_NO_INTERNAL_STORE);
5872 
5873     SSL_CTX_set_options(sctx, server_options);
5874     SSL_CTX_set_options(cctx, client_options);
5875 
5876     SSL_CTX_sess_set_new_cb(cctx, new_cachesession_cb);
5877 
5878     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5879                                       &clientssl, NULL, NULL)))
5880         goto end;
5881 
5882     if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5883                                          SSL_ERROR_NONE))
5884             /* Check we got the number of tickets we were expecting */
5885             || !TEST_int_eq(2, new_called))
5886         goto end;
5887 
5888     /* We'll reuse the last ticket. */
5889     saved_session = sesscache[new_called - 1];
5890 
5891     SSL_shutdown(clientssl);
5892     SSL_shutdown(serverssl);
5893     SSL_free(serverssl);
5894     SSL_free(clientssl);
5895     SSL_CTX_free(cctx);
5896     clientssl = serverssl = NULL;
5897     cctx = NULL;
5898 
5899     /*
5900      * Now we resume with the last ticket we created.
5901      */
5902 
5903     /* The server context already exists, so we only create the client. */
5904     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5905                                        TLS_client_method(), TLS1_3_VERSION, 0,
5906                                        NULL, &cctx, cert, privkey)))
5907         goto end;
5908 
5909     SSL_CTX_set_options(cctx, client_options);
5910 
5911     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5912                                       &clientssl, NULL, NULL))
5913             || !TEST_true(SSL_set_session(clientssl, saved_session)))
5914         goto end;
5915 
5916     if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5917                                          SSL_ERROR_NONE)))
5918         goto end;
5919 
5920     /*
5921      * Make sure, the session was resumed.
5922      */
5923     if (!TEST_true(SSL_session_reused(clientssl)))
5924         goto end;
5925 
5926     SSL_shutdown(clientssl);
5927     SSL_shutdown(serverssl);
5928 
5929     testresult = 1;
5930 
5931  end:
5932     SSL_free(serverssl);
5933     SSL_free(clientssl);
5934     for (j = 0; j < OSSL_NELEM(sesscache); j++) {
5935         SSL_SESSION_free(sesscache[j]);
5936         sesscache[j] = NULL;
5937     }
5938     SSL_CTX_free(sctx);
5939     SSL_CTX_free(cctx);
5940 
5941     return testresult;
5942 }
5943 #endif /* OSSL_NO_USABLE_TLS1_3 */
5944 
5945 static unsigned char cookie_magic_value[] = "cookie magic";
5946 
5947 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5948                                     unsigned int *cookie_len)
5949 {
5950     /*
5951      * Not suitable as a real cookie generation function but good enough for
5952      * testing!
5953      */
5954     memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5955     *cookie_len = sizeof(cookie_magic_value) - 1;
5956 
5957     return 1;
5958 }
5959 
5960 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5961                                   unsigned int cookie_len)
5962 {
5963     if (cookie_len == sizeof(cookie_magic_value) - 1
5964         && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5965         return 1;
5966 
5967     return 0;
5968 }
5969 
5970 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5971                                         size_t *cookie_len)
5972 {
5973     unsigned int temp;
5974     int res = generate_cookie_callback(ssl, cookie, &temp);
5975     *cookie_len = temp;
5976     return res;
5977 }
5978 
5979 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5980                                       size_t cookie_len)
5981 {
5982     return verify_cookie_callback(ssl, cookie, cookie_len);
5983 }
5984 
5985 static int test_stateless(void)
5986 {
5987     SSL_CTX *sctx = NULL, *cctx = NULL;
5988     SSL *serverssl = NULL, *clientssl = NULL;
5989     int testresult = 0;
5990 
5991     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5992                                        TLS_client_method(), TLS1_VERSION, 0,
5993                                        &sctx, &cctx, cert, privkey)))
5994         goto end;
5995 
5996     /* The arrival of CCS messages can confuse the test */
5997     SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5998 
5999     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6000                                       NULL, NULL))
6001                /* Send the first ClientHello */
6002             || !TEST_false(create_ssl_connection(serverssl, clientssl,
6003                                                  SSL_ERROR_WANT_READ))
6004                /*
6005                 * This should fail with a -1 return because we have no callbacks
6006                 * set up
6007                 */
6008             || !TEST_int_eq(SSL_stateless(serverssl), -1))
6009         goto end;
6010 
6011     /* Fatal error so abandon the connection from this client */
6012     SSL_free(clientssl);
6013     clientssl = NULL;
6014 
6015     /* Set up the cookie generation and verification callbacks */
6016     SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
6017     SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
6018 
6019     /*
6020      * Create a new connection from the client (we can reuse the server SSL
6021      * object).
6022      */
6023     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6024                                              NULL, NULL))
6025                /* Send the first ClientHello */
6026             || !TEST_false(create_ssl_connection(serverssl, clientssl,
6027                                                 SSL_ERROR_WANT_READ))
6028                /* This should fail because there is no cookie */
6029             || !TEST_int_eq(SSL_stateless(serverssl), 0))
6030         goto end;
6031 
6032     /* Abandon the connection from this client */
6033     SSL_free(clientssl);
6034     clientssl = NULL;
6035 
6036     /*
6037      * Now create a connection from a new client but with the same server SSL
6038      * object
6039      */
6040     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6041                                              NULL, NULL))
6042                /* Send the first ClientHello */
6043             || !TEST_false(create_ssl_connection(serverssl, clientssl,
6044                                                 SSL_ERROR_WANT_READ))
6045                /* This should fail because there is no cookie */
6046             || !TEST_int_eq(SSL_stateless(serverssl), 0)
6047                /* Send the second ClientHello */
6048             || !TEST_false(create_ssl_connection(serverssl, clientssl,
6049                                                 SSL_ERROR_WANT_READ))
6050                /* This should succeed because a cookie is now present */
6051             || !TEST_int_eq(SSL_stateless(serverssl), 1)
6052                /* Complete the connection */
6053             || !TEST_true(create_ssl_connection(serverssl, clientssl,
6054                                                 SSL_ERROR_NONE)))
6055         goto end;
6056 
6057     shutdown_ssl_connection(serverssl, clientssl);
6058     serverssl = clientssl = NULL;
6059     testresult = 1;
6060 
6061  end:
6062     SSL_free(serverssl);
6063     SSL_free(clientssl);
6064     SSL_CTX_free(sctx);
6065     SSL_CTX_free(cctx);
6066     return testresult;
6067 
6068 }
6069 #endif /* OSSL_NO_USABLE_TLS1_3 */
6070 
6071 static int clntaddoldcb = 0;
6072 static int clntparseoldcb = 0;
6073 static int srvaddoldcb = 0;
6074 static int srvparseoldcb = 0;
6075 static int clntaddnewcb = 0;
6076 static int clntparsenewcb = 0;
6077 static int srvaddnewcb = 0;
6078 static int srvparsenewcb = 0;
6079 static int snicb = 0;
6080 
6081 #define TEST_EXT_TYPE1  0xff00
6082 
6083 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
6084                       size_t *outlen, int *al, void *add_arg)
6085 {
6086     int *server = (int *)add_arg;
6087     unsigned char *data;
6088 
6089     if (SSL_is_server(s))
6090         srvaddoldcb++;
6091     else
6092         clntaddoldcb++;
6093 
6094     if (*server != SSL_is_server(s)
6095             || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
6096         return -1;
6097 
6098     *data = 1;
6099     *out = data;
6100     *outlen = sizeof(char);
6101     return 1;
6102 }
6103 
6104 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
6105                         void *add_arg)
6106 {
6107     OPENSSL_free((unsigned char *)out);
6108 }
6109 
6110 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
6111                         size_t inlen, int *al, void *parse_arg)
6112 {
6113     int *server = (int *)parse_arg;
6114 
6115     if (SSL_is_server(s))
6116         srvparseoldcb++;
6117     else
6118         clntparseoldcb++;
6119 
6120     if (*server != SSL_is_server(s)
6121             || inlen != sizeof(char)
6122             || *in != 1)
6123         return -1;
6124 
6125     return 1;
6126 }
6127 
6128 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
6129                       const unsigned char **out, size_t *outlen, X509 *x,
6130                       size_t chainidx, int *al, void *add_arg)
6131 {
6132     int *server = (int *)add_arg;
6133     unsigned char *data;
6134 
6135     if (SSL_is_server(s))
6136         srvaddnewcb++;
6137     else
6138         clntaddnewcb++;
6139 
6140     if (*server != SSL_is_server(s)
6141             || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
6142         return -1;
6143 
6144     *data = 1;
6145     *out = data;
6146     *outlen = sizeof(*data);
6147     return 1;
6148 }
6149 
6150 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
6151                         const unsigned char *out, void *add_arg)
6152 {
6153     OPENSSL_free((unsigned char *)out);
6154 }
6155 
6156 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
6157                         const unsigned char *in, size_t inlen, X509 *x,
6158                         size_t chainidx, int *al, void *parse_arg)
6159 {
6160     int *server = (int *)parse_arg;
6161 
6162     if (SSL_is_server(s))
6163         srvparsenewcb++;
6164     else
6165         clntparsenewcb++;
6166 
6167     if (*server != SSL_is_server(s)
6168             || inlen != sizeof(char) || *in != 1)
6169         return -1;
6170 
6171     return 1;
6172 }
6173 
6174 static int sni_cb(SSL *s, int *al, void *arg)
6175 {
6176     SSL_CTX *ctx = (SSL_CTX *)arg;
6177 
6178     if (SSL_set_SSL_CTX(s, ctx) == NULL) {
6179         *al = SSL_AD_INTERNAL_ERROR;
6180         return SSL_TLSEXT_ERR_ALERT_FATAL;
6181     }
6182     snicb++;
6183     return SSL_TLSEXT_ERR_OK;
6184 }
6185 
6186 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
6187 {
6188     return 1;
6189 }
6190 
6191 /*
6192  * Custom call back tests.
6193  * Test 0: Old style callbacks in TLSv1.2
6194  * Test 1: New style callbacks in TLSv1.2
6195  * Test 2: New style callbacks in TLSv1.2 with SNI
6196  * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
6197  * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
6198  * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
6199  */
6200 static int test_custom_exts(int tst)
6201 {
6202     SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6203     SSL *clientssl = NULL, *serverssl = NULL;
6204     int testresult = 0;
6205     static int server = 1;
6206     static int client = 0;
6207     SSL_SESSION *sess = NULL;
6208     unsigned int context;
6209 
6210 #if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
6211     /* Skip tests for TLSv1.2 and below in this case */
6212     if (tst < 3)
6213         return 1;
6214 #endif
6215 
6216     /* Reset callback counters */
6217     clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
6218     clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
6219     snicb = 0;
6220 
6221     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6222                                        TLS_client_method(), TLS1_VERSION, 0,
6223                                        &sctx, &cctx, cert, privkey)))
6224         goto end;
6225 
6226     if (tst == 2
6227             && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
6228                                               TLS1_VERSION, 0,
6229                                               &sctx2, NULL, cert, privkey)))
6230         goto end;
6231 
6232 
6233     if (tst < 3) {
6234         SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
6235         SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
6236         if (sctx2 != NULL)
6237             SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
6238     }
6239 
6240     if (tst == 5) {
6241         context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
6242                   | SSL_EXT_TLS1_3_CERTIFICATE;
6243         SSL_CTX_set_verify(sctx,
6244                            SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
6245                            verify_cb);
6246         if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
6247                                                       SSL_FILETYPE_PEM), 1)
6248                 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
6249                                                             SSL_FILETYPE_PEM), 1)
6250                 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
6251             goto end;
6252     } else if (tst == 4) {
6253         context = SSL_EXT_CLIENT_HELLO
6254                   | SSL_EXT_TLS1_2_SERVER_HELLO
6255                   | SSL_EXT_TLS1_3_SERVER_HELLO
6256                   | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
6257                   | SSL_EXT_TLS1_3_CERTIFICATE
6258                   | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
6259     } else {
6260         context = SSL_EXT_CLIENT_HELLO
6261                   | SSL_EXT_TLS1_2_SERVER_HELLO
6262                   | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
6263     }
6264 
6265     /* Create a client side custom extension */
6266     if (tst == 0) {
6267         if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
6268                                                      old_add_cb, old_free_cb,
6269                                                      &client, old_parse_cb,
6270                                                      &client)))
6271             goto end;
6272     } else {
6273         if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
6274                                               new_add_cb, new_free_cb,
6275                                               &client, new_parse_cb, &client)))
6276             goto end;
6277     }
6278 
6279     /* Should not be able to add duplicates */
6280     if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
6281                                                   old_add_cb, old_free_cb,
6282                                                   &client, old_parse_cb,
6283                                                   &client))
6284             || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
6285                                                   context, new_add_cb,
6286                                                   new_free_cb, &client,
6287                                                   new_parse_cb, &client)))
6288         goto end;
6289 
6290     /* Create a server side custom extension */
6291     if (tst == 0) {
6292         if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
6293                                                      old_add_cb, old_free_cb,
6294                                                      &server, old_parse_cb,
6295                                                      &server)))
6296             goto end;
6297     } else {
6298         if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
6299                                               new_add_cb, new_free_cb,
6300                                               &server, new_parse_cb, &server)))
6301             goto end;
6302         if (sctx2 != NULL
6303                 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
6304                                                      context, new_add_cb,
6305                                                      new_free_cb, &server,
6306                                                      new_parse_cb, &server)))
6307             goto end;
6308     }
6309 
6310     /* Should not be able to add duplicates */
6311     if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
6312                                                   old_add_cb, old_free_cb,
6313                                                   &server, old_parse_cb,
6314                                                   &server))
6315             || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
6316                                                   context, new_add_cb,
6317                                                   new_free_cb, &server,
6318                                                   new_parse_cb, &server)))
6319         goto end;
6320 
6321     if (tst == 2) {
6322         /* Set up SNI */
6323         if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
6324                 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
6325             goto end;
6326     }
6327 
6328     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6329                                       &clientssl, NULL, NULL))
6330             || !TEST_true(create_ssl_connection(serverssl, clientssl,
6331                                                 SSL_ERROR_NONE)))
6332         goto end;
6333 
6334     if (tst == 0) {
6335         if (clntaddoldcb != 1
6336                 || clntparseoldcb != 1
6337                 || srvaddoldcb != 1
6338                 || srvparseoldcb != 1)
6339             goto end;
6340     } else if (tst == 1 || tst == 2 || tst == 3) {
6341         if (clntaddnewcb != 1
6342                 || clntparsenewcb != 1
6343                 || srvaddnewcb != 1
6344                 || srvparsenewcb != 1
6345                 || (tst != 2 && snicb != 0)
6346                 || (tst == 2 && snicb != 1))
6347             goto end;
6348     } else if (tst == 5) {
6349         if (clntaddnewcb != 1
6350                 || clntparsenewcb != 1
6351                 || srvaddnewcb != 1
6352                 || srvparsenewcb != 1)
6353             goto end;
6354     } else {
6355         /* In this case there 2 NewSessionTicket messages created */
6356         if (clntaddnewcb != 1
6357                 || clntparsenewcb != 5
6358                 || srvaddnewcb != 5
6359                 || srvparsenewcb != 1)
6360             goto end;
6361     }
6362 
6363     sess = SSL_get1_session(clientssl);
6364     SSL_shutdown(clientssl);
6365     SSL_shutdown(serverssl);
6366     SSL_free(serverssl);
6367     SSL_free(clientssl);
6368     serverssl = clientssl = NULL;
6369 
6370     if (tst == 3 || tst == 5) {
6371         /* We don't bother with the resumption aspects for these tests */
6372         testresult = 1;
6373         goto end;
6374     }
6375 
6376     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6377                                       NULL, NULL))
6378             || !TEST_true(SSL_set_session(clientssl, sess))
6379             || !TEST_true(create_ssl_connection(serverssl, clientssl,
6380                                                SSL_ERROR_NONE)))
6381         goto end;
6382 
6383     /*
6384      * For a resumed session we expect to add the ClientHello extension. For the
6385      * old style callbacks we ignore it on the server side because they set
6386      * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
6387      * them.
6388      */
6389     if (tst == 0) {
6390         if (clntaddoldcb != 2
6391                 || clntparseoldcb != 1
6392                 || srvaddoldcb != 1
6393                 || srvparseoldcb != 1)
6394             goto end;
6395     } else if (tst == 1 || tst == 2 || tst == 3) {
6396         if (clntaddnewcb != 2
6397                 || clntparsenewcb != 2
6398                 || srvaddnewcb != 2
6399                 || srvparsenewcb != 2)
6400             goto end;
6401     } else {
6402         /*
6403          * No Certificate message extensions in the resumption handshake,
6404          * 2 NewSessionTickets in the initial handshake, 1 in the resumption
6405          */
6406         if (clntaddnewcb != 2
6407                 || clntparsenewcb != 8
6408                 || srvaddnewcb != 8
6409                 || srvparsenewcb != 2)
6410             goto end;
6411     }
6412 
6413     testresult = 1;
6414 
6415 end:
6416     SSL_SESSION_free(sess);
6417     SSL_free(serverssl);
6418     SSL_free(clientssl);
6419     SSL_CTX_free(sctx2);
6420     SSL_CTX_free(sctx);
6421     SSL_CTX_free(cctx);
6422     return testresult;
6423 }
6424 
6425 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
6426 
6427 #define  SYNTHV1CONTEXT     (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
6428                              | SSL_EXT_CLIENT_HELLO \
6429                              | SSL_EXT_TLS1_2_SERVER_HELLO \
6430                              | SSL_EXT_IGNORE_ON_RESUMPTION)
6431 
6432 #define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
6433                       | SSL_EXT_TLS1_2_SERVER_HELLO \
6434                       | SSL_EXT_CLIENT_HELLO)
6435 
6436 #define SERVERINFO_CUSTOM                                 \
6437     0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
6438     0x00, 0x03,                                           \
6439     0x04, 0x05, 0x06                                      \
6440 
6441 static const unsigned char serverinfo_custom_tls13[] = {
6442     0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff,
6443     SERVERINFO_CUSTOM
6444 };
6445 static const unsigned char serverinfo_custom_v2[] = {
6446     0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff,  SYNTHV1CONTEXT & 0xff,
6447     SERVERINFO_CUSTOM
6448 };
6449 static const unsigned char serverinfo_custom_v1[] = {
6450     SERVERINFO_CUSTOM
6451 };
6452 static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13);
6453 static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2);
6454 static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1);
6455 
6456 static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type,
6457                                       unsigned int context,
6458                                       const unsigned char *in,
6459                                       size_t inlen, X509 *x,
6460                                       size_t chainidx, int *al,
6461                                       void *parse_arg)
6462 {
6463     const size_t len = serverinfo_custom_v1_len;
6464     const unsigned char *si = &serverinfo_custom_v1[len - 3];
6465     int *p_cb_result = (int*)parse_arg;
6466     *p_cb_result = TEST_mem_eq(in, inlen, si, 3);
6467     return 1;
6468 }
6469 
6470 static int test_serverinfo_custom(const int idx)
6471 {
6472     SSL_CTX *sctx = NULL, *cctx = NULL;
6473     SSL *clientssl = NULL, *serverssl = NULL;
6474     int testresult = 0;
6475     int cb_result = 0;
6476 
6477     /*
6478      * Following variables are set in the switch statement
6479      *  according to the test iteration.
6480      * Default values do not make much sense: test would fail with them.
6481      */
6482     int serverinfo_version = 0;
6483     int protocol_version = 0;
6484     unsigned int extension_context = 0;
6485     const unsigned char *si = NULL;
6486     size_t si_len = 0;
6487 
6488     const int call_use_serverinfo_ex = idx > 0;
6489     switch (idx) {
6490     case 0: /* FALLTHROUGH */
6491     case 1:
6492         serverinfo_version = SSL_SERVERINFOV1;
6493         protocol_version = TLS1_2_VERSION;
6494         extension_context = SYNTHV1CONTEXT;
6495         si = serverinfo_custom_v1;
6496         si_len = serverinfo_custom_v1_len;
6497         break;
6498     case 2:
6499         serverinfo_version = SSL_SERVERINFOV2;
6500         protocol_version = TLS1_2_VERSION;
6501         extension_context = SYNTHV1CONTEXT;
6502         si = serverinfo_custom_v2;
6503         si_len = serverinfo_custom_v2_len;
6504         break;
6505     case 3:
6506         serverinfo_version = SSL_SERVERINFOV2;
6507         protocol_version = TLS1_3_VERSION;
6508         extension_context = TLS13CONTEXT;
6509         si = serverinfo_custom_tls13;
6510         si_len = serverinfo_custom_tls13_len;
6511         break;
6512     }
6513 
6514     if (!TEST_true(create_ssl_ctx_pair(libctx,
6515                                        TLS_method(),
6516                                        TLS_method(),
6517                                        protocol_version,
6518                                        protocol_version,
6519                                        &sctx, &cctx, cert, privkey)))
6520         goto end;
6521 
6522     if (call_use_serverinfo_ex) {
6523         if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version,
6524                                                  si, si_len)))
6525             goto end;
6526     } else {
6527         if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len)))
6528             goto end;
6529     }
6530 
6531     if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp,
6532                                           extension_context,
6533                                           NULL, NULL, NULL,
6534                                           serverinfo_custom_parse_cb,
6535                                           &cb_result))
6536         || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6537                                          NULL, NULL))
6538         || !TEST_true(create_ssl_connection(serverssl, clientssl,
6539                                             SSL_ERROR_NONE))
6540         || !TEST_int_eq(SSL_do_handshake(clientssl), 1))
6541         goto end;
6542 
6543     if (!TEST_true(cb_result))
6544         goto end;
6545 
6546     testresult = 1;
6547 
6548  end:
6549     SSL_free(serverssl);
6550     SSL_free(clientssl);
6551     SSL_CTX_free(sctx);
6552     SSL_CTX_free(cctx);
6553 
6554     return testresult;
6555 }
6556 #endif
6557 
6558 /*
6559  * Test that SSL_export_keying_material() produces expected results. There are
6560  * no test vectors so all we do is test that both sides of the communication
6561  * produce the same results for different protocol versions.
6562  */
6563 #define SMALL_LABEL_LEN 10
6564 #define LONG_LABEL_LEN  249
6565 static int test_export_key_mat(int tst)
6566 {
6567     int testresult = 0;
6568     SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6569     SSL *clientssl = NULL, *serverssl = NULL;
6570     const char label[LONG_LABEL_LEN + 1] = "test label";
6571     const unsigned char context[] = "context";
6572     const unsigned char *emptycontext = NULL;
6573     unsigned char longcontext[1280];
6574     int test_longcontext = fips_provider_version_ge(libctx, 3, 3, 0);
6575     unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80], ckeymat4[80];
6576     unsigned char skeymat1[80], skeymat2[80], skeymat3[80], skeymat4[80];
6577     size_t labellen;
6578     const int protocols[] = {
6579         TLS1_VERSION,
6580         TLS1_1_VERSION,
6581         TLS1_2_VERSION,
6582         TLS1_3_VERSION,
6583         TLS1_3_VERSION,
6584         TLS1_3_VERSION
6585     };
6586 
6587 #ifdef OPENSSL_NO_TLS1
6588     if (tst == 0)
6589         return 1;
6590 #endif
6591 #ifdef OPENSSL_NO_TLS1_1
6592     if (tst == 1)
6593         return 1;
6594 #endif
6595     if (is_fips && (tst == 0 || tst == 1))
6596         return 1;
6597 #ifdef OPENSSL_NO_TLS1_2
6598     if (tst == 2)
6599         return 1;
6600 #endif
6601 #ifdef OSSL_NO_USABLE_TLS1_3
6602     if (tst >= 3)
6603         return 1;
6604 #endif
6605     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6606                                        TLS_client_method(), TLS1_VERSION, 0,
6607                                        &sctx, &cctx, cert, privkey)))
6608         goto end;
6609 
6610     OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
6611     SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
6612     SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
6613     if ((protocols[tst] < TLS1_2_VERSION) &&
6614         (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
6615         || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
6616         goto end;
6617 
6618     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6619                                       NULL)))
6620         goto end;
6621 
6622     /*
6623      * Premature call of SSL_export_keying_material should just fail.
6624      */
6625     if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6626                                                 sizeof(ckeymat1), label,
6627                                                 SMALL_LABEL_LEN + 1, context,
6628                                                 sizeof(context) - 1, 1), 0))
6629         goto end;
6630 
6631     if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6632                                          SSL_ERROR_NONE)))
6633         goto end;
6634 
6635     if (tst == 5) {
6636         /*
6637          * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
6638          * go over that.
6639          */
6640         if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6641                                                     sizeof(ckeymat1), label,
6642                                                     LONG_LABEL_LEN + 1, context,
6643                                                     sizeof(context) - 1, 1), 0))
6644             goto end;
6645 
6646         testresult = 1;
6647         goto end;
6648     } else if (tst == 4) {
6649         labellen = LONG_LABEL_LEN;
6650     } else {
6651         labellen = SMALL_LABEL_LEN;
6652     }
6653 
6654     memset(longcontext, 1, sizeof(longcontext));
6655 
6656     if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
6657                                                 sizeof(ckeymat1), label,
6658                                                 labellen, context,
6659                                                 sizeof(context) - 1, 1), 1)
6660             || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
6661                                                        sizeof(ckeymat2), label,
6662                                                        labellen,
6663                                                        emptycontext,
6664                                                        0, 1), 1)
6665             || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
6666                                                        sizeof(ckeymat3), label,
6667                                                        labellen,
6668                                                        NULL, 0, 0), 1)
6669             || (test_longcontext
6670                 && !TEST_int_eq(SSL_export_keying_material(clientssl,
6671                                                            ckeymat4,
6672                                                            sizeof(ckeymat4), label,
6673                                                            labellen,
6674                                                            longcontext,
6675                                                            sizeof(longcontext), 1),
6676                                 1))
6677             || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
6678                                                        sizeof(skeymat1), label,
6679                                                        labellen,
6680                                                        context,
6681                                                        sizeof(context) -1, 1),
6682                             1)
6683             || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
6684                                                        sizeof(skeymat2), label,
6685                                                        labellen,
6686                                                        emptycontext,
6687                                                        0, 1), 1)
6688             || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
6689                                                        sizeof(skeymat3), label,
6690                                                        labellen,
6691                                                        NULL, 0, 0), 1)
6692             || (test_longcontext
6693                 && !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat4,
6694                                                            sizeof(skeymat4), label,
6695                                                            labellen,
6696                                                            longcontext,
6697                                                            sizeof(longcontext), 1),
6698                                 1))
6699                /*
6700                 * Check that both sides created the same key material with the
6701                 * same context.
6702                 */
6703             || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6704                             sizeof(skeymat1))
6705                /*
6706                 * Check that both sides created the same key material with an
6707                 * empty context.
6708                 */
6709             || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6710                             sizeof(skeymat2))
6711                /*
6712                 * Check that both sides created the same key material without a
6713                 * context.
6714                 */
6715             || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6716                             sizeof(skeymat3))
6717                /*
6718                 * Check that both sides created the same key material with a
6719                 * long context.
6720                 */
6721             || (test_longcontext
6722                 && !TEST_mem_eq(ckeymat4, sizeof(ckeymat4), skeymat4,
6723                                 sizeof(skeymat4)))
6724                /* Different contexts should produce different results */
6725             || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6726                             sizeof(ckeymat2)))
6727         goto end;
6728 
6729     /*
6730      * Check that an empty context and no context produce different results in
6731      * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6732      */
6733     if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
6734                                   sizeof(ckeymat3)))
6735             || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6736                                          sizeof(ckeymat3))))
6737         goto end;
6738 
6739     testresult = 1;
6740 
6741  end:
6742     SSL_free(serverssl);
6743     SSL_free(clientssl);
6744     SSL_CTX_free(sctx2);
6745     SSL_CTX_free(sctx);
6746     SSL_CTX_free(cctx);
6747 
6748     return testresult;
6749 }
6750 
6751 #ifndef OSSL_NO_USABLE_TLS1_3
6752 /*
6753  * Test that SSL_export_keying_material_early() produces expected
6754  * results. There are no test vectors so all we do is test that both
6755  * sides of the communication produce the same results for different
6756  * protocol versions.
6757  */
6758 static int test_export_key_mat_early(int idx)
6759 {
6760     static const char label[] = "test label";
6761     static const unsigned char context[] = "context";
6762     int testresult = 0;
6763     SSL_CTX *cctx = NULL, *sctx = NULL;
6764     SSL *clientssl = NULL, *serverssl = NULL;
6765     SSL_SESSION *sess = NULL;
6766     const unsigned char *emptycontext = NULL;
6767     unsigned char ckeymat1[80], ckeymat2[80];
6768     unsigned char skeymat1[80], skeymat2[80];
6769     unsigned char buf[1];
6770     size_t readbytes, written;
6771 
6772     if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6773                                         &sess, idx, SHA384_DIGEST_LENGTH)))
6774         goto end;
6775 
6776     /* Here writing 0 length early data is enough. */
6777     if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6778             || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6779                                                 &readbytes),
6780                             SSL_READ_EARLY_DATA_ERROR)
6781             || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6782                             SSL_EARLY_DATA_ACCEPTED))
6783         goto end;
6784 
6785     if (!TEST_int_eq(SSL_export_keying_material_early(
6786                      clientssl, ckeymat1, sizeof(ckeymat1), label,
6787                      sizeof(label) - 1, context, sizeof(context) - 1), 1)
6788             || !TEST_int_eq(SSL_export_keying_material_early(
6789                             clientssl, ckeymat2, sizeof(ckeymat2), label,
6790                             sizeof(label) - 1, emptycontext, 0), 1)
6791             || !TEST_int_eq(SSL_export_keying_material_early(
6792                             serverssl, skeymat1, sizeof(skeymat1), label,
6793                             sizeof(label) - 1, context, sizeof(context) - 1), 1)
6794             || !TEST_int_eq(SSL_export_keying_material_early(
6795                             serverssl, skeymat2, sizeof(skeymat2), label,
6796                             sizeof(label) - 1, emptycontext, 0), 1)
6797                /*
6798                 * Check that both sides created the same key material with the
6799                 * same context.
6800                 */
6801             || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6802                             sizeof(skeymat1))
6803                /*
6804                 * Check that both sides created the same key material with an
6805                 * empty context.
6806                 */
6807             || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6808                             sizeof(skeymat2))
6809                /* Different contexts should produce different results */
6810             || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6811                             sizeof(ckeymat2)))
6812         goto end;
6813 
6814     testresult = 1;
6815 
6816  end:
6817     SSL_SESSION_free(sess);
6818     SSL_SESSION_free(clientpsk);
6819     SSL_SESSION_free(serverpsk);
6820     clientpsk = serverpsk = NULL;
6821     SSL_free(serverssl);
6822     SSL_free(clientssl);
6823     SSL_CTX_free(sctx);
6824     SSL_CTX_free(cctx);
6825 
6826     return testresult;
6827 }
6828 
6829 #define NUM_KEY_UPDATE_MESSAGES 40
6830 /*
6831  * Test KeyUpdate.
6832  */
6833 static int test_key_update(void)
6834 {
6835     SSL_CTX *cctx = NULL, *sctx = NULL;
6836     SSL *clientssl = NULL, *serverssl = NULL;
6837     int testresult = 0, i, j;
6838     char buf[20];
6839     static char *mess = "A test message";
6840 
6841     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6842                                        TLS_client_method(),
6843                                        TLS1_3_VERSION,
6844                                        0,
6845                                        &sctx, &cctx, cert, privkey))
6846             || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6847                                              NULL, NULL))
6848             || !TEST_true(create_ssl_connection(serverssl, clientssl,
6849                                                 SSL_ERROR_NONE)))
6850         goto end;
6851 
6852     for (j = 0; j < 2; j++) {
6853         /* Send lots of KeyUpdate messages */
6854         for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6855             if (!TEST_true(SSL_key_update(clientssl,
6856                                           (j == 0)
6857                                           ? SSL_KEY_UPDATE_NOT_REQUESTED
6858                                           : SSL_KEY_UPDATE_REQUESTED))
6859                     || !TEST_true(SSL_do_handshake(clientssl)))
6860                 goto end;
6861         }
6862 
6863         /* Check that sending and receiving app data is ok */
6864         if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6865                 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6866                                          strlen(mess)))
6867             goto end;
6868 
6869         if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6870                 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6871                                          strlen(mess)))
6872             goto end;
6873     }
6874 
6875     testresult = 1;
6876 
6877  end:
6878     SSL_free(serverssl);
6879     SSL_free(clientssl);
6880     SSL_CTX_free(sctx);
6881     SSL_CTX_free(cctx);
6882 
6883     return testresult;
6884 }
6885 
6886 /*
6887  * Test we can handle a KeyUpdate (update requested) message while
6888  * write data is pending in peer.
6889  * Test 0: Client sends KeyUpdate while Server is writing
6890  * Test 1: Server sends KeyUpdate while Client is writing
6891  */
6892 static int test_key_update_peer_in_write(int tst)
6893 {
6894     SSL_CTX *cctx = NULL, *sctx = NULL;
6895     SSL *clientssl = NULL, *serverssl = NULL;
6896     int testresult = 0;
6897     char buf[20];
6898     static char *mess = "A test message";
6899     BIO *bretry = BIO_new(bio_s_always_retry());
6900     BIO *tmp = NULL;
6901     SSL *peerupdate = NULL, *peerwrite = NULL;
6902 
6903     if (!TEST_ptr(bretry)
6904             || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6905                                               TLS_client_method(),
6906                                               TLS1_3_VERSION,
6907                                               0,
6908                                               &sctx, &cctx, cert, privkey))
6909             || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6910                                              NULL, NULL))
6911             || !TEST_true(create_ssl_connection(serverssl, clientssl,
6912                                                 SSL_ERROR_NONE)))
6913         goto end;
6914 
6915     peerupdate = tst == 0 ? clientssl : serverssl;
6916     peerwrite = tst == 0 ? serverssl : clientssl;
6917 
6918     if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
6919             || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
6920         goto end;
6921 
6922     /* Swap the writing endpoint's write BIO to force a retry */
6923     tmp = SSL_get_wbio(peerwrite);
6924     if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6925         tmp = NULL;
6926         goto end;
6927     }
6928     SSL_set0_wbio(peerwrite, bretry);
6929     bretry = NULL;
6930 
6931     /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6932     if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6933             || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE)
6934             || !TEST_true(SSL_want_write(peerwrite))
6935             || !TEST_true(SSL_net_write_desired(peerwrite)))
6936         goto end;
6937 
6938     /* Reinstate the original writing endpoint's write BIO */
6939     SSL_set0_wbio(peerwrite, tmp);
6940     tmp = NULL;
6941 
6942     /* Now read some data - we will read the key update */
6943     if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6944             || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ)
6945             || !TEST_true(SSL_want_read(peerwrite))
6946             || !TEST_true(SSL_net_read_desired(peerwrite)))
6947         goto end;
6948 
6949     /*
6950      * Complete the write we started previously and read it from the other
6951      * endpoint
6952      */
6953     if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6954             || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6955         goto end;
6956 
6957     /* Write more data to ensure we send the KeyUpdate message back */
6958     if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6959             || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6960         goto end;
6961 
6962     if (!TEST_false(SSL_net_read_desired(peerwrite))
6963         || !TEST_false(SSL_net_write_desired(peerwrite))
6964         || !TEST_int_eq(SSL_want(peerwrite), SSL_NOTHING))
6965         goto end;
6966 
6967     testresult = 1;
6968 
6969  end:
6970     SSL_free(serverssl);
6971     SSL_free(clientssl);
6972     SSL_CTX_free(sctx);
6973     SSL_CTX_free(cctx);
6974     BIO_free(bretry);
6975     BIO_free(tmp);
6976 
6977     return testresult;
6978 }
6979 
6980 /*
6981  * Test we can handle a KeyUpdate (update requested) message while
6982  * peer read data is pending after peer accepted keyupdate(the msg header
6983  * had been read 5 bytes).
6984  * Test 0: Client sends KeyUpdate while Server is reading
6985  * Test 1: Server sends KeyUpdate while Client is reading
6986  */
6987 static int test_key_update_peer_in_read(int tst)
6988 {
6989     SSL_CTX *cctx = NULL, *sctx = NULL;
6990     SSL *clientssl = NULL, *serverssl = NULL;
6991     int testresult = 0;
6992     char prbuf[515], lwbuf[515] = {0};
6993     static char *mess = "A test message";
6994     BIO *lbio = NULL, *pbio = NULL;
6995     SSL *local = NULL, *peer = NULL;
6996 
6997     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6998                                               TLS_client_method(),
6999                                               TLS1_3_VERSION,
7000                                               0,
7001                                               &sctx, &cctx, cert, privkey))
7002             || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7003                                              NULL, NULL))
7004             || !TEST_true(create_ssl_connection(serverssl, clientssl,
7005                                                 SSL_ERROR_NONE)))
7006         goto end;
7007 
7008     local = tst == 0 ? clientssl : serverssl;
7009     peer = tst == 0 ? serverssl : clientssl;
7010 
7011     if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
7012         goto end;
7013 
7014     SSL_set_bio(local, lbio, lbio);
7015     SSL_set_bio(peer, pbio, pbio);
7016 
7017     /*
7018      * we first write keyupdate msg then appdata in local
7019      * write data in local will fail with SSL_ERROR_WANT_WRITE,because
7020      * lwbuf app data msg size + key updata msg size > 512(the size of
7021      * the bio pair buffer)
7022      */
7023     if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
7024             || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
7025             || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
7026         goto end;
7027 
7028     /*
7029      * first read keyupdate msg in peer in peer
7030      * then read appdata that we know will fail with SSL_ERROR_WANT_READ
7031      */
7032     if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
7033             || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
7034         goto end;
7035 
7036     /* Now write some data in peer - we will write the key update */
7037     if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
7038         goto end;
7039 
7040     /*
7041      * write data in local previously that we will complete
7042      * read data in peer previously that we will complete
7043      */
7044     if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
7045             || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
7046         goto end;
7047 
7048     /* check that sending and receiving appdata ok */
7049     if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
7050             || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
7051         goto end;
7052 
7053     testresult = 1;
7054 
7055  end:
7056     SSL_free(serverssl);
7057     SSL_free(clientssl);
7058     SSL_CTX_free(sctx);
7059     SSL_CTX_free(cctx);
7060 
7061     return testresult;
7062 }
7063 
7064 /*
7065  * Test we can't send a KeyUpdate (update requested) message while
7066  * local write data is pending.
7067  * Test 0: Client sends KeyUpdate while Client is writing
7068  * Test 1: Server sends KeyUpdate while Server is writing
7069  */
7070 static int test_key_update_local_in_write(int tst)
7071 {
7072     SSL_CTX *cctx = NULL, *sctx = NULL;
7073     SSL *clientssl = NULL, *serverssl = NULL;
7074     int testresult = 0;
7075     char buf[20];
7076     static char *mess = "A test message";
7077     BIO *bretry = BIO_new(bio_s_always_retry());
7078     BIO *tmp = NULL;
7079     SSL *local = NULL, *peer = NULL;
7080 
7081     if (!TEST_ptr(bretry)
7082             || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7083                                               TLS_client_method(),
7084                                               TLS1_3_VERSION,
7085                                               0,
7086                                               &sctx, &cctx, cert, privkey))
7087             || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7088                                              NULL, NULL))
7089             || !TEST_true(create_ssl_connection(serverssl, clientssl,
7090                                                 SSL_ERROR_NONE)))
7091         goto end;
7092 
7093     local = tst == 0 ? clientssl : serverssl;
7094     peer = tst == 0 ? serverssl : clientssl;
7095 
7096     /* Swap the writing endpoint's write BIO to force a retry */
7097     tmp = SSL_get_wbio(local);
7098     if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
7099         tmp = NULL;
7100         goto end;
7101     }
7102     SSL_set0_wbio(local, bretry);
7103     bretry = NULL;
7104 
7105     /* write data in local will fail with SSL_ERROR_WANT_WRITE */
7106     if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
7107             || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
7108         goto end;
7109 
7110     /* Reinstate the original writing endpoint's write BIO */
7111     SSL_set0_wbio(local, tmp);
7112     tmp = NULL;
7113 
7114     /* SSL_key_update will fail, because writing in local*/
7115     if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
7116         || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
7117     goto end;
7118 
7119     ERR_clear_error();
7120     /* write data in local previously that we will complete */
7121     if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
7122         goto end;
7123 
7124     /* SSL_key_update will succeed because there is no pending write data */
7125     if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
7126         || !TEST_int_eq(SSL_do_handshake(local), 1))
7127         goto end;
7128 
7129     /*
7130      * we write some appdata in local
7131      * read data in peer - we will read the keyupdate msg
7132      */
7133     if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
7134         || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
7135         goto end;
7136 
7137     /* Write more peer more data to ensure we send the keyupdate message back */
7138     if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
7139             || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
7140         goto end;
7141 
7142     testresult = 1;
7143 
7144  end:
7145     SSL_free(serverssl);
7146     SSL_free(clientssl);
7147     SSL_CTX_free(sctx);
7148     SSL_CTX_free(cctx);
7149     BIO_free(bretry);
7150     BIO_free(tmp);
7151 
7152     return testresult;
7153 }
7154 
7155 /*
7156  * Test we can handle a KeyUpdate (update requested) message while
7157  * local read data is pending(the msg header had been read 5 bytes).
7158  * Test 0: Client sends KeyUpdate while Client is reading
7159  * Test 1: Server sends KeyUpdate while Server is reading
7160  */
7161 static int test_key_update_local_in_read(int tst)
7162 {
7163     SSL_CTX *cctx = NULL, *sctx = NULL;
7164     SSL *clientssl = NULL, *serverssl = NULL;
7165     int testresult = 0;
7166     char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
7167     static char *mess = "A test message";
7168     BIO *lbio = NULL, *pbio = NULL;
7169     SSL *local = NULL, *peer = NULL;
7170 
7171     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7172                                               TLS_client_method(),
7173                                               TLS1_3_VERSION,
7174                                               0,
7175                                               &sctx, &cctx, cert, privkey))
7176             || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7177                                              NULL, NULL))
7178             || !TEST_true(create_ssl_connection(serverssl, clientssl,
7179                                                 SSL_ERROR_NONE)))
7180         goto end;
7181 
7182     local = tst == 0 ? clientssl : serverssl;
7183     peer = tst == 0 ? serverssl : clientssl;
7184 
7185     if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
7186         goto end;
7187 
7188     SSL_set_bio(local, lbio, lbio);
7189     SSL_set_bio(peer, pbio, pbio);
7190 
7191     /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
7192     if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
7193         || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
7194         goto end;
7195 
7196     /* read appdata in local will fail with SSL_ERROR_WANT_READ */
7197     if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
7198             || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
7199         goto end;
7200 
7201     /* SSL_do_handshake will send keyupdate msg */
7202     if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
7203             || !TEST_int_eq(SSL_do_handshake(local), 1))
7204         goto end;
7205 
7206     /*
7207      * write data in peer previously that we will complete
7208      * read data in local previously that we will complete
7209      */
7210     if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
7211         || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
7212         goto end;
7213 
7214     /*
7215      * write data in local
7216      * read data in peer - we will read the key update
7217      */
7218     if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
7219         || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
7220         goto end;
7221 
7222   /* Write more peer data to ensure we send the keyupdate message back */
7223     if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
7224             || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
7225         goto end;
7226 
7227     testresult = 1;
7228 
7229  end:
7230     SSL_free(serverssl);
7231     SSL_free(clientssl);
7232     SSL_CTX_free(sctx);
7233     SSL_CTX_free(cctx);
7234 
7235     return testresult;
7236 }
7237 #endif /* OSSL_NO_USABLE_TLS1_3 */
7238 
7239 /*
7240  * Test clearing a connection via SSL_clear(), or resetting it via
7241  * SSL_set_connect_state()/SSL_set_accept_state()
7242  * Test 0: SSL_set_connect_state, TLSv1.3
7243  * Test 1: SSL_set_connect_state, TLSv1.2
7244  * Test 2: SSL_set_accept_state, TLSv1.3
7245  * Test 3: SSL_set_accept_state, TLSv1.2
7246  * Test 4: SSL_clear (client), TLSv1.3
7247  * Test 5: SSL_clear (client), TLSv1.2
7248  * Test 6: SSL_clear (server), TLSv1.3
7249  * Test 7: SSL_clear (server), TLSv1.2
7250  */
7251 static int test_ssl_clear(int idx)
7252 {
7253     SSL_CTX *cctx = NULL, *sctx = NULL;
7254     SSL *clientssl = NULL, *serverssl = NULL;
7255     SSL *writer, *reader;
7256     int testresult = 0;
7257     int tls12test, servertest, cleartest;
7258     size_t written, readbytes;
7259     const char *msg = "Hello World";
7260     unsigned char buf[5];
7261 
7262     tls12test = idx & 1;
7263     idx >>= 1;
7264     servertest = idx & 1;
7265     idx >>= 1;
7266     cleartest = idx & 1;
7267 
7268 #ifdef OPENSSL_NO_TLS1_2
7269     if (tls12test == 1)
7270         return TEST_skip("No TLSv1.2 in this build");
7271 #endif
7272 
7273     /* Create an initial connection */
7274     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7275                                        TLS_client_method(), TLS1_VERSION, 0,
7276                                        &sctx, &cctx, cert, privkey))
7277             || (tls12test
7278                 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
7279                                                             TLS1_2_VERSION)))
7280             || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7281                                           &clientssl, NULL, NULL))
7282             || !TEST_true(create_ssl_connection(serverssl, clientssl,
7283                                                 SSL_ERROR_NONE)))
7284         goto end;
7285 
7286     if (servertest) {
7287         writer = clientssl;
7288         reader = serverssl;
7289     } else {
7290         writer = serverssl;
7291         reader = clientssl;
7292     }
7293 
7294     /* Write some data */
7295     if (!TEST_true(SSL_write_ex(writer, msg, strlen(msg), &written))
7296             || written != strlen(msg))
7297         goto end;
7298 
7299     /*
7300      * Read a partial record. The remaining buffered data should be cleared by
7301      * the subsequent clear/reset
7302      */
7303     if (!TEST_true(SSL_read_ex(reader, buf, sizeof(buf), &readbytes))
7304             || readbytes != sizeof(buf))
7305         goto end;
7306 
7307     SSL_shutdown(clientssl);
7308     SSL_shutdown(serverssl);
7309 
7310     /* Reset/clear one SSL object in order to reuse it. We free the other one */
7311     if (servertest) {
7312         if (cleartest) {
7313             if (!TEST_true(SSL_clear(serverssl)))
7314                 goto end;
7315         } else {
7316             SSL_set_accept_state(serverssl);
7317         }
7318         SSL_free(clientssl);
7319         clientssl = NULL;
7320     } else {
7321         if (cleartest) {
7322             if (!TEST_true(SSL_clear(clientssl)))
7323                 goto end;
7324         } else {
7325             SSL_set_connect_state(clientssl);
7326         }
7327         SSL_free(serverssl);
7328         serverssl = NULL;
7329     }
7330 
7331     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7332                                              NULL, NULL))
7333             || !TEST_true(create_ssl_connection(serverssl, clientssl,
7334                                                 SSL_ERROR_NONE))
7335             || !TEST_true(servertest || SSL_session_reused(clientssl)))
7336         goto end;
7337 
7338     SSL_shutdown(clientssl);
7339     SSL_shutdown(serverssl);
7340 
7341     testresult = 1;
7342 
7343  end:
7344     SSL_free(serverssl);
7345     SSL_free(clientssl);
7346     SSL_CTX_free(sctx);
7347     SSL_CTX_free(cctx);
7348 
7349     return testresult;
7350 }
7351 
7352 /* Parse CH and retrieve any MFL extension value if present */
7353 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
7354 {
7355     long len;
7356     unsigned char *data;
7357     PACKET pkt, pkt2, pkt3;
7358     unsigned int MFL_code = 0, type = 0;
7359 
7360     if (!TEST_uint_gt(len = BIO_get_mem_data(bio, (char **) &data), 0))
7361         goto end;
7362 
7363     memset(&pkt, 0, sizeof(pkt));
7364     memset(&pkt2, 0, sizeof(pkt2));
7365     memset(&pkt3, 0, sizeof(pkt3));
7366 
7367     if (!TEST_long_gt(len, 0)
7368             || !TEST_true(PACKET_buf_init(&pkt, data, len))
7369                /* Skip the record header */
7370             || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
7371                /* Skip the handshake message header */
7372             || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
7373                /* Skip client version and random */
7374             || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
7375                                                + SSL3_RANDOM_SIZE))
7376                /* Skip session id */
7377             || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
7378                /* Skip ciphers */
7379             || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
7380                /* Skip compression */
7381             || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
7382                /* Extensions len */
7383             || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
7384         goto end;
7385 
7386     /* Loop through all extensions */
7387     while (PACKET_remaining(&pkt2)) {
7388         if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
7389                 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
7390             goto end;
7391 
7392         if (type == TLSEXT_TYPE_max_fragment_length) {
7393             if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
7394                     || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
7395                 goto end;
7396 
7397             *mfl_codemfl_code = MFL_code;
7398             return 1;
7399         }
7400     }
7401 
7402  end:
7403     return 0;
7404 }
7405 
7406 /* Maximum-Fragment-Length TLS extension mode to test */
7407 static const unsigned char max_fragment_len_test[] = {
7408     TLSEXT_max_fragment_length_512,
7409     TLSEXT_max_fragment_length_1024,
7410     TLSEXT_max_fragment_length_2048,
7411     TLSEXT_max_fragment_length_4096
7412 };
7413 
7414 static int test_max_fragment_len_ext(int idx_tst)
7415 {
7416     SSL_CTX *ctx = NULL;
7417     SSL *con = NULL;
7418     int testresult = 0, MFL_mode = 0;
7419     BIO *rbio, *wbio;
7420 
7421     if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
7422                                        TLS1_VERSION, 0, NULL, &ctx, NULL,
7423                                        NULL)))
7424         return 0;
7425 
7426     if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
7427                    ctx, max_fragment_len_test[idx_tst])))
7428         goto end;
7429 
7430     con = SSL_new(ctx);
7431     if (!TEST_ptr(con))
7432         goto end;
7433 
7434     rbio = BIO_new(BIO_s_mem());
7435     wbio = BIO_new(BIO_s_mem());
7436     if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
7437         BIO_free(rbio);
7438         BIO_free(wbio);
7439         goto end;
7440     }
7441 
7442     SSL_set_bio(con, rbio, wbio);
7443 
7444     if (!TEST_int_le(SSL_connect(con), 0)) {
7445         /* This shouldn't succeed because we don't have a server! */
7446         goto end;
7447     }
7448 
7449     if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
7450         /* no MFL in client hello */
7451         goto end;
7452     if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
7453         goto end;
7454 
7455     testresult = 1;
7456 
7457 end:
7458     SSL_free(con);
7459     SSL_CTX_free(ctx);
7460 
7461     return testresult;
7462 }
7463 
7464 #ifndef OSSL_NO_USABLE_TLS1_3
7465 static int test_pha_key_update(void)
7466 {
7467     SSL_CTX *cctx = NULL, *sctx = NULL;
7468     SSL *clientssl = NULL, *serverssl = NULL;
7469     int testresult = 0;
7470 
7471     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7472                                        TLS_client_method(), TLS1_VERSION, 0,
7473                                        &sctx, &cctx, cert, privkey)))
7474         return 0;
7475 
7476     if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
7477         || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
7478         || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
7479         || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
7480         goto end;
7481 
7482     SSL_CTX_set_post_handshake_auth(cctx, 1);
7483 
7484     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7485                                       NULL, NULL)))
7486         goto end;
7487 
7488     if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7489                                          SSL_ERROR_NONE)))
7490         goto end;
7491 
7492     SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7493     if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7494         goto end;
7495 
7496     if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
7497         goto end;
7498 
7499     /* Start handshake on the server */
7500     if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
7501         goto end;
7502 
7503     /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
7504     if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7505                                          SSL_ERROR_NONE)))
7506         goto end;
7507 
7508     SSL_shutdown(clientssl);
7509     SSL_shutdown(serverssl);
7510 
7511     testresult = 1;
7512 
7513  end:
7514     SSL_free(serverssl);
7515     SSL_free(clientssl);
7516     SSL_CTX_free(sctx);
7517     SSL_CTX_free(cctx);
7518     return testresult;
7519 }
7520 #endif
7521 
7522 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7523 
7524 static SRP_VBASE *vbase = NULL;
7525 
7526 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
7527 {
7528     int ret = SSL3_AL_FATAL;
7529     char *username;
7530     SRP_user_pwd *user = NULL;
7531 
7532     username = SSL_get_srp_username(s);
7533     if (username == NULL) {
7534         *ad = SSL_AD_INTERNAL_ERROR;
7535         goto err;
7536     }
7537 
7538     user = SRP_VBASE_get1_by_user(vbase, username);
7539     if (user == NULL) {
7540         *ad = SSL_AD_INTERNAL_ERROR;
7541         goto err;
7542     }
7543 
7544     if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
7545                                  user->info) <= 0) {
7546         *ad = SSL_AD_INTERNAL_ERROR;
7547         goto err;
7548     }
7549 
7550     ret = 0;
7551 
7552  err:
7553     SRP_user_pwd_free(user);
7554     return ret;
7555 }
7556 
7557 static int create_new_vfile(char *userid, char *password, const char *filename)
7558 {
7559     char *gNid = NULL;
7560     OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
7561     TXT_DB *db = NULL;
7562     int ret = 0;
7563     BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
7564     size_t i;
7565 
7566     if (!TEST_ptr(dummy) || !TEST_ptr(row))
7567         goto end;
7568 
7569     gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
7570                                   &row[DB_srpverifier], NULL, NULL, libctx, NULL);
7571     if (!TEST_ptr(gNid))
7572         goto end;
7573 
7574     /*
7575      * The only way to create an empty TXT_DB is to provide a BIO with no data
7576      * in it!
7577      */
7578     db = TXT_DB_read(dummy, DB_NUMBER);
7579     if (!TEST_ptr(db))
7580         goto end;
7581 
7582     out = BIO_new_file(filename, "w");
7583     if (!TEST_ptr(out))
7584         goto end;
7585 
7586     row[DB_srpid] = OPENSSL_strdup(userid);
7587     row[DB_srptype] = OPENSSL_strdup("V");
7588     row[DB_srpgN] = OPENSSL_strdup(gNid);
7589 
7590     if (!TEST_ptr(row[DB_srpid])
7591             || !TEST_ptr(row[DB_srptype])
7592             || !TEST_ptr(row[DB_srpgN])
7593             || !TEST_true(TXT_DB_insert(db, row)))
7594         goto end;
7595 
7596     row = NULL;
7597 
7598     if (TXT_DB_write(out, db) <= 0)
7599         goto end;
7600 
7601     ret = 1;
7602  end:
7603     if (row != NULL) {
7604         for (i = 0; i < DB_NUMBER; i++)
7605             OPENSSL_free(row[i]);
7606     }
7607     OPENSSL_free(row);
7608     BIO_free(dummy);
7609     BIO_free(out);
7610     TXT_DB_free(db);
7611 
7612     return ret;
7613 }
7614 
7615 static int create_new_vbase(char *userid, char *password)
7616 {
7617     BIGNUM *verifier = NULL, *salt = NULL;
7618     const SRP_gN *lgN = NULL;
7619     SRP_user_pwd *user_pwd = NULL;
7620     int ret = 0;
7621 
7622     lgN = SRP_get_default_gN(NULL);
7623     if (!TEST_ptr(lgN))
7624         goto end;
7625 
7626     if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
7627                                              lgN->N, lgN->g, libctx, NULL)))
7628         goto end;
7629 
7630     user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
7631     if (!TEST_ptr(user_pwd))
7632         goto end;
7633 
7634     user_pwd->N = lgN->N;
7635     user_pwd->g = lgN->g;
7636     user_pwd->id = OPENSSL_strdup(userid);
7637     if (!TEST_ptr(user_pwd->id))
7638         goto end;
7639 
7640     user_pwd->v = verifier;
7641     user_pwd->s = salt;
7642     verifier = salt = NULL;
7643 
7644     if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
7645         goto end;
7646     user_pwd = NULL;
7647 
7648     ret = 1;
7649 end:
7650     SRP_user_pwd_free(user_pwd);
7651     BN_free(salt);
7652     BN_free(verifier);
7653 
7654     return ret;
7655 }
7656 
7657 /*
7658  * SRP tests
7659  *
7660  * Test 0: Simple successful SRP connection, new vbase
7661  * Test 1: Connection failure due to bad password, new vbase
7662  * Test 2: Simple successful SRP connection, vbase loaded from existing file
7663  * Test 3: Connection failure due to bad password, vbase loaded from existing
7664  *         file
7665  * Test 4: Simple successful SRP connection, vbase loaded from new file
7666  * Test 5: Connection failure due to bad password, vbase loaded from new file
7667  */
7668 static int test_srp(int tst)
7669 {
7670     char *userid = "test", *password = "password", *tstsrpfile;
7671     SSL_CTX *cctx = NULL, *sctx = NULL;
7672     SSL *clientssl = NULL, *serverssl = NULL;
7673     int ret, testresult = 0;
7674 
7675     vbase = SRP_VBASE_new(NULL);
7676     if (!TEST_ptr(vbase))
7677         goto end;
7678 
7679     if (tst == 0 || tst == 1) {
7680         if (!TEST_true(create_new_vbase(userid, password)))
7681             goto end;
7682     } else {
7683         if (tst == 4 || tst == 5) {
7684             if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
7685                 goto end;
7686             tstsrpfile = tmpfilename;
7687         } else {
7688             tstsrpfile = srpvfile;
7689         }
7690         if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
7691             goto end;
7692     }
7693 
7694     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7695                                        TLS_client_method(), TLS1_VERSION, 0,
7696                                        &sctx, &cctx, cert, privkey)))
7697         goto end;
7698 
7699     if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
7700             || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
7701             || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
7702             || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
7703             || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
7704         goto end;
7705 
7706     if (tst % 2 == 1) {
7707         if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
7708             goto end;
7709     } else {
7710         if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
7711             goto end;
7712     }
7713 
7714     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7715                                       NULL, NULL)))
7716         goto end;
7717 
7718     ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7719     if (ret) {
7720         if (!TEST_true(tst % 2 == 0))
7721             goto end;
7722     } else {
7723         if (!TEST_true(tst % 2 == 1))
7724             goto end;
7725     }
7726 
7727     testresult = 1;
7728 
7729  end:
7730     SRP_VBASE_free(vbase);
7731     vbase = NULL;
7732     SSL_free(serverssl);
7733     SSL_free(clientssl);
7734     SSL_CTX_free(sctx);
7735     SSL_CTX_free(cctx);
7736 
7737     return testresult;
7738 }
7739 #endif
7740 
7741 static int info_cb_failed = 0;
7742 static int info_cb_offset = 0;
7743 static int info_cb_this_state = -1;
7744 
7745 static struct info_cb_states_st {
7746     int where;
7747     const char *statestr;
7748 } info_cb_states[][60] = {
7749     {
7750         /* TLSv1.2 server followed by resumption */
7751         {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7752         {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7753         {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
7754         {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
7755         {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
7756         {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7757         {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7758         {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7759         {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
7760         {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7761         {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
7762         {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7763         {SSL_CB_EXIT, NULL}, {0, NULL},
7764     }, {
7765         /* TLSv1.2 client followed by resumption */
7766         {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7767         {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7768         {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
7769         {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
7770         {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
7771         {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7772         {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7773         {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7774         {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7775         {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7776         {SSL_CB_LOOP, "TWCCS"},  {SSL_CB_LOOP, "TWFIN"},
7777         {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
7778     }, {
7779         /* TLSv1.3 server followed by resumption */
7780         {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7781         {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7782         {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
7783         {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7784         {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7785         {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7786         {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7787         {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7788         {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7789         {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7790         {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7791         {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7792         {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7793     }, {
7794         /* TLSv1.3 client followed by resumption */
7795         {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7796         {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7797         {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7798         {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7799         {SSL_CB_LOOP, "TWFIN"},  {SSL_CB_HANDSHAKE_DONE, NULL},
7800         {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7801         {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7802         {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7803         {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7804         {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7805         {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"},  {SSL_CB_LOOP, "TREE"},
7806         {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7807         {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7808         {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7809         {SSL_CB_EXIT, NULL}, {0, NULL},
7810     }, {
7811         /* TLSv1.3 server, early_data */
7812         {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7813         {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7814         {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7815         {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7816         {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7817         {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
7818         {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7819         {SSL_CB_EXIT, NULL}, {0, NULL},
7820     }, {
7821         /* TLSv1.3 client, early_data */
7822         {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7823         {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7824         {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7825         {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7826         {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7827         {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7828         {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7829         {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7830         {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7831     }, {
7832         /* TLSv1.3 server, certificate compression, followed by resumption */
7833         {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7834         {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7835         {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSCC"},
7836         {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7837         {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7838         {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7839         {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7840         {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7841         {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7842         {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7843         {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7844         {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7845         {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7846     }, {
7847         /* TLSv1.3 client, certificate compression, followed by resumption */
7848         {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7849         {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7850         {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSCC"},
7851         {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7852         {SSL_CB_LOOP, "TWFIN"},  {SSL_CB_HANDSHAKE_DONE, NULL},
7853         {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7854         {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7855         {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7856         {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7857         {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7858         {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"},  {SSL_CB_LOOP, "TREE"},
7859         {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7860         {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7861         {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7862         {SSL_CB_EXIT, NULL}, {0, NULL},
7863     }, {
7864         {0, NULL},
7865     }
7866 };
7867 
7868 static void sslapi_info_callback(const SSL *s, int where, int ret)
7869 {
7870     struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7871 
7872     /* We do not ever expect a connection to fail in this test */
7873     if (!TEST_false(ret == 0)) {
7874         info_cb_failed = 1;
7875         return;
7876     }
7877 
7878     /*
7879      * Do some sanity checks. We never expect these things to happen in this
7880      * test
7881      */
7882     if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7883             || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7884             || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7885         info_cb_failed = 1;
7886         return;
7887     }
7888 
7889     /* Now check we're in the right state */
7890     if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7891         info_cb_failed = 1;
7892         return;
7893     }
7894     if ((where & SSL_CB_LOOP) != 0
7895             && !TEST_int_eq(strcmp(SSL_state_string(s),
7896                             state[info_cb_this_state].statestr), 0)) {
7897         info_cb_failed = 1;
7898         return;
7899     }
7900 
7901     /*
7902      * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7903      */
7904     if ((where & SSL_CB_HANDSHAKE_DONE)
7905             && SSL_in_init((SSL *)s) != 0) {
7906         info_cb_failed = 1;
7907         return;
7908     }
7909 }
7910 
7911 /*
7912  * Test the info callback gets called when we expect it to.
7913  *
7914  * Test 0: TLSv1.2, server
7915  * Test 1: TLSv1.2, client
7916  * Test 2: TLSv1.3, server
7917  * Test 3: TLSv1.3, client
7918  * Test 4: TLSv1.3, server, early_data
7919  * Test 5: TLSv1.3, client, early_data
7920  * Test 6: TLSv1.3, server, compressed certificate
7921  * Test 7: TLSv1.3, client, compressed certificate
7922  */
7923 static int test_info_callback(int tst)
7924 {
7925     SSL_CTX *cctx = NULL, *sctx = NULL;
7926     SSL *clientssl = NULL, *serverssl = NULL;
7927     SSL_SESSION *clntsess = NULL;
7928     int testresult = 0;
7929     int tlsvers;
7930 
7931     if (tst < 2) {
7932 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
7933 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7934                                     || !defined(OPENSSL_NO_DH))
7935         tlsvers = TLS1_2_VERSION;
7936 #else
7937         return 1;
7938 #endif
7939     } else {
7940 #ifndef OSSL_NO_USABLE_TLS1_3
7941         tlsvers = TLS1_3_VERSION;
7942 #else
7943         return 1;
7944 #endif
7945     }
7946 
7947     /* Reset globals */
7948     info_cb_failed = 0;
7949     info_cb_this_state = -1;
7950     info_cb_offset = tst;
7951 
7952 #ifndef OSSL_NO_USABLE_TLS1_3
7953     if (tst >= 4 && tst < 6) {
7954         SSL_SESSION *sess = NULL;
7955         size_t written, readbytes;
7956         unsigned char buf[80];
7957         OSSL_TIME timer;
7958 
7959         /* early_data tests */
7960         if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
7961                                             &serverssl, &sess, 0,
7962                                             SHA384_DIGEST_LENGTH)))
7963             goto end;
7964 
7965         /* We don't actually need this reference */
7966         SSL_SESSION_free(sess);
7967 
7968         SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7969                               sslapi_info_callback);
7970 
7971         /* Write and read some early data and then complete the connection */
7972         timer = ossl_time_now();
7973         if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7974                                             &written))
7975                 || !TEST_size_t_eq(written, strlen(MSG1)))
7976             goto end;
7977 
7978         if (!TEST_int_eq(SSL_read_early_data(serverssl, buf,
7979                                              sizeof(buf), &readbytes),
7980                          SSL_READ_EARLY_DATA_SUCCESS)) {
7981             testresult = check_early_data_timeout(timer);
7982             goto end;
7983         }
7984 
7985         if (!TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7986                 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7987                                 SSL_EARLY_DATA_ACCEPTED)
7988                 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7989                                                     SSL_ERROR_NONE))
7990                 || !TEST_false(info_cb_failed))
7991             goto end;
7992 
7993         testresult = 1;
7994         goto end;
7995     }
7996 #endif
7997 
7998     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7999                                        TLS_client_method(),
8000                                        tlsvers, tlsvers, &sctx, &cctx, cert,
8001                                        privkey)))
8002         goto end;
8003 
8004     if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
8005         goto end;
8006 
8007     /*
8008      * For even numbered tests we check the server callbacks. For odd numbers we
8009      * check the client.
8010      */
8011     SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
8012                               sslapi_info_callback);
8013     if (tst >= 6) {
8014         if (!SSL_CTX_compress_certs(sctx, 0))
8015             goto end;
8016     }
8017 
8018     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
8019                                           &clientssl, NULL, NULL))
8020         || !TEST_true(create_ssl_connection(serverssl, clientssl,
8021                                             SSL_ERROR_NONE))
8022         || !TEST_false(info_cb_failed))
8023     goto end;
8024 
8025 
8026 
8027     clntsess = SSL_get1_session(clientssl);
8028     SSL_shutdown(clientssl);
8029     SSL_shutdown(serverssl);
8030     SSL_free(serverssl);
8031     SSL_free(clientssl);
8032     serverssl = clientssl = NULL;
8033 
8034     /* Now do a resumption */
8035     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8036                                       NULL))
8037             || !TEST_true(SSL_set_session(clientssl, clntsess))
8038             || !TEST_true(create_ssl_connection(serverssl, clientssl,
8039                                                 SSL_ERROR_NONE))
8040             || !TEST_true(SSL_session_reused(clientssl))
8041             || !TEST_false(info_cb_failed))
8042         goto end;
8043 
8044     testresult = 1;
8045 
8046  end:
8047     SSL_free(serverssl);
8048     SSL_free(clientssl);
8049     SSL_SESSION_free(clntsess);
8050     SSL_CTX_free(sctx);
8051     SSL_CTX_free(cctx);
8052     return testresult;
8053 }
8054 
8055 static int test_ssl_pending(int tst)
8056 {
8057     SSL_CTX *cctx = NULL, *sctx = NULL;
8058     SSL *clientssl = NULL, *serverssl = NULL;
8059     int testresult = 0;
8060     char msg[] = "A test message";
8061     char buf[5];
8062     size_t written, readbytes;
8063 
8064     if (tst == 0) {
8065         if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8066                                            TLS_client_method(),
8067                                            TLS1_VERSION, 0,
8068                                            &sctx, &cctx, cert, privkey)))
8069             goto end;
8070     } else {
8071 #ifndef OPENSSL_NO_DTLS
8072         if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
8073                                            DTLS_client_method(),
8074                                            DTLS1_VERSION, 0,
8075                                            &sctx, &cctx, cert, privkey)))
8076             goto end;
8077 
8078 # ifdef OPENSSL_NO_DTLS1_2
8079         /* Not supported in the FIPS provider */
8080         if (is_fips) {
8081             testresult = 1;
8082             goto end;
8083         };
8084         /*
8085          * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
8086          * level 0
8087          */
8088         if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
8089                 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
8090                                                     "DEFAULT:@SECLEVEL=0")))
8091             goto end;
8092 # endif
8093 #else
8094         return 1;
8095 #endif
8096     }
8097 
8098     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8099                                              NULL, NULL))
8100             || !TEST_true(create_ssl_connection(serverssl, clientssl,
8101                                                 SSL_ERROR_NONE)))
8102         goto end;
8103 
8104     if (!TEST_int_eq(SSL_pending(clientssl), 0)
8105             || !TEST_false(SSL_has_pending(clientssl))
8106             || !TEST_int_eq(SSL_pending(serverssl), 0)
8107             || !TEST_false(SSL_has_pending(serverssl))
8108             || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8109             || !TEST_size_t_eq(written, sizeof(msg))
8110             || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
8111             || !TEST_size_t_eq(readbytes, sizeof(buf))
8112             || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
8113             || !TEST_true(SSL_has_pending(clientssl)))
8114         goto end;
8115 
8116     testresult = 1;
8117 
8118  end:
8119     SSL_free(serverssl);
8120     SSL_free(clientssl);
8121     SSL_CTX_free(sctx);
8122     SSL_CTX_free(cctx);
8123 
8124     return testresult;
8125 }
8126 
8127 static struct {
8128     unsigned int maxprot;
8129     const char *clntciphers;
8130     const char *clnttls13ciphers;
8131     const char *srvrciphers;
8132     const char *srvrtls13ciphers;
8133     const char *shared;
8134     const char *fipsshared;
8135 } shared_ciphers_data[] = {
8136 /*
8137  * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
8138  * TLSv1.3 is enabled but TLSv1.2 is disabled.
8139  */
8140 #if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
8141     {
8142         TLS1_2_VERSION,
8143         "AES128-SHA:AES256-SHA",
8144         NULL,
8145         "AES256-SHA:DHE-RSA-AES128-SHA",
8146         NULL,
8147         "AES256-SHA",
8148         "AES256-SHA"
8149     },
8150 # if !defined(OPENSSL_NO_CHACHA) \
8151      && !defined(OPENSSL_NO_POLY1305) \
8152      && !defined(OPENSSL_NO_EC)
8153     {
8154         TLS1_2_VERSION,
8155         "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
8156         NULL,
8157         "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
8158         NULL,
8159         "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
8160         "AES128-SHA"
8161     },
8162 # endif
8163     {
8164         TLS1_2_VERSION,
8165         "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
8166         NULL,
8167         "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
8168         NULL,
8169         "AES128-SHA:AES256-SHA",
8170         "AES128-SHA:AES256-SHA"
8171     },
8172     {
8173         TLS1_2_VERSION,
8174         "AES128-SHA:AES256-SHA",
8175         NULL,
8176         "AES128-SHA:DHE-RSA-AES128-SHA",
8177         NULL,
8178         "AES128-SHA",
8179         "AES128-SHA"
8180     },
8181 #endif
8182 /*
8183  * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
8184  * enabled.
8185  */
8186 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
8187     && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
8188     {
8189         TLS1_3_VERSION,
8190         "AES128-SHA:AES256-SHA",
8191         NULL,
8192         "AES256-SHA:AES128-SHA256",
8193         NULL,
8194         "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
8195         "TLS_AES_128_GCM_SHA256:AES256-SHA",
8196         "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
8197     },
8198 #endif
8199 #ifndef OSSL_NO_USABLE_TLS1_3
8200     {
8201         TLS1_3_VERSION,
8202         "AES128-SHA",
8203         "TLS_AES_256_GCM_SHA384",
8204         "AES256-SHA",
8205         "TLS_AES_256_GCM_SHA384",
8206         "TLS_AES_256_GCM_SHA384",
8207         "TLS_AES_256_GCM_SHA384"
8208     },
8209 #endif
8210 };
8211 
8212 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
8213 {
8214     SSL_CTX *cctx = NULL, *sctx = NULL;
8215     SSL *clientssl = NULL, *serverssl = NULL;
8216     int testresult = 0;
8217     char buf[1024];
8218     OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
8219 
8220     if (!TEST_ptr(tmplibctx))
8221         goto end;
8222 
8223     /*
8224      * Regardless of whether we're testing with the FIPS provider loaded into
8225      * libctx, we want one peer to always use the full set of ciphersuites
8226      * available. Therefore we use a separate libctx with the default provider
8227      * loaded into it. We run the same tests twice - once with the client side
8228      * having the full set of ciphersuites and once with the server side.
8229      */
8230     if (clnt) {
8231         cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
8232         if (!TEST_ptr(cctx))
8233             goto end;
8234     } else {
8235         sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
8236         if (!TEST_ptr(sctx))
8237             goto end;
8238     }
8239 
8240     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8241                                        TLS_client_method(),
8242                                        TLS1_VERSION,
8243                                        shared_ciphers_data[tst].maxprot,
8244                                        &sctx, &cctx, cert, privkey)))
8245         goto end;
8246 
8247     if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8248                                         shared_ciphers_data[tst].clntciphers))
8249             || (shared_ciphers_data[tst].clnttls13ciphers != NULL
8250                 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
8251                                     shared_ciphers_data[tst].clnttls13ciphers)))
8252             || !TEST_true(SSL_CTX_set_cipher_list(sctx,
8253                                         shared_ciphers_data[tst].srvrciphers))
8254             || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
8255                 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
8256                                     shared_ciphers_data[tst].srvrtls13ciphers))))
8257         goto end;
8258 
8259 
8260     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8261                                              NULL, NULL))
8262             || !TEST_true(create_ssl_connection(serverssl, clientssl,
8263                                                 SSL_ERROR_NONE)))
8264         goto end;
8265 
8266     if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
8267             || !TEST_int_eq(strcmp(buf,
8268                                    is_fips
8269                                    ? shared_ciphers_data[tst].fipsshared
8270                                    : shared_ciphers_data[tst].shared),
8271                                    0)) {
8272         TEST_info("Shared ciphers are: %s\n", buf);
8273         goto end;
8274     }
8275 
8276     testresult = 1;
8277 
8278  end:
8279     SSL_free(serverssl);
8280     SSL_free(clientssl);
8281     SSL_CTX_free(sctx);
8282     SSL_CTX_free(cctx);
8283     OSSL_LIB_CTX_free(tmplibctx);
8284 
8285     return testresult;
8286 }
8287 
8288 static int test_ssl_get_shared_ciphers(int tst)
8289 {
8290     return int_test_ssl_get_shared_ciphers(tst, 0)
8291            && int_test_ssl_get_shared_ciphers(tst, 1);
8292 }
8293 
8294 
8295 static const char *appdata = "Hello World";
8296 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
8297 static int tick_key_renew = 0;
8298 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
8299 
8300 static int gen_tick_cb(SSL *s, void *arg)
8301 {
8302     gen_tick_called = 1;
8303 
8304     return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
8305                                            strlen(appdata));
8306 }
8307 
8308 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
8309                                      const unsigned char *keyname,
8310                                      size_t keyname_length,
8311                                      SSL_TICKET_STATUS status,
8312                                      void *arg)
8313 {
8314     void *tickdata;
8315     size_t tickdlen;
8316 
8317     dec_tick_called = 1;
8318 
8319     if (status == SSL_TICKET_EMPTY)
8320         return SSL_TICKET_RETURN_IGNORE_RENEW;
8321 
8322     if (!TEST_true(status == SSL_TICKET_SUCCESS
8323                    || status == SSL_TICKET_SUCCESS_RENEW))
8324         return SSL_TICKET_RETURN_ABORT;
8325 
8326     if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
8327                                                    &tickdlen))
8328             || !TEST_size_t_eq(tickdlen, strlen(appdata))
8329             || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
8330         return SSL_TICKET_RETURN_ABORT;
8331 
8332     if (tick_key_cb_called)  {
8333         /* Don't change what the ticket key callback wanted to do */
8334         switch (status) {
8335         case SSL_TICKET_NO_DECRYPT:
8336             return SSL_TICKET_RETURN_IGNORE_RENEW;
8337 
8338         case SSL_TICKET_SUCCESS:
8339             return SSL_TICKET_RETURN_USE;
8340 
8341         case SSL_TICKET_SUCCESS_RENEW:
8342             return SSL_TICKET_RETURN_USE_RENEW;
8343 
8344         default:
8345             return SSL_TICKET_RETURN_ABORT;
8346         }
8347     }
8348     return tick_dec_ret;
8349 
8350 }
8351 
8352 #ifndef OPENSSL_NO_DEPRECATED_3_0
8353 static int tick_key_cb(SSL *s, unsigned char key_name[16],
8354                        unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
8355                        HMAC_CTX *hctx, int enc)
8356 {
8357     const unsigned char tick_aes_key[16] = "0123456789abcdef";
8358     const unsigned char tick_hmac_key[16] = "0123456789abcdef";
8359     EVP_CIPHER *aes128cbc;
8360     EVP_MD *sha256;
8361     int ret;
8362 
8363     tick_key_cb_called = 1;
8364 
8365     if (tick_key_renew == -1)
8366         return 0;
8367 
8368     aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
8369     if (!TEST_ptr(aes128cbc))
8370         return 0;
8371     sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
8372     if (!TEST_ptr(sha256)) {
8373         EVP_CIPHER_free(aes128cbc);
8374         return 0;
8375     }
8376 
8377     memset(iv, 0, AES_BLOCK_SIZE);
8378     memset(key_name, 0, 16);
8379     if (aes128cbc == NULL
8380             || sha256 == NULL
8381             || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
8382             || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
8383                              NULL))
8384         ret = -1;
8385     else
8386         ret = tick_key_renew ? 2 : 1;
8387 
8388     EVP_CIPHER_free(aes128cbc);
8389     EVP_MD_free(sha256);
8390 
8391     return ret;
8392 }
8393 #endif
8394 
8395 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
8396                            unsigned char iv[EVP_MAX_IV_LENGTH],
8397                            EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
8398 {
8399     const unsigned char tick_aes_key[16] = "0123456789abcdef";
8400     unsigned char tick_hmac_key[16] = "0123456789abcdef";
8401     OSSL_PARAM params[2];
8402     EVP_CIPHER *aes128cbc;
8403     int ret;
8404 
8405     tick_key_cb_called = 1;
8406 
8407     if (tick_key_renew == -1)
8408         return 0;
8409 
8410     aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
8411     if (!TEST_ptr(aes128cbc))
8412         return 0;
8413 
8414     memset(iv, 0, AES_BLOCK_SIZE);
8415     memset(key_name, 0, 16);
8416     params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
8417                                                  "SHA256", 0);
8418     params[1] = OSSL_PARAM_construct_end();
8419     if (aes128cbc == NULL
8420             || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
8421             || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
8422                              params))
8423         ret = -1;
8424     else
8425         ret = tick_key_renew ? 2 : 1;
8426 
8427     EVP_CIPHER_free(aes128cbc);
8428 
8429     return ret;
8430 }
8431 
8432 /*
8433  * Test the various ticket callbacks
8434  * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
8435  * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
8436  * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
8437  * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
8438  * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
8439  * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
8440  * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
8441  * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
8442  * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
8443  * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
8444  * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
8445  * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
8446  * Test 12: TLSv1.2, old ticket key callback, no ticket
8447  * Test 13: TLSv1.3, old ticket key callback, no ticket
8448  * Test 14: TLSv1.2, ticket key callback, ticket, no renewal
8449  * Test 15: TLSv1.3, ticket key callback, ticket, no renewal
8450  * Test 16: TLSv1.2, ticket key callback, ticket, renewal
8451  * Test 17: TLSv1.3, ticket key callback, ticket, renewal
8452  * Test 18: TLSv1.2, ticket key callback, no ticket
8453  * Test 19: TLSv1.3, ticket key callback, no ticket
8454  */
8455 static int test_ticket_callbacks(int tst)
8456 {
8457     SSL_CTX *cctx = NULL, *sctx = NULL;
8458     SSL *clientssl = NULL, *serverssl = NULL;
8459     SSL_SESSION *clntsess = NULL;
8460     int testresult = 0;
8461 
8462 #ifdef OPENSSL_NO_TLS1_2
8463     if (tst % 2 == 0)
8464         return 1;
8465 #endif
8466 #ifdef OSSL_NO_USABLE_TLS1_3
8467     if (tst % 2 == 1)
8468         return 1;
8469 #endif
8470 #ifdef OPENSSL_NO_DEPRECATED_3_0
8471     if (tst >= 8 && tst <= 13)
8472         return 1;
8473 #endif
8474 
8475     gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
8476 
8477     /* Which tests the ticket key callback should request renewal for */
8478 
8479     if (tst == 10 || tst == 11 || tst == 16 || tst == 17)
8480         tick_key_renew = 1;
8481     else if (tst == 12 || tst == 13 || tst == 18 || tst == 19)
8482         tick_key_renew = -1; /* abort sending the ticket/0-length ticket */
8483     else
8484         tick_key_renew = 0;
8485 
8486     /* Which tests the decrypt ticket callback should request renewal for */
8487     switch (tst) {
8488     case 0:
8489     case 1:
8490         tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
8491         break;
8492 
8493     case 2:
8494     case 3:
8495         tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
8496         break;
8497 
8498     case 4:
8499     case 5:
8500         tick_dec_ret = SSL_TICKET_RETURN_USE;
8501         break;
8502 
8503     case 6:
8504     case 7:
8505         tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
8506         break;
8507 
8508     default:
8509         tick_dec_ret = SSL_TICKET_RETURN_ABORT;
8510     }
8511 
8512     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8513                                        TLS_client_method(),
8514                                        TLS1_VERSION,
8515                                        ((tst % 2) == 0) ? TLS1_2_VERSION
8516                                                         : TLS1_3_VERSION,
8517                                        &sctx, &cctx, cert, privkey)))
8518         goto end;
8519 
8520     /*
8521      * We only want sessions to resume from tickets - not the session cache. So
8522      * switch the cache off.
8523      */
8524     if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
8525         goto end;
8526 
8527     if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
8528                                                  NULL)))
8529         goto end;
8530 
8531     if (tst >= 14) {
8532         if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
8533             goto end;
8534 #ifndef OPENSSL_NO_DEPRECATED_3_0
8535     } else if (tst >= 8) {
8536         if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
8537             goto end;
8538 #endif
8539     }
8540 
8541     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8542                                              NULL, NULL))
8543             || !TEST_true(create_ssl_connection(serverssl, clientssl,
8544                                                 SSL_ERROR_NONE)))
8545         goto end;
8546 
8547     /*
8548      * The decrypt ticket key callback in TLSv1.2 should be called even though
8549      * we have no ticket yet, because it gets called with a status of
8550      * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
8551      * actually send any ticket data). This does not happen in TLSv1.3 because
8552      * it is not valid to send empty ticket data in TLSv1.3.
8553      */
8554     if (!TEST_int_eq(gen_tick_called, 1)
8555             || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
8556         goto end;
8557 
8558     gen_tick_called = dec_tick_called = 0;
8559 
8560     clntsess = SSL_get1_session(clientssl);
8561     SSL_shutdown(clientssl);
8562     SSL_shutdown(serverssl);
8563     SSL_free(serverssl);
8564     SSL_free(clientssl);
8565     serverssl = clientssl = NULL;
8566 
8567     /* Now do a resumption */
8568     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8569                                       NULL))
8570             || !TEST_true(SSL_set_session(clientssl, clntsess))
8571             || !TEST_true(create_ssl_connection(serverssl, clientssl,
8572                                                 SSL_ERROR_NONE)))
8573         goto end;
8574 
8575     if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
8576             || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8577             || tick_key_renew == -1) {
8578         if (!TEST_false(SSL_session_reused(clientssl)))
8579             goto end;
8580     } else {
8581         if (!TEST_true(SSL_session_reused(clientssl)))
8582             goto end;
8583     }
8584 
8585     if (!TEST_int_eq(gen_tick_called,
8586                      (tick_key_renew
8587                       || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8588                       || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
8589                      ? 1 : 0)
8590                /* There is no ticket to decrypt in tests 13 and 19 */
8591             || !TEST_int_eq(dec_tick_called, (tst == 13 || tst == 19) ? 0 : 1))
8592         goto end;
8593 
8594     testresult = 1;
8595 
8596  end:
8597     SSL_SESSION_free(clntsess);
8598     SSL_free(serverssl);
8599     SSL_free(clientssl);
8600     SSL_CTX_free(sctx);
8601     SSL_CTX_free(cctx);
8602 
8603     return testresult;
8604 }
8605 
8606 /*
8607  * Test incorrect shutdown.
8608  * Test 0: client does not shutdown properly,
8609  *         server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
8610  *         server should get SSL_ERROR_SSL
8611  * Test 1: client does not shutdown properly,
8612  *         server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
8613  *         server should get SSL_ERROR_ZERO_RETURN
8614  */
8615 static int test_incorrect_shutdown(int tst)
8616 {
8617     SSL_CTX *cctx = NULL, *sctx = NULL;
8618     SSL *clientssl = NULL, *serverssl = NULL;
8619     int testresult = 0;
8620     char buf[80];
8621     BIO *c2s;
8622 
8623     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8624                                        TLS_client_method(), 0, 0,
8625                                        &sctx, &cctx, cert, privkey)))
8626         goto end;
8627 
8628     if (tst == 1)
8629         SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
8630 
8631     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8632                                             NULL, NULL)))
8633         goto end;
8634 
8635     if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8636                                               SSL_ERROR_NONE)))
8637         goto end;
8638 
8639     c2s = SSL_get_rbio(serverssl);
8640     BIO_set_mem_eof_return(c2s, 0);
8641 
8642     if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
8643         goto end;
8644 
8645     if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
8646         goto end;
8647     if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
8648         goto end;
8649 
8650     testresult = 1;
8651 
8652  end:
8653     SSL_free(serverssl);
8654     SSL_free(clientssl);
8655     SSL_CTX_free(sctx);
8656     SSL_CTX_free(cctx);
8657 
8658     return testresult;
8659 }
8660 
8661 /*
8662  * Test bi-directional shutdown.
8663  * Test 0: TLSv1.2
8664  * Test 1: TLSv1.2, server continues to read/write after client shutdown
8665  * Test 2: TLSv1.3, no pending NewSessionTicket messages
8666  * Test 3: TLSv1.3, pending NewSessionTicket messages
8667  * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
8668  *                  sends key update, client reads it
8669  * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
8670  *                  sends CertificateRequest, client reads and ignores it
8671  * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
8672  *                  doesn't read it
8673  */
8674 static int test_shutdown(int tst)
8675 {
8676     SSL_CTX *cctx = NULL, *sctx = NULL;
8677     SSL *clientssl = NULL, *serverssl = NULL;
8678     int testresult = 0;
8679     char msg[] = "A test message";
8680     char buf[80];
8681     size_t written, readbytes;
8682     SSL_SESSION *sess;
8683 
8684 #ifdef OPENSSL_NO_TLS1_2
8685     if (tst <= 1)
8686         return 1;
8687 #endif
8688 #ifdef OSSL_NO_USABLE_TLS1_3
8689     if (tst >= 2)
8690         return 1;
8691 #endif
8692 
8693     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8694                                        TLS_client_method(),
8695                                        TLS1_VERSION,
8696                                        (tst <= 1) ? TLS1_2_VERSION
8697                                                   : TLS1_3_VERSION,
8698                                        &sctx, &cctx, cert, privkey)))
8699         goto end;
8700 
8701     if (tst == 5)
8702         SSL_CTX_set_post_handshake_auth(cctx, 1);
8703 
8704     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8705                                              NULL, NULL)))
8706         goto end;
8707 
8708     if (tst == 3) {
8709         if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
8710                                                   SSL_ERROR_NONE, 1, 0))
8711                 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8712                 || !TEST_false(SSL_SESSION_is_resumable(sess)))
8713             goto end;
8714     } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8715                                               SSL_ERROR_NONE))
8716             || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8717             || !TEST_true(SSL_SESSION_is_resumable(sess))) {
8718         goto end;
8719     }
8720 
8721     if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8722         goto end;
8723 
8724     if (tst >= 4) {
8725         /*
8726          * Reading on the server after the client has sent close_notify should
8727          * fail and provide SSL_ERROR_ZERO_RETURN
8728          */
8729         if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
8730                 || !TEST_int_eq(SSL_get_error(serverssl, 0),
8731                                 SSL_ERROR_ZERO_RETURN)
8732                 || !TEST_int_eq(SSL_get_shutdown(serverssl),
8733                                 SSL_RECEIVED_SHUTDOWN)
8734                    /*
8735                     * Even though we're shutdown on receive we should still be
8736                     * able to write.
8737                     */
8738                 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8739             goto end;
8740         if (tst == 4
8741                 && !TEST_true(SSL_key_update(serverssl,
8742                                              SSL_KEY_UPDATE_REQUESTED)))
8743             goto end;
8744         if (tst == 5) {
8745             SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
8746             if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
8747                 goto end;
8748         }
8749         if ((tst == 4 || tst == 5)
8750                 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8751             goto end;
8752         if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8753             goto end;
8754         if (tst == 4 || tst == 5) {
8755             /* Should still be able to read data from server */
8756             if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8757                                        &readbytes))
8758                     || !TEST_size_t_eq(readbytes, sizeof(msg))
8759                     || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
8760                     || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8761                                               &readbytes))
8762                     || !TEST_size_t_eq(readbytes, sizeof(msg))
8763                     || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
8764                 goto end;
8765         }
8766     }
8767 
8768     /* Writing on the client after sending close_notify shouldn't be possible */
8769     if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
8770         goto end;
8771 
8772     if (tst < 4) {
8773         /*
8774          * For these tests the client has sent close_notify but it has not yet
8775          * been received by the server. The server has not sent close_notify
8776          * yet.
8777          */
8778         if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
8779                    /*
8780                     * Writing on the server after sending close_notify shouldn't
8781                     * be possible.
8782                     */
8783                 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8784                 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
8785                 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8786                 || !TEST_true(SSL_SESSION_is_resumable(sess))
8787                 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
8788             goto end;
8789     } else if (tst == 4 || tst == 5) {
8790         /*
8791          * In this test the client has sent close_notify and it has been
8792          * received by the server which has responded with a close_notify. The
8793          * client needs to read the close_notify sent by the server.
8794          */
8795         if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
8796                 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8797                 || !TEST_true(SSL_SESSION_is_resumable(sess)))
8798             goto end;
8799     } else {
8800         /*
8801          * tst == 6
8802          *
8803          * The client has sent close_notify and is expecting a close_notify
8804          * back, but instead there is application data first. The shutdown
8805          * should fail with a fatal error.
8806          */
8807         if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
8808                 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
8809             goto end;
8810     }
8811 
8812     testresult = 1;
8813 
8814  end:
8815     SSL_free(serverssl);
8816     SSL_free(clientssl);
8817     SSL_CTX_free(sctx);
8818     SSL_CTX_free(cctx);
8819 
8820     return testresult;
8821 }
8822 
8823 /*
8824  * Test that sending close_notify alerts works correctly in the case of a
8825  * retryable write failure.
8826  */
8827 static int test_async_shutdown(void)
8828 {
8829     SSL_CTX *cctx = NULL, *sctx = NULL;
8830     SSL *clientssl = NULL, *serverssl = NULL;
8831     int testresult = 0;
8832     BIO *bretry = BIO_new(bio_s_always_retry()), *tmp = NULL;
8833 
8834     if (!TEST_ptr(bretry))
8835         goto end;
8836 
8837     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8838                                        TLS_client_method(),
8839                                        0, 0,
8840                                        &sctx, &cctx, cert, privkey)))
8841         goto end;
8842 
8843     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8844                                       NULL)))
8845         goto end;
8846 
8847     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8848         goto end;
8849 
8850     /* Close write side of clientssl */
8851     if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8852         goto end;
8853 
8854     tmp = SSL_get_wbio(serverssl);
8855     if (!TEST_true(BIO_up_ref(tmp))) {
8856         tmp = NULL;
8857         goto end;
8858     }
8859     SSL_set0_wbio(serverssl, bretry);
8860     bretry = NULL;
8861 
8862     /* First server shutdown should fail because of a retrable write failure */
8863     if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8864             || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8865         goto end;
8866 
8867     /* Second server shutdown should fail for the same reason */
8868     if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8869             || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8870         goto end;
8871 
8872     SSL_set0_wbio(serverssl, tmp);
8873     tmp = NULL;
8874 
8875     /* Third server shutdown should send close_notify */
8876     if (!TEST_int_eq(SSL_shutdown(serverssl), 0))
8877         goto end;
8878 
8879     /* Fourth server shutdown should read close_notify from client and finish */
8880     if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8881         goto end;
8882 
8883     /* Client should also successfully fully shutdown */
8884     if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
8885         goto end;
8886 
8887     testresult = 1;
8888  end:
8889     SSL_free(serverssl);
8890     SSL_free(clientssl);
8891     SSL_CTX_free(sctx);
8892     SSL_CTX_free(cctx);
8893     BIO_free(bretry);
8894     BIO_free(tmp);
8895 
8896     return testresult;
8897 }
8898 
8899 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8900 static int cert_cb_cnt;
8901 
8902 static int load_chain(const char *file, EVP_PKEY **pkey, X509 **x509,
8903                       STACK_OF(X509) *chain)
8904 {
8905     char *path = test_mk_file_path(certsdir, file);
8906     BIO *in = NULL;
8907     X509 *x = NULL;
8908     int ok = 0;
8909 
8910     if (path == NULL)
8911         return 0;
8912     if ((in = BIO_new(BIO_s_file())) == NULL
8913         || BIO_read_filename(in, path) <= 0)
8914         goto out;
8915     if (pkey == NULL) {
8916         if ((x = X509_new_ex(libctx, NULL)) == NULL
8917             || PEM_read_bio_X509(in, &x, NULL, NULL) == NULL)
8918             goto out;
8919         if (chain == NULL)
8920             *x509 = x;
8921         else if (!sk_X509_push(chain, x))
8922             goto out;
8923     } else if (PEM_read_bio_PrivateKey_ex(in, pkey, NULL, NULL,
8924                                           libctx, NULL) == NULL) {
8925         goto out;
8926     }
8927 
8928     x = NULL;
8929     ok = 1;
8930  out:
8931     X509_free(x);
8932     BIO_free(in);
8933     OPENSSL_free(path);
8934     return ok;
8935 }
8936 
8937 static int cert_cb(SSL *s, void *arg)
8938 {
8939     SSL_CTX *ctx = (SSL_CTX *)arg;
8940     EVP_PKEY *pkey = NULL;
8941     X509 *x509 = NULL, *x = NULL;
8942     STACK_OF(X509) *chain = NULL;
8943     int ret = 0;
8944 
8945     if (cert_cb_cnt == 0) {
8946         /* Suspend the handshake */
8947         cert_cb_cnt++;
8948         return -1;
8949     } else if (cert_cb_cnt == 1) {
8950         /*
8951          * Update the SSL_CTX, set the certificate and private key and then
8952          * continue the handshake normally.
8953          */
8954         if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
8955             return 0;
8956 
8957         if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
8958                 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
8959                                                       SSL_FILETYPE_PEM))
8960                 || !TEST_true(SSL_check_private_key(s)))
8961             return 0;
8962         cert_cb_cnt++;
8963         return 1;
8964     } else if (cert_cb_cnt == 3) {
8965         int rv;
8966 
8967         chain = sk_X509_new_null();
8968         if (!TEST_ptr(chain)
8969             || !TEST_true(load_chain("ca-cert.pem", NULL, NULL, chain))
8970             || !TEST_true(load_chain("root-cert.pem", NULL, NULL, chain))
8971             || !TEST_true(load_chain("p256-ee-rsa-ca-cert.pem", NULL,
8972                                      &x509, NULL))
8973             || !TEST_true(load_chain("p256-ee-rsa-ca-key.pem", &pkey,
8974                                      NULL, NULL)))
8975             goto out;
8976         rv = SSL_check_chain(s, x509, pkey, chain);
8977         /*
8978          * If the cert doesn't show as valid here (e.g., because we don't
8979          * have any shared sigalgs), then we will not set it, and there will
8980          * be no certificate at all on the SSL or SSL_CTX.  This, in turn,
8981          * will cause tls_choose_sigalgs() to fail the connection.
8982          */
8983         if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8984                 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
8985             if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8986                 goto out;
8987         }
8988 
8989         ret = 1;
8990     }
8991 
8992     /* Abort the handshake */
8993  out:
8994     EVP_PKEY_free(pkey);
8995     X509_free(x509);
8996     X509_free(x);
8997     OSSL_STACK_OF_X509_free(chain);
8998     return ret;
8999 }
9000 
9001 /*
9002  * Test the certificate callback.
9003  * Test 0: Callback fails
9004  * Test 1: Success - no SSL_set_SSL_CTX() in the callback
9005  * Test 2: Success - SSL_set_SSL_CTX() in the callback
9006  * Test 3: Success - Call SSL_check_chain from the callback
9007  * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
9008  *                   chain
9009  * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
9010  */
9011 static int test_cert_cb_int(int prot, int tst)
9012 {
9013     SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
9014     SSL *clientssl = NULL, *serverssl = NULL;
9015     int testresult = 0, ret;
9016 
9017 #ifdef OPENSSL_NO_EC
9018     /* We use an EC cert in these tests, so we skip in a no-ec build */
9019     if (tst >= 3)
9020         return 1;
9021 #endif
9022 
9023     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9024                                        TLS_client_method(),
9025                                        prot,
9026                                        prot,
9027                                        &sctx, &cctx, NULL, NULL)))
9028         goto end;
9029 
9030     if (tst == 0)
9031         cert_cb_cnt = -1;
9032     else if (tst >= 3)
9033         cert_cb_cnt = 3;
9034     else
9035         cert_cb_cnt = 0;
9036 
9037     if (tst == 2) {
9038         snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9039         if (!TEST_ptr(snictx))
9040             goto end;
9041     }
9042 
9043     SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
9044 
9045     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9046                                       NULL, NULL)))
9047         goto end;
9048 
9049     if (tst == 4) {
9050         /*
9051          * We cause SSL_check_chain() to fail by specifying sig_algs that
9052          * the chain doesn't meet (the root uses an RSA cert)
9053          */
9054         if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
9055                                              "ecdsa_secp256r1_sha256")))
9056             goto end;
9057     } else if (tst == 5) {
9058         /*
9059          * We cause SSL_check_chain() to fail by specifying sig_algs that
9060          * the ee cert doesn't meet (the ee uses an ECDSA cert)
9061          */
9062         if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
9063                            "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
9064             goto end;
9065     }
9066 
9067     ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
9068     if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
9069             || (tst > 0
9070                 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
9071         goto end;
9072     }
9073 
9074     testresult = 1;
9075 
9076  end:
9077     SSL_free(serverssl);
9078     SSL_free(clientssl);
9079     SSL_CTX_free(sctx);
9080     SSL_CTX_free(cctx);
9081     SSL_CTX_free(snictx);
9082 
9083     return testresult;
9084 }
9085 #endif
9086 
9087 static int test_cert_cb(int tst)
9088 {
9089     int testresult = 1;
9090 
9091 #ifndef OPENSSL_NO_TLS1_2
9092     testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
9093 #endif
9094 #ifndef OSSL_NO_USABLE_TLS1_3
9095     testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
9096 #endif
9097 
9098     return testresult;
9099 }
9100 
9101 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
9102 {
9103     X509 *xcert;
9104     EVP_PKEY *privpkey;
9105     BIO *in = NULL;
9106     BIO *priv_in = NULL;
9107 
9108     /* Check that SSL_get0_peer_certificate() returns something sensible */
9109     if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
9110         return 0;
9111 
9112     in = BIO_new_file(cert, "r");
9113     if (!TEST_ptr(in))
9114         return 0;
9115 
9116     if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
9117             || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
9118             || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
9119             || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
9120                                                                NULL, NULL,
9121                                                                libctx, NULL)))
9122         goto err;
9123 
9124     *x509 = xcert;
9125     *pkey = privpkey;
9126 
9127     BIO_free(in);
9128     BIO_free(priv_in);
9129     return 1;
9130 err:
9131     X509_free(xcert);
9132     BIO_free(in);
9133     BIO_free(priv_in);
9134     return 0;
9135 }
9136 
9137 static int test_client_cert_cb(int tst)
9138 {
9139     SSL_CTX *cctx = NULL, *sctx = NULL;
9140     SSL *clientssl = NULL, *serverssl = NULL;
9141     int testresult = 0;
9142 
9143 #ifdef OPENSSL_NO_TLS1_2
9144     if (tst == 0)
9145         return 1;
9146 #endif
9147 #ifdef OSSL_NO_USABLE_TLS1_3
9148     if (tst == 1)
9149         return 1;
9150 #endif
9151 
9152     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9153                                        TLS_client_method(),
9154                                        TLS1_VERSION,
9155                                        tst == 0 ? TLS1_2_VERSION
9156                                                 : TLS1_3_VERSION,
9157                                        &sctx, &cctx, cert, privkey)))
9158         goto end;
9159 
9160     /*
9161      * Test that setting a client_cert_cb results in a client certificate being
9162      * sent.
9163      */
9164     SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
9165     SSL_CTX_set_verify(sctx,
9166                        SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
9167                        verify_cb);
9168 
9169     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9170                                       NULL, NULL))
9171             || !TEST_true(create_ssl_connection(serverssl, clientssl,
9172                                                 SSL_ERROR_NONE)))
9173         goto end;
9174 
9175     testresult = 1;
9176 
9177  end:
9178     SSL_free(serverssl);
9179     SSL_free(clientssl);
9180     SSL_CTX_free(sctx);
9181     SSL_CTX_free(cctx);
9182 
9183     return testresult;
9184 }
9185 
9186 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
9187 /*
9188  * Test setting certificate authorities on both client and server.
9189  *
9190  * Test 0: SSL_CTX_set0_CA_list() only
9191  * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
9192  * Test 2: Only SSL_CTX_set_client_CA_list()
9193  */
9194 static int test_ca_names_int(int prot, int tst)
9195 {
9196     SSL_CTX *cctx = NULL, *sctx = NULL;
9197     SSL *clientssl = NULL, *serverssl = NULL;
9198     int testresult = 0;
9199     size_t i;
9200     X509_NAME *name[] = { NULL, NULL, NULL, NULL };
9201     char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
9202     STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
9203     const STACK_OF(X509_NAME) *sktmp = NULL;
9204 
9205     for (i = 0; i < OSSL_NELEM(name); i++) {
9206         name[i] = X509_NAME_new();
9207         if (!TEST_ptr(name[i])
9208                 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
9209                                                          MBSTRING_ASC,
9210                                                          (unsigned char *)
9211                                                          strnames[i],
9212                                                          -1, -1, 0)))
9213             goto end;
9214     }
9215 
9216     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9217                                        TLS_client_method(),
9218                                        TLS1_VERSION,
9219                                        prot,
9220                                        &sctx, &cctx, cert, privkey)))
9221         goto end;
9222 
9223     SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
9224 
9225     if (tst == 0 || tst == 1) {
9226         if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
9227                 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
9228                 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
9229                 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
9230                 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
9231                 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
9232             goto end;
9233 
9234         SSL_CTX_set0_CA_list(sctx, sk1);
9235         SSL_CTX_set0_CA_list(cctx, sk2);
9236         sk1 = sk2 = NULL;
9237     }
9238     if (tst == 1 || tst == 2) {
9239         if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
9240                 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
9241                 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
9242                 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
9243                 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
9244                 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
9245             goto end;
9246 
9247         SSL_CTX_set_client_CA_list(sctx, sk1);
9248         SSL_CTX_set_client_CA_list(cctx, sk2);
9249         sk1 = sk2 = NULL;
9250     }
9251 
9252     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9253                                       NULL, NULL))
9254             || !TEST_true(create_ssl_connection(serverssl, clientssl,
9255                                                 SSL_ERROR_NONE)))
9256         goto end;
9257 
9258     /*
9259      * We only expect certificate authorities to have been sent to the server
9260      * if we are using TLSv1.3 and SSL_set0_CA_list() was used
9261      */
9262     sktmp = SSL_get0_peer_CA_list(serverssl);
9263     if (prot == TLS1_3_VERSION
9264             && (tst == 0 || tst == 1)) {
9265         if (!TEST_ptr(sktmp)
9266                 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
9267                 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
9268                                               name[0]), 0)
9269                 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
9270                                               name[1]), 0))
9271             goto end;
9272     } else if (!TEST_ptr_null(sktmp)) {
9273         goto end;
9274     }
9275 
9276     /*
9277      * In all tests we expect certificate authorities to have been sent to the
9278      * client. However, SSL_set_client_CA_list() should override
9279      * SSL_set0_CA_list()
9280      */
9281     sktmp = SSL_get0_peer_CA_list(clientssl);
9282     if (!TEST_ptr(sktmp)
9283             || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
9284             || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
9285                                           name[tst == 0 ? 0 : 2]), 0)
9286             || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
9287                                           name[tst == 0 ? 1 : 3]), 0))
9288         goto end;
9289 
9290     testresult = 1;
9291 
9292  end:
9293     SSL_free(serverssl);
9294     SSL_free(clientssl);
9295     SSL_CTX_free(sctx);
9296     SSL_CTX_free(cctx);
9297     for (i = 0; i < OSSL_NELEM(name); i++)
9298         X509_NAME_free(name[i]);
9299     sk_X509_NAME_pop_free(sk1, X509_NAME_free);
9300     sk_X509_NAME_pop_free(sk2, X509_NAME_free);
9301 
9302     return testresult;
9303 }
9304 #endif
9305 
9306 static int test_ca_names(int tst)
9307 {
9308     int testresult = 1;
9309 
9310 #ifndef OPENSSL_NO_TLS1_2
9311     testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
9312 #endif
9313 #ifndef OSSL_NO_USABLE_TLS1_3
9314     testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
9315 #endif
9316 
9317     return testresult;
9318 }
9319 
9320 #ifndef OPENSSL_NO_TLS1_2
9321 static const char *multiblock_cipherlist_data[]=
9322 {
9323     "AES128-SHA",
9324     "AES128-SHA256",
9325     "AES256-SHA",
9326     "AES256-SHA256",
9327 };
9328 
9329 /* Reduce the fragment size - so the multiblock test buffer can be small */
9330 # define MULTIBLOCK_FRAGSIZE 512
9331 
9332 static int test_multiblock_write(int test_index)
9333 {
9334     static const char *fetchable_ciphers[]=
9335     {
9336         "AES-128-CBC-HMAC-SHA1",
9337         "AES-128-CBC-HMAC-SHA256",
9338         "AES-256-CBC-HMAC-SHA1",
9339         "AES-256-CBC-HMAC-SHA256"
9340     };
9341     const char *cipherlist = multiblock_cipherlist_data[test_index];
9342     const SSL_METHOD *smeth = TLS_server_method();
9343     const SSL_METHOD *cmeth = TLS_client_method();
9344     int min_version = TLS1_VERSION;
9345     int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
9346     SSL_CTX *cctx = NULL, *sctx = NULL;
9347     SSL *clientssl = NULL, *serverssl = NULL;
9348     int testresult = 0;
9349 
9350     /*
9351      * Choose a buffer large enough to perform a multi-block operation
9352      * i.e: write_len >= 4 * frag_size
9353      * 9 * is chosen so that multiple multiblocks are used + some leftover.
9354      */
9355     unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
9356     unsigned char buf[sizeof(msg)], *p = buf;
9357     size_t readbytes, written, len;
9358     EVP_CIPHER *ciph = NULL;
9359 
9360     /*
9361      * Check if the cipher exists before attempting to use it since it only has
9362      * a hardware specific implementation.
9363      */
9364     ciph = EVP_CIPHER_fetch(libctx, fetchable_ciphers[test_index], "");
9365     if (ciph == NULL) {
9366         TEST_skip("Multiblock cipher is not available for %s", cipherlist);
9367         return 1;
9368     }
9369     EVP_CIPHER_free(ciph);
9370 
9371     /* Set up a buffer with some data that will be sent to the client */
9372     RAND_bytes(msg, sizeof(msg));
9373 
9374     if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
9375                                        max_version, &sctx, &cctx, cert,
9376                                        privkey)))
9377         goto end;
9378 
9379     if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
9380         goto end;
9381 
9382     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9383                                       NULL, NULL)))
9384             goto end;
9385 
9386     /* settings to force it to use AES-CBC-HMAC_SHA */
9387     SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
9388     if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
9389        goto end;
9390 
9391     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9392         goto end;
9393 
9394     if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
9395         || !TEST_size_t_eq(written, sizeof(msg)))
9396         goto end;
9397 
9398     len = written;
9399     while (len > 0) {
9400         if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
9401             goto end;
9402         p += readbytes;
9403         len -= readbytes;
9404     }
9405     if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
9406         goto end;
9407 
9408     testresult = 1;
9409 end:
9410     SSL_free(serverssl);
9411     SSL_free(clientssl);
9412     SSL_CTX_free(sctx);
9413     SSL_CTX_free(cctx);
9414 
9415     return testresult;
9416 }
9417 #endif /* OPENSSL_NO_TLS1_2 */
9418 
9419 static int test_session_timeout(int test)
9420 {
9421     /*
9422      * Test session ordering and timeout
9423      * Can't explicitly test performance of the new code,
9424      * but can test to see if the ordering of the sessions
9425      * are correct, and they are removed as expected
9426      */
9427     SSL_SESSION *early = NULL;
9428     SSL_SESSION *middle = NULL;
9429     SSL_SESSION *late = NULL;
9430     SSL_CTX *ctx;
9431     int testresult = 0;
9432     time_t now = time(NULL);
9433 #define TIMEOUT 10
9434 
9435     if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
9436         || !TEST_ptr(early = SSL_SESSION_new())
9437         || !TEST_ptr(middle = SSL_SESSION_new())
9438         || !TEST_ptr(late = SSL_SESSION_new()))
9439         goto end;
9440 
9441     /* assign unique session ids */
9442     early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9443     memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
9444     middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9445     memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
9446     late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9447     memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
9448 
9449     if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9450         || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
9451         || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
9452         goto end;
9453 
9454     /* Make sure they are all added */
9455     if (!TEST_ptr(early->prev)
9456         || !TEST_ptr(middle->prev)
9457         || !TEST_ptr(late->prev))
9458         goto end;
9459 
9460     if (!TEST_time_t_ne(SSL_SESSION_set_time_ex(early, now - 10), 0)
9461         || !TEST_time_t_ne(SSL_SESSION_set_time_ex(middle, now), 0)
9462         || !TEST_time_t_ne(SSL_SESSION_set_time_ex(late, now + 10), 0))
9463         goto end;
9464 
9465     if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
9466         || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
9467         || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
9468         goto end;
9469 
9470     /* Make sure they are all still there */
9471     if (!TEST_ptr(early->prev)
9472         || !TEST_ptr(middle->prev)
9473         || !TEST_ptr(late->prev))
9474         goto end;
9475 
9476     /* Make sure they are in the expected order */
9477     if (!TEST_ptr_eq(late->next, middle)
9478         || !TEST_ptr_eq(middle->next, early)
9479         || !TEST_ptr_eq(early->prev, middle)
9480         || !TEST_ptr_eq(middle->prev, late))
9481         goto end;
9482 
9483     /* This should remove "early" */
9484     SSL_CTX_flush_sessions_ex(ctx, now + TIMEOUT - 1);
9485     if (!TEST_ptr_null(early->prev)
9486         || !TEST_ptr(middle->prev)
9487         || !TEST_ptr(late->prev))
9488         goto end;
9489 
9490     /* This should remove "middle" */
9491     SSL_CTX_flush_sessions_ex(ctx, now + TIMEOUT + 1);
9492     if (!TEST_ptr_null(early->prev)
9493         || !TEST_ptr_null(middle->prev)
9494         || !TEST_ptr(late->prev))
9495         goto end;
9496 
9497     /* This should remove "late" */
9498     SSL_CTX_flush_sessions_ex(ctx, now + TIMEOUT + 11);
9499     if (!TEST_ptr_null(early->prev)
9500         || !TEST_ptr_null(middle->prev)
9501         || !TEST_ptr_null(late->prev))
9502         goto end;
9503 
9504     /* Add them back in again */
9505     if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9506         || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
9507         || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
9508         goto end;
9509 
9510     /* Make sure they are all added */
9511     if (!TEST_ptr(early->prev)
9512         || !TEST_ptr(middle->prev)
9513         || !TEST_ptr(late->prev))
9514         goto end;
9515 
9516     /* This should remove all of them */
9517     SSL_CTX_flush_sessions_ex(ctx, 0);
9518     if (!TEST_ptr_null(early->prev)
9519         || !TEST_ptr_null(middle->prev)
9520         || !TEST_ptr_null(late->prev))
9521         goto end;
9522 
9523     (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
9524                                          | SSL_CTX_get_session_cache_mode(ctx));
9525 
9526     /* make sure |now| is NOT  equal to the current time */
9527     now -= 10;
9528     if (!TEST_time_t_ne(SSL_SESSION_set_time_ex(early, now), 0)
9529         || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9530         || !TEST_time_t_ne(SSL_SESSION_get_time_ex(early), now))
9531         goto end;
9532 
9533     testresult = 1;
9534  end:
9535     SSL_CTX_free(ctx);
9536     SSL_SESSION_free(early);
9537     SSL_SESSION_free(middle);
9538     SSL_SESSION_free(late);
9539     return testresult;
9540 }
9541 
9542 /*
9543  * Test that a session cache overflow works as expected
9544  * Test 0: TLSv1.3, timeout on new session later than old session
9545  * Test 1: TLSv1.2, timeout on new session later than old session
9546  * Test 2: TLSv1.3, timeout on new session earlier than old session
9547  * Test 3: TLSv1.2, timeout on new session earlier than old session
9548  */
9549 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
9550 static int test_session_cache_overflow(int idx)
9551 {
9552     SSL_CTX *sctx = NULL, *cctx = NULL;
9553     SSL *serverssl = NULL, *clientssl = NULL;
9554     int testresult = 0;
9555     SSL_SESSION *sess = NULL;
9556 
9557 #ifdef OSSL_NO_USABLE_TLS1_3
9558     /* If no TLSv1.3 available then do nothing in this case */
9559     if (idx % 2 == 0)
9560         return TEST_skip("No TLSv1.3 available");
9561 #endif
9562 #ifdef OPENSSL_NO_TLS1_2
9563     /* If no TLSv1.2 available then do nothing in this case */
9564     if (idx % 2 == 1)
9565         return TEST_skip("No TLSv1.2 available");
9566 #endif
9567 
9568     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9569                                        TLS_client_method(), TLS1_VERSION,
9570                                        (idx % 2 == 0) ? TLS1_3_VERSION
9571                                                       : TLS1_2_VERSION,
9572                                        &sctx, &cctx, cert, privkey))
9573             || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET)))
9574         goto end;
9575 
9576     SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
9577     get_sess_val = NULL;
9578 
9579     SSL_CTX_sess_set_cache_size(sctx, 1);
9580 
9581     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9582                                       NULL, NULL)))
9583         goto end;
9584 
9585     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9586         goto end;
9587 
9588     if (idx > 1) {
9589         sess = SSL_get_session(serverssl);
9590         if (!TEST_ptr(sess))
9591             goto end;
9592 
9593         /*
9594          * Cause this session to have a longer timeout than the next session to
9595          * be added.
9596          */
9597         if (!TEST_true(SSL_SESSION_set_timeout(sess, LONG_MAX))) {
9598             sess = NULL;
9599             goto end;
9600         }
9601         sess = NULL;
9602     }
9603 
9604     SSL_shutdown(serverssl);
9605     SSL_shutdown(clientssl);
9606     SSL_free(serverssl);
9607     SSL_free(clientssl);
9608     serverssl = clientssl = NULL;
9609 
9610     /*
9611      * Session cache size is 1 and we already populated the cache with a session
9612      * so the next connection should cause an overflow.
9613      */
9614 
9615     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9616                                       NULL, NULL)))
9617         goto end;
9618 
9619     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9620         goto end;
9621 
9622     /*
9623      * The session we just negotiated may have been already removed from the
9624      * internal cache - but we will return it anyway from our external cache.
9625      */
9626     get_sess_val = SSL_get_session(serverssl);
9627     if (!TEST_ptr(get_sess_val))
9628         goto end;
9629     sess = SSL_get1_session(clientssl);
9630     if (!TEST_ptr(sess))
9631         goto end;
9632 
9633     SSL_shutdown(serverssl);
9634     SSL_shutdown(clientssl);
9635     SSL_free(serverssl);
9636     SSL_free(clientssl);
9637     serverssl = clientssl = NULL;
9638 
9639     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9640                                       NULL, NULL)))
9641         goto end;
9642 
9643     if (!TEST_true(SSL_set_session(clientssl, sess)))
9644         goto end;
9645 
9646     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9647         goto end;
9648 
9649     testresult = 1;
9650 
9651  end:
9652     SSL_free(serverssl);
9653     SSL_free(clientssl);
9654     SSL_CTX_free(sctx);
9655     SSL_CTX_free(cctx);
9656     SSL_SESSION_free(sess);
9657 
9658     return testresult;
9659 }
9660 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
9661 
9662 /*
9663  * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
9664  * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
9665  * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
9666  * Test 3: Client does not set servername on initial handshake (TLSv1.2)
9667  * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
9668  * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
9669  * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
9670  * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
9671  * Test 8: Client does not set servername on initial handshake(TLSv1.3)
9672  * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
9673  */
9674 static int test_servername(int tst)
9675 {
9676     SSL_CTX *cctx = NULL, *sctx = NULL;
9677     SSL *clientssl = NULL, *serverssl = NULL;
9678     int testresult = 0;
9679     SSL_SESSION *sess = NULL;
9680     const char *sexpectedhost = NULL, *cexpectedhost = NULL;
9681 
9682 #ifdef OPENSSL_NO_TLS1_2
9683     if (tst <= 4)
9684         return 1;
9685 #endif
9686 #ifdef OSSL_NO_USABLE_TLS1_3
9687     if (tst >= 5)
9688         return 1;
9689 #endif
9690 
9691     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9692                                        TLS_client_method(),
9693                                        TLS1_VERSION,
9694                                        (tst <= 4) ? TLS1_2_VERSION
9695                                                   : TLS1_3_VERSION,
9696                                        &sctx, &cctx, cert, privkey))
9697             || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9698                                              NULL, NULL)))
9699         goto end;
9700 
9701     if (tst != 1 && tst != 6) {
9702         if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
9703                                                               hostname_cb)))
9704             goto end;
9705     }
9706 
9707     if (tst != 3 && tst != 8) {
9708         if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9709             goto end;
9710         sexpectedhost = cexpectedhost = "goodhost";
9711     }
9712 
9713     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9714         goto end;
9715 
9716     if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
9717                      cexpectedhost)
9718             || !TEST_str_eq(SSL_get_servername(serverssl,
9719                                                TLSEXT_NAMETYPE_host_name),
9720                             sexpectedhost))
9721         goto end;
9722 
9723     /* Now repeat with a resumption handshake */
9724 
9725     if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
9726             || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
9727             || !TEST_true(SSL_SESSION_is_resumable(sess))
9728             || !TEST_int_eq(SSL_shutdown(serverssl), 0))
9729         goto end;
9730 
9731     SSL_free(clientssl);
9732     SSL_free(serverssl);
9733     clientssl = serverssl = NULL;
9734 
9735     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
9736                                       NULL)))
9737         goto end;
9738 
9739     if (!TEST_true(SSL_set_session(clientssl, sess)))
9740         goto end;
9741 
9742     sexpectedhost = cexpectedhost = "goodhost";
9743     if (tst == 2 || tst == 7) {
9744         /* Set an inconsistent hostname */
9745         if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
9746             goto end;
9747         /*
9748          * In TLSv1.2 we expect the hostname from the original handshake, in
9749          * TLSv1.3 we expect the hostname from this handshake
9750          */
9751         if (tst == 7)
9752             sexpectedhost = cexpectedhost = "altgoodhost";
9753 
9754         if (!TEST_str_eq(SSL_get_servername(clientssl,
9755                                             TLSEXT_NAMETYPE_host_name),
9756                          "altgoodhost"))
9757             goto end;
9758     } else if (tst == 4 || tst == 9) {
9759         /*
9760          * A TLSv1.3 session does not associate a session with a servername,
9761          * but a TLSv1.2 session does.
9762          */
9763         if (tst == 9)
9764             sexpectedhost = cexpectedhost = NULL;
9765 
9766         if (!TEST_str_eq(SSL_get_servername(clientssl,
9767                                             TLSEXT_NAMETYPE_host_name),
9768                          cexpectedhost))
9769             goto end;
9770     } else {
9771         if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9772             goto end;
9773         /*
9774          * In a TLSv1.2 resumption where the hostname was not acknowledged
9775          * we expect the hostname on the server to be empty. On the client we
9776          * return what was requested in this case.
9777          *
9778          * Similarly if the client didn't set a hostname on an original TLSv1.2
9779          * session but is now, the server hostname will be empty, but the client
9780          * is as we set it.
9781          */
9782         if (tst == 1 || tst == 3)
9783             sexpectedhost = NULL;
9784 
9785         if (!TEST_str_eq(SSL_get_servername(clientssl,
9786                                             TLSEXT_NAMETYPE_host_name),
9787                          "goodhost"))
9788             goto end;
9789     }
9790 
9791     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9792         goto end;
9793 
9794     if (!TEST_true(SSL_session_reused(clientssl))
9795             || !TEST_true(SSL_session_reused(serverssl))
9796             || !TEST_str_eq(SSL_get_servername(clientssl,
9797                                                TLSEXT_NAMETYPE_host_name),
9798                             cexpectedhost)
9799             || !TEST_str_eq(SSL_get_servername(serverssl,
9800                                                TLSEXT_NAMETYPE_host_name),
9801                             sexpectedhost))
9802         goto end;
9803 
9804     testresult = 1;
9805 
9806  end:
9807     SSL_SESSION_free(sess);
9808     SSL_free(serverssl);
9809     SSL_free(clientssl);
9810     SSL_CTX_free(sctx);
9811     SSL_CTX_free(cctx);
9812 
9813     return testresult;
9814 }
9815 
9816 static int test_unknown_sigalgs_groups(void)
9817 {
9818     int ret = 0;
9819     SSL_CTX *ctx = NULL;
9820 
9821     if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
9822         goto end;
9823 
9824     if (!TEST_int_gt(SSL_CTX_set1_sigalgs_list(ctx,
9825                                                "RSA+SHA256:?nonexistent:?RSA+SHA512"),
9826                                                0))
9827         goto end;
9828     if (!TEST_size_t_eq(ctx->cert->conf_sigalgslen, 2)
9829         || !TEST_int_eq(ctx->cert->conf_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256)
9830         || !TEST_int_eq(ctx->cert->conf_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
9831         goto end;
9832 
9833     if (!TEST_int_gt(SSL_CTX_set1_client_sigalgs_list(ctx,
9834                                                       "RSA+SHA256:?nonexistent:?RSA+SHA512"),
9835                                                       0))
9836         goto end;
9837     if (!TEST_size_t_eq(ctx->cert->client_sigalgslen, 2)
9838         || !TEST_int_eq(ctx->cert->client_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256)
9839         || !TEST_int_eq(ctx->cert->client_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
9840         goto end;
9841 
9842     if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
9843                                               "nonexistent"),
9844                                               0))
9845         goto end;
9846 
9847     if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx,
9848                                               "?nonexistent1:?nonexistent2:?nonexistent3"),
9849                                               0))
9850         goto end;
9851 
9852 #ifndef OPENSSL_NO_EC
9853     if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
9854                                               "P-256:nonexistent"),
9855                                               0))
9856         goto end;
9857 
9858     if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx,
9859                                               "P-384:?nonexistent:?P-521"),
9860                                               0))
9861         goto end;
9862     if (!TEST_size_t_eq(ctx->ext.supportedgroups_len, 2)
9863         || !TEST_int_eq(ctx->ext.supportedgroups[0], OSSL_TLS_GROUP_ID_secp384r1)
9864         || !TEST_int_eq(ctx->ext.supportedgroups[1], OSSL_TLS_GROUP_ID_secp521r1))
9865         goto end;
9866 #endif
9867 
9868     ret = 1;
9869  end:
9870     SSL_CTX_free(ctx);
9871     return ret;
9872 }
9873 
9874 #if (!defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)) || !defined(OPENSSL_NO_ML_KEM)
9875 static int test_configuration_of_groups(void)
9876 {
9877     int ret = 0;
9878     SSL_CTX *ctx = NULL;
9879     size_t groups_len;
9880 
9881     if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
9882         goto end;
9883     groups_len = ctx->ext.supportedgroups_len;
9884 
9885     if (!TEST_size_t_gt(groups_len, 0)
9886         || !TEST_int_gt(SSL_CTX_set1_groups_list(ctx, "DEFAULT"), 0)
9887         || !TEST_size_t_eq(ctx->ext.supportedgroups_len, groups_len))
9888         goto end;
9889 
9890     if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx, "DEFAULT:-?P-256"), 0)
9891 # if !defined(OPENSSL_NO_EC)
9892         || !TEST_size_t_eq(ctx->ext.supportedgroups_len, groups_len - 1)
9893 # else
9894         || !TEST_size_t_eq(ctx->ext.supportedgroups_len, groups_len)
9895 # endif
9896         )
9897         goto end;
9898 
9899 # if !defined(OPENSSL_NO_EC)
9900     if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx, "?P-256:?P-521:-?P-256"), 0)
9901         || !TEST_size_t_eq(ctx->ext.supportedgroups_len, 1)
9902         || !TEST_int_eq(ctx->ext.supportedgroups[0], OSSL_TLS_GROUP_ID_secp521r1)
9903         )
9904         goto end;
9905 # endif
9906 
9907     ret = 1;
9908 
9909 end:
9910     SSL_CTX_free(ctx);
9911     return ret;
9912 }
9913 #endif
9914 
9915 #if !defined(OPENSSL_NO_EC) \
9916     && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9917 /*
9918  * Test that if signature algorithms are not available, then we do not offer or
9919  * accept them.
9920  * Test 0: Two RSA sig algs available: both RSA sig algs shared
9921  * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
9922  * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
9923  * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
9924  * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
9925  * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
9926  */
9927 static int test_sigalgs_available(int idx)
9928 {
9929     SSL_CTX *cctx = NULL, *sctx = NULL;
9930     SSL *clientssl = NULL, *serverssl = NULL;
9931     int testresult = 0;
9932     OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
9933     OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
9934     OSSL_PROVIDER *filterprov = NULL;
9935     int sig, hash, numshared, numshared_expected, hash_expected, sig_expected;
9936     const char *sigalg_name, *signame_expected;
9937 
9938     if (!TEST_ptr(tmpctx))
9939         goto end;
9940 
9941     if (idx != 0 && idx != 3) {
9942         if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
9943                                                  filter_provider_init)))
9944             goto end;
9945 
9946         filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
9947         if (!TEST_ptr(filterprov))
9948             goto end;
9949 
9950         if (idx < 3) {
9951             /*
9952              * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
9953              * or accepted for the peer that uses this libctx. Note that libssl
9954              * *requires* SHA2-256 to be available so we cannot disable that. We
9955              * also need SHA1 for our certificate.
9956              */
9957             if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
9958                                                       "SHA2-256:SHA1")))
9959                 goto end;
9960         } else {
9961             if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
9962                                                       "ECDSA"))
9963 # ifdef OPENSSL_NO_ECX
9964                     || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT, "EC"))
9965 # else
9966                     || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
9967                                                              "EC:X25519:X448"))
9968 # endif
9969                 )
9970                 goto end;
9971         }
9972 
9973         if (idx == 1 || idx == 4)
9974             clientctx = tmpctx;
9975         else
9976             serverctx = tmpctx;
9977     }
9978 
9979     cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
9980     sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9981     if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
9982         goto end;
9983 
9984     /* Avoid MLKEM groups that depend on possibly filtered-out digests */
9985     if (!TEST_true(SSL_CTX_set1_groups_list(cctx,
9986                         "?X25519:?secp256r1:?ffdhe2048:?ffdhe3072"))
9987         || !TEST_true(SSL_CTX_set1_groups_list(sctx,
9988                         "?X25519:?secp256r1:?ffdhe2048:?ffdhe3072")))
9989         goto end;
9990 
9991     if (idx != 5) {
9992         /* RSA first server key */
9993         if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9994                                            TLS_client_method(),
9995                                            TLS1_VERSION,
9996                                            0,
9997                                            &sctx, &cctx, cert, privkey)))
9998             goto end;
9999     } else {
10000         /* ECDSA P-256 first server key */
10001         if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10002                                            TLS_client_method(),
10003                                            TLS1_VERSION,
10004                                            0,
10005                                            &sctx, &cctx, cert2, privkey2)))
10006             goto end;
10007     }
10008 
10009     /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
10010     if (idx < 4) {
10011         if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
10012                                                "ECDHE-RSA-AES128-GCM-SHA256")))
10013             goto end;
10014     } else {
10015         if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
10016                                                "ECDHE-ECDSA-AES128-GCM-SHA256")))
10017             goto end;
10018     }
10019 
10020     if (idx < 3) {
10021         if (!SSL_CTX_set1_sigalgs_list(cctx,
10022                                        "rsa_pss_rsae_sha384"
10023                                        ":rsa_pss_rsae_sha256")
10024                 || !SSL_CTX_set1_sigalgs_list(sctx,
10025                                               "rsa_pss_rsae_sha384"
10026                                               ":rsa_pss_rsae_sha256"))
10027             goto end;
10028     } else {
10029         if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
10030                 || !SSL_CTX_set1_sigalgs_list(sctx,
10031                                               "rsa_pss_rsae_sha256:ECDSA+SHA256"))
10032             goto end;
10033     }
10034 
10035     /* ECDSA P-256 second server key, unless already first */
10036     if (idx != 5
10037         && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
10038                                                       SSL_FILETYPE_PEM), 1)
10039             || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
10040                                                         privkey2,
10041                                                         SSL_FILETYPE_PEM), 1)
10042             || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
10043         goto end;
10044 
10045     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10046                                       NULL, NULL)))
10047         goto end;
10048 
10049     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10050         goto end;
10051 
10052     /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
10053     numshared = SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash,
10054                                         NULL, NULL, NULL);
10055     numshared_expected = 1;
10056     hash_expected = NID_sha256;
10057     sig_expected = NID_rsassaPss;
10058     signame_expected = "rsa_pss_rsae_sha256";
10059     switch (idx) {
10060     case 0:
10061         hash_expected = NID_sha384;
10062         signame_expected = "rsa_pss_rsae_sha384";
10063         /* FALLTHROUGH */
10064     case 3:
10065         numshared_expected = 2;
10066         break;
10067     case 4:
10068     case 5:
10069         sig_expected = EVP_PKEY_EC;
10070         signame_expected = "ecdsa_secp256r1_sha256";
10071         break;
10072     }
10073     if (!TEST_int_eq(numshared, numshared_expected)
10074         || !TEST_int_eq(hash, hash_expected)
10075         || !TEST_int_eq(sig, sig_expected)
10076         || !TEST_true(SSL_get0_peer_signature_name(clientssl, &sigalg_name))
10077         || !TEST_ptr(sigalg_name)
10078         || !TEST_str_eq(sigalg_name, signame_expected))
10079         goto end;
10080 
10081     testresult = filter_provider_check_clean_finish();
10082 
10083  end:
10084     SSL_free(serverssl);
10085     SSL_free(clientssl);
10086     SSL_CTX_free(sctx);
10087     SSL_CTX_free(cctx);
10088     OSSL_PROVIDER_unload(filterprov);
10089     OSSL_LIB_CTX_free(tmpctx);
10090 
10091     return testresult;
10092 }
10093 #endif /*
10094         * !defined(OPENSSL_NO_EC) \
10095         * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
10096         */
10097 
10098 #ifndef OPENSSL_NO_TLS1_3
10099 /* This test can run in TLSv1.3 even if ec and dh are disabled */
10100 static int test_pluggable_group(int idx)
10101 {
10102     SSL_CTX *cctx = NULL, *sctx = NULL;
10103     SSL *clientssl = NULL, *serverssl = NULL;
10104     int testresult = 0;
10105     OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
10106     /* Check that we are not impacted by a provider without any groups */
10107     OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
10108     const char *group_name = idx == 0 ? "xorkemgroup" : "xorgroup";
10109 
10110     if (!TEST_ptr(tlsprov))
10111         goto end;
10112 
10113     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10114                                        TLS_client_method(),
10115                                        TLS1_3_VERSION,
10116                                        TLS1_3_VERSION,
10117                                        &sctx, &cctx, cert, privkey))
10118             || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10119                                              NULL, NULL)))
10120         goto end;
10121 
10122     /* ensure GROUPLIST_INCREMENT (=40) logic triggers: */
10123     if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup:xorkemgroup:dummy1:dummy2:dummy3:dummy4:dummy5:dummy6:dummy7:dummy8:dummy9:dummy10:dummy11:dummy12:dummy13:dummy14:dummy15:dummy16:dummy17:dummy18:dummy19:dummy20:dummy21:dummy22:dummy23:dummy24:dummy25:dummy26:dummy27:dummy28:dummy29:dummy30:dummy31:dummy32:dummy33:dummy34:dummy35:dummy36:dummy37:dummy38:dummy39:dummy40:dummy41:dummy42:dummy43"))
10124     /* removing a single algorithm from the list makes the test pass */
10125             || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
10126         goto end;
10127 
10128     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10129         goto end;
10130 
10131     if (!TEST_str_eq(group_name,
10132                      SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
10133         goto end;
10134 
10135     if (!TEST_str_eq(group_name, SSL_get0_group_name(serverssl))
10136         || !TEST_str_eq(group_name, SSL_get0_group_name(clientssl)))
10137         goto end;
10138 
10139     testresult = 1;
10140 
10141  end:
10142     SSL_free(serverssl);
10143     SSL_free(clientssl);
10144     SSL_CTX_free(sctx);
10145     SSL_CTX_free(cctx);
10146     OSSL_PROVIDER_unload(tlsprov);
10147     OSSL_PROVIDER_unload(legacyprov);
10148 
10149     return testresult;
10150 }
10151 
10152 /*
10153  * This function triggers encode, decode and sign functions
10154  * of the artificial "xorhmacsig" algorithm implemented in tls-provider
10155  * creating private key and certificate files for use in TLS testing.
10156  */
10157 static int create_cert_key(int idx, char *certfilename, char *privkeyfilename)
10158 {
10159     EVP_PKEY_CTX *evpctx = EVP_PKEY_CTX_new_from_name(libctx,
10160                              (idx == 0) ? "xorhmacsig" : "xorhmacsha2sig", NULL);
10161     EVP_PKEY *pkey = NULL;
10162     X509 *x509 = X509_new();
10163     X509_NAME *name = NULL;
10164     BIO *keybio = NULL, *certbio = NULL;
10165     int ret = 1;
10166 
10167     if (!TEST_ptr(evpctx)
10168         || !TEST_int_gt(EVP_PKEY_keygen_init(evpctx), 0)
10169         || !TEST_true(EVP_PKEY_generate(evpctx, &pkey))
10170         || !TEST_ptr(pkey)
10171         || !TEST_ptr(x509)
10172         || !TEST_true(ASN1_INTEGER_set(X509_get_serialNumber(x509), 1))
10173         || !TEST_true(X509_gmtime_adj(X509_getm_notBefore(x509), 0))
10174         || !TEST_true(X509_gmtime_adj(X509_getm_notAfter(x509), 31536000L))
10175         || !TEST_true(X509_set_pubkey(x509, pkey))
10176         || !TEST_ptr(name = X509_get_subject_name(x509))
10177         || !TEST_true(X509_NAME_add_entry_by_txt(name, "C",  MBSTRING_ASC,
10178                            (unsigned char *)"CH", -1, -1, 0))
10179         || !TEST_true(X509_NAME_add_entry_by_txt(name, "O",  MBSTRING_ASC,
10180                            (unsigned char *)"test.org", -1, -1, 0))
10181         || !TEST_true(X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
10182                            (unsigned char *)"localhost", -1, -1, 0))
10183         || !TEST_true(X509_set_issuer_name(x509, name))
10184         || !TEST_true(X509_sign(x509, pkey, EVP_sha1()))
10185         || !TEST_ptr(keybio = BIO_new_file(privkeyfilename, "wb"))
10186         || !TEST_true(PEM_write_bio_PrivateKey(keybio, pkey, NULL, NULL, 0, NULL, NULL))
10187         || !TEST_ptr(certbio = BIO_new_file(certfilename, "wb"))
10188         || !TEST_true(PEM_write_bio_X509(certbio, x509)))
10189         ret = 0;
10190 
10191     EVP_PKEY_free(pkey);
10192     X509_free(x509);
10193     EVP_PKEY_CTX_free(evpctx);
10194     BIO_free(keybio);
10195     BIO_free(certbio);
10196     return ret;
10197 }
10198 
10199 /*
10200  * Test that signature algorithms loaded via the provider interface can
10201  * correctly establish a TLS (1.3) connection.
10202  * Test 0: Signature algorithm with built-in hashing functionality: "xorhmacsig"
10203  * Test 1: Signature algorithm using external SHA2 hashing: "xorhmacsha2sig"
10204  * Test 2: Signature algorithm with built-in hashing configured via SSL_CONF_cmd
10205  * Test 3: Test 0 using RPK
10206  * Test 4: Test 1 using RPK
10207  * Test 5: Test 2 using RPK
10208  */
10209 static int test_pluggable_signature(int idx)
10210 {
10211     static const unsigned char cert_type_rpk[] = { TLSEXT_cert_type_rpk, TLSEXT_cert_type_x509 };
10212     SSL_CTX *cctx = NULL, *sctx = NULL;
10213     SSL *clientssl = NULL, *serverssl = NULL;
10214     int testresult = 0;
10215     OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
10216     OSSL_PROVIDER *defaultprov = OSSL_PROVIDER_load(libctx, "default");
10217     char *certfilename = "tls-prov-cert.pem";
10218     char *privkeyfilename = "tls-prov-key.pem";
10219     const char *sigalg_name = NULL, *expected_sigalg_name;
10220     int sigidx = idx % 3;
10221     int rpkidx = idx / 3;
10222     int do_conf_cmd = 0;
10223 
10224     if (sigidx == 2) {
10225         sigidx = 0;
10226         do_conf_cmd = 1;
10227     }
10228 
10229     /* See create_cert_key() above */
10230     expected_sigalg_name = (sigidx == 0) ? "xorhmacsig" : "xorhmacsha2sig";
10231 
10232     /* create key and certificate for the different algorithm types */
10233     if (!TEST_ptr(tlsprov)
10234         || !TEST_true(create_cert_key(sigidx, certfilename, privkeyfilename)))
10235         goto end;
10236 
10237     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10238                                        TLS_client_method(),
10239                                        TLS1_3_VERSION,
10240                                        TLS1_3_VERSION,
10241                                        &sctx, &cctx, NULL, NULL)))
10242         goto end;
10243 
10244     if (do_conf_cmd) {
10245         SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
10246 
10247         if (!TEST_ptr(confctx))
10248             goto end;
10249         SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
10250                                         | SSL_CONF_FLAG_SERVER
10251                                         | SSL_CONF_FLAG_CERTIFICATE
10252                                         | SSL_CONF_FLAG_REQUIRE_PRIVATE
10253                                         | SSL_CONF_FLAG_SHOW_ERRORS);
10254         SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
10255         if (!TEST_int_gt(SSL_CONF_cmd(confctx, "Certificate", certfilename), 0)
10256                 || !TEST_int_gt(SSL_CONF_cmd(confctx, "PrivateKey", privkeyfilename), 0)
10257                 || !TEST_true(SSL_CONF_CTX_finish(confctx))) {
10258             SSL_CONF_CTX_free(confctx);
10259             goto end;
10260         }
10261         SSL_CONF_CTX_free(confctx);
10262     } else {
10263         if (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, certfilename,
10264                                                       SSL_FILETYPE_PEM), 1)
10265                 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
10266                                                             privkeyfilename,
10267                                                             SSL_FILETYPE_PEM), 1))
10268             goto end;
10269     }
10270     if (!TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
10271         goto end;
10272 
10273     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10274                                       NULL, NULL)))
10275         goto end;
10276 
10277     /* Enable RPK for server cert */
10278     if (rpkidx) {
10279         if (!TEST_true(SSL_set1_server_cert_type(serverssl, cert_type_rpk, sizeof(cert_type_rpk)))
10280                 || !TEST_true(SSL_set1_server_cert_type(clientssl, cert_type_rpk, sizeof(cert_type_rpk))))
10281             goto end;
10282     }
10283 
10284     /* This is necessary to pass minimal setup w/o other groups configured */
10285     if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup"))
10286             || !TEST_true(SSL_set1_groups_list(clientssl, "xorgroup")))
10287         goto end;
10288 
10289     /*
10290      * If this connection gets established, it must have been completed
10291      * via the tls-provider-implemented "hmacsig" algorithm, testing
10292      * both sign and verify functions during handshake.
10293      */
10294     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10295         goto end;
10296 
10297     /* If using RPK, make sure we got one */
10298     if (rpkidx && !TEST_long_eq(SSL_get_verify_result(clientssl), X509_V_ERR_RPK_UNTRUSTED))
10299         goto end;
10300 
10301     if (!TEST_true(SSL_get0_peer_signature_name(clientssl, &sigalg_name))
10302         || !TEST_str_eq(sigalg_name, expected_sigalg_name)
10303         || !TEST_ptr(sigalg_name))
10304         goto end;
10305 
10306     testresult = 1;
10307 
10308  end:
10309     SSL_free(serverssl);
10310     SSL_free(clientssl);
10311     SSL_CTX_free(sctx);
10312     SSL_CTX_free(cctx);
10313     OSSL_PROVIDER_unload(tlsprov);
10314     OSSL_PROVIDER_unload(defaultprov);
10315 
10316     return testresult;
10317 }
10318 #endif
10319 
10320 #ifndef OPENSSL_NO_TLS1_2
10321 static int test_ssl_dup(void)
10322 {
10323     SSL_CTX *cctx = NULL, *sctx = NULL;
10324     SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
10325     int testresult = 0;
10326     BIO *rbio = NULL, *wbio = NULL;
10327 
10328     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10329                                        TLS_client_method(),
10330                                        0,
10331                                        0,
10332                                        &sctx, &cctx, cert, privkey)))
10333         goto end;
10334 
10335     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10336                                              NULL, NULL)))
10337         goto end;
10338 
10339     if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
10340             || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
10341         goto end;
10342 
10343     client2ssl = SSL_dup(clientssl);
10344     rbio = SSL_get_rbio(clientssl);
10345     if (!TEST_ptr(rbio)
10346             || !TEST_true(BIO_up_ref(rbio)))
10347         goto end;
10348     SSL_set0_rbio(client2ssl, rbio);
10349     rbio = NULL;
10350 
10351     wbio = SSL_get_wbio(clientssl);
10352     if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
10353         goto end;
10354     SSL_set0_wbio(client2ssl, wbio);
10355     rbio = NULL;
10356 
10357     if (!TEST_ptr(client2ssl)
10358                /* Handshake not started so pointers should be different */
10359             || !TEST_ptr_ne(clientssl, client2ssl))
10360         goto end;
10361 
10362     if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
10363             || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
10364         goto end;
10365 
10366     if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
10367         goto end;
10368 
10369     SSL_free(clientssl);
10370     clientssl = SSL_dup(client2ssl);
10371     if (!TEST_ptr(clientssl)
10372                /* Handshake has finished so pointers should be the same */
10373             || !TEST_ptr_eq(clientssl, client2ssl))
10374         goto end;
10375 
10376     testresult = 1;
10377 
10378  end:
10379     SSL_free(serverssl);
10380     SSL_free(clientssl);
10381     SSL_free(client2ssl);
10382     SSL_CTX_free(sctx);
10383     SSL_CTX_free(cctx);
10384 
10385     return testresult;
10386 }
10387 
10388 static int secret_cb(SSL *s, void *secretin, int *secret_len,
10389                      STACK_OF(SSL_CIPHER) *peer_ciphers,
10390                      const SSL_CIPHER **cipher, void *arg)
10391 {
10392     int i;
10393     unsigned char *secret = secretin;
10394 
10395     /* Just use a fixed master secret */
10396     for (i = 0; i < *secret_len; i++)
10397         secret[i] = 0xff;
10398 
10399     /* We don't set a preferred cipher */
10400 
10401     return 1;
10402 }
10403 
10404 /*
10405  * Test the session_secret_cb which is designed for use with EAP-FAST
10406  */
10407 static int test_session_secret_cb(void)
10408 {
10409     SSL_CTX *cctx = NULL, *sctx = NULL;
10410     SSL *clientssl = NULL, *serverssl = NULL;
10411     SSL_SESSION *secret_sess = NULL;
10412     int testresult = 0;
10413 
10414     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10415                                        TLS_client_method(),
10416                                        0,
10417                                        0,
10418                                        &sctx, &cctx, cert, privkey)))
10419         goto end;
10420 
10421     /* Create an initial connection and save the session */
10422     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10423                                       NULL, NULL)))
10424         goto end;
10425 
10426     /* session_secret_cb does not support TLSv1.3 */
10427     if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
10428             || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION)))
10429         goto end;
10430 
10431     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10432         goto end;
10433 
10434     if (!TEST_ptr(secret_sess = SSL_get1_session(clientssl)))
10435         goto end;
10436 
10437     shutdown_ssl_connection(serverssl, clientssl);
10438     serverssl = clientssl = NULL;
10439 
10440     /* Resume the earlier session */
10441     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10442                                       NULL, NULL)))
10443         goto end;
10444 
10445     /*
10446      * No session ids for EAP-FAST - otherwise the state machine gets very
10447      * confused.
10448      */
10449     if (!TEST_true(SSL_SESSION_set1_id(secret_sess, NULL, 0)))
10450         goto end;
10451 
10452     if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
10453             || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
10454             || !TEST_true(SSL_set_session_secret_cb(serverssl, secret_cb,
10455                                                     NULL))
10456             || !TEST_true(SSL_set_session_secret_cb(clientssl, secret_cb,
10457                                                     NULL))
10458             || !TEST_true(SSL_set_session(clientssl, secret_sess)))
10459         goto end;
10460 
10461     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10462         goto end;
10463 
10464     testresult = 1;
10465 
10466  end:
10467     SSL_SESSION_free(secret_sess);
10468     SSL_free(serverssl);
10469     SSL_free(clientssl);
10470     SSL_CTX_free(sctx);
10471     SSL_CTX_free(cctx);
10472 
10473     return testresult;
10474 }
10475 
10476 # ifndef OPENSSL_NO_DH
10477 
10478 static EVP_PKEY *tmp_dh_params = NULL;
10479 
10480 /* Helper function for the test_set_tmp_dh() tests */
10481 static EVP_PKEY *get_tmp_dh_params(void)
10482 {
10483     if (tmp_dh_params == NULL) {
10484         BIGNUM *p = NULL;
10485         OSSL_PARAM_BLD *tmpl = NULL;
10486         EVP_PKEY_CTX *pctx = NULL;
10487         OSSL_PARAM *params = NULL;
10488         EVP_PKEY *dhpkey = NULL;
10489 
10490         p = BN_get_rfc3526_prime_2048(NULL);
10491         if (!TEST_ptr(p))
10492             goto end;
10493 
10494         pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
10495         if (!TEST_ptr(pctx)
10496                 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
10497             goto end;
10498 
10499         tmpl = OSSL_PARAM_BLD_new();
10500         if (!TEST_ptr(tmpl)
10501                 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
10502                                                         OSSL_PKEY_PARAM_FFC_P,
10503                                                         p))
10504                 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
10505                                                         OSSL_PKEY_PARAM_FFC_G,
10506                                                         2)))
10507             goto end;
10508 
10509         params = OSSL_PARAM_BLD_to_param(tmpl);
10510         if (!TEST_ptr(params)
10511                 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
10512                                                   EVP_PKEY_KEY_PARAMETERS,
10513                                                   params), 1))
10514             goto end;
10515 
10516         tmp_dh_params = dhpkey;
10517     end:
10518         BN_free(p);
10519         EVP_PKEY_CTX_free(pctx);
10520         OSSL_PARAM_BLD_free(tmpl);
10521         OSSL_PARAM_free(params);
10522     }
10523 
10524     if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
10525         return NULL;
10526 
10527     return tmp_dh_params;
10528 }
10529 
10530 #  ifndef OPENSSL_NO_DEPRECATED_3_0
10531 /* Callback used by test_set_tmp_dh() */
10532 static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
10533 {
10534     EVP_PKEY *dhpkey = get_tmp_dh_params();
10535     DH *ret = NULL;
10536 
10537     if (!TEST_ptr(dhpkey))
10538         return NULL;
10539 
10540     /*
10541      * libssl does not free the returned DH, so we free it now knowing that even
10542      * after we free dhpkey, there will still be a reference to the owning
10543      * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
10544      * of time we need it for.
10545      */
10546     ret = EVP_PKEY_get1_DH(dhpkey);
10547     DH_free(ret);
10548 
10549     EVP_PKEY_free(dhpkey);
10550 
10551     return ret;
10552 }
10553 #  endif
10554 
10555 /*
10556  * Test the various methods for setting temporary DH parameters
10557  *
10558  * Test  0: Default (no auto) setting
10559  * Test  1: Explicit SSL_CTX auto off
10560  * Test  2: Explicit SSL auto off
10561  * Test  3: Explicit SSL_CTX auto on
10562  * Test  4: Explicit SSL auto on
10563  * Test  5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
10564  * Test  6: Explicit SSL auto off, custom DH params via EVP_PKEY
10565  *
10566  * The following are testing deprecated APIs, so we only run them if available
10567  * Test  7: Explicit SSL_CTX auto off, custom DH params via DH
10568  * Test  8: Explicit SSL auto off, custom DH params via DH
10569  * Test  9: Explicit SSL_CTX auto off, custom DH params via callback
10570  * Test 10: Explicit SSL auto off, custom DH params via callback
10571  */
10572 static int test_set_tmp_dh(int idx)
10573 {
10574     SSL_CTX *cctx = NULL, *sctx = NULL;
10575     SSL *clientssl = NULL, *serverssl = NULL;
10576     int testresult = 0;
10577     int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
10578     int expected = (idx <= 2) ? 0 : 1;
10579     EVP_PKEY *dhpkey = NULL;
10580 #  ifndef OPENSSL_NO_DEPRECATED_3_0
10581     DH *dh = NULL;
10582 #  else
10583 
10584     if (idx >= 7)
10585         return 1;
10586 #  endif
10587 
10588     if (idx >= 5 && idx <= 8) {
10589         dhpkey = get_tmp_dh_params();
10590         if (!TEST_ptr(dhpkey))
10591             goto end;
10592     }
10593 #  ifndef OPENSSL_NO_DEPRECATED_3_0
10594     if (idx == 7 || idx == 8) {
10595         dh = EVP_PKEY_get1_DH(dhpkey);
10596         if (!TEST_ptr(dh))
10597             goto end;
10598     }
10599 #  endif
10600 
10601     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10602                                        TLS_client_method(),
10603                                        0,
10604                                        0,
10605                                        &sctx, &cctx, cert, privkey)))
10606         goto end;
10607 
10608     if ((idx & 1) == 1) {
10609         if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
10610             goto end;
10611     }
10612 
10613     if (idx == 5) {
10614         if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
10615             goto end;
10616         dhpkey = NULL;
10617     }
10618 #  ifndef OPENSSL_NO_DEPRECATED_3_0
10619     else if (idx == 7) {
10620         if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
10621             goto end;
10622     } else if (idx == 9) {
10623         SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
10624     }
10625 #  endif
10626 
10627     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10628                                       NULL, NULL)))
10629         goto end;
10630 
10631     if ((idx & 1) == 0 && idx != 0) {
10632         if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
10633             goto end;
10634     }
10635     if (idx == 6) {
10636         if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
10637             goto end;
10638         dhpkey = NULL;
10639     }
10640 #  ifndef OPENSSL_NO_DEPRECATED_3_0
10641     else if (idx == 8) {
10642         if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
10643             goto end;
10644     } else if (idx == 10) {
10645         SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
10646     }
10647 #  endif
10648 
10649     if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
10650             || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
10651             || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
10652         goto end;
10653 
10654     /*
10655      * If autoon then we should succeed. Otherwise we expect failure because
10656      * there are no parameters
10657      */
10658     if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
10659                                            SSL_ERROR_NONE), expected))
10660         goto end;
10661 
10662     testresult = 1;
10663 
10664  end:
10665 #  ifndef OPENSSL_NO_DEPRECATED_3_0
10666     DH_free(dh);
10667 #  endif
10668     SSL_free(serverssl);
10669     SSL_free(clientssl);
10670     SSL_CTX_free(sctx);
10671     SSL_CTX_free(cctx);
10672     EVP_PKEY_free(dhpkey);
10673 
10674     return testresult;
10675 }
10676 
10677 /*
10678  * Test the auto DH keys are appropriately sized
10679  */
10680 static int test_dh_auto(int idx)
10681 {
10682     SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
10683     SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10684     SSL *clientssl = NULL, *serverssl = NULL;
10685     int testresult = 0;
10686     EVP_PKEY *tmpkey = NULL;
10687     char *thiscert = NULL, *thiskey = NULL;
10688     size_t expdhsize = 0;
10689     const char *ciphersuite = "DHE-RSA-AES128-SHA";
10690 
10691     if (!TEST_ptr(sctx) || !TEST_ptr(cctx))
10692         goto end;
10693 
10694     switch (idx) {
10695     case 0:
10696         /* The FIPS provider doesn't support this DH size - so we ignore it */
10697         if (is_fips) {
10698             testresult = 1;
10699             goto end;
10700         }
10701         thiscert = cert1024;
10702         thiskey = privkey1024;
10703         expdhsize = 1024;
10704         SSL_CTX_set_security_level(sctx, 1);
10705         SSL_CTX_set_security_level(cctx, 1);
10706         break;
10707     case 1:
10708         /* 2048 bit prime */
10709         thiscert = cert;
10710         thiskey = privkey;
10711         expdhsize = 2048;
10712         break;
10713     case 2:
10714         thiscert = cert3072;
10715         thiskey = privkey3072;
10716         expdhsize = 3072;
10717         break;
10718     case 3:
10719         thiscert = cert4096;
10720         thiskey = privkey4096;
10721         expdhsize = 4096;
10722         break;
10723     case 4:
10724         thiscert = cert8192;
10725         thiskey = privkey8192;
10726         expdhsize = 8192;
10727         break;
10728     /* No certificate cases */
10729     case 5:
10730         /* The FIPS provider doesn't support this DH size - so we ignore it */
10731         if (is_fips) {
10732             testresult = 1;
10733             goto end;
10734         }
10735         ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
10736         expdhsize = 1024;
10737         break;
10738     case 6:
10739         ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
10740         expdhsize = 3072;
10741         break;
10742     default:
10743         TEST_error("Invalid text index");
10744         goto end;
10745     }
10746 
10747     if (!TEST_true(create_ssl_ctx_pair(libctx, NULL,
10748                                        NULL,
10749                                        0,
10750                                        0,
10751                                        &sctx, &cctx, thiscert, thiskey)))
10752         goto end;
10753 
10754     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10755                                       NULL, NULL)))
10756         goto end;
10757 
10758     if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
10759             || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
10760             || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
10761             || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
10762             || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
10763         goto end;
10764 
10765     /*
10766      * Send the server's first flight. At this point the server has created the
10767      * temporary DH key but hasn't finished using it yet. Once used it is
10768      * removed, so we cannot test it.
10769      */
10770     if (!TEST_int_le(SSL_connect(clientssl), 0)
10771             || !TEST_int_le(SSL_accept(serverssl), 0))
10772         goto end;
10773 
10774     if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
10775         goto end;
10776     if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
10777         goto end;
10778 
10779     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10780         goto end;
10781 
10782     testresult = 1;
10783 
10784  end:
10785     SSL_free(serverssl);
10786     SSL_free(clientssl);
10787     SSL_CTX_free(sctx);
10788     SSL_CTX_free(cctx);
10789     EVP_PKEY_free(tmpkey);
10790 
10791     return testresult;
10792 
10793 }
10794 # endif /* OPENSSL_NO_DH */
10795 #endif /* OPENSSL_NO_TLS1_2 */
10796 
10797 #ifndef OSSL_NO_USABLE_TLS1_3
10798 /*
10799  * Test that setting an SNI callback works with TLSv1.3. Specifically we check
10800  * that it works even without a certificate configured for the original
10801  * SSL_CTX
10802  */
10803 static int test_sni_tls13(void)
10804 {
10805     SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
10806     SSL *clientssl = NULL, *serverssl = NULL;
10807     int testresult = 0;
10808 
10809     /* Reset callback counter */
10810     snicb = 0;
10811 
10812     /* Create an initial SSL_CTX with no certificate configured */
10813     sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10814     if (!TEST_ptr(sctx))
10815         goto end;
10816     /* Require TLSv1.3 as a minimum */
10817     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10818                                        TLS_client_method(), TLS1_3_VERSION, 0,
10819                                        &sctx2, &cctx, cert, privkey)))
10820         goto end;
10821 
10822     /* Set up SNI */
10823     if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
10824             || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
10825         goto end;
10826 
10827     /*
10828      * Connection should still succeed because the final SSL_CTX has the right
10829      * certificates configured.
10830      */
10831     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10832                                       &clientssl, NULL, NULL))
10833             || !TEST_true(create_ssl_connection(serverssl, clientssl,
10834                                                 SSL_ERROR_NONE)))
10835         goto end;
10836 
10837     /* We should have had the SNI callback called exactly once */
10838     if (!TEST_int_eq(snicb, 1))
10839         goto end;
10840 
10841     testresult = 1;
10842 
10843 end:
10844     SSL_free(serverssl);
10845     SSL_free(clientssl);
10846     SSL_CTX_free(sctx2);
10847     SSL_CTX_free(sctx);
10848     SSL_CTX_free(cctx);
10849     return testresult;
10850 }
10851 
10852 /*
10853  * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
10854  * 0 = TLSv1.2
10855  * 1 = TLSv1.3
10856  */
10857 static int test_ticket_lifetime(int idx)
10858 {
10859     SSL_CTX *cctx = NULL, *sctx = NULL;
10860     SSL *clientssl = NULL, *serverssl = NULL;
10861     int testresult = 0;
10862     int version = TLS1_3_VERSION;
10863 
10864 #define ONE_WEEK_SEC (7 * 24 * 60 * 60)
10865 #define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
10866 
10867     if (idx == 0) {
10868 #ifdef OPENSSL_NO_TLS1_2
10869         return TEST_skip("TLS 1.2 is disabled.");
10870 #else
10871         version = TLS1_2_VERSION;
10872 #endif
10873     }
10874 
10875     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10876                                        TLS_client_method(), version, version,
10877                                        &sctx, &cctx, cert, privkey)))
10878         goto end;
10879 
10880     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10881                                       &clientssl, NULL, NULL)))
10882         goto end;
10883 
10884     /*
10885      * Set the timeout to be more than 1 week
10886      * make sure the returned value is the default
10887      */
10888     if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
10889                       SSL_get_default_timeout(serverssl)))
10890         goto end;
10891 
10892     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10893         goto end;
10894 
10895     if (idx == 0) {
10896         /* TLSv1.2 uses the set value */
10897         if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
10898             goto end;
10899     } else {
10900         /* TLSv1.3 uses the limited value */
10901         if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
10902             goto end;
10903     }
10904     testresult = 1;
10905 
10906 end:
10907     SSL_free(serverssl);
10908     SSL_free(clientssl);
10909     SSL_CTX_free(sctx);
10910     SSL_CTX_free(cctx);
10911     return testresult;
10912 }
10913 #endif
10914 /*
10915  * Test that setting an ALPN does not violate RFC
10916  */
10917 static int test_set_alpn(void)
10918 {
10919     SSL_CTX *ctx = NULL;
10920     SSL *ssl = NULL;
10921     int testresult = 0;
10922 
10923     unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
10924     unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
10925     unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
10926     unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
10927     unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
10928     unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
10929 
10930     /* Create an initial SSL_CTX with no certificate configured */
10931     ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10932     if (!TEST_ptr(ctx))
10933         goto end;
10934 
10935     /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
10936     if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
10937         goto end;
10938     if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
10939         goto end;
10940     if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
10941         goto end;
10942     if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
10943         goto end;
10944     if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
10945         goto end;
10946     if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
10947         goto end;
10948     if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
10949         goto end;
10950     if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
10951         goto end;
10952     if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
10953         goto end;
10954 
10955     ssl = SSL_new(ctx);
10956     if (!TEST_ptr(ssl))
10957         goto end;
10958 
10959     if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
10960         goto end;
10961     if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
10962         goto end;
10963     if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
10964         goto end;
10965     if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
10966         goto end;
10967     if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
10968         goto end;
10969     if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
10970         goto end;
10971     if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
10972         goto end;
10973     if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
10974         goto end;
10975     if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
10976         goto end;
10977 
10978     testresult = 1;
10979 
10980 end:
10981     SSL_free(ssl);
10982     SSL_CTX_free(ctx);
10983     return testresult;
10984 }
10985 
10986 /*
10987  * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
10988  */
10989 static int test_set_verify_cert_store_ssl_ctx(void)
10990 {
10991    SSL_CTX *ctx = NULL;
10992    int testresult = 0;
10993    X509_STORE *store = NULL, *new_store = NULL,
10994               *cstore = NULL, *new_cstore = NULL;
10995 
10996    /* Create an initial SSL_CTX. */
10997    ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10998    if (!TEST_ptr(ctx))
10999        goto end;
11000 
11001    /* Retrieve verify store pointer. */
11002    if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
11003        goto end;
11004 
11005    /* Retrieve chain store pointer. */
11006    if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
11007        goto end;
11008 
11009    /* We haven't set any yet, so this should be NULL. */
11010    if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
11011        goto end;
11012 
11013    /* Create stores. We use separate stores so pointers are different. */
11014    new_store = X509_STORE_new();
11015    if (!TEST_ptr(new_store))
11016        goto end;
11017 
11018    new_cstore = X509_STORE_new();
11019    if (!TEST_ptr(new_cstore))
11020        goto end;
11021 
11022    /* Set stores. */
11023    if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
11024        goto end;
11025 
11026    if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
11027        goto end;
11028 
11029    /* Should be able to retrieve the same pointer. */
11030    if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
11031        goto end;
11032 
11033    if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
11034        goto end;
11035 
11036    if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
11037        goto end;
11038 
11039    /* Should be able to unset again. */
11040    if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
11041        goto end;
11042 
11043    if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
11044        goto end;
11045 
11046    /* Should now be NULL. */
11047    if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
11048        goto end;
11049 
11050    if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
11051        goto end;
11052 
11053    if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
11054        goto end;
11055 
11056    testresult = 1;
11057 
11058 end:
11059    X509_STORE_free(new_store);
11060    X509_STORE_free(new_cstore);
11061    SSL_CTX_free(ctx);
11062    return testresult;
11063 }
11064 
11065 /*
11066  * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
11067  */
11068 static int test_set_verify_cert_store_ssl(void)
11069 {
11070    SSL_CTX *ctx = NULL;
11071    SSL *ssl = NULL;
11072    int testresult = 0;
11073    X509_STORE *store = NULL, *new_store = NULL,
11074               *cstore = NULL, *new_cstore = NULL;
11075 
11076    /* Create an initial SSL_CTX. */
11077    ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
11078    if (!TEST_ptr(ctx))
11079        goto end;
11080 
11081    /* Create an SSL object. */
11082    ssl = SSL_new(ctx);
11083    if (!TEST_ptr(ssl))
11084        goto end;
11085 
11086    /* Retrieve verify store pointer. */
11087    if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
11088        goto end;
11089 
11090    /* Retrieve chain store pointer. */
11091    if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
11092        goto end;
11093 
11094    /* We haven't set any yet, so this should be NULL. */
11095    if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
11096        goto end;
11097 
11098    /* Create stores. We use separate stores so pointers are different. */
11099    new_store = X509_STORE_new();
11100    if (!TEST_ptr(new_store))
11101        goto end;
11102 
11103    new_cstore = X509_STORE_new();
11104    if (!TEST_ptr(new_cstore))
11105        goto end;
11106 
11107    /* Set stores. */
11108    if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
11109        goto end;
11110 
11111    if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
11112        goto end;
11113 
11114    /* Should be able to retrieve the same pointer. */
11115    if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
11116        goto end;
11117 
11118    if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
11119        goto end;
11120 
11121    if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
11122        goto end;
11123 
11124    /* Should be able to unset again. */
11125    if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
11126        goto end;
11127 
11128    if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
11129        goto end;
11130 
11131    /* Should now be NULL. */
11132    if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
11133        goto end;
11134 
11135    if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
11136        goto end;
11137 
11138    if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
11139        goto end;
11140 
11141    testresult = 1;
11142 
11143 end:
11144    X509_STORE_free(new_store);
11145    X509_STORE_free(new_cstore);
11146    SSL_free(ssl);
11147    SSL_CTX_free(ctx);
11148    return testresult;
11149 }
11150 
11151 
11152 static int test_inherit_verify_param(void)
11153 {
11154     int testresult = 0;
11155 
11156     SSL_CTX *ctx = NULL;
11157     X509_VERIFY_PARAM *cp = NULL;
11158     SSL *ssl = NULL;
11159     X509_VERIFY_PARAM *sp = NULL;
11160     int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
11161 
11162     ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
11163     if (!TEST_ptr(ctx))
11164         goto end;
11165 
11166     cp = SSL_CTX_get0_param(ctx);
11167     if (!TEST_ptr(cp))
11168         goto end;
11169     if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
11170         goto end;
11171 
11172     X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
11173 
11174     ssl = SSL_new(ctx);
11175     if (!TEST_ptr(ssl))
11176         goto end;
11177 
11178     sp = SSL_get0_param(ssl);
11179     if (!TEST_ptr(sp))
11180         goto end;
11181     if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
11182         goto end;
11183 
11184     testresult = 1;
11185 
11186  end:
11187     SSL_free(ssl);
11188     SSL_CTX_free(ctx);
11189 
11190     return testresult;
11191 }
11192 
11193 static int test_load_dhfile(void)
11194 {
11195 #ifndef OPENSSL_NO_DH
11196     int testresult = 0;
11197 
11198     SSL_CTX *ctx = NULL;
11199     SSL_CONF_CTX *cctx = NULL;
11200 
11201     if (dhfile == NULL)
11202         return 1;
11203 
11204     if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()))
11205         || !TEST_ptr(cctx = SSL_CONF_CTX_new()))
11206         goto end;
11207 
11208     SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
11209     SSL_CONF_CTX_set_flags(cctx,
11210                            SSL_CONF_FLAG_CERTIFICATE
11211                            | SSL_CONF_FLAG_SERVER
11212                            | SSL_CONF_FLAG_FILE);
11213 
11214     if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2))
11215         goto end;
11216 
11217     testresult = 1;
11218 end:
11219     SSL_CONF_CTX_free(cctx);
11220     SSL_CTX_free(ctx);
11221 
11222     return testresult;
11223 #else
11224     return TEST_skip("DH not supported by this build");
11225 #endif
11226 }
11227 
11228 #ifndef OSSL_NO_USABLE_TLS1_3
11229 /* Test that read_ahead works across a key change */
11230 static int test_read_ahead_key_change(void)
11231 {
11232     SSL_CTX *cctx = NULL, *sctx = NULL;
11233     SSL *clientssl = NULL, *serverssl = NULL;
11234     int testresult = 0;
11235     char *msg = "Hello World";
11236     size_t written, readbytes;
11237     char buf[80];
11238     int i;
11239 
11240     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11241                                        TLS_client_method(), TLS1_3_VERSION, 0,
11242                                        &sctx, &cctx, cert, privkey)))
11243         goto end;
11244 
11245     SSL_CTX_set_read_ahead(sctx, 1);
11246 
11247     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11248                                       &clientssl, NULL, NULL)))
11249         goto end;
11250 
11251     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11252         goto end;
11253 
11254     /* Write some data, send a key update, write more data */
11255     if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
11256         || !TEST_size_t_eq(written, strlen(msg)))
11257         goto end;
11258 
11259     if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
11260         goto end;
11261 
11262     if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
11263         || !TEST_size_t_eq(written, strlen(msg)))
11264         goto end;
11265 
11266     /*
11267      * Since read_ahead is on the first read below should read the record with
11268      * the first app data, the second record with the key update message, and
11269      * the third record with the app data all in one go. We should be able to
11270      * still process the read_ahead data correctly even though it crosses
11271      * epochs
11272      */
11273     for (i = 0; i < 2; i++) {
11274         if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
11275                                     &readbytes)))
11276             goto end;
11277 
11278         buf[readbytes] = '\0';
11279         if (!TEST_str_eq(buf, msg))
11280             goto end;
11281     }
11282 
11283     testresult = 1;
11284 
11285 end:
11286     SSL_free(serverssl);
11287     SSL_free(clientssl);
11288     SSL_CTX_free(sctx);
11289     SSL_CTX_free(cctx);
11290     return testresult;
11291 }
11292 
11293 static size_t record_pad_cb(SSL *s, int type, size_t len, void *arg)
11294 {
11295     int *called = arg;
11296 
11297     switch ((*called)++) {
11298     case 0:
11299         /* Add some padding to first record */
11300         return 512;
11301     case 1:
11302         /* Maximally pad the second record */
11303         return SSL3_RT_MAX_PLAIN_LENGTH - len;
11304     case 2:
11305         /*
11306          * Exceeding the maximum padding should be fine. It should just pad to
11307          * the maximum anyway
11308          */
11309         return SSL3_RT_MAX_PLAIN_LENGTH + 1 - len;
11310     case 3:
11311         /*
11312          * Very large padding should also be ok. Should just pad to the maximum
11313          * allowed
11314          */
11315         return SIZE_MAX;
11316     default:
11317         return 0;
11318     }
11319 }
11320 
11321 /*
11322  * Test that setting record padding in TLSv1.3 works as expected
11323  * Test 0: Record padding callback on the SSL_CTX
11324  * Test 1: Record padding callback on the SSL
11325  * Test 2: Record block padding on the SSL_CTX
11326  * Test 3: Record block padding on the SSL
11327  * Test 4: Extended record block padding on the SSL_CTX
11328  * Test 5: Extended record block padding on the SSL
11329  */
11330 static int test_tls13_record_padding(int idx)
11331 {
11332     SSL_CTX *cctx = NULL, *sctx = NULL;
11333     SSL *clientssl = NULL, *serverssl = NULL;
11334     int testresult = 0;
11335     char *msg = "Hello World";
11336     size_t written, readbytes;
11337     char buf[80];
11338     int i;
11339     int called = 0;
11340 
11341     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11342                                        TLS_client_method(), TLS1_3_VERSION, 0,
11343                                        &sctx, &cctx, cert, privkey)))
11344         goto end;
11345 
11346     if (idx == 0) {
11347         SSL_CTX_set_record_padding_callback(cctx, record_pad_cb);
11348         SSL_CTX_set_record_padding_callback_arg(cctx, &called);
11349         if (!TEST_ptr_eq(SSL_CTX_get_record_padding_callback_arg(cctx), &called))
11350             goto end;
11351     } else if (idx == 2) {
11352         /* Exceeding the max plain length should fail */
11353         if (!TEST_false(SSL_CTX_set_block_padding(cctx,
11354                                                   SSL3_RT_MAX_PLAIN_LENGTH + 1)))
11355             goto end;
11356         if (!TEST_true(SSL_CTX_set_block_padding(cctx, 512)))
11357             goto end;
11358     } else if (idx == 4) {
11359         /* pad only handshake/alert messages */
11360         if (!TEST_true(SSL_CTX_set_block_padding_ex(cctx, 0, 512)))
11361             goto end;
11362     }
11363 
11364     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11365                                       &clientssl, NULL, NULL)))
11366         goto end;
11367 
11368     if (idx == 1) {
11369         SSL_set_record_padding_callback(clientssl, record_pad_cb);
11370         SSL_set_record_padding_callback_arg(clientssl, &called);
11371         if (!TEST_ptr_eq(SSL_get_record_padding_callback_arg(clientssl), &called))
11372             goto end;
11373     } else if (idx == 3) {
11374         /* Exceeding the max plain length should fail */
11375         if (!TEST_false(SSL_set_block_padding(clientssl,
11376                                               SSL3_RT_MAX_PLAIN_LENGTH + 1)))
11377             goto end;
11378         if (!TEST_true(SSL_set_block_padding(clientssl, 512)))
11379             goto end;
11380     } else if (idx == 5) {
11381         /* Exceeding the max plain length should fail */
11382         if (!TEST_false(SSL_set_block_padding_ex(clientssl, 0,
11383                                                  SSL3_RT_MAX_PLAIN_LENGTH + 1)))
11384             goto end;
11385         /* pad server and client handshake only */
11386         if (!TEST_true(SSL_set_block_padding_ex(clientssl, 0, 512)))
11387             goto end;
11388         if (!TEST_true(SSL_set_block_padding_ex(serverssl, 0, 512)))
11389             goto end;
11390     }
11391 
11392     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11393         goto end;
11394 
11395     called = 0;
11396     /*
11397      * Write some data, then check we can read it. Do this four times to check
11398      * we can continue to write and read padded data after the initial record
11399      * padding has been added. We don't actually check that the padding has
11400      * been applied to the record - just that we can continue to communicate
11401      * normally and that the callback has been called (if appropriate).
11402      */
11403     for (i = 0; i < 4; i++) {
11404         if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
11405             || !TEST_size_t_eq(written, strlen(msg)))
11406             goto end;
11407 
11408         if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
11409                                     &readbytes))
11410                 || !TEST_size_t_eq(written, readbytes))
11411             goto end;
11412 
11413         buf[readbytes] = '\0';
11414         if (!TEST_str_eq(buf, msg))
11415             goto end;
11416     }
11417 
11418     if ((idx == 0 || idx == 1) && !TEST_int_eq(called, 4))
11419         goto end;
11420 
11421     testresult = 1;
11422 end:
11423     SSL_free(serverssl);
11424     SSL_free(clientssl);
11425     SSL_CTX_free(sctx);
11426     SSL_CTX_free(cctx);
11427     return testresult;
11428 }
11429 #endif /* OSSL_NO_USABLE_TLS1_3 */
11430 
11431 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
11432 /*
11433  * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not
11434  * support this yet. The only pipeline capable cipher that we have is in the
11435  * dasync engine (providers don't support this yet), so we have to use
11436  * deprecated APIs for this test.
11437  *
11438  * Test 0: Client has pipelining enabled, server does not
11439  * Test 1: Server has pipelining enabled, client does not
11440  * Test 2: Client has pipelining enabled, server does not: not enough data to
11441  *         fill all the pipelines
11442  * Test 3: Client has pipelining enabled, server does not: not enough data to
11443  *         fill all the pipelines by more than a full pipeline's worth
11444  * Test 4: Client has pipelining enabled, server does not: more data than all
11445  *         the available pipelines can take
11446  * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline
11447  * Test 6: Repeat of test 0, but the engine is loaded late (after the SSL_CTX
11448  *         is created)
11449  */
11450 static int test_pipelining(int idx)
11451 {
11452     SSL_CTX *cctx = NULL, *sctx = NULL;
11453     SSL *clientssl = NULL, *serverssl = NULL, *peera, *peerb;
11454     int testresult = 0, numreads;
11455     /* A 55 byte message */
11456     unsigned char *msg = (unsigned char *)
11457         "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123";
11458     size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5;
11459     size_t expectedreads;
11460     unsigned char *buf = NULL;
11461     ENGINE *e = NULL;
11462 
11463     if (idx != 6) {
11464         e = load_dasync();
11465         if (e == NULL)
11466             return 0;
11467     }
11468 
11469     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11470                                        TLS_client_method(), 0,
11471                                        TLS1_2_VERSION, &sctx, &cctx, cert,
11472                                        privkey)))
11473         goto end;
11474 
11475     if (idx == 6) {
11476         e = load_dasync();
11477         if (e == NULL)
11478             goto end;
11479         /* Now act like test 0 */
11480         idx = 0;
11481     }
11482 
11483     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11484                                       &clientssl, NULL, NULL)))
11485         goto end;
11486 
11487     if (!TEST_true(SSL_set_cipher_list(clientssl, "AES128-SHA")))
11488         goto end;
11489 
11490     /* peera is always configured for pipelining, while peerb is not. */
11491     if (idx == 1) {
11492         peera = serverssl;
11493         peerb = clientssl;
11494 
11495     } else {
11496         peera = clientssl;
11497         peerb = serverssl;
11498     }
11499 
11500     if (idx == 5) {
11501         numpipes = 2;
11502         /* Maximum allowed fragment size */
11503         fragsize = SSL3_RT_MAX_PLAIN_LENGTH;
11504         msglen = fragsize * numpipes;
11505         msg = OPENSSL_malloc(msglen);
11506         if (!TEST_ptr(msg))
11507             goto end;
11508         if (!TEST_int_gt(RAND_bytes_ex(libctx, msg, msglen, 0), 0))
11509             goto end;
11510     } else if (idx == 4) {
11511         msglen = 55;
11512     } else {
11513         msglen = 50;
11514     }
11515     if (idx == 2)
11516         msglen -= 2; /* Send 2 less bytes */
11517     else if (idx == 3)
11518         msglen -= 12; /* Send 12 less bytes */
11519 
11520     buf = OPENSSL_malloc(msglen);
11521     if (!TEST_ptr(buf))
11522         goto end;
11523 
11524     if (idx == 5) {
11525         /*
11526          * Test that setting a split send fragment longer than the maximum
11527          * allowed fails
11528          */
11529         if (!TEST_false(SSL_set_split_send_fragment(peera, fragsize + 1)))
11530             goto end;
11531     }
11532 
11533     /*
11534      * In the normal case. We have 5 pipelines with 10 bytes per pipeline
11535      * (50 bytes in total). This is a ridiculously small number of bytes -
11536      * but sufficient for our purposes
11537      */
11538     if (!TEST_true(SSL_set_max_pipelines(peera, numpipes))
11539             || !TEST_true(SSL_set_split_send_fragment(peera, fragsize)))
11540         goto end;
11541 
11542     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11543         goto end;
11544 
11545     /* Write some data from peera to peerb */
11546     if (!TEST_true(SSL_write_ex(peera, msg, msglen, &written))
11547         || !TEST_size_t_eq(written, msglen))
11548         goto end;
11549 
11550     /*
11551      * If the pipelining code worked, then we expect all |numpipes| pipelines to
11552      * have been used - except in test 3 where only |numpipes - 1| pipelines
11553      * will be used. This will result in |numpipes| records (|numpipes - 1| for
11554      * test 3) having been sent to peerb. Since peerb is not using read_ahead we
11555      * expect this to be read in |numpipes| or |numpipes - 1| separate
11556      * SSL_read_ex calls. In the case of test 4, there is then one additional
11557      * read for left over data that couldn't fit in the previous pipelines
11558      */
11559     for (offset = 0, numreads = 0;
11560          offset < msglen;
11561          offset += readbytes, numreads++) {
11562         if (!TEST_true(SSL_read_ex(peerb, buf + offset,
11563                                    msglen - offset, &readbytes)))
11564             goto end;
11565     }
11566 
11567     expectedreads = idx == 4 ? numpipes + 1
11568                              : (idx == 3 ? numpipes - 1 : numpipes);
11569     if (!TEST_mem_eq(msg, msglen, buf, offset)
11570             || !TEST_int_eq(numreads, expectedreads))
11571         goto end;
11572 
11573     /*
11574      * Write some data from peerb to peera. We do this in up to |numpipes + 1|
11575      * chunks to exercise the read pipelining code on peera.
11576      */
11577     for (offset = 0; offset < msglen; offset += fragsize) {
11578         size_t sendlen = msglen - offset;
11579 
11580         if (sendlen > fragsize)
11581             sendlen = fragsize;
11582         if (!TEST_true(SSL_write_ex(peerb, msg + offset, sendlen, &written))
11583                 || !TEST_size_t_eq(written, sendlen))
11584             goto end;
11585     }
11586 
11587     /*
11588      * The data was written in |numpipes|, |numpipes - 1| or |numpipes + 1|
11589      * separate chunks (depending on which test we are running). If the
11590      * pipelining is working then we expect peera to read up to numpipes chunks
11591      * and process them in parallel, giving back the complete result in a single
11592      * call to SSL_read_ex
11593      */
11594     if (!TEST_true(SSL_read_ex(peera, buf, msglen, &readbytes))
11595             || !TEST_size_t_le(readbytes, msglen))
11596         goto end;
11597 
11598     if (idx == 4) {
11599         size_t readbytes2;
11600 
11601         if (!TEST_true(SSL_read_ex(peera, buf + readbytes,
11602                                    msglen - readbytes, &readbytes2)))
11603             goto end;
11604         readbytes += readbytes2;
11605         if (!TEST_size_t_le(readbytes, msglen))
11606             goto end;
11607     }
11608 
11609     if (!TEST_mem_eq(msg, msglen, buf, readbytes))
11610         goto end;
11611 
11612     testresult = 1;
11613 end:
11614     SSL_free(serverssl);
11615     SSL_free(clientssl);
11616     SSL_CTX_free(sctx);
11617     SSL_CTX_free(cctx);
11618     if (e != NULL) {
11619         ENGINE_unregister_ciphers(e);
11620         ENGINE_finish(e);
11621         ENGINE_free(e);
11622     }
11623     OPENSSL_free(buf);
11624     if (fragsize == SSL3_RT_MAX_PLAIN_LENGTH)
11625         OPENSSL_free(msg);
11626     return testresult;
11627 }
11628 #endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */
11629 
11630 static int check_version_string(SSL *s, int version)
11631 {
11632     const char *verstr = NULL;
11633 
11634     switch (version) {
11635     case SSL3_VERSION:
11636         verstr = "SSLv3";
11637         break;
11638     case TLS1_VERSION:
11639         verstr = "TLSv1";
11640         break;
11641     case TLS1_1_VERSION:
11642         verstr = "TLSv1.1";
11643         break;
11644     case TLS1_2_VERSION:
11645         verstr = "TLSv1.2";
11646         break;
11647     case TLS1_3_VERSION:
11648         verstr = "TLSv1.3";
11649         break;
11650     case DTLS1_VERSION:
11651         verstr = "DTLSv1";
11652         break;
11653     case DTLS1_2_VERSION:
11654         verstr = "DTLSv1.2";
11655     }
11656 
11657     return TEST_str_eq(verstr, SSL_get_version(s));
11658 }
11659 
11660 /*
11661  * Test that SSL_version, SSL_get_version, SSL_is_quic, SSL_is_tls and
11662  * SSL_is_dtls return the expected results for a (D)TLS connection. Compare with
11663  * test_version() in quicapitest.c which does the same thing for QUIC
11664  * connections.
11665  */
11666 static int test_version(int idx)
11667 {
11668     SSL_CTX *cctx = NULL, *sctx = NULL;
11669     SSL *clientssl = NULL, *serverssl = NULL;
11670     int testresult = 0, version;
11671     const SSL_METHOD *servmeth = TLS_server_method();
11672     const SSL_METHOD *clientmeth = TLS_client_method();
11673 
11674     switch (idx) {
11675 #if !defined(OPENSSL_NO_SSL3)
11676     case 0:
11677         version = SSL3_VERSION;
11678         break;
11679 #endif
11680 #if !defined(OPENSSL_NO_TLS1)
11681     case 1:
11682         version = TLS1_VERSION;
11683         break;
11684 #endif
11685 #if !defined(OPENSSL_NO_TLS1_2)
11686     case 2:
11687         version = TLS1_2_VERSION;
11688         break;
11689 #endif
11690 #if !defined(OSSL_NO_USABLE_TLS1_3)
11691     case 3:
11692         version = TLS1_3_VERSION;
11693         break;
11694 #endif
11695 #if !defined(OPENSSL_NO_DTLS1)
11696     case 4:
11697         version = DTLS1_VERSION;
11698         break;
11699 #endif
11700 #if !defined(OPENSSL_NO_DTLS1_2)
11701     case 5:
11702         version = DTLS1_2_VERSION;
11703         break;
11704 #endif
11705     /*
11706      * NB we do not support QUIC in this test. That is covered by quicapitest.c
11707      * We also don't support DTLS1_BAD_VER since we have no server support for
11708      * that.
11709      */
11710     default:
11711         TEST_skip("Unsupported protocol version");
11712         return 1;
11713     }
11714 
11715     if (is_fips
11716             && (version == SSL3_VERSION
11717                 || version == TLS1_VERSION
11718                 || version == DTLS1_VERSION)) {
11719         TEST_skip("Protocol version not supported with FIPS");
11720         return 1;
11721     }
11722 
11723 #if !defined(OPENSSL_NO_DTLS)
11724     if (version == DTLS1_VERSION || version == DTLS1_2_VERSION) {
11725         servmeth = DTLS_server_method();
11726         clientmeth = DTLS_client_method();
11727     }
11728 #endif
11729 
11730     if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, version,
11731                                        version, &sctx, &cctx, cert, privkey)))
11732         goto end;
11733 
11734     if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
11735             || !TEST_true(SSL_CTX_set_cipher_list(cctx,
11736                                                 "DEFAULT:@SECLEVEL=0")))
11737         goto end;
11738 
11739     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11740                                       &clientssl, NULL, NULL)))
11741         goto end;
11742 
11743     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11744         goto end;
11745 
11746     if (!TEST_int_eq(SSL_version(serverssl), version)
11747             || !TEST_int_eq(SSL_version(clientssl), version)
11748             || !TEST_true(check_version_string(serverssl, version))
11749             || !TEST_true(check_version_string(clientssl, version)))
11750         goto end;
11751 
11752     if (version == DTLS1_VERSION || version == DTLS1_2_VERSION) {
11753         if (!TEST_true(SSL_is_dtls(serverssl))
11754                 || !TEST_true(SSL_is_dtls(clientssl))
11755                 || !TEST_false(SSL_is_tls(serverssl))
11756                 || !TEST_false(SSL_is_tls(clientssl))
11757                 || !TEST_false(SSL_is_quic(serverssl))
11758                 || !TEST_false(SSL_is_quic(clientssl)))
11759         goto end;
11760     } else {
11761         if (!TEST_true(SSL_is_tls(serverssl))
11762                 || !TEST_true(SSL_is_tls(clientssl))
11763                 || !TEST_false(SSL_is_dtls(serverssl))
11764                 || !TEST_false(SSL_is_dtls(clientssl))
11765                 || !TEST_false(SSL_is_quic(serverssl))
11766                 || !TEST_false(SSL_is_quic(clientssl)))
11767         goto end;
11768     }
11769 
11770     testresult = 1;
11771 end:
11772     SSL_free(serverssl);
11773     SSL_free(clientssl);
11774     SSL_CTX_free(sctx);
11775     SSL_CTX_free(cctx);
11776     return testresult;
11777 }
11778 
11779 /*
11780  * Test that the SSL_rstate_string*() APIs return sane results
11781  */
11782 static int test_rstate_string(void)
11783 {
11784     SSL_CTX *cctx = NULL, *sctx = NULL;
11785     SSL *clientssl = NULL, *serverssl = NULL;
11786     int testresult = 0, version;
11787     const SSL_METHOD *servmeth = TLS_server_method();
11788     const SSL_METHOD *clientmeth = TLS_client_method();
11789     size_t written, readbytes;
11790     unsigned char buf[2];
11791     unsigned char dummyheader[SSL3_RT_HEADER_LENGTH] = {
11792         SSL3_RT_APPLICATION_DATA,
11793         TLS1_2_VERSION_MAJOR,
11794         0, /* To be filled in later */
11795         0,
11796         1
11797     };
11798 
11799     if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, 0,
11800                                        0, &sctx, &cctx, cert, privkey)))
11801         goto end;
11802 
11803     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11804                                       &clientssl, NULL, NULL)))
11805         goto end;
11806 
11807     if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
11808             || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
11809         goto end;
11810 
11811     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11812         goto end;
11813 
11814     if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
11815             || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
11816         goto end;
11817 
11818     /* Fill in the correct version for the record header */
11819     version = SSL_version(serverssl);
11820     if (version == TLS1_3_VERSION)
11821         version = TLS1_2_VERSION;
11822     dummyheader[2] = version & 0xff;
11823 
11824     /*
11825      * Send a dummy header. If we continued to read the body as well this
11826      * would fail with a bad record mac, but we're not going to go that far.
11827      */
11828     if (!TEST_true(BIO_write_ex(SSL_get_rbio(serverssl), dummyheader,
11829                                 sizeof(dummyheader), &written))
11830             || !TEST_size_t_eq(written, SSL3_RT_HEADER_LENGTH))
11831         goto end;
11832 
11833     if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)))
11834         goto end;
11835 
11836     if (!TEST_str_eq(SSL_rstate_string(serverssl), "RB")
11837             || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read body"))
11838         goto end;
11839 
11840     testresult = 1;
11841 end:
11842     SSL_free(serverssl);
11843     SSL_free(clientssl);
11844     SSL_CTX_free(sctx);
11845     SSL_CTX_free(cctx);
11846     return testresult;
11847 }
11848 
11849 /*
11850  * Force a write retry during handshaking. We test various combinations of
11851  * scenarios. We test a large certificate message which will fill the buffering
11852  * BIO used in the handshake. We try with client auth on and off. Finally we
11853  * also try a BIO that indicates retry via a 0 return. BIO_write() is documented
11854  * to indicate retry via -1 - but sometimes BIOs don't do that.
11855  *
11856  * Test 0: Standard certificate message
11857  * Test 1: Large certificate message
11858  * Test 2: Standard cert, verify peer
11859  * Test 3: Large cert, verify peer
11860  * Test 4: Standard cert, BIO returns 0 on retry
11861  * Test 5: Large cert, BIO returns 0 on retry
11862  * Test 6: Standard cert, verify peer, BIO returns 0 on retry
11863  * Test 7: Large cert, verify peer, BIO returns 0 on retry
11864  * Test 8-15: Repeat of above with TLSv1.2
11865  */
11866 static int test_handshake_retry(int idx)
11867 {
11868     SSL_CTX *cctx = NULL, *sctx = NULL;
11869     SSL *clientssl = NULL, *serverssl = NULL;
11870     int testresult = 0;
11871     BIO *tmp = NULL, *bretry = BIO_new(bio_s_always_retry());
11872     int maxversion = 0;
11873 
11874     if (!TEST_ptr(bretry))
11875         goto end;
11876 
11877 #ifndef OPENSSL_NO_TLS1_2
11878     if ((idx & 8) == 8)
11879         maxversion = TLS1_2_VERSION;
11880 #else
11881     if ((idx & 8) == 8)
11882         return TEST_skip("No TLSv1.2");
11883 #endif
11884 
11885     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11886                                        TLS_client_method(), 0, maxversion,
11887                                        &sctx, &cctx, cert, privkey)))
11888         goto end;
11889 
11890     /*
11891      * Add a large amount of data to fill the buffering BIO used by the SSL
11892      * object
11893      */
11894     if ((idx & 1) == 1 && !ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
11895         goto end;
11896 
11897     /*
11898      * We don't actually configure a client cert, but neither do we fail if one
11899      * isn't present.
11900      */
11901     if ((idx & 2) == 2)
11902         SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
11903 
11904     if ((idx & 4) == 4)
11905         set_always_retry_err_val(0);
11906 
11907     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11908                                       &clientssl, NULL, NULL)))
11909         goto end;
11910 
11911     tmp = SSL_get_wbio(serverssl);
11912     if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
11913         tmp = NULL;
11914         goto end;
11915     }
11916     SSL_set0_wbio(serverssl, bretry);
11917     bretry = NULL;
11918 
11919     if (!TEST_int_eq(SSL_connect(clientssl), -1))
11920         goto end;
11921 
11922     if (!TEST_int_eq(SSL_accept(serverssl), -1)
11923             || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
11924         goto end;
11925 
11926     /* Restore a BIO that will let the write succeed */
11927     SSL_set0_wbio(serverssl, tmp);
11928     tmp = NULL;
11929 
11930     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11931         goto end;
11932 
11933     testresult = 1;
11934 end:
11935     SSL_free(serverssl);
11936     SSL_free(clientssl);
11937     SSL_CTX_free(sctx);
11938     SSL_CTX_free(cctx);
11939     BIO_free(bretry);
11940     BIO_free(tmp);
11941     set_always_retry_err_val(-1);
11942     return testresult;
11943 }
11944 
11945 /*
11946  * Test that receiving retries when writing application data works as expected
11947  */
11948 static int test_data_retry(void)
11949 {
11950     SSL_CTX *cctx = NULL, *sctx = NULL;
11951     SSL *clientssl = NULL, *serverssl = NULL;
11952     int testresult = 0;
11953     unsigned char inbuf[1200], outbuf[1200];
11954     size_t i;
11955     BIO *tmp = NULL;
11956     BIO *bretry = BIO_new(bio_s_maybe_retry());
11957     size_t written, readbytes, totread = 0;
11958 
11959     if (!TEST_ptr(bretry))
11960         goto end;
11961 
11962     for (i = 0; i < sizeof(inbuf); i++)
11963         inbuf[i] = (unsigned char)(0xff & i);
11964     memset(outbuf, 0, sizeof(outbuf));
11965 
11966     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11967                                        TLS_client_method(), 0, 0, &sctx, &cctx,
11968                                        cert, privkey)))
11969         goto end;
11970 
11971     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
11972                                       NULL)))
11973         goto end;
11974 
11975     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11976         goto end;
11977 
11978     /* Smallest possible max send fragment is 512 */
11979     if (!TEST_true(SSL_set_max_send_fragment(clientssl, 512)))
11980         goto end;
11981 
11982     tmp = SSL_get_wbio(clientssl);
11983     if (!TEST_ptr(tmp))
11984         goto end;
11985     if (!TEST_true(BIO_up_ref(tmp)))
11986         goto end;
11987     BIO_push(bretry, tmp);
11988     tmp = NULL;
11989     SSL_set0_wbio(clientssl, bretry);
11990     if (!BIO_up_ref(bretry)) {
11991         bretry = NULL;
11992         goto end;
11993     }
11994 
11995     for (i = 0; i < 3; i++) {
11996         /* We expect this call to make no progress and indicate retry */
11997         if (!TEST_false(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
11998             goto end;
11999         if (!TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_WRITE))
12000             goto end;
12001 
12002         /* Allow one write to progress, but the next one to signal retry */
12003         if (!TEST_true(BIO_ctrl(bretry, MAYBE_RETRY_CTRL_SET_RETRY_AFTER_CNT, 1,
12004                                 NULL)))
12005             goto end;
12006 
12007         if (i == 2)
12008             break;
12009 
12010         /*
12011          * This call will hopefully make progress but will still indicate retry
12012          * because there is more data than will fit into a single record.
12013          */
12014         if (!TEST_false(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
12015             goto end;
12016         if (!TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_WRITE))
12017             goto end;
12018     }
12019 
12020     /* The final call should write the last chunk of data and succeed */
12021     if (!TEST_true(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
12022         goto end;
12023     /* Read all the data available */
12024     while (SSL_read_ex(serverssl, outbuf + totread, sizeof(outbuf) - totread,
12025                        &readbytes))
12026         totread += readbytes;
12027     if (!TEST_mem_eq(inbuf, sizeof(inbuf), outbuf, totread))
12028         goto end;
12029 
12030     testresult = 1;
12031 end:
12032     SSL_free(serverssl);
12033     SSL_free(clientssl);
12034     SSL_CTX_free(sctx);
12035     SSL_CTX_free(cctx);
12036     BIO_free_all(bretry);
12037     BIO_free(tmp);
12038     return testresult;
12039 }
12040 
12041 struct resume_servername_cb_data {
12042     int i;
12043     SSL_CTX *cctx;
12044     SSL_CTX *sctx;
12045     SSL_SESSION *sess;
12046     int recurse;
12047 };
12048 
12049 /*
12050  * Servername callback. We use it here to run another complete handshake using
12051  * the same session - and mark the session as not_resuamble at the end
12052  */
12053 static int resume_servername_cb(SSL *s, int *ad, void *arg)
12054 {
12055     struct resume_servername_cb_data *cbdata = arg;
12056     SSL *serverssl = NULL, *clientssl = NULL;
12057     int ret = SSL_TLSEXT_ERR_ALERT_FATAL;
12058 
12059     if (cbdata->recurse)
12060         return SSL_TLSEXT_ERR_ALERT_FATAL;
12061 
12062     if ((cbdata->i % 3) != 1)
12063         return SSL_TLSEXT_ERR_OK;
12064 
12065     cbdata->recurse = 1;
12066 
12067     if (!TEST_true(create_ssl_objects(cbdata->sctx, cbdata->cctx, &serverssl,
12068                                       &clientssl, NULL, NULL))
12069             || !TEST_true(SSL_set_session(clientssl, cbdata->sess)))
12070         goto end;
12071 
12072     ERR_set_mark();
12073     /*
12074      * We expect this to fail - because the servername cb will fail. This will
12075      * mark the session as not_resumable.
12076      */
12077     if (!TEST_false(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) {
12078         ERR_clear_last_mark();
12079         goto end;
12080     }
12081     ERR_pop_to_mark();
12082 
12083     ret = SSL_TLSEXT_ERR_OK;
12084  end:
12085     SSL_free(serverssl);
12086     SSL_free(clientssl);
12087     cbdata->recurse = 0;
12088     return ret;
12089 }
12090 /*
12091  * Test multiple resumptions and cache size handling
12092  * Test 0: TLSv1.3 (max_early_data set)
12093  * Test 1: TLSv1.3 (SSL_OP_NO_TICKET set)
12094  * Test 2: TLSv1.3 (max_early_data and SSL_OP_NO_TICKET set)
12095  * Test 3: TLSv1.3 (SSL_OP_NO_TICKET, simultaneous resumes)
12096  * Test 4: TLSv1.2
12097  */
12098 static int test_multi_resume(int idx)
12099 {
12100     SSL_CTX *sctx = NULL, *cctx = NULL;
12101     SSL *serverssl = NULL, *clientssl = NULL;
12102     SSL_SESSION *sess = NULL;
12103     int max_version = TLS1_3_VERSION;
12104     int i, testresult = 0;
12105     struct resume_servername_cb_data cbdata;
12106 
12107 #if defined(OPENSSL_NO_TLS1_2)
12108     if (idx == 4)
12109         return TEST_skip("TLSv1.2 is disabled in this build");
12110 #else
12111     if (idx == 4)
12112         max_version = TLS1_2_VERSION;
12113 #endif
12114 #if defined(OSSL_NO_USABLE_TLS1_3)
12115     if (idx != 4)
12116         return TEST_skip("No usable TLSv1.3 in this build");
12117 #endif
12118 
12119     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
12120                                        TLS_client_method(), TLS1_VERSION,
12121                                        max_version, &sctx, &cctx, cert,
12122                                        privkey)))
12123         goto end;
12124 
12125     /*
12126      * TLSv1.3 only uses a session cache if either max_early_data > 0 (used for
12127      * replay protection), or if SSL_OP_NO_TICKET is in use
12128      */
12129     if (idx == 0 || idx == 2)  {
12130         if (!TEST_true(SSL_CTX_set_max_early_data(sctx, 1024)))
12131             goto end;
12132     }
12133     if (idx == 1 || idx == 2 || idx == 3)
12134         SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
12135 
12136     SSL_CTX_sess_set_cache_size(sctx, 5);
12137 
12138     if (idx == 3) {
12139         SSL_CTX_set_tlsext_servername_callback(sctx, resume_servername_cb);
12140         SSL_CTX_set_tlsext_servername_arg(sctx, &cbdata);
12141         cbdata.cctx = cctx;
12142         cbdata.sctx = sctx;
12143         cbdata.recurse = 0;
12144     }
12145 
12146     for (i = 0; i < 30; i++) {
12147         if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
12148                                                 NULL, NULL))
12149                 || !TEST_true(SSL_set_session(clientssl, sess)))
12150             goto end;
12151 
12152         /*
12153          * Check simultaneous resumes. We pause the connection part way through
12154          * the handshake by (mis)using the servername_cb. The pause occurs after
12155          * session resumption has already occurred, but before any session
12156          * tickets have been issued. While paused we run another complete
12157          * handshake resuming the same session.
12158          */
12159         if (idx == 3) {
12160             cbdata.i = i;
12161             cbdata.sess = sess;
12162         }
12163 
12164         /*
12165          * Recreate a bug where dynamically changing the max_early_data value
12166          * can cause sessions in the session cache which cannot be deleted.
12167          */
12168         if ((idx == 0 || idx == 2) && (i % 3) == 2)
12169             SSL_set_max_early_data(serverssl, 0);
12170 
12171         if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
12172             goto end;
12173 
12174         if (sess == NULL || (idx == 0 && (i % 3) == 2)) {
12175             if (!TEST_false(SSL_session_reused(clientssl)))
12176                 goto end;
12177         } else {
12178             if (!TEST_true(SSL_session_reused(clientssl)))
12179                 goto end;
12180         }
12181         SSL_SESSION_free(sess);
12182 
12183         /* Do a full handshake, followed by two resumptions */
12184         if ((i % 3) == 2) {
12185             sess = NULL;
12186         } else {
12187             if (!TEST_ptr((sess = SSL_get1_session(clientssl))))
12188                 goto end;
12189         }
12190 
12191         SSL_shutdown(clientssl);
12192         SSL_shutdown(serverssl);
12193         SSL_free(serverssl);
12194         SSL_free(clientssl);
12195         serverssl = clientssl = NULL;
12196     }
12197 
12198     /* We should never exceed the session cache size limit */
12199     if (!TEST_long_le(SSL_CTX_sess_number(sctx), 5))
12200         goto end;
12201 
12202     testresult = 1;
12203  end:
12204     SSL_free(serverssl);
12205     SSL_free(clientssl);
12206     SSL_CTX_free(sctx);
12207     SSL_CTX_free(cctx);
12208     SSL_SESSION_free(sess);
12209     return testresult;
12210 }
12211 
12212 static struct next_proto_st {
12213     int serverlen;
12214     unsigned char server[40];
12215     int clientlen;
12216     unsigned char client[40];
12217     int expected_ret;
12218     size_t selectedlen;
12219     unsigned char selected[40];
12220 } next_proto_tests[] = {
12221     {
12222         4, { 3, 'a', 'b', 'c' },
12223         4, { 3, 'a', 'b', 'c' },
12224         OPENSSL_NPN_NEGOTIATED,
12225         3, { 'a', 'b', 'c' }
12226     },
12227     {
12228         7, { 3, 'a', 'b', 'c', 2, 'a', 'b' },
12229         4, { 3, 'a', 'b', 'c' },
12230         OPENSSL_NPN_NEGOTIATED,
12231         3, { 'a', 'b', 'c' }
12232     },
12233     {
12234         7, { 2, 'a', 'b', 3, 'a', 'b', 'c', },
12235         4, { 3, 'a', 'b', 'c' },
12236         OPENSSL_NPN_NEGOTIATED,
12237         3, { 'a', 'b', 'c' }
12238     },
12239     {
12240         4, { 3, 'a', 'b', 'c' },
12241         7, { 3, 'a', 'b', 'c', 2, 'a', 'b', },
12242         OPENSSL_NPN_NEGOTIATED,
12243         3, { 'a', 'b', 'c' }
12244     },
12245     {
12246         4, { 3, 'a', 'b', 'c' },
12247         7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
12248         OPENSSL_NPN_NEGOTIATED,
12249         3, { 'a', 'b', 'c' }
12250     },
12251     {
12252         7, { 2, 'b', 'c', 3, 'a', 'b', 'c' },
12253         7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
12254         OPENSSL_NPN_NEGOTIATED,
12255         3, { 'a', 'b', 'c' }
12256     },
12257     {
12258         10, { 2, 'b', 'c', 3, 'a', 'b', 'c', 2, 'a', 'b' },
12259         7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
12260         OPENSSL_NPN_NEGOTIATED,
12261         3, { 'a', 'b', 'c' }
12262     },
12263     {
12264         4, { 3, 'b', 'c', 'd' },
12265         4, { 3, 'a', 'b', 'c' },
12266         OPENSSL_NPN_NO_OVERLAP,
12267         3, { 'a', 'b', 'c' }
12268     },
12269     {
12270         0, { 0 },
12271         4, { 3, 'a', 'b', 'c' },
12272         OPENSSL_NPN_NO_OVERLAP,
12273         3, { 'a', 'b', 'c' }
12274     },
12275     {
12276         -1, { 0 },
12277         4, { 3, 'a', 'b', 'c' },
12278         OPENSSL_NPN_NO_OVERLAP,
12279         3, { 'a', 'b', 'c' }
12280     },
12281     {
12282         4, { 3, 'a', 'b', 'c' },
12283         0, { 0 },
12284         OPENSSL_NPN_NO_OVERLAP,
12285         0, { 0 }
12286     },
12287     {
12288         4, { 3, 'a', 'b', 'c' },
12289         -1, { 0 },
12290         OPENSSL_NPN_NO_OVERLAP,
12291         0, { 0 }
12292     },
12293     {
12294         3, { 3, 'a', 'b', 'c' },
12295         4, { 3, 'a', 'b', 'c' },
12296         OPENSSL_NPN_NO_OVERLAP,
12297         3, { 'a', 'b', 'c' }
12298     },
12299     {
12300         4, { 3, 'a', 'b', 'c' },
12301         3, { 3, 'a', 'b', 'c' },
12302         OPENSSL_NPN_NO_OVERLAP,
12303         0, { 0 }
12304     }
12305 };
12306 
12307 static int test_select_next_proto(int idx)
12308 {
12309     struct next_proto_st *np = &next_proto_tests[idx];
12310     int ret = 0;
12311     unsigned char *out, *client, *server;
12312     unsigned char outlen;
12313     unsigned int clientlen, serverlen;
12314 
12315     if (np->clientlen == -1) {
12316         client = NULL;
12317         clientlen = 0;
12318     } else {
12319         client = np->client;
12320         clientlen = (unsigned int)np->clientlen;
12321     }
12322     if (np->serverlen == -1) {
12323         server = NULL;
12324         serverlen = 0;
12325     } else {
12326         server = np->server;
12327         serverlen = (unsigned int)np->serverlen;
12328     }
12329 
12330     if (!TEST_int_eq(SSL_select_next_proto(&out, &outlen, server, serverlen,
12331                                            client, clientlen),
12332                      np->expected_ret))
12333         goto err;
12334 
12335     if (np->selectedlen == 0) {
12336         if (!TEST_ptr_null(out) || !TEST_uchar_eq(outlen, 0))
12337             goto err;
12338     } else {
12339         if (!TEST_mem_eq(out, outlen, np->selected, np->selectedlen))
12340             goto err;
12341     }
12342 
12343     ret = 1;
12344  err:
12345     return ret;
12346 }
12347 
12348 static const unsigned char fooprot[] = {3, 'f', 'o', 'o' };
12349 static const unsigned char barprot[] = {3, 'b', 'a', 'r' };
12350 
12351 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
12352 static int npn_advert_cb(SSL *ssl, const unsigned char **out,
12353                          unsigned int *outlen, void *arg)
12354 {
12355     int *idx = (int *)arg;
12356 
12357     switch (*idx) {
12358     default:
12359     case 0:
12360         *out = fooprot;
12361         *outlen = sizeof(fooprot);
12362         return SSL_TLSEXT_ERR_OK;
12363 
12364     case 1:
12365         *out = NULL;
12366         *outlen = 0;
12367         return SSL_TLSEXT_ERR_OK;
12368 
12369     case 2:
12370         return SSL_TLSEXT_ERR_NOACK;
12371     }
12372 }
12373 
12374 static int npn_select_cb(SSL *s, unsigned char **out, unsigned char *outlen,
12375                          const unsigned char *in, unsigned int inlen, void *arg)
12376 {
12377     int *idx = (int *)arg;
12378 
12379     switch (*idx) {
12380     case 0:
12381     case 1:
12382         *out = (unsigned char *)(fooprot + 1);
12383         *outlen = *fooprot;
12384         return SSL_TLSEXT_ERR_OK;
12385 
12386     case 3:
12387         *out = (unsigned char *)(barprot + 1);
12388         *outlen = *barprot;
12389         return SSL_TLSEXT_ERR_OK;
12390 
12391     case 4:
12392         *outlen = 0;
12393         return SSL_TLSEXT_ERR_OK;
12394 
12395     default:
12396     case 2:
12397         return SSL_TLSEXT_ERR_ALERT_FATAL;
12398     }
12399 }
12400 
12401 /*
12402  * Test the NPN callbacks
12403  * Test 0: advert = foo, select = foo
12404  * Test 1: advert = <empty>, select = foo
12405  * Test 2: no advert
12406  * Test 3: advert = foo, select = bar
12407  * Test 4: advert = foo, select = <empty> (should fail)
12408  */
12409 static int test_npn(int idx)
12410 {
12411     SSL_CTX *sctx = NULL, *cctx = NULL;
12412     SSL *serverssl = NULL, *clientssl = NULL;
12413     int testresult = 0;
12414 
12415     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
12416                                        TLS_client_method(), 0, TLS1_2_VERSION,
12417                                        &sctx, &cctx, cert, privkey)))
12418         goto end;
12419 
12420     SSL_CTX_set_next_protos_advertised_cb(sctx, npn_advert_cb, &idx);
12421     SSL_CTX_set_next_proto_select_cb(cctx, npn_select_cb, &idx);
12422 
12423     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
12424                                       NULL)))
12425         goto end;
12426 
12427     if (idx == 4) {
12428         /* We don't allow empty selection of NPN, so this should fail */
12429         if (!TEST_false(create_ssl_connection(serverssl, clientssl,
12430                                               SSL_ERROR_NONE)))
12431             goto end;
12432     } else {
12433         const unsigned char *prot;
12434         unsigned int protlen;
12435 
12436         if (!TEST_true(create_ssl_connection(serverssl, clientssl,
12437                                              SSL_ERROR_NONE)))
12438             goto end;
12439 
12440         SSL_get0_next_proto_negotiated(serverssl, &prot, &protlen);
12441         switch (idx) {
12442         case 0:
12443         case 1:
12444             if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
12445                 goto end;
12446             break;
12447         case 2:
12448             if (!TEST_uint_eq(protlen, 0))
12449                 goto end;
12450             break;
12451         case 3:
12452             if (!TEST_mem_eq(prot, protlen, barprot + 1, *barprot))
12453                 goto end;
12454             break;
12455         default:
12456             TEST_error("Should not get here");
12457             goto end;
12458         }
12459     }
12460 
12461     testresult = 1;
12462  end:
12463     SSL_free(serverssl);
12464     SSL_free(clientssl);
12465     SSL_CTX_free(sctx);
12466     SSL_CTX_free(cctx);
12467 
12468     return testresult;
12469 }
12470 #endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) */
12471 
12472 static int alpn_select_cb2(SSL *ssl, const unsigned char **out,
12473                            unsigned char *outlen, const unsigned char *in,
12474                            unsigned int inlen, void *arg)
12475 {
12476     int *idx = (int *)arg;
12477 
12478     switch (*idx) {
12479     case 0:
12480         *out = (unsigned char *)(fooprot + 1);
12481         *outlen = *fooprot;
12482         return SSL_TLSEXT_ERR_OK;
12483 
12484     case 2:
12485         *out = (unsigned char *)(barprot + 1);
12486         *outlen = *barprot;
12487         return SSL_TLSEXT_ERR_OK;
12488 
12489     case 3:
12490         *outlen = 0;
12491         return SSL_TLSEXT_ERR_OK;
12492 
12493     default:
12494     case 1:
12495         return SSL_TLSEXT_ERR_ALERT_FATAL;
12496     }
12497     return 0;
12498 }
12499 
12500 /*
12501  * Test the ALPN callbacks
12502  * Test 0: client = foo, select = foo
12503  * Test 1: client = <empty>, select = none
12504  * Test 2: client = foo, select = bar (should fail)
12505  * Test 3: client = foo, select = <empty> (should fail)
12506  */
12507 static int test_alpn(int idx)
12508 {
12509     SSL_CTX *sctx = NULL, *cctx = NULL;
12510     SSL *serverssl = NULL, *clientssl = NULL;
12511     int testresult = 0;
12512     const unsigned char *prots = fooprot;
12513     unsigned int protslen = sizeof(fooprot);
12514 
12515     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
12516                                        TLS_client_method(), 0, 0,
12517                                        &sctx, &cctx, cert, privkey)))
12518         goto end;
12519 
12520     SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb2, &idx);
12521 
12522     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
12523                                       NULL)))
12524         goto end;
12525 
12526     if (idx == 1) {
12527         prots = NULL;
12528         protslen = 0;
12529     }
12530 
12531     /* SSL_set_alpn_protos returns 0 for success! */
12532     if (!TEST_false(SSL_set_alpn_protos(clientssl, prots, protslen)))
12533         goto end;
12534 
12535     if (idx == 2 || idx == 3) {
12536         /* We don't allow empty selection of NPN, so this should fail */
12537         if (!TEST_false(create_ssl_connection(serverssl, clientssl,
12538                                               SSL_ERROR_NONE)))
12539             goto end;
12540     } else {
12541         const unsigned char *prot;
12542         unsigned int protlen;
12543 
12544         if (!TEST_true(create_ssl_connection(serverssl, clientssl,
12545                                              SSL_ERROR_NONE)))
12546             goto end;
12547 
12548         SSL_get0_alpn_selected(clientssl, &prot, &protlen);
12549         switch (idx) {
12550         case 0:
12551             if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
12552                 goto end;
12553             break;
12554         case 1:
12555             if (!TEST_uint_eq(protlen, 0))
12556                 goto end;
12557             break;
12558         default:
12559             TEST_error("Should not get here");
12560             goto end;
12561         }
12562     }
12563 
12564     testresult = 1;
12565  end:
12566     SSL_free(serverssl);
12567     SSL_free(clientssl);
12568     SSL_CTX_free(sctx);
12569     SSL_CTX_free(cctx);
12570 
12571     return testresult;
12572 }
12573 
12574 #if !defined(OSSL_NO_USABLE_TLS1_3)
12575 struct quic_tls_test_data {
12576     struct quic_tls_test_data *peer;
12577     uint32_t renc_level;
12578     uint32_t wenc_level;
12579     unsigned char rcd_data[4][2048];
12580     size_t rcd_data_len[4];
12581     unsigned char rsecret[3][48];
12582     size_t rsecret_len[3];
12583     unsigned char wsecret[3][48];
12584     size_t wsecret_len[3];
12585     unsigned char params[3];
12586     size_t params_len;
12587     int alert;
12588     int err;
12589     int forcefail;
12590     int sm_count;
12591 };
12592 
12593 static int clientquicdata = 0xff, serverquicdata = 0xfe;
12594 
12595 static int check_app_data(SSL *s)
12596 {
12597     int *data, *comparedata;
12598 
12599     /* Check app data works */
12600     data = (int *)SSL_get_app_data(s);
12601     comparedata = SSL_is_server(s) ? &serverquicdata : &clientquicdata;
12602 
12603     if (!TEST_true(comparedata == data))
12604         return 0;
12605 
12606     return 1;
12607 }
12608 
12609 static int crypto_send_cb(SSL *s, const unsigned char *buf, size_t buf_len,
12610                           size_t *consumed, void *arg)
12611 {
12612     struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;
12613     struct quic_tls_test_data *peer = data->peer;
12614     size_t max_len = sizeof(peer->rcd_data[data->wenc_level])
12615                      - peer->rcd_data_len[data->wenc_level];
12616 
12617     if (!check_app_data(s)) {
12618         data->err = 1;
12619         return 0;
12620     }
12621 
12622     if (buf_len > max_len)
12623         buf_len = max_len;
12624 
12625     if (buf_len == 0) {
12626         *consumed = 0;
12627         return 1;
12628     }
12629 
12630     memcpy(peer->rcd_data[data->wenc_level]
12631            + peer->rcd_data_len[data->wenc_level], buf, buf_len);
12632     peer->rcd_data_len[data->wenc_level] += buf_len;
12633 
12634     *consumed = buf_len;
12635     return 1;
12636 }
12637 static int crypto_recv_rcd_cb(SSL *s, const unsigned char **buf,
12638                               size_t *bytes_read, void *arg)
12639 {
12640     struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;
12641 
12642     if (!check_app_data(s)) {
12643         data->err = 1;
12644         return 0;
12645     }
12646 
12647     *bytes_read = data->rcd_data_len[data->renc_level];
12648     *buf = data->rcd_data[data->renc_level];
12649     return 1;
12650 }
12651 
12652 static int crypto_release_rcd_cb(SSL *s, size_t bytes_read, void *arg)
12653 {
12654     struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;
12655 
12656     if (!check_app_data(s)) {
12657         data->err = 1;
12658         return 0;
12659     }
12660 
12661     /* See if we need to force a failure in this callback */
12662     if (data->forcefail) {
12663         data->forcefail = 0;
12664         data->err = 1;
12665         return 0;
12666     }
12667 
12668     if (!TEST_size_t_eq(bytes_read, data->rcd_data_len[data->renc_level])
12669             || !TEST_size_t_gt(bytes_read, 0)) {
12670         data->err = 1;
12671         return 0;
12672     }
12673     data->rcd_data_len[data->renc_level] = 0;
12674 
12675     return 1;
12676 }
12677 
12678 struct secret_yield_entry {
12679     uint8_t recorded;
12680     int prot_level;
12681     int direction;
12682     int sm_generation;
12683     SSL *ssl;
12684 };
12685 
12686 static struct secret_yield_entry secret_history[16];
12687 static int secret_history_idx = 0;
12688 /*
12689  * Note, this enum needs to match the direction values passed
12690  * to yield_secret_cb
12691  */
12692 typedef enum {
12693     LAST_DIR_READ = 0,
12694     LAST_DIR_WRITE = 1,
12695     LAST_DIR_UNSET = 2
12696 } last_dir_history_state;
12697 
12698 static int check_secret_history(SSL *s)
12699 {
12700     int i;
12701     int ret = 0;
12702     last_dir_history_state last_state = LAST_DIR_UNSET;
12703     int last_prot_level = 0;
12704     int last_generation = 0;
12705 
12706     TEST_info("Checking history for %p\n", (void *)s);
12707     for (i = 0; secret_history[i].recorded == 1; i++) {
12708         if (secret_history[i].ssl != s)
12709             continue;
12710         TEST_info("Got %s(%d) secret for level %d, last level %d, last state %d, gen %d\n",
12711                   secret_history[i].direction == 1 ? "Write" : "Read", secret_history[i].direction,
12712                   secret_history[i].prot_level, last_prot_level, last_state,
12713                   secret_history[i].sm_generation);
12714 
12715         if (last_state == LAST_DIR_UNSET) {
12716             last_prot_level = secret_history[i].prot_level;
12717             last_state = secret_history[i].direction;
12718             last_generation = secret_history[i].sm_generation;
12719             continue;
12720         }
12721 
12722         switch(secret_history[i].direction) {
12723         case 1:
12724             /*
12725              * write case
12726              * NOTE: There is an odd corner case here.  It may occur that
12727              * in a single iteration of the state machine, the read key is yielded
12728              * prior to the write key for the same level.  This is undesireable
12729              * for quic, but it is ok, as the general implementation of every 3rd
12730              * party quic stack while prefering write keys before read, allows
12731              * for read before write if both keys are yielded in the same call
12732              * to SSL_do_handshake, as the tls adaptation code for that quic stack
12733              * can then cache keys until both are available, so we allow read before
12734              * write here iff they occur in the same iteration of SSL_do_handshake
12735              * as represented by the recorded sm_generation value.
12736              */
12737             if (last_prot_level == secret_history[i].prot_level
12738                 && last_state == LAST_DIR_READ) {
12739                 if (last_generation == secret_history[i].sm_generation) {
12740                     TEST_info("Read before write key in same SSL state machine iteration is ok");
12741                 } else {
12742                     TEST_error("Got read key before write key");
12743                     goto end;
12744                 }
12745             }
12746             /* FALLTHROUGH */
12747         case 0:
12748             /*
12749              * Read case
12750              */
12751             break;
12752         default:
12753             TEST_error("Unknown direction");
12754             goto end;
12755         }
12756         last_prot_level = secret_history[i].prot_level;
12757         last_state = secret_history[i].direction;
12758         last_generation = secret_history[i].sm_generation;
12759     }
12760 
12761     ret = 1;
12762 end:
12763     return ret;
12764 }
12765 
12766 static int yield_secret_cb(SSL *s, uint32_t prot_level, int direction,
12767                            const unsigned char *secret, size_t secret_len,
12768                            void *arg)
12769 {
12770     struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;
12771 
12772     if (!check_app_data(s))
12773         goto err;
12774 
12775     if (prot_level < OSSL_RECORD_PROTECTION_LEVEL_EARLY
12776             || prot_level > OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
12777         goto err;
12778 
12779     switch (direction) {
12780     case 0: /* read */
12781         if (!TEST_size_t_le(secret_len, sizeof(data->rsecret)))
12782             goto err;
12783         data->renc_level = prot_level;
12784         memcpy(data->rsecret[prot_level - 1], secret, secret_len);
12785         data->rsecret_len[prot_level - 1] = secret_len;
12786         break;
12787 
12788     case 1: /* write */
12789         if (!TEST_size_t_le(secret_len, sizeof(data->wsecret)))
12790             goto err;
12791         data->wenc_level = prot_level;
12792         memcpy(data->wsecret[prot_level - 1], secret, secret_len);
12793         data->wsecret_len[prot_level - 1] = secret_len;
12794         break;
12795 
12796     default:
12797         goto err;
12798     }
12799 
12800     secret_history[secret_history_idx].direction = direction;
12801     secret_history[secret_history_idx].prot_level = (int)prot_level;
12802     secret_history[secret_history_idx].recorded = 1;
12803     secret_history[secret_history_idx].ssl = s;
12804     secret_history[secret_history_idx].sm_generation = data->sm_count;
12805     secret_history_idx++;
12806     return 1;
12807  err:
12808     data->err = 1;
12809     return 0;
12810 }
12811 
12812 static int yield_secret_cb_fail(SSL *s, uint32_t prot_level, int direction,
12813                                 const unsigned char *secret, size_t secret_len,
12814                                 void *arg)
12815 {
12816     (void)s;
12817     (void)prot_level;
12818     (void)direction;
12819     (void)secret;
12820     (void)secret_len;
12821     (void)arg;
12822     /*
12823      * This callback is to test double free in quic tls
12824      */
12825     return 0;
12826 }
12827 
12828 static int got_transport_params_cb(SSL *s, const unsigned char *params,
12829                                    size_t params_len,
12830                                    void *arg)
12831 {
12832     struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;
12833 
12834     if (!check_app_data(s)) {
12835         data->err = 1;
12836         return 0;
12837     }
12838 
12839     if (!TEST_size_t_le(params_len, sizeof(data->params))) {
12840         data->err = 1;
12841         return 0;
12842     }
12843 
12844     memcpy(data->params, params, params_len);
12845     data->params_len = params_len;
12846 
12847     return 1;
12848 }
12849 
12850 static int alert_cb(SSL *s, unsigned char alert_code, void *arg)
12851 {
12852     struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;
12853 
12854     if (!check_app_data(s)) {
12855         data->err = 1;
12856         return 0;
12857     }
12858 
12859     data->alert = 1;
12860     return 1;
12861 }
12862 
12863 /*
12864  * Test the QUIC TLS API
12865  * Test 0: Normal run
12866  * Test 1: Force a failure
12867  * Test 3: Use a CCM based ciphersuite
12868  * Test 4: fail yield_secret_cb to see double free
12869  * Test 5: Normal run with SNI
12870  */
12871 static int test_quic_tls(int idx)
12872 {
12873     SSL_CTX *sctx = NULL, *sctx2 = NULL, *cctx = NULL;
12874     SSL *serverssl = NULL, *clientssl = NULL;
12875     int testresult = 0;
12876     OSSL_DISPATCH qtdis[] = {
12877         {OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_SEND, (void (*)(void))crypto_send_cb},
12878         {OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RECV_RCD,
12879          (void (*)(void))crypto_recv_rcd_cb},
12880         {OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RELEASE_RCD,
12881          (void (*)(void))crypto_release_rcd_cb},
12882         {OSSL_FUNC_SSL_QUIC_TLS_YIELD_SECRET,
12883          (void (*)(void))yield_secret_cb},
12884         {OSSL_FUNC_SSL_QUIC_TLS_GOT_TRANSPORT_PARAMS,
12885          (void (*)(void))got_transport_params_cb},
12886         {OSSL_FUNC_SSL_QUIC_TLS_ALERT, (void (*)(void))alert_cb},
12887         {0, NULL}
12888     };
12889     struct quic_tls_test_data sdata, cdata;
12890     const unsigned char cparams[] = {
12891         0xff, 0x01, 0x00
12892     };
12893     const unsigned char sparams[] = {
12894         0xfe, 0x01, 0x00
12895     };
12896     int i;
12897 
12898     if (idx == 4)
12899         qtdis[3].function = (void (*)(void))yield_secret_cb_fail;
12900 
12901     snicb = 0;
12902     memset(secret_history, 0, sizeof(secret_history));
12903     secret_history_idx = 0;
12904     memset(&sdata, 0, sizeof(sdata));
12905     memset(&cdata, 0, sizeof(cdata));
12906     sdata.peer = &cdata;
12907     cdata.peer = &sdata;
12908     if (idx == 1)
12909         sdata.forcefail = 1;
12910 
12911     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
12912                                        TLS_client_method(), TLS1_3_VERSION, 0,
12913                                        &sctx, &cctx, cert, privkey)))
12914         goto end;
12915 
12916     if (idx == 5) {
12917         if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
12918                                            TLS1_3_VERSION, 0,
12919                                            &sctx2, NULL, cert, privkey)))
12920             goto end;
12921 
12922         /* Set up SNI */
12923         if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
12924                 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
12925             goto end;
12926     }
12927 
12928     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
12929                                       NULL)))
12930         goto end;
12931 
12932     /* Reset the BIOs we set in create_ssl_objects. We should not need them */
12933     SSL_set_bio(serverssl, NULL, NULL);
12934     SSL_set_bio(clientssl, NULL, NULL);
12935 
12936     if (idx == 2) {
12937         if (!TEST_true(SSL_set_ciphersuites(serverssl, "TLS_AES_128_CCM_SHA256"))
12938                 || !TEST_true(SSL_set_ciphersuites(clientssl, "TLS_AES_128_CCM_SHA256")))
12939             goto end;
12940     }
12941 
12942     if (!TEST_true(SSL_set_app_data(clientssl, &clientquicdata))
12943             || !TEST_true(SSL_set_app_data(serverssl, &serverquicdata)))
12944         goto end;
12945 
12946     if (!TEST_true(SSL_set_quic_tls_cbs(clientssl, qtdis, &cdata))
12947             || !TEST_true(SSL_set_quic_tls_cbs(serverssl, qtdis, &sdata))
12948             || !TEST_true(SSL_set_quic_tls_transport_params(clientssl, cparams,
12949                                                             sizeof(cparams)))
12950             || !TEST_true(SSL_set_quic_tls_transport_params(serverssl, sparams,
12951                                                             sizeof(sparams))))
12952         goto end;
12953 
12954     if (idx != 1 && idx != 4) {
12955         if (!TEST_true(create_ssl_connection_ex(serverssl, clientssl, SSL_ERROR_NONE,
12956                                                 &cdata.sm_count, &sdata.sm_count)))
12957             goto end;
12958     } else {
12959         /* We expect this connection to fail */
12960         if (!TEST_false(create_ssl_connection_ex(serverssl, clientssl, SSL_ERROR_NONE,
12961                                                  &cdata.sm_count, &sdata.sm_count)))
12962             goto end;
12963         testresult = 1;
12964         sdata.err = 0;
12965         goto end;
12966     }
12967 
12968     /* We should have had the SNI callback called exactly once */
12969     if (idx == 5) {
12970         if (!TEST_int_eq(snicb, 1))
12971             goto end;
12972     }
12973 
12974     /* Check no problems during the handshake */
12975     if (!TEST_false(sdata.alert)
12976             || !TEST_false(cdata.alert)
12977             || !TEST_false(sdata.err)
12978             || !TEST_false(cdata.err))
12979         goto end;
12980 
12981     /* Check the secrets all match */
12982     for (i = OSSL_RECORD_PROTECTION_LEVEL_EARLY - 1;
12983          i < OSSL_RECORD_PROTECTION_LEVEL_APPLICATION;
12984          i++) {
12985         if (!TEST_mem_eq(sdata.wsecret[i], sdata.wsecret_len[i],
12986                          cdata.rsecret[i], cdata.rsecret_len[i]))
12987             goto end;
12988     }
12989 
12990     /*
12991      * Check that our secret history yields write secrets before read secrets
12992      */
12993     if (!TEST_int_eq(check_secret_history(serverssl), 1))
12994         goto end;
12995     if (!TEST_int_eq(check_secret_history(clientssl), 1))
12996         goto end;
12997 
12998     /* Check the transport params */
12999     if (!TEST_mem_eq(sdata.params, sdata.params_len, cparams, sizeof(cparams))
13000             || !TEST_mem_eq(cdata.params, cdata.params_len, sparams,
13001                             sizeof(sparams)))
13002         goto end;
13003 
13004     /* Check the encryption levels are what we expect them to be */
13005     if (!TEST_true(sdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
13006             || !TEST_true(sdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
13007             || !TEST_true(cdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
13008             || !TEST_true(cdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION))
13009         goto end;
13010 
13011     testresult = 1;
13012  end:
13013     SSL_free(serverssl);
13014     SSL_free(clientssl);
13015     SSL_CTX_free(sctx2);
13016     SSL_CTX_free(sctx);
13017     SSL_CTX_free(cctx);
13018 
13019     /* Check that we didn't suddenly hit an unexpected failure during cleanup */
13020     if (!TEST_false(sdata.err) || !TEST_false(cdata.err))
13021         testresult = 0;
13022 
13023     return testresult;
13024 }
13025 
13026 static void assert_no_end_of_early_data(int write_p, int version, int content_type,
13027                                         const void *buf, size_t msglen, SSL *ssl, void *arg)
13028 {
13029     const unsigned char *msg = buf;
13030 
13031     if (content_type == SSL3_RT_HANDSHAKE && msg[0] == SSL3_MT_END_OF_EARLY_DATA)
13032         end_of_early_data = 1;
13033 }
13034 
13035 static int test_quic_tls_early_data(void)
13036 {
13037     SSL_CTX *sctx = NULL, *cctx = NULL;
13038     SSL *serverssl = NULL, *clientssl = NULL;
13039     int testresult = 0;
13040     SSL_SESSION *sess = NULL;
13041     const OSSL_DISPATCH qtdis[] = {
13042         {OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_SEND, (void (*)(void))crypto_send_cb},
13043         {OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RECV_RCD,
13044          (void (*)(void))crypto_recv_rcd_cb},
13045         {OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RELEASE_RCD,
13046          (void (*)(void))crypto_release_rcd_cb},
13047         {OSSL_FUNC_SSL_QUIC_TLS_YIELD_SECRET,
13048          (void (*)(void))yield_secret_cb},
13049         {OSSL_FUNC_SSL_QUIC_TLS_GOT_TRANSPORT_PARAMS,
13050          (void (*)(void))got_transport_params_cb},
13051         {OSSL_FUNC_SSL_QUIC_TLS_ALERT, (void (*)(void))alert_cb},
13052         {0, NULL}
13053     };
13054     struct quic_tls_test_data sdata, cdata;
13055     const unsigned char cparams[] = {
13056         0xff, 0x01, 0x00
13057     };
13058     const unsigned char sparams[] = {
13059         0xfe, 0x01, 0x00
13060     };
13061     int i;
13062 
13063     memset(secret_history, 0, sizeof(secret_history));
13064     secret_history_idx = 0;
13065     memset(&sdata, 0, sizeof(sdata));
13066     memset(&cdata, 0, sizeof(cdata));
13067     sdata.peer = &cdata;
13068     cdata.peer = &sdata;
13069     end_of_early_data = 0;
13070 
13071     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
13072                                        TLS_client_method(), TLS1_3_VERSION, 0,
13073                                        &sctx, &cctx, cert, privkey)))
13074         goto end;
13075 
13076     SSL_CTX_set_max_early_data(sctx, 0xffffffff);
13077     SSL_CTX_set_max_early_data(cctx, 0xffffffff);
13078 
13079     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
13080                                       NULL)))
13081         goto end;
13082 
13083     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
13084         goto end;
13085 
13086     sess = SSL_get1_session(clientssl);
13087     SSL_shutdown(clientssl);
13088     SSL_shutdown(serverssl);
13089     SSL_free(serverssl);
13090     SSL_free(clientssl);
13091     serverssl = clientssl = NULL;
13092 
13093     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
13094                                       &clientssl, NULL, NULL))
13095             || !TEST_true(SSL_set_session(clientssl, sess)))
13096         goto end;
13097 
13098     /* Reset the BIOs we set in create_ssl_objects. We should not need them */
13099     SSL_set_bio(serverssl, NULL, NULL);
13100     SSL_set_bio(clientssl, NULL, NULL);
13101 
13102     if (!TEST_true(SSL_set_app_data(clientssl, &clientquicdata))
13103         || !TEST_true(SSL_set_app_data(serverssl, &serverquicdata)))
13104         goto end;
13105 
13106     if (!TEST_true(SSL_set_quic_tls_cbs(clientssl, qtdis, &cdata))
13107             || !TEST_true(SSL_set_quic_tls_cbs(serverssl, qtdis, &sdata))
13108             || !TEST_true(SSL_set_quic_tls_transport_params(clientssl, cparams,
13109                                                             sizeof(cparams)))
13110             || !TEST_true(SSL_set_quic_tls_transport_params(serverssl, sparams,
13111                                                             sizeof(sparams))))
13112         goto end;
13113 
13114     /*
13115      * Reset our secret history so we get the record of the second connection
13116      */
13117     memset(secret_history, 0, sizeof(secret_history));
13118     secret_history_idx = 0;
13119 
13120     SSL_set_quic_tls_early_data_enabled(serverssl, 1);
13121     SSL_set_quic_tls_early_data_enabled(clientssl, 1);
13122 
13123     SSL_set_msg_callback(serverssl, assert_no_end_of_early_data);
13124     SSL_set_msg_callback(clientssl, assert_no_end_of_early_data);
13125 
13126     if (!TEST_int_eq(SSL_connect(clientssl), -1)
13127             || !TEST_int_eq(SSL_accept(serverssl), -1)
13128             || !TEST_int_eq(SSL_get_early_data_status(serverssl), SSL_EARLY_DATA_ACCEPTED)
13129             || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_READ)
13130             || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_READ))
13131         goto end;
13132 
13133     /* Check the encryption levels are what we expect them to be */
13134     if (!TEST_true(sdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_HANDSHAKE)
13135             || !TEST_true(sdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
13136             || !TEST_true(cdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
13137             || !TEST_true(cdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_EARLY))
13138         goto end;
13139 
13140     sdata.sm_count = 0;
13141     cdata.sm_count = 0;
13142     if (!TEST_true(create_ssl_connection_ex(serverssl, clientssl, SSL_ERROR_NONE,
13143                                             &cdata.sm_count, &sdata.sm_count)))
13144         goto end;
13145 
13146     /* Check no problems during the handshake */
13147     if (!TEST_false(sdata.alert)
13148             || !TEST_false(cdata.alert)
13149             || !TEST_false(sdata.err)
13150             || !TEST_false(cdata.err))
13151         goto end;
13152 
13153     /* Check the secrets all match */
13154     for (i = OSSL_RECORD_PROTECTION_LEVEL_EARLY - 1;
13155          i < OSSL_RECORD_PROTECTION_LEVEL_APPLICATION;
13156          i++) {
13157         if (!TEST_mem_eq(sdata.wsecret[i], sdata.wsecret_len[i],
13158                          cdata.rsecret[i], cdata.rsecret_len[i]))
13159             goto end;
13160     }
13161 
13162     if (!TEST_int_eq(check_secret_history(serverssl), 1))
13163         goto end;
13164     if (!TEST_int_eq(check_secret_history(clientssl), 1))
13165         goto end;
13166 
13167     /* Check the transport params */
13168     if (!TEST_mem_eq(sdata.params, sdata.params_len, cparams, sizeof(cparams))
13169             || !TEST_mem_eq(cdata.params, cdata.params_len, sparams,
13170                             sizeof(sparams)))
13171         goto end;
13172 
13173     /* Check the encryption levels are what we expect them to be */
13174     if (!TEST_true(sdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
13175             || !TEST_true(sdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
13176             || !TEST_true(cdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
13177             || !TEST_true(cdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION))
13178         goto end;
13179 
13180     /* Check there is no EndOfEearlyData in handshake */
13181     if (!TEST_int_eq(end_of_early_data, 0))
13182         goto end;
13183 
13184     testresult = 1;
13185  end:
13186     SSL_SESSION_free(sess);
13187     SSL_SESSION_free(clientpsk);
13188     SSL_SESSION_free(serverpsk);
13189     clientpsk = serverpsk = NULL;
13190     SSL_free(serverssl);
13191     SSL_free(clientssl);
13192     SSL_CTX_free(sctx);
13193     SSL_CTX_free(cctx);
13194 
13195     return testresult;
13196 }
13197 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) */
13198 
13199 static int test_no_renegotiation(int idx)
13200 {
13201     SSL_CTX *sctx = NULL, *cctx = NULL;
13202     SSL *serverssl = NULL, *clientssl = NULL;
13203     int testresult = 0, ret;
13204     int max_proto;
13205     const SSL_METHOD *sm, *cm;
13206     unsigned char buf[5];
13207 
13208     if (idx == 0) {
13209 #ifndef OPENSSL_NO_TLS1_2
13210         max_proto = TLS1_2_VERSION;
13211         sm = TLS_server_method();
13212         cm = TLS_client_method();
13213 #else
13214         return TEST_skip("TLSv1.2 is disabled in this build");
13215 #endif
13216     } else {
13217 #ifndef OPENSSL_NO_DTLS1_2
13218         max_proto = DTLS1_2_VERSION;
13219         sm = DTLS_server_method();
13220         cm = DTLS_client_method();
13221 #else
13222         return TEST_skip("DTLSv1.2 is disabled in this build");
13223 #endif
13224     }
13225     if (!TEST_true(create_ssl_ctx_pair(libctx, sm, cm, 0, max_proto,
13226                                        &sctx, &cctx, cert, privkey)))
13227         goto end;
13228 
13229     SSL_CTX_set_options(sctx, SSL_OP_NO_RENEGOTIATION);
13230 
13231     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
13232                                       NULL)))
13233         goto end;
13234 
13235     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
13236         goto end;
13237 
13238     if (!TEST_true(SSL_renegotiate(clientssl))
13239             || !TEST_int_le(ret = SSL_connect(clientssl), 0)
13240             || !TEST_int_eq(SSL_get_error(clientssl, ret), SSL_ERROR_WANT_READ))
13241         goto end;
13242 
13243     /*
13244      * We've not sent any application data, so we expect this to fail. It should
13245      * also read the renegotiation attempt, and send back a no_renegotiation
13246      * warning alert because we have renegotiation disabled.
13247      */
13248     if (!TEST_int_le(ret = SSL_read(serverssl, buf, sizeof(buf)), 0))
13249         goto end;
13250     if (!TEST_int_eq(SSL_get_error(serverssl, ret), SSL_ERROR_WANT_READ))
13251         goto end;
13252 
13253     /*
13254      * The client should now see the no_renegotiation warning and fail the
13255      * connection
13256      */
13257     if (!TEST_int_le(ret = SSL_connect(clientssl), 0)
13258             || !TEST_int_eq(SSL_get_error(clientssl, ret), SSL_ERROR_SSL)
13259             || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), SSL_R_NO_RENEGOTIATION))
13260         goto end;
13261 
13262     testresult = 1;
13263  end:
13264     SSL_free(serverssl);
13265     SSL_free(clientssl);
13266     SSL_CTX_free(sctx);
13267     SSL_CTX_free(cctx);
13268 
13269     return testresult;
13270 }
13271 
13272 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
13273 
13274 int setup_tests(void)
13275 {
13276     char *modulename;
13277     char *configfile;
13278 
13279     libctx = OSSL_LIB_CTX_new();
13280     if (!TEST_ptr(libctx))
13281         return 0;
13282 
13283     defctxnull = OSSL_PROVIDER_load(NULL, "null");
13284 
13285     /*
13286      * Verify that the default and fips providers in the default libctx are not
13287      * available
13288      */
13289     if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
13290             || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
13291         return 0;
13292 
13293     if (!test_skip_common_options()) {
13294         TEST_error("Error parsing test options\n");
13295         return 0;
13296     }
13297 
13298     if (!TEST_ptr(certsdir = test_get_argument(0))
13299             || !TEST_ptr(srpvfile = test_get_argument(1))
13300             || !TEST_ptr(tmpfilename = test_get_argument(2))
13301             || !TEST_ptr(modulename = test_get_argument(3))
13302             || !TEST_ptr(configfile = test_get_argument(4))
13303             || !TEST_ptr(dhfile = test_get_argument(5)))
13304         return 0;
13305 
13306     if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
13307         return 0;
13308 
13309     /* Check we have the expected provider available */
13310     if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
13311         return 0;
13312 
13313     /* Check the default provider is not available */
13314     if (strcmp(modulename, "default") != 0
13315             && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
13316         return 0;
13317 
13318     if (strcmp(modulename, "fips") == 0) {
13319         OSSL_PROVIDER *prov = NULL;
13320         OSSL_PARAM params[2];
13321 
13322         is_fips = 1;
13323 
13324         prov = OSSL_PROVIDER_load(libctx, "fips");
13325         if (prov != NULL) {
13326             /* Query the fips provider to check if the check ems option is enabled */
13327             params[0] =
13328                 OSSL_PARAM_construct_int(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK,
13329                                          &fips_ems_check);
13330             params[1] = OSSL_PARAM_construct_end();
13331             OSSL_PROVIDER_get_params(prov, params);
13332             OSSL_PROVIDER_unload(prov);
13333         }
13334     }
13335 
13336     /*
13337      * We add, but don't load the test "tls-provider". We'll load it when we
13338      * need it.
13339      */
13340     if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
13341                                              tls_provider_init)))
13342         return 0;
13343 
13344 
13345     if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
13346 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
13347         TEST_error("not supported in this build");
13348         return 0;
13349 #else
13350         int i, mcount, rcount, fcount;
13351 
13352         for (i = 0; i < 4; i++)
13353             test_export_key_mat(i);
13354         CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
13355         test_printf_stdout("malloc %d realloc %d free %d\n",
13356                 mcount, rcount, fcount);
13357         return 1;
13358 #endif
13359     }
13360 
13361     cert = test_mk_file_path(certsdir, "servercert.pem");
13362     if (cert == NULL)
13363         goto err;
13364 
13365     privkey = test_mk_file_path(certsdir, "serverkey.pem");
13366     if (privkey == NULL)
13367         goto err;
13368 
13369     cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
13370     if (cert2 == NULL)
13371         goto err;
13372 
13373     privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
13374     if (privkey2 == NULL)
13375         goto err;
13376 
13377     cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
13378     if (cert1024 == NULL)
13379         goto err;
13380 
13381     privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
13382     if (privkey1024 == NULL)
13383         goto err;
13384 
13385     cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
13386     if (cert3072 == NULL)
13387         goto err;
13388 
13389     privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
13390     if (privkey3072 == NULL)
13391         goto err;
13392 
13393     cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
13394     if (cert4096 == NULL)
13395         goto err;
13396 
13397     privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
13398     if (privkey4096 == NULL)
13399         goto err;
13400 
13401     cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
13402     if (cert8192 == NULL)
13403         goto err;
13404 
13405     privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
13406     if (privkey8192 == NULL)
13407         goto err;
13408 
13409     if (fips_ems_check) {
13410 #ifndef OPENSSL_NO_TLS1_2
13411         ADD_TEST(test_no_ems);
13412 #endif
13413         return 1;
13414     }
13415 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
13416 # if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
13417     ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
13418     ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS * 2);
13419 # endif
13420 #endif
13421     ADD_TEST(test_large_message_tls);
13422     ADD_TEST(test_large_message_tls_read_ahead);
13423 #ifndef OPENSSL_NO_DTLS
13424     ADD_TEST(test_large_message_dtls);
13425 #endif
13426     ADD_ALL_TESTS(test_large_app_data, 28);
13427     ADD_TEST(test_cleanse_plaintext);
13428 #ifndef OPENSSL_NO_OCSP
13429     ADD_TEST(test_tlsext_status_type);
13430 #endif
13431     ADD_TEST(test_session_with_only_int_cache);
13432     ADD_TEST(test_session_with_only_ext_cache);
13433     ADD_TEST(test_session_with_both_cache);
13434     ADD_TEST(test_session_wo_ca_names);
13435 #ifndef OSSL_NO_USABLE_TLS1_3
13436     ADD_ALL_TESTS(test_stateful_tickets, 3);
13437     ADD_ALL_TESTS(test_stateless_tickets, 3);
13438     ADD_TEST(test_psk_tickets);
13439     ADD_ALL_TESTS(test_extra_tickets, 6);
13440 #endif
13441     ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
13442     ADD_TEST(test_ssl_bio_pop_next_bio);
13443     ADD_TEST(test_ssl_bio_pop_ssl_bio);
13444     ADD_TEST(test_ssl_bio_change_rbio);
13445     ADD_TEST(test_ssl_bio_change_wbio);
13446 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
13447     ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
13448     ADD_TEST(test_keylog);
13449 #endif
13450 #ifndef OSSL_NO_USABLE_TLS1_3
13451     ADD_TEST(test_keylog_no_master_key);
13452 #endif
13453     ADD_TEST(test_client_cert_verify_cb);
13454     ADD_TEST(test_ssl_build_cert_chain);
13455     ADD_TEST(test_ssl_ctx_build_cert_chain);
13456 #ifndef OPENSSL_NO_TLS1_2
13457     ADD_TEST(test_client_hello_cb);
13458     ADD_TEST(test_no_ems);
13459     ADD_TEST(test_ccs_change_cipher);
13460 #endif
13461 #ifndef OSSL_NO_USABLE_TLS1_3
13462     ADD_ALL_TESTS(test_early_data_read_write, 6);
13463     /*
13464      * We don't do replay tests for external PSK. Replay protection isn't used
13465      * in that scenario.
13466      */
13467     ADD_ALL_TESTS(test_early_data_replay, 2);
13468     ADD_ALL_TESTS(test_early_data_skip, OSSL_NELEM(ciphersuites) * 3);
13469     ADD_ALL_TESTS(test_early_data_skip_hrr, OSSL_NELEM(ciphersuites) * 3);
13470     ADD_ALL_TESTS(test_early_data_skip_hrr_fail, OSSL_NELEM(ciphersuites) * 3);
13471     ADD_ALL_TESTS(test_early_data_skip_abort, OSSL_NELEM(ciphersuites) * 3);
13472     ADD_ALL_TESTS(test_early_data_not_sent, 3);
13473     ADD_ALL_TESTS(test_early_data_psk, 8);
13474     ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 7);
13475     ADD_ALL_TESTS(test_early_data_not_expected, 3);
13476 # ifndef OPENSSL_NO_TLS1_2
13477     ADD_ALL_TESTS(test_early_data_tls1_2, 3);
13478 # endif
13479 #endif
13480 #ifndef OSSL_NO_USABLE_TLS1_3
13481     ADD_ALL_TESTS(test_set_ciphersuite, 10);
13482     ADD_TEST(test_ciphersuite_change);
13483     ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
13484 # ifdef OPENSSL_NO_PSK
13485     ADD_ALL_TESTS(test_tls13_psk, 1);
13486 # else
13487     ADD_ALL_TESTS(test_tls13_psk, 4);
13488 # endif  /* OPENSSL_NO_PSK */
13489 #ifndef OSSL_NO_USABLE_TLS1_3
13490     ADD_ALL_TESTS(test_tls13_no_dhe_kex, 8);
13491 #endif /* OSSL_NO_USABLE_TLS1_3 */
13492 # ifndef OPENSSL_NO_TLS1_2
13493     /* Test with both TLSv1.3 and 1.2 versions */
13494     ADD_ALL_TESTS(test_key_exchange, 21);
13495 #  if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
13496     ADD_ALL_TESTS(test_negotiated_group,
13497                   4 * (OSSL_NELEM(ecdhe_kexch_groups)
13498                        + OSSL_NELEM(ffdhe_kexch_groups)));
13499 #  endif
13500 # else
13501     /* Test with only TLSv1.3 versions */
13502     ADD_ALL_TESTS(test_key_exchange, 18);
13503 # endif
13504     ADD_ALL_TESTS(test_custom_exts, 6);
13505     ADD_TEST(test_stateless);
13506     ADD_TEST(test_pha_key_update);
13507 #else
13508     ADD_ALL_TESTS(test_custom_exts, 3);
13509 #endif
13510     ADD_ALL_TESTS(test_export_key_mat, 6);
13511 #ifndef OSSL_NO_USABLE_TLS1_3
13512     ADD_ALL_TESTS(test_export_key_mat_early, 3);
13513     ADD_TEST(test_key_update);
13514     ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
13515     ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
13516     ADD_ALL_TESTS(test_key_update_local_in_write, 2);
13517     ADD_ALL_TESTS(test_key_update_local_in_read, 2);
13518 #endif
13519     ADD_ALL_TESTS(test_ssl_clear, 8);
13520     ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
13521 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
13522     ADD_ALL_TESTS(test_srp, 6);
13523 #endif
13524 #if !defined(OPENSSL_NO_COMP_ALG)
13525     /* Add compression case */
13526     ADD_ALL_TESTS(test_info_callback, 8);
13527 #else
13528     ADD_ALL_TESTS(test_info_callback, 6);
13529 #endif
13530     ADD_ALL_TESTS(test_ssl_pending, 2);
13531     ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
13532     ADD_ALL_TESTS(test_ticket_callbacks, 20);
13533     ADD_ALL_TESTS(test_shutdown, 7);
13534     ADD_TEST(test_async_shutdown);
13535     ADD_ALL_TESTS(test_incorrect_shutdown, 2);
13536     ADD_ALL_TESTS(test_cert_cb, 6);
13537     ADD_ALL_TESTS(test_client_cert_cb, 2);
13538     ADD_ALL_TESTS(test_ca_names, 3);
13539 #ifndef OPENSSL_NO_TLS1_2
13540     ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
13541 #endif
13542     ADD_ALL_TESTS(test_servername, 10);
13543     ADD_TEST(test_unknown_sigalgs_groups);
13544 #if (!defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)) || !defined(OPENSSL_NO_ML_KEM)
13545     ADD_TEST(test_configuration_of_groups);
13546 #endif
13547 #if !defined(OPENSSL_NO_EC) \
13548     && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
13549     ADD_ALL_TESTS(test_sigalgs_available, 6);
13550 #endif
13551 #ifndef OPENSSL_NO_TLS1_3
13552     ADD_ALL_TESTS(test_pluggable_group, 2);
13553     ADD_ALL_TESTS(test_pluggable_signature, 6);
13554 #endif
13555 #ifndef OPENSSL_NO_TLS1_2
13556     ADD_TEST(test_ssl_dup);
13557     ADD_TEST(test_session_secret_cb);
13558 # ifndef OPENSSL_NO_DH
13559     ADD_ALL_TESTS(test_set_tmp_dh, 11);
13560     ADD_ALL_TESTS(test_dh_auto, 7);
13561 # endif
13562 #endif
13563 #ifndef OSSL_NO_USABLE_TLS1_3
13564     ADD_TEST(test_sni_tls13);
13565     ADD_ALL_TESTS(test_ticket_lifetime, 2);
13566 #endif
13567     ADD_TEST(test_inherit_verify_param);
13568     ADD_TEST(test_set_alpn);
13569     ADD_TEST(test_set_verify_cert_store_ssl_ctx);
13570     ADD_TEST(test_set_verify_cert_store_ssl);
13571     ADD_ALL_TESTS(test_session_timeout, 1);
13572 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
13573     ADD_ALL_TESTS(test_session_cache_overflow, 4);
13574 #endif
13575     ADD_TEST(test_load_dhfile);
13576 #ifndef OSSL_NO_USABLE_TLS1_3
13577     ADD_TEST(test_read_ahead_key_change);
13578     ADD_ALL_TESTS(test_tls13_record_padding, 6);
13579 #endif
13580 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
13581     ADD_ALL_TESTS(test_serverinfo_custom, 4);
13582 #endif
13583 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
13584     ADD_ALL_TESTS(test_pipelining, 7);
13585 #endif
13586     ADD_ALL_TESTS(test_version, 6);
13587     ADD_TEST(test_rstate_string);
13588     ADD_ALL_TESTS(test_handshake_retry, 16);
13589     ADD_TEST(test_data_retry);
13590     ADD_ALL_TESTS(test_multi_resume, 5);
13591     ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests));
13592 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
13593     ADD_ALL_TESTS(test_npn, 5);
13594 #endif
13595     ADD_ALL_TESTS(test_alpn, 4);
13596 #if !defined(OSSL_NO_USABLE_TLS1_3)
13597     ADD_ALL_TESTS(test_quic_tls, 6);
13598     ADD_TEST(test_quic_tls_early_data);
13599 #endif
13600     ADD_ALL_TESTS(test_no_renegotiation, 2);
13601     return 1;
13602 
13603  err:
13604     OPENSSL_free(cert);
13605     OPENSSL_free(privkey);
13606     OPENSSL_free(cert2);
13607     OPENSSL_free(privkey2);
13608     return 0;
13609 }
13610 
13611 void cleanup_tests(void)
13612 {
13613 # if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
13614     EVP_PKEY_free(tmp_dh_params);
13615 #endif
13616     OPENSSL_free(cert);
13617     OPENSSL_free(privkey);
13618     OPENSSL_free(cert2);
13619     OPENSSL_free(privkey2);
13620     OPENSSL_free(cert1024);
13621     OPENSSL_free(privkey1024);
13622     OPENSSL_free(cert3072);
13623     OPENSSL_free(privkey3072);
13624     OPENSSL_free(cert4096);
13625     OPENSSL_free(privkey4096);
13626     OPENSSL_free(cert8192);
13627     OPENSSL_free(privkey8192);
13628     bio_s_mempacket_test_free();
13629     bio_s_always_retry_free();
13630     bio_s_maybe_retry_free();
13631     OSSL_PROVIDER_unload(defctxnull);
13632     OSSL_LIB_CTX_free(libctx);
13633 }
13634