xref: /freebsd/crypto/openssl/test/sslapitest.c (revision 96190b4fef3b4a0cc3ca0606b0c4e3e69a5e6717)
1 /*
2  * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 /*
11  * We need access to the deprecated low level HMAC APIs for legacy purposes
12  * when the deprecated calls are not hidden
13  */
14 #ifndef OPENSSL_NO_DEPRECATED_3_0
15 # define OPENSSL_SUPPRESS_DEPRECATED
16 #endif
17 
18 #include <stdio.h>
19 #include <string.h>
20 
21 #include <openssl/opensslconf.h>
22 #include <openssl/bio.h>
23 #include <openssl/crypto.h>
24 #include <openssl/ssl.h>
25 #include <openssl/ocsp.h>
26 #include <openssl/srp.h>
27 #include <openssl/txt_db.h>
28 #include <openssl/aes.h>
29 #include <openssl/rand.h>
30 #include <openssl/core_names.h>
31 #include <openssl/core_dispatch.h>
32 #include <openssl/provider.h>
33 #include <openssl/param_build.h>
34 #include <openssl/x509v3.h>
35 #include <openssl/dh.h>
36 #include <openssl/engine.h>
37 
38 #include "helpers/ssltestlib.h"
39 #include "testutil.h"
40 #include "testutil/output.h"
41 #include "internal/nelem.h"
42 #include "internal/ktls.h"
43 #include "../ssl/ssl_local.h"
44 #include "filterprov.h"
45 
46 #undef OSSL_NO_USABLE_TLS1_3
47 #if defined(OPENSSL_NO_TLS1_3) \
48     || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
49 /*
50  * If we don't have ec or dh then there are no built-in groups that are usable
51  * with TLSv1.3
52  */
53 # define OSSL_NO_USABLE_TLS1_3
54 #endif
55 
56 /* Defined in tls-provider.c */
57 int tls_provider_init(const OSSL_CORE_HANDLE *handle,
58                       const OSSL_DISPATCH *in,
59                       const OSSL_DISPATCH **out,
60                       void **provctx);
61 
62 static OSSL_LIB_CTX *libctx = NULL;
63 static OSSL_PROVIDER *defctxnull = NULL;
64 
65 #ifndef OSSL_NO_USABLE_TLS1_3
66 
67 static SSL_SESSION *clientpsk = NULL;
68 static SSL_SESSION *serverpsk = NULL;
69 static const char *pskid = "Identity";
70 static const char *srvid;
71 
72 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
73                           size_t *idlen, SSL_SESSION **sess);
74 static int find_session_cb(SSL *ssl, const unsigned char *identity,
75                            size_t identity_len, SSL_SESSION **sess);
76 
77 static int use_session_cb_cnt = 0;
78 static int find_session_cb_cnt = 0;
79 
80 static SSL_SESSION *create_a_psk(SSL *ssl, size_t mdsize);
81 #endif
82 
83 static char *certsdir = NULL;
84 static char *cert = NULL;
85 static char *privkey = NULL;
86 static char *cert2 = NULL;
87 static char *privkey2 = NULL;
88 static char *cert1024 = NULL;
89 static char *privkey1024 = NULL;
90 static char *cert3072 = NULL;
91 static char *privkey3072 = NULL;
92 static char *cert4096 = NULL;
93 static char *privkey4096 = NULL;
94 static char *cert8192 = NULL;
95 static char *privkey8192 = NULL;
96 static char *srpvfile = NULL;
97 static char *tmpfilename = NULL;
98 static char *dhfile = NULL;
99 
100 static int is_fips = 0;
101 
102 #define LOG_BUFFER_SIZE 2048
103 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
104 static size_t server_log_buffer_index = 0;
105 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
106 static size_t client_log_buffer_index = 0;
107 static int error_writing_log = 0;
108 
109 #ifndef OPENSSL_NO_OCSP
110 static const unsigned char orespder[] = "Dummy OCSP Response";
111 static int ocsp_server_called = 0;
112 static int ocsp_client_called = 0;
113 
114 static int cdummyarg = 1;
115 static X509 *ocspcert = NULL;
116 #endif
117 
118 #define NUM_EXTRA_CERTS 40
119 #define CLIENT_VERSION_LEN      2
120 
121 /*
122  * This structure is used to validate that the correct number of log messages
123  * of various types are emitted when emitting secret logs.
124  */
125 struct sslapitest_log_counts {
126     unsigned int rsa_key_exchange_count;
127     unsigned int master_secret_count;
128     unsigned int client_early_secret_count;
129     unsigned int client_handshake_secret_count;
130     unsigned int server_handshake_secret_count;
131     unsigned int client_application_secret_count;
132     unsigned int server_application_secret_count;
133     unsigned int early_exporter_secret_count;
134     unsigned int exporter_secret_count;
135 };
136 
137 
138 static int hostname_cb(SSL *s, int *al, void *arg)
139 {
140     const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
141 
142     if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
143                              || strcmp(hostname, "altgoodhost") == 0))
144         return  SSL_TLSEXT_ERR_OK;
145 
146     return SSL_TLSEXT_ERR_NOACK;
147 }
148 
149 static void client_keylog_callback(const SSL *ssl, const char *line)
150 {
151     int line_length = strlen(line);
152 
153     /* If the log doesn't fit, error out. */
154     if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
155         TEST_info("Client log too full");
156         error_writing_log = 1;
157         return;
158     }
159 
160     strcat(client_log_buffer, line);
161     client_log_buffer_index += line_length;
162     client_log_buffer[client_log_buffer_index++] = '\n';
163 }
164 
165 static void server_keylog_callback(const SSL *ssl, const char *line)
166 {
167     int line_length = strlen(line);
168 
169     /* If the log doesn't fit, error out. */
170     if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
171         TEST_info("Server log too full");
172         error_writing_log = 1;
173         return;
174     }
175 
176     strcat(server_log_buffer, line);
177     server_log_buffer_index += line_length;
178     server_log_buffer[server_log_buffer_index++] = '\n';
179 }
180 
181 static int compare_hex_encoded_buffer(const char *hex_encoded,
182                                       size_t hex_length,
183                                       const uint8_t *raw,
184                                       size_t raw_length)
185 {
186     size_t i, j;
187     char hexed[3];
188 
189     if (!TEST_size_t_eq(raw_length * 2, hex_length))
190         return 1;
191 
192     for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
193         sprintf(hexed, "%02x", raw[i]);
194         if (!TEST_int_eq(hexed[0], hex_encoded[j])
195                 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
196             return 1;
197     }
198 
199     return 0;
200 }
201 
202 static int test_keylog_output(char *buffer, const SSL *ssl,
203                               const SSL_SESSION *session,
204                               struct sslapitest_log_counts *expected)
205 {
206     char *token = NULL;
207     unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
208     size_t client_random_size = SSL3_RANDOM_SIZE;
209     unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
210     size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
211     unsigned int rsa_key_exchange_count = 0;
212     unsigned int master_secret_count = 0;
213     unsigned int client_early_secret_count = 0;
214     unsigned int client_handshake_secret_count = 0;
215     unsigned int server_handshake_secret_count = 0;
216     unsigned int client_application_secret_count = 0;
217     unsigned int server_application_secret_count = 0;
218     unsigned int early_exporter_secret_count = 0;
219     unsigned int exporter_secret_count = 0;
220 
221     for (token = strtok(buffer, " \n"); token != NULL;
222          token = strtok(NULL, " \n")) {
223         if (strcmp(token, "RSA") == 0) {
224             /*
225              * Premaster secret. Tokens should be: 16 ASCII bytes of
226              * hex-encoded encrypted secret, then the hex-encoded pre-master
227              * secret.
228              */
229             if (!TEST_ptr(token = strtok(NULL, " \n")))
230                 return 0;
231             if (!TEST_size_t_eq(strlen(token), 16))
232                 return 0;
233             if (!TEST_ptr(token = strtok(NULL, " \n")))
234                 return 0;
235             /*
236              * We can't sensibly check the log because the premaster secret is
237              * transient, and OpenSSL doesn't keep hold of it once the master
238              * secret is generated.
239              */
240             rsa_key_exchange_count++;
241         } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
242             /*
243              * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
244              * client random, then the hex-encoded master secret.
245              */
246             client_random_size = SSL_get_client_random(ssl,
247                                                        actual_client_random,
248                                                        SSL3_RANDOM_SIZE);
249             if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
250                 return 0;
251 
252             if (!TEST_ptr(token = strtok(NULL, " \n")))
253                 return 0;
254             if (!TEST_size_t_eq(strlen(token), 64))
255                 return 0;
256             if (!TEST_false(compare_hex_encoded_buffer(token, 64,
257                                                        actual_client_random,
258                                                        client_random_size)))
259                 return 0;
260 
261             if (!TEST_ptr(token = strtok(NULL, " \n")))
262                 return 0;
263             master_key_size = SSL_SESSION_get_master_key(session,
264                                                          actual_master_key,
265                                                          master_key_size);
266             if (!TEST_size_t_ne(master_key_size, 0))
267                 return 0;
268             if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
269                                                        actual_master_key,
270                                                        master_key_size)))
271                 return 0;
272             master_secret_count++;
273         } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
274                     || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
275                     || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
276                     || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
277                     || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
278                     || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
279                     || strcmp(token, "EXPORTER_SECRET") == 0) {
280             /*
281              * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
282              * client random, and then the hex-encoded secret. In this case,
283              * we treat all of these secrets identically and then just
284              * distinguish between them when counting what we saw.
285              */
286             if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
287                 client_early_secret_count++;
288             else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
289                 client_handshake_secret_count++;
290             else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
291                 server_handshake_secret_count++;
292             else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
293                 client_application_secret_count++;
294             else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
295                 server_application_secret_count++;
296             else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
297                 early_exporter_secret_count++;
298             else if (strcmp(token, "EXPORTER_SECRET") == 0)
299                 exporter_secret_count++;
300 
301             client_random_size = SSL_get_client_random(ssl,
302                                                        actual_client_random,
303                                                        SSL3_RANDOM_SIZE);
304             if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
305                 return 0;
306 
307             if (!TEST_ptr(token = strtok(NULL, " \n")))
308                 return 0;
309             if (!TEST_size_t_eq(strlen(token), 64))
310                 return 0;
311             if (!TEST_false(compare_hex_encoded_buffer(token, 64,
312                                                        actual_client_random,
313                                                        client_random_size)))
314                 return 0;
315 
316             if (!TEST_ptr(token = strtok(NULL, " \n")))
317                 return 0;
318         } else {
319             TEST_info("Unexpected token %s\n", token);
320             return 0;
321         }
322     }
323 
324     /* Got what we expected? */
325     if (!TEST_size_t_eq(rsa_key_exchange_count,
326                         expected->rsa_key_exchange_count)
327             || !TEST_size_t_eq(master_secret_count,
328                                expected->master_secret_count)
329             || !TEST_size_t_eq(client_early_secret_count,
330                                expected->client_early_secret_count)
331             || !TEST_size_t_eq(client_handshake_secret_count,
332                                expected->client_handshake_secret_count)
333             || !TEST_size_t_eq(server_handshake_secret_count,
334                                expected->server_handshake_secret_count)
335             || !TEST_size_t_eq(client_application_secret_count,
336                                expected->client_application_secret_count)
337             || !TEST_size_t_eq(server_application_secret_count,
338                                expected->server_application_secret_count)
339             || !TEST_size_t_eq(early_exporter_secret_count,
340                                expected->early_exporter_secret_count)
341             || !TEST_size_t_eq(exporter_secret_count,
342                                expected->exporter_secret_count))
343         return 0;
344     return 1;
345 }
346 
347 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
348 static int test_keylog(void)
349 {
350     SSL_CTX *cctx = NULL, *sctx = NULL;
351     SSL *clientssl = NULL, *serverssl = NULL;
352     int testresult = 0;
353     struct sslapitest_log_counts expected;
354 
355     /* Clean up logging space */
356     memset(&expected, 0, sizeof(expected));
357     memset(client_log_buffer, 0, sizeof(client_log_buffer));
358     memset(server_log_buffer, 0, sizeof(server_log_buffer));
359     client_log_buffer_index = 0;
360     server_log_buffer_index = 0;
361     error_writing_log = 0;
362 
363     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
364                                        TLS_client_method(),
365                                        TLS1_VERSION, 0,
366                                        &sctx, &cctx, cert, privkey)))
367         return 0;
368 
369     /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
370     SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
371     SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
372 
373     /* We also want to ensure that we use RSA-based key exchange. */
374     if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
375         goto end;
376 
377     if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
378             || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
379         goto end;
380     SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
381     if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
382                    == client_keylog_callback))
383         goto end;
384     SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
385     if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
386                    == server_keylog_callback))
387         goto end;
388 
389     /* Now do a handshake and check that the logs have been written to. */
390     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
391                                       &clientssl, NULL, NULL))
392             || !TEST_true(create_ssl_connection(serverssl, clientssl,
393                                                 SSL_ERROR_NONE))
394             || !TEST_false(error_writing_log)
395             || !TEST_int_gt(client_log_buffer_index, 0)
396             || !TEST_int_gt(server_log_buffer_index, 0))
397         goto end;
398 
399     /*
400      * Now we want to test that our output data was vaguely sensible. We
401      * do that by using strtok and confirming that we have more or less the
402      * data we expect. For both client and server, we expect to see one master
403      * secret. The client should also see an RSA key exchange.
404      */
405     expected.rsa_key_exchange_count = 1;
406     expected.master_secret_count = 1;
407     if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
408                                       SSL_get_session(clientssl), &expected)))
409         goto end;
410 
411     expected.rsa_key_exchange_count = 0;
412     if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
413                                       SSL_get_session(serverssl), &expected)))
414         goto end;
415 
416     testresult = 1;
417 
418 end:
419     SSL_free(serverssl);
420     SSL_free(clientssl);
421     SSL_CTX_free(sctx);
422     SSL_CTX_free(cctx);
423 
424     return testresult;
425 }
426 #endif
427 
428 #ifndef OSSL_NO_USABLE_TLS1_3
429 static int test_keylog_no_master_key(void)
430 {
431     SSL_CTX *cctx = NULL, *sctx = NULL;
432     SSL *clientssl = NULL, *serverssl = NULL;
433     SSL_SESSION *sess = NULL;
434     int testresult = 0;
435     struct sslapitest_log_counts expected;
436     unsigned char buf[1];
437     size_t readbytes, written;
438 
439     /* Clean up logging space */
440     memset(&expected, 0, sizeof(expected));
441     memset(client_log_buffer, 0, sizeof(client_log_buffer));
442     memset(server_log_buffer, 0, sizeof(server_log_buffer));
443     client_log_buffer_index = 0;
444     server_log_buffer_index = 0;
445     error_writing_log = 0;
446 
447     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
448                                        TLS_client_method(), TLS1_VERSION, 0,
449                                        &sctx, &cctx, cert, privkey))
450         || !TEST_true(SSL_CTX_set_max_early_data(sctx,
451                                                  SSL3_RT_MAX_PLAIN_LENGTH)))
452         return 0;
453 
454     if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
455             || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
456         goto end;
457 
458     SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
459     if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
460                    == client_keylog_callback))
461         goto end;
462 
463     SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
464     if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
465                    == server_keylog_callback))
466         goto end;
467 
468     /* Now do a handshake and check that the logs have been written to. */
469     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
470                                       &clientssl, NULL, NULL))
471             || !TEST_true(create_ssl_connection(serverssl, clientssl,
472                                                 SSL_ERROR_NONE))
473             || !TEST_false(error_writing_log))
474         goto end;
475 
476     /*
477      * Now we want to test that our output data was vaguely sensible. For this
478      * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
479      * TLSv1.3, but we do expect both client and server to emit keys.
480      */
481     expected.client_handshake_secret_count = 1;
482     expected.server_handshake_secret_count = 1;
483     expected.client_application_secret_count = 1;
484     expected.server_application_secret_count = 1;
485     expected.exporter_secret_count = 1;
486     if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
487                                       SSL_get_session(clientssl), &expected))
488             || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
489                                              SSL_get_session(serverssl),
490                                              &expected)))
491         goto end;
492 
493     /* Terminate old session and resume with early data. */
494     sess = SSL_get1_session(clientssl);
495     SSL_shutdown(clientssl);
496     SSL_shutdown(serverssl);
497     SSL_free(serverssl);
498     SSL_free(clientssl);
499     serverssl = clientssl = NULL;
500 
501     /* Reset key log */
502     memset(client_log_buffer, 0, sizeof(client_log_buffer));
503     memset(server_log_buffer, 0, sizeof(server_log_buffer));
504     client_log_buffer_index = 0;
505     server_log_buffer_index = 0;
506 
507     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
508                                       &clientssl, NULL, NULL))
509             || !TEST_true(SSL_set_session(clientssl, sess))
510             /* Here writing 0 length early data is enough. */
511             || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
512             || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
513                                                 &readbytes),
514                             SSL_READ_EARLY_DATA_ERROR)
515             || !TEST_int_eq(SSL_get_early_data_status(serverssl),
516                             SSL_EARLY_DATA_ACCEPTED)
517             || !TEST_true(create_ssl_connection(serverssl, clientssl,
518                           SSL_ERROR_NONE))
519             || !TEST_true(SSL_session_reused(clientssl)))
520         goto end;
521 
522     /* In addition to the previous entries, expect early secrets. */
523     expected.client_early_secret_count = 1;
524     expected.early_exporter_secret_count = 1;
525     if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
526                                       SSL_get_session(clientssl), &expected))
527             || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
528                                              SSL_get_session(serverssl),
529                                              &expected)))
530         goto end;
531 
532     testresult = 1;
533 
534 end:
535     SSL_SESSION_free(sess);
536     SSL_free(serverssl);
537     SSL_free(clientssl);
538     SSL_CTX_free(sctx);
539     SSL_CTX_free(cctx);
540 
541     return testresult;
542 }
543 #endif
544 
545 static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
546 {
547     int res = X509_verify_cert(ctx);
548     int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
549     SSL *ssl;
550 
551     /* this should not happen but check anyway */
552     if (idx < 0
553         || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
554         return 0;
555 
556     if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
557         X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
558         /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
559         return SSL_set_retry_verify(ssl);
560 
561     return res;
562 }
563 
564 static int test_client_cert_verify_cb(void)
565 {
566     /* server key, cert, chain, and root */
567     char *skey = test_mk_file_path(certsdir, "leaf.key");
568     char *leaf = test_mk_file_path(certsdir, "leaf.pem");
569     char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
570     char *int1 = test_mk_file_path(certsdir, "interCA.pem");
571     char *root = test_mk_file_path(certsdir, "rootCA.pem");
572     X509 *crt1 = NULL, *crt2 = NULL;
573     STACK_OF(X509) *server_chain;
574     SSL_CTX *cctx = NULL, *sctx = NULL;
575     SSL *clientssl = NULL, *serverssl = NULL;
576     int testresult = 0;
577 
578     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
579                                        TLS_client_method(), TLS1_VERSION, 0,
580                                        &sctx, &cctx, NULL, NULL)))
581         goto end;
582     if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
583             || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
584                                                         SSL_FILETYPE_PEM), 1)
585             || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
586         goto end;
587     if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
588         goto end;
589     SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
590     SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
591     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
592                                       &clientssl, NULL, NULL)))
593         goto end;
594 
595     /* attempt SSL_connect() with incomplete server chain */
596     if (!TEST_false(create_ssl_connection(serverssl, clientssl,
597                                           SSL_ERROR_WANT_RETRY_VERIFY)))
598         goto end;
599 
600     /* application provides intermediate certs needed to verify server cert */
601     if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
602         || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
603         || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
604         goto end;
605     /* add certs in reverse order to demonstrate real chain building */
606     if (!TEST_true(sk_X509_push(server_chain, crt1)))
607         goto end;
608     crt1 = NULL;
609     if (!TEST_true(sk_X509_push(server_chain, crt2)))
610         goto end;
611     crt2 = NULL;
612 
613     /* continue SSL_connect(), must now succeed with completed server chain */
614     if (!TEST_true(create_ssl_connection(serverssl, clientssl,
615                                          SSL_ERROR_NONE)))
616         goto end;
617 
618     testresult = 1;
619 
620 end:
621     X509_free(crt1);
622     X509_free(crt2);
623     if (clientssl != NULL) {
624         SSL_shutdown(clientssl);
625         SSL_free(clientssl);
626     }
627     if (serverssl != NULL) {
628         SSL_shutdown(serverssl);
629         SSL_free(serverssl);
630     }
631     SSL_CTX_free(sctx);
632     SSL_CTX_free(cctx);
633 
634     OPENSSL_free(skey);
635     OPENSSL_free(leaf);
636     OPENSSL_free(int2);
637     OPENSSL_free(int1);
638     OPENSSL_free(root);
639 
640     return testresult;
641 }
642 
643 static int test_ssl_build_cert_chain(void)
644 {
645     int ret = 0;
646     SSL_CTX *ssl_ctx = NULL;
647     SSL *ssl = NULL;
648     char *skey = test_mk_file_path(certsdir, "leaf.key");
649     char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
650 
651     if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
652         goto end;
653     if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
654         goto end;
655     /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
656     if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
657         || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
658         || !TEST_int_eq(SSL_check_private_key(ssl), 1))
659         goto end;
660     if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
661                                              | SSL_BUILD_CHAIN_FLAG_CHECK)))
662         goto end;
663     ret = 1;
664 end:
665     SSL_free(ssl);
666     SSL_CTX_free(ssl_ctx);
667     OPENSSL_free(leaf_chain);
668     OPENSSL_free(skey);
669     return ret;
670 }
671 
672 static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
673 {
674     static const char pass[] = "testpass";
675 
676     if (!TEST_int_eq(size, PEM_BUFSIZE))
677         return -1;
678 
679     memcpy(buf, pass, sizeof(pass) - 1);
680     return sizeof(pass) - 1;
681 }
682 
683 static int test_ssl_ctx_build_cert_chain(void)
684 {
685     int ret = 0;
686     SSL_CTX *ctx = NULL;
687     char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
688     char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
689 
690     if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
691         goto end;
692     SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
693     /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
694     if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
695         || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
696                                                     SSL_FILETYPE_PEM), 1)
697         || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
698         goto end;
699     if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
700                                                 | SSL_BUILD_CHAIN_FLAG_CHECK)))
701         goto end;
702     ret = 1;
703 end:
704     SSL_CTX_free(ctx);
705     OPENSSL_free(leaf_chain);
706     OPENSSL_free(skey);
707     return ret;
708 }
709 
710 #ifndef OPENSSL_NO_TLS1_2
711 static int full_client_hello_callback(SSL *s, int *al, void *arg)
712 {
713     int *ctr = arg;
714     const unsigned char *p;
715     int *exts;
716     /* We only configure two ciphers, but the SCSV is added automatically. */
717 #ifdef OPENSSL_NO_EC
718     const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
719 #else
720     const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
721                                               0x2c, 0x00, 0xff};
722 #endif
723     const int expected_extensions[] = {
724 #ifndef OPENSSL_NO_EC
725                                        11, 10,
726 #endif
727                                        35, 22, 23, 13};
728     size_t len;
729 
730     /* Make sure we can defer processing and get called back. */
731     if ((*ctr)++ == 0)
732         return SSL_CLIENT_HELLO_RETRY;
733 
734     len = SSL_client_hello_get0_ciphers(s, &p);
735     if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
736             || !TEST_size_t_eq(
737                        SSL_client_hello_get0_compression_methods(s, &p), 1)
738             || !TEST_int_eq(*p, 0))
739         return SSL_CLIENT_HELLO_ERROR;
740     if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
741         return SSL_CLIENT_HELLO_ERROR;
742     if (len != OSSL_NELEM(expected_extensions) ||
743         memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
744         printf("ClientHello callback expected extensions mismatch\n");
745         OPENSSL_free(exts);
746         return SSL_CLIENT_HELLO_ERROR;
747     }
748     OPENSSL_free(exts);
749     return SSL_CLIENT_HELLO_SUCCESS;
750 }
751 
752 static int test_client_hello_cb(void)
753 {
754     SSL_CTX *cctx = NULL, *sctx = NULL;
755     SSL *clientssl = NULL, *serverssl = NULL;
756     int testctr = 0, testresult = 0;
757 
758     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
759                                        TLS_client_method(), TLS1_VERSION, 0,
760                                        &sctx, &cctx, cert, privkey)))
761         goto end;
762     SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
763 
764     /* The gimpy cipher list we configure can't do TLS 1.3. */
765     SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
766 
767     if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
768                         "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
769             || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
770                                              &clientssl, NULL, NULL))
771             || !TEST_false(create_ssl_connection(serverssl, clientssl,
772                         SSL_ERROR_WANT_CLIENT_HELLO_CB))
773                 /*
774                  * Passing a -1 literal is a hack since
775                  * the real value was lost.
776                  * */
777             || !TEST_int_eq(SSL_get_error(serverssl, -1),
778                             SSL_ERROR_WANT_CLIENT_HELLO_CB)
779             || !TEST_true(create_ssl_connection(serverssl, clientssl,
780                                                 SSL_ERROR_NONE)))
781         goto end;
782 
783     testresult = 1;
784 
785 end:
786     SSL_free(serverssl);
787     SSL_free(clientssl);
788     SSL_CTX_free(sctx);
789     SSL_CTX_free(cctx);
790 
791     return testresult;
792 }
793 
794 static int test_no_ems(void)
795 {
796     SSL_CTX *cctx = NULL, *sctx = NULL;
797     SSL *clientssl = NULL, *serverssl = NULL;
798     int testresult = 0;
799 
800     if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
801                              TLS1_VERSION, TLS1_2_VERSION,
802                              &sctx, &cctx, cert, privkey)) {
803         printf("Unable to create SSL_CTX pair\n");
804         goto end;
805     }
806 
807     SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
808 
809     if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
810         printf("Unable to create SSL objects\n");
811         goto end;
812     }
813 
814     if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
815         printf("Creating SSL connection failed\n");
816         goto end;
817     }
818 
819     if (SSL_get_extms_support(serverssl)) {
820         printf("Server reports Extended Master Secret support\n");
821         goto end;
822     }
823 
824     if (SSL_get_extms_support(clientssl)) {
825         printf("Client reports Extended Master Secret support\n");
826         goto end;
827     }
828     testresult = 1;
829 
830 end:
831     SSL_free(serverssl);
832     SSL_free(clientssl);
833     SSL_CTX_free(sctx);
834     SSL_CTX_free(cctx);
835 
836     return testresult;
837 }
838 
839 /*
840  * Very focused test to exercise a single case in the server-side state
841  * machine, when the ChangeCipherState message needs to actually change
842  * from one cipher to a different cipher (i.e., not changing from null
843  * encryption to real encryption).
844  */
845 static int test_ccs_change_cipher(void)
846 {
847     SSL_CTX *cctx = NULL, *sctx = NULL;
848     SSL *clientssl = NULL, *serverssl = NULL;
849     SSL_SESSION *sess = NULL, *sesspre, *sesspost;
850     int testresult = 0;
851     int i;
852     unsigned char buf;
853     size_t readbytes;
854 
855     /*
856      * Create a conection so we can resume and potentially (but not) use
857      * a different cipher in the second connection.
858      */
859     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
860                                        TLS_client_method(),
861                                        TLS1_VERSION, TLS1_2_VERSION,
862                                        &sctx, &cctx, cert, privkey))
863             || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
864             || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
865                           NULL, NULL))
866             || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
867             || !TEST_true(create_ssl_connection(serverssl, clientssl,
868                                                 SSL_ERROR_NONE))
869             || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
870             || !TEST_ptr(sess = SSL_get1_session(clientssl)))
871         goto end;
872 
873     shutdown_ssl_connection(serverssl, clientssl);
874     serverssl = clientssl = NULL;
875 
876     /* Resume, preferring a different cipher. Our server will force the
877      * same cipher to be used as the initial handshake. */
878     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
879                           NULL, NULL))
880             || !TEST_true(SSL_set_session(clientssl, sess))
881             || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
882             || !TEST_true(create_ssl_connection(serverssl, clientssl,
883                                                 SSL_ERROR_NONE))
884             || !TEST_true(SSL_session_reused(clientssl))
885             || !TEST_true(SSL_session_reused(serverssl))
886             || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
887             || !TEST_ptr_eq(sesspre, sesspost)
888             || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
889                             SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
890         goto end;
891     shutdown_ssl_connection(serverssl, clientssl);
892     serverssl = clientssl = NULL;
893 
894     /*
895      * Now create a fresh connection and try to renegotiate a different
896      * cipher on it.
897      */
898     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
899                                       NULL, NULL))
900             || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
901             || !TEST_true(create_ssl_connection(serverssl, clientssl,
902                                                 SSL_ERROR_NONE))
903             || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
904             || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
905             || !TEST_true(SSL_renegotiate(clientssl))
906             || !TEST_true(SSL_renegotiate_pending(clientssl)))
907         goto end;
908     /* Actually drive the renegotiation. */
909     for (i = 0; i < 3; i++) {
910         if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
911             if (!TEST_ulong_eq(readbytes, 0))
912                 goto end;
913         } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
914                                 SSL_ERROR_WANT_READ)) {
915             goto end;
916         }
917         if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
918             if (!TEST_ulong_eq(readbytes, 0))
919                 goto end;
920         } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
921                                 SSL_ERROR_WANT_READ)) {
922             goto end;
923         }
924     }
925     /* sesspre and sesspost should be different since the cipher changed. */
926     if (!TEST_false(SSL_renegotiate_pending(clientssl))
927             || !TEST_false(SSL_session_reused(clientssl))
928             || !TEST_false(SSL_session_reused(serverssl))
929             || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
930             || !TEST_ptr_ne(sesspre, sesspost)
931             || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
932                             SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
933         goto end;
934 
935     shutdown_ssl_connection(serverssl, clientssl);
936     serverssl = clientssl = NULL;
937 
938     testresult = 1;
939 
940 end:
941     SSL_free(serverssl);
942     SSL_free(clientssl);
943     SSL_CTX_free(sctx);
944     SSL_CTX_free(cctx);
945     SSL_SESSION_free(sess);
946 
947     return testresult;
948 }
949 #endif
950 
951 static int add_large_cert_chain(SSL_CTX *sctx)
952 {
953     BIO *certbio = NULL;
954     X509 *chaincert = NULL;
955     int certlen;
956     int ret = 0;
957     int i;
958 
959     if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
960         goto end;
961 
962     if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
963         goto end;
964 
965     if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
966         goto end;
967     BIO_free(certbio);
968     certbio = NULL;
969 
970     /*
971      * We assume the supplied certificate is big enough so that if we add
972      * NUM_EXTRA_CERTS it will make the overall message large enough. The
973      * default buffer size is requested to be 16k, but due to the way BUF_MEM
974      * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
975      * test we need to have a message larger than that.
976      */
977     certlen = i2d_X509(chaincert, NULL);
978     OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
979                    (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
980     for (i = 0; i < NUM_EXTRA_CERTS; i++) {
981         if (!X509_up_ref(chaincert))
982             goto end;
983         if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
984             X509_free(chaincert);
985             goto end;
986         }
987     }
988 
989     ret = 1;
990  end:
991     BIO_free(certbio);
992     X509_free(chaincert);
993     return ret;
994 }
995 
996 static int execute_test_large_message(const SSL_METHOD *smeth,
997                                       const SSL_METHOD *cmeth,
998                                       int min_version, int max_version,
999                                       int read_ahead)
1000 {
1001     SSL_CTX *cctx = NULL, *sctx = NULL;
1002     SSL *clientssl = NULL, *serverssl = NULL;
1003     int testresult = 0;
1004 
1005     if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
1006                                        max_version, &sctx, &cctx, cert,
1007                                        privkey)))
1008         goto end;
1009 
1010 #ifdef OPENSSL_NO_DTLS1_2
1011     if (smeth == DTLS_server_method()) {
1012         /*
1013          * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1014          * level 0
1015          */
1016         if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1017                 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1018                                                     "DEFAULT:@SECLEVEL=0")))
1019             goto end;
1020     }
1021 #endif
1022 
1023     if (read_ahead) {
1024         /*
1025          * Test that read_ahead works correctly when dealing with large
1026          * records
1027          */
1028         SSL_CTX_set_read_ahead(cctx, 1);
1029     }
1030 
1031     if (!add_large_cert_chain(sctx))
1032         goto end;
1033 
1034     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1035                                       NULL, NULL))
1036             || !TEST_true(create_ssl_connection(serverssl, clientssl,
1037                                                 SSL_ERROR_NONE)))
1038         goto end;
1039 
1040     /*
1041      * Calling SSL_clear() first is not required but this tests that SSL_clear()
1042      * doesn't leak.
1043      */
1044     if (!TEST_true(SSL_clear(serverssl)))
1045         goto end;
1046 
1047     testresult = 1;
1048  end:
1049     SSL_free(serverssl);
1050     SSL_free(clientssl);
1051     SSL_CTX_free(sctx);
1052     SSL_CTX_free(cctx);
1053 
1054     return testresult;
1055 }
1056 
1057 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
1058     !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
1059 /* sock must be connected */
1060 static int ktls_chk_platform(int sock)
1061 {
1062     if (!ktls_enable(sock))
1063         return 0;
1064     return 1;
1065 }
1066 
1067 static int ping_pong_query(SSL *clientssl, SSL *serverssl)
1068 {
1069     static char count = 1;
1070     unsigned char cbuf[16000] = {0};
1071     unsigned char sbuf[16000];
1072     size_t err = 0;
1073     char crec_wseq_before[SEQ_NUM_SIZE];
1074     char crec_wseq_after[SEQ_NUM_SIZE];
1075     char crec_rseq_before[SEQ_NUM_SIZE];
1076     char crec_rseq_after[SEQ_NUM_SIZE];
1077     char srec_wseq_before[SEQ_NUM_SIZE];
1078     char srec_wseq_after[SEQ_NUM_SIZE];
1079     char srec_rseq_before[SEQ_NUM_SIZE];
1080     char srec_rseq_after[SEQ_NUM_SIZE];
1081 
1082     cbuf[0] = count++;
1083     memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1084     memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1085     memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1086     memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1087 
1088     if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1089         goto end;
1090 
1091     while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1092         if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1093             goto end;
1094         }
1095     }
1096 
1097     if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1098         goto end;
1099 
1100     while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1101         if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1102             goto end;
1103         }
1104     }
1105 
1106     memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1107     memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1108     memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1109     memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1110 
1111     /* verify the payload */
1112     if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1113         goto end;
1114 
1115     /*
1116      * If ktls is used then kernel sequences are used instead of
1117      * OpenSSL sequences
1118      */
1119     if (!BIO_get_ktls_send(clientssl->wbio)) {
1120         if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1121                          crec_wseq_after, SEQ_NUM_SIZE))
1122             goto end;
1123     } else {
1124         if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1125                          crec_wseq_after, SEQ_NUM_SIZE))
1126             goto end;
1127     }
1128 
1129     if (!BIO_get_ktls_send(serverssl->wbio)) {
1130         if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1131                          srec_wseq_after, SEQ_NUM_SIZE))
1132             goto end;
1133     } else {
1134         if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1135                          srec_wseq_after, SEQ_NUM_SIZE))
1136             goto end;
1137     }
1138 
1139     if (!BIO_get_ktls_recv(clientssl->wbio)) {
1140         if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1141                          crec_rseq_after, SEQ_NUM_SIZE))
1142             goto end;
1143     } else {
1144         if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1145                          crec_rseq_after, SEQ_NUM_SIZE))
1146             goto end;
1147     }
1148 
1149     if (!BIO_get_ktls_recv(serverssl->wbio)) {
1150         if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1151                          srec_rseq_after, SEQ_NUM_SIZE))
1152             goto end;
1153     } else {
1154         if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1155                          srec_rseq_after, SEQ_NUM_SIZE))
1156             goto end;
1157     }
1158 
1159     return 1;
1160 end:
1161     return 0;
1162 }
1163 
1164 static int execute_test_ktls(int cis_ktls, int sis_ktls,
1165                              int tls_version, const char *cipher)
1166 {
1167     SSL_CTX *cctx = NULL, *sctx = NULL;
1168     SSL *clientssl = NULL, *serverssl = NULL;
1169     int ktls_used = 0, testresult = 0;
1170     int cfd = -1, sfd = -1;
1171     int rx_supported;
1172 
1173     if (!TEST_true(create_test_sockets(&cfd, &sfd)))
1174         goto end;
1175 
1176     /* Skip this test if the platform does not support ktls */
1177     if (!ktls_chk_platform(cfd)) {
1178         testresult = TEST_skip("Kernel does not support KTLS");
1179         goto end;
1180     }
1181 
1182     if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1183         testresult = TEST_skip("CHACHA is not supported in FIPS");
1184         goto end;
1185     }
1186 
1187     /* Create a session based on SHA-256 */
1188     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1189                                        TLS_client_method(),
1190                                        tls_version, tls_version,
1191                                        &sctx, &cctx, cert, privkey)))
1192         goto end;
1193 
1194     if (tls_version == TLS1_3_VERSION) {
1195         if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1196             || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1197             goto end;
1198     } else {
1199         if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1200             || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1201             goto end;
1202     }
1203 
1204     if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1205                                        &clientssl, sfd, cfd)))
1206         goto end;
1207 
1208     if (cis_ktls) {
1209         if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
1210             goto end;
1211     }
1212 
1213     if (sis_ktls) {
1214         if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1215             goto end;
1216     }
1217 
1218     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1219         goto end;
1220 
1221     /*
1222      * The running kernel may not support a given cipher suite
1223      * or direction, so just check that KTLS isn't used when it
1224      * isn't enabled.
1225      */
1226     if (!cis_ktls) {
1227         if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1228             goto end;
1229     } else {
1230         if (BIO_get_ktls_send(clientssl->wbio))
1231             ktls_used = 1;
1232     }
1233 
1234     if (!sis_ktls) {
1235         if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1236             goto end;
1237     } else {
1238         if (BIO_get_ktls_send(serverssl->wbio))
1239             ktls_used = 1;
1240     }
1241 
1242 #if defined(OPENSSL_NO_KTLS_RX)
1243     rx_supported = 0;
1244 #else
1245     rx_supported = (tls_version != TLS1_3_VERSION);
1246 #endif
1247     if (!cis_ktls || !rx_supported) {
1248         if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1249             goto end;
1250     } else {
1251         if (BIO_get_ktls_send(clientssl->rbio))
1252             ktls_used = 1;
1253     }
1254 
1255     if (!sis_ktls || !rx_supported) {
1256         if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1257             goto end;
1258     } else {
1259         if (BIO_get_ktls_send(serverssl->rbio))
1260             ktls_used = 1;
1261     }
1262 
1263     if ((cis_ktls || sis_ktls) && !ktls_used) {
1264         testresult = TEST_skip("KTLS not supported for %s cipher %s",
1265                                tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1266                                "TLS 1.2", cipher);
1267         goto end;
1268     }
1269 
1270     if (!TEST_true(ping_pong_query(clientssl, serverssl)))
1271         goto end;
1272 
1273     testresult = 1;
1274 end:
1275     if (clientssl) {
1276         SSL_shutdown(clientssl);
1277         SSL_free(clientssl);
1278     }
1279     if (serverssl) {
1280         SSL_shutdown(serverssl);
1281         SSL_free(serverssl);
1282     }
1283     SSL_CTX_free(sctx);
1284     SSL_CTX_free(cctx);
1285     serverssl = clientssl = NULL;
1286     if (cfd != -1)
1287         close(cfd);
1288     if (sfd != -1)
1289         close(sfd);
1290     return testresult;
1291 }
1292 
1293 #define SENDFILE_SZ                     (16 * 4096)
1294 #define SENDFILE_CHUNK                  (4 * 4096)
1295 #define min(a,b)                        ((a) > (b) ? (b) : (a))
1296 
1297 static int execute_test_ktls_sendfile(int tls_version, const char *cipher)
1298 {
1299     SSL_CTX *cctx = NULL, *sctx = NULL;
1300     SSL *clientssl = NULL, *serverssl = NULL;
1301     unsigned char *buf, *buf_dst;
1302     BIO *out = NULL, *in = NULL;
1303     int cfd = -1, sfd = -1, ffd, err;
1304     ssize_t chunk_size = 0;
1305     off_t chunk_off = 0;
1306     int testresult = 0;
1307     FILE *ffdp;
1308 
1309     buf = OPENSSL_zalloc(SENDFILE_SZ);
1310     buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1311     if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1312         || !TEST_true(create_test_sockets(&cfd, &sfd)))
1313         goto end;
1314 
1315     /* Skip this test if the platform does not support ktls */
1316     if (!ktls_chk_platform(sfd)) {
1317         testresult = TEST_skip("Kernel does not support KTLS");
1318         goto end;
1319     }
1320 
1321     if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1322         testresult = TEST_skip("CHACHA is not supported in FIPS");
1323         goto end;
1324     }
1325 
1326     /* Create a session based on SHA-256 */
1327     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1328                                        TLS_client_method(),
1329                                        tls_version, tls_version,
1330                                        &sctx, &cctx, cert, privkey)))
1331         goto end;
1332 
1333     if (tls_version == TLS1_3_VERSION) {
1334         if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1335             || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1336             goto end;
1337     } else {
1338         if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1339             || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1340             goto end;
1341     }
1342 
1343     if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1344                                        &clientssl, sfd, cfd)))
1345         goto end;
1346 
1347     if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
1348         goto end;
1349 
1350     if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1351                                          SSL_ERROR_NONE)))
1352         goto end;
1353 
1354     if (!BIO_get_ktls_send(serverssl->wbio)) {
1355         testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1356                                tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1357                                "TLS 1.2", cipher);
1358         goto end;
1359     }
1360 
1361     if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
1362         goto end;
1363 
1364     out = BIO_new_file(tmpfilename, "wb");
1365     if (!TEST_ptr(out))
1366         goto end;
1367 
1368     if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1369         goto end;
1370 
1371     BIO_free(out);
1372     out = NULL;
1373     in = BIO_new_file(tmpfilename, "rb");
1374     BIO_get_fp(in, &ffdp);
1375     ffd = fileno(ffdp);
1376 
1377     while (chunk_off < SENDFILE_SZ) {
1378         chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1379         while ((err = SSL_sendfile(serverssl,
1380                                    ffd,
1381                                    chunk_off,
1382                                    chunk_size,
1383                                    0)) != chunk_size) {
1384             if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1385                 goto end;
1386         }
1387         while ((err = SSL_read(clientssl,
1388                                buf_dst + chunk_off,
1389                                chunk_size)) != chunk_size) {
1390             if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1391                 goto end;
1392         }
1393 
1394         /* verify the payload */
1395         if (!TEST_mem_eq(buf_dst + chunk_off,
1396                          chunk_size,
1397                          buf + chunk_off,
1398                          chunk_size))
1399             goto end;
1400 
1401         chunk_off += chunk_size;
1402     }
1403 
1404     testresult = 1;
1405 end:
1406     if (clientssl) {
1407         SSL_shutdown(clientssl);
1408         SSL_free(clientssl);
1409     }
1410     if (serverssl) {
1411         SSL_shutdown(serverssl);
1412         SSL_free(serverssl);
1413     }
1414     SSL_CTX_free(sctx);
1415     SSL_CTX_free(cctx);
1416     serverssl = clientssl = NULL;
1417     BIO_free(out);
1418     BIO_free(in);
1419     if (cfd != -1)
1420         close(cfd);
1421     if (sfd != -1)
1422         close(sfd);
1423     OPENSSL_free(buf);
1424     OPENSSL_free(buf_dst);
1425     return testresult;
1426 }
1427 
1428 static struct ktls_test_cipher {
1429     int tls_version;
1430     const char *cipher;
1431 } ktls_test_ciphers[] = {
1432 # if !defined(OPENSSL_NO_TLS1_2)
1433 #  ifdef OPENSSL_KTLS_AES_GCM_128
1434     { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1435 #  endif
1436 #  ifdef OPENSSL_KTLS_AES_CCM_128
1437     { TLS1_2_VERSION, "AES128-CCM"},
1438 #  endif
1439 #  ifdef OPENSSL_KTLS_AES_GCM_256
1440     { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1441 #  endif
1442 #  ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1443 #    ifndef OPENSSL_NO_EC
1444     { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1445 #    endif
1446 #  endif
1447 # endif
1448 # if !defined(OSSL_NO_USABLE_TLS1_3)
1449 #  ifdef OPENSSL_KTLS_AES_GCM_128
1450     { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1451 #  endif
1452 #  ifdef OPENSSL_KTLS_AES_CCM_128
1453     { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1454 #  endif
1455 #  ifdef OPENSSL_KTLS_AES_GCM_256
1456     { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1457 #  endif
1458 #  ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1459     { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1460 #  endif
1461 # endif
1462 };
1463 
1464 #define NUM_KTLS_TEST_CIPHERS \
1465     (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1466 
1467 static int test_ktls(int test)
1468 {
1469     struct ktls_test_cipher *cipher;
1470     int cis_ktls, sis_ktls;
1471 
1472     OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
1473     cipher = &ktls_test_ciphers[test / 4];
1474 
1475     cis_ktls = (test & 1) != 0;
1476     sis_ktls = (test & 2) != 0;
1477 
1478     return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1479                              cipher->cipher);
1480 }
1481 
1482 static int test_ktls_sendfile(int tst)
1483 {
1484     struct ktls_test_cipher *cipher;
1485 
1486     OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
1487     cipher = &ktls_test_ciphers[tst];
1488 
1489     return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher);
1490 }
1491 #endif
1492 
1493 static int test_large_message_tls(void)
1494 {
1495     return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1496                                       TLS1_VERSION, 0, 0);
1497 }
1498 
1499 static int test_large_message_tls_read_ahead(void)
1500 {
1501     return execute_test_large_message(TLS_server_method(), TLS_client_method(),
1502                                       TLS1_VERSION, 0, 1);
1503 }
1504 
1505 #ifndef OPENSSL_NO_DTLS
1506 static int test_large_message_dtls(void)
1507 {
1508 # ifdef OPENSSL_NO_DTLS1_2
1509     /* Not supported in the FIPS provider */
1510     if (is_fips)
1511         return 1;
1512 # endif
1513     /*
1514      * read_ahead is not relevant to DTLS because DTLS always acts as if
1515      * read_ahead is set.
1516      */
1517     return execute_test_large_message(DTLS_server_method(),
1518                                       DTLS_client_method(),
1519                                       DTLS1_VERSION, 0, 0);
1520 }
1521 #endif
1522 
1523 /*
1524  * Test we can successfully send the maximum amount of application data. We
1525  * test each protocol version individually, each with and without EtM enabled.
1526  * TLSv1.3 doesn't use EtM so technically it is redundant to test both but it is
1527  * simpler this way. We also test all combinations with and without the
1528  * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option which affects the size of the
1529  * underlying buffer.
1530  */
1531 static int test_large_app_data(int tst)
1532 {
1533     SSL_CTX *cctx = NULL, *sctx = NULL;
1534     SSL *clientssl = NULL, *serverssl = NULL;
1535     int testresult = 0, prot;
1536     unsigned char *msg, *buf = NULL;
1537     size_t written, readbytes;
1538     const SSL_METHOD *smeth = TLS_server_method();
1539     const SSL_METHOD *cmeth = TLS_client_method();
1540 
1541     switch (tst >> 2) {
1542     case 0:
1543 #ifndef OSSL_NO_USABLE_TLS1_3
1544         prot = TLS1_3_VERSION;
1545         break;
1546 #else
1547         return 1;
1548 #endif
1549 
1550     case 1:
1551 #ifndef OPENSSL_NO_TLS1_2
1552         prot = TLS1_2_VERSION;
1553         break;
1554 #else
1555         return 1;
1556 #endif
1557 
1558     case 2:
1559 #ifndef OPENSSL_NO_TLS1_1
1560         prot = TLS1_1_VERSION;
1561         break;
1562 #else
1563         return 1;
1564 #endif
1565 
1566     case 3:
1567 #ifndef OPENSSL_NO_TLS1
1568         prot = TLS1_VERSION;
1569         break;
1570 #else
1571         return 1;
1572 #endif
1573 
1574     case 4:
1575 #ifndef OPENSSL_NO_SSL3
1576         prot = SSL3_VERSION;
1577         break;
1578 #else
1579         return 1;
1580 #endif
1581 
1582     case 5:
1583 #ifndef OPENSSL_NO_DTLS1_2
1584         prot = DTLS1_2_VERSION;
1585         smeth = DTLS_server_method();
1586         cmeth = DTLS_client_method();
1587         break;
1588 #else
1589         return 1;
1590 #endif
1591 
1592     case 6:
1593 #ifndef OPENSSL_NO_DTLS1
1594         prot = DTLS1_VERSION;
1595         smeth = DTLS_server_method();
1596         cmeth = DTLS_client_method();
1597         break;
1598 #else
1599         return 1;
1600 #endif
1601 
1602     default:
1603         /* Shouldn't happen */
1604         return 0;
1605     }
1606 
1607     if ((prot < TLS1_2_VERSION || prot == DTLS1_VERSION) && is_fips)
1608         return 1;
1609 
1610     /* Maximal sized message of zeros */
1611     msg = OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH);
1612     if (!TEST_ptr(msg))
1613         goto end;
1614 
1615     buf = OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH + 1);
1616     if (!TEST_ptr(buf))
1617         goto end;
1618     /* Set whole buffer to all bits set */
1619     memset(buf, 0xff, SSL3_RT_MAX_PLAIN_LENGTH + 1);
1620 
1621     if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, prot, prot,
1622                                        &sctx, &cctx, cert, privkey)))
1623         goto end;
1624 
1625     if (prot < TLS1_2_VERSION || prot == DTLS1_VERSION) {
1626         /* Older protocol versions need SECLEVEL=0 due to SHA1 usage */
1627         if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0"))
1628                 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
1629                                                       "DEFAULT:@SECLEVEL=0")))
1630         goto end;
1631     }
1632 
1633     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1634                                       &clientssl, NULL, NULL)))
1635         goto end;
1636 
1637     if ((tst & 1) != 0) {
1638         /* Setting this option gives us a minimally sized underlying buffer */
1639         if (!TEST_true(SSL_set_options(serverssl,
1640                                        SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
1641                 || !TEST_true(SSL_set_options(clientssl,
1642                                               SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)))
1643             goto end;
1644     }
1645 
1646     if ((tst & 2) != 0) {
1647         /*
1648          * Setting this option means the MAC is added before encryption
1649          * giving us a larger record for the encryption process
1650          */
1651         if (!TEST_true(SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC))
1652                 || !TEST_true(SSL_set_options(clientssl,
1653                                               SSL_OP_NO_ENCRYPT_THEN_MAC)))
1654             goto end;
1655     }
1656 
1657     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1658         goto end;
1659 
1660     if (!TEST_true(SSL_write_ex(clientssl, msg, SSL3_RT_MAX_PLAIN_LENGTH,
1661                                 &written))
1662             || !TEST_size_t_eq(written, SSL3_RT_MAX_PLAIN_LENGTH))
1663         goto end;
1664 
1665     /* We provide a buffer slightly larger than what we are actually expecting */
1666     if (!TEST_true(SSL_read_ex(serverssl, buf, SSL3_RT_MAX_PLAIN_LENGTH + 1,
1667                                &readbytes)))
1668         goto end;
1669 
1670     if (!TEST_mem_eq(msg, written, buf, readbytes))
1671         goto end;
1672 
1673     testresult = 1;
1674 end:
1675     OPENSSL_free(msg);
1676     OPENSSL_free(buf);
1677     SSL_free(serverssl);
1678     SSL_free(clientssl);
1679     SSL_CTX_free(sctx);
1680     SSL_CTX_free(cctx);
1681     return testresult;
1682 }
1683 
1684 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) \
1685     || !defined(OPENSSL_NO_DTLS)
1686 static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1687                                      const SSL_METHOD *cmeth,
1688                                      int min_version, int max_version)
1689 {
1690     size_t i;
1691     SSL_CTX *cctx = NULL, *sctx = NULL;
1692     SSL *clientssl = NULL, *serverssl = NULL;
1693     int testresult = 0;
1694     SSL3_RECORD *rr;
1695     void *zbuf;
1696 
1697     static unsigned char cbuf[16000];
1698     static unsigned char sbuf[16000];
1699 
1700     if (!TEST_true(create_ssl_ctx_pair(libctx,
1701                                        smeth, cmeth,
1702                                        min_version, max_version,
1703                                        &sctx, &cctx, cert,
1704                                        privkey)))
1705         goto end;
1706 
1707 # ifdef OPENSSL_NO_DTLS1_2
1708     if (smeth == DTLS_server_method()) {
1709         /* Not supported in the FIPS provider */
1710         if (is_fips) {
1711             testresult = 1;
1712             goto end;
1713         };
1714         /*
1715          * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1716          * level 0
1717          */
1718         if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1719                 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1720                                                     "DEFAULT:@SECLEVEL=0")))
1721             goto end;
1722     }
1723 # endif
1724 
1725     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1726                                       NULL, NULL)))
1727         goto end;
1728 
1729     if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1730         goto end;
1731 
1732     if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1733                                          SSL_ERROR_NONE)))
1734         goto end;
1735 
1736     for (i = 0; i < sizeof(cbuf); i++) {
1737         cbuf[i] = i & 0xff;
1738     }
1739 
1740     if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1741         goto end;
1742 
1743     if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1744         goto end;
1745 
1746     if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1747         goto end;
1748 
1749     /*
1750      * Since we called SSL_peek(), we know the data in the record
1751      * layer is a plaintext record. We can gather the pointer to check
1752      * for zeroization after SSL_read().
1753      */
1754     rr = serverssl->rlayer.rrec;
1755     zbuf = &rr->data[rr->off];
1756     if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1757         goto end;
1758 
1759     /*
1760      * After SSL_peek() the plaintext must still be stored in the
1761      * record.
1762      */
1763     if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1764         goto end;
1765 
1766     memset(sbuf, 0, sizeof(sbuf));
1767     if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1768         goto end;
1769 
1770     if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1771         goto end;
1772 
1773     /* Check if rbuf is cleansed */
1774     memset(cbuf, 0, sizeof(cbuf));
1775     if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1776         goto end;
1777 
1778     testresult = 1;
1779  end:
1780     SSL_free(serverssl);
1781     SSL_free(clientssl);
1782     SSL_CTX_free(sctx);
1783     SSL_CTX_free(cctx);
1784 
1785     return testresult;
1786 }
1787 #endif /*
1788         * !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
1789         * || !defined(OPENSSL_NO_DTLS)
1790         */
1791 
1792 static int test_cleanse_plaintext(void)
1793 {
1794 #if !defined(OPENSSL_NO_TLS1_2)
1795     if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1796                                              TLS_client_method(),
1797                                              TLS1_2_VERSION,
1798                                              TLS1_2_VERSION)))
1799         return 0;
1800 
1801 #endif
1802 
1803 #if !defined(OSSL_NO_USABLE_TLS1_3)
1804     if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1805                                              TLS_client_method(),
1806                                              TLS1_3_VERSION,
1807                                              TLS1_3_VERSION)))
1808         return 0;
1809 #endif
1810 
1811 #if !defined(OPENSSL_NO_DTLS)
1812 
1813     if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1814                                              DTLS_client_method(),
1815                                              DTLS1_VERSION,
1816                                              0)))
1817         return 0;
1818 #endif
1819     return 1;
1820 }
1821 
1822 #ifndef OPENSSL_NO_OCSP
1823 static int ocsp_server_cb(SSL *s, void *arg)
1824 {
1825     int *argi = (int *)arg;
1826     unsigned char *copy = NULL;
1827     STACK_OF(OCSP_RESPID) *ids = NULL;
1828     OCSP_RESPID *id = NULL;
1829 
1830     if (*argi == 2) {
1831         /* In this test we are expecting exactly 1 OCSP_RESPID */
1832         SSL_get_tlsext_status_ids(s, &ids);
1833         if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1834             return SSL_TLSEXT_ERR_ALERT_FATAL;
1835 
1836         id = sk_OCSP_RESPID_value(ids, 0);
1837         if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
1838             return SSL_TLSEXT_ERR_ALERT_FATAL;
1839     } else if (*argi != 1) {
1840         return SSL_TLSEXT_ERR_ALERT_FATAL;
1841     }
1842 
1843     if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
1844         return SSL_TLSEXT_ERR_ALERT_FATAL;
1845 
1846     if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1847                                                    sizeof(orespder)))) {
1848         OPENSSL_free(copy);
1849         return SSL_TLSEXT_ERR_ALERT_FATAL;
1850     }
1851     ocsp_server_called = 1;
1852     return SSL_TLSEXT_ERR_OK;
1853 }
1854 
1855 static int ocsp_client_cb(SSL *s, void *arg)
1856 {
1857     int *argi = (int *)arg;
1858     const unsigned char *respderin;
1859     size_t len;
1860 
1861     if (*argi != 1 && *argi != 2)
1862         return 0;
1863 
1864     len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
1865     if (!TEST_mem_eq(orespder, len, respderin, len))
1866         return 0;
1867 
1868     ocsp_client_called = 1;
1869     return 1;
1870 }
1871 
1872 static int test_tlsext_status_type(void)
1873 {
1874     SSL_CTX *cctx = NULL, *sctx = NULL;
1875     SSL *clientssl = NULL, *serverssl = NULL;
1876     int testresult = 0;
1877     STACK_OF(OCSP_RESPID) *ids = NULL;
1878     OCSP_RESPID *id = NULL;
1879     BIO *certbio = NULL;
1880 
1881     if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
1882                              TLS1_VERSION, 0,
1883                              &sctx, &cctx, cert, privkey))
1884         return 0;
1885 
1886     if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
1887         goto end;
1888 
1889     /* First just do various checks getting and setting tlsext_status_type */
1890 
1891     clientssl = SSL_new(cctx);
1892     if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1893             || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1894                                                       TLSEXT_STATUSTYPE_ocsp))
1895             || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1896                             TLSEXT_STATUSTYPE_ocsp))
1897         goto end;
1898 
1899     SSL_free(clientssl);
1900     clientssl = NULL;
1901 
1902     if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1903      || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
1904         goto end;
1905 
1906     clientssl = SSL_new(cctx);
1907     if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
1908         goto end;
1909     SSL_free(clientssl);
1910     clientssl = NULL;
1911 
1912     /*
1913      * Now actually do a handshake and check OCSP information is exchanged and
1914      * the callbacks get called
1915      */
1916     SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1917     SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1918     SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1919     SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
1920     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1921                                       &clientssl, NULL, NULL))
1922             || !TEST_true(create_ssl_connection(serverssl, clientssl,
1923                                                 SSL_ERROR_NONE))
1924             || !TEST_true(ocsp_client_called)
1925             || !TEST_true(ocsp_server_called))
1926         goto end;
1927     SSL_free(serverssl);
1928     SSL_free(clientssl);
1929     serverssl = NULL;
1930     clientssl = NULL;
1931 
1932     /* Try again but this time force the server side callback to fail */
1933     ocsp_client_called = 0;
1934     ocsp_server_called = 0;
1935     cdummyarg = 0;
1936     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1937                                       &clientssl, NULL, NULL))
1938                 /* This should fail because the callback will fail */
1939             || !TEST_false(create_ssl_connection(serverssl, clientssl,
1940                                                  SSL_ERROR_NONE))
1941             || !TEST_false(ocsp_client_called)
1942             || !TEST_false(ocsp_server_called))
1943         goto end;
1944     SSL_free(serverssl);
1945     SSL_free(clientssl);
1946     serverssl = NULL;
1947     clientssl = NULL;
1948 
1949     /*
1950      * This time we'll get the client to send an OCSP_RESPID that it will
1951      * accept.
1952      */
1953     ocsp_client_called = 0;
1954     ocsp_server_called = 0;
1955     cdummyarg = 2;
1956     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1957                                       &clientssl, NULL, NULL)))
1958         goto end;
1959 
1960     /*
1961      * We'll just use any old cert for this test - it doesn't have to be an OCSP
1962      * specific one. We'll use the server cert.
1963      */
1964     if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1965             || !TEST_ptr(id = OCSP_RESPID_new())
1966             || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1967             || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
1968             || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
1969             || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
1970             || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
1971         goto end;
1972     id = NULL;
1973     SSL_set_tlsext_status_ids(clientssl, ids);
1974     /* Control has been transferred */
1975     ids = NULL;
1976 
1977     BIO_free(certbio);
1978     certbio = NULL;
1979 
1980     if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1981                                          SSL_ERROR_NONE))
1982             || !TEST_true(ocsp_client_called)
1983             || !TEST_true(ocsp_server_called))
1984         goto end;
1985 
1986     testresult = 1;
1987 
1988  end:
1989     SSL_free(serverssl);
1990     SSL_free(clientssl);
1991     SSL_CTX_free(sctx);
1992     SSL_CTX_free(cctx);
1993     sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1994     OCSP_RESPID_free(id);
1995     BIO_free(certbio);
1996     X509_free(ocspcert);
1997     ocspcert = NULL;
1998 
1999     return testresult;
2000 }
2001 #endif
2002 
2003 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
2004 static int new_called, remove_called, get_called;
2005 
2006 static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
2007 {
2008     new_called++;
2009     /*
2010      * sess has been up-refed for us, but we don't actually need it so free it
2011      * immediately.
2012      */
2013     SSL_SESSION_free(sess);
2014     return 1;
2015 }
2016 
2017 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
2018 {
2019     remove_called++;
2020 }
2021 
2022 static SSL_SESSION *get_sess_val = NULL;
2023 
2024 static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
2025                                    int *copy)
2026 {
2027     get_called++;
2028     *copy = 1;
2029     return get_sess_val;
2030 }
2031 
2032 static int execute_test_session(int maxprot, int use_int_cache,
2033                                 int use_ext_cache, long s_options)
2034 {
2035     SSL_CTX *sctx = NULL, *cctx = NULL;
2036     SSL *serverssl1 = NULL, *clientssl1 = NULL;
2037     SSL *serverssl2 = NULL, *clientssl2 = NULL;
2038 # ifndef OPENSSL_NO_TLS1_1
2039     SSL *serverssl3 = NULL, *clientssl3 = NULL;
2040 # endif
2041     SSL_SESSION *sess1 = NULL, *sess2 = NULL;
2042     int testresult = 0, numnewsesstick = 1;
2043 
2044     new_called = remove_called = 0;
2045 
2046     /* TLSv1.3 sends 2 NewSessionTickets */
2047     if (maxprot == TLS1_3_VERSION)
2048         numnewsesstick = 2;
2049 
2050     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2051                                        TLS_client_method(), TLS1_VERSION, 0,
2052                                        &sctx, &cctx, cert, privkey)))
2053         return 0;
2054 
2055     /*
2056      * Only allow the max protocol version so we can force a connection failure
2057      * later
2058      */
2059     SSL_CTX_set_min_proto_version(cctx, maxprot);
2060     SSL_CTX_set_max_proto_version(cctx, maxprot);
2061 
2062     /* Set up session cache */
2063     if (use_ext_cache) {
2064         SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2065         SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
2066     }
2067     if (use_int_cache) {
2068         /* Also covers instance where both are set */
2069         SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
2070     } else {
2071         SSL_CTX_set_session_cache_mode(cctx,
2072                                        SSL_SESS_CACHE_CLIENT
2073                                        | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2074     }
2075 
2076     if (s_options) {
2077         SSL_CTX_set_options(sctx, s_options);
2078     }
2079 
2080     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2081                                       NULL, NULL))
2082             || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2083                                                 SSL_ERROR_NONE))
2084             || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2085         goto end;
2086 
2087     /* Should fail because it should already be in the cache */
2088     if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
2089         goto end;
2090     if (use_ext_cache
2091             && (!TEST_int_eq(new_called, numnewsesstick)
2092 
2093                 || !TEST_int_eq(remove_called, 0)))
2094         goto end;
2095 
2096     new_called = remove_called = 0;
2097     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2098                                       &clientssl2, NULL, NULL))
2099             || !TEST_true(SSL_set_session(clientssl2, sess1))
2100             || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2101                                                 SSL_ERROR_NONE))
2102             || !TEST_true(SSL_session_reused(clientssl2)))
2103         goto end;
2104 
2105     if (maxprot == TLS1_3_VERSION) {
2106         /*
2107          * In TLSv1.3 we should have created a new session even though we have
2108          * resumed. Since we attempted a resume we should also have removed the
2109          * old ticket from the cache so that we try to only use tickets once.
2110          */
2111         if (use_ext_cache
2112                 && (!TEST_int_eq(new_called, 1)
2113                     || !TEST_int_eq(remove_called, 1)))
2114             goto end;
2115     } else {
2116         /*
2117          * In TLSv1.2 we expect to have resumed so no sessions added or
2118          * removed.
2119          */
2120         if (use_ext_cache
2121                 && (!TEST_int_eq(new_called, 0)
2122                     || !TEST_int_eq(remove_called, 0)))
2123             goto end;
2124     }
2125 
2126     SSL_SESSION_free(sess1);
2127     if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
2128         goto end;
2129     shutdown_ssl_connection(serverssl2, clientssl2);
2130     serverssl2 = clientssl2 = NULL;
2131 
2132     new_called = remove_called = 0;
2133     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2134                                       &clientssl2, NULL, NULL))
2135             || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2136                                                 SSL_ERROR_NONE)))
2137         goto end;
2138 
2139     if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2140         goto end;
2141 
2142     if (use_ext_cache
2143             && (!TEST_int_eq(new_called, numnewsesstick)
2144                 || !TEST_int_eq(remove_called, 0)))
2145         goto end;
2146 
2147     new_called = remove_called = 0;
2148     /*
2149      * This should clear sess2 from the cache because it is a "bad" session.
2150      * See SSL_set_session() documentation.
2151      */
2152     if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2153         goto end;
2154     if (use_ext_cache
2155             && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2156         goto end;
2157     if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2158         goto end;
2159 
2160     if (use_int_cache) {
2161         /* Should succeeded because it should not already be in the cache */
2162         if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
2163                 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
2164             goto end;
2165     }
2166 
2167     new_called = remove_called = 0;
2168     /* This shouldn't be in the cache so should fail */
2169     if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2170         goto end;
2171 
2172     if (use_ext_cache
2173             && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2174         goto end;
2175 
2176 # if !defined(OPENSSL_NO_TLS1_1)
2177     new_called = remove_called = 0;
2178     /* Force a connection failure */
2179     SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
2180     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2181                                       &clientssl3, NULL, NULL))
2182             || !TEST_true(SSL_set_session(clientssl3, sess1))
2183             /* This should fail because of the mismatched protocol versions */
2184             || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2185                                                  SSL_ERROR_NONE)))
2186         goto end;
2187 
2188     /* We should have automatically removed the session from the cache */
2189     if (use_ext_cache
2190             && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2191         goto end;
2192 
2193     /* Should succeed because it should not already be in the cache */
2194     if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
2195         goto end;
2196 # endif
2197 
2198     /* Now do some tests for server side caching */
2199     if (use_ext_cache) {
2200         SSL_CTX_sess_set_new_cb(cctx, NULL);
2201         SSL_CTX_sess_set_remove_cb(cctx, NULL);
2202         SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2203         SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2204         SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2205         get_sess_val = NULL;
2206     }
2207 
2208     SSL_CTX_set_session_cache_mode(cctx, 0);
2209     /* Internal caching is the default on the server side */
2210     if (!use_int_cache)
2211         SSL_CTX_set_session_cache_mode(sctx,
2212                                        SSL_SESS_CACHE_SERVER
2213                                        | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2214 
2215     SSL_free(serverssl1);
2216     SSL_free(clientssl1);
2217     serverssl1 = clientssl1 = NULL;
2218     SSL_free(serverssl2);
2219     SSL_free(clientssl2);
2220     serverssl2 = clientssl2 = NULL;
2221     SSL_SESSION_free(sess1);
2222     sess1 = NULL;
2223     SSL_SESSION_free(sess2);
2224     sess2 = NULL;
2225 
2226     SSL_CTX_set_max_proto_version(sctx, maxprot);
2227     if (maxprot == TLS1_2_VERSION)
2228         SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
2229     new_called = remove_called = get_called = 0;
2230     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2231                                       NULL, NULL))
2232             || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2233                                                 SSL_ERROR_NONE))
2234             || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2235             || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2236         goto end;
2237 
2238     if (use_int_cache) {
2239         if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2240             /*
2241              * In TLSv1.3 it should not have been added to the internal cache,
2242              * except in the case where we also have an external cache (in that
2243              * case it gets added to the cache in order to generate remove
2244              * events after timeout).
2245              */
2246             if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2247                 goto end;
2248         } else {
2249             /* Should fail because it should already be in the cache */
2250             if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2251                 goto end;
2252         }
2253     }
2254 
2255     if (use_ext_cache) {
2256         SSL_SESSION *tmp = sess2;
2257 
2258         if (!TEST_int_eq(new_called, numnewsesstick)
2259                 || !TEST_int_eq(remove_called, 0)
2260                 || !TEST_int_eq(get_called, 0))
2261             goto end;
2262         /*
2263          * Delete the session from the internal cache to force a lookup from
2264          * the external cache. We take a copy first because
2265          * SSL_CTX_remove_session() also marks the session as non-resumable.
2266          */
2267         if (use_int_cache && maxprot != TLS1_3_VERSION) {
2268             if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2269                 || !TEST_true(sess2->owner != NULL)
2270                 || !TEST_true(tmp->owner == NULL)
2271                 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2272                 goto end;
2273             SSL_SESSION_free(sess2);
2274         }
2275         sess2 = tmp;
2276     }
2277 
2278     new_called = remove_called = get_called = 0;
2279     get_sess_val = sess2;
2280     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2281                                       &clientssl2, NULL, NULL))
2282             || !TEST_true(SSL_set_session(clientssl2, sess1))
2283             || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2284                                                 SSL_ERROR_NONE))
2285             || !TEST_true(SSL_session_reused(clientssl2)))
2286         goto end;
2287 
2288     if (use_ext_cache) {
2289         if (!TEST_int_eq(remove_called, 0))
2290             goto end;
2291 
2292         if (maxprot == TLS1_3_VERSION) {
2293             if (!TEST_int_eq(new_called, 1)
2294                     || !TEST_int_eq(get_called, 0))
2295                 goto end;
2296         } else {
2297             if (!TEST_int_eq(new_called, 0)
2298                     || !TEST_int_eq(get_called, 1))
2299                 goto end;
2300         }
2301     }
2302     /*
2303      * Make a small cache, force out all other sessions but
2304      * sess2, try to add sess1, which should succeed. Then
2305      * make sure it's there by checking the owners. Despite
2306      * the timeouts, sess1 should have kicked out sess2
2307      */
2308 
2309     /* Make sess1 expire before sess2 */
2310     if (!TEST_long_gt(SSL_SESSION_set_time(sess1, 1000), 0)
2311             || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0)
2312             || !TEST_long_gt(SSL_SESSION_set_time(sess2, 2000), 0)
2313             || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0))
2314         goto end;
2315 
2316     if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0))
2317         goto end;
2318 
2319     /* Don't care about results - cache should only be sess2 at end */
2320     SSL_CTX_add_session(sctx, sess1);
2321     SSL_CTX_add_session(sctx, sess2);
2322 
2323     /* Now add sess1, and make sure it remains, despite timeout */
2324     if (!TEST_true(SSL_CTX_add_session(sctx, sess1))
2325             || !TEST_ptr(sess1->owner)
2326             || !TEST_ptr_null(sess2->owner))
2327         goto end;
2328 
2329     testresult = 1;
2330 
2331  end:
2332     SSL_free(serverssl1);
2333     SSL_free(clientssl1);
2334     SSL_free(serverssl2);
2335     SSL_free(clientssl2);
2336 # ifndef OPENSSL_NO_TLS1_1
2337     SSL_free(serverssl3);
2338     SSL_free(clientssl3);
2339 # endif
2340     SSL_SESSION_free(sess1);
2341     SSL_SESSION_free(sess2);
2342     SSL_CTX_free(sctx);
2343     SSL_CTX_free(cctx);
2344 
2345     return testresult;
2346 }
2347 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2348 
2349 static int test_session_with_only_int_cache(void)
2350 {
2351 #ifndef OSSL_NO_USABLE_TLS1_3
2352     if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
2353         return 0;
2354 #endif
2355 
2356 #ifndef OPENSSL_NO_TLS1_2
2357     return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
2358 #else
2359     return 1;
2360 #endif
2361 }
2362 
2363 static int test_session_with_only_ext_cache(void)
2364 {
2365 #ifndef OSSL_NO_USABLE_TLS1_3
2366     if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
2367         return 0;
2368 #endif
2369 
2370 #ifndef OPENSSL_NO_TLS1_2
2371     return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
2372 #else
2373     return 1;
2374 #endif
2375 }
2376 
2377 static int test_session_with_both_cache(void)
2378 {
2379 #ifndef OSSL_NO_USABLE_TLS1_3
2380     if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2381         return 0;
2382 #endif
2383 
2384 #ifndef OPENSSL_NO_TLS1_2
2385     return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2386 #else
2387     return 1;
2388 #endif
2389 }
2390 
2391 static int test_session_wo_ca_names(void)
2392 {
2393 #ifndef OSSL_NO_USABLE_TLS1_3
2394     if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
2395         return 0;
2396 #endif
2397 
2398 #ifndef OPENSSL_NO_TLS1_2
2399     return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
2400 #else
2401     return 1;
2402 #endif
2403 }
2404 
2405 #ifndef OSSL_NO_USABLE_TLS1_3
2406 static SSL_SESSION *sesscache[6];
2407 static int do_cache;
2408 
2409 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2410 {
2411     if (do_cache) {
2412         sesscache[new_called] = sess;
2413     } else {
2414         /* We don't need the reference to the session, so free it */
2415         SSL_SESSION_free(sess);
2416     }
2417     new_called++;
2418 
2419     return 1;
2420 }
2421 
2422 static int post_handshake_verify(SSL *sssl, SSL *cssl)
2423 {
2424     SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2425     if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2426         return 0;
2427 
2428     /* Start handshake on the server and client */
2429     if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2430             || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2431             || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2432             || !TEST_true(create_ssl_connection(sssl, cssl,
2433                                                 SSL_ERROR_NONE)))
2434         return 0;
2435 
2436     return 1;
2437 }
2438 
2439 static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
2440                              SSL_CTX **cctx)
2441 {
2442     int sess_id_ctx = 1;
2443 
2444     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2445                                        TLS_client_method(), TLS1_VERSION, 0,
2446                                        sctx, cctx, cert, privkey))
2447             || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2448             || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2449                                                          (void *)&sess_id_ctx,
2450                                                          sizeof(sess_id_ctx))))
2451         return 0;
2452 
2453     if (stateful)
2454         SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2455 
2456     SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2457                                           | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2458     SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2459 
2460     return 1;
2461 }
2462 
2463 static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2464 {
2465     SSL *serverssl = NULL, *clientssl = NULL;
2466     int i;
2467 
2468     /* Test that we can resume with all the tickets we got given */
2469     for (i = 0; i < idx * 2; i++) {
2470         new_called = 0;
2471         if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2472                                               &clientssl, NULL, NULL))
2473                 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2474             goto end;
2475 
2476         SSL_set_post_handshake_auth(clientssl, 1);
2477 
2478         if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2479                                                     SSL_ERROR_NONE)))
2480             goto end;
2481 
2482         /*
2483          * Following a successful resumption we only get 1 ticket. After a
2484          * failed one we should get idx tickets.
2485          */
2486         if (succ) {
2487             if (!TEST_true(SSL_session_reused(clientssl))
2488                     || !TEST_int_eq(new_called, 1))
2489                 goto end;
2490         } else {
2491             if (!TEST_false(SSL_session_reused(clientssl))
2492                     || !TEST_int_eq(new_called, idx))
2493                 goto end;
2494         }
2495 
2496         new_called = 0;
2497         /* After a post-handshake authentication we should get 1 new ticket */
2498         if (succ
2499                 && (!post_handshake_verify(serverssl, clientssl)
2500                     || !TEST_int_eq(new_called, 1)))
2501             goto end;
2502 
2503         SSL_shutdown(clientssl);
2504         SSL_shutdown(serverssl);
2505         SSL_free(serverssl);
2506         SSL_free(clientssl);
2507         serverssl = clientssl = NULL;
2508         SSL_SESSION_free(sesscache[i]);
2509         sesscache[i] = NULL;
2510     }
2511 
2512     return 1;
2513 
2514  end:
2515     SSL_free(clientssl);
2516     SSL_free(serverssl);
2517     return 0;
2518 }
2519 
2520 static int test_tickets(int stateful, int idx)
2521 {
2522     SSL_CTX *sctx = NULL, *cctx = NULL;
2523     SSL *serverssl = NULL, *clientssl = NULL;
2524     int testresult = 0;
2525     size_t j;
2526 
2527     /* idx is the test number, but also the number of tickets we want */
2528 
2529     new_called = 0;
2530     do_cache = 1;
2531 
2532     if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2533         goto end;
2534 
2535     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2536                                           &clientssl, NULL, NULL)))
2537         goto end;
2538 
2539     if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2540                                                 SSL_ERROR_NONE))
2541                /* Check we got the number of tickets we were expecting */
2542             || !TEST_int_eq(idx, new_called))
2543         goto end;
2544 
2545     SSL_shutdown(clientssl);
2546     SSL_shutdown(serverssl);
2547     SSL_free(serverssl);
2548     SSL_free(clientssl);
2549     SSL_CTX_free(sctx);
2550     SSL_CTX_free(cctx);
2551     clientssl = serverssl = NULL;
2552     sctx = cctx = NULL;
2553 
2554     /*
2555      * Now we try to resume with the tickets we previously created. The
2556      * resumption attempt is expected to fail (because we're now using a new
2557      * SSL_CTX). We should see idx number of tickets issued again.
2558      */
2559 
2560     /* Stop caching sessions - just count them */
2561     do_cache = 0;
2562 
2563     if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2564         goto end;
2565 
2566     if (!check_resumption(idx, sctx, cctx, 0))
2567         goto end;
2568 
2569     /* Start again with caching sessions */
2570     new_called = 0;
2571     do_cache = 1;
2572     SSL_CTX_free(sctx);
2573     SSL_CTX_free(cctx);
2574     sctx = cctx = NULL;
2575 
2576     if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
2577         goto end;
2578 
2579     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2580                                           &clientssl, NULL, NULL)))
2581         goto end;
2582 
2583     SSL_set_post_handshake_auth(clientssl, 1);
2584 
2585     if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2586                                                 SSL_ERROR_NONE))
2587                /* Check we got the number of tickets we were expecting */
2588             || !TEST_int_eq(idx, new_called))
2589         goto end;
2590 
2591     /* After a post-handshake authentication we should get new tickets issued */
2592     if (!post_handshake_verify(serverssl, clientssl)
2593             || !TEST_int_eq(idx * 2, new_called))
2594         goto end;
2595 
2596     SSL_shutdown(clientssl);
2597     SSL_shutdown(serverssl);
2598     SSL_free(serverssl);
2599     SSL_free(clientssl);
2600     serverssl = clientssl = NULL;
2601 
2602     /* Stop caching sessions - just count them */
2603     do_cache = 0;
2604 
2605     /*
2606      * Check we can resume with all the tickets we created. This time around the
2607      * resumptions should all be successful.
2608      */
2609     if (!check_resumption(idx, sctx, cctx, 1))
2610         goto end;
2611 
2612     testresult = 1;
2613 
2614  end:
2615     SSL_free(serverssl);
2616     SSL_free(clientssl);
2617     for (j = 0; j < OSSL_NELEM(sesscache); j++) {
2618         SSL_SESSION_free(sesscache[j]);
2619         sesscache[j] = NULL;
2620     }
2621     SSL_CTX_free(sctx);
2622     SSL_CTX_free(cctx);
2623 
2624     return testresult;
2625 }
2626 
2627 static int test_stateless_tickets(int idx)
2628 {
2629     return test_tickets(0, idx);
2630 }
2631 
2632 static int test_stateful_tickets(int idx)
2633 {
2634     return test_tickets(1, idx);
2635 }
2636 
2637 static int test_psk_tickets(void)
2638 {
2639     SSL_CTX *sctx = NULL, *cctx = NULL;
2640     SSL *serverssl = NULL, *clientssl = NULL;
2641     int testresult = 0;
2642     int sess_id_ctx = 1;
2643 
2644     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2645                                        TLS_client_method(), TLS1_VERSION, 0,
2646                                        &sctx, &cctx, NULL, NULL))
2647             || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2648                                                          (void *)&sess_id_ctx,
2649                                                          sizeof(sess_id_ctx))))
2650         goto end;
2651 
2652     SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2653                                          | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2654     SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2655     SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2656     SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2657     use_session_cb_cnt = 0;
2658     find_session_cb_cnt = 0;
2659     srvid = pskid;
2660     new_called = 0;
2661 
2662     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2663                                       NULL, NULL)))
2664         goto end;
2665     clientpsk = serverpsk = create_a_psk(clientssl, SHA384_DIGEST_LENGTH);
2666     if (!TEST_ptr(clientpsk))
2667         goto end;
2668     SSL_SESSION_up_ref(clientpsk);
2669 
2670     if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2671                                                 SSL_ERROR_NONE))
2672             || !TEST_int_eq(1, find_session_cb_cnt)
2673             || !TEST_int_eq(1, use_session_cb_cnt)
2674                /* We should always get 1 ticket when using external PSK */
2675             || !TEST_int_eq(1, new_called))
2676         goto end;
2677 
2678     testresult = 1;
2679 
2680  end:
2681     SSL_free(serverssl);
2682     SSL_free(clientssl);
2683     SSL_CTX_free(sctx);
2684     SSL_CTX_free(cctx);
2685     SSL_SESSION_free(clientpsk);
2686     SSL_SESSION_free(serverpsk);
2687     clientpsk = serverpsk = NULL;
2688 
2689     return testresult;
2690 }
2691 
2692 static int test_extra_tickets(int idx)
2693 {
2694     SSL_CTX *sctx = NULL, *cctx = NULL;
2695     SSL *serverssl = NULL, *clientssl = NULL;
2696     BIO *bretry = BIO_new(bio_s_always_retry());
2697     BIO *tmp = NULL;
2698     int testresult = 0;
2699     int stateful = 0;
2700     size_t nbytes;
2701     unsigned char c, buf[1];
2702 
2703     new_called = 0;
2704     do_cache = 1;
2705 
2706     if (idx >= 3) {
2707         idx -= 3;
2708         stateful = 1;
2709     }
2710 
2711     if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2712         goto end;
2713     SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2714     /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2715     SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2716 
2717     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2718                                           &clientssl, NULL, NULL)))
2719         goto end;
2720 
2721     /*
2722      * Note that we have new_session_cb on both sctx and cctx, so new_called is
2723      * incremented by both client and server.
2724      */
2725     if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2726                                                 SSL_ERROR_NONE))
2727                /* Check we got the number of tickets we were expecting */
2728             || !TEST_int_eq(idx * 2, new_called)
2729             || !TEST_true(SSL_new_session_ticket(serverssl))
2730             || !TEST_true(SSL_new_session_ticket(serverssl))
2731             || !TEST_int_eq(idx * 2, new_called))
2732         goto end;
2733 
2734     /* Now try a (real) write to actually send the tickets */
2735     c = '1';
2736     if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2737             || !TEST_size_t_eq(1, nbytes)
2738             || !TEST_int_eq(idx * 2 + 2, new_called)
2739             || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2740             || !TEST_int_eq(idx * 2 + 4, new_called)
2741             || !TEST_int_eq(sizeof(buf), nbytes)
2742             || !TEST_int_eq(c, buf[0])
2743             || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2744         goto end;
2745 
2746     /* Try with only requesting one new ticket, too */
2747     c = '2';
2748     new_called = 0;
2749     if (!TEST_true(SSL_new_session_ticket(serverssl))
2750             || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2751             || !TEST_size_t_eq(sizeof(c), nbytes)
2752             || !TEST_int_eq(1, new_called)
2753             || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2754             || !TEST_int_eq(2, new_called)
2755             || !TEST_size_t_eq(sizeof(buf), nbytes)
2756             || !TEST_int_eq(c, buf[0]))
2757         goto end;
2758 
2759     /* Do it again but use dummy writes to drive the ticket generation */
2760     c = '3';
2761     new_called = 0;
2762     if (!TEST_true(SSL_new_session_ticket(serverssl))
2763             || !TEST_true(SSL_new_session_ticket(serverssl))
2764             || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2765             || !TEST_size_t_eq(0, nbytes)
2766             || !TEST_int_eq(2, new_called)
2767             || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2768             || !TEST_int_eq(4, new_called))
2769         goto end;
2770 
2771     /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2772     c = '4';
2773     new_called = 0;
2774     if (!TEST_true(SSL_new_session_ticket(serverssl))
2775             || !TEST_true(SSL_new_session_ticket(serverssl))
2776             || !TEST_true(SSL_do_handshake(serverssl))
2777             || !TEST_int_eq(2, new_called)
2778             || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2779             || !TEST_int_eq(4, new_called))
2780         goto end;
2781 
2782     /*
2783      * Use the always-retry BIO to exercise the logic that forces ticket
2784      * generation to wait until a record boundary.
2785      */
2786     c = '5';
2787     new_called = 0;
2788     tmp = SSL_get_wbio(serverssl);
2789     if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2790         tmp = NULL;
2791         goto end;
2792     }
2793     SSL_set0_wbio(serverssl, bretry);
2794     bretry = NULL;
2795     if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2796             || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2797             || !TEST_size_t_eq(nbytes, 0))
2798         goto end;
2799     /* Restore a BIO that will let the write succeed */
2800     SSL_set0_wbio(serverssl, tmp);
2801     tmp = NULL;
2802     /*
2803      * These calls should just queue the request and not send anything
2804      * even if we explicitly try to hit the state machine.
2805      */
2806     if (!TEST_true(SSL_new_session_ticket(serverssl))
2807             || !TEST_true(SSL_new_session_ticket(serverssl))
2808             || !TEST_int_eq(0, new_called)
2809             || !TEST_true(SSL_do_handshake(serverssl))
2810             || !TEST_int_eq(0, new_called))
2811         goto end;
2812     /* Re-do the write; still no tickets sent */
2813     if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2814             || !TEST_size_t_eq(1, nbytes)
2815             || !TEST_int_eq(0, new_called)
2816             || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2817             || !TEST_int_eq(0, new_called)
2818             || !TEST_int_eq(sizeof(buf), nbytes)
2819             || !TEST_int_eq(c, buf[0])
2820             || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2821         goto end;
2822     /* Even trying to hit the state machine now will still not send tickets */
2823     if (!TEST_true(SSL_do_handshake(serverssl))
2824             || !TEST_int_eq(0, new_called))
2825         goto end;
2826     /* Now the *next* write should send the tickets */
2827     c = '6';
2828     if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2829             || !TEST_size_t_eq(1, nbytes)
2830             || !TEST_int_eq(2, new_called)
2831             || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2832             || !TEST_int_eq(4, new_called)
2833             || !TEST_int_eq(sizeof(buf), nbytes)
2834             || !TEST_int_eq(c, buf[0])
2835             || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2836         goto end;
2837 
2838     SSL_shutdown(clientssl);
2839     SSL_shutdown(serverssl);
2840     testresult = 1;
2841 
2842  end:
2843     BIO_free(bretry);
2844     BIO_free(tmp);
2845     SSL_free(serverssl);
2846     SSL_free(clientssl);
2847     SSL_CTX_free(sctx);
2848     SSL_CTX_free(cctx);
2849     clientssl = serverssl = NULL;
2850     sctx = cctx = NULL;
2851     return testresult;
2852 }
2853 #endif
2854 
2855 #define USE_NULL            0
2856 #define USE_BIO_1           1
2857 #define USE_BIO_2           2
2858 #define USE_DEFAULT         3
2859 
2860 #define CONNTYPE_CONNECTION_SUCCESS  0
2861 #define CONNTYPE_CONNECTION_FAIL     1
2862 #define CONNTYPE_NO_CONNECTION       2
2863 
2864 #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS         (3 * 3 * 3 * 3)
2865 #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS    (2 * 2)
2866 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2867 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS       (2 * 2)
2868 #else
2869 # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS       0
2870 #endif
2871 
2872 #define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2873                                 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2874                                 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
2875 
2876 static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2877 {
2878     switch (type) {
2879     case USE_NULL:
2880         *res = NULL;
2881         break;
2882     case USE_BIO_1:
2883         *res = bio1;
2884         break;
2885     case USE_BIO_2:
2886         *res = bio2;
2887         break;
2888     }
2889 }
2890 
2891 
2892 /*
2893  * Tests calls to SSL_set_bio() under various conditions.
2894  *
2895  * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2896  * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2897  * then do more tests where we create a successful connection first using our
2898  * standard connection setup functions, and then call SSL_set_bio() with
2899  * various combinations of valid BIOs or NULL. We then repeat these tests
2900  * following a failed connection. In this last case we are looking to check that
2901  * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2902  */
2903 static int test_ssl_set_bio(int idx)
2904 {
2905     SSL_CTX *sctx = NULL, *cctx = NULL;
2906     BIO *bio1 = NULL;
2907     BIO *bio2 = NULL;
2908     BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
2909     SSL *serverssl = NULL, *clientssl = NULL;
2910     int initrbio, initwbio, newrbio, newwbio, conntype;
2911     int testresult = 0;
2912 
2913     if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2914         initrbio = idx % 3;
2915         idx /= 3;
2916         initwbio = idx % 3;
2917         idx /= 3;
2918         newrbio = idx % 3;
2919         idx /= 3;
2920         newwbio = idx % 3;
2921         conntype = CONNTYPE_NO_CONNECTION;
2922     } else {
2923         idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2924         initrbio = initwbio = USE_DEFAULT;
2925         newrbio = idx % 2;
2926         idx /= 2;
2927         newwbio = idx % 2;
2928         idx /= 2;
2929         conntype = idx % 2;
2930     }
2931 
2932     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2933                                        TLS_client_method(), TLS1_VERSION, 0,
2934                                        &sctx, &cctx, cert, privkey)))
2935         goto end;
2936 
2937     if (conntype == CONNTYPE_CONNECTION_FAIL) {
2938         /*
2939          * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2940          * because we reduced the number of tests in the definition of
2941          * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2942          * mismatched protocol versions we will force a connection failure.
2943          */
2944         SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2945         SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2946     }
2947 
2948     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2949                                       NULL, NULL)))
2950         goto end;
2951 
2952     if (initrbio == USE_BIO_1
2953             || initwbio == USE_BIO_1
2954             || newrbio == USE_BIO_1
2955             || newwbio == USE_BIO_1) {
2956         if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
2957             goto end;
2958     }
2959 
2960     if (initrbio == USE_BIO_2
2961             || initwbio == USE_BIO_2
2962             || newrbio == USE_BIO_2
2963             || newwbio == USE_BIO_2) {
2964         if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
2965             goto end;
2966     }
2967 
2968     if (initrbio != USE_DEFAULT) {
2969         setupbio(&irbio, bio1, bio2, initrbio);
2970         setupbio(&iwbio, bio1, bio2, initwbio);
2971         SSL_set_bio(clientssl, irbio, iwbio);
2972 
2973         /*
2974          * We want to maintain our own refs to these BIO, so do an up ref for
2975          * each BIO that will have ownership transferred in the SSL_set_bio()
2976          * call
2977          */
2978         if (irbio != NULL)
2979             BIO_up_ref(irbio);
2980         if (iwbio != NULL && iwbio != irbio)
2981             BIO_up_ref(iwbio);
2982     }
2983 
2984     if (conntype != CONNTYPE_NO_CONNECTION
2985             && !TEST_true(create_ssl_connection(serverssl, clientssl,
2986                                                 SSL_ERROR_NONE)
2987                           == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2988         goto end;
2989 
2990     setupbio(&nrbio, bio1, bio2, newrbio);
2991     setupbio(&nwbio, bio1, bio2, newwbio);
2992 
2993     /*
2994      * We will (maybe) transfer ownership again so do more up refs.
2995      * SSL_set_bio() has some really complicated ownership rules where BIOs have
2996      * already been set!
2997      */
2998     if (nrbio != NULL
2999             && nrbio != irbio
3000             && (nwbio != iwbio || nrbio != nwbio))
3001         BIO_up_ref(nrbio);
3002     if (nwbio != NULL
3003             && nwbio != nrbio
3004             && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
3005         BIO_up_ref(nwbio);
3006 
3007     SSL_set_bio(clientssl, nrbio, nwbio);
3008 
3009     testresult = 1;
3010 
3011  end:
3012     BIO_free(bio1);
3013     BIO_free(bio2);
3014 
3015     /*
3016      * This test is checking that the ref counting for SSL_set_bio is correct.
3017      * If we get here and we did too many frees then we will fail in the above
3018      * functions.
3019      */
3020     SSL_free(serverssl);
3021     SSL_free(clientssl);
3022     SSL_CTX_free(sctx);
3023     SSL_CTX_free(cctx);
3024     return testresult;
3025 }
3026 
3027 typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
3028 
3029 static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
3030 {
3031     BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
3032     SSL_CTX *ctx;
3033     SSL *ssl = NULL;
3034     int testresult = 0;
3035 
3036     if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
3037             || !TEST_ptr(ssl = SSL_new(ctx))
3038             || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
3039             || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
3040         goto end;
3041 
3042     BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
3043 
3044     /*
3045      * If anything goes wrong here then we could leak memory.
3046      */
3047     BIO_push(sslbio, membio1);
3048 
3049     /* Verify changing the rbio/wbio directly does not cause leaks */
3050     if (change_bio != NO_BIO_CHANGE) {
3051         if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
3052             ssl = NULL;
3053             goto end;
3054         }
3055         if (change_bio == CHANGE_RBIO)
3056             SSL_set0_rbio(ssl, membio2);
3057         else
3058             SSL_set0_wbio(ssl, membio2);
3059     }
3060     ssl = NULL;
3061 
3062     if (pop_ssl)
3063         BIO_pop(sslbio);
3064     else
3065         BIO_pop(membio1);
3066 
3067     testresult = 1;
3068  end:
3069     BIO_free(membio1);
3070     BIO_free(sslbio);
3071     SSL_free(ssl);
3072     SSL_CTX_free(ctx);
3073 
3074     return testresult;
3075 }
3076 
3077 static int test_ssl_bio_pop_next_bio(void)
3078 {
3079     return execute_test_ssl_bio(0, NO_BIO_CHANGE);
3080 }
3081 
3082 static int test_ssl_bio_pop_ssl_bio(void)
3083 {
3084     return execute_test_ssl_bio(1, NO_BIO_CHANGE);
3085 }
3086 
3087 static int test_ssl_bio_change_rbio(void)
3088 {
3089     return execute_test_ssl_bio(0, CHANGE_RBIO);
3090 }
3091 
3092 static int test_ssl_bio_change_wbio(void)
3093 {
3094     return execute_test_ssl_bio(0, CHANGE_WBIO);
3095 }
3096 
3097 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
3098 typedef struct {
3099     /* The list of sig algs */
3100     const int *list;
3101     /* The length of the list */
3102     size_t listlen;
3103     /* A sigalgs list in string format */
3104     const char *liststr;
3105     /* Whether setting the list should succeed */
3106     int valid;
3107     /* Whether creating a connection with the list should succeed */
3108     int connsuccess;
3109 } sigalgs_list;
3110 
3111 static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
3112 # ifndef OPENSSL_NO_EC
3113 static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
3114 static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
3115 # endif
3116 static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
3117 static const int invalidlist2[] = {NID_sha256, NID_undef};
3118 static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
3119 static const int invalidlist4[] = {NID_sha256};
3120 static const sigalgs_list testsigalgs[] = {
3121     {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
3122 # ifndef OPENSSL_NO_EC
3123     {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
3124     {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
3125 # endif
3126     {NULL, 0, "RSA+SHA256", 1, 1},
3127 # ifndef OPENSSL_NO_EC
3128     {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
3129     {NULL, 0, "ECDSA+SHA512", 1, 0},
3130 # endif
3131     {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
3132     {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
3133     {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
3134     {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
3135     {NULL, 0, "RSA", 0, 0},
3136     {NULL, 0, "SHA256", 0, 0},
3137     {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
3138     {NULL, 0, "Invalid", 0, 0}
3139 };
3140 
3141 static int test_set_sigalgs(int idx)
3142 {
3143     SSL_CTX *cctx = NULL, *sctx = NULL;
3144     SSL *clientssl = NULL, *serverssl = NULL;
3145     int testresult = 0;
3146     const sigalgs_list *curr;
3147     int testctx;
3148 
3149     /* Should never happen */
3150     if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
3151         return 0;
3152 
3153     testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
3154     curr = testctx ? &testsigalgs[idx]
3155                    : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
3156 
3157     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3158                                        TLS_client_method(), TLS1_VERSION, 0,
3159                                        &sctx, &cctx, cert, privkey)))
3160         return 0;
3161 
3162     SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
3163 
3164     if (testctx) {
3165         int ret;
3166 
3167         if (curr->list != NULL)
3168             ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
3169         else
3170             ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
3171 
3172         if (!ret) {
3173             if (curr->valid)
3174                 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
3175             else
3176                 testresult = 1;
3177             goto end;
3178         }
3179         if (!curr->valid) {
3180             TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
3181             goto end;
3182         }
3183     }
3184 
3185     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3186                                       &clientssl, NULL, NULL)))
3187         goto end;
3188 
3189     if (!testctx) {
3190         int ret;
3191 
3192         if (curr->list != NULL)
3193             ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3194         else
3195             ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3196         if (!ret) {
3197             if (curr->valid)
3198                 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
3199             else
3200                 testresult = 1;
3201             goto end;
3202         }
3203         if (!curr->valid)
3204             goto end;
3205     }
3206 
3207     if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3208                                            SSL_ERROR_NONE),
3209                 curr->connsuccess))
3210         goto end;
3211 
3212     testresult = 1;
3213 
3214  end:
3215     SSL_free(serverssl);
3216     SSL_free(clientssl);
3217     SSL_CTX_free(sctx);
3218     SSL_CTX_free(cctx);
3219 
3220     return testresult;
3221 }
3222 #endif
3223 
3224 #ifndef OSSL_NO_USABLE_TLS1_3
3225 static int psk_client_cb_cnt = 0;
3226 static int psk_server_cb_cnt = 0;
3227 
3228 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3229                           size_t *idlen, SSL_SESSION **sess)
3230 {
3231     switch (++use_session_cb_cnt) {
3232     case 1:
3233         /* The first call should always have a NULL md */
3234         if (md != NULL)
3235             return 0;
3236         break;
3237 
3238     case 2:
3239         /* The second call should always have an md */
3240         if (md == NULL)
3241             return 0;
3242         break;
3243 
3244     default:
3245         /* We should only be called a maximum of twice */
3246         return 0;
3247     }
3248 
3249     if (clientpsk != NULL)
3250         SSL_SESSION_up_ref(clientpsk);
3251 
3252     *sess = clientpsk;
3253     *id = (const unsigned char *)pskid;
3254     *idlen = strlen(pskid);
3255 
3256     return 1;
3257 }
3258 
3259 #ifndef OPENSSL_NO_PSK
3260 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3261                                   unsigned int max_id_len,
3262                                   unsigned char *psk,
3263                                   unsigned int max_psk_len)
3264 {
3265     unsigned int psklen = 0;
3266 
3267     psk_client_cb_cnt++;
3268 
3269     if (strlen(pskid) + 1 > max_id_len)
3270         return 0;
3271 
3272     /* We should only ever be called a maximum of twice per connection */
3273     if (psk_client_cb_cnt > 2)
3274         return 0;
3275 
3276     if (clientpsk == NULL)
3277         return 0;
3278 
3279     /* We'll reuse the PSK we set up for TLSv1.3 */
3280     if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3281         return 0;
3282     psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3283     strncpy(id, pskid, max_id_len);
3284 
3285     return psklen;
3286 }
3287 #endif /* OPENSSL_NO_PSK */
3288 
3289 static int find_session_cb(SSL *ssl, const unsigned char *identity,
3290                            size_t identity_len, SSL_SESSION **sess)
3291 {
3292     find_session_cb_cnt++;
3293 
3294     /* We should only ever be called a maximum of twice per connection */
3295     if (find_session_cb_cnt > 2)
3296         return 0;
3297 
3298     if (serverpsk == NULL)
3299         return 0;
3300 
3301     /* Identity should match that set by the client */
3302     if (strlen(srvid) != identity_len
3303             || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3304         /* No PSK found, continue but without a PSK */
3305         *sess = NULL;
3306         return 1;
3307     }
3308 
3309     SSL_SESSION_up_ref(serverpsk);
3310     *sess = serverpsk;
3311 
3312     return 1;
3313 }
3314 
3315 #ifndef OPENSSL_NO_PSK
3316 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3317                                   unsigned char *psk, unsigned int max_psk_len)
3318 {
3319     unsigned int psklen = 0;
3320 
3321     psk_server_cb_cnt++;
3322 
3323     /* We should only ever be called a maximum of twice per connection */
3324     if (find_session_cb_cnt > 2)
3325         return 0;
3326 
3327     if (serverpsk == NULL)
3328         return 0;
3329 
3330     /* Identity should match that set by the client */
3331     if (strcmp(srvid, identity) != 0) {
3332         return 0;
3333     }
3334 
3335     /* We'll reuse the PSK we set up for TLSv1.3 */
3336     if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3337         return 0;
3338     psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3339 
3340     return psklen;
3341 }
3342 #endif /* OPENSSL_NO_PSK */
3343 
3344 #define MSG1    "Hello"
3345 #define MSG2    "World."
3346 #define MSG3    "This"
3347 #define MSG4    "is"
3348 #define MSG5    "a"
3349 #define MSG6    "test"
3350 #define MSG7    "message."
3351 
3352 #define TLS13_AES_128_GCM_SHA256_BYTES  ((const unsigned char *)"\x13\x01")
3353 #define TLS13_AES_256_GCM_SHA384_BYTES  ((const unsigned char *)"\x13\x02")
3354 #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3355 #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3356 #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
3357 
3358 
3359 static SSL_SESSION *create_a_psk(SSL *ssl, size_t mdsize)
3360 {
3361     const SSL_CIPHER *cipher = NULL;
3362     const unsigned char key[] = {
3363         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3364         0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3365         0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3366         0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3367         0x2c, 0x2d, 0x2e, 0x2f /* SHA384_DIGEST_LENGTH bytes */
3368     };
3369     SSL_SESSION *sess = NULL;
3370 
3371     if (mdsize == SHA384_DIGEST_LENGTH) {
3372         cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3373     } else if (mdsize == SHA256_DIGEST_LENGTH) {
3374         /*
3375          * Any ciphersuite using SHA256 will do - it will be compatible with
3376          * the actual ciphersuite selected as long as it too is based on SHA256
3377          */
3378         cipher = SSL_CIPHER_find(ssl, TLS13_AES_128_GCM_SHA256_BYTES);
3379     } else {
3380         /* Should not happen */
3381         return NULL;
3382     }
3383     sess = SSL_SESSION_new();
3384     if (!TEST_ptr(sess)
3385             || !TEST_ptr(cipher)
3386             || !TEST_true(SSL_SESSION_set1_master_key(sess, key, mdsize))
3387             || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3388             || !TEST_true(
3389                     SSL_SESSION_set_protocol_version(sess,
3390                                                      TLS1_3_VERSION))) {
3391         SSL_SESSION_free(sess);
3392         return NULL;
3393     }
3394     return sess;
3395 }
3396 
3397 /*
3398  * Helper method to setup objects for early data test. Caller frees objects on
3399  * error.
3400  */
3401 static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3402                                 SSL **serverssl, SSL_SESSION **sess, int idx,
3403                                 size_t mdsize)
3404 {
3405     if (*sctx == NULL
3406             && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3407                                               TLS_client_method(),
3408                                               TLS1_VERSION, 0,
3409                                               sctx, cctx, cert, privkey)))
3410         return 0;
3411 
3412     if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
3413         return 0;
3414 
3415     if (idx == 1) {
3416         /* When idx == 1 we repeat the tests with read_ahead set */
3417         SSL_CTX_set_read_ahead(*cctx, 1);
3418         SSL_CTX_set_read_ahead(*sctx, 1);
3419     } else if (idx == 2) {
3420         /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3421         SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3422         SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3423         use_session_cb_cnt = 0;
3424         find_session_cb_cnt = 0;
3425         srvid = pskid;
3426     }
3427 
3428     if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
3429                                       NULL, NULL)))
3430         return 0;
3431 
3432     /*
3433      * For one of the run throughs (doesn't matter which one), we'll try sending
3434      * some SNI data in the initial ClientHello. This will be ignored (because
3435      * there is no SNI cb set up by the server), so it should not impact
3436      * early_data.
3437      */
3438     if (idx == 1
3439             && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3440         return 0;
3441 
3442     if (idx == 2) {
3443         clientpsk = create_a_psk(*clientssl, mdsize);
3444         if (!TEST_ptr(clientpsk)
3445                    /*
3446                     * We just choose an arbitrary value for max_early_data which
3447                     * should be big enough for testing purposes.
3448                     */
3449                 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3450                                                              0x100))
3451                 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3452             SSL_SESSION_free(clientpsk);
3453             clientpsk = NULL;
3454             return 0;
3455         }
3456         serverpsk = clientpsk;
3457 
3458         if (sess != NULL) {
3459             if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3460                 SSL_SESSION_free(clientpsk);
3461                 SSL_SESSION_free(serverpsk);
3462                 clientpsk = serverpsk = NULL;
3463                 return 0;
3464             }
3465             *sess = clientpsk;
3466         }
3467         return 1;
3468     }
3469 
3470     if (sess == NULL)
3471         return 1;
3472 
3473     if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3474                                          SSL_ERROR_NONE)))
3475         return 0;
3476 
3477     *sess = SSL_get1_session(*clientssl);
3478     SSL_shutdown(*clientssl);
3479     SSL_shutdown(*serverssl);
3480     SSL_free(*serverssl);
3481     SSL_free(*clientssl);
3482     *serverssl = *clientssl = NULL;
3483 
3484     if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3485                                       clientssl, NULL, NULL))
3486             || !TEST_true(SSL_set_session(*clientssl, *sess)))
3487         return 0;
3488 
3489     return 1;
3490 }
3491 
3492 static int check_early_data_timeout(time_t timer)
3493 {
3494     int res = 0;
3495 
3496     /*
3497      * Early data is time sensitive. We have an approx 8 second allowance
3498      * between writing the early data and reading it. If we exceed that time
3499      * then this test will fail. This can sometimes (rarely) occur in normal CI
3500      * operation. We can try and detect this and just ignore the result of this
3501      * test if it has taken too long. We assume anything over 7 seconds is too
3502      * long
3503      */
3504     timer = time(NULL) - timer;
3505     if (timer >= 7)
3506         res = TEST_skip("Test took too long, ignoring result");
3507 
3508     return res;
3509 }
3510 
3511 static int test_early_data_read_write(int idx)
3512 {
3513     SSL_CTX *cctx = NULL, *sctx = NULL;
3514     SSL *clientssl = NULL, *serverssl = NULL;
3515     int testresult = 0;
3516     SSL_SESSION *sess = NULL;
3517     unsigned char buf[20], data[1024];
3518     size_t readbytes, written, eoedlen, rawread, rawwritten;
3519     BIO *rbio;
3520     time_t timer;
3521 
3522     if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3523                                         &serverssl, &sess, idx,
3524                                         SHA384_DIGEST_LENGTH)))
3525         goto end;
3526 
3527     /* Write and read some early data */
3528     timer = time(NULL);
3529     if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3530                                         &written))
3531             || !TEST_size_t_eq(written, strlen(MSG1)))
3532         goto end;
3533 
3534     if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3535                                          &readbytes),
3536                      SSL_READ_EARLY_DATA_SUCCESS)) {
3537         testresult = check_early_data_timeout(timer);
3538         goto end;
3539     }
3540 
3541     if (!TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3542             || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3543                             SSL_EARLY_DATA_ACCEPTED))
3544         goto end;
3545 
3546     /*
3547      * Server should be able to write data, and client should be able to
3548      * read it.
3549      */
3550     if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3551                                         &written))
3552             || !TEST_size_t_eq(written, strlen(MSG2))
3553             || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3554             || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3555         goto end;
3556 
3557     /* Even after reading normal data, client should be able write early data */
3558     if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3559                                         &written))
3560             || !TEST_size_t_eq(written, strlen(MSG3)))
3561         goto end;
3562 
3563     /* Server should still be able read early data after writing data */
3564     if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3565                                          &readbytes),
3566                      SSL_READ_EARLY_DATA_SUCCESS)
3567             || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
3568         goto end;
3569 
3570     /* Write more data from server and read it from client */
3571     if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3572                                         &written))
3573             || !TEST_size_t_eq(written, strlen(MSG4))
3574             || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3575             || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
3576         goto end;
3577 
3578     /*
3579      * If client writes normal data it should mean writing early data is no
3580      * longer possible.
3581      */
3582     if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3583             || !TEST_size_t_eq(written, strlen(MSG5))
3584             || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3585                             SSL_EARLY_DATA_ACCEPTED))
3586         goto end;
3587 
3588     /*
3589      * At this point the client has written EndOfEarlyData, ClientFinished and
3590      * normal (fully protected) data. We are going to cause a delay between the
3591      * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3592      * in the read BIO, and then just put back the EndOfEarlyData message.
3593      */
3594     rbio = SSL_get_rbio(serverssl);
3595     if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3596             || !TEST_size_t_lt(rawread, sizeof(data))
3597             || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
3598         goto end;
3599 
3600     /* Record length is in the 4th and 5th bytes of the record header */
3601     eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
3602     if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3603             || !TEST_size_t_eq(rawwritten, eoedlen))
3604         goto end;
3605 
3606     /* Server should be told that there is no more early data */
3607     if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3608                                          &readbytes),
3609                      SSL_READ_EARLY_DATA_FINISH)
3610             || !TEST_size_t_eq(readbytes, 0))
3611         goto end;
3612 
3613     /*
3614      * Server has not finished init yet, so should still be able to write early
3615      * data.
3616      */
3617     if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3618                                         &written))
3619             || !TEST_size_t_eq(written, strlen(MSG6)))
3620         goto end;
3621 
3622     /* Push the ClientFinished and the normal data back into the server rbio */
3623     if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3624                                 &rawwritten))
3625             || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
3626         goto end;
3627 
3628     /* Server should be able to read normal data */
3629     if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3630             || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3631         goto end;
3632 
3633     /* Client and server should not be able to write/read early data now */
3634     if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3635                                          &written)))
3636         goto end;
3637     ERR_clear_error();
3638     if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3639                                          &readbytes),
3640                      SSL_READ_EARLY_DATA_ERROR))
3641         goto end;
3642     ERR_clear_error();
3643 
3644     /* Client should be able to read the data sent by the server */
3645     if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3646             || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
3647         goto end;
3648 
3649     /*
3650      * Make sure we process the two NewSessionTickets. These arrive
3651      * post-handshake. We attempt reads which we do not expect to return any
3652      * data.
3653      */
3654     if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3655             || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3656                            &readbytes)))
3657         goto end;
3658 
3659     /* Server should be able to write normal data */
3660     if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3661             || !TEST_size_t_eq(written, strlen(MSG7))
3662             || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3663             || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
3664         goto end;
3665 
3666     SSL_SESSION_free(sess);
3667     sess = SSL_get1_session(clientssl);
3668     use_session_cb_cnt = 0;
3669     find_session_cb_cnt = 0;
3670 
3671     SSL_shutdown(clientssl);
3672     SSL_shutdown(serverssl);
3673     SSL_free(serverssl);
3674     SSL_free(clientssl);
3675     serverssl = clientssl = NULL;
3676     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3677                                       &clientssl, NULL, NULL))
3678             || !TEST_true(SSL_set_session(clientssl, sess)))
3679         goto end;
3680 
3681     /* Write and read some early data */
3682     if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3683                                         &written))
3684             || !TEST_size_t_eq(written, strlen(MSG1))
3685             || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3686                                                 &readbytes),
3687                             SSL_READ_EARLY_DATA_SUCCESS)
3688             || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
3689         goto end;
3690 
3691     if (!TEST_int_gt(SSL_connect(clientssl), 0)
3692             || !TEST_int_gt(SSL_accept(serverssl), 0))
3693         goto end;
3694 
3695     /* Client and server should not be able to write/read early data now */
3696     if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3697                                          &written)))
3698         goto end;
3699     ERR_clear_error();
3700     if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3701                                          &readbytes),
3702                      SSL_READ_EARLY_DATA_ERROR))
3703         goto end;
3704     ERR_clear_error();
3705 
3706     /* Client and server should be able to write/read normal data */
3707     if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3708             || !TEST_size_t_eq(written, strlen(MSG5))
3709             || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3710             || !TEST_size_t_eq(readbytes, strlen(MSG5)))
3711         goto end;
3712 
3713     testresult = 1;
3714 
3715  end:
3716     SSL_SESSION_free(sess);
3717     SSL_SESSION_free(clientpsk);
3718     SSL_SESSION_free(serverpsk);
3719     clientpsk = serverpsk = NULL;
3720     SSL_free(serverssl);
3721     SSL_free(clientssl);
3722     SSL_CTX_free(sctx);
3723     SSL_CTX_free(cctx);
3724     return testresult;
3725 }
3726 
3727 static int allow_ed_cb_called = 0;
3728 
3729 static int allow_early_data_cb(SSL *s, void *arg)
3730 {
3731     int *usecb = (int *)arg;
3732 
3733     allow_ed_cb_called++;
3734 
3735     if (*usecb == 1)
3736         return 0;
3737 
3738     return 1;
3739 }
3740 
3741 /*
3742  * idx == 0: Standard early_data setup
3743  * idx == 1: early_data setup using read_ahead
3744  * usecb == 0: Don't use a custom early data callback
3745  * usecb == 1: Use a custom early data callback and reject the early data
3746  * usecb == 2: Use a custom early data callback and accept the early data
3747  * confopt == 0: Configure anti-replay directly
3748  * confopt == 1: Configure anti-replay using SSL_CONF
3749  */
3750 static int test_early_data_replay_int(int idx, int usecb, int confopt)
3751 {
3752     SSL_CTX *cctx = NULL, *sctx = NULL;
3753     SSL *clientssl = NULL, *serverssl = NULL;
3754     int testresult = 0;
3755     SSL_SESSION *sess = NULL;
3756     size_t readbytes, written;
3757     unsigned char buf[20];
3758     time_t timer;
3759 
3760     allow_ed_cb_called = 0;
3761 
3762     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3763                                        TLS_client_method(), TLS1_VERSION, 0,
3764                                        &sctx, &cctx, cert, privkey)))
3765         return 0;
3766 
3767     if (usecb > 0) {
3768         if (confopt == 0) {
3769             SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3770         } else {
3771             SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3772 
3773             if (!TEST_ptr(confctx))
3774                 goto end;
3775             SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3776                                             | SSL_CONF_FLAG_SERVER);
3777             SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3778             if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3779                              2)) {
3780                 SSL_CONF_CTX_free(confctx);
3781                 goto end;
3782             }
3783             SSL_CONF_CTX_free(confctx);
3784         }
3785         SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3786     }
3787 
3788     if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3789                                         &serverssl, &sess, idx,
3790                                         SHA384_DIGEST_LENGTH)))
3791         goto end;
3792 
3793     /*
3794      * The server is configured to accept early data. Create a connection to
3795      * "use up" the ticket
3796      */
3797     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3798             || !TEST_true(SSL_session_reused(clientssl)))
3799         goto end;
3800 
3801     SSL_shutdown(clientssl);
3802     SSL_shutdown(serverssl);
3803     SSL_free(serverssl);
3804     SSL_free(clientssl);
3805     serverssl = clientssl = NULL;
3806 
3807     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3808                                       &clientssl, NULL, NULL))
3809             || !TEST_true(SSL_set_session(clientssl, sess)))
3810         goto end;
3811 
3812     /* Write and read some early data */
3813     timer = time(NULL);
3814     if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3815                                         &written))
3816             || !TEST_size_t_eq(written, strlen(MSG1)))
3817         goto end;
3818 
3819     if (usecb <= 1) {
3820         if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3821                                              &readbytes),
3822                          SSL_READ_EARLY_DATA_FINISH)
3823                    /*
3824                     * The ticket was reused, so the we should have rejected the
3825                     * early data
3826                     */
3827                 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3828                                 SSL_EARLY_DATA_REJECTED))
3829             goto end;
3830     } else {
3831         /* In this case the callback decides to accept the early data */
3832         if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3833                                              &readbytes),
3834                          SSL_READ_EARLY_DATA_SUCCESS)) {
3835             testresult = check_early_data_timeout(timer);
3836             goto end;
3837         }
3838         if (!TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3839                    /*
3840                     * Server will have sent its flight so client can now send
3841                     * end of early data and complete its half of the handshake
3842                     */
3843                 || !TEST_int_gt(SSL_connect(clientssl), 0)
3844                 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3845                                              &readbytes),
3846                                 SSL_READ_EARLY_DATA_FINISH)
3847                 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3848                                 SSL_EARLY_DATA_ACCEPTED))
3849             goto end;
3850     }
3851 
3852     /* Complete the connection */
3853     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3854             || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3855             || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
3856         goto end;
3857 
3858     testresult = 1;
3859 
3860  end:
3861     SSL_SESSION_free(sess);
3862     SSL_SESSION_free(clientpsk);
3863     SSL_SESSION_free(serverpsk);
3864     clientpsk = serverpsk = NULL;
3865     SSL_free(serverssl);
3866     SSL_free(clientssl);
3867     SSL_CTX_free(sctx);
3868     SSL_CTX_free(cctx);
3869     return testresult;
3870 }
3871 
3872 static int test_early_data_replay(int idx)
3873 {
3874     int ret = 1, usecb, confopt;
3875 
3876     for (usecb = 0; usecb < 3; usecb++) {
3877         for (confopt = 0; confopt < 2; confopt++)
3878             ret &= test_early_data_replay_int(idx, usecb, confopt);
3879     }
3880 
3881     return ret;
3882 }
3883 
3884 static const char *ciphersuites[] = {
3885     "TLS_AES_128_CCM_8_SHA256",
3886     "TLS_AES_128_GCM_SHA256",
3887     "TLS_AES_256_GCM_SHA384",
3888     "TLS_AES_128_CCM_SHA256",
3889 #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3890     "TLS_CHACHA20_POLY1305_SHA256"
3891 #endif
3892 };
3893 
3894 /*
3895  * Helper function to test that a server attempting to read early data can
3896  * handle a connection from a client where the early data should be skipped.
3897  * testtype: 0 == No HRR
3898  * testtype: 1 == HRR
3899  * testtype: 2 == HRR, invalid early_data sent after HRR
3900  * testtype: 3 == recv_max_early_data set to 0
3901  */
3902 static int early_data_skip_helper(int testtype, int cipher, int idx)
3903 {
3904     SSL_CTX *cctx = NULL, *sctx = NULL;
3905     SSL *clientssl = NULL, *serverssl = NULL;
3906     int testresult = 0;
3907     SSL_SESSION *sess = NULL;
3908     unsigned char buf[20];
3909     size_t readbytes, written;
3910 
3911     if (is_fips && cipher == 4)
3912         return 1;
3913 
3914     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3915                                               TLS_client_method(),
3916                                               TLS1_VERSION, 0,
3917                                               &sctx, &cctx, cert, privkey)))
3918         goto end;
3919 
3920     if (cipher == 0) {
3921         SSL_CTX_set_security_level(sctx, 0);
3922         SSL_CTX_set_security_level(cctx, 0);
3923     }
3924 
3925     if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, ciphersuites[cipher]))
3926             || !TEST_true(SSL_CTX_set_ciphersuites(cctx, ciphersuites[cipher])))
3927         goto end;
3928 
3929     if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3930                                         &serverssl, &sess, idx,
3931                                         cipher == 2 ? SHA384_DIGEST_LENGTH
3932                                                     : SHA256_DIGEST_LENGTH)))
3933         goto end;
3934 
3935     if (testtype == 1 || testtype == 2) {
3936         /* Force an HRR to occur */
3937 #if defined(OPENSSL_NO_EC)
3938         if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3939             goto end;
3940 #else
3941         if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
3942             goto end;
3943 #endif
3944     } else if (idx == 2) {
3945         /*
3946          * We force early_data rejection by ensuring the PSK identity is
3947          * unrecognised
3948          */
3949         srvid = "Dummy Identity";
3950     } else {
3951         /*
3952          * Deliberately corrupt the creation time. We take 20 seconds off the
3953          * time. It could be any value as long as it is not within tolerance.
3954          * This should mean the ticket is rejected.
3955          */
3956         if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
3957             goto end;
3958     }
3959 
3960     if (testtype == 3
3961             && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3962         goto end;
3963 
3964     /* Write some early data */
3965     if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3966                                         &written))
3967             || !TEST_size_t_eq(written, strlen(MSG1)))
3968         goto end;
3969 
3970     /* Server should reject the early data */
3971     if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3972                                          &readbytes),
3973                      SSL_READ_EARLY_DATA_FINISH)
3974             || !TEST_size_t_eq(readbytes, 0)
3975             || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3976                             SSL_EARLY_DATA_REJECTED))
3977         goto end;
3978 
3979     switch (testtype) {
3980     case 0:
3981         /* Nothing to do */
3982         break;
3983 
3984     case 1:
3985         /*
3986          * Finish off the handshake. We perform the same writes and reads as
3987          * further down but we expect them to fail due to the incomplete
3988          * handshake.
3989          */
3990         if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3991                 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3992                                &readbytes)))
3993             goto end;
3994         break;
3995 
3996     case 2:
3997         {
3998             BIO *wbio = SSL_get_wbio(clientssl);
3999             /* A record that will appear as bad early_data */
4000             const unsigned char bad_early_data[] = {
4001                 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
4002             };
4003 
4004             /*
4005              * We force the client to attempt a write. This will fail because
4006              * we're still in the handshake. It will cause the second
4007              * ClientHello to be sent.
4008              */
4009             if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
4010                                          &written)))
4011                 goto end;
4012 
4013             /*
4014              * Inject some early_data after the second ClientHello. This should
4015              * cause the server to fail
4016              */
4017             if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
4018                                         sizeof(bad_early_data), &written)))
4019                 goto end;
4020         }
4021         /* fallthrough */
4022 
4023     case 3:
4024         /*
4025          * This client has sent more early_data than we are willing to skip
4026          * (case 3) or sent invalid early_data (case 2) so the connection should
4027          * abort.
4028          */
4029         if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4030                 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
4031             goto end;
4032 
4033         /* Connection has failed - nothing more to do */
4034         testresult = 1;
4035         goto end;
4036 
4037     default:
4038         TEST_error("Invalid test type");
4039         goto end;
4040     }
4041 
4042     ERR_clear_error();
4043     /*
4044      * Should be able to send normal data despite rejection of early data. The
4045      * early_data should be skipped.
4046      */
4047     if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4048             || !TEST_size_t_eq(written, strlen(MSG2))
4049             || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4050                             SSL_EARLY_DATA_REJECTED)
4051             || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4052             || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4053         goto end;
4054 
4055     /*
4056      * Failure to decrypt early data records should not leave spurious errors
4057      * on the error stack
4058      */
4059     if (!TEST_long_eq(ERR_peek_error(), 0))
4060         goto end;
4061 
4062     testresult = 1;
4063 
4064  end:
4065     SSL_SESSION_free(clientpsk);
4066     SSL_SESSION_free(serverpsk);
4067     clientpsk = serverpsk = NULL;
4068     SSL_SESSION_free(sess);
4069     SSL_free(serverssl);
4070     SSL_free(clientssl);
4071     SSL_CTX_free(sctx);
4072     SSL_CTX_free(cctx);
4073     return testresult;
4074 }
4075 
4076 /*
4077  * Test that a server attempting to read early data can handle a connection
4078  * from a client where the early data is not acceptable.
4079  */
4080 static int test_early_data_skip(int idx)
4081 {
4082     return early_data_skip_helper(0,
4083                                   idx % OSSL_NELEM(ciphersuites),
4084                                   idx / OSSL_NELEM(ciphersuites));
4085 }
4086 
4087 /*
4088  * Test that a server attempting to read early data can handle a connection
4089  * from a client where an HRR occurs.
4090  */
4091 static int test_early_data_skip_hrr(int idx)
4092 {
4093     return early_data_skip_helper(1,
4094                                   idx % OSSL_NELEM(ciphersuites),
4095                                   idx / OSSL_NELEM(ciphersuites));
4096 }
4097 
4098 /*
4099  * Test that a server attempting to read early data can handle a connection
4100  * from a client where an HRR occurs and correctly fails if early_data is sent
4101  * after the HRR
4102  */
4103 static int test_early_data_skip_hrr_fail(int idx)
4104 {
4105     return early_data_skip_helper(2,
4106                                   idx % OSSL_NELEM(ciphersuites),
4107                                   idx / OSSL_NELEM(ciphersuites));
4108 }
4109 
4110 /*
4111  * Test that a server attempting to read early data will abort if it tries to
4112  * skip over too much.
4113  */
4114 static int test_early_data_skip_abort(int idx)
4115 {
4116     return early_data_skip_helper(3,
4117                                   idx % OSSL_NELEM(ciphersuites),
4118                                   idx / OSSL_NELEM(ciphersuites));
4119 }
4120 
4121 /*
4122  * Test that a server attempting to read early data can handle a connection
4123  * from a client that doesn't send any.
4124  */
4125 static int test_early_data_not_sent(int idx)
4126 {
4127     SSL_CTX *cctx = NULL, *sctx = NULL;
4128     SSL *clientssl = NULL, *serverssl = NULL;
4129     int testresult = 0;
4130     SSL_SESSION *sess = NULL;
4131     unsigned char buf[20];
4132     size_t readbytes, written;
4133 
4134     if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4135                                         &serverssl, &sess, idx,
4136                                         SHA384_DIGEST_LENGTH)))
4137         goto end;
4138 
4139     /* Write some data - should block due to handshake with server */
4140     SSL_set_connect_state(clientssl);
4141     if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4142         goto end;
4143 
4144     /* Server should detect that early data has not been sent */
4145     if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4146                                          &readbytes),
4147                      SSL_READ_EARLY_DATA_FINISH)
4148             || !TEST_size_t_eq(readbytes, 0)
4149             || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4150                             SSL_EARLY_DATA_NOT_SENT)
4151             || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4152                             SSL_EARLY_DATA_NOT_SENT))
4153         goto end;
4154 
4155     /* Continue writing the message we started earlier */
4156     if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4157             || !TEST_size_t_eq(written, strlen(MSG1))
4158             || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4159             || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4160             || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
4161             || !TEST_size_t_eq(written, strlen(MSG2)))
4162         goto end;
4163 
4164     if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4165             || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4166         goto end;
4167 
4168     testresult = 1;
4169 
4170  end:
4171     SSL_SESSION_free(sess);
4172     SSL_SESSION_free(clientpsk);
4173     SSL_SESSION_free(serverpsk);
4174     clientpsk = serverpsk = NULL;
4175     SSL_free(serverssl);
4176     SSL_free(clientssl);
4177     SSL_CTX_free(sctx);
4178     SSL_CTX_free(cctx);
4179     return testresult;
4180 }
4181 
4182 static const char *servalpn;
4183 
4184 static int alpn_select_cb(SSL *ssl, const unsigned char **out,
4185                           unsigned char *outlen, const unsigned char *in,
4186                           unsigned int inlen, void *arg)
4187 {
4188     unsigned int protlen = 0;
4189     const unsigned char *prot;
4190 
4191     for (prot = in; prot < in + inlen; prot += protlen) {
4192         protlen = *prot++;
4193         if (in + inlen < prot + protlen)
4194             return SSL_TLSEXT_ERR_NOACK;
4195 
4196         if (protlen == strlen(servalpn)
4197                 && memcmp(prot, servalpn, protlen) == 0) {
4198             *out = prot;
4199             *outlen = protlen;
4200             return SSL_TLSEXT_ERR_OK;
4201         }
4202     }
4203 
4204     return SSL_TLSEXT_ERR_NOACK;
4205 }
4206 
4207 /* Test that a PSK can be used to send early_data */
4208 static int test_early_data_psk(int idx)
4209 {
4210     SSL_CTX *cctx = NULL, *sctx = NULL;
4211     SSL *clientssl = NULL, *serverssl = NULL;
4212     int testresult = 0;
4213     SSL_SESSION *sess = NULL;
4214     unsigned char alpnlist[] = {
4215         0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
4216         'l', 'p', 'n'
4217     };
4218 #define GOODALPNLEN     9
4219 #define BADALPNLEN      8
4220 #define GOODALPN        (alpnlist)
4221 #define BADALPN         (alpnlist + GOODALPNLEN)
4222     int err = 0;
4223     unsigned char buf[20];
4224     size_t readbytes, written;
4225     int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
4226     int edstatus = SSL_EARLY_DATA_ACCEPTED;
4227 
4228     /* We always set this up with a final parameter of "2" for PSK */
4229     if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4230                                         &serverssl, &sess, 2,
4231                                         SHA384_DIGEST_LENGTH)))
4232         goto end;
4233 
4234     servalpn = "goodalpn";
4235 
4236     /*
4237      * Note: There is no test for inconsistent SNI with late client detection.
4238      * This is because servers do not acknowledge SNI even if they are using
4239      * it in a resumption handshake - so it is not actually possible for a
4240      * client to detect a problem.
4241      */
4242     switch (idx) {
4243     case 0:
4244         /* Set inconsistent SNI (early client detection) */
4245         err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
4246         if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4247                 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
4248             goto end;
4249         break;
4250 
4251     case 1:
4252         /* Set inconsistent ALPN (early client detection) */
4253         err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
4254         /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
4255         if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
4256                                                       GOODALPNLEN))
4257                 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
4258                                                    BADALPNLEN)))
4259             goto end;
4260         break;
4261 
4262     case 2:
4263         /*
4264          * Set invalid protocol version. Technically this affects PSKs without
4265          * early_data too, but we test it here because it is similar to the
4266          * SNI/ALPN consistency tests.
4267          */
4268         err = SSL_R_BAD_PSK;
4269         if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
4270             goto end;
4271         break;
4272 
4273     case 3:
4274         /*
4275          * Set inconsistent SNI (server side). In this case the connection
4276          * will succeed and accept early_data. In TLSv1.3 on the server side SNI
4277          * is associated with each handshake - not the session. Therefore it
4278          * should not matter that we used a different server name last time.
4279          */
4280         SSL_SESSION_free(serverpsk);
4281         serverpsk = SSL_SESSION_dup(clientpsk);
4282         if (!TEST_ptr(serverpsk)
4283                 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
4284             goto end;
4285         /* Fall through */
4286     case 4:
4287         /* Set consistent SNI */
4288         if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4289                 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4290                 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4291                                 hostname_cb)))
4292             goto end;
4293         break;
4294 
4295     case 5:
4296         /*
4297          * Set inconsistent ALPN (server detected). In this case the connection
4298          * will succeed but reject early_data.
4299          */
4300         servalpn = "badalpn";
4301         edstatus = SSL_EARLY_DATA_REJECTED;
4302         readearlyres = SSL_READ_EARLY_DATA_FINISH;
4303         /* Fall through */
4304     case 6:
4305         /*
4306          * Set consistent ALPN.
4307          * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4308          * accepts a list of protos (each one length prefixed).
4309          * SSL_set1_alpn_selected accepts a single protocol (not length
4310          * prefixed)
4311          */
4312         if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4313                                                       GOODALPNLEN - 1))
4314                 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4315                                                    GOODALPNLEN)))
4316             goto end;
4317 
4318         SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4319         break;
4320 
4321     case 7:
4322         /* Set inconsistent ALPN (late client detection) */
4323         SSL_SESSION_free(serverpsk);
4324         serverpsk = SSL_SESSION_dup(clientpsk);
4325         if (!TEST_ptr(serverpsk)
4326                 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4327                                                              BADALPN + 1,
4328                                                              BADALPNLEN - 1))
4329                 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4330                                                              GOODALPN + 1,
4331                                                              GOODALPNLEN - 1))
4332                 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4333                                                    sizeof(alpnlist))))
4334             goto end;
4335         SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4336         edstatus = SSL_EARLY_DATA_ACCEPTED;
4337         readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4338         /* SSL_connect() call should fail */
4339         connectres = -1;
4340         break;
4341 
4342     default:
4343         TEST_error("Bad test index");
4344         goto end;
4345     }
4346 
4347     SSL_set_connect_state(clientssl);
4348     if (err != 0) {
4349         if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4350                                             &written))
4351                 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4352                 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4353             goto end;
4354     } else {
4355         time_t timer = time(NULL);
4356 
4357         if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4358                                             &written)))
4359             goto end;
4360 
4361         if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4362                                              &readbytes), readearlyres)) {
4363             testresult = check_early_data_timeout(timer);
4364             goto end;
4365         }
4366 
4367         if ((readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4368                     && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
4369                 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4370                 || !TEST_int_eq(SSL_connect(clientssl), connectres))
4371             goto end;
4372     }
4373 
4374     testresult = 1;
4375 
4376  end:
4377     SSL_SESSION_free(sess);
4378     SSL_SESSION_free(clientpsk);
4379     SSL_SESSION_free(serverpsk);
4380     clientpsk = serverpsk = NULL;
4381     SSL_free(serverssl);
4382     SSL_free(clientssl);
4383     SSL_CTX_free(sctx);
4384     SSL_CTX_free(cctx);
4385     return testresult;
4386 }
4387 
4388 /*
4389  * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4390  * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4391  * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4392  * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4393  * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4394  * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4395  */
4396 static int test_early_data_psk_with_all_ciphers(int idx)
4397 {
4398     SSL_CTX *cctx = NULL, *sctx = NULL;
4399     SSL *clientssl = NULL, *serverssl = NULL;
4400     int testresult = 0;
4401     SSL_SESSION *sess = NULL;
4402     unsigned char buf[20];
4403     size_t readbytes, written;
4404     const SSL_CIPHER *cipher;
4405     time_t timer;
4406     const char *cipher_str[] = {
4407         TLS1_3_RFC_AES_128_GCM_SHA256,
4408         TLS1_3_RFC_AES_256_GCM_SHA384,
4409 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4410         TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4411 # else
4412         NULL,
4413 # endif
4414         TLS1_3_RFC_AES_128_CCM_SHA256,
4415         TLS1_3_RFC_AES_128_CCM_8_SHA256
4416     };
4417     const unsigned char *cipher_bytes[] = {
4418         TLS13_AES_128_GCM_SHA256_BYTES,
4419         TLS13_AES_256_GCM_SHA384_BYTES,
4420 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4421         TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4422 # else
4423         NULL,
4424 # endif
4425         TLS13_AES_128_CCM_SHA256_BYTES,
4426         TLS13_AES_128_CCM_8_SHA256_BYTES
4427     };
4428 
4429     if (cipher_str[idx] == NULL)
4430         return 1;
4431     /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4432     if (idx == 2 && is_fips == 1)
4433         return 1;
4434 
4435     /* We always set this up with a final parameter of "2" for PSK */
4436     if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4437                                         &serverssl, &sess, 2,
4438                                         SHA384_DIGEST_LENGTH)))
4439         goto end;
4440 
4441     if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4442             || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4443         goto end;
4444 
4445     /*
4446      * 'setupearly_data_test' creates only one instance of SSL_SESSION
4447      * and assigns to both client and server with incremented reference
4448      * and the same instance is updated in 'sess'.
4449      * So updating ciphersuite in 'sess' which will get reflected in
4450      * PSK handshake using psk use sess and find sess cb.
4451      */
4452     cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4453     if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4454         goto end;
4455 
4456     SSL_set_connect_state(clientssl);
4457     timer = time(NULL);
4458     if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4459                                         &written)))
4460         goto end;
4461 
4462     if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4463                                          &readbytes),
4464                                          SSL_READ_EARLY_DATA_SUCCESS)) {
4465         testresult = check_early_data_timeout(timer);
4466         goto end;
4467     }
4468 
4469     if (!TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4470             || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4471                                                       SSL_EARLY_DATA_ACCEPTED)
4472             || !TEST_int_eq(SSL_connect(clientssl), 1)
4473             || !TEST_int_eq(SSL_accept(serverssl), 1))
4474         goto end;
4475 
4476     /* Send some normal data from client to server */
4477     if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4478             || !TEST_size_t_eq(written, strlen(MSG2)))
4479         goto end;
4480 
4481     if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4482             || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4483         goto end;
4484 
4485     testresult = 1;
4486  end:
4487     SSL_SESSION_free(sess);
4488     SSL_SESSION_free(clientpsk);
4489     SSL_SESSION_free(serverpsk);
4490     clientpsk = serverpsk = NULL;
4491     if (clientssl != NULL)
4492         SSL_shutdown(clientssl);
4493     if (serverssl != NULL)
4494         SSL_shutdown(serverssl);
4495     SSL_free(serverssl);
4496     SSL_free(clientssl);
4497     SSL_CTX_free(sctx);
4498     SSL_CTX_free(cctx);
4499     return testresult;
4500 }
4501 
4502 /*
4503  * Test that a server that doesn't try to read early data can handle a
4504  * client sending some.
4505  */
4506 static int test_early_data_not_expected(int idx)
4507 {
4508     SSL_CTX *cctx = NULL, *sctx = NULL;
4509     SSL *clientssl = NULL, *serverssl = NULL;
4510     int testresult = 0;
4511     SSL_SESSION *sess = NULL;
4512     unsigned char buf[20];
4513     size_t readbytes, written;
4514 
4515     if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4516                                         &serverssl, &sess, idx,
4517                                         SHA384_DIGEST_LENGTH)))
4518         goto end;
4519 
4520     /* Write some early data */
4521     if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4522                                         &written)))
4523         goto end;
4524 
4525     /*
4526      * Server should skip over early data and then block waiting for client to
4527      * continue handshake
4528      */
4529     if (!TEST_int_le(SSL_accept(serverssl), 0)
4530      || !TEST_int_gt(SSL_connect(clientssl), 0)
4531      || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4532                      SSL_EARLY_DATA_REJECTED)
4533      || !TEST_int_gt(SSL_accept(serverssl), 0)
4534      || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4535                      SSL_EARLY_DATA_REJECTED))
4536         goto end;
4537 
4538     /* Send some normal data from client to server */
4539     if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4540             || !TEST_size_t_eq(written, strlen(MSG2)))
4541         goto end;
4542 
4543     if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4544             || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4545         goto end;
4546 
4547     testresult = 1;
4548 
4549  end:
4550     SSL_SESSION_free(sess);
4551     SSL_SESSION_free(clientpsk);
4552     SSL_SESSION_free(serverpsk);
4553     clientpsk = serverpsk = NULL;
4554     SSL_free(serverssl);
4555     SSL_free(clientssl);
4556     SSL_CTX_free(sctx);
4557     SSL_CTX_free(cctx);
4558     return testresult;
4559 }
4560 
4561 
4562 # ifndef OPENSSL_NO_TLS1_2
4563 /*
4564  * Test that a server attempting to read early data can handle a connection
4565  * from a TLSv1.2 client.
4566  */
4567 static int test_early_data_tls1_2(int idx)
4568 {
4569     SSL_CTX *cctx = NULL, *sctx = NULL;
4570     SSL *clientssl = NULL, *serverssl = NULL;
4571     int testresult = 0;
4572     unsigned char buf[20];
4573     size_t readbytes, written;
4574 
4575     if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4576                                         &serverssl, NULL, idx,
4577                                         SHA384_DIGEST_LENGTH)))
4578         goto end;
4579 
4580     /* Write some data - should block due to handshake with server */
4581     SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4582     SSL_set_connect_state(clientssl);
4583     if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
4584         goto end;
4585 
4586     /*
4587      * Server should do TLSv1.2 handshake. First it will block waiting for more
4588      * messages from client after ServerDone. Then SSL_read_early_data should
4589      * finish and detect that early data has not been sent
4590      */
4591     if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4592                                          &readbytes),
4593                      SSL_READ_EARLY_DATA_ERROR))
4594         goto end;
4595 
4596     /*
4597      * Continue writing the message we started earlier. Will still block waiting
4598      * for the CCS/Finished from server
4599      */
4600     if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4601             || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4602                                                 &readbytes),
4603                             SSL_READ_EARLY_DATA_FINISH)
4604             || !TEST_size_t_eq(readbytes, 0)
4605             || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4606                             SSL_EARLY_DATA_NOT_SENT))
4607         goto end;
4608 
4609     /* Continue writing the message we started earlier */
4610     if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4611             || !TEST_size_t_eq(written, strlen(MSG1))
4612             || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4613                             SSL_EARLY_DATA_NOT_SENT)
4614             || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4615             || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4616             || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4617             || !TEST_size_t_eq(written, strlen(MSG2))
4618             || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4619             || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4620         goto end;
4621 
4622     testresult = 1;
4623 
4624  end:
4625     SSL_SESSION_free(clientpsk);
4626     SSL_SESSION_free(serverpsk);
4627     clientpsk = serverpsk = NULL;
4628     SSL_free(serverssl);
4629     SSL_free(clientssl);
4630     SSL_CTX_free(sctx);
4631     SSL_CTX_free(cctx);
4632 
4633     return testresult;
4634 }
4635 # endif /* OPENSSL_NO_TLS1_2 */
4636 
4637 /*
4638  * Test configuring the TLSv1.3 ciphersuites
4639  *
4640  * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4641  * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4642  * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4643  * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4644  * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4645  * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4646  * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4647  * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4648  * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4649  * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4650  */
4651 static int test_set_ciphersuite(int idx)
4652 {
4653     SSL_CTX *cctx = NULL, *sctx = NULL;
4654     SSL *clientssl = NULL, *serverssl = NULL;
4655     int testresult = 0;
4656 
4657     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4658                                        TLS_client_method(), TLS1_VERSION, 0,
4659                                        &sctx, &cctx, cert, privkey))
4660             || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4661                            "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4662         goto end;
4663 
4664     if (idx >=4 && idx <= 7) {
4665         /* SSL_CTX explicit cipher list */
4666         if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4667             goto end;
4668     }
4669 
4670     if (idx == 0 || idx == 4) {
4671         /* Default ciphersuite */
4672         if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4673                                                 "TLS_AES_128_GCM_SHA256")))
4674             goto end;
4675     } else if (idx == 1 || idx == 5) {
4676         /* Non default ciphersuite */
4677         if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4678                                                 "TLS_AES_128_CCM_SHA256")))
4679             goto end;
4680     }
4681 
4682     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4683                                           &clientssl, NULL, NULL)))
4684         goto end;
4685 
4686     if (idx == 8 || idx == 9) {
4687         /* SSL explicit cipher list */
4688         if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4689             goto end;
4690     }
4691 
4692     if (idx == 2 || idx == 6 || idx == 8) {
4693         /* Default ciphersuite */
4694         if (!TEST_true(SSL_set_ciphersuites(clientssl,
4695                                             "TLS_AES_128_GCM_SHA256")))
4696             goto end;
4697     } else if (idx == 3 || idx == 7 || idx == 9) {
4698         /* Non default ciphersuite */
4699         if (!TEST_true(SSL_set_ciphersuites(clientssl,
4700                                             "TLS_AES_128_CCM_SHA256")))
4701             goto end;
4702     }
4703 
4704     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4705         goto end;
4706 
4707     testresult = 1;
4708 
4709  end:
4710     SSL_free(serverssl);
4711     SSL_free(clientssl);
4712     SSL_CTX_free(sctx);
4713     SSL_CTX_free(cctx);
4714 
4715     return testresult;
4716 }
4717 
4718 static int test_ciphersuite_change(void)
4719 {
4720     SSL_CTX *cctx = NULL, *sctx = NULL;
4721     SSL *clientssl = NULL, *serverssl = NULL;
4722     SSL_SESSION *clntsess = NULL;
4723     int testresult = 0;
4724     const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4725 
4726     /* Create a session based on SHA-256 */
4727     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4728                                        TLS_client_method(), TLS1_VERSION, 0,
4729                                        &sctx, &cctx, cert, privkey))
4730             || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4731                                                    "TLS_AES_128_GCM_SHA256:"
4732                                                    "TLS_AES_256_GCM_SHA384:"
4733                                                    "TLS_AES_128_CCM_SHA256"))
4734             || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4735                                                    "TLS_AES_128_GCM_SHA256"))
4736             || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4737                                           &clientssl, NULL, NULL))
4738             || !TEST_true(create_ssl_connection(serverssl, clientssl,
4739                                                 SSL_ERROR_NONE)))
4740         goto end;
4741 
4742     clntsess = SSL_get1_session(clientssl);
4743     /* Save for later */
4744     aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4745     SSL_shutdown(clientssl);
4746     SSL_shutdown(serverssl);
4747     SSL_free(serverssl);
4748     SSL_free(clientssl);
4749     serverssl = clientssl = NULL;
4750 
4751     /* Check we can resume a session with a different SHA-256 ciphersuite */
4752     if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4753                                             "TLS_AES_128_CCM_SHA256"))
4754             || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4755                                              &clientssl, NULL, NULL))
4756             || !TEST_true(SSL_set_session(clientssl, clntsess))
4757             || !TEST_true(create_ssl_connection(serverssl, clientssl,
4758                                                 SSL_ERROR_NONE))
4759             || !TEST_true(SSL_session_reused(clientssl)))
4760         goto end;
4761 
4762     SSL_SESSION_free(clntsess);
4763     clntsess = SSL_get1_session(clientssl);
4764     SSL_shutdown(clientssl);
4765     SSL_shutdown(serverssl);
4766     SSL_free(serverssl);
4767     SSL_free(clientssl);
4768     serverssl = clientssl = NULL;
4769 
4770     /*
4771      * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
4772      * succeeds but does not resume.
4773      */
4774     if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4775             || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4776                                              NULL, NULL))
4777             || !TEST_true(SSL_set_session(clientssl, clntsess))
4778             || !TEST_true(create_ssl_connection(serverssl, clientssl,
4779                                                 SSL_ERROR_SSL))
4780             || !TEST_false(SSL_session_reused(clientssl)))
4781         goto end;
4782 
4783     SSL_SESSION_free(clntsess);
4784     clntsess = NULL;
4785     SSL_shutdown(clientssl);
4786     SSL_shutdown(serverssl);
4787     SSL_free(serverssl);
4788     SSL_free(clientssl);
4789     serverssl = clientssl = NULL;
4790 
4791     /* Create a session based on SHA384 */
4792     if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
4793             || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4794                                           &clientssl, NULL, NULL))
4795             || !TEST_true(create_ssl_connection(serverssl, clientssl,
4796                                                 SSL_ERROR_NONE)))
4797         goto end;
4798 
4799     clntsess = SSL_get1_session(clientssl);
4800     SSL_shutdown(clientssl);
4801     SSL_shutdown(serverssl);
4802     SSL_free(serverssl);
4803     SSL_free(clientssl);
4804     serverssl = clientssl = NULL;
4805 
4806     if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4807                    "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4808             || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4809                                                    "TLS_AES_256_GCM_SHA384"))
4810             || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4811                                              NULL, NULL))
4812             || !TEST_true(SSL_set_session(clientssl, clntsess))
4813                /*
4814                 * We use SSL_ERROR_WANT_READ below so that we can pause the
4815                 * connection after the initial ClientHello has been sent to
4816                 * enable us to make some session changes.
4817                 */
4818             || !TEST_false(create_ssl_connection(serverssl, clientssl,
4819                                                 SSL_ERROR_WANT_READ)))
4820         goto end;
4821 
4822     /* Trick the client into thinking this session is for a different digest */
4823     clntsess->cipher = aes_128_gcm_sha256;
4824     clntsess->cipher_id = clntsess->cipher->id;
4825 
4826     /*
4827      * Continue the previously started connection. Server has selected a SHA-384
4828      * ciphersuite, but client thinks the session is for SHA-256, so it should
4829      * bail out.
4830      */
4831     if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4832                                                 SSL_ERROR_SSL))
4833             || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4834                             SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4835         goto end;
4836 
4837     testresult = 1;
4838 
4839  end:
4840     SSL_SESSION_free(clntsess);
4841     SSL_free(serverssl);
4842     SSL_free(clientssl);
4843     SSL_CTX_free(sctx);
4844     SSL_CTX_free(cctx);
4845 
4846     return testresult;
4847 }
4848 
4849 /*
4850  * Test TLSv1.3 Key exchange
4851  * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4852  * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4853  * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4854  * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4855  * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4856  * Test 5 = Test NID_X448 with TLSv1.3 client and server
4857  * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4858  * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4859  * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4860  * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4861  * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4862  * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4863  * Test 12 = Test all ECDHE with TLSv1.2 client and server
4864  * Test 13 = Test all FFDHE with TLSv1.2 client and server
4865  */
4866 # ifndef OPENSSL_NO_EC
4867 static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4868                                    NID_secp521r1, NID_X25519, NID_X448};
4869 # endif
4870 # ifndef OPENSSL_NO_DH
4871 static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4872                                    NID_ffdhe6144, NID_ffdhe8192};
4873 # endif
4874 static int test_key_exchange(int idx)
4875 {
4876     SSL_CTX *sctx = NULL, *cctx = NULL;
4877     SSL *serverssl = NULL, *clientssl = NULL;
4878     int testresult = 0;
4879     int kexch_alg;
4880     int *kexch_groups = &kexch_alg;
4881     int kexch_groups_size = 1;
4882     int max_version = TLS1_3_VERSION;
4883     char *kexch_name0 = NULL;
4884 
4885     switch (idx) {
4886 # ifndef OPENSSL_NO_EC
4887 # ifndef OPENSSL_NO_TLS1_2
4888         case 12:
4889             max_version = TLS1_2_VERSION;
4890 # endif
4891             /* Fall through */
4892         case 0:
4893             kexch_groups = ecdhe_kexch_groups;
4894             kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4895             kexch_name0 = "secp256r1";
4896             break;
4897         case 1:
4898             kexch_alg = NID_X9_62_prime256v1;
4899             kexch_name0 = "secp256r1";
4900             break;
4901         case 2:
4902             kexch_alg = NID_secp384r1;
4903             kexch_name0 = "secp384r1";
4904             break;
4905         case 3:
4906             kexch_alg = NID_secp521r1;
4907             kexch_name0 = "secp521r1";
4908             break;
4909         case 4:
4910             if (is_fips)
4911                 return TEST_skip("X25519 might not be supported by fips provider.");
4912             kexch_alg = NID_X25519;
4913             kexch_name0 = "x25519";
4914             break;
4915         case 5:
4916             if (is_fips)
4917                 return TEST_skip("X448 might not be supported by fips provider.");
4918             kexch_alg = NID_X448;
4919             kexch_name0 = "x448";
4920             break;
4921 # endif
4922 # ifndef OPENSSL_NO_DH
4923 # ifndef OPENSSL_NO_TLS1_2
4924         case 13:
4925             max_version = TLS1_2_VERSION;
4926             kexch_name0 = "ffdhe2048";
4927 # endif
4928             /* Fall through */
4929         case 6:
4930             kexch_groups = ffdhe_kexch_groups;
4931             kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4932             kexch_name0 = "ffdhe2048";
4933             break;
4934         case 7:
4935             kexch_alg = NID_ffdhe2048;
4936             kexch_name0 = "ffdhe2048";
4937             break;
4938         case 8:
4939             kexch_alg = NID_ffdhe3072;
4940             kexch_name0 = "ffdhe3072";
4941             break;
4942         case 9:
4943             kexch_alg = NID_ffdhe4096;
4944             kexch_name0 = "ffdhe4096";
4945             break;
4946         case 10:
4947             kexch_alg = NID_ffdhe6144;
4948             kexch_name0 = "ffdhe6144";
4949             break;
4950         case 11:
4951             kexch_alg = NID_ffdhe8192;
4952             kexch_name0 = "ffdhe8192";
4953             break;
4954 # endif
4955         default:
4956             /* We're skipping this test */
4957             return 1;
4958     }
4959 
4960     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4961                                        TLS_client_method(), TLS1_VERSION,
4962                                        max_version, &sctx, &cctx, cert,
4963                                        privkey)))
4964         goto end;
4965 
4966     if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4967                    TLS1_3_RFC_AES_128_GCM_SHA256)))
4968         goto end;
4969 
4970     if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4971                    TLS1_3_RFC_AES_128_GCM_SHA256)))
4972         goto end;
4973 
4974     if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4975                    TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4976                    TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4977             || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4978         goto end;
4979 
4980     /*
4981      * Must include an EC ciphersuite so that we send supported groups in
4982      * TLSv1.2
4983      */
4984 # ifndef OPENSSL_NO_TLS1_2
4985     if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4986                    TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4987                    TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4988         goto end;
4989 # endif
4990 
4991     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4992                                              NULL, NULL)))
4993         goto end;
4994 
4995     if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4996         || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4997         goto end;
4998 
4999     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5000         goto end;
5001 
5002     /*
5003      * If Handshake succeeds the negotiated kexch alg should be the first one in
5004      * configured, except in the case of FFDHE groups (idx 13), which are
5005      * TLSv1.3 only so we expect no shared group to exist.
5006      */
5007     if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
5008                      idx == 13 ? 0 : kexch_groups[0]))
5009         goto end;
5010 
5011     if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
5012                      kexch_name0))
5013         goto end;
5014 
5015     /* We don't implement RFC 7919 named groups for TLS 1.2. */
5016     if (idx != 13) {
5017         if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
5018             goto end;
5019         if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
5020             goto end;
5021     }
5022 
5023     testresult = 1;
5024  end:
5025     SSL_free(serverssl);
5026     SSL_free(clientssl);
5027     SSL_CTX_free(sctx);
5028     SSL_CTX_free(cctx);
5029     return testresult;
5030 }
5031 
5032 # if !defined(OPENSSL_NO_TLS1_2) \
5033      && !defined(OPENSSL_NO_EC)  \
5034      && !defined(OPENSSL_NO_DH)
5035 static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
5036                           int isecdhe, int idx)
5037 {
5038     int kexch_alg;
5039     int *kexch_groups = &kexch_alg;
5040     int numec, numff;
5041 
5042     numec = OSSL_NELEM(ecdhe_kexch_groups);
5043     numff = OSSL_NELEM(ffdhe_kexch_groups);
5044     if (isecdhe)
5045         kexch_alg = ecdhe_kexch_groups[idx];
5046     else
5047         kexch_alg = ffdhe_kexch_groups[idx];
5048 
5049     if (clientmulti) {
5050         if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
5051             return 0;
5052         if (isecdhe) {
5053             if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
5054                                            numec)))
5055                 return 0;
5056         } else {
5057             if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
5058                                            numff)))
5059                 return 0;
5060         }
5061     } else {
5062         if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
5063             return 0;
5064         if (isecdhe) {
5065             if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
5066                                            numec)))
5067                 return 0;
5068         } else {
5069             if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
5070                                            numff)))
5071                 return 0;
5072         }
5073     }
5074     return 1;
5075 }
5076 
5077 /*-
5078  * Test the SSL_get_negotiated_group() API across a battery of scenarios.
5079  * Run through both the ECDHE and FFDHE group lists used in the previous
5080  * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
5081  * confirming the expected result; then perform a resumption handshake
5082  * while offering the same group list, and another resumption handshake
5083  * offering a different group list.  The returned value should be the
5084  * negotiated group for the initial handshake; for TLS 1.3 resumption
5085  * handshakes the returned value will be negotiated on the resumption
5086  * handshake itself, but for TLS 1.2 resumption handshakes the value will
5087  * be cached in the session from the original handshake, regardless of what
5088  * was offered in the resumption ClientHello.
5089  *
5090  * Using E for the number of EC groups and F for the number of FF groups:
5091  * E tests of ECDHE with TLS 1.3, server only has one group
5092  * F tests of FFDHE with TLS 1.3, server only has one group
5093  * E tests of ECDHE with TLS 1.2, server only has one group
5094  * F tests of FFDHE with TLS 1.2, server only has one group
5095  * E tests of ECDHE with TLS 1.3, client sends only one group
5096  * F tests of FFDHE with TLS 1.3, client sends only one group
5097  * E tests of ECDHE with TLS 1.2, client sends only one group
5098  * F tests of FFDHE with TLS 1.2, client sends only one group
5099  */
5100 static int test_negotiated_group(int idx)
5101 {
5102     int clientmulti, istls13, isecdhe, numec, numff, numgroups;
5103     int expectednid;
5104     SSL_CTX *sctx = NULL, *cctx = NULL;
5105     SSL *serverssl = NULL, *clientssl = NULL;
5106     SSL_SESSION *origsess = NULL;
5107     int testresult = 0;
5108     int kexch_alg;
5109     int max_version = TLS1_3_VERSION;
5110 
5111     numec = OSSL_NELEM(ecdhe_kexch_groups);
5112     numff = OSSL_NELEM(ffdhe_kexch_groups);
5113     numgroups = numec + numff;
5114     clientmulti = (idx < 2 * numgroups);
5115     idx = idx % (2 * numgroups);
5116     istls13 = (idx < numgroups);
5117     idx = idx % numgroups;
5118     isecdhe = (idx < numec);
5119     if (!isecdhe)
5120         idx -= numec;
5121     /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
5122     if (isecdhe)
5123         kexch_alg = ecdhe_kexch_groups[idx];
5124     else
5125         kexch_alg = ffdhe_kexch_groups[idx];
5126     /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
5127     if (!istls13 && !isecdhe)
5128         expectednid = NID_undef;
5129     else
5130         expectednid = kexch_alg;
5131 
5132     if (is_fips && (kexch_alg == NID_X25519 || kexch_alg == NID_X448))
5133         return TEST_skip("X25519 and X448 might not be available in fips provider.");
5134 
5135     if (!istls13)
5136         max_version = TLS1_2_VERSION;
5137 
5138     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5139                                        TLS_client_method(), TLS1_VERSION,
5140                                        max_version, &sctx, &cctx, cert,
5141                                        privkey)))
5142         goto end;
5143 
5144     /*
5145      * Force (EC)DHE ciphers for TLS 1.2.
5146      * Be sure to enable auto tmp DH so that FFDHE can succeed.
5147      */
5148     if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5149                    TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5150                    TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5151             || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5152         goto end;
5153     if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5154                    TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5155                    TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5156         goto end;
5157 
5158     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5159                                              NULL, NULL)))
5160         goto end;
5161 
5162     if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
5163                                   idx)))
5164         goto end;
5165 
5166     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5167         goto end;
5168 
5169     /* Initial handshake; always the configured one */
5170     if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5171             || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5172         goto end;
5173 
5174     if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
5175         goto end;
5176 
5177     SSL_shutdown(clientssl);
5178     SSL_shutdown(serverssl);
5179     SSL_free(serverssl);
5180     SSL_free(clientssl);
5181     serverssl = clientssl = NULL;
5182 
5183     /* First resumption attempt; use the same config as initial handshake */
5184     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5185                                              NULL, NULL))
5186             || !TEST_true(SSL_set_session(clientssl, origsess))
5187             || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5188                                          isecdhe, idx)))
5189         goto end;
5190 
5191     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5192             || !TEST_true(SSL_session_reused(clientssl)))
5193         goto end;
5194 
5195     /* Still had better agree, since nothing changed... */
5196     if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5197             || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5198         goto end;
5199 
5200     SSL_shutdown(clientssl);
5201     SSL_shutdown(serverssl);
5202     SSL_free(serverssl);
5203     SSL_free(clientssl);
5204     serverssl = clientssl = NULL;
5205 
5206     /*-
5207      * Second resumption attempt
5208      * The party that picks one group changes it, which we effectuate by
5209      * changing 'idx' and updating what we expect.
5210      */
5211     if (idx == 0)
5212         idx = 1;
5213     else
5214         idx--;
5215     if (istls13) {
5216         if (isecdhe)
5217             expectednid = ecdhe_kexch_groups[idx];
5218         else
5219             expectednid = ffdhe_kexch_groups[idx];
5220         /* Verify that we are changing what we expect. */
5221         if (!TEST_int_ne(expectednid, kexch_alg))
5222             goto end;
5223     } else {
5224         /* TLS 1.2 only supports named groups for ECDHE. */
5225         if (isecdhe)
5226             expectednid = kexch_alg;
5227         else
5228             expectednid = 0;
5229     }
5230     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5231                                              NULL, NULL))
5232             || !TEST_true(SSL_set_session(clientssl, origsess))
5233             || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5234                                          isecdhe, idx)))
5235         goto end;
5236 
5237     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5238             || !TEST_true(SSL_session_reused(clientssl)))
5239         goto end;
5240 
5241     /* Check that we get what we expected */
5242     if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5243             || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5244         goto end;
5245 
5246     testresult = 1;
5247  end:
5248     SSL_free(serverssl);
5249     SSL_free(clientssl);
5250     SSL_CTX_free(sctx);
5251     SSL_CTX_free(cctx);
5252     SSL_SESSION_free(origsess);
5253     return testresult;
5254 }
5255 # endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
5256 
5257 /*
5258  * Test TLSv1.3 Cipher Suite
5259  * Test 0 = Set TLS1.3 cipher on context
5260  * Test 1 = Set TLS1.3 cipher on SSL
5261  * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
5262  * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
5263  */
5264 static int test_tls13_ciphersuite(int idx)
5265 {
5266     SSL_CTX *sctx = NULL, *cctx = NULL;
5267     SSL *serverssl = NULL, *clientssl = NULL;
5268     static const struct {
5269         const char *ciphername;
5270         int fipscapable;
5271     } t13_ciphers[] = {
5272         { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
5273         { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
5274         { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
5275 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
5276         { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
5277         { TLS1_3_RFC_AES_256_GCM_SHA384
5278           ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
5279 # endif
5280         { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
5281     };
5282     const char *t13_cipher = NULL;
5283     const char *t12_cipher = NULL;
5284     const char *negotiated_scipher;
5285     const char *negotiated_ccipher;
5286     int set_at_ctx = 0;
5287     int set_at_ssl = 0;
5288     int testresult = 0;
5289     int max_ver;
5290     size_t i;
5291 
5292     switch (idx) {
5293         case 0:
5294             set_at_ctx = 1;
5295             break;
5296         case 1:
5297             set_at_ssl = 1;
5298             break;
5299         case 2:
5300             set_at_ctx = 1;
5301             t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5302             break;
5303         case 3:
5304             set_at_ssl = 1;
5305             t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5306             break;
5307     }
5308 
5309     for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5310 # ifdef OPENSSL_NO_TLS1_2
5311         if (max_ver == TLS1_2_VERSION)
5312             continue;
5313 # endif
5314         for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
5315             if (is_fips && !t13_ciphers[i].fipscapable)
5316                 continue;
5317             t13_cipher = t13_ciphers[i].ciphername;
5318             if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5319                                                TLS_client_method(),
5320                                                TLS1_VERSION, max_ver,
5321                                                &sctx, &cctx, cert, privkey)))
5322                 goto end;
5323 
5324             if (set_at_ctx) {
5325                 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5326                     || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5327                     goto end;
5328                 if (t12_cipher != NULL) {
5329                     if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5330                         || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5331                                                               t12_cipher)))
5332                         goto end;
5333                 }
5334             }
5335 
5336             if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5337                                               &clientssl, NULL, NULL)))
5338                 goto end;
5339 
5340             if (set_at_ssl) {
5341                 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5342                     || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5343                     goto end;
5344                 if (t12_cipher != NULL) {
5345                     if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5346                         || !TEST_true(SSL_set_cipher_list(clientssl,
5347                                                           t12_cipher)))
5348                         goto end;
5349                 }
5350             }
5351 
5352             if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5353                                                  SSL_ERROR_NONE)))
5354                 goto end;
5355 
5356             negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5357                                                                  serverssl));
5358             negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5359                                                                  clientssl));
5360             if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5361                 goto end;
5362 
5363             /*
5364              * TEST_strn_eq is used below because t13_cipher can contain
5365              * multiple ciphersuites
5366              */
5367             if (max_ver == TLS1_3_VERSION
5368                 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5369                                  strlen(negotiated_scipher)))
5370                 goto end;
5371 
5372 # ifndef OPENSSL_NO_TLS1_2
5373             /* Below validation is not done when t12_cipher is NULL */
5374             if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5375                 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5376                 goto end;
5377 # endif
5378 
5379             SSL_free(serverssl);
5380             serverssl = NULL;
5381             SSL_free(clientssl);
5382             clientssl = NULL;
5383             SSL_CTX_free(sctx);
5384             sctx = NULL;
5385             SSL_CTX_free(cctx);
5386             cctx = NULL;
5387         }
5388     }
5389 
5390     testresult = 1;
5391  end:
5392     SSL_free(serverssl);
5393     SSL_free(clientssl);
5394     SSL_CTX_free(sctx);
5395     SSL_CTX_free(cctx);
5396     return testresult;
5397 }
5398 
5399 /*
5400  * Test TLSv1.3 PSKs
5401  * Test 0 = Test new style callbacks
5402  * Test 1 = Test both new and old style callbacks
5403  * Test 2 = Test old style callbacks
5404  * Test 3 = Test old style callbacks with no certificate
5405  */
5406 static int test_tls13_psk(int idx)
5407 {
5408     SSL_CTX *sctx = NULL, *cctx = NULL;
5409     SSL *serverssl = NULL, *clientssl = NULL;
5410     const SSL_CIPHER *cipher = NULL;
5411     const unsigned char key[] = {
5412         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5413         0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
5414         0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5415         0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
5416     };
5417     int testresult = 0;
5418 
5419     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5420                                        TLS_client_method(), TLS1_VERSION, 0,
5421                                        &sctx, &cctx, idx == 3 ? NULL : cert,
5422                                        idx == 3 ? NULL : privkey)))
5423         goto end;
5424 
5425     if (idx != 3) {
5426         /*
5427          * We use a ciphersuite with SHA256 to ease testing old style PSK
5428          * callbacks which will always default to SHA256. This should not be
5429          * necessary if we have no cert/priv key. In that case the server should
5430          * prefer SHA256 automatically.
5431          */
5432         if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5433                                                 "TLS_AES_128_GCM_SHA256")))
5434             goto end;
5435     } else {
5436         /*
5437          * As noted above the server should prefer SHA256 automatically. However
5438          * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5439          * code works even if we are testing with only the FIPS provider loaded.
5440          */
5441         if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5442                                                 "TLS_AES_256_GCM_SHA384:"
5443                                                 "TLS_AES_128_GCM_SHA256")))
5444             goto end;
5445     }
5446 
5447     /*
5448      * Test 0: New style callbacks only
5449      * Test 1: New and old style callbacks (only the new ones should be used)
5450      * Test 2: Old style callbacks only
5451      */
5452     if (idx == 0 || idx == 1) {
5453         SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5454         SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5455     }
5456 #ifndef OPENSSL_NO_PSK
5457     if (idx >= 1) {
5458         SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5459         SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5460     }
5461 #endif
5462     srvid = pskid;
5463     use_session_cb_cnt = 0;
5464     find_session_cb_cnt = 0;
5465     psk_client_cb_cnt = 0;
5466     psk_server_cb_cnt = 0;
5467 
5468     if (idx != 3) {
5469         /*
5470          * Check we can create a connection if callback decides not to send a
5471          * PSK
5472          */
5473         if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5474                                                  NULL, NULL))
5475                 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5476                                                     SSL_ERROR_NONE))
5477                 || !TEST_false(SSL_session_reused(clientssl))
5478                 || !TEST_false(SSL_session_reused(serverssl)))
5479             goto end;
5480 
5481         if (idx == 0 || idx == 1) {
5482             if (!TEST_true(use_session_cb_cnt == 1)
5483                     || !TEST_true(find_session_cb_cnt == 0)
5484                        /*
5485                         * If no old style callback then below should be 0
5486                         * otherwise 1
5487                         */
5488                     || !TEST_true(psk_client_cb_cnt == idx)
5489                     || !TEST_true(psk_server_cb_cnt == 0))
5490                 goto end;
5491         } else {
5492             if (!TEST_true(use_session_cb_cnt == 0)
5493                     || !TEST_true(find_session_cb_cnt == 0)
5494                     || !TEST_true(psk_client_cb_cnt == 1)
5495                     || !TEST_true(psk_server_cb_cnt == 0))
5496                 goto end;
5497         }
5498 
5499         shutdown_ssl_connection(serverssl, clientssl);
5500         serverssl = clientssl = NULL;
5501         use_session_cb_cnt = psk_client_cb_cnt = 0;
5502     }
5503 
5504     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5505                                              NULL, NULL)))
5506         goto end;
5507 
5508     /* Create the PSK */
5509     cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
5510     clientpsk = SSL_SESSION_new();
5511     if (!TEST_ptr(clientpsk)
5512             || !TEST_ptr(cipher)
5513             || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5514                                                       sizeof(key)))
5515             || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5516             || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5517                                                            TLS1_3_VERSION))
5518             || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
5519         goto end;
5520     serverpsk = clientpsk;
5521 
5522     /* Check we can create a connection and the PSK is used */
5523     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5524             || !TEST_true(SSL_session_reused(clientssl))
5525             || !TEST_true(SSL_session_reused(serverssl)))
5526         goto end;
5527 
5528     if (idx == 0 || idx == 1) {
5529         if (!TEST_true(use_session_cb_cnt == 1)
5530                 || !TEST_true(find_session_cb_cnt == 1)
5531                 || !TEST_true(psk_client_cb_cnt == 0)
5532                 || !TEST_true(psk_server_cb_cnt == 0))
5533             goto end;
5534     } else {
5535         if (!TEST_true(use_session_cb_cnt == 0)
5536                 || !TEST_true(find_session_cb_cnt == 0)
5537                 || !TEST_true(psk_client_cb_cnt == 1)
5538                 || !TEST_true(psk_server_cb_cnt == 1))
5539             goto end;
5540     }
5541 
5542     shutdown_ssl_connection(serverssl, clientssl);
5543     serverssl = clientssl = NULL;
5544     use_session_cb_cnt = find_session_cb_cnt = 0;
5545     psk_client_cb_cnt = psk_server_cb_cnt = 0;
5546 
5547     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5548                                              NULL, NULL)))
5549         goto end;
5550 
5551     /* Force an HRR */
5552 #if defined(OPENSSL_NO_EC)
5553     if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5554         goto end;
5555 #else
5556     if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
5557         goto end;
5558 #endif
5559 
5560     /*
5561      * Check we can create a connection, the PSK is used and the callbacks are
5562      * called twice.
5563      */
5564     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5565             || !TEST_true(SSL_session_reused(clientssl))
5566             || !TEST_true(SSL_session_reused(serverssl)))
5567         goto end;
5568 
5569     if (idx == 0 || idx == 1) {
5570         if (!TEST_true(use_session_cb_cnt == 2)
5571                 || !TEST_true(find_session_cb_cnt == 2)
5572                 || !TEST_true(psk_client_cb_cnt == 0)
5573                 || !TEST_true(psk_server_cb_cnt == 0))
5574             goto end;
5575     } else {
5576         if (!TEST_true(use_session_cb_cnt == 0)
5577                 || !TEST_true(find_session_cb_cnt == 0)
5578                 || !TEST_true(psk_client_cb_cnt == 2)
5579                 || !TEST_true(psk_server_cb_cnt == 2))
5580             goto end;
5581     }
5582 
5583     shutdown_ssl_connection(serverssl, clientssl);
5584     serverssl = clientssl = NULL;
5585     use_session_cb_cnt = find_session_cb_cnt = 0;
5586     psk_client_cb_cnt = psk_server_cb_cnt = 0;
5587 
5588     if (idx != 3) {
5589         /*
5590          * Check that if the server rejects the PSK we can still connect, but with
5591          * a full handshake
5592          */
5593         srvid = "Dummy Identity";
5594         if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5595                                                  NULL, NULL))
5596                 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5597                                                     SSL_ERROR_NONE))
5598                 || !TEST_false(SSL_session_reused(clientssl))
5599                 || !TEST_false(SSL_session_reused(serverssl)))
5600             goto end;
5601 
5602         if (idx == 0 || idx == 1) {
5603             if (!TEST_true(use_session_cb_cnt == 1)
5604                     || !TEST_true(find_session_cb_cnt == 1)
5605                     || !TEST_true(psk_client_cb_cnt == 0)
5606                        /*
5607                         * If no old style callback then below should be 0
5608                         * otherwise 1
5609                         */
5610                     || !TEST_true(psk_server_cb_cnt == idx))
5611                 goto end;
5612         } else {
5613             if (!TEST_true(use_session_cb_cnt == 0)
5614                     || !TEST_true(find_session_cb_cnt == 0)
5615                     || !TEST_true(psk_client_cb_cnt == 1)
5616                     || !TEST_true(psk_server_cb_cnt == 1))
5617                 goto end;
5618         }
5619 
5620         shutdown_ssl_connection(serverssl, clientssl);
5621         serverssl = clientssl = NULL;
5622     }
5623     testresult = 1;
5624 
5625  end:
5626     SSL_SESSION_free(clientpsk);
5627     SSL_SESSION_free(serverpsk);
5628     clientpsk = serverpsk = NULL;
5629     SSL_free(serverssl);
5630     SSL_free(clientssl);
5631     SSL_CTX_free(sctx);
5632     SSL_CTX_free(cctx);
5633     return testresult;
5634 }
5635 
5636 static unsigned char cookie_magic_value[] = "cookie magic";
5637 
5638 static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5639                                     unsigned int *cookie_len)
5640 {
5641     /*
5642      * Not suitable as a real cookie generation function but good enough for
5643      * testing!
5644      */
5645     memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5646     *cookie_len = sizeof(cookie_magic_value) - 1;
5647 
5648     return 1;
5649 }
5650 
5651 static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5652                                   unsigned int cookie_len)
5653 {
5654     if (cookie_len == sizeof(cookie_magic_value) - 1
5655         && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5656         return 1;
5657 
5658     return 0;
5659 }
5660 
5661 static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5662                                         size_t *cookie_len)
5663 {
5664     unsigned int temp;
5665     int res = generate_cookie_callback(ssl, cookie, &temp);
5666     *cookie_len = temp;
5667     return res;
5668 }
5669 
5670 static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5671                                       size_t cookie_len)
5672 {
5673     return verify_cookie_callback(ssl, cookie, cookie_len);
5674 }
5675 
5676 static int test_stateless(void)
5677 {
5678     SSL_CTX *sctx = NULL, *cctx = NULL;
5679     SSL *serverssl = NULL, *clientssl = NULL;
5680     int testresult = 0;
5681 
5682     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5683                                        TLS_client_method(), TLS1_VERSION, 0,
5684                                        &sctx, &cctx, cert, privkey)))
5685         goto end;
5686 
5687     /* The arrival of CCS messages can confuse the test */
5688     SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5689 
5690     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5691                                       NULL, NULL))
5692                /* Send the first ClientHello */
5693             || !TEST_false(create_ssl_connection(serverssl, clientssl,
5694                                                  SSL_ERROR_WANT_READ))
5695                /*
5696                 * This should fail with a -1 return because we have no callbacks
5697                 * set up
5698                 */
5699             || !TEST_int_eq(SSL_stateless(serverssl), -1))
5700         goto end;
5701 
5702     /* Fatal error so abandon the connection from this client */
5703     SSL_free(clientssl);
5704     clientssl = NULL;
5705 
5706     /* Set up the cookie generation and verification callbacks */
5707     SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5708     SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
5709 
5710     /*
5711      * Create a new connection from the client (we can reuse the server SSL
5712      * object).
5713      */
5714     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5715                                              NULL, NULL))
5716                /* Send the first ClientHello */
5717             || !TEST_false(create_ssl_connection(serverssl, clientssl,
5718                                                 SSL_ERROR_WANT_READ))
5719                /* This should fail because there is no cookie */
5720             || !TEST_int_eq(SSL_stateless(serverssl), 0))
5721         goto end;
5722 
5723     /* Abandon the connection from this client */
5724     SSL_free(clientssl);
5725     clientssl = NULL;
5726 
5727     /*
5728      * Now create a connection from a new client but with the same server SSL
5729      * object
5730      */
5731     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5732                                              NULL, NULL))
5733                /* Send the first ClientHello */
5734             || !TEST_false(create_ssl_connection(serverssl, clientssl,
5735                                                 SSL_ERROR_WANT_READ))
5736                /* This should fail because there is no cookie */
5737             || !TEST_int_eq(SSL_stateless(serverssl), 0)
5738                /* Send the second ClientHello */
5739             || !TEST_false(create_ssl_connection(serverssl, clientssl,
5740                                                 SSL_ERROR_WANT_READ))
5741                /* This should succeed because a cookie is now present */
5742             || !TEST_int_eq(SSL_stateless(serverssl), 1)
5743                /* Complete the connection */
5744             || !TEST_true(create_ssl_connection(serverssl, clientssl,
5745                                                 SSL_ERROR_NONE)))
5746         goto end;
5747 
5748     shutdown_ssl_connection(serverssl, clientssl);
5749     serverssl = clientssl = NULL;
5750     testresult = 1;
5751 
5752  end:
5753     SSL_free(serverssl);
5754     SSL_free(clientssl);
5755     SSL_CTX_free(sctx);
5756     SSL_CTX_free(cctx);
5757     return testresult;
5758 
5759 }
5760 #endif /* OSSL_NO_USABLE_TLS1_3 */
5761 
5762 static int clntaddoldcb = 0;
5763 static int clntparseoldcb = 0;
5764 static int srvaddoldcb = 0;
5765 static int srvparseoldcb = 0;
5766 static int clntaddnewcb = 0;
5767 static int clntparsenewcb = 0;
5768 static int srvaddnewcb = 0;
5769 static int srvparsenewcb = 0;
5770 static int snicb = 0;
5771 
5772 #define TEST_EXT_TYPE1  0xff00
5773 
5774 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5775                       size_t *outlen, int *al, void *add_arg)
5776 {
5777     int *server = (int *)add_arg;
5778     unsigned char *data;
5779 
5780     if (SSL_is_server(s))
5781         srvaddoldcb++;
5782     else
5783         clntaddoldcb++;
5784 
5785     if (*server != SSL_is_server(s)
5786             || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5787         return -1;
5788 
5789     *data = 1;
5790     *out = data;
5791     *outlen = sizeof(char);
5792     return 1;
5793 }
5794 
5795 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5796                         void *add_arg)
5797 {
5798     OPENSSL_free((unsigned char *)out);
5799 }
5800 
5801 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5802                         size_t inlen, int *al, void *parse_arg)
5803 {
5804     int *server = (int *)parse_arg;
5805 
5806     if (SSL_is_server(s))
5807         srvparseoldcb++;
5808     else
5809         clntparseoldcb++;
5810 
5811     if (*server != SSL_is_server(s)
5812             || inlen != sizeof(char)
5813             || *in != 1)
5814         return -1;
5815 
5816     return 1;
5817 }
5818 
5819 static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5820                       const unsigned char **out, size_t *outlen, X509 *x,
5821                       size_t chainidx, int *al, void *add_arg)
5822 {
5823     int *server = (int *)add_arg;
5824     unsigned char *data;
5825 
5826     if (SSL_is_server(s))
5827         srvaddnewcb++;
5828     else
5829         clntaddnewcb++;
5830 
5831     if (*server != SSL_is_server(s)
5832             || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
5833         return -1;
5834 
5835     *data = 1;
5836     *out = data;
5837     *outlen = sizeof(*data);
5838     return 1;
5839 }
5840 
5841 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5842                         const unsigned char *out, void *add_arg)
5843 {
5844     OPENSSL_free((unsigned char *)out);
5845 }
5846 
5847 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5848                         const unsigned char *in, size_t inlen, X509 *x,
5849                         size_t chainidx, int *al, void *parse_arg)
5850 {
5851     int *server = (int *)parse_arg;
5852 
5853     if (SSL_is_server(s))
5854         srvparsenewcb++;
5855     else
5856         clntparsenewcb++;
5857 
5858     if (*server != SSL_is_server(s)
5859             || inlen != sizeof(char) || *in != 1)
5860         return -1;
5861 
5862     return 1;
5863 }
5864 
5865 static int sni_cb(SSL *s, int *al, void *arg)
5866 {
5867     SSL_CTX *ctx = (SSL_CTX *)arg;
5868 
5869     if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5870         *al = SSL_AD_INTERNAL_ERROR;
5871         return SSL_TLSEXT_ERR_ALERT_FATAL;
5872     }
5873     snicb++;
5874     return SSL_TLSEXT_ERR_OK;
5875 }
5876 
5877 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5878 {
5879     return 1;
5880 }
5881 
5882 /*
5883  * Custom call back tests.
5884  * Test 0: Old style callbacks in TLSv1.2
5885  * Test 1: New style callbacks in TLSv1.2
5886  * Test 2: New style callbacks in TLSv1.2 with SNI
5887  * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5888  * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
5889  * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
5890  */
5891 static int test_custom_exts(int tst)
5892 {
5893     SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5894     SSL *clientssl = NULL, *serverssl = NULL;
5895     int testresult = 0;
5896     static int server = 1;
5897     static int client = 0;
5898     SSL_SESSION *sess = NULL;
5899     unsigned int context;
5900 
5901 #if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
5902     /* Skip tests for TLSv1.2 and below in this case */
5903     if (tst < 3)
5904         return 1;
5905 #endif
5906 
5907     /* Reset callback counters */
5908     clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5909     clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
5910     snicb = 0;
5911 
5912     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5913                                        TLS_client_method(), TLS1_VERSION, 0,
5914                                        &sctx, &cctx, cert, privkey)))
5915         goto end;
5916 
5917     if (tst == 2
5918             && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5919                                               TLS1_VERSION, 0,
5920                                               &sctx2, NULL, cert, privkey)))
5921         goto end;
5922 
5923 
5924     if (tst < 3) {
5925         SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5926         SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
5927         if (sctx2 != NULL)
5928             SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
5929     }
5930 
5931     if (tst == 5) {
5932         context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
5933                   | SSL_EXT_TLS1_3_CERTIFICATE;
5934         SSL_CTX_set_verify(sctx,
5935                            SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
5936                            verify_cb);
5937         if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
5938                                                       SSL_FILETYPE_PEM), 1)
5939                 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
5940                                                             SSL_FILETYPE_PEM), 1)
5941                 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
5942             goto end;
5943     } else if (tst == 4) {
5944         context = SSL_EXT_CLIENT_HELLO
5945                   | SSL_EXT_TLS1_2_SERVER_HELLO
5946                   | SSL_EXT_TLS1_3_SERVER_HELLO
5947                   | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5948                   | SSL_EXT_TLS1_3_CERTIFICATE
5949                   | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5950     } else {
5951         context = SSL_EXT_CLIENT_HELLO
5952                   | SSL_EXT_TLS1_2_SERVER_HELLO
5953                   | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5954     }
5955 
5956     /* Create a client side custom extension */
5957     if (tst == 0) {
5958         if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5959                                                      old_add_cb, old_free_cb,
5960                                                      &client, old_parse_cb,
5961                                                      &client)))
5962             goto end;
5963     } else {
5964         if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5965                                               new_add_cb, new_free_cb,
5966                                               &client, new_parse_cb, &client)))
5967             goto end;
5968     }
5969 
5970     /* Should not be able to add duplicates */
5971     if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5972                                                   old_add_cb, old_free_cb,
5973                                                   &client, old_parse_cb,
5974                                                   &client))
5975             || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5976                                                   context, new_add_cb,
5977                                                   new_free_cb, &client,
5978                                                   new_parse_cb, &client)))
5979         goto end;
5980 
5981     /* Create a server side custom extension */
5982     if (tst == 0) {
5983         if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5984                                                      old_add_cb, old_free_cb,
5985                                                      &server, old_parse_cb,
5986                                                      &server)))
5987             goto end;
5988     } else {
5989         if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5990                                               new_add_cb, new_free_cb,
5991                                               &server, new_parse_cb, &server)))
5992             goto end;
5993         if (sctx2 != NULL
5994                 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5995                                                      context, new_add_cb,
5996                                                      new_free_cb, &server,
5997                                                      new_parse_cb, &server)))
5998             goto end;
5999     }
6000 
6001     /* Should not be able to add duplicates */
6002     if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
6003                                                   old_add_cb, old_free_cb,
6004                                                   &server, old_parse_cb,
6005                                                   &server))
6006             || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
6007                                                   context, new_add_cb,
6008                                                   new_free_cb, &server,
6009                                                   new_parse_cb, &server)))
6010         goto end;
6011 
6012     if (tst == 2) {
6013         /* Set up SNI */
6014         if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
6015                 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
6016             goto end;
6017     }
6018 
6019     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6020                                       &clientssl, NULL, NULL))
6021             || !TEST_true(create_ssl_connection(serverssl, clientssl,
6022                                                 SSL_ERROR_NONE)))
6023         goto end;
6024 
6025     if (tst == 0) {
6026         if (clntaddoldcb != 1
6027                 || clntparseoldcb != 1
6028                 || srvaddoldcb != 1
6029                 || srvparseoldcb != 1)
6030             goto end;
6031     } else if (tst == 1 || tst == 2 || tst == 3) {
6032         if (clntaddnewcb != 1
6033                 || clntparsenewcb != 1
6034                 || srvaddnewcb != 1
6035                 || srvparsenewcb != 1
6036                 || (tst != 2 && snicb != 0)
6037                 || (tst == 2 && snicb != 1))
6038             goto end;
6039     } else if (tst == 5) {
6040         if (clntaddnewcb != 1
6041                 || clntparsenewcb != 1
6042                 || srvaddnewcb != 1
6043                 || srvparsenewcb != 1)
6044             goto end;
6045     } else {
6046         /* In this case there 2 NewSessionTicket messages created */
6047         if (clntaddnewcb != 1
6048                 || clntparsenewcb != 5
6049                 || srvaddnewcb != 5
6050                 || srvparsenewcb != 1)
6051             goto end;
6052     }
6053 
6054     sess = SSL_get1_session(clientssl);
6055     SSL_shutdown(clientssl);
6056     SSL_shutdown(serverssl);
6057     SSL_free(serverssl);
6058     SSL_free(clientssl);
6059     serverssl = clientssl = NULL;
6060 
6061     if (tst == 3 || tst == 5) {
6062         /* We don't bother with the resumption aspects for these tests */
6063         testresult = 1;
6064         goto end;
6065     }
6066 
6067     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6068                                       NULL, NULL))
6069             || !TEST_true(SSL_set_session(clientssl, sess))
6070             || !TEST_true(create_ssl_connection(serverssl, clientssl,
6071                                                SSL_ERROR_NONE)))
6072         goto end;
6073 
6074     /*
6075      * For a resumed session we expect to add the ClientHello extension. For the
6076      * old style callbacks we ignore it on the server side because they set
6077      * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
6078      * them.
6079      */
6080     if (tst == 0) {
6081         if (clntaddoldcb != 2
6082                 || clntparseoldcb != 1
6083                 || srvaddoldcb != 1
6084                 || srvparseoldcb != 1)
6085             goto end;
6086     } else if (tst == 1 || tst == 2 || tst == 3) {
6087         if (clntaddnewcb != 2
6088                 || clntparsenewcb != 2
6089                 || srvaddnewcb != 2
6090                 || srvparsenewcb != 2)
6091             goto end;
6092     } else {
6093         /*
6094          * No Certificate message extensions in the resumption handshake,
6095          * 2 NewSessionTickets in the initial handshake, 1 in the resumption
6096          */
6097         if (clntaddnewcb != 2
6098                 || clntparsenewcb != 8
6099                 || srvaddnewcb != 8
6100                 || srvparsenewcb != 2)
6101             goto end;
6102     }
6103 
6104     testresult = 1;
6105 
6106 end:
6107     SSL_SESSION_free(sess);
6108     SSL_free(serverssl);
6109     SSL_free(clientssl);
6110     SSL_CTX_free(sctx2);
6111     SSL_CTX_free(sctx);
6112     SSL_CTX_free(cctx);
6113     return testresult;
6114 }
6115 
6116 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
6117 
6118 #define  SYNTHV1CONTEXT     (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
6119                              | SSL_EXT_CLIENT_HELLO \
6120                              | SSL_EXT_TLS1_2_SERVER_HELLO \
6121                              | SSL_EXT_IGNORE_ON_RESUMPTION)
6122 
6123 #define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
6124                       | SSL_EXT_TLS1_2_SERVER_HELLO \
6125                       | SSL_EXT_CLIENT_HELLO)
6126 
6127 #define SERVERINFO_CUSTOM                                 \
6128     0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
6129     0x00, 0x03,                                           \
6130     0x04, 0x05, 0x06                                      \
6131 
6132 static const unsigned char serverinfo_custom_tls13[] = {
6133     0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff,
6134     SERVERINFO_CUSTOM
6135 };
6136 static const unsigned char serverinfo_custom_v2[] = {
6137     0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff,  SYNTHV1CONTEXT & 0xff,
6138     SERVERINFO_CUSTOM
6139 };
6140 static const unsigned char serverinfo_custom_v1[] = {
6141     SERVERINFO_CUSTOM
6142 };
6143 static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13);
6144 static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2);
6145 static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1);
6146 
6147 static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type,
6148                                       unsigned int context,
6149                                       const unsigned char *in,
6150                                       size_t inlen, X509 *x,
6151                                       size_t chainidx, int *al,
6152                                       void *parse_arg)
6153 {
6154     const size_t len = serverinfo_custom_v1_len;
6155     const unsigned char *si = &serverinfo_custom_v1[len - 3];
6156     int *p_cb_result = (int*)parse_arg;
6157     *p_cb_result = TEST_mem_eq(in, inlen, si, 3);
6158     return 1;
6159 }
6160 
6161 static int test_serverinfo_custom(const int idx)
6162 {
6163     SSL_CTX *sctx = NULL, *cctx = NULL;
6164     SSL *clientssl = NULL, *serverssl = NULL;
6165     int testresult = 0;
6166     int cb_result = 0;
6167 
6168     /*
6169      * Following variables are set in the switch statement
6170      *  according to the test iteration.
6171      * Default values do not make much sense: test would fail with them.
6172      */
6173     int serverinfo_version = 0;
6174     int protocol_version = 0;
6175     unsigned int extension_context = 0;
6176     const unsigned char *si = NULL;
6177     size_t si_len = 0;
6178 
6179     const int call_use_serverinfo_ex = idx > 0;
6180     switch (idx) {
6181     case 0: /* FALLTHROUGH */
6182     case 1:
6183         serverinfo_version = SSL_SERVERINFOV1;
6184         protocol_version = TLS1_2_VERSION;
6185         extension_context = SYNTHV1CONTEXT;
6186         si = serverinfo_custom_v1;
6187         si_len = serverinfo_custom_v1_len;
6188         break;
6189     case 2:
6190         serverinfo_version = SSL_SERVERINFOV2;
6191         protocol_version = TLS1_2_VERSION;
6192         extension_context = SYNTHV1CONTEXT;
6193         si = serverinfo_custom_v2;
6194         si_len = serverinfo_custom_v2_len;
6195         break;
6196     case 3:
6197         serverinfo_version = SSL_SERVERINFOV2;
6198         protocol_version = TLS1_3_VERSION;
6199         extension_context = TLS13CONTEXT;
6200         si = serverinfo_custom_tls13;
6201         si_len = serverinfo_custom_tls13_len;
6202         break;
6203     }
6204 
6205     if (!TEST_true(create_ssl_ctx_pair(libctx,
6206                                        TLS_method(),
6207                                        TLS_method(),
6208                                        protocol_version,
6209                                        protocol_version,
6210                                        &sctx, &cctx, cert, privkey)))
6211         goto end;
6212 
6213     if (call_use_serverinfo_ex) {
6214         if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version,
6215                                                  si, si_len)))
6216             goto end;
6217     } else {
6218         if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len)))
6219             goto end;
6220     }
6221 
6222     if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp,
6223                                           extension_context,
6224                                           NULL, NULL, NULL,
6225                                           serverinfo_custom_parse_cb,
6226                                           &cb_result))
6227         || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6228                                          NULL, NULL))
6229         || !TEST_true(create_ssl_connection(serverssl, clientssl,
6230                                             SSL_ERROR_NONE))
6231         || !TEST_int_eq(SSL_do_handshake(clientssl), 1))
6232         goto end;
6233 
6234     if (!TEST_true(cb_result))
6235         goto end;
6236 
6237     testresult = 1;
6238 
6239  end:
6240     SSL_free(serverssl);
6241     SSL_free(clientssl);
6242     SSL_CTX_free(sctx);
6243     SSL_CTX_free(cctx);
6244 
6245     return testresult;
6246 }
6247 #endif
6248 
6249 /*
6250  * Test that SSL_export_keying_material() produces expected results. There are
6251  * no test vectors so all we do is test that both sides of the communication
6252  * produce the same results for different protocol versions.
6253  */
6254 #define SMALL_LABEL_LEN 10
6255 #define LONG_LABEL_LEN  249
6256 static int test_export_key_mat(int tst)
6257 {
6258     int testresult = 0;
6259     SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6260     SSL *clientssl = NULL, *serverssl = NULL;
6261     const char label[LONG_LABEL_LEN + 1] = "test label";
6262     const unsigned char context[] = "context";
6263     const unsigned char *emptycontext = NULL;
6264     unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
6265     unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
6266     size_t labellen;
6267     const int protocols[] = {
6268         TLS1_VERSION,
6269         TLS1_1_VERSION,
6270         TLS1_2_VERSION,
6271         TLS1_3_VERSION,
6272         TLS1_3_VERSION,
6273         TLS1_3_VERSION
6274     };
6275 
6276 #ifdef OPENSSL_NO_TLS1
6277     if (tst == 0)
6278         return 1;
6279 #endif
6280 #ifdef OPENSSL_NO_TLS1_1
6281     if (tst == 1)
6282         return 1;
6283 #endif
6284     if (is_fips && (tst == 0 || tst == 1))
6285         return 1;
6286 #ifdef OPENSSL_NO_TLS1_2
6287     if (tst == 2)
6288         return 1;
6289 #endif
6290 #ifdef OSSL_NO_USABLE_TLS1_3
6291     if (tst >= 3)
6292         return 1;
6293 #endif
6294     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6295                                        TLS_client_method(), TLS1_VERSION, 0,
6296                                        &sctx, &cctx, cert, privkey)))
6297         goto end;
6298 
6299     OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
6300     SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
6301     SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
6302     if ((protocols[tst] < TLS1_2_VERSION) &&
6303         (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
6304         || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
6305         goto end;
6306 
6307     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6308                                       NULL)))
6309         goto end;
6310 
6311     /*
6312      * Premature call of SSL_export_keying_material should just fail.
6313      */
6314     if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6315                                                 sizeof(ckeymat1), label,
6316                                                 SMALL_LABEL_LEN + 1, context,
6317                                                 sizeof(context) - 1, 1), 0))
6318         goto end;
6319 
6320     if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6321                                          SSL_ERROR_NONE)))
6322         goto end;
6323 
6324     if (tst == 5) {
6325         /*
6326          * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
6327          * go over that.
6328          */
6329         if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6330                                                     sizeof(ckeymat1), label,
6331                                                     LONG_LABEL_LEN + 1, context,
6332                                                     sizeof(context) - 1, 1), 0))
6333             goto end;
6334 
6335         testresult = 1;
6336         goto end;
6337     } else if (tst == 4) {
6338         labellen = LONG_LABEL_LEN;
6339     } else {
6340         labellen = SMALL_LABEL_LEN;
6341     }
6342 
6343     if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
6344                                                 sizeof(ckeymat1), label,
6345                                                 labellen, context,
6346                                                 sizeof(context) - 1, 1), 1)
6347             || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
6348                                                        sizeof(ckeymat2), label,
6349                                                        labellen,
6350                                                        emptycontext,
6351                                                        0, 1), 1)
6352             || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
6353                                                        sizeof(ckeymat3), label,
6354                                                        labellen,
6355                                                        NULL, 0, 0), 1)
6356             || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
6357                                                        sizeof(skeymat1), label,
6358                                                        labellen,
6359                                                        context,
6360                                                        sizeof(context) -1, 1),
6361                             1)
6362             || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
6363                                                        sizeof(skeymat2), label,
6364                                                        labellen,
6365                                                        emptycontext,
6366                                                        0, 1), 1)
6367             || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
6368                                                        sizeof(skeymat3), label,
6369                                                        labellen,
6370                                                        NULL, 0, 0), 1)
6371                /*
6372                 * Check that both sides created the same key material with the
6373                 * same context.
6374                 */
6375             || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6376                             sizeof(skeymat1))
6377                /*
6378                 * Check that both sides created the same key material with an
6379                 * empty context.
6380                 */
6381             || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6382                             sizeof(skeymat2))
6383                /*
6384                 * Check that both sides created the same key material without a
6385                 * context.
6386                 */
6387             || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6388                             sizeof(skeymat3))
6389                /* Different contexts should produce different results */
6390             || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6391                             sizeof(ckeymat2)))
6392         goto end;
6393 
6394     /*
6395      * Check that an empty context and no context produce different results in
6396      * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6397      */
6398     if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
6399                                   sizeof(ckeymat3)))
6400             || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6401                                          sizeof(ckeymat3))))
6402         goto end;
6403 
6404     testresult = 1;
6405 
6406  end:
6407     SSL_free(serverssl);
6408     SSL_free(clientssl);
6409     SSL_CTX_free(sctx2);
6410     SSL_CTX_free(sctx);
6411     SSL_CTX_free(cctx);
6412 
6413     return testresult;
6414 }
6415 
6416 #ifndef OSSL_NO_USABLE_TLS1_3
6417 /*
6418  * Test that SSL_export_keying_material_early() produces expected
6419  * results. There are no test vectors so all we do is test that both
6420  * sides of the communication produce the same results for different
6421  * protocol versions.
6422  */
6423 static int test_export_key_mat_early(int idx)
6424 {
6425     static const char label[] = "test label";
6426     static const unsigned char context[] = "context";
6427     int testresult = 0;
6428     SSL_CTX *cctx = NULL, *sctx = NULL;
6429     SSL *clientssl = NULL, *serverssl = NULL;
6430     SSL_SESSION *sess = NULL;
6431     const unsigned char *emptycontext = NULL;
6432     unsigned char ckeymat1[80], ckeymat2[80];
6433     unsigned char skeymat1[80], skeymat2[80];
6434     unsigned char buf[1];
6435     size_t readbytes, written;
6436 
6437     if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6438                                         &sess, idx, SHA384_DIGEST_LENGTH)))
6439         goto end;
6440 
6441     /* Here writing 0 length early data is enough. */
6442     if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6443             || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6444                                                 &readbytes),
6445                             SSL_READ_EARLY_DATA_ERROR)
6446             || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6447                             SSL_EARLY_DATA_ACCEPTED))
6448         goto end;
6449 
6450     if (!TEST_int_eq(SSL_export_keying_material_early(
6451                      clientssl, ckeymat1, sizeof(ckeymat1), label,
6452                      sizeof(label) - 1, context, sizeof(context) - 1), 1)
6453             || !TEST_int_eq(SSL_export_keying_material_early(
6454                             clientssl, ckeymat2, sizeof(ckeymat2), label,
6455                             sizeof(label) - 1, emptycontext, 0), 1)
6456             || !TEST_int_eq(SSL_export_keying_material_early(
6457                             serverssl, skeymat1, sizeof(skeymat1), label,
6458                             sizeof(label) - 1, context, sizeof(context) - 1), 1)
6459             || !TEST_int_eq(SSL_export_keying_material_early(
6460                             serverssl, skeymat2, sizeof(skeymat2), label,
6461                             sizeof(label) - 1, emptycontext, 0), 1)
6462                /*
6463                 * Check that both sides created the same key material with the
6464                 * same context.
6465                 */
6466             || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6467                             sizeof(skeymat1))
6468                /*
6469                 * Check that both sides created the same key material with an
6470                 * empty context.
6471                 */
6472             || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6473                             sizeof(skeymat2))
6474                /* Different contexts should produce different results */
6475             || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6476                             sizeof(ckeymat2)))
6477         goto end;
6478 
6479     testresult = 1;
6480 
6481  end:
6482     SSL_SESSION_free(sess);
6483     SSL_SESSION_free(clientpsk);
6484     SSL_SESSION_free(serverpsk);
6485     clientpsk = serverpsk = NULL;
6486     SSL_free(serverssl);
6487     SSL_free(clientssl);
6488     SSL_CTX_free(sctx);
6489     SSL_CTX_free(cctx);
6490 
6491     return testresult;
6492 }
6493 
6494 #define NUM_KEY_UPDATE_MESSAGES 40
6495 /*
6496  * Test KeyUpdate.
6497  */
6498 static int test_key_update(void)
6499 {
6500     SSL_CTX *cctx = NULL, *sctx = NULL;
6501     SSL *clientssl = NULL, *serverssl = NULL;
6502     int testresult = 0, i, j;
6503     char buf[20];
6504     static char *mess = "A test message";
6505 
6506     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6507                                        TLS_client_method(),
6508                                        TLS1_3_VERSION,
6509                                        0,
6510                                        &sctx, &cctx, cert, privkey))
6511             || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6512                                              NULL, NULL))
6513             || !TEST_true(create_ssl_connection(serverssl, clientssl,
6514                                                 SSL_ERROR_NONE)))
6515         goto end;
6516 
6517     for (j = 0; j < 2; j++) {
6518         /* Send lots of KeyUpdate messages */
6519         for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6520             if (!TEST_true(SSL_key_update(clientssl,
6521                                           (j == 0)
6522                                           ? SSL_KEY_UPDATE_NOT_REQUESTED
6523                                           : SSL_KEY_UPDATE_REQUESTED))
6524                     || !TEST_true(SSL_do_handshake(clientssl)))
6525                 goto end;
6526         }
6527 
6528         /* Check that sending and receiving app data is ok */
6529         if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6530                 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6531                                          strlen(mess)))
6532             goto end;
6533 
6534         if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6535                 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6536                                          strlen(mess)))
6537             goto end;
6538     }
6539 
6540     testresult = 1;
6541 
6542  end:
6543     SSL_free(serverssl);
6544     SSL_free(clientssl);
6545     SSL_CTX_free(sctx);
6546     SSL_CTX_free(cctx);
6547 
6548     return testresult;
6549 }
6550 
6551 /*
6552  * Test we can handle a KeyUpdate (update requested) message while
6553  * write data is pending in peer.
6554  * Test 0: Client sends KeyUpdate while Server is writing
6555  * Test 1: Server sends KeyUpdate while Client is writing
6556  */
6557 static int test_key_update_peer_in_write(int tst)
6558 {
6559     SSL_CTX *cctx = NULL, *sctx = NULL;
6560     SSL *clientssl = NULL, *serverssl = NULL;
6561     int testresult = 0;
6562     char buf[20];
6563     static char *mess = "A test message";
6564     BIO *bretry = BIO_new(bio_s_always_retry());
6565     BIO *tmp = NULL;
6566     SSL *peerupdate = NULL, *peerwrite = NULL;
6567 
6568     if (!TEST_ptr(bretry)
6569             || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6570                                               TLS_client_method(),
6571                                               TLS1_3_VERSION,
6572                                               0,
6573                                               &sctx, &cctx, cert, privkey))
6574             || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6575                                              NULL, NULL))
6576             || !TEST_true(create_ssl_connection(serverssl, clientssl,
6577                                                 SSL_ERROR_NONE)))
6578         goto end;
6579 
6580     peerupdate = tst == 0 ? clientssl : serverssl;
6581     peerwrite = tst == 0 ? serverssl : clientssl;
6582 
6583     if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
6584             || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
6585         goto end;
6586 
6587     /* Swap the writing endpoint's write BIO to force a retry */
6588     tmp = SSL_get_wbio(peerwrite);
6589     if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6590         tmp = NULL;
6591         goto end;
6592     }
6593     SSL_set0_wbio(peerwrite, bretry);
6594     bretry = NULL;
6595 
6596     /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6597     if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6598             || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
6599         goto end;
6600 
6601     /* Reinstate the original writing endpoint's write BIO */
6602     SSL_set0_wbio(peerwrite, tmp);
6603     tmp = NULL;
6604 
6605     /* Now read some data - we will read the key update */
6606     if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6607             || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
6608         goto end;
6609 
6610     /*
6611      * Complete the write we started previously and read it from the other
6612      * endpoint
6613      */
6614     if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6615             || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6616         goto end;
6617 
6618     /* Write more data to ensure we send the KeyUpdate message back */
6619     if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6620             || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6621         goto end;
6622 
6623     testresult = 1;
6624 
6625  end:
6626     SSL_free(serverssl);
6627     SSL_free(clientssl);
6628     SSL_CTX_free(sctx);
6629     SSL_CTX_free(cctx);
6630     BIO_free(bretry);
6631     BIO_free(tmp);
6632 
6633     return testresult;
6634 }
6635 
6636 /*
6637  * Test we can handle a KeyUpdate (update requested) message while
6638  * peer read data is pending after peer accepted keyupdate(the msg header
6639  * had been read 5 bytes).
6640  * Test 0: Client sends KeyUpdate while Server is reading
6641  * Test 1: Server sends KeyUpdate while Client is reading
6642  */
6643 static int test_key_update_peer_in_read(int tst)
6644 {
6645     SSL_CTX *cctx = NULL, *sctx = NULL;
6646     SSL *clientssl = NULL, *serverssl = NULL;
6647     int testresult = 0;
6648     char prbuf[515], lwbuf[515] = {0};
6649     static char *mess = "A test message";
6650     BIO *lbio = NULL, *pbio = NULL;
6651     SSL *local = NULL, *peer = NULL;
6652 
6653     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6654                                               TLS_client_method(),
6655                                               TLS1_3_VERSION,
6656                                               0,
6657                                               &sctx, &cctx, cert, privkey))
6658             || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6659                                              NULL, NULL))
6660             || !TEST_true(create_ssl_connection(serverssl, clientssl,
6661                                                 SSL_ERROR_NONE)))
6662         goto end;
6663 
6664     local = tst == 0 ? clientssl : serverssl;
6665     peer = tst == 0 ? serverssl : clientssl;
6666 
6667     if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6668         goto end;
6669 
6670     SSL_set_bio(local, lbio, lbio);
6671     SSL_set_bio(peer, pbio, pbio);
6672 
6673     /*
6674      * we first write keyupdate msg then appdata in local
6675      * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6676      * lwbuf app data msg size + key updata msg size > 512(the size of
6677      * the bio pair buffer)
6678      */
6679     if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6680             || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6681             || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6682         goto end;
6683 
6684     /*
6685      * first read keyupdate msg in peer in peer
6686      * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6687      */
6688     if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6689             || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6690         goto end;
6691 
6692     /* Now write some data in peer - we will write the key update */
6693     if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6694         goto end;
6695 
6696     /*
6697      * write data in local previously that we will complete
6698      * read data in peer previously that we will complete
6699      */
6700     if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6701             || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6702         goto end;
6703 
6704     /* check that sending and receiving appdata ok */
6705     if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6706             || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6707         goto end;
6708 
6709     testresult = 1;
6710 
6711  end:
6712     SSL_free(serverssl);
6713     SSL_free(clientssl);
6714     SSL_CTX_free(sctx);
6715     SSL_CTX_free(cctx);
6716 
6717     return testresult;
6718 }
6719 
6720 /*
6721  * Test we can't send a KeyUpdate (update requested) message while
6722  * local write data is pending.
6723  * Test 0: Client sends KeyUpdate while Client is writing
6724  * Test 1: Server sends KeyUpdate while Server is writing
6725  */
6726 static int test_key_update_local_in_write(int tst)
6727 {
6728     SSL_CTX *cctx = NULL, *sctx = NULL;
6729     SSL *clientssl = NULL, *serverssl = NULL;
6730     int testresult = 0;
6731     char buf[20];
6732     static char *mess = "A test message";
6733     BIO *bretry = BIO_new(bio_s_always_retry());
6734     BIO *tmp = NULL;
6735     SSL *local = NULL, *peer = NULL;
6736 
6737     if (!TEST_ptr(bretry)
6738             || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6739                                               TLS_client_method(),
6740                                               TLS1_3_VERSION,
6741                                               0,
6742                                               &sctx, &cctx, cert, privkey))
6743             || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6744                                              NULL, NULL))
6745             || !TEST_true(create_ssl_connection(serverssl, clientssl,
6746                                                 SSL_ERROR_NONE)))
6747         goto end;
6748 
6749     local = tst == 0 ? clientssl : serverssl;
6750     peer = tst == 0 ? serverssl : clientssl;
6751 
6752     /* Swap the writing endpoint's write BIO to force a retry */
6753     tmp = SSL_get_wbio(local);
6754     if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6755         tmp = NULL;
6756         goto end;
6757     }
6758     SSL_set0_wbio(local, bretry);
6759     bretry = NULL;
6760 
6761     /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6762     if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6763             || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6764         goto end;
6765 
6766     /* Reinstate the original writing endpoint's write BIO */
6767     SSL_set0_wbio(local, tmp);
6768     tmp = NULL;
6769 
6770     /* SSL_key_update will fail, because writing in local*/
6771     if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6772         || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
6773     goto end;
6774 
6775     ERR_clear_error();
6776     /* write data in local previously that we will complete */
6777     if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
6778         goto end;
6779 
6780     /* SSL_key_update will succeed because there is no pending write data */
6781     if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6782         || !TEST_int_eq(SSL_do_handshake(local), 1))
6783         goto end;
6784 
6785     /*
6786      * we write some appdata in local
6787      * read data in peer - we will read the keyupdate msg
6788      */
6789     if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6790         || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
6791         goto end;
6792 
6793     /* Write more peer more data to ensure we send the keyupdate message back */
6794     if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6795             || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
6796         goto end;
6797 
6798     testresult = 1;
6799 
6800  end:
6801     SSL_free(serverssl);
6802     SSL_free(clientssl);
6803     SSL_CTX_free(sctx);
6804     SSL_CTX_free(cctx);
6805     BIO_free(bretry);
6806     BIO_free(tmp);
6807 
6808     return testresult;
6809 }
6810 
6811 /*
6812  * Test we can handle a KeyUpdate (update requested) message while
6813  * local read data is pending(the msg header had been read 5 bytes).
6814  * Test 0: Client sends KeyUpdate while Client is reading
6815  * Test 1: Server sends KeyUpdate while Server is reading
6816  */
6817 static int test_key_update_local_in_read(int tst)
6818 {
6819     SSL_CTX *cctx = NULL, *sctx = NULL;
6820     SSL *clientssl = NULL, *serverssl = NULL;
6821     int testresult = 0;
6822     char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
6823     static char *mess = "A test message";
6824     BIO *lbio = NULL, *pbio = NULL;
6825     SSL *local = NULL, *peer = NULL;
6826 
6827     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6828                                               TLS_client_method(),
6829                                               TLS1_3_VERSION,
6830                                               0,
6831                                               &sctx, &cctx, cert, privkey))
6832             || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6833                                              NULL, NULL))
6834             || !TEST_true(create_ssl_connection(serverssl, clientssl,
6835                                                 SSL_ERROR_NONE)))
6836         goto end;
6837 
6838     local = tst == 0 ? clientssl : serverssl;
6839     peer = tst == 0 ? serverssl : clientssl;
6840 
6841     if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6842         goto end;
6843 
6844     SSL_set_bio(local, lbio, lbio);
6845     SSL_set_bio(peer, pbio, pbio);
6846 
6847     /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6848     if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
6849         || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
6850         goto end;
6851 
6852     /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6853     if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
6854             || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
6855         goto end;
6856 
6857     /* SSL_do_handshake will send keyupdate msg */
6858     if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6859             || !TEST_int_eq(SSL_do_handshake(local), 1))
6860         goto end;
6861 
6862     /*
6863      * write data in peer previously that we will complete
6864      * read data in local previously that we will complete
6865      */
6866     if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
6867         || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
6868         goto end;
6869 
6870     /*
6871      * write data in local
6872      * read data in peer - we will read the key update
6873      */
6874     if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6875         || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6876         goto end;
6877 
6878   /* Write more peer data to ensure we send the keyupdate message back */
6879     if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6880             || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
6881         goto end;
6882 
6883     testresult = 1;
6884 
6885  end:
6886     SSL_free(serverssl);
6887     SSL_free(clientssl);
6888     SSL_CTX_free(sctx);
6889     SSL_CTX_free(cctx);
6890 
6891     return testresult;
6892 }
6893 #endif /* OSSL_NO_USABLE_TLS1_3 */
6894 
6895 static int test_ssl_clear(int idx)
6896 {
6897     SSL_CTX *cctx = NULL, *sctx = NULL;
6898     SSL *clientssl = NULL, *serverssl = NULL;
6899     int testresult = 0;
6900 
6901 #ifdef OPENSSL_NO_TLS1_2
6902     if (idx == 1)
6903         return 1;
6904 #endif
6905 
6906     /* Create an initial connection */
6907     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6908                                        TLS_client_method(), TLS1_VERSION, 0,
6909                                        &sctx, &cctx, cert, privkey))
6910             || (idx == 1
6911                 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
6912                                                             TLS1_2_VERSION)))
6913             || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6914                                           &clientssl, NULL, NULL))
6915             || !TEST_true(create_ssl_connection(serverssl, clientssl,
6916                                                 SSL_ERROR_NONE)))
6917         goto end;
6918 
6919     SSL_shutdown(clientssl);
6920     SSL_shutdown(serverssl);
6921     SSL_free(serverssl);
6922     serverssl = NULL;
6923 
6924     /* Clear clientssl - we're going to reuse the object */
6925     if (!TEST_true(SSL_clear(clientssl)))
6926         goto end;
6927 
6928     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6929                                              NULL, NULL))
6930             || !TEST_true(create_ssl_connection(serverssl, clientssl,
6931                                                 SSL_ERROR_NONE))
6932             || !TEST_true(SSL_session_reused(clientssl)))
6933         goto end;
6934 
6935     SSL_shutdown(clientssl);
6936     SSL_shutdown(serverssl);
6937 
6938     testresult = 1;
6939 
6940  end:
6941     SSL_free(serverssl);
6942     SSL_free(clientssl);
6943     SSL_CTX_free(sctx);
6944     SSL_CTX_free(cctx);
6945 
6946     return testresult;
6947 }
6948 
6949 /* Parse CH and retrieve any MFL extension value if present */
6950 static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
6951 {
6952     long len;
6953     unsigned char *data;
6954     PACKET pkt, pkt2, pkt3;
6955     unsigned int MFL_code = 0, type = 0;
6956 
6957     if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
6958         goto end;
6959 
6960     memset(&pkt, 0, sizeof(pkt));
6961     memset(&pkt2, 0, sizeof(pkt2));
6962     memset(&pkt3, 0, sizeof(pkt3));
6963 
6964     if (!TEST_long_gt(len, 0)
6965             || !TEST_true( PACKET_buf_init( &pkt, data, len ) )
6966                /* Skip the record header */
6967             || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
6968                /* Skip the handshake message header */
6969             || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
6970                /* Skip client version and random */
6971             || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
6972                                                + SSL3_RANDOM_SIZE))
6973                /* Skip session id */
6974             || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6975                /* Skip ciphers */
6976             || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
6977                /* Skip compression */
6978             || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6979                /* Extensions len */
6980             || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
6981         goto end;
6982 
6983     /* Loop through all extensions */
6984     while (PACKET_remaining(&pkt2)) {
6985         if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
6986                 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
6987             goto end;
6988 
6989         if (type == TLSEXT_TYPE_max_fragment_length) {
6990             if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
6991                     || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
6992                 goto end;
6993 
6994             *mfl_codemfl_code = MFL_code;
6995             return 1;
6996         }
6997     }
6998 
6999  end:
7000     return 0;
7001 }
7002 
7003 /* Maximum-Fragment-Length TLS extension mode to test */
7004 static const unsigned char max_fragment_len_test[] = {
7005     TLSEXT_max_fragment_length_512,
7006     TLSEXT_max_fragment_length_1024,
7007     TLSEXT_max_fragment_length_2048,
7008     TLSEXT_max_fragment_length_4096
7009 };
7010 
7011 static int test_max_fragment_len_ext(int idx_tst)
7012 {
7013     SSL_CTX *ctx = NULL;
7014     SSL *con = NULL;
7015     int testresult = 0, MFL_mode = 0;
7016     BIO *rbio, *wbio;
7017 
7018     if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
7019                                        TLS1_VERSION, 0, NULL, &ctx, NULL,
7020                                        NULL)))
7021         return 0;
7022 
7023     if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
7024                    ctx, max_fragment_len_test[idx_tst])))
7025         goto end;
7026 
7027     con = SSL_new(ctx);
7028     if (!TEST_ptr(con))
7029         goto end;
7030 
7031     rbio = BIO_new(BIO_s_mem());
7032     wbio = BIO_new(BIO_s_mem());
7033     if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
7034         BIO_free(rbio);
7035         BIO_free(wbio);
7036         goto end;
7037     }
7038 
7039     SSL_set_bio(con, rbio, wbio);
7040 
7041     if (!TEST_int_le(SSL_connect(con), 0)) {
7042         /* This shouldn't succeed because we don't have a server! */
7043         goto end;
7044     }
7045 
7046     if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
7047         /* no MFL in client hello */
7048         goto end;
7049     if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
7050         goto end;
7051 
7052     testresult = 1;
7053 
7054 end:
7055     SSL_free(con);
7056     SSL_CTX_free(ctx);
7057 
7058     return testresult;
7059 }
7060 
7061 #ifndef OSSL_NO_USABLE_TLS1_3
7062 static int test_pha_key_update(void)
7063 {
7064     SSL_CTX *cctx = NULL, *sctx = NULL;
7065     SSL *clientssl = NULL, *serverssl = NULL;
7066     int testresult = 0;
7067 
7068     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7069                                        TLS_client_method(), TLS1_VERSION, 0,
7070                                        &sctx, &cctx, cert, privkey)))
7071         return 0;
7072 
7073     if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
7074         || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
7075         || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
7076         || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
7077         goto end;
7078 
7079     SSL_CTX_set_post_handshake_auth(cctx, 1);
7080 
7081     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7082                                       NULL, NULL)))
7083         goto end;
7084 
7085     if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7086                                          SSL_ERROR_NONE)))
7087         goto end;
7088 
7089     SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7090     if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7091         goto end;
7092 
7093     if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
7094         goto end;
7095 
7096     /* Start handshake on the server */
7097     if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
7098         goto end;
7099 
7100     /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
7101     if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7102                                          SSL_ERROR_NONE)))
7103         goto end;
7104 
7105     SSL_shutdown(clientssl);
7106     SSL_shutdown(serverssl);
7107 
7108     testresult = 1;
7109 
7110  end:
7111     SSL_free(serverssl);
7112     SSL_free(clientssl);
7113     SSL_CTX_free(sctx);
7114     SSL_CTX_free(cctx);
7115     return testresult;
7116 }
7117 #endif
7118 
7119 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7120 
7121 static SRP_VBASE *vbase = NULL;
7122 
7123 static int ssl_srp_cb(SSL *s, int *ad, void *arg)
7124 {
7125     int ret = SSL3_AL_FATAL;
7126     char *username;
7127     SRP_user_pwd *user = NULL;
7128 
7129     username = SSL_get_srp_username(s);
7130     if (username == NULL) {
7131         *ad = SSL_AD_INTERNAL_ERROR;
7132         goto err;
7133     }
7134 
7135     user = SRP_VBASE_get1_by_user(vbase, username);
7136     if (user == NULL) {
7137         *ad = SSL_AD_INTERNAL_ERROR;
7138         goto err;
7139     }
7140 
7141     if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
7142                                  user->info) <= 0) {
7143         *ad = SSL_AD_INTERNAL_ERROR;
7144         goto err;
7145     }
7146 
7147     ret = 0;
7148 
7149  err:
7150     SRP_user_pwd_free(user);
7151     return ret;
7152 }
7153 
7154 static int create_new_vfile(char *userid, char *password, const char *filename)
7155 {
7156     char *gNid = NULL;
7157     OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
7158     TXT_DB *db = NULL;
7159     int ret = 0;
7160     BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
7161     size_t i;
7162 
7163     if (!TEST_ptr(dummy) || !TEST_ptr(row))
7164         goto end;
7165 
7166     gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
7167                                   &row[DB_srpverifier], NULL, NULL, libctx, NULL);
7168     if (!TEST_ptr(gNid))
7169         goto end;
7170 
7171     /*
7172      * The only way to create an empty TXT_DB is to provide a BIO with no data
7173      * in it!
7174      */
7175     db = TXT_DB_read(dummy, DB_NUMBER);
7176     if (!TEST_ptr(db))
7177         goto end;
7178 
7179     out = BIO_new_file(filename, "w");
7180     if (!TEST_ptr(out))
7181         goto end;
7182 
7183     row[DB_srpid] = OPENSSL_strdup(userid);
7184     row[DB_srptype] = OPENSSL_strdup("V");
7185     row[DB_srpgN] = OPENSSL_strdup(gNid);
7186 
7187     if (!TEST_ptr(row[DB_srpid])
7188             || !TEST_ptr(row[DB_srptype])
7189             || !TEST_ptr(row[DB_srpgN])
7190             || !TEST_true(TXT_DB_insert(db, row)))
7191         goto end;
7192 
7193     row = NULL;
7194 
7195     if (TXT_DB_write(out, db) <= 0)
7196         goto end;
7197 
7198     ret = 1;
7199  end:
7200     if (row != NULL) {
7201         for (i = 0; i < DB_NUMBER; i++)
7202             OPENSSL_free(row[i]);
7203     }
7204     OPENSSL_free(row);
7205     BIO_free(dummy);
7206     BIO_free(out);
7207     TXT_DB_free(db);
7208 
7209     return ret;
7210 }
7211 
7212 static int create_new_vbase(char *userid, char *password)
7213 {
7214     BIGNUM *verifier = NULL, *salt = NULL;
7215     const SRP_gN *lgN = NULL;
7216     SRP_user_pwd *user_pwd = NULL;
7217     int ret = 0;
7218 
7219     lgN = SRP_get_default_gN(NULL);
7220     if (!TEST_ptr(lgN))
7221         goto end;
7222 
7223     if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
7224                                              lgN->N, lgN->g, libctx, NULL)))
7225         goto end;
7226 
7227     user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
7228     if (!TEST_ptr(user_pwd))
7229         goto end;
7230 
7231     user_pwd->N = lgN->N;
7232     user_pwd->g = lgN->g;
7233     user_pwd->id = OPENSSL_strdup(userid);
7234     if (!TEST_ptr(user_pwd->id))
7235         goto end;
7236 
7237     user_pwd->v = verifier;
7238     user_pwd->s = salt;
7239     verifier = salt = NULL;
7240 
7241     if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
7242         goto end;
7243     user_pwd = NULL;
7244 
7245     ret = 1;
7246 end:
7247     SRP_user_pwd_free(user_pwd);
7248     BN_free(salt);
7249     BN_free(verifier);
7250 
7251     return ret;
7252 }
7253 
7254 /*
7255  * SRP tests
7256  *
7257  * Test 0: Simple successful SRP connection, new vbase
7258  * Test 1: Connection failure due to bad password, new vbase
7259  * Test 2: Simple successful SRP connection, vbase loaded from existing file
7260  * Test 3: Connection failure due to bad password, vbase loaded from existing
7261  *         file
7262  * Test 4: Simple successful SRP connection, vbase loaded from new file
7263  * Test 5: Connection failure due to bad password, vbase loaded from new file
7264  */
7265 static int test_srp(int tst)
7266 {
7267     char *userid = "test", *password = "password", *tstsrpfile;
7268     SSL_CTX *cctx = NULL, *sctx = NULL;
7269     SSL *clientssl = NULL, *serverssl = NULL;
7270     int ret, testresult = 0;
7271 
7272     vbase = SRP_VBASE_new(NULL);
7273     if (!TEST_ptr(vbase))
7274         goto end;
7275 
7276     if (tst == 0 || tst == 1) {
7277         if (!TEST_true(create_new_vbase(userid, password)))
7278             goto end;
7279     } else {
7280         if (tst == 4 || tst == 5) {
7281             if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
7282                 goto end;
7283             tstsrpfile = tmpfilename;
7284         } else {
7285             tstsrpfile = srpvfile;
7286         }
7287         if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
7288             goto end;
7289     }
7290 
7291     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7292                                        TLS_client_method(), TLS1_VERSION, 0,
7293                                        &sctx, &cctx, cert, privkey)))
7294         goto end;
7295 
7296     if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
7297             || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
7298             || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
7299             || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
7300             || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
7301         goto end;
7302 
7303     if (tst % 2 == 1) {
7304         if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
7305             goto end;
7306     } else {
7307         if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
7308             goto end;
7309     }
7310 
7311     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7312                                       NULL, NULL)))
7313         goto end;
7314 
7315     ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7316     if (ret) {
7317         if (!TEST_true(tst % 2 == 0))
7318             goto end;
7319     } else {
7320         if (!TEST_true(tst % 2 == 1))
7321             goto end;
7322     }
7323 
7324     testresult = 1;
7325 
7326  end:
7327     SRP_VBASE_free(vbase);
7328     vbase = NULL;
7329     SSL_free(serverssl);
7330     SSL_free(clientssl);
7331     SSL_CTX_free(sctx);
7332     SSL_CTX_free(cctx);
7333 
7334     return testresult;
7335 }
7336 #endif
7337 
7338 static int info_cb_failed = 0;
7339 static int info_cb_offset = 0;
7340 static int info_cb_this_state = -1;
7341 
7342 static struct info_cb_states_st {
7343     int where;
7344     const char *statestr;
7345 } info_cb_states[][60] = {
7346     {
7347         /* TLSv1.2 server followed by resumption */
7348         {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7349         {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7350         {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
7351         {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
7352         {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
7353         {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7354         {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7355         {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7356         {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
7357         {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7358         {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
7359         {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7360         {SSL_CB_EXIT, NULL}, {0, NULL},
7361     }, {
7362         /* TLSv1.2 client followed by resumption */
7363         {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7364         {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7365         {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
7366         {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
7367         {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
7368         {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7369         {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7370         {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7371         {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7372         {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7373         {SSL_CB_LOOP, "TWCCS"},  {SSL_CB_LOOP, "TWFIN"},
7374         {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
7375     }, {
7376         /* TLSv1.3 server followed by resumption */
7377         {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7378         {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7379         {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
7380         {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7381         {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7382         {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7383         {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7384         {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7385         {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7386         {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7387         {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7388         {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7389         {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7390     }, {
7391         /* TLSv1.3 client followed by resumption */
7392         {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7393         {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7394         {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7395         {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7396         {SSL_CB_LOOP, "TWFIN"},  {SSL_CB_HANDSHAKE_DONE, NULL},
7397         {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7398         {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7399         {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7400         {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7401         {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7402         {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"},  {SSL_CB_LOOP, "TREE"},
7403         {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7404         {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7405         {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7406         {SSL_CB_EXIT, NULL}, {0, NULL},
7407     }, {
7408         /* TLSv1.3 server, early_data */
7409         {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7410         {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7411         {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7412         {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7413         {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7414         {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
7415         {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7416         {SSL_CB_EXIT, NULL}, {0, NULL},
7417     }, {
7418         /* TLSv1.3 client, early_data */
7419         {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7420         {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7421         {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7422         {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7423         {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7424         {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7425         {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7426         {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7427         {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7428     }, {
7429         {0, NULL},
7430     }
7431 };
7432 
7433 static void sslapi_info_callback(const SSL *s, int where, int ret)
7434 {
7435     struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7436 
7437     /* We do not ever expect a connection to fail in this test */
7438     if (!TEST_false(ret == 0)) {
7439         info_cb_failed = 1;
7440         return;
7441     }
7442 
7443     /*
7444      * Do some sanity checks. We never expect these things to happen in this
7445      * test
7446      */
7447     if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7448             || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7449             || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7450         info_cb_failed = 1;
7451         return;
7452     }
7453 
7454     /* Now check we're in the right state */
7455     if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7456         info_cb_failed = 1;
7457         return;
7458     }
7459     if ((where & SSL_CB_LOOP) != 0
7460             && !TEST_int_eq(strcmp(SSL_state_string(s),
7461                             state[info_cb_this_state].statestr), 0)) {
7462         info_cb_failed = 1;
7463         return;
7464     }
7465 
7466     /*
7467      * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7468      */
7469     if ((where & SSL_CB_HANDSHAKE_DONE)
7470             && SSL_in_init((SSL *)s) != 0) {
7471         info_cb_failed = 1;
7472         return;
7473     }
7474 }
7475 
7476 /*
7477  * Test the info callback gets called when we expect it to.
7478  *
7479  * Test 0: TLSv1.2, server
7480  * Test 1: TLSv1.2, client
7481  * Test 2: TLSv1.3, server
7482  * Test 3: TLSv1.3, client
7483  * Test 4: TLSv1.3, server, early_data
7484  * Test 5: TLSv1.3, client, early_data
7485  */
7486 static int test_info_callback(int tst)
7487 {
7488     SSL_CTX *cctx = NULL, *sctx = NULL;
7489     SSL *clientssl = NULL, *serverssl = NULL;
7490     SSL_SESSION *clntsess = NULL;
7491     int testresult = 0;
7492     int tlsvers;
7493 
7494     if (tst < 2) {
7495 /* We need either ECDHE or DHE for the TLSv1.2 test to work */
7496 #if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7497                                     || !defined(OPENSSL_NO_DH))
7498         tlsvers = TLS1_2_VERSION;
7499 #else
7500         return 1;
7501 #endif
7502     } else {
7503 #ifndef OSSL_NO_USABLE_TLS1_3
7504         tlsvers = TLS1_3_VERSION;
7505 #else
7506         return 1;
7507 #endif
7508     }
7509 
7510     /* Reset globals */
7511     info_cb_failed = 0;
7512     info_cb_this_state = -1;
7513     info_cb_offset = tst;
7514 
7515 #ifndef OSSL_NO_USABLE_TLS1_3
7516     if (tst >= 4) {
7517         SSL_SESSION *sess = NULL;
7518         size_t written, readbytes;
7519         unsigned char buf[80];
7520         time_t timer;
7521 
7522         /* early_data tests */
7523         if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
7524                                             &serverssl, &sess, 0,
7525                                             SHA384_DIGEST_LENGTH)))
7526             goto end;
7527 
7528         /* We don't actually need this reference */
7529         SSL_SESSION_free(sess);
7530 
7531         SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7532                               sslapi_info_callback);
7533 
7534         /* Write and read some early data and then complete the connection */
7535         timer = time(NULL);
7536         if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7537                                             &written))
7538                 || !TEST_size_t_eq(written, strlen(MSG1)))
7539             goto end;
7540 
7541         if (!TEST_int_eq(SSL_read_early_data(serverssl, buf,
7542                                              sizeof(buf), &readbytes),
7543                          SSL_READ_EARLY_DATA_SUCCESS)) {
7544             testresult = check_early_data_timeout(timer);
7545             goto end;
7546         }
7547 
7548         if (!TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7549                 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7550                                 SSL_EARLY_DATA_ACCEPTED)
7551                 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7552                                                     SSL_ERROR_NONE))
7553                 || !TEST_false(info_cb_failed))
7554             goto end;
7555 
7556         testresult = 1;
7557         goto end;
7558     }
7559 #endif
7560 
7561     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7562                                        TLS_client_method(),
7563                                        tlsvers, tlsvers, &sctx, &cctx, cert,
7564                                        privkey)))
7565         goto end;
7566 
7567     if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7568         goto end;
7569 
7570     /*
7571      * For even numbered tests we check the server callbacks. For odd numbers we
7572      * check the client.
7573      */
7574     SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7575                               sslapi_info_callback);
7576 
7577     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7578                                           &clientssl, NULL, NULL))
7579         || !TEST_true(create_ssl_connection(serverssl, clientssl,
7580                                             SSL_ERROR_NONE))
7581         || !TEST_false(info_cb_failed))
7582     goto end;
7583 
7584 
7585 
7586     clntsess = SSL_get1_session(clientssl);
7587     SSL_shutdown(clientssl);
7588     SSL_shutdown(serverssl);
7589     SSL_free(serverssl);
7590     SSL_free(clientssl);
7591     serverssl = clientssl = NULL;
7592 
7593     /* Now do a resumption */
7594     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7595                                       NULL))
7596             || !TEST_true(SSL_set_session(clientssl, clntsess))
7597             || !TEST_true(create_ssl_connection(serverssl, clientssl,
7598                                                 SSL_ERROR_NONE))
7599             || !TEST_true(SSL_session_reused(clientssl))
7600             || !TEST_false(info_cb_failed))
7601         goto end;
7602 
7603     testresult = 1;
7604 
7605  end:
7606     SSL_free(serverssl);
7607     SSL_free(clientssl);
7608     SSL_SESSION_free(clntsess);
7609     SSL_CTX_free(sctx);
7610     SSL_CTX_free(cctx);
7611     return testresult;
7612 }
7613 
7614 static int test_ssl_pending(int tst)
7615 {
7616     SSL_CTX *cctx = NULL, *sctx = NULL;
7617     SSL *clientssl = NULL, *serverssl = NULL;
7618     int testresult = 0;
7619     char msg[] = "A test message";
7620     char buf[5];
7621     size_t written, readbytes;
7622 
7623     if (tst == 0) {
7624         if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7625                                            TLS_client_method(),
7626                                            TLS1_VERSION, 0,
7627                                            &sctx, &cctx, cert, privkey)))
7628             goto end;
7629     } else {
7630 #ifndef OPENSSL_NO_DTLS
7631         if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
7632                                            DTLS_client_method(),
7633                                            DTLS1_VERSION, 0,
7634                                            &sctx, &cctx, cert, privkey)))
7635             goto end;
7636 
7637 # ifdef OPENSSL_NO_DTLS1_2
7638         /* Not supported in the FIPS provider */
7639         if (is_fips) {
7640             testresult = 1;
7641             goto end;
7642         };
7643         /*
7644          * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7645          * level 0
7646          */
7647         if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7648                 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7649                                                     "DEFAULT:@SECLEVEL=0")))
7650             goto end;
7651 # endif
7652 #else
7653         return 1;
7654 #endif
7655     }
7656 
7657     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7658                                              NULL, NULL))
7659             || !TEST_true(create_ssl_connection(serverssl, clientssl,
7660                                                 SSL_ERROR_NONE)))
7661         goto end;
7662 
7663     if (!TEST_int_eq(SSL_pending(clientssl), 0)
7664             || !TEST_false(SSL_has_pending(clientssl))
7665             || !TEST_int_eq(SSL_pending(serverssl), 0)
7666             || !TEST_false(SSL_has_pending(serverssl))
7667             || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7668             || !TEST_size_t_eq(written, sizeof(msg))
7669             || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
7670             || !TEST_size_t_eq(readbytes, sizeof(buf))
7671             || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
7672             || !TEST_true(SSL_has_pending(clientssl)))
7673         goto end;
7674 
7675     testresult = 1;
7676 
7677  end:
7678     SSL_free(serverssl);
7679     SSL_free(clientssl);
7680     SSL_CTX_free(sctx);
7681     SSL_CTX_free(cctx);
7682 
7683     return testresult;
7684 }
7685 
7686 static struct {
7687     unsigned int maxprot;
7688     const char *clntciphers;
7689     const char *clnttls13ciphers;
7690     const char *srvrciphers;
7691     const char *srvrtls13ciphers;
7692     const char *shared;
7693     const char *fipsshared;
7694 } shared_ciphers_data[] = {
7695 /*
7696  * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7697  * TLSv1.3 is enabled but TLSv1.2 is disabled.
7698  */
7699 #if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
7700     {
7701         TLS1_2_VERSION,
7702         "AES128-SHA:AES256-SHA",
7703         NULL,
7704         "AES256-SHA:DHE-RSA-AES128-SHA",
7705         NULL,
7706         "AES256-SHA",
7707         "AES256-SHA"
7708     },
7709 # if !defined(OPENSSL_NO_CHACHA) \
7710      && !defined(OPENSSL_NO_POLY1305) \
7711      && !defined(OPENSSL_NO_EC)
7712     {
7713         TLS1_2_VERSION,
7714         "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7715         NULL,
7716         "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7717         NULL,
7718         "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7719         "AES128-SHA"
7720     },
7721 # endif
7722     {
7723         TLS1_2_VERSION,
7724         "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7725         NULL,
7726         "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7727         NULL,
7728         "AES128-SHA:AES256-SHA",
7729         "AES128-SHA:AES256-SHA"
7730     },
7731     {
7732         TLS1_2_VERSION,
7733         "AES128-SHA:AES256-SHA",
7734         NULL,
7735         "AES128-SHA:DHE-RSA-AES128-SHA",
7736         NULL,
7737         "AES128-SHA",
7738         "AES128-SHA"
7739     },
7740 #endif
7741 /*
7742  * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7743  * enabled.
7744  */
7745 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
7746     && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
7747     {
7748         TLS1_3_VERSION,
7749         "AES128-SHA:AES256-SHA",
7750         NULL,
7751         "AES256-SHA:AES128-SHA256",
7752         NULL,
7753         "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
7754         "TLS_AES_128_GCM_SHA256:AES256-SHA",
7755         "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
7756     },
7757 #endif
7758 #ifndef OSSL_NO_USABLE_TLS1_3
7759     {
7760         TLS1_3_VERSION,
7761         "AES128-SHA",
7762         "TLS_AES_256_GCM_SHA384",
7763         "AES256-SHA",
7764         "TLS_AES_256_GCM_SHA384",
7765         "TLS_AES_256_GCM_SHA384",
7766         "TLS_AES_256_GCM_SHA384"
7767     },
7768 #endif
7769 };
7770 
7771 static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
7772 {
7773     SSL_CTX *cctx = NULL, *sctx = NULL;
7774     SSL *clientssl = NULL, *serverssl = NULL;
7775     int testresult = 0;
7776     char buf[1024];
7777     OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
7778 
7779     if (!TEST_ptr(tmplibctx))
7780         goto end;
7781 
7782     /*
7783      * Regardless of whether we're testing with the FIPS provider loaded into
7784      * libctx, we want one peer to always use the full set of ciphersuites
7785      * available. Therefore we use a separate libctx with the default provider
7786      * loaded into it. We run the same tests twice - once with the client side
7787      * having the full set of ciphersuites and once with the server side.
7788      */
7789     if (clnt) {
7790         cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
7791         if (!TEST_ptr(cctx))
7792             goto end;
7793     } else {
7794         sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
7795         if (!TEST_ptr(sctx))
7796             goto end;
7797     }
7798 
7799     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7800                                        TLS_client_method(),
7801                                        TLS1_VERSION,
7802                                        shared_ciphers_data[tst].maxprot,
7803                                        &sctx, &cctx, cert, privkey)))
7804         goto end;
7805 
7806     if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7807                                         shared_ciphers_data[tst].clntciphers))
7808             || (shared_ciphers_data[tst].clnttls13ciphers != NULL
7809                 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
7810                                     shared_ciphers_data[tst].clnttls13ciphers)))
7811             || !TEST_true(SSL_CTX_set_cipher_list(sctx,
7812                                         shared_ciphers_data[tst].srvrciphers))
7813             || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
7814                 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
7815                                     shared_ciphers_data[tst].srvrtls13ciphers))))
7816         goto end;
7817 
7818 
7819     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7820                                              NULL, NULL))
7821             || !TEST_true(create_ssl_connection(serverssl, clientssl,
7822                                                 SSL_ERROR_NONE)))
7823         goto end;
7824 
7825     if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
7826             || !TEST_int_eq(strcmp(buf,
7827                                    is_fips
7828                                    ? shared_ciphers_data[tst].fipsshared
7829                                    : shared_ciphers_data[tst].shared),
7830                                    0)) {
7831         TEST_info("Shared ciphers are: %s\n", buf);
7832         goto end;
7833     }
7834 
7835     testresult = 1;
7836 
7837  end:
7838     SSL_free(serverssl);
7839     SSL_free(clientssl);
7840     SSL_CTX_free(sctx);
7841     SSL_CTX_free(cctx);
7842     OSSL_LIB_CTX_free(tmplibctx);
7843 
7844     return testresult;
7845 }
7846 
7847 static int test_ssl_get_shared_ciphers(int tst)
7848 {
7849     return int_test_ssl_get_shared_ciphers(tst, 0)
7850            && int_test_ssl_get_shared_ciphers(tst, 1);
7851 }
7852 
7853 
7854 static const char *appdata = "Hello World";
7855 static int gen_tick_called, dec_tick_called, tick_key_cb_called;
7856 static int tick_key_renew = 0;
7857 static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7858 
7859 static int gen_tick_cb(SSL *s, void *arg)
7860 {
7861     gen_tick_called = 1;
7862 
7863     return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
7864                                            strlen(appdata));
7865 }
7866 
7867 static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
7868                                      const unsigned char *keyname,
7869                                      size_t keyname_length,
7870                                      SSL_TICKET_STATUS status,
7871                                      void *arg)
7872 {
7873     void *tickdata;
7874     size_t tickdlen;
7875 
7876     dec_tick_called = 1;
7877 
7878     if (status == SSL_TICKET_EMPTY)
7879         return SSL_TICKET_RETURN_IGNORE_RENEW;
7880 
7881     if (!TEST_true(status == SSL_TICKET_SUCCESS
7882                    || status == SSL_TICKET_SUCCESS_RENEW))
7883         return SSL_TICKET_RETURN_ABORT;
7884 
7885     if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
7886                                                    &tickdlen))
7887             || !TEST_size_t_eq(tickdlen, strlen(appdata))
7888             || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
7889         return SSL_TICKET_RETURN_ABORT;
7890 
7891     if (tick_key_cb_called)  {
7892         /* Don't change what the ticket key callback wanted to do */
7893         switch (status) {
7894         case SSL_TICKET_NO_DECRYPT:
7895             return SSL_TICKET_RETURN_IGNORE_RENEW;
7896 
7897         case SSL_TICKET_SUCCESS:
7898             return SSL_TICKET_RETURN_USE;
7899 
7900         case SSL_TICKET_SUCCESS_RENEW:
7901             return SSL_TICKET_RETURN_USE_RENEW;
7902 
7903         default:
7904             return SSL_TICKET_RETURN_ABORT;
7905         }
7906     }
7907     return tick_dec_ret;
7908 
7909 }
7910 
7911 #ifndef OPENSSL_NO_DEPRECATED_3_0
7912 static int tick_key_cb(SSL *s, unsigned char key_name[16],
7913                        unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
7914                        HMAC_CTX *hctx, int enc)
7915 {
7916     const unsigned char tick_aes_key[16] = "0123456789abcdef";
7917     const unsigned char tick_hmac_key[16] = "0123456789abcdef";
7918     EVP_CIPHER *aes128cbc;
7919     EVP_MD *sha256;
7920     int ret;
7921 
7922     tick_key_cb_called = 1;
7923 
7924     if (tick_key_renew == -1)
7925         return 0;
7926 
7927     aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7928     if (!TEST_ptr(aes128cbc))
7929         return 0;
7930     sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
7931     if (!TEST_ptr(sha256)) {
7932         EVP_CIPHER_free(aes128cbc);
7933         return 0;
7934     }
7935 
7936     memset(iv, 0, AES_BLOCK_SIZE);
7937     memset(key_name, 0, 16);
7938     if (aes128cbc == NULL
7939             || sha256 == NULL
7940             || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7941             || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
7942                              NULL))
7943         ret = -1;
7944     else
7945         ret = tick_key_renew ? 2 : 1;
7946 
7947     EVP_CIPHER_free(aes128cbc);
7948     EVP_MD_free(sha256);
7949 
7950     return ret;
7951 }
7952 #endif
7953 
7954 static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
7955                            unsigned char iv[EVP_MAX_IV_LENGTH],
7956                            EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
7957 {
7958     const unsigned char tick_aes_key[16] = "0123456789abcdef";
7959     unsigned char tick_hmac_key[16] = "0123456789abcdef";
7960     OSSL_PARAM params[2];
7961     EVP_CIPHER *aes128cbc;
7962     int ret;
7963 
7964     tick_key_cb_called = 1;
7965 
7966     if (tick_key_renew == -1)
7967         return 0;
7968 
7969     aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7970     if (!TEST_ptr(aes128cbc))
7971         return 0;
7972 
7973     memset(iv, 0, AES_BLOCK_SIZE);
7974     memset(key_name, 0, 16);
7975     params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
7976                                                  "SHA256", 0);
7977     params[1] = OSSL_PARAM_construct_end();
7978     if (aes128cbc == NULL
7979             || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7980             || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
7981                              params))
7982         ret = -1;
7983     else
7984         ret = tick_key_renew ? 2 : 1;
7985 
7986     EVP_CIPHER_free(aes128cbc);
7987 
7988     return ret;
7989 }
7990 
7991 /*
7992  * Test the various ticket callbacks
7993  * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
7994  * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
7995  * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
7996  * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
7997  * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
7998  * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
7999  * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
8000  * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
8001  * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
8002  * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
8003  * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
8004  * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
8005  * Test 12: TLSv1.2, old ticket key callback, no ticket
8006  * Test 13: TLSv1.3, old ticket key callback, no ticket
8007  * Test 14: TLSv1.2, ticket key callback, ticket, no renewal
8008  * Test 15: TLSv1.3, ticket key callback, ticket, no renewal
8009  * Test 16: TLSv1.2, ticket key callback, ticket, renewal
8010  * Test 17: TLSv1.3, ticket key callback, ticket, renewal
8011  * Test 18: TLSv1.2, ticket key callback, no ticket
8012  * Test 19: TLSv1.3, ticket key callback, no ticket
8013  */
8014 static int test_ticket_callbacks(int tst)
8015 {
8016     SSL_CTX *cctx = NULL, *sctx = NULL;
8017     SSL *clientssl = NULL, *serverssl = NULL;
8018     SSL_SESSION *clntsess = NULL;
8019     int testresult = 0;
8020 
8021 #ifdef OPENSSL_NO_TLS1_2
8022     if (tst % 2 == 0)
8023         return 1;
8024 #endif
8025 #ifdef OSSL_NO_USABLE_TLS1_3
8026     if (tst % 2 == 1)
8027         return 1;
8028 #endif
8029 #ifdef OPENSSL_NO_DEPRECATED_3_0
8030     if (tst >= 8 && tst <= 13)
8031         return 1;
8032 #endif
8033 
8034     gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
8035 
8036     /* Which tests the ticket key callback should request renewal for */
8037 
8038     if (tst == 10 || tst == 11 || tst == 16 || tst == 17)
8039         tick_key_renew = 1;
8040     else if (tst == 12 || tst == 13 || tst == 18 || tst == 19)
8041         tick_key_renew = -1; /* abort sending the ticket/0-length ticket */
8042     else
8043         tick_key_renew = 0;
8044 
8045     /* Which tests the decrypt ticket callback should request renewal for */
8046     switch (tst) {
8047     case 0:
8048     case 1:
8049         tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
8050         break;
8051 
8052     case 2:
8053     case 3:
8054         tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
8055         break;
8056 
8057     case 4:
8058     case 5:
8059         tick_dec_ret = SSL_TICKET_RETURN_USE;
8060         break;
8061 
8062     case 6:
8063     case 7:
8064         tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
8065         break;
8066 
8067     default:
8068         tick_dec_ret = SSL_TICKET_RETURN_ABORT;
8069     }
8070 
8071     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8072                                        TLS_client_method(),
8073                                        TLS1_VERSION,
8074                                        ((tst % 2) == 0) ? TLS1_2_VERSION
8075                                                         : TLS1_3_VERSION,
8076                                        &sctx, &cctx, cert, privkey)))
8077         goto end;
8078 
8079     /*
8080      * We only want sessions to resume from tickets - not the session cache. So
8081      * switch the cache off.
8082      */
8083     if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
8084         goto end;
8085 
8086     if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
8087                                                  NULL)))
8088         goto end;
8089 
8090     if (tst >= 14) {
8091         if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
8092             goto end;
8093 #ifndef OPENSSL_NO_DEPRECATED_3_0
8094     } else if (tst >= 8) {
8095         if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
8096             goto end;
8097 #endif
8098     }
8099 
8100     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8101                                              NULL, NULL))
8102             || !TEST_true(create_ssl_connection(serverssl, clientssl,
8103                                                 SSL_ERROR_NONE)))
8104         goto end;
8105 
8106     /*
8107      * The decrypt ticket key callback in TLSv1.2 should be called even though
8108      * we have no ticket yet, because it gets called with a status of
8109      * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
8110      * actually send any ticket data). This does not happen in TLSv1.3 because
8111      * it is not valid to send empty ticket data in TLSv1.3.
8112      */
8113     if (!TEST_int_eq(gen_tick_called, 1)
8114             || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
8115         goto end;
8116 
8117     gen_tick_called = dec_tick_called = 0;
8118 
8119     clntsess = SSL_get1_session(clientssl);
8120     SSL_shutdown(clientssl);
8121     SSL_shutdown(serverssl);
8122     SSL_free(serverssl);
8123     SSL_free(clientssl);
8124     serverssl = clientssl = NULL;
8125 
8126     /* Now do a resumption */
8127     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8128                                       NULL))
8129             || !TEST_true(SSL_set_session(clientssl, clntsess))
8130             || !TEST_true(create_ssl_connection(serverssl, clientssl,
8131                                                 SSL_ERROR_NONE)))
8132         goto end;
8133 
8134     if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
8135             || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8136             || tick_key_renew == -1) {
8137         if (!TEST_false(SSL_session_reused(clientssl)))
8138             goto end;
8139     } else {
8140         if (!TEST_true(SSL_session_reused(clientssl)))
8141             goto end;
8142     }
8143 
8144     if (!TEST_int_eq(gen_tick_called,
8145                      (tick_key_renew
8146                       || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8147                       || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
8148                      ? 1 : 0)
8149                /* There is no ticket to decrypt in tests 13 and 19 */
8150             || !TEST_int_eq(dec_tick_called, (tst == 13 || tst == 19) ? 0 : 1))
8151         goto end;
8152 
8153     testresult = 1;
8154 
8155  end:
8156     SSL_SESSION_free(clntsess);
8157     SSL_free(serverssl);
8158     SSL_free(clientssl);
8159     SSL_CTX_free(sctx);
8160     SSL_CTX_free(cctx);
8161 
8162     return testresult;
8163 }
8164 
8165 /*
8166  * Test incorrect shutdown.
8167  * Test 0: client does not shutdown properly,
8168  *         server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
8169  *         server should get SSL_ERROR_SSL
8170  * Test 1: client does not shutdown properly,
8171  *         server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
8172  *         server should get SSL_ERROR_ZERO_RETURN
8173  */
8174 static int test_incorrect_shutdown(int tst)
8175 {
8176     SSL_CTX *cctx = NULL, *sctx = NULL;
8177     SSL *clientssl = NULL, *serverssl = NULL;
8178     int testresult = 0;
8179     char buf[80];
8180     BIO *c2s;
8181 
8182     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8183                                        TLS_client_method(), 0, 0,
8184                                        &sctx, &cctx, cert, privkey)))
8185         goto end;
8186 
8187     if (tst == 1)
8188         SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
8189 
8190     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8191                                             NULL, NULL)))
8192         goto end;
8193 
8194     if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8195                                               SSL_ERROR_NONE)))
8196         goto end;
8197 
8198     c2s = SSL_get_rbio(serverssl);
8199     BIO_set_mem_eof_return(c2s, 0);
8200 
8201     if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
8202         goto end;
8203 
8204     if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
8205         goto end;
8206     if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
8207         goto end;
8208 
8209     testresult = 1;
8210 
8211  end:
8212     SSL_free(serverssl);
8213     SSL_free(clientssl);
8214     SSL_CTX_free(sctx);
8215     SSL_CTX_free(cctx);
8216 
8217     return testresult;
8218 }
8219 
8220 /*
8221  * Test bi-directional shutdown.
8222  * Test 0: TLSv1.2
8223  * Test 1: TLSv1.2, server continues to read/write after client shutdown
8224  * Test 2: TLSv1.3, no pending NewSessionTicket messages
8225  * Test 3: TLSv1.3, pending NewSessionTicket messages
8226  * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
8227  *                  sends key update, client reads it
8228  * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
8229  *                  sends CertificateRequest, client reads and ignores it
8230  * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
8231  *                  doesn't read it
8232  */
8233 static int test_shutdown(int tst)
8234 {
8235     SSL_CTX *cctx = NULL, *sctx = NULL;
8236     SSL *clientssl = NULL, *serverssl = NULL;
8237     int testresult = 0;
8238     char msg[] = "A test message";
8239     char buf[80];
8240     size_t written, readbytes;
8241     SSL_SESSION *sess;
8242 
8243 #ifdef OPENSSL_NO_TLS1_2
8244     if (tst <= 1)
8245         return 1;
8246 #endif
8247 #ifdef OSSL_NO_USABLE_TLS1_3
8248     if (tst >= 2)
8249         return 1;
8250 #endif
8251 
8252     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8253                                        TLS_client_method(),
8254                                        TLS1_VERSION,
8255                                        (tst <= 1) ? TLS1_2_VERSION
8256                                                   : TLS1_3_VERSION,
8257                                        &sctx, &cctx, cert, privkey)))
8258         goto end;
8259 
8260     if (tst == 5)
8261         SSL_CTX_set_post_handshake_auth(cctx, 1);
8262 
8263     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8264                                              NULL, NULL)))
8265         goto end;
8266 
8267     if (tst == 3) {
8268         if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
8269                                                   SSL_ERROR_NONE, 1))
8270                 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8271                 || !TEST_false(SSL_SESSION_is_resumable(sess)))
8272             goto end;
8273     } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8274                                               SSL_ERROR_NONE))
8275             || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8276             || !TEST_true(SSL_SESSION_is_resumable(sess))) {
8277         goto end;
8278     }
8279 
8280     if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8281         goto end;
8282 
8283     if (tst >= 4) {
8284         /*
8285          * Reading on the server after the client has sent close_notify should
8286          * fail and provide SSL_ERROR_ZERO_RETURN
8287          */
8288         if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
8289                 || !TEST_int_eq(SSL_get_error(serverssl, 0),
8290                                 SSL_ERROR_ZERO_RETURN)
8291                 || !TEST_int_eq(SSL_get_shutdown(serverssl),
8292                                 SSL_RECEIVED_SHUTDOWN)
8293                    /*
8294                     * Even though we're shutdown on receive we should still be
8295                     * able to write.
8296                     */
8297                 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8298             goto end;
8299         if (tst == 4
8300                 && !TEST_true(SSL_key_update(serverssl,
8301                                              SSL_KEY_UPDATE_REQUESTED)))
8302             goto end;
8303         if (tst == 5) {
8304             SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
8305             if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
8306                 goto end;
8307         }
8308         if ((tst == 4 || tst == 5)
8309                 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8310             goto end;
8311         if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8312             goto end;
8313         if (tst == 4 || tst == 5) {
8314             /* Should still be able to read data from server */
8315             if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8316                                        &readbytes))
8317                     || !TEST_size_t_eq(readbytes, sizeof(msg))
8318                     || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
8319                     || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8320                                               &readbytes))
8321                     || !TEST_size_t_eq(readbytes, sizeof(msg))
8322                     || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
8323                 goto end;
8324         }
8325     }
8326 
8327     /* Writing on the client after sending close_notify shouldn't be possible */
8328     if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
8329         goto end;
8330 
8331     if (tst < 4) {
8332         /*
8333          * For these tests the client has sent close_notify but it has not yet
8334          * been received by the server. The server has not sent close_notify
8335          * yet.
8336          */
8337         if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
8338                    /*
8339                     * Writing on the server after sending close_notify shouldn't
8340                     * be possible.
8341                     */
8342                 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8343                 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
8344                 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8345                 || !TEST_true(SSL_SESSION_is_resumable(sess))
8346                 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
8347             goto end;
8348     } else if (tst == 4 || tst == 5) {
8349         /*
8350          * In this test the client has sent close_notify and it has been
8351          * received by the server which has responded with a close_notify. The
8352          * client needs to read the close_notify sent by the server.
8353          */
8354         if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
8355                 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8356                 || !TEST_true(SSL_SESSION_is_resumable(sess)))
8357             goto end;
8358     } else {
8359         /*
8360          * tst == 6
8361          *
8362          * The client has sent close_notify and is expecting a close_notify
8363          * back, but instead there is application data first. The shutdown
8364          * should fail with a fatal error.
8365          */
8366         if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
8367                 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
8368             goto end;
8369     }
8370 
8371     testresult = 1;
8372 
8373  end:
8374     SSL_free(serverssl);
8375     SSL_free(clientssl);
8376     SSL_CTX_free(sctx);
8377     SSL_CTX_free(cctx);
8378 
8379     return testresult;
8380 }
8381 
8382 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8383 static int cert_cb_cnt;
8384 
8385 static int cert_cb(SSL *s, void *arg)
8386 {
8387     SSL_CTX *ctx = (SSL_CTX *)arg;
8388     BIO *in = NULL;
8389     EVP_PKEY *pkey = NULL;
8390     X509 *x509 = NULL, *rootx = NULL;
8391     STACK_OF(X509) *chain = NULL;
8392     char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
8393     int ret = 0;
8394 
8395     if (cert_cb_cnt == 0) {
8396         /* Suspend the handshake */
8397         cert_cb_cnt++;
8398         return -1;
8399     } else if (cert_cb_cnt == 1) {
8400         /*
8401          * Update the SSL_CTX, set the certificate and private key and then
8402          * continue the handshake normally.
8403          */
8404         if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
8405             return 0;
8406 
8407         if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
8408                 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
8409                                                       SSL_FILETYPE_PEM))
8410                 || !TEST_true(SSL_check_private_key(s)))
8411             return 0;
8412         cert_cb_cnt++;
8413         return 1;
8414     } else if (cert_cb_cnt == 3) {
8415         int rv;
8416 
8417         rootfile = test_mk_file_path(certsdir, "rootcert.pem");
8418         ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8419         ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8420         if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
8421             goto out;
8422         chain = sk_X509_new_null();
8423         if (!TEST_ptr(chain))
8424             goto out;
8425         if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8426                 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
8427                 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
8428                 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
8429                 || !TEST_true(sk_X509_push(chain, rootx)))
8430             goto out;
8431         rootx = NULL;
8432         BIO_free(in);
8433         if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8434                 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
8435                 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
8436                 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
8437             goto out;
8438         BIO_free(in);
8439         if (!TEST_ptr(in = BIO_new(BIO_s_file()))
8440                 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
8441                 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8442                                                                NULL, NULL,
8443                                                                libctx, NULL)))
8444             goto out;
8445         rv = SSL_check_chain(s, x509, pkey, chain);
8446         /*
8447          * If the cert doesn't show as valid here (e.g., because we don't
8448          * have any shared sigalgs), then we will not set it, and there will
8449          * be no certificate at all on the SSL or SSL_CTX.  This, in turn,
8450          * will cause tls_choose_sigalgs() to fail the connection.
8451          */
8452         if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8453                 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
8454             if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8455                 goto out;
8456         }
8457 
8458         ret = 1;
8459     }
8460 
8461     /* Abort the handshake */
8462  out:
8463     OPENSSL_free(ecdsacert);
8464     OPENSSL_free(ecdsakey);
8465     OPENSSL_free(rootfile);
8466     BIO_free(in);
8467     EVP_PKEY_free(pkey);
8468     X509_free(x509);
8469     X509_free(rootx);
8470     sk_X509_pop_free(chain, X509_free);
8471     return ret;
8472 }
8473 
8474 /*
8475  * Test the certificate callback.
8476  * Test 0: Callback fails
8477  * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8478  * Test 2: Success - SSL_set_SSL_CTX() in the callback
8479  * Test 3: Success - Call SSL_check_chain from the callback
8480  * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8481  *                   chain
8482  * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
8483  */
8484 static int test_cert_cb_int(int prot, int tst)
8485 {
8486     SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8487     SSL *clientssl = NULL, *serverssl = NULL;
8488     int testresult = 0, ret;
8489 
8490 #ifdef OPENSSL_NO_EC
8491     /* We use an EC cert in these tests, so we skip in a no-ec build */
8492     if (tst >= 3)
8493         return 1;
8494 #endif
8495 
8496     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8497                                        TLS_client_method(),
8498                                        TLS1_VERSION,
8499                                        prot,
8500                                        &sctx, &cctx, NULL, NULL)))
8501         goto end;
8502 
8503     if (tst == 0)
8504         cert_cb_cnt = -1;
8505     else if (tst >= 3)
8506         cert_cb_cnt = 3;
8507     else
8508         cert_cb_cnt = 0;
8509 
8510     if (tst == 2) {
8511         snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
8512         if (!TEST_ptr(snictx))
8513             goto end;
8514     }
8515 
8516     SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8517 
8518     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8519                                       NULL, NULL)))
8520         goto end;
8521 
8522     if (tst == 4) {
8523         /*
8524          * We cause SSL_check_chain() to fail by specifying sig_algs that
8525          * the chain doesn't meet (the root uses an RSA cert)
8526          */
8527         if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8528                                              "ecdsa_secp256r1_sha256")))
8529             goto end;
8530     } else if (tst == 5) {
8531         /*
8532          * We cause SSL_check_chain() to fail by specifying sig_algs that
8533          * the ee cert doesn't meet (the ee uses an ECDSA cert)
8534          */
8535         if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8536                            "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8537             goto end;
8538     }
8539 
8540     ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
8541     if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
8542             || (tst > 0
8543                 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
8544         goto end;
8545     }
8546 
8547     testresult = 1;
8548 
8549  end:
8550     SSL_free(serverssl);
8551     SSL_free(clientssl);
8552     SSL_CTX_free(sctx);
8553     SSL_CTX_free(cctx);
8554     SSL_CTX_free(snictx);
8555 
8556     return testresult;
8557 }
8558 #endif
8559 
8560 static int test_cert_cb(int tst)
8561 {
8562     int testresult = 1;
8563 
8564 #ifndef OPENSSL_NO_TLS1_2
8565     testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8566 #endif
8567 #ifndef OSSL_NO_USABLE_TLS1_3
8568     testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8569 #endif
8570 
8571     return testresult;
8572 }
8573 
8574 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8575 {
8576     X509 *xcert;
8577     EVP_PKEY *privpkey;
8578     BIO *in = NULL;
8579     BIO *priv_in = NULL;
8580 
8581     /* Check that SSL_get0_peer_certificate() returns something sensible */
8582     if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
8583         return 0;
8584 
8585     in = BIO_new_file(cert, "r");
8586     if (!TEST_ptr(in))
8587         return 0;
8588 
8589     if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
8590             || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
8591             || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
8592             || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
8593                                                                NULL, NULL,
8594                                                                libctx, NULL)))
8595         goto err;
8596 
8597     *x509 = xcert;
8598     *pkey = privpkey;
8599 
8600     BIO_free(in);
8601     BIO_free(priv_in);
8602     return 1;
8603 err:
8604     X509_free(xcert);
8605     BIO_free(in);
8606     BIO_free(priv_in);
8607     return 0;
8608 }
8609 
8610 static int test_client_cert_cb(int tst)
8611 {
8612     SSL_CTX *cctx = NULL, *sctx = NULL;
8613     SSL *clientssl = NULL, *serverssl = NULL;
8614     int testresult = 0;
8615 
8616 #ifdef OPENSSL_NO_TLS1_2
8617     if (tst == 0)
8618         return 1;
8619 #endif
8620 #ifdef OSSL_NO_USABLE_TLS1_3
8621     if (tst == 1)
8622         return 1;
8623 #endif
8624 
8625     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8626                                        TLS_client_method(),
8627                                        TLS1_VERSION,
8628                                        tst == 0 ? TLS1_2_VERSION
8629                                                 : TLS1_3_VERSION,
8630                                        &sctx, &cctx, cert, privkey)))
8631         goto end;
8632 
8633     /*
8634      * Test that setting a client_cert_cb results in a client certificate being
8635      * sent.
8636      */
8637     SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
8638     SSL_CTX_set_verify(sctx,
8639                        SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8640                        verify_cb);
8641 
8642     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8643                                       NULL, NULL))
8644             || !TEST_true(create_ssl_connection(serverssl, clientssl,
8645                                                 SSL_ERROR_NONE)))
8646         goto end;
8647 
8648     testresult = 1;
8649 
8650  end:
8651     SSL_free(serverssl);
8652     SSL_free(clientssl);
8653     SSL_CTX_free(sctx);
8654     SSL_CTX_free(cctx);
8655 
8656     return testresult;
8657 }
8658 
8659 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
8660 /*
8661  * Test setting certificate authorities on both client and server.
8662  *
8663  * Test 0: SSL_CTX_set0_CA_list() only
8664  * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8665  * Test 2: Only SSL_CTX_set_client_CA_list()
8666  */
8667 static int test_ca_names_int(int prot, int tst)
8668 {
8669     SSL_CTX *cctx = NULL, *sctx = NULL;
8670     SSL *clientssl = NULL, *serverssl = NULL;
8671     int testresult = 0;
8672     size_t i;
8673     X509_NAME *name[] = { NULL, NULL, NULL, NULL };
8674     char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
8675     STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
8676     const STACK_OF(X509_NAME) *sktmp = NULL;
8677 
8678     for (i = 0; i < OSSL_NELEM(name); i++) {
8679         name[i] = X509_NAME_new();
8680         if (!TEST_ptr(name[i])
8681                 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
8682                                                          MBSTRING_ASC,
8683                                                          (unsigned char *)
8684                                                          strnames[i],
8685                                                          -1, -1, 0)))
8686             goto end;
8687     }
8688 
8689     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8690                                        TLS_client_method(),
8691                                        TLS1_VERSION,
8692                                        prot,
8693                                        &sctx, &cctx, cert, privkey)))
8694         goto end;
8695 
8696     SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
8697 
8698     if (tst == 0 || tst == 1) {
8699         if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8700                 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
8701                 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
8702                 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8703                 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
8704                 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
8705             goto end;
8706 
8707         SSL_CTX_set0_CA_list(sctx, sk1);
8708         SSL_CTX_set0_CA_list(cctx, sk2);
8709         sk1 = sk2 = NULL;
8710     }
8711     if (tst == 1 || tst == 2) {
8712         if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8713                 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
8714                 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
8715                 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8716                 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
8717                 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
8718             goto end;
8719 
8720         SSL_CTX_set_client_CA_list(sctx, sk1);
8721         SSL_CTX_set_client_CA_list(cctx, sk2);
8722         sk1 = sk2 = NULL;
8723     }
8724 
8725     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8726                                       NULL, NULL))
8727             || !TEST_true(create_ssl_connection(serverssl, clientssl,
8728                                                 SSL_ERROR_NONE)))
8729         goto end;
8730 
8731     /*
8732      * We only expect certificate authorities to have been sent to the server
8733      * if we are using TLSv1.3 and SSL_set0_CA_list() was used
8734      */
8735     sktmp = SSL_get0_peer_CA_list(serverssl);
8736     if (prot == TLS1_3_VERSION
8737             && (tst == 0 || tst == 1)) {
8738         if (!TEST_ptr(sktmp)
8739                 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8740                 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8741                                               name[0]), 0)
8742                 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8743                                               name[1]), 0))
8744             goto end;
8745     } else if (!TEST_ptr_null(sktmp)) {
8746         goto end;
8747     }
8748 
8749     /*
8750      * In all tests we expect certificate authorities to have been sent to the
8751      * client. However, SSL_set_client_CA_list() should override
8752      * SSL_set0_CA_list()
8753      */
8754     sktmp = SSL_get0_peer_CA_list(clientssl);
8755     if (!TEST_ptr(sktmp)
8756             || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8757             || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8758                                           name[tst == 0 ? 0 : 2]), 0)
8759             || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8760                                           name[tst == 0 ? 1 : 3]), 0))
8761         goto end;
8762 
8763     testresult = 1;
8764 
8765  end:
8766     SSL_free(serverssl);
8767     SSL_free(clientssl);
8768     SSL_CTX_free(sctx);
8769     SSL_CTX_free(cctx);
8770     for (i = 0; i < OSSL_NELEM(name); i++)
8771         X509_NAME_free(name[i]);
8772     sk_X509_NAME_pop_free(sk1, X509_NAME_free);
8773     sk_X509_NAME_pop_free(sk2, X509_NAME_free);
8774 
8775     return testresult;
8776 }
8777 #endif
8778 
8779 static int test_ca_names(int tst)
8780 {
8781     int testresult = 1;
8782 
8783 #ifndef OPENSSL_NO_TLS1_2
8784     testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
8785 #endif
8786 #ifndef OSSL_NO_USABLE_TLS1_3
8787     testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
8788 #endif
8789 
8790     return testresult;
8791 }
8792 
8793 #ifndef OPENSSL_NO_TLS1_2
8794 static const char *multiblock_cipherlist_data[]=
8795 {
8796     "AES128-SHA",
8797     "AES128-SHA256",
8798     "AES256-SHA",
8799     "AES256-SHA256",
8800 };
8801 
8802 /* Reduce the fragment size - so the multiblock test buffer can be small */
8803 # define MULTIBLOCK_FRAGSIZE 512
8804 
8805 static int test_multiblock_write(int test_index)
8806 {
8807     static const char *fetchable_ciphers[]=
8808     {
8809         "AES-128-CBC-HMAC-SHA1",
8810         "AES-128-CBC-HMAC-SHA256",
8811         "AES-256-CBC-HMAC-SHA1",
8812         "AES-256-CBC-HMAC-SHA256"
8813     };
8814     const char *cipherlist = multiblock_cipherlist_data[test_index];
8815     const SSL_METHOD *smeth = TLS_server_method();
8816     const SSL_METHOD *cmeth = TLS_client_method();
8817     int min_version = TLS1_VERSION;
8818     int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
8819     SSL_CTX *cctx = NULL, *sctx = NULL;
8820     SSL *clientssl = NULL, *serverssl = NULL;
8821     int testresult = 0;
8822 
8823     /*
8824      * Choose a buffer large enough to perform a multi-block operation
8825      * i.e: write_len >= 4 * frag_size
8826      * 9 * is chosen so that multiple multiblocks are used + some leftover.
8827      */
8828     unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
8829     unsigned char buf[sizeof(msg)], *p = buf;
8830     size_t readbytes, written, len;
8831     EVP_CIPHER *ciph = NULL;
8832 
8833     /*
8834      * Check if the cipher exists before attempting to use it since it only has
8835      * a hardware specific implementation.
8836      */
8837     ciph = EVP_CIPHER_fetch(libctx, fetchable_ciphers[test_index], "");
8838     if (ciph == NULL) {
8839         TEST_skip("Multiblock cipher is not available for %s", cipherlist);
8840         return 1;
8841     }
8842     EVP_CIPHER_free(ciph);
8843 
8844     /* Set up a buffer with some data that will be sent to the client */
8845     RAND_bytes(msg, sizeof(msg));
8846 
8847     if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
8848                                        max_version, &sctx, &cctx, cert,
8849                                        privkey)))
8850         goto end;
8851 
8852     if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
8853         goto end;
8854 
8855     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8856                                       NULL, NULL)))
8857             goto end;
8858 
8859     /* settings to force it to use AES-CBC-HMAC_SHA */
8860     SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
8861     if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
8862        goto end;
8863 
8864     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8865         goto end;
8866 
8867     if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8868         || !TEST_size_t_eq(written, sizeof(msg)))
8869         goto end;
8870 
8871     len = written;
8872     while (len > 0) {
8873         if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
8874             goto end;
8875         p += readbytes;
8876         len -= readbytes;
8877     }
8878     if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
8879         goto end;
8880 
8881     testresult = 1;
8882 end:
8883     SSL_free(serverssl);
8884     SSL_free(clientssl);
8885     SSL_CTX_free(sctx);
8886     SSL_CTX_free(cctx);
8887 
8888     return testresult;
8889 }
8890 #endif /* OPENSSL_NO_TLS1_2 */
8891 
8892 static int test_session_timeout(int test)
8893 {
8894     /*
8895      * Test session ordering and timeout
8896      * Can't explicitly test performance of the new code,
8897      * but can test to see if the ordering of the sessions
8898      * are correct, and they they are removed as expected
8899      */
8900     SSL_SESSION *early = NULL;
8901     SSL_SESSION *middle = NULL;
8902     SSL_SESSION *late = NULL;
8903     SSL_CTX *ctx;
8904     int testresult = 0;
8905     long now = (long)time(NULL);
8906 #define TIMEOUT 10
8907 
8908     if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
8909         || !TEST_ptr(early = SSL_SESSION_new())
8910         || !TEST_ptr(middle = SSL_SESSION_new())
8911         || !TEST_ptr(late = SSL_SESSION_new()))
8912         goto end;
8913 
8914     /* assign unique session ids */
8915     early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8916     memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
8917     middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8918     memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
8919     late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8920     memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
8921 
8922     if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8923         || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8924         || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8925         goto end;
8926 
8927     /* Make sure they are all added */
8928     if (!TEST_ptr(early->prev)
8929         || !TEST_ptr(middle->prev)
8930         || !TEST_ptr(late->prev))
8931         goto end;
8932 
8933     if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
8934         || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
8935         || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
8936         goto end;
8937 
8938     if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
8939         || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
8940         || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
8941         goto end;
8942 
8943     /* Make sure they are all still there */
8944     if (!TEST_ptr(early->prev)
8945         || !TEST_ptr(middle->prev)
8946         || !TEST_ptr(late->prev))
8947         goto end;
8948 
8949     /* Make sure they are in the expected order */
8950     if (!TEST_ptr_eq(late->next, middle)
8951         || !TEST_ptr_eq(middle->next, early)
8952         || !TEST_ptr_eq(early->prev, middle)
8953         || !TEST_ptr_eq(middle->prev, late))
8954         goto end;
8955 
8956     /* This should remove "early" */
8957     SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
8958     if (!TEST_ptr_null(early->prev)
8959         || !TEST_ptr(middle->prev)
8960         || !TEST_ptr(late->prev))
8961         goto end;
8962 
8963     /* This should remove "middle" */
8964     SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
8965     if (!TEST_ptr_null(early->prev)
8966         || !TEST_ptr_null(middle->prev)
8967         || !TEST_ptr(late->prev))
8968         goto end;
8969 
8970     /* This should remove "late" */
8971     SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
8972     if (!TEST_ptr_null(early->prev)
8973         || !TEST_ptr_null(middle->prev)
8974         || !TEST_ptr_null(late->prev))
8975         goto end;
8976 
8977     /* Add them back in again */
8978     if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8979         || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8980         || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8981         goto end;
8982 
8983     /* Make sure they are all added */
8984     if (!TEST_ptr(early->prev)
8985         || !TEST_ptr(middle->prev)
8986         || !TEST_ptr(late->prev))
8987         goto end;
8988 
8989     /* This should remove all of them */
8990     SSL_CTX_flush_sessions(ctx, 0);
8991     if (!TEST_ptr_null(early->prev)
8992         || !TEST_ptr_null(middle->prev)
8993         || !TEST_ptr_null(late->prev))
8994         goto end;
8995 
8996     (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
8997                                          | SSL_CTX_get_session_cache_mode(ctx));
8998 
8999     /* make sure |now| is NOT  equal to the current time */
9000     now -= 10;
9001     if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
9002         || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9003         || !TEST_long_ne(SSL_SESSION_get_time(early), now))
9004         goto end;
9005 
9006     testresult = 1;
9007  end:
9008     SSL_CTX_free(ctx);
9009     SSL_SESSION_free(early);
9010     SSL_SESSION_free(middle);
9011     SSL_SESSION_free(late);
9012     return testresult;
9013 }
9014 
9015 /*
9016  * Test that a session cache overflow works as expected
9017  * Test 0: TLSv1.3, timeout on new session later than old session
9018  * Test 1: TLSv1.2, timeout on new session later than old session
9019  * Test 2: TLSv1.3, timeout on new session earlier than old session
9020  * Test 3: TLSv1.2, timeout on new session earlier than old session
9021  */
9022 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
9023 static int test_session_cache_overflow(int idx)
9024 {
9025     SSL_CTX *sctx = NULL, *cctx = NULL;
9026     SSL *serverssl = NULL, *clientssl = NULL;
9027     int testresult = 0;
9028     SSL_SESSION *sess = NULL;
9029 
9030 #ifdef OSSL_NO_USABLE_TLS1_3
9031     /* If no TLSv1.3 available then do nothing in this case */
9032     if (idx % 2 == 0)
9033         return TEST_skip("No TLSv1.3 available");
9034 #endif
9035 #ifdef OPENSSL_NO_TLS1_2
9036     /* If no TLSv1.2 available then do nothing in this case */
9037     if (idx % 2 == 1)
9038         return TEST_skip("No TLSv1.2 available");
9039 #endif
9040 
9041     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9042                                        TLS_client_method(), TLS1_VERSION,
9043                                        (idx % 2 == 0) ? TLS1_3_VERSION
9044                                                       : TLS1_2_VERSION,
9045                                        &sctx, &cctx, cert, privkey))
9046             || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET)))
9047         goto end;
9048 
9049     SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
9050     get_sess_val = NULL;
9051 
9052     SSL_CTX_sess_set_cache_size(sctx, 1);
9053 
9054     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9055                                       NULL, NULL)))
9056         goto end;
9057 
9058     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9059         goto end;
9060 
9061     if (idx > 1) {
9062         sess = SSL_get_session(serverssl);
9063         if (!TEST_ptr(sess))
9064             goto end;
9065 
9066         /*
9067          * Cause this session to have a longer timeout than the next session to
9068          * be added.
9069          */
9070         if (!TEST_true(SSL_SESSION_set_timeout(sess, LONG_MAX / 2))) {
9071             sess = NULL;
9072             goto end;
9073         }
9074         sess = NULL;
9075     }
9076 
9077     SSL_shutdown(serverssl);
9078     SSL_shutdown(clientssl);
9079     SSL_free(serverssl);
9080     SSL_free(clientssl);
9081     serverssl = clientssl = NULL;
9082 
9083     /*
9084      * Session cache size is 1 and we already populated the cache with a session
9085      * so the next connection should cause an overflow.
9086      */
9087 
9088     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9089                                       NULL, NULL)))
9090         goto end;
9091 
9092     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9093         goto end;
9094 
9095     /*
9096      * The session we just negotiated may have been already removed from the
9097      * internal cache - but we will return it anyway from our external cache.
9098      */
9099     get_sess_val = SSL_get_session(serverssl);
9100     if (!TEST_ptr(get_sess_val))
9101         goto end;
9102     sess = SSL_get1_session(clientssl);
9103     if (!TEST_ptr(sess))
9104         goto end;
9105 
9106     SSL_shutdown(serverssl);
9107     SSL_shutdown(clientssl);
9108     SSL_free(serverssl);
9109     SSL_free(clientssl);
9110     serverssl = clientssl = NULL;
9111 
9112     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9113                                       NULL, NULL)))
9114         goto end;
9115 
9116     if (!TEST_true(SSL_set_session(clientssl, sess)))
9117         goto end;
9118 
9119     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9120         goto end;
9121 
9122     testresult = 1;
9123 
9124  end:
9125     SSL_free(serverssl);
9126     SSL_free(clientssl);
9127     SSL_CTX_free(sctx);
9128     SSL_CTX_free(cctx);
9129     SSL_SESSION_free(sess);
9130 
9131     return testresult;
9132 }
9133 #endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
9134 
9135 /*
9136  * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
9137  * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
9138  * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
9139  * Test 3: Client does not set servername on initial handshake (TLSv1.2)
9140  * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
9141  * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
9142  * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
9143  * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
9144  * Test 8: Client does not set servername on initial handshake(TLSv1.3)
9145  * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
9146  */
9147 static int test_servername(int tst)
9148 {
9149     SSL_CTX *cctx = NULL, *sctx = NULL;
9150     SSL *clientssl = NULL, *serverssl = NULL;
9151     int testresult = 0;
9152     SSL_SESSION *sess = NULL;
9153     const char *sexpectedhost = NULL, *cexpectedhost = NULL;
9154 
9155 #ifdef OPENSSL_NO_TLS1_2
9156     if (tst <= 4)
9157         return 1;
9158 #endif
9159 #ifdef OSSL_NO_USABLE_TLS1_3
9160     if (tst >= 5)
9161         return 1;
9162 #endif
9163 
9164     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9165                                        TLS_client_method(),
9166                                        TLS1_VERSION,
9167                                        (tst <= 4) ? TLS1_2_VERSION
9168                                                   : TLS1_3_VERSION,
9169                                        &sctx, &cctx, cert, privkey))
9170             || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9171                                              NULL, NULL)))
9172         goto end;
9173 
9174     if (tst != 1 && tst != 6) {
9175         if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
9176                                                               hostname_cb)))
9177             goto end;
9178     }
9179 
9180     if (tst != 3 && tst != 8) {
9181         if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9182             goto end;
9183         sexpectedhost = cexpectedhost = "goodhost";
9184     }
9185 
9186     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9187         goto end;
9188 
9189     if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
9190                      cexpectedhost)
9191             || !TEST_str_eq(SSL_get_servername(serverssl,
9192                                                TLSEXT_NAMETYPE_host_name),
9193                             sexpectedhost))
9194         goto end;
9195 
9196     /* Now repeat with a resumption handshake */
9197 
9198     if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
9199             || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
9200             || !TEST_true(SSL_SESSION_is_resumable(sess))
9201             || !TEST_int_eq(SSL_shutdown(serverssl), 0))
9202         goto end;
9203 
9204     SSL_free(clientssl);
9205     SSL_free(serverssl);
9206     clientssl = serverssl = NULL;
9207 
9208     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
9209                                       NULL)))
9210         goto end;
9211 
9212     if (!TEST_true(SSL_set_session(clientssl, sess)))
9213         goto end;
9214 
9215     sexpectedhost = cexpectedhost = "goodhost";
9216     if (tst == 2 || tst == 7) {
9217         /* Set an inconsistent hostname */
9218         if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
9219             goto end;
9220         /*
9221          * In TLSv1.2 we expect the hostname from the original handshake, in
9222          * TLSv1.3 we expect the hostname from this handshake
9223          */
9224         if (tst == 7)
9225             sexpectedhost = cexpectedhost = "altgoodhost";
9226 
9227         if (!TEST_str_eq(SSL_get_servername(clientssl,
9228                                             TLSEXT_NAMETYPE_host_name),
9229                          "altgoodhost"))
9230             goto end;
9231     } else if (tst == 4 || tst == 9) {
9232         /*
9233          * A TLSv1.3 session does not associate a session with a servername,
9234          * but a TLSv1.2 session does.
9235          */
9236         if (tst == 9)
9237             sexpectedhost = cexpectedhost = NULL;
9238 
9239         if (!TEST_str_eq(SSL_get_servername(clientssl,
9240                                             TLSEXT_NAMETYPE_host_name),
9241                          cexpectedhost))
9242             goto end;
9243     } else {
9244         if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9245             goto end;
9246         /*
9247          * In a TLSv1.2 resumption where the hostname was not acknowledged
9248          * we expect the hostname on the server to be empty. On the client we
9249          * return what was requested in this case.
9250          *
9251          * Similarly if the client didn't set a hostname on an original TLSv1.2
9252          * session but is now, the server hostname will be empty, but the client
9253          * is as we set it.
9254          */
9255         if (tst == 1 || tst == 3)
9256             sexpectedhost = NULL;
9257 
9258         if (!TEST_str_eq(SSL_get_servername(clientssl,
9259                                             TLSEXT_NAMETYPE_host_name),
9260                          "goodhost"))
9261             goto end;
9262     }
9263 
9264     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9265         goto end;
9266 
9267     if (!TEST_true(SSL_session_reused(clientssl))
9268             || !TEST_true(SSL_session_reused(serverssl))
9269             || !TEST_str_eq(SSL_get_servername(clientssl,
9270                                                TLSEXT_NAMETYPE_host_name),
9271                             cexpectedhost)
9272             || !TEST_str_eq(SSL_get_servername(serverssl,
9273                                                TLSEXT_NAMETYPE_host_name),
9274                             sexpectedhost))
9275         goto end;
9276 
9277     testresult = 1;
9278 
9279  end:
9280     SSL_SESSION_free(sess);
9281     SSL_free(serverssl);
9282     SSL_free(clientssl);
9283     SSL_CTX_free(sctx);
9284     SSL_CTX_free(cctx);
9285 
9286     return testresult;
9287 }
9288 
9289 #if !defined(OPENSSL_NO_EC) \
9290     && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9291 /*
9292  * Test that if signature algorithms are not available, then we do not offer or
9293  * accept them.
9294  * Test 0: Two RSA sig algs available: both RSA sig algs shared
9295  * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
9296  * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
9297  * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
9298  * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
9299  * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
9300  */
9301 static int test_sigalgs_available(int idx)
9302 {
9303     SSL_CTX *cctx = NULL, *sctx = NULL;
9304     SSL *clientssl = NULL, *serverssl = NULL;
9305     int testresult = 0;
9306     OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
9307     OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
9308     OSSL_PROVIDER *filterprov = NULL;
9309     int sig, hash;
9310 
9311     if (!TEST_ptr(tmpctx))
9312         goto end;
9313 
9314     if (idx != 0 && idx != 3) {
9315         if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
9316                                                  filter_provider_init)))
9317             goto end;
9318 
9319         filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
9320         if (!TEST_ptr(filterprov))
9321             goto end;
9322 
9323         if (idx < 3) {
9324             /*
9325              * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
9326              * or accepted for the peer that uses this libctx. Note that libssl
9327              * *requires* SHA2-256 to be available so we cannot disable that. We
9328              * also need SHA1 for our certificate.
9329              */
9330             if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
9331                                                       "SHA2-256:SHA1")))
9332                 goto end;
9333         } else {
9334             if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
9335                                                       "ECDSA"))
9336                     || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
9337                                                              "EC:X25519:X448")))
9338                 goto end;
9339         }
9340 
9341         if (idx == 1 || idx == 4)
9342             clientctx = tmpctx;
9343         else
9344             serverctx = tmpctx;
9345     }
9346 
9347     cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
9348     sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9349     if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
9350         goto end;
9351 
9352     if (idx != 5) {
9353         if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9354                                            TLS_client_method(),
9355                                            TLS1_VERSION,
9356                                            0,
9357                                            &sctx, &cctx, cert, privkey)))
9358             goto end;
9359     } else {
9360         if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9361                                            TLS_client_method(),
9362                                            TLS1_VERSION,
9363                                            0,
9364                                            &sctx, &cctx, cert2, privkey2)))
9365             goto end;
9366     }
9367 
9368     /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
9369     if (idx < 4) {
9370         if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9371                                                "ECDHE-RSA-AES128-GCM-SHA256")))
9372             goto end;
9373     } else {
9374         if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9375                                                "ECDHE-ECDSA-AES128-GCM-SHA256")))
9376             goto end;
9377     }
9378 
9379     if (idx < 3) {
9380         if (!SSL_CTX_set1_sigalgs_list(cctx,
9381                                        "rsa_pss_rsae_sha384"
9382                                        ":rsa_pss_rsae_sha256")
9383                 || !SSL_CTX_set1_sigalgs_list(sctx,
9384                                               "rsa_pss_rsae_sha384"
9385                                               ":rsa_pss_rsae_sha256"))
9386             goto end;
9387     } else {
9388         if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
9389                 || !SSL_CTX_set1_sigalgs_list(sctx,
9390                                               "rsa_pss_rsae_sha256:ECDSA+SHA256"))
9391             goto end;
9392     }
9393 
9394     if (idx != 5
9395         && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
9396                                                       SSL_FILETYPE_PEM), 1)
9397             || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
9398                                                         privkey2,
9399                                                         SSL_FILETYPE_PEM), 1)
9400             || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
9401         goto end;
9402 
9403     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9404                                       NULL, NULL)))
9405         goto end;
9406 
9407     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9408         goto end;
9409 
9410     /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
9411     if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
9412                                             NULL, NULL),
9413                      (idx == 0 || idx == 3) ? 2 : 1))
9414         goto end;
9415 
9416     if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
9417         goto end;
9418 
9419     if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
9420                                                  : NID_rsassaPss))
9421         goto end;
9422 
9423     testresult = filter_provider_check_clean_finish();
9424 
9425  end:
9426     SSL_free(serverssl);
9427     SSL_free(clientssl);
9428     SSL_CTX_free(sctx);
9429     SSL_CTX_free(cctx);
9430     OSSL_PROVIDER_unload(filterprov);
9431     OSSL_LIB_CTX_free(tmpctx);
9432 
9433     return testresult;
9434 }
9435 #endif /*
9436         * !defined(OPENSSL_NO_EC) \
9437         * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
9438         */
9439 
9440 #ifndef OPENSSL_NO_TLS1_3
9441 /* This test can run in TLSv1.3 even if ec and dh are disabled */
9442 static int test_pluggable_group(int idx)
9443 {
9444     SSL_CTX *cctx = NULL, *sctx = NULL;
9445     SSL *clientssl = NULL, *serverssl = NULL;
9446     int testresult = 0;
9447     OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
9448     /* Check that we are not impacted by a provider without any groups */
9449     OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
9450     const char *group_name = idx == 0 ? "xorkemgroup" : "xorgroup";
9451 
9452     if (!TEST_ptr(tlsprov))
9453         goto end;
9454 
9455     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9456                                        TLS_client_method(),
9457                                        TLS1_3_VERSION,
9458                                        TLS1_3_VERSION,
9459                                        &sctx, &cctx, cert, privkey))
9460             || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9461                                              NULL, NULL)))
9462         goto end;
9463 
9464     /* ensure GROUPLIST_INCREMENT (=40) logic triggers: */
9465     if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup:xorkemgroup:dummy1:dummy2:dummy3:dummy4:dummy5:dummy6:dummy7:dummy8:dummy9:dummy10:dummy11:dummy12:dummy13:dummy14:dummy15:dummy16:dummy17:dummy18:dummy19:dummy20:dummy21:dummy22:dummy23:dummy24:dummy25:dummy26:dummy27:dummy28:dummy29:dummy30:dummy31:dummy32:dummy33:dummy34:dummy35:dummy36:dummy37:dummy38:dummy39:dummy40:dummy41:dummy42:dummy43"))
9466     /* removing a single algorithm from the list makes the test pass */
9467             || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
9468         goto end;
9469 
9470     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9471         goto end;
9472 
9473     if (!TEST_str_eq(group_name,
9474                      SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
9475         goto end;
9476 
9477     testresult = 1;
9478 
9479  end:
9480     SSL_free(serverssl);
9481     SSL_free(clientssl);
9482     SSL_CTX_free(sctx);
9483     SSL_CTX_free(cctx);
9484     OSSL_PROVIDER_unload(tlsprov);
9485     OSSL_PROVIDER_unload(legacyprov);
9486 
9487     return testresult;
9488 }
9489 #endif
9490 
9491 #ifndef OPENSSL_NO_TLS1_2
9492 static int test_ssl_dup(void)
9493 {
9494     SSL_CTX *cctx = NULL, *sctx = NULL;
9495     SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
9496     int testresult = 0;
9497     BIO *rbio = NULL, *wbio = NULL;
9498 
9499     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9500                                        TLS_client_method(),
9501                                        0,
9502                                        0,
9503                                        &sctx, &cctx, cert, privkey)))
9504         goto end;
9505 
9506     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9507                                              NULL, NULL)))
9508         goto end;
9509 
9510     if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
9511             || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
9512         goto end;
9513 
9514     client2ssl = SSL_dup(clientssl);
9515     rbio = SSL_get_rbio(clientssl);
9516     if (!TEST_ptr(rbio)
9517             || !TEST_true(BIO_up_ref(rbio)))
9518         goto end;
9519     SSL_set0_rbio(client2ssl, rbio);
9520     rbio = NULL;
9521 
9522     wbio = SSL_get_wbio(clientssl);
9523     if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
9524         goto end;
9525     SSL_set0_wbio(client2ssl, wbio);
9526     rbio = NULL;
9527 
9528     if (!TEST_ptr(client2ssl)
9529                /* Handshake not started so pointers should be different */
9530             || !TEST_ptr_ne(clientssl, client2ssl))
9531         goto end;
9532 
9533     if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
9534             || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
9535         goto end;
9536 
9537     if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
9538         goto end;
9539 
9540     SSL_free(clientssl);
9541     clientssl = SSL_dup(client2ssl);
9542     if (!TEST_ptr(clientssl)
9543                /* Handshake has finished so pointers should be the same */
9544             || !TEST_ptr_eq(clientssl, client2ssl))
9545         goto end;
9546 
9547     testresult = 1;
9548 
9549  end:
9550     SSL_free(serverssl);
9551     SSL_free(clientssl);
9552     SSL_free(client2ssl);
9553     SSL_CTX_free(sctx);
9554     SSL_CTX_free(cctx);
9555 
9556     return testresult;
9557 }
9558 
9559 # ifndef OPENSSL_NO_DH
9560 
9561 static EVP_PKEY *tmp_dh_params = NULL;
9562 
9563 /* Helper function for the test_set_tmp_dh() tests */
9564 static EVP_PKEY *get_tmp_dh_params(void)
9565 {
9566     if (tmp_dh_params == NULL) {
9567         BIGNUM *p = NULL;
9568         OSSL_PARAM_BLD *tmpl = NULL;
9569         EVP_PKEY_CTX *pctx = NULL;
9570         OSSL_PARAM *params = NULL;
9571         EVP_PKEY *dhpkey = NULL;
9572 
9573         p = BN_get_rfc3526_prime_2048(NULL);
9574         if (!TEST_ptr(p))
9575             goto end;
9576 
9577         pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
9578         if (!TEST_ptr(pctx)
9579                 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
9580             goto end;
9581 
9582         tmpl = OSSL_PARAM_BLD_new();
9583         if (!TEST_ptr(tmpl)
9584                 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
9585                                                         OSSL_PKEY_PARAM_FFC_P,
9586                                                         p))
9587                 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
9588                                                         OSSL_PKEY_PARAM_FFC_G,
9589                                                         2)))
9590             goto end;
9591 
9592         params = OSSL_PARAM_BLD_to_param(tmpl);
9593         if (!TEST_ptr(params)
9594                 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
9595                                                   EVP_PKEY_KEY_PARAMETERS,
9596                                                   params), 1))
9597             goto end;
9598 
9599         tmp_dh_params = dhpkey;
9600     end:
9601         BN_free(p);
9602         EVP_PKEY_CTX_free(pctx);
9603         OSSL_PARAM_BLD_free(tmpl);
9604         OSSL_PARAM_free(params);
9605     }
9606 
9607     if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
9608         return NULL;
9609 
9610     return tmp_dh_params;
9611 }
9612 
9613 #  ifndef OPENSSL_NO_DEPRECATED_3_0
9614 /* Callback used by test_set_tmp_dh() */
9615 static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
9616 {
9617     EVP_PKEY *dhpkey = get_tmp_dh_params();
9618     DH *ret = NULL;
9619 
9620     if (!TEST_ptr(dhpkey))
9621         return NULL;
9622 
9623     /*
9624      * libssl does not free the returned DH, so we free it now knowing that even
9625      * after we free dhpkey, there will still be a reference to the owning
9626      * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
9627      * of time we need it for.
9628      */
9629     ret = EVP_PKEY_get1_DH(dhpkey);
9630     DH_free(ret);
9631 
9632     EVP_PKEY_free(dhpkey);
9633 
9634     return ret;
9635 }
9636 #  endif
9637 
9638 /*
9639  * Test the various methods for setting temporary DH parameters
9640  *
9641  * Test  0: Default (no auto) setting
9642  * Test  1: Explicit SSL_CTX auto off
9643  * Test  2: Explicit SSL auto off
9644  * Test  3: Explicit SSL_CTX auto on
9645  * Test  4: Explicit SSL auto on
9646  * Test  5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
9647  * Test  6: Explicit SSL auto off, custom DH params via EVP_PKEY
9648  *
9649  * The following are testing deprecated APIs, so we only run them if available
9650  * Test  7: Explicit SSL_CTX auto off, custom DH params via DH
9651  * Test  8: Explicit SSL auto off, custom DH params via DH
9652  * Test  9: Explicit SSL_CTX auto off, custom DH params via callback
9653  * Test 10: Explicit SSL auto off, custom DH params via callback
9654  */
9655 static int test_set_tmp_dh(int idx)
9656 {
9657     SSL_CTX *cctx = NULL, *sctx = NULL;
9658     SSL *clientssl = NULL, *serverssl = NULL;
9659     int testresult = 0;
9660     int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
9661     int expected = (idx <= 2) ? 0 : 1;
9662     EVP_PKEY *dhpkey = NULL;
9663 #  ifndef OPENSSL_NO_DEPRECATED_3_0
9664     DH *dh = NULL;
9665 #  else
9666 
9667     if (idx >= 7)
9668         return 1;
9669 #  endif
9670 
9671     if (idx >= 5 && idx <= 8) {
9672         dhpkey = get_tmp_dh_params();
9673         if (!TEST_ptr(dhpkey))
9674             goto end;
9675     }
9676 #  ifndef OPENSSL_NO_DEPRECATED_3_0
9677     if (idx == 7 || idx == 8) {
9678         dh = EVP_PKEY_get1_DH(dhpkey);
9679         if (!TEST_ptr(dh))
9680             goto end;
9681     }
9682 #  endif
9683 
9684     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9685                                        TLS_client_method(),
9686                                        0,
9687                                        0,
9688                                        &sctx, &cctx, cert, privkey)))
9689         goto end;
9690 
9691     if ((idx & 1) == 1) {
9692         if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
9693             goto end;
9694     }
9695 
9696     if (idx == 5) {
9697         if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
9698             goto end;
9699         dhpkey = NULL;
9700     }
9701 #  ifndef OPENSSL_NO_DEPRECATED_3_0
9702     else if (idx == 7) {
9703         if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
9704             goto end;
9705     } else if (idx == 9) {
9706         SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
9707     }
9708 #  endif
9709 
9710     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9711                                       NULL, NULL)))
9712         goto end;
9713 
9714     if ((idx & 1) == 0 && idx != 0) {
9715         if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
9716             goto end;
9717     }
9718     if (idx == 6) {
9719         if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
9720             goto end;
9721         dhpkey = NULL;
9722     }
9723 #  ifndef OPENSSL_NO_DEPRECATED_3_0
9724     else if (idx == 8) {
9725         if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
9726             goto end;
9727     } else if (idx == 10) {
9728         SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
9729     }
9730 #  endif
9731 
9732     if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9733             || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9734             || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
9735         goto end;
9736 
9737     /*
9738      * If autoon then we should succeed. Otherwise we expect failure because
9739      * there are no parameters
9740      */
9741     if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
9742                                            SSL_ERROR_NONE), expected))
9743         goto end;
9744 
9745     testresult = 1;
9746 
9747  end:
9748 #  ifndef OPENSSL_NO_DEPRECATED_3_0
9749     DH_free(dh);
9750 #  endif
9751     SSL_free(serverssl);
9752     SSL_free(clientssl);
9753     SSL_CTX_free(sctx);
9754     SSL_CTX_free(cctx);
9755     EVP_PKEY_free(dhpkey);
9756 
9757     return testresult;
9758 }
9759 
9760 /*
9761  * Test the auto DH keys are appropriately sized
9762  */
9763 static int test_dh_auto(int idx)
9764 {
9765     SSL_CTX *cctx = NULL, *sctx = NULL;
9766     SSL *clientssl = NULL, *serverssl = NULL;
9767     int testresult = 0;
9768     EVP_PKEY *tmpkey = NULL;
9769     char *thiscert = NULL, *thiskey = NULL;
9770     size_t expdhsize = 0;
9771     const char *ciphersuite = "DHE-RSA-AES128-SHA";
9772 
9773     switch (idx) {
9774     case 0:
9775         /* The FIPS provider doesn't support this DH size - so we ignore it */
9776         if (is_fips)
9777             return 1;
9778         thiscert = cert1024;
9779         thiskey = privkey1024;
9780         expdhsize = 1024;
9781         break;
9782     case 1:
9783         /* 2048 bit prime */
9784         thiscert = cert;
9785         thiskey = privkey;
9786         expdhsize = 2048;
9787         break;
9788     case 2:
9789         thiscert = cert3072;
9790         thiskey = privkey3072;
9791         expdhsize = 3072;
9792         break;
9793     case 3:
9794         thiscert = cert4096;
9795         thiskey = privkey4096;
9796         expdhsize = 4096;
9797         break;
9798     case 4:
9799         thiscert = cert8192;
9800         thiskey = privkey8192;
9801         expdhsize = 8192;
9802         break;
9803     /* No certificate cases */
9804     case 5:
9805         /* The FIPS provider doesn't support this DH size - so we ignore it */
9806         if (is_fips)
9807             return 1;
9808         ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
9809         expdhsize = 1024;
9810         break;
9811     case 6:
9812         ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
9813         expdhsize = 3072;
9814         break;
9815     default:
9816         TEST_error("Invalid text index");
9817         goto end;
9818     }
9819 
9820     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9821                                        TLS_client_method(),
9822                                        0,
9823                                        0,
9824                                        &sctx, &cctx, thiscert, thiskey)))
9825         goto end;
9826 
9827     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9828                                       NULL, NULL)))
9829         goto end;
9830 
9831     if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
9832             || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9833             || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9834             || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
9835             || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
9836         goto end;
9837 
9838     /*
9839      * Send the server's first flight. At this point the server has created the
9840      * temporary DH key but hasn't finished using it yet. Once used it is
9841      * removed, so we cannot test it.
9842      */
9843     if (!TEST_int_le(SSL_connect(clientssl), 0)
9844             || !TEST_int_le(SSL_accept(serverssl), 0))
9845         goto end;
9846 
9847     if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
9848         goto end;
9849     if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
9850         goto end;
9851 
9852     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9853         goto end;
9854 
9855     testresult = 1;
9856 
9857  end:
9858     SSL_free(serverssl);
9859     SSL_free(clientssl);
9860     SSL_CTX_free(sctx);
9861     SSL_CTX_free(cctx);
9862     EVP_PKEY_free(tmpkey);
9863 
9864     return testresult;
9865 
9866 }
9867 # endif /* OPENSSL_NO_DH */
9868 #endif /* OPENSSL_NO_TLS1_2 */
9869 
9870 #ifndef OSSL_NO_USABLE_TLS1_3
9871 /*
9872  * Test that setting an SNI callback works with TLSv1.3. Specifically we check
9873  * that it works even without a certificate configured for the original
9874  * SSL_CTX
9875  */
9876 static int test_sni_tls13(void)
9877 {
9878     SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
9879     SSL *clientssl = NULL, *serverssl = NULL;
9880     int testresult = 0;
9881 
9882     /* Reset callback counter */
9883     snicb = 0;
9884 
9885     /* Create an initial SSL_CTX with no certificate configured */
9886     sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9887     if (!TEST_ptr(sctx))
9888         goto end;
9889     /* Require TLSv1.3 as a minimum */
9890     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9891                                        TLS_client_method(), TLS1_3_VERSION, 0,
9892                                        &sctx2, &cctx, cert, privkey)))
9893         goto end;
9894 
9895     /* Set up SNI */
9896     if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
9897             || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
9898         goto end;
9899 
9900     /*
9901      * Connection should still succeed because the final SSL_CTX has the right
9902      * certificates configured.
9903      */
9904     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9905                                       &clientssl, NULL, NULL))
9906             || !TEST_true(create_ssl_connection(serverssl, clientssl,
9907                                                 SSL_ERROR_NONE)))
9908         goto end;
9909 
9910     /* We should have had the SNI callback called exactly once */
9911     if (!TEST_int_eq(snicb, 1))
9912         goto end;
9913 
9914     testresult = 1;
9915 
9916 end:
9917     SSL_free(serverssl);
9918     SSL_free(clientssl);
9919     SSL_CTX_free(sctx2);
9920     SSL_CTX_free(sctx);
9921     SSL_CTX_free(cctx);
9922     return testresult;
9923 }
9924 
9925 /*
9926  * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
9927  * 0 = TLSv1.2
9928  * 1 = TLSv1.3
9929  */
9930 static int test_ticket_lifetime(int idx)
9931 {
9932     SSL_CTX *cctx = NULL, *sctx = NULL;
9933     SSL *clientssl = NULL, *serverssl = NULL;
9934     int testresult = 0;
9935     int version = TLS1_3_VERSION;
9936 
9937 #define ONE_WEEK_SEC (7 * 24 * 60 * 60)
9938 #define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
9939 
9940     if (idx == 0) {
9941 #ifdef OPENSSL_NO_TLS1_2
9942         return TEST_skip("TLS 1.2 is disabled.");
9943 #else
9944         version = TLS1_2_VERSION;
9945 #endif
9946     }
9947 
9948     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9949                                        TLS_client_method(), version, version,
9950                                        &sctx, &cctx, cert, privkey)))
9951         goto end;
9952 
9953     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9954                                       &clientssl, NULL, NULL)))
9955         goto end;
9956 
9957     /*
9958      * Set the timeout to be more than 1 week
9959      * make sure the returned value is the default
9960      */
9961     if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
9962                       SSL_get_default_timeout(serverssl)))
9963         goto end;
9964 
9965     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9966         goto end;
9967 
9968     if (idx == 0) {
9969         /* TLSv1.2 uses the set value */
9970         if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
9971             goto end;
9972     } else {
9973         /* TLSv1.3 uses the limited value */
9974         if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
9975             goto end;
9976     }
9977     testresult = 1;
9978 
9979 end:
9980     SSL_free(serverssl);
9981     SSL_free(clientssl);
9982     SSL_CTX_free(sctx);
9983     SSL_CTX_free(cctx);
9984     return testresult;
9985 }
9986 #endif
9987 /*
9988  * Test that setting an ALPN does not violate RFC
9989  */
9990 static int test_set_alpn(void)
9991 {
9992     SSL_CTX *ctx = NULL;
9993     SSL *ssl = NULL;
9994     int testresult = 0;
9995 
9996     unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
9997     unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
9998     unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
9999     unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
10000     unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
10001     unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
10002 
10003     /* Create an initial SSL_CTX with no certificate configured */
10004     ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10005     if (!TEST_ptr(ctx))
10006         goto end;
10007 
10008     /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
10009     if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
10010         goto end;
10011     if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
10012         goto end;
10013     if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
10014         goto end;
10015     if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
10016         goto end;
10017     if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
10018         goto end;
10019     if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
10020         goto end;
10021     if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
10022         goto end;
10023     if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
10024         goto end;
10025     if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
10026         goto end;
10027 
10028     ssl = SSL_new(ctx);
10029     if (!TEST_ptr(ssl))
10030         goto end;
10031 
10032     if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
10033         goto end;
10034     if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
10035         goto end;
10036     if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
10037         goto end;
10038     if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
10039         goto end;
10040     if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
10041         goto end;
10042     if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
10043         goto end;
10044     if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
10045         goto end;
10046     if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
10047         goto end;
10048     if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
10049         goto end;
10050 
10051     testresult = 1;
10052 
10053 end:
10054     SSL_free(ssl);
10055     SSL_CTX_free(ctx);
10056     return testresult;
10057 }
10058 
10059 /*
10060  * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
10061  */
10062 static int test_set_verify_cert_store_ssl_ctx(void)
10063 {
10064    SSL_CTX *ctx = NULL;
10065    int testresult = 0;
10066    X509_STORE *store = NULL, *new_store = NULL,
10067               *cstore = NULL, *new_cstore = NULL;
10068 
10069    /* Create an initial SSL_CTX. */
10070    ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10071    if (!TEST_ptr(ctx))
10072        goto end;
10073 
10074    /* Retrieve verify store pointer. */
10075    if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10076        goto end;
10077 
10078    /* Retrieve chain store pointer. */
10079    if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10080        goto end;
10081 
10082    /* We haven't set any yet, so this should be NULL. */
10083    if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10084        goto end;
10085 
10086    /* Create stores. We use separate stores so pointers are different. */
10087    new_store = X509_STORE_new();
10088    if (!TEST_ptr(new_store))
10089        goto end;
10090 
10091    new_cstore = X509_STORE_new();
10092    if (!TEST_ptr(new_cstore))
10093        goto end;
10094 
10095    /* Set stores. */
10096    if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
10097        goto end;
10098 
10099    if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
10100        goto end;
10101 
10102    /* Should be able to retrieve the same pointer. */
10103    if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10104        goto end;
10105 
10106    if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10107        goto end;
10108 
10109    if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10110        goto end;
10111 
10112    /* Should be able to unset again. */
10113    if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
10114        goto end;
10115 
10116    if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
10117        goto end;
10118 
10119    /* Should now be NULL. */
10120    if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10121        goto end;
10122 
10123    if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10124        goto end;
10125 
10126    if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10127        goto end;
10128 
10129    testresult = 1;
10130 
10131 end:
10132    X509_STORE_free(new_store);
10133    X509_STORE_free(new_cstore);
10134    SSL_CTX_free(ctx);
10135    return testresult;
10136 }
10137 
10138 /*
10139  * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
10140  */
10141 static int test_set_verify_cert_store_ssl(void)
10142 {
10143    SSL_CTX *ctx = NULL;
10144    SSL *ssl = NULL;
10145    int testresult = 0;
10146    X509_STORE *store = NULL, *new_store = NULL,
10147               *cstore = NULL, *new_cstore = NULL;
10148 
10149    /* Create an initial SSL_CTX. */
10150    ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10151    if (!TEST_ptr(ctx))
10152        goto end;
10153 
10154    /* Create an SSL object. */
10155    ssl = SSL_new(ctx);
10156    if (!TEST_ptr(ssl))
10157        goto end;
10158 
10159    /* Retrieve verify store pointer. */
10160    if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10161        goto end;
10162 
10163    /* Retrieve chain store pointer. */
10164    if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10165        goto end;
10166 
10167    /* We haven't set any yet, so this should be NULL. */
10168    if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10169        goto end;
10170 
10171    /* Create stores. We use separate stores so pointers are different. */
10172    new_store = X509_STORE_new();
10173    if (!TEST_ptr(new_store))
10174        goto end;
10175 
10176    new_cstore = X509_STORE_new();
10177    if (!TEST_ptr(new_cstore))
10178        goto end;
10179 
10180    /* Set stores. */
10181    if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
10182        goto end;
10183 
10184    if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
10185        goto end;
10186 
10187    /* Should be able to retrieve the same pointer. */
10188    if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10189        goto end;
10190 
10191    if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10192        goto end;
10193 
10194    if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10195        goto end;
10196 
10197    /* Should be able to unset again. */
10198    if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
10199        goto end;
10200 
10201    if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
10202        goto end;
10203 
10204    /* Should now be NULL. */
10205    if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10206        goto end;
10207 
10208    if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10209        goto end;
10210 
10211    if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10212        goto end;
10213 
10214    testresult = 1;
10215 
10216 end:
10217    X509_STORE_free(new_store);
10218    X509_STORE_free(new_cstore);
10219    SSL_free(ssl);
10220    SSL_CTX_free(ctx);
10221    return testresult;
10222 }
10223 
10224 
10225 static int test_inherit_verify_param(void)
10226 {
10227     int testresult = 0;
10228 
10229     SSL_CTX *ctx = NULL;
10230     X509_VERIFY_PARAM *cp = NULL;
10231     SSL *ssl = NULL;
10232     X509_VERIFY_PARAM *sp = NULL;
10233     int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
10234 
10235     ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10236     if (!TEST_ptr(ctx))
10237         goto end;
10238 
10239     cp = SSL_CTX_get0_param(ctx);
10240     if (!TEST_ptr(cp))
10241         goto end;
10242     if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
10243         goto end;
10244 
10245     X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
10246 
10247     ssl = SSL_new(ctx);
10248     if (!TEST_ptr(ssl))
10249         goto end;
10250 
10251     sp = SSL_get0_param(ssl);
10252     if (!TEST_ptr(sp))
10253         goto end;
10254     if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
10255         goto end;
10256 
10257     testresult = 1;
10258 
10259  end:
10260     SSL_free(ssl);
10261     SSL_CTX_free(ctx);
10262 
10263     return testresult;
10264 }
10265 
10266 static int test_load_dhfile(void)
10267 {
10268 #ifndef OPENSSL_NO_DH
10269     int testresult = 0;
10270 
10271     SSL_CTX *ctx = NULL;
10272     SSL_CONF_CTX *cctx = NULL;
10273 
10274     if (dhfile == NULL)
10275         return 1;
10276 
10277     if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()))
10278         || !TEST_ptr(cctx = SSL_CONF_CTX_new()))
10279         goto end;
10280 
10281     SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
10282     SSL_CONF_CTX_set_flags(cctx,
10283                            SSL_CONF_FLAG_CERTIFICATE
10284                            | SSL_CONF_FLAG_SERVER
10285                            | SSL_CONF_FLAG_FILE);
10286 
10287     if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2))
10288         goto end;
10289 
10290     testresult = 1;
10291 end:
10292     SSL_CONF_CTX_free(cctx);
10293     SSL_CTX_free(ctx);
10294 
10295     return testresult;
10296 #else
10297     return TEST_skip("DH not supported by this build");
10298 #endif
10299 }
10300 
10301 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
10302 /*
10303  * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not
10304  * support this yet. The only pipeline capable cipher that we have is in the
10305  * dasync engine (providers don't support this yet), so we have to use
10306  * deprecated APIs for this test.
10307  *
10308  * Test 0: Client has pipelining enabled, server does not
10309  * Test 1: Server has pipelining enabled, client does not
10310  * Test 2: Client has pipelining enabled, server does not: not enough data to
10311  *         fill all the pipelines
10312  * Test 3: Client has pipelining enabled, server does not: not enough data to
10313  *         fill all the pipelines by more than a full pipeline's worth
10314  * Test 4: Client has pipelining enabled, server does not: more data than all
10315  *         the available pipelines can take
10316  * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline
10317  * Test 6: Repeat of test 0, but the engine is loaded late (after the SSL_CTX
10318  *         is created)
10319  */
10320 static int test_pipelining(int idx)
10321 {
10322     SSL_CTX *cctx = NULL, *sctx = NULL;
10323     SSL *clientssl = NULL, *serverssl = NULL, *peera, *peerb;
10324     int testresult = 0, numreads;
10325     /* A 55 byte message */
10326     unsigned char *msg = (unsigned char *)
10327         "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123";
10328     size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5;
10329     size_t expectedreads;
10330     unsigned char *buf = NULL;
10331     ENGINE *e = NULL;
10332 
10333     if (idx != 6) {
10334         e = load_dasync();
10335         if (e == NULL)
10336             return 0;
10337     }
10338 
10339     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10340                                        TLS_client_method(), 0,
10341                                        TLS1_2_VERSION, &sctx, &cctx, cert,
10342                                        privkey)))
10343         goto end;
10344 
10345     if (idx == 6) {
10346         e = load_dasync();
10347         if (e == NULL)
10348             goto end;
10349         /* Now act like test 0 */
10350         idx = 0;
10351     }
10352 
10353     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10354                                       &clientssl, NULL, NULL)))
10355         goto end;
10356 
10357     if (!TEST_true(SSL_set_cipher_list(clientssl, "AES128-SHA")))
10358         goto end;
10359 
10360     /* peera is always configured for pipelining, while peerb is not. */
10361     if (idx == 1) {
10362         peera = serverssl;
10363         peerb = clientssl;
10364 
10365     } else {
10366         peera = clientssl;
10367         peerb = serverssl;
10368     }
10369 
10370     if (idx == 5) {
10371         numpipes = 2;
10372         /* Maximum allowed fragment size */
10373         fragsize = SSL3_RT_MAX_PLAIN_LENGTH;
10374         msglen = fragsize * numpipes;
10375         msg = OPENSSL_malloc(msglen);
10376         if (!TEST_ptr(msg))
10377             goto end;
10378         if (!TEST_int_gt(RAND_bytes_ex(libctx, msg, msglen, 0), 0))
10379             goto end;
10380     } else if (idx == 4) {
10381         msglen = 55;
10382     } else {
10383         msglen = 50;
10384     }
10385     if (idx == 2)
10386         msglen -= 2; /* Send 2 less bytes */
10387     else if (idx == 3)
10388         msglen -= 12; /* Send 12 less bytes */
10389 
10390     buf = OPENSSL_malloc(msglen);
10391     if (!TEST_ptr(buf))
10392         goto end;
10393 
10394     if (idx == 5) {
10395         /*
10396          * Test that setting a split send fragment longer than the maximum
10397          * allowed fails
10398          */
10399         if (!TEST_false(SSL_set_split_send_fragment(peera, fragsize + 1)))
10400             goto end;
10401     }
10402 
10403     /*
10404      * In the normal case. We have 5 pipelines with 10 bytes per pipeline
10405      * (50 bytes in total). This is a ridiculously small number of bytes -
10406      * but sufficient for our purposes
10407      */
10408     if (!TEST_true(SSL_set_max_pipelines(peera, numpipes))
10409             || !TEST_true(SSL_set_split_send_fragment(peera, fragsize)))
10410         goto end;
10411 
10412     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10413         goto end;
10414 
10415     /* Write some data from peera to peerb */
10416     if (!TEST_true(SSL_write_ex(peera, msg, msglen, &written))
10417         || !TEST_size_t_eq(written, msglen))
10418         goto end;
10419 
10420     /*
10421      * If the pipelining code worked, then we expect all |numpipes| pipelines to
10422      * have been used - except in test 3 where only |numpipes - 1| pipelines
10423      * will be used. This will result in |numpipes| records (|numpipes - 1| for
10424      * test 3) having been sent to peerb. Since peerb is not using read_ahead we
10425      * expect this to be read in |numpipes| or |numpipes - 1| separate
10426      * SSL_read_ex calls. In the case of test 4, there is then one additional
10427      * read for left over data that couldn't fit in the previous pipelines
10428      */
10429     for (offset = 0, numreads = 0;
10430          offset < msglen;
10431          offset += readbytes, numreads++) {
10432         if (!TEST_true(SSL_read_ex(peerb, buf + offset,
10433                                    msglen - offset, &readbytes)))
10434             goto end;
10435     }
10436 
10437     expectedreads = idx == 4 ? numpipes + 1
10438                              : (idx == 3 ? numpipes - 1 : numpipes);
10439     if (!TEST_mem_eq(msg, msglen, buf, offset)
10440             || !TEST_int_eq(numreads, expectedreads))
10441         goto end;
10442 
10443     /*
10444      * Write some data from peerb to peera. We do this in up to |numpipes + 1|
10445      * chunks to exercise the read pipelining code on peera.
10446      */
10447     for (offset = 0; offset < msglen; offset += fragsize) {
10448         size_t sendlen = msglen - offset;
10449 
10450         if (sendlen > fragsize)
10451             sendlen = fragsize;
10452         if (!TEST_true(SSL_write_ex(peerb, msg + offset, sendlen, &written))
10453                 || !TEST_size_t_eq(written, sendlen))
10454             goto end;
10455     }
10456 
10457     /*
10458      * The data was written in |numpipes|, |numpipes - 1| or |numpipes + 1|
10459      * separate chunks (depending on which test we are running). If the
10460      * pipelining is working then we expect peera to read up to numpipes chunks
10461      * and process them in parallel, giving back the complete result in a single
10462      * call to SSL_read_ex
10463      */
10464     if (!TEST_true(SSL_read_ex(peera, buf, msglen, &readbytes))
10465             || !TEST_size_t_le(readbytes, msglen))
10466         goto end;
10467 
10468     if (idx == 4) {
10469         size_t readbytes2;
10470 
10471         if (!TEST_true(SSL_read_ex(peera, buf + readbytes,
10472                                    msglen - readbytes, &readbytes2)))
10473             goto end;
10474         readbytes += readbytes2;
10475         if (!TEST_size_t_le(readbytes, msglen))
10476             goto end;
10477     }
10478 
10479     if (!TEST_mem_eq(msg, msglen, buf, readbytes))
10480         goto end;
10481 
10482     testresult = 1;
10483 end:
10484     SSL_free(serverssl);
10485     SSL_free(clientssl);
10486     SSL_CTX_free(sctx);
10487     SSL_CTX_free(cctx);
10488     if (e != NULL) {
10489         ENGINE_unregister_ciphers(e);
10490         ENGINE_finish(e);
10491         ENGINE_free(e);
10492     }
10493     OPENSSL_free(buf);
10494     if (fragsize == SSL3_RT_MAX_PLAIN_LENGTH)
10495         OPENSSL_free(msg);
10496     return testresult;
10497 }
10498 #endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */
10499 
10500 /*
10501  * Force a write retry during handshaking. We test various combinations of
10502  * scenarios. We test a large certificate message which will fill the buffering
10503  * BIO used in the handshake. We try with client auth on and off. Finally we
10504  * also try a BIO that indicates retry via a 0 return. BIO_write() is documented
10505  * to indicate retry via -1 - but sometimes BIOs don't do that.
10506  *
10507  * Test 0: Standard certificate message
10508  * Test 1: Large certificate message
10509  * Test 2: Standard cert, verify peer
10510  * Test 3: Large cert, verify peer
10511  * Test 4: Standard cert, BIO returns 0 on retry
10512  * Test 5: Large cert, BIO returns 0 on retry
10513  * Test 6: Standard cert, verify peer, BIO returns 0 on retry
10514  * Test 7: Large cert, verify peer, BIO returns 0 on retry
10515  * Test 8-15: Repeat of above with TLSv1.2
10516  */
10517 static int test_handshake_retry(int idx)
10518 {
10519     SSL_CTX *cctx = NULL, *sctx = NULL;
10520     SSL *clientssl = NULL, *serverssl = NULL;
10521     int testresult = 0;
10522     BIO *tmp = NULL, *bretry = BIO_new(bio_s_always_retry());
10523     int maxversion = 0;
10524 
10525     if (!TEST_ptr(bretry))
10526         goto end;
10527 
10528 #ifndef OPENSSL_NO_TLS1_2
10529     if ((idx & 8) == 8)
10530         maxversion = TLS1_2_VERSION;
10531 #else
10532     if ((idx & 8) == 8)
10533         return TEST_skip("No TLSv1.2");
10534 #endif
10535 
10536     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10537                                        TLS_client_method(), 0, maxversion,
10538                                        &sctx, &cctx, cert, privkey)))
10539         goto end;
10540 
10541     /*
10542      * Add a large amount of data to fill the buffering BIO used by the SSL
10543      * object
10544      */
10545     if ((idx & 1) == 1 && !add_large_cert_chain(sctx))
10546         goto end;
10547 
10548     /*
10549      * We don't actually configure a client cert, but neither do we fail if one
10550      * isn't present.
10551      */
10552     if ((idx & 2) == 2)
10553         SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
10554 
10555     if ((idx & 4) == 4)
10556         set_always_retry_err_val(0);
10557 
10558     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10559                                       &clientssl, NULL, NULL)))
10560         goto end;
10561 
10562     tmp = SSL_get_wbio(serverssl);
10563     if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
10564         tmp = NULL;
10565         goto end;
10566     }
10567     SSL_set0_wbio(serverssl, bretry);
10568     bretry = NULL;
10569 
10570     if (!TEST_int_eq(SSL_connect(clientssl), -1))
10571         goto end;
10572 
10573     if (!TEST_int_eq(SSL_accept(serverssl), -1)
10574             || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
10575         goto end;
10576 
10577     /* Restore a BIO that will let the write succeed */
10578     SSL_set0_wbio(serverssl, tmp);
10579     tmp = NULL;
10580 
10581     if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10582         goto end;
10583 
10584     testresult = 1;
10585 end:
10586     SSL_free(serverssl);
10587     SSL_free(clientssl);
10588     SSL_CTX_free(sctx);
10589     SSL_CTX_free(cctx);
10590     BIO_free(bretry);
10591     BIO_free(tmp);
10592     set_always_retry_err_val(-1);
10593     return testresult;
10594 }
10595 
10596 struct resume_servername_cb_data {
10597     int i;
10598     SSL_CTX *cctx;
10599     SSL_CTX *sctx;
10600     SSL_SESSION *sess;
10601     int recurse;
10602 };
10603 
10604 /*
10605  * Servername callback. We use it here to run another complete handshake using
10606  * the same session - and mark the session as not_resuamble at the end
10607  */
10608 static int resume_servername_cb(SSL *s, int *ad, void *arg)
10609 {
10610     struct resume_servername_cb_data *cbdata = arg;
10611     SSL *serverssl = NULL, *clientssl = NULL;
10612     int ret = SSL_TLSEXT_ERR_ALERT_FATAL;
10613 
10614     if (cbdata->recurse)
10615         return SSL_TLSEXT_ERR_ALERT_FATAL;
10616 
10617     if ((cbdata->i % 3) != 1)
10618         return SSL_TLSEXT_ERR_OK;
10619 
10620     cbdata->recurse = 1;
10621 
10622     if (!TEST_true(create_ssl_objects(cbdata->sctx, cbdata->cctx, &serverssl,
10623                                       &clientssl, NULL, NULL))
10624             || !TEST_true(SSL_set_session(clientssl, cbdata->sess)))
10625         goto end;
10626 
10627     ERR_set_mark();
10628     /*
10629      * We expect this to fail - because the servername cb will fail. This will
10630      * mark the session as not_resumable.
10631      */
10632     if (!TEST_false(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) {
10633         ERR_clear_last_mark();
10634         goto end;
10635     }
10636     ERR_pop_to_mark();
10637 
10638     ret = SSL_TLSEXT_ERR_OK;
10639  end:
10640     SSL_free(serverssl);
10641     SSL_free(clientssl);
10642     cbdata->recurse = 0;
10643     return ret;
10644 }
10645 
10646 /*
10647  * Test multiple resumptions and cache size handling
10648  * Test 0: TLSv1.3 (max_early_data set)
10649  * Test 1: TLSv1.3 (SSL_OP_NO_TICKET set)
10650  * Test 2: TLSv1.3 (max_early_data and SSL_OP_NO_TICKET set)
10651  * Test 3: TLSv1.3 (SSL_OP_NO_TICKET, simultaneous resumes)
10652  * Test 4: TLSv1.2
10653  */
10654 static int test_multi_resume(int idx)
10655 {
10656     SSL_CTX *sctx = NULL, *cctx = NULL;
10657     SSL *serverssl = NULL, *clientssl = NULL;
10658     SSL_SESSION *sess = NULL;
10659     int max_version = TLS1_3_VERSION;
10660     int i, testresult = 0;
10661     struct resume_servername_cb_data cbdata;
10662 
10663 #if defined(OPENSSL_NO_TLS1_2)
10664     if (idx == 4)
10665         return TEST_skip("TLSv1.2 is disabled in this build");
10666 #else
10667     if (idx == 4)
10668         max_version = TLS1_2_VERSION;
10669 #endif
10670 #if defined(OSSL_NO_USABLE_TLS1_3)
10671     if (idx != 4)
10672         return TEST_skip("No usable TLSv1.3 in this build");
10673 #endif
10674 
10675     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10676                                        TLS_client_method(), TLS1_VERSION,
10677                                        max_version, &sctx, &cctx, cert,
10678                                        privkey)))
10679         goto end;
10680 
10681     /*
10682      * TLSv1.3 only uses a session cache if either max_early_data > 0 (used for
10683      * replay protection), or if SSL_OP_NO_TICKET is in use
10684      */
10685     if (idx == 0 || idx == 2)  {
10686         if (!TEST_true(SSL_CTX_set_max_early_data(sctx, 1024)))
10687             goto end;
10688     }
10689     if (idx == 1 || idx == 2 || idx == 3)
10690         SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
10691 
10692     SSL_CTX_sess_set_cache_size(sctx, 5);
10693 
10694     if (idx == 3) {
10695         SSL_CTX_set_tlsext_servername_callback(sctx, resume_servername_cb);
10696         SSL_CTX_set_tlsext_servername_arg(sctx, &cbdata);
10697         cbdata.cctx = cctx;
10698         cbdata.sctx = sctx;
10699         cbdata.recurse = 0;
10700     }
10701 
10702     for (i = 0; i < 30; i++) {
10703         if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10704                                                 NULL, NULL))
10705                 || !TEST_true(SSL_set_session(clientssl, sess)))
10706             goto end;
10707 
10708         /*
10709          * Check simultaneous resumes. We pause the connection part way through
10710          * the handshake by (mis)using the servername_cb. The pause occurs after
10711          * session resumption has already occurred, but before any session
10712          * tickets have been issued. While paused we run another complete
10713          * handshake resuming the same session.
10714          */
10715         if (idx == 3) {
10716             cbdata.i = i;
10717             cbdata.sess = sess;
10718         }
10719 
10720         /*
10721          * Recreate a bug where dynamically changing the max_early_data value
10722          * can cause sessions in the session cache which cannot be deleted.
10723          */
10724         if ((idx == 0 || idx == 2) && (i % 3) == 2)
10725             SSL_set_max_early_data(serverssl, 0);
10726 
10727         if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10728             goto end;
10729 
10730         if (sess == NULL || (idx == 0 && (i % 3) == 2)) {
10731             if (!TEST_false(SSL_session_reused(clientssl)))
10732                 goto end;
10733         } else {
10734             if (!TEST_true(SSL_session_reused(clientssl)))
10735                 goto end;
10736         }
10737         SSL_SESSION_free(sess);
10738 
10739         /* Do a full handshake, followed by two resumptions */
10740         if ((i % 3) == 2) {
10741             sess = NULL;
10742         } else {
10743             if (!TEST_ptr((sess = SSL_get1_session(clientssl))))
10744                 goto end;
10745         }
10746 
10747         SSL_shutdown(clientssl);
10748         SSL_shutdown(serverssl);
10749         SSL_free(serverssl);
10750         SSL_free(clientssl);
10751         serverssl = clientssl = NULL;
10752     }
10753 
10754     /* We should never exceed the session cache size limit */
10755     if (!TEST_long_le(SSL_CTX_sess_number(sctx), 5))
10756         goto end;
10757 
10758     testresult = 1;
10759  end:
10760     SSL_free(serverssl);
10761     SSL_free(clientssl);
10762     SSL_CTX_free(sctx);
10763     SSL_CTX_free(cctx);
10764     SSL_SESSION_free(sess);
10765     return testresult;
10766 }
10767 
10768 static struct next_proto_st {
10769     int serverlen;
10770     unsigned char server[40];
10771     int clientlen;
10772     unsigned char client[40];
10773     int expected_ret;
10774     size_t selectedlen;
10775     unsigned char selected[40];
10776 } next_proto_tests[] = {
10777     {
10778         4, { 3, 'a', 'b', 'c' },
10779         4, { 3, 'a', 'b', 'c' },
10780         OPENSSL_NPN_NEGOTIATED,
10781         3, { 'a', 'b', 'c' }
10782     },
10783     {
10784         7, { 3, 'a', 'b', 'c', 2, 'a', 'b' },
10785         4, { 3, 'a', 'b', 'c' },
10786         OPENSSL_NPN_NEGOTIATED,
10787         3, { 'a', 'b', 'c' }
10788     },
10789     {
10790         7, { 2, 'a', 'b', 3, 'a', 'b', 'c', },
10791         4, { 3, 'a', 'b', 'c' },
10792         OPENSSL_NPN_NEGOTIATED,
10793         3, { 'a', 'b', 'c' }
10794     },
10795     {
10796         4, { 3, 'a', 'b', 'c' },
10797         7, { 3, 'a', 'b', 'c', 2, 'a', 'b', },
10798         OPENSSL_NPN_NEGOTIATED,
10799         3, { 'a', 'b', 'c' }
10800     },
10801     {
10802         4, { 3, 'a', 'b', 'c' },
10803         7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
10804         OPENSSL_NPN_NEGOTIATED,
10805         3, { 'a', 'b', 'c' }
10806     },
10807     {
10808         7, { 2, 'b', 'c', 3, 'a', 'b', 'c' },
10809         7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
10810         OPENSSL_NPN_NEGOTIATED,
10811         3, { 'a', 'b', 'c' }
10812     },
10813     {
10814         10, { 2, 'b', 'c', 3, 'a', 'b', 'c', 2, 'a', 'b' },
10815         7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
10816         OPENSSL_NPN_NEGOTIATED,
10817         3, { 'a', 'b', 'c' }
10818     },
10819     {
10820         4, { 3, 'b', 'c', 'd' },
10821         4, { 3, 'a', 'b', 'c' },
10822         OPENSSL_NPN_NO_OVERLAP,
10823         3, { 'a', 'b', 'c' }
10824     },
10825     {
10826         0, { 0 },
10827         4, { 3, 'a', 'b', 'c' },
10828         OPENSSL_NPN_NO_OVERLAP,
10829         3, { 'a', 'b', 'c' }
10830     },
10831     {
10832         -1, { 0 },
10833         4, { 3, 'a', 'b', 'c' },
10834         OPENSSL_NPN_NO_OVERLAP,
10835         3, { 'a', 'b', 'c' }
10836     },
10837     {
10838         4, { 3, 'a', 'b', 'c' },
10839         0, { 0 },
10840         OPENSSL_NPN_NO_OVERLAP,
10841         0, { 0 }
10842     },
10843     {
10844         4, { 3, 'a', 'b', 'c' },
10845         -1, { 0 },
10846         OPENSSL_NPN_NO_OVERLAP,
10847         0, { 0 }
10848     },
10849     {
10850         3, { 3, 'a', 'b', 'c' },
10851         4, { 3, 'a', 'b', 'c' },
10852         OPENSSL_NPN_NO_OVERLAP,
10853         3, { 'a', 'b', 'c' }
10854     },
10855     {
10856         4, { 3, 'a', 'b', 'c' },
10857         3, { 3, 'a', 'b', 'c' },
10858         OPENSSL_NPN_NO_OVERLAP,
10859         0, { 0 }
10860     }
10861 };
10862 
10863 static int test_select_next_proto(int idx)
10864 {
10865     struct next_proto_st *np = &next_proto_tests[idx];
10866     int ret = 0;
10867     unsigned char *out, *client, *server;
10868     unsigned char outlen;
10869     unsigned int clientlen, serverlen;
10870 
10871     if (np->clientlen == -1) {
10872         client = NULL;
10873         clientlen = 0;
10874     } else {
10875         client = np->client;
10876         clientlen = (unsigned int)np->clientlen;
10877     }
10878     if (np->serverlen == -1) {
10879         server = NULL;
10880         serverlen = 0;
10881     } else {
10882         server = np->server;
10883         serverlen = (unsigned int)np->serverlen;
10884     }
10885 
10886     if (!TEST_int_eq(SSL_select_next_proto(&out, &outlen, server, serverlen,
10887                                            client, clientlen),
10888                      np->expected_ret))
10889         goto err;
10890 
10891     if (np->selectedlen == 0) {
10892         if (!TEST_ptr_null(out) || !TEST_uchar_eq(outlen, 0))
10893             goto err;
10894     } else {
10895         if (!TEST_mem_eq(out, outlen, np->selected, np->selectedlen))
10896             goto err;
10897     }
10898 
10899     ret = 1;
10900  err:
10901     return ret;
10902 }
10903 
10904 static const unsigned char fooprot[] = {3, 'f', 'o', 'o' };
10905 static const unsigned char barprot[] = {3, 'b', 'a', 'r' };
10906 
10907 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
10908 static int npn_advert_cb(SSL *ssl, const unsigned char **out,
10909                          unsigned int *outlen, void *arg)
10910 {
10911     int *idx = (int *)arg;
10912 
10913     switch (*idx) {
10914     default:
10915     case 0:
10916         *out = fooprot;
10917         *outlen = sizeof(fooprot);
10918         return SSL_TLSEXT_ERR_OK;
10919 
10920     case 1:
10921         *outlen = 0;
10922         return SSL_TLSEXT_ERR_OK;
10923 
10924     case 2:
10925         return SSL_TLSEXT_ERR_NOACK;
10926     }
10927 }
10928 
10929 static int npn_select_cb(SSL *s, unsigned char **out, unsigned char *outlen,
10930                          const unsigned char *in, unsigned int inlen, void *arg)
10931 {
10932     int *idx = (int *)arg;
10933 
10934     switch (*idx) {
10935     case 0:
10936     case 1:
10937         *out = (unsigned char *)(fooprot + 1);
10938         *outlen = *fooprot;
10939         return SSL_TLSEXT_ERR_OK;
10940 
10941     case 3:
10942         *out = (unsigned char *)(barprot + 1);
10943         *outlen = *barprot;
10944         return SSL_TLSEXT_ERR_OK;
10945 
10946     case 4:
10947         *outlen = 0;
10948         return SSL_TLSEXT_ERR_OK;
10949 
10950     default:
10951     case 2:
10952         return SSL_TLSEXT_ERR_ALERT_FATAL;
10953     }
10954 }
10955 
10956 /*
10957  * Test the NPN callbacks
10958  * Test 0: advert = foo, select = foo
10959  * Test 1: advert = <empty>, select = foo
10960  * Test 2: no advert
10961  * Test 3: advert = foo, select = bar
10962  * Test 4: advert = foo, select = <empty> (should fail)
10963  */
10964 static int test_npn(int idx)
10965 {
10966     SSL_CTX *sctx = NULL, *cctx = NULL;
10967     SSL *serverssl = NULL, *clientssl = NULL;
10968     int testresult = 0;
10969 
10970     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10971                                        TLS_client_method(), 0, TLS1_2_VERSION,
10972                                        &sctx, &cctx, cert, privkey)))
10973         goto end;
10974 
10975     SSL_CTX_set_next_protos_advertised_cb(sctx, npn_advert_cb, &idx);
10976     SSL_CTX_set_next_proto_select_cb(cctx, npn_select_cb, &idx);
10977 
10978     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
10979                                       NULL)))
10980         goto end;
10981 
10982     if (idx == 4) {
10983         /* We don't allow empty selection of NPN, so this should fail */
10984         if (!TEST_false(create_ssl_connection(serverssl, clientssl,
10985                                               SSL_ERROR_NONE)))
10986             goto end;
10987     } else {
10988         const unsigned char *prot;
10989         unsigned int protlen;
10990 
10991         if (!TEST_true(create_ssl_connection(serverssl, clientssl,
10992                                              SSL_ERROR_NONE)))
10993             goto end;
10994 
10995         SSL_get0_next_proto_negotiated(serverssl, &prot, &protlen);
10996         switch (idx) {
10997         case 0:
10998         case 1:
10999             if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
11000                 goto end;
11001             break;
11002         case 2:
11003             if (!TEST_uint_eq(protlen, 0))
11004                 goto end;
11005             break;
11006         case 3:
11007             if (!TEST_mem_eq(prot, protlen, barprot + 1, *barprot))
11008                 goto end;
11009             break;
11010         default:
11011             TEST_error("Should not get here");
11012             goto end;
11013         }
11014     }
11015 
11016     testresult = 1;
11017  end:
11018     SSL_free(serverssl);
11019     SSL_free(clientssl);
11020     SSL_CTX_free(sctx);
11021     SSL_CTX_free(cctx);
11022 
11023     return testresult;
11024 }
11025 #endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) */
11026 
11027 static int alpn_select_cb2(SSL *ssl, const unsigned char **out,
11028                            unsigned char *outlen, const unsigned char *in,
11029                            unsigned int inlen, void *arg)
11030 {
11031     int *idx = (int *)arg;
11032 
11033     switch (*idx) {
11034     case 0:
11035         *out = (unsigned char *)(fooprot + 1);
11036         *outlen = *fooprot;
11037         return SSL_TLSEXT_ERR_OK;
11038 
11039     case 2:
11040         *out = (unsigned char *)(barprot + 1);
11041         *outlen = *barprot;
11042         return SSL_TLSEXT_ERR_OK;
11043 
11044     case 3:
11045         *outlen = 0;
11046         return SSL_TLSEXT_ERR_OK;
11047 
11048     default:
11049     case 1:
11050         return SSL_TLSEXT_ERR_ALERT_FATAL;
11051     }
11052     return 0;
11053 }
11054 
11055 /*
11056  * Test the ALPN callbacks
11057  * Test 0: client = foo, select = foo
11058  * Test 1: client = <empty>, select = none
11059  * Test 2: client = foo, select = bar (should fail)
11060  * Test 3: client = foo, select = <empty> (should fail)
11061  */
11062 static int test_alpn(int idx)
11063 {
11064     SSL_CTX *sctx = NULL, *cctx = NULL;
11065     SSL *serverssl = NULL, *clientssl = NULL;
11066     int testresult = 0;
11067     const unsigned char *prots = fooprot;
11068     unsigned int protslen = sizeof(fooprot);
11069 
11070     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11071                                        TLS_client_method(), 0, 0,
11072                                        &sctx, &cctx, cert, privkey)))
11073         goto end;
11074 
11075     SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb2, &idx);
11076 
11077     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
11078                                       NULL)))
11079         goto end;
11080 
11081     if (idx == 1) {
11082         prots = NULL;
11083         protslen = 0;
11084     }
11085 
11086     /* SSL_set_alpn_protos returns 0 for success! */
11087     if (!TEST_false(SSL_set_alpn_protos(clientssl, prots, protslen)))
11088         goto end;
11089 
11090     if (idx == 2 || idx == 3) {
11091         /* We don't allow empty selection of NPN, so this should fail */
11092         if (!TEST_false(create_ssl_connection(serverssl, clientssl,
11093                                               SSL_ERROR_NONE)))
11094             goto end;
11095     } else {
11096         const unsigned char *prot;
11097         unsigned int protlen;
11098 
11099         if (!TEST_true(create_ssl_connection(serverssl, clientssl,
11100                                              SSL_ERROR_NONE)))
11101             goto end;
11102 
11103         SSL_get0_alpn_selected(clientssl, &prot, &protlen);
11104         switch (idx) {
11105         case 0:
11106             if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
11107                 goto end;
11108             break;
11109         case 1:
11110             if (!TEST_uint_eq(protlen, 0))
11111                 goto end;
11112             break;
11113         default:
11114             TEST_error("Should not get here");
11115             goto end;
11116         }
11117     }
11118 
11119     testresult = 1;
11120  end:
11121     SSL_free(serverssl);
11122     SSL_free(clientssl);
11123     SSL_CTX_free(sctx);
11124     SSL_CTX_free(cctx);
11125 
11126     return testresult;
11127 }
11128 
11129 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
11130 
11131 int setup_tests(void)
11132 {
11133     char *modulename;
11134     char *configfile;
11135 
11136     libctx = OSSL_LIB_CTX_new();
11137     if (!TEST_ptr(libctx))
11138         return 0;
11139 
11140     defctxnull = OSSL_PROVIDER_load(NULL, "null");
11141 
11142     /*
11143      * Verify that the default and fips providers in the default libctx are not
11144      * available
11145      */
11146     if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
11147             || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
11148         return 0;
11149 
11150     if (!test_skip_common_options()) {
11151         TEST_error("Error parsing test options\n");
11152         return 0;
11153     }
11154 
11155     if (!TEST_ptr(certsdir = test_get_argument(0))
11156             || !TEST_ptr(srpvfile = test_get_argument(1))
11157             || !TEST_ptr(tmpfilename = test_get_argument(2))
11158             || !TEST_ptr(modulename = test_get_argument(3))
11159             || !TEST_ptr(configfile = test_get_argument(4))
11160             || !TEST_ptr(dhfile = test_get_argument(5)))
11161         return 0;
11162 
11163     if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
11164         return 0;
11165 
11166     /* Check we have the expected provider available */
11167     if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
11168         return 0;
11169 
11170     /* Check the default provider is not available */
11171     if (strcmp(modulename, "default") != 0
11172             && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
11173         return 0;
11174 
11175     if (strcmp(modulename, "fips") == 0)
11176         is_fips = 1;
11177 
11178     /*
11179      * We add, but don't load the test "tls-provider". We'll load it when we
11180      * need it.
11181      */
11182     if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
11183                                              tls_provider_init)))
11184         return 0;
11185 
11186 
11187     if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
11188 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
11189         TEST_error("not supported in this build");
11190         return 0;
11191 #else
11192         int i, mcount, rcount, fcount;
11193 
11194         for (i = 0; i < 4; i++)
11195             test_export_key_mat(i);
11196         CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
11197         test_printf_stdout("malloc %d realloc %d free %d\n",
11198                 mcount, rcount, fcount);
11199         return 1;
11200 #endif
11201     }
11202 
11203     cert = test_mk_file_path(certsdir, "servercert.pem");
11204     if (cert == NULL)
11205         goto err;
11206 
11207     privkey = test_mk_file_path(certsdir, "serverkey.pem");
11208     if (privkey == NULL)
11209         goto err;
11210 
11211     cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
11212     if (cert2 == NULL)
11213         goto err;
11214 
11215     privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
11216     if (privkey2 == NULL)
11217         goto err;
11218 
11219     cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
11220     if (cert1024 == NULL)
11221         goto err;
11222 
11223     privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
11224     if (privkey1024 == NULL)
11225         goto err;
11226 
11227     cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
11228     if (cert3072 == NULL)
11229         goto err;
11230 
11231     privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
11232     if (privkey3072 == NULL)
11233         goto err;
11234 
11235     cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
11236     if (cert4096 == NULL)
11237         goto err;
11238 
11239     privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
11240     if (privkey4096 == NULL)
11241         goto err;
11242 
11243     cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
11244     if (cert8192 == NULL)
11245         goto err;
11246 
11247     privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
11248     if (privkey8192 == NULL)
11249         goto err;
11250 
11251 #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
11252 # if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
11253     ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
11254     ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS);
11255 # endif
11256 #endif
11257     ADD_TEST(test_large_message_tls);
11258     ADD_TEST(test_large_message_tls_read_ahead);
11259 #ifndef OPENSSL_NO_DTLS
11260     ADD_TEST(test_large_message_dtls);
11261 #endif
11262     ADD_ALL_TESTS(test_large_app_data, 28);
11263     ADD_TEST(test_cleanse_plaintext);
11264 #ifndef OPENSSL_NO_OCSP
11265     ADD_TEST(test_tlsext_status_type);
11266 #endif
11267     ADD_TEST(test_session_with_only_int_cache);
11268     ADD_TEST(test_session_with_only_ext_cache);
11269     ADD_TEST(test_session_with_both_cache);
11270     ADD_TEST(test_session_wo_ca_names);
11271 #ifndef OSSL_NO_USABLE_TLS1_3
11272     ADD_ALL_TESTS(test_stateful_tickets, 3);
11273     ADD_ALL_TESTS(test_stateless_tickets, 3);
11274     ADD_TEST(test_psk_tickets);
11275     ADD_ALL_TESTS(test_extra_tickets, 6);
11276 #endif
11277     ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
11278     ADD_TEST(test_ssl_bio_pop_next_bio);
11279     ADD_TEST(test_ssl_bio_pop_ssl_bio);
11280     ADD_TEST(test_ssl_bio_change_rbio);
11281     ADD_TEST(test_ssl_bio_change_wbio);
11282 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
11283     ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
11284     ADD_TEST(test_keylog);
11285 #endif
11286 #ifndef OSSL_NO_USABLE_TLS1_3
11287     ADD_TEST(test_keylog_no_master_key);
11288 #endif
11289     ADD_TEST(test_client_cert_verify_cb);
11290     ADD_TEST(test_ssl_build_cert_chain);
11291     ADD_TEST(test_ssl_ctx_build_cert_chain);
11292 #ifndef OPENSSL_NO_TLS1_2
11293     ADD_TEST(test_client_hello_cb);
11294     ADD_TEST(test_no_ems);
11295     ADD_TEST(test_ccs_change_cipher);
11296 #endif
11297 #ifndef OSSL_NO_USABLE_TLS1_3
11298     ADD_ALL_TESTS(test_early_data_read_write, 6);
11299     /*
11300      * We don't do replay tests for external PSK. Replay protection isn't used
11301      * in that scenario.
11302      */
11303     ADD_ALL_TESTS(test_early_data_replay, 2);
11304     ADD_ALL_TESTS(test_early_data_skip, OSSL_NELEM(ciphersuites) * 3);
11305     ADD_ALL_TESTS(test_early_data_skip_hrr, OSSL_NELEM(ciphersuites) * 3);
11306     ADD_ALL_TESTS(test_early_data_skip_hrr_fail, OSSL_NELEM(ciphersuites) * 3);
11307     ADD_ALL_TESTS(test_early_data_skip_abort, OSSL_NELEM(ciphersuites) * 3);
11308     ADD_ALL_TESTS(test_early_data_not_sent, 3);
11309     ADD_ALL_TESTS(test_early_data_psk, 8);
11310     ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
11311     ADD_ALL_TESTS(test_early_data_not_expected, 3);
11312 # ifndef OPENSSL_NO_TLS1_2
11313     ADD_ALL_TESTS(test_early_data_tls1_2, 3);
11314 # endif
11315 #endif
11316 #ifndef OSSL_NO_USABLE_TLS1_3
11317     ADD_ALL_TESTS(test_set_ciphersuite, 10);
11318     ADD_TEST(test_ciphersuite_change);
11319     ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
11320 # ifdef OPENSSL_NO_PSK
11321     ADD_ALL_TESTS(test_tls13_psk, 1);
11322 # else
11323     ADD_ALL_TESTS(test_tls13_psk, 4);
11324 # endif  /* OPENSSL_NO_PSK */
11325 # ifndef OPENSSL_NO_TLS1_2
11326     /* Test with both TLSv1.3 and 1.2 versions */
11327     ADD_ALL_TESTS(test_key_exchange, 14);
11328 #  if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
11329     ADD_ALL_TESTS(test_negotiated_group,
11330                   4 * (OSSL_NELEM(ecdhe_kexch_groups)
11331                        + OSSL_NELEM(ffdhe_kexch_groups)));
11332 #  endif
11333 # else
11334     /* Test with only TLSv1.3 versions */
11335     ADD_ALL_TESTS(test_key_exchange, 12);
11336 # endif
11337     ADD_ALL_TESTS(test_custom_exts, 6);
11338     ADD_TEST(test_stateless);
11339     ADD_TEST(test_pha_key_update);
11340 #else
11341     ADD_ALL_TESTS(test_custom_exts, 3);
11342 #endif
11343     ADD_ALL_TESTS(test_export_key_mat, 6);
11344 #ifndef OSSL_NO_USABLE_TLS1_3
11345     ADD_ALL_TESTS(test_export_key_mat_early, 3);
11346     ADD_TEST(test_key_update);
11347     ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
11348     ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
11349     ADD_ALL_TESTS(test_key_update_local_in_write, 2);
11350     ADD_ALL_TESTS(test_key_update_local_in_read, 2);
11351 #endif
11352     ADD_ALL_TESTS(test_ssl_clear, 2);
11353     ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
11354 #if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
11355     ADD_ALL_TESTS(test_srp, 6);
11356 #endif
11357     ADD_ALL_TESTS(test_info_callback, 6);
11358     ADD_ALL_TESTS(test_ssl_pending, 2);
11359     ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
11360     ADD_ALL_TESTS(test_ticket_callbacks, 20);
11361     ADD_ALL_TESTS(test_shutdown, 7);
11362     ADD_ALL_TESTS(test_incorrect_shutdown, 2);
11363     ADD_ALL_TESTS(test_cert_cb, 6);
11364     ADD_ALL_TESTS(test_client_cert_cb, 2);
11365     ADD_ALL_TESTS(test_ca_names, 3);
11366 #ifndef OPENSSL_NO_TLS1_2
11367     ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
11368 #endif
11369     ADD_ALL_TESTS(test_servername, 10);
11370 #if !defined(OPENSSL_NO_EC) \
11371     && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
11372     ADD_ALL_TESTS(test_sigalgs_available, 6);
11373 #endif
11374 #ifndef OPENSSL_NO_TLS1_3
11375     ADD_ALL_TESTS(test_pluggable_group, 2);
11376 #endif
11377 #ifndef OPENSSL_NO_TLS1_2
11378     ADD_TEST(test_ssl_dup);
11379 # ifndef OPENSSL_NO_DH
11380     ADD_ALL_TESTS(test_set_tmp_dh, 11);
11381     ADD_ALL_TESTS(test_dh_auto, 7);
11382 # endif
11383 #endif
11384 #ifndef OSSL_NO_USABLE_TLS1_3
11385     ADD_TEST(test_sni_tls13);
11386     ADD_ALL_TESTS(test_ticket_lifetime, 2);
11387 #endif
11388     ADD_TEST(test_inherit_verify_param);
11389     ADD_TEST(test_set_alpn);
11390     ADD_TEST(test_set_verify_cert_store_ssl_ctx);
11391     ADD_TEST(test_set_verify_cert_store_ssl);
11392     ADD_ALL_TESTS(test_session_timeout, 1);
11393 #if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
11394     ADD_ALL_TESTS(test_session_cache_overflow, 4);
11395 #endif
11396     ADD_TEST(test_load_dhfile);
11397 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
11398     ADD_ALL_TESTS(test_serverinfo_custom, 4);
11399 #endif
11400 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
11401     ADD_ALL_TESTS(test_pipelining, 7);
11402 #endif
11403     ADD_ALL_TESTS(test_handshake_retry, 16);
11404     ADD_ALL_TESTS(test_multi_resume, 5);
11405     ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests));
11406 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
11407     ADD_ALL_TESTS(test_npn, 5);
11408 #endif
11409     ADD_ALL_TESTS(test_alpn, 4);
11410     return 1;
11411 
11412  err:
11413     OPENSSL_free(cert);
11414     OPENSSL_free(privkey);
11415     OPENSSL_free(cert2);
11416     OPENSSL_free(privkey2);
11417     return 0;
11418 }
11419 
11420 void cleanup_tests(void)
11421 {
11422 # if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
11423     EVP_PKEY_free(tmp_dh_params);
11424 #endif
11425     OPENSSL_free(cert);
11426     OPENSSL_free(privkey);
11427     OPENSSL_free(cert2);
11428     OPENSSL_free(privkey2);
11429     OPENSSL_free(cert1024);
11430     OPENSSL_free(privkey1024);
11431     OPENSSL_free(cert3072);
11432     OPENSSL_free(privkey3072);
11433     OPENSSL_free(cert4096);
11434     OPENSSL_free(privkey4096);
11435     OPENSSL_free(cert8192);
11436     OPENSSL_free(privkey8192);
11437     bio_s_mempacket_test_free();
11438     bio_s_always_retry_free();
11439     OSSL_PROVIDER_unload(defctxnull);
11440     OSSL_LIB_CTX_free(libctx);
11441 }
11442