1 /* 2 * Copyright 2016-2026 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 /* 11 * We need access to the deprecated low level HMAC APIs for legacy purposes 12 * when the deprecated calls are not hidden 13 */ 14 #ifndef OPENSSL_NO_DEPRECATED_3_0 15 #define OPENSSL_SUPPRESS_DEPRECATED 16 #endif 17 18 #include <stdio.h> 19 #include <string.h> 20 21 #include <openssl/opensslconf.h> 22 #include <openssl/bio.h> 23 #include <openssl/crypto.h> 24 #include <openssl/ssl.h> 25 #include <openssl/ocsp.h> 26 #include <openssl/srp.h> 27 #include <openssl/txt_db.h> 28 #include <openssl/aes.h> 29 #include <openssl/rand.h> 30 #include <openssl/core_names.h> 31 #include <openssl/core_dispatch.h> 32 #include <openssl/provider.h> 33 #include <openssl/param_build.h> 34 #include <openssl/x509v3.h> 35 #include <openssl/dh.h> 36 #include <openssl/engine.h> 37 38 #include "helpers/ssltestlib.h" 39 #include "testutil.h" 40 #include "testutil/output.h" 41 #include "internal/nelem.h" 42 #include "internal/tlsgroups.h" 43 #include "internal/ktls.h" 44 #include "internal/ssl_unwrap.h" 45 #include "../ssl/ssl_local.h" 46 #include "../ssl/record/methods/recmethod_local.h" 47 #include "filterprov.h" 48 49 #undef OSSL_NO_USABLE_TLS1_3 50 #if defined(OPENSSL_NO_TLS1_3) \ 51 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH)) 52 /* 53 * If we don't have ec or dh then there are no built-in groups that are usable 54 * with TLSv1.3 55 */ 56 #define OSSL_NO_USABLE_TLS1_3 57 #endif 58 59 /* Defined in tls-provider.c */ 60 int tls_provider_init(const OSSL_CORE_HANDLE *handle, 61 const OSSL_DISPATCH *in, 62 const OSSL_DISPATCH **out, 63 void **provctx); 64 65 static OSSL_LIB_CTX *libctx = NULL; 66 static OSSL_PROVIDER *defctxnull = NULL; 
67 68 #ifndef OSSL_NO_USABLE_TLS1_3 69 70 static SSL_SESSION *clientpsk = NULL; 71 static SSL_SESSION *serverpsk = NULL; 72 static const char *pskid = "Identity"; 73 static const char *srvid; 74 75 static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id, 76 size_t *idlen, SSL_SESSION **sess); 77 static int find_session_cb(SSL *ssl, const unsigned char *identity, 78 size_t identity_len, SSL_SESSION **sess); 79 80 static int use_session_cb_cnt = 0; 81 static int find_session_cb_cnt = 0; 82 static int end_of_early_data = 0; 83 #endif 84 85 static char *certsdir = NULL; 86 static char *cert = NULL; 87 static char *privkey = NULL; 88 static char *cert2 = NULL; 89 static char *privkey2 = NULL; 90 static char *cert1024 = NULL; 91 static char *privkey1024 = NULL; 92 static char *cert3072 = NULL; 93 static char *privkey3072 = NULL; 94 static char *cert4096 = NULL; 95 static char *privkey4096 = NULL; 96 static char *cert8192 = NULL; 97 static char *privkey8192 = NULL; 98 static char *srpvfile = NULL; 99 static char *tmpfilename = NULL; 100 static char *dhfile = NULL; 101 static char *datadir = NULL; 102 103 static int is_fips = 0; 104 static int fips_ems_check = 0; 105 106 #define LOG_BUFFER_SIZE 2048 107 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = { 0 }; 108 static size_t server_log_buffer_index = 0; 109 static char client_log_buffer[LOG_BUFFER_SIZE + 1] = { 0 }; 110 static size_t client_log_buffer_index = 0; 111 static int error_writing_log = 0; 112 113 #ifndef OPENSSL_NO_OCSP 114 static const unsigned char orespder[] = "Dummy OCSP Response"; 115 static int ocsp_server_called = 0; 116 static int ocsp_client_called = 0; 117 118 static int cdummyarg = 1; 119 static X509 *ocspcert = NULL; 120 #endif 121 122 #define CLIENT_VERSION_LEN 2 123 124 /* The ssltrace test assumes some options are switched on/off */ 125 #if !defined(OPENSSL_NO_SSL_TRACE) \ 126 && defined(OPENSSL_NO_BROTLI) && defined(OPENSSL_NO_ZSTD) \ 127 && !defined(OPENSSL_NO_ECX) && 
!defined(OPENSSL_NO_DH) \ 128 && !defined(OPENSSL_NO_ML_DSA) && !defined(OPENSSL_NO_ML_KEM) \ 129 && !defined(OPENSSL_NO_TLS1_3) 130 #define DO_SSL_TRACE_TEST 131 #endif 132 133 /* 134 * This structure is used to validate that the correct number of log messages 135 * of various types are emitted when emitting secret logs. 136 */ 137 struct sslapitest_log_counts { 138 unsigned int rsa_key_exchange_count; 139 unsigned int master_secret_count; 140 unsigned int client_early_secret_count; 141 unsigned int client_handshake_secret_count; 142 unsigned int server_handshake_secret_count; 143 unsigned int client_application_secret_count; 144 unsigned int server_application_secret_count; 145 unsigned int early_exporter_secret_count; 146 unsigned int exporter_secret_count; 147 }; 148 149 static int hostname_cb(SSL *s, int *al, void *arg) 150 { 151 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); 152 153 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0 || strcmp(hostname, "altgoodhost") == 0)) 154 return SSL_TLSEXT_ERR_OK; 155 156 return SSL_TLSEXT_ERR_NOACK; 157 } 158 159 static void client_keylog_callback(const SSL *ssl, const char *line) 160 { 161 int line_length = strlen(line); 162 163 /* If the log doesn't fit, error out. */ 164 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) { 165 TEST_info("Client log too full"); 166 error_writing_log = 1; 167 return; 168 } 169 170 strcat(client_log_buffer, line); 171 client_log_buffer_index += line_length; 172 client_log_buffer[client_log_buffer_index++] = '\n'; 173 } 174 175 static void server_keylog_callback(const SSL *ssl, const char *line) 176 { 177 int line_length = strlen(line); 178 179 /* If the log doesn't fit, error out. 
*/ 180 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) { 181 TEST_info("Server log too full"); 182 error_writing_log = 1; 183 return; 184 } 185 186 strcat(server_log_buffer, line); 187 server_log_buffer_index += line_length; 188 server_log_buffer[server_log_buffer_index++] = '\n'; 189 } 190 191 static int compare_hex_encoded_buffer(const char *hex_encoded, 192 size_t hex_length, 193 const uint8_t *raw, 194 size_t raw_length) 195 { 196 size_t i, j; 197 char hexed[3]; 198 199 if (!TEST_size_t_eq(raw_length * 2, hex_length)) 200 return 1; 201 202 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) { 203 BIO_snprintf(hexed, sizeof(hexed), "%02x", raw[i]); 204 if (!TEST_int_eq(hexed[0], hex_encoded[j]) 205 || !TEST_int_eq(hexed[1], hex_encoded[j + 1])) 206 return 1; 207 } 208 209 return 0; 210 } 211 212 static int test_keylog_output(char *buffer, const SSL *ssl, 213 const SSL_SESSION *session, 214 struct sslapitest_log_counts *expected) 215 { 216 char *token = NULL; 217 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = { 0 }; 218 size_t client_random_size = SSL3_RANDOM_SIZE; 219 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = { 0 }; 220 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH; 221 unsigned int rsa_key_exchange_count = 0; 222 unsigned int master_secret_count = 0; 223 unsigned int client_early_secret_count = 0; 224 unsigned int client_handshake_secret_count = 0; 225 unsigned int server_handshake_secret_count = 0; 226 unsigned int client_application_secret_count = 0; 227 unsigned int server_application_secret_count = 0; 228 unsigned int early_exporter_secret_count = 0; 229 unsigned int exporter_secret_count = 0; 230 231 for (token = strtok(buffer, " \n"); token != NULL; 232 token = strtok(NULL, " \n")) { 233 if (strcmp(token, "RSA") == 0) { 234 /* 235 * Premaster secret. Tokens should be: 16 ASCII bytes of 236 * hex-encoded encrypted secret, then the hex-encoded pre-master 237 * secret. 
238 */ 239 if (!TEST_ptr(token = strtok(NULL, " \n"))) 240 return 0; 241 if (!TEST_size_t_eq(strlen(token), 16)) 242 return 0; 243 if (!TEST_ptr(token = strtok(NULL, " \n"))) 244 return 0; 245 /* 246 * We can't sensibly check the log because the premaster secret is 247 * transient, and OpenSSL doesn't keep hold of it once the master 248 * secret is generated. 249 */ 250 rsa_key_exchange_count++; 251 } else if (strcmp(token, "CLIENT_RANDOM") == 0) { 252 /* 253 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded 254 * client random, then the hex-encoded master secret. 255 */ 256 client_random_size = SSL_get_client_random(ssl, 257 actual_client_random, 258 SSL3_RANDOM_SIZE); 259 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE)) 260 return 0; 261 262 if (!TEST_ptr(token = strtok(NULL, " \n"))) 263 return 0; 264 if (!TEST_size_t_eq(strlen(token), 64)) 265 return 0; 266 if (!TEST_false(compare_hex_encoded_buffer(token, 64, 267 actual_client_random, 268 client_random_size))) 269 return 0; 270 271 if (!TEST_ptr(token = strtok(NULL, " \n"))) 272 return 0; 273 master_key_size = SSL_SESSION_get_master_key(session, 274 actual_master_key, 275 master_key_size); 276 if (!TEST_size_t_ne(master_key_size, 0)) 277 return 0; 278 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token), 279 actual_master_key, 280 master_key_size))) 281 return 0; 282 master_secret_count++; 283 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0 284 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0 285 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0 286 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0 287 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0 288 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0 289 || strcmp(token, "EXPORTER_SECRET") == 0) { 290 /* 291 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded 292 * client random, and then the hex-encoded secret. 
In this case, 293 * we treat all of these secrets identically and then just 294 * distinguish between them when counting what we saw. 295 */ 296 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0) 297 client_early_secret_count++; 298 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0) 299 client_handshake_secret_count++; 300 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0) 301 server_handshake_secret_count++; 302 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0) 303 client_application_secret_count++; 304 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0) 305 server_application_secret_count++; 306 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0) 307 early_exporter_secret_count++; 308 else if (strcmp(token, "EXPORTER_SECRET") == 0) 309 exporter_secret_count++; 310 311 client_random_size = SSL_get_client_random(ssl, 312 actual_client_random, 313 SSL3_RANDOM_SIZE); 314 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE)) 315 return 0; 316 317 if (!TEST_ptr(token = strtok(NULL, " \n"))) 318 return 0; 319 if (!TEST_size_t_eq(strlen(token), 64)) 320 return 0; 321 if (!TEST_false(compare_hex_encoded_buffer(token, 64, 322 actual_client_random, 323 client_random_size))) 324 return 0; 325 326 if (!TEST_ptr(token = strtok(NULL, " \n"))) 327 return 0; 328 } else { 329 TEST_info("Unexpected token %s\n", token); 330 return 0; 331 } 332 } 333 334 /* Got what we expected? 
*/ 335 if (!TEST_size_t_eq(rsa_key_exchange_count, 336 expected->rsa_key_exchange_count) 337 || !TEST_size_t_eq(master_secret_count, 338 expected->master_secret_count) 339 || !TEST_size_t_eq(client_early_secret_count, 340 expected->client_early_secret_count) 341 || !TEST_size_t_eq(client_handshake_secret_count, 342 expected->client_handshake_secret_count) 343 || !TEST_size_t_eq(server_handshake_secret_count, 344 expected->server_handshake_secret_count) 345 || !TEST_size_t_eq(client_application_secret_count, 346 expected->client_application_secret_count) 347 || !TEST_size_t_eq(server_application_secret_count, 348 expected->server_application_secret_count) 349 || !TEST_size_t_eq(early_exporter_secret_count, 350 expected->early_exporter_secret_count) 351 || !TEST_size_t_eq(exporter_secret_count, 352 expected->exporter_secret_count)) 353 return 0; 354 return 1; 355 } 356 357 #if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3) 358 static int test_keylog(void) 359 { 360 SSL_CTX *cctx = NULL, *sctx = NULL; 361 SSL *clientssl = NULL, *serverssl = NULL; 362 int testresult = 0; 363 struct sslapitest_log_counts expected; 364 365 /* Clean up logging space */ 366 memset(&expected, 0, sizeof(expected)); 367 memset(client_log_buffer, 0, sizeof(client_log_buffer)); 368 memset(server_log_buffer, 0, sizeof(server_log_buffer)); 369 client_log_buffer_index = 0; 370 server_log_buffer_index = 0; 371 error_writing_log = 0; 372 373 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 374 TLS_client_method(), 375 TLS1_VERSION, 0, 376 &sctx, &cctx, cert, privkey))) 377 return 0; 378 379 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */ 380 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3); 381 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3); 382 383 /* We also want to ensure that we use RSA-based key exchange. 
*/ 384 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA"))) 385 goto end; 386 387 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL) 388 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL)) 389 goto end; 390 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback); 391 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) 392 == client_keylog_callback)) 393 goto end; 394 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback); 395 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx) 396 == server_keylog_callback)) 397 goto end; 398 399 /* Now do a handshake and check that the logs have been written to. */ 400 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 401 &clientssl, NULL, NULL)) 402 || !TEST_true(create_ssl_connection(serverssl, clientssl, 403 SSL_ERROR_NONE)) 404 || !TEST_false(error_writing_log) 405 || !TEST_int_gt(client_log_buffer_index, 0) 406 || !TEST_int_gt(server_log_buffer_index, 0)) 407 goto end; 408 409 /* 410 * Now we want to test that our output data was vaguely sensible. We 411 * do that by using strtok and confirming that we have more or less the 412 * data we expect. For both client and server, we expect to see one master 413 * secret. The client should also see an RSA key exchange. 
414 */ 415 expected.rsa_key_exchange_count = 1; 416 expected.master_secret_count = 1; 417 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl, 418 SSL_get_session(clientssl), &expected))) 419 goto end; 420 421 expected.rsa_key_exchange_count = 0; 422 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl, 423 SSL_get_session(serverssl), &expected))) 424 goto end; 425 426 testresult = 1; 427 428 end: 429 SSL_free(serverssl); 430 SSL_free(clientssl); 431 SSL_CTX_free(sctx); 432 SSL_CTX_free(cctx); 433 434 return testresult; 435 } 436 #endif 437 438 #ifndef OSSL_NO_USABLE_TLS1_3 439 static int test_keylog_no_master_key(void) 440 { 441 SSL_CTX *cctx = NULL, *sctx = NULL; 442 SSL *clientssl = NULL, *serverssl = NULL; 443 SSL_SESSION *sess = NULL; 444 int testresult = 0; 445 struct sslapitest_log_counts expected; 446 unsigned char buf[1]; 447 size_t readbytes, written; 448 449 /* Clean up logging space */ 450 memset(&expected, 0, sizeof(expected)); 451 memset(client_log_buffer, 0, sizeof(client_log_buffer)); 452 memset(server_log_buffer, 0, sizeof(server_log_buffer)); 453 client_log_buffer_index = 0; 454 server_log_buffer_index = 0; 455 error_writing_log = 0; 456 457 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 458 TLS_client_method(), TLS1_VERSION, 0, 459 &sctx, &cctx, cert, privkey)) 460 || !TEST_true(SSL_CTX_set_max_early_data(sctx, 461 SSL3_RT_MAX_PLAIN_LENGTH))) 462 return 0; 463 464 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL) 465 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL)) 466 goto end; 467 468 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback); 469 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) 470 == client_keylog_callback)) 471 goto end; 472 473 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback); 474 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx) 475 == server_keylog_callback)) 476 goto end; 477 478 /* Now do a handshake and check that the logs have been written to. 
*/ 479 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 480 &clientssl, NULL, NULL)) 481 || !TEST_true(create_ssl_connection(serverssl, clientssl, 482 SSL_ERROR_NONE)) 483 || !TEST_false(error_writing_log)) 484 goto end; 485 486 /* 487 * Now we want to test that our output data was vaguely sensible. For this 488 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for 489 * TLSv1.3, but we do expect both client and server to emit keys. 490 */ 491 expected.client_handshake_secret_count = 1; 492 expected.server_handshake_secret_count = 1; 493 expected.client_application_secret_count = 1; 494 expected.server_application_secret_count = 1; 495 expected.exporter_secret_count = 1; 496 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl, 497 SSL_get_session(clientssl), &expected)) 498 || !TEST_true(test_keylog_output(server_log_buffer, serverssl, 499 SSL_get_session(serverssl), 500 &expected))) 501 goto end; 502 503 /* Terminate old session and resume with early data. */ 504 sess = SSL_get1_session(clientssl); 505 SSL_shutdown(clientssl); 506 SSL_shutdown(serverssl); 507 SSL_free(serverssl); 508 SSL_free(clientssl); 509 serverssl = clientssl = NULL; 510 511 /* Reset key log */ 512 memset(client_log_buffer, 0, sizeof(client_log_buffer)); 513 memset(server_log_buffer, 0, sizeof(server_log_buffer)); 514 client_log_buffer_index = 0; 515 server_log_buffer_index = 0; 516 517 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 518 &clientssl, NULL, NULL)) 519 || !TEST_true(SSL_set_session(clientssl, sess)) 520 /* Here writing 0 length early data is enough. 
*/ 521 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written)) 522 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf), 523 &readbytes), 524 SSL_READ_EARLY_DATA_ERROR) 525 || !TEST_int_eq(SSL_get_early_data_status(serverssl), 526 SSL_EARLY_DATA_ACCEPTED) 527 || !TEST_true(create_ssl_connection(serverssl, clientssl, 528 SSL_ERROR_NONE)) 529 || !TEST_true(SSL_session_reused(clientssl))) 530 goto end; 531 532 /* In addition to the previous entries, expect early secrets. */ 533 expected.client_early_secret_count = 1; 534 expected.early_exporter_secret_count = 1; 535 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl, 536 SSL_get_session(clientssl), &expected)) 537 || !TEST_true(test_keylog_output(server_log_buffer, serverssl, 538 SSL_get_session(serverssl), 539 &expected))) 540 goto end; 541 542 testresult = 1; 543 544 end: 545 SSL_SESSION_free(sess); 546 SSL_free(serverssl); 547 SSL_free(clientssl); 548 SSL_CTX_free(sctx); 549 SSL_CTX_free(cctx); 550 551 return testresult; 552 } 553 #endif 554 555 static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg) 556 { 557 int res = X509_verify_cert(ctx); 558 int idx = SSL_get_ex_data_X509_STORE_CTX_idx(); 559 SSL *ssl; 560 561 /* this should not happen but check anyway */ 562 if (idx < 0 563 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL) 564 return 0; 565 566 if (res == 0 && X509_STORE_CTX_get_error(ctx) == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) 567 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */ 568 return SSL_set_retry_verify(ssl); 569 570 return res; 571 } 572 573 static int test_client_cert_verify_cb(void) 574 { 575 /* server key, cert, chain, and root */ 576 char *skey = test_mk_file_path(certsdir, "leaf.key"); 577 char *leaf = test_mk_file_path(certsdir, "leaf.pem"); 578 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem"); 579 char *int1 = test_mk_file_path(certsdir, "interCA.pem"); 580 char *root = test_mk_file_path(certsdir, "rootCA.pem"); 581 X509 *crt1 = NULL, 
*crt2 = NULL; 582 STACK_OF(X509) *server_chain; 583 SSL_CTX *cctx = NULL, *sctx = NULL; 584 SSL *clientssl = NULL, *serverssl = NULL; 585 int testresult = 0; 586 587 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 588 TLS_client_method(), TLS1_VERSION, 0, 589 &sctx, &cctx, NULL, NULL))) 590 goto end; 591 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1) 592 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey, 593 SSL_FILETYPE_PEM), 594 1) 595 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)) 596 goto end; 597 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL))) 598 goto end; 599 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL); 600 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL); 601 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 602 &clientssl, NULL, NULL))) 603 goto end; 604 605 /* attempt SSL_connect() with incomplete server chain */ 606 if (!TEST_false(create_ssl_connection(serverssl, clientssl, 607 SSL_ERROR_WANT_RETRY_VERIFY))) 608 goto end; 609 610 /* application provides intermediate certs needed to verify server cert */ 611 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx))) 612 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx))) 613 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl)))) 614 goto end; 615 /* add certs in reverse order to demonstrate real chain building */ 616 if (!TEST_true(sk_X509_push(server_chain, crt1))) 617 goto end; 618 crt1 = NULL; 619 if (!TEST_true(sk_X509_push(server_chain, crt2))) 620 goto end; 621 crt2 = NULL; 622 623 /* continue SSL_connect(), must now succeed with completed server chain */ 624 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 625 SSL_ERROR_NONE))) 626 goto end; 627 628 testresult = 1; 629 630 end: 631 X509_free(crt1); 632 X509_free(crt2); 633 if (clientssl != NULL) { 634 SSL_shutdown(clientssl); 635 SSL_free(clientssl); 636 } 637 if (serverssl != NULL) { 638 SSL_shutdown(serverssl); 639 SSL_free(serverssl); 640 } 
641 SSL_CTX_free(sctx); 642 SSL_CTX_free(cctx); 643 644 OPENSSL_free(skey); 645 OPENSSL_free(leaf); 646 OPENSSL_free(int2); 647 OPENSSL_free(int1); 648 OPENSSL_free(root); 649 650 return testresult; 651 } 652 653 static int test_ssl_build_cert_chain(void) 654 { 655 int ret = 0; 656 SSL_CTX *ssl_ctx = NULL; 657 SSL *ssl = NULL; 658 char *skey = test_mk_file_path(certsdir, "leaf.key"); 659 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem"); 660 661 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()))) 662 goto end; 663 if (!TEST_ptr(ssl = SSL_new(ssl_ctx))) 664 goto end; 665 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */ 666 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1) 667 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1) 668 || !TEST_int_eq(SSL_check_private_key(ssl), 1)) 669 goto end; 670 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT | SSL_BUILD_CHAIN_FLAG_CHECK))) 671 goto end; 672 ret = 1; 673 end: 674 SSL_free(ssl); 675 SSL_CTX_free(ssl_ctx); 676 OPENSSL_free(leaf_chain); 677 OPENSSL_free(skey); 678 return ret; 679 } 680 681 static int get_password_cb(char *buf, int size, int rw_flag, void *userdata) 682 { 683 static const char pass[] = "testpass"; 684 685 if (!TEST_int_eq(size, PEM_BUFSIZE)) 686 return -1; 687 688 memcpy(buf, pass, sizeof(pass) - 1); 689 return sizeof(pass) - 1; 690 } 691 692 static int test_ssl_ctx_build_cert_chain(void) 693 { 694 int ret = 0; 695 SSL_CTX *ctx = NULL; 696 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key"); 697 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem"); 698 699 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()))) 700 goto end; 701 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb); 702 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */ 703 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1) 704 || 
!TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey, 705 SSL_FILETYPE_PEM), 706 1) 707 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1)) 708 goto end; 709 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT | SSL_BUILD_CHAIN_FLAG_CHECK))) 710 goto end; 711 ret = 1; 712 end: 713 SSL_CTX_free(ctx); 714 OPENSSL_free(leaf_chain); 715 OPENSSL_free(skey); 716 return ret; 717 } 718 719 #ifndef OPENSSL_NO_TLS1_2 720 static int full_client_hello_callback(SSL *s, int *al, void *arg) 721 { 722 int *ctr = arg; 723 const unsigned char *p; 724 int *exts; 725 #ifdef OPENSSL_NO_EC 726 const unsigned char expected_ciphers[] = { 0x00, 0x9d }; 727 #else 728 const unsigned char expected_ciphers[] = { 0x00, 0x9d, 0xc0, 729 0x2c }; 730 #endif 731 const int expected_extensions[] = { 732 65281, 733 #ifndef OPENSSL_NO_EC 734 11, 10, 735 #endif 736 35, 22, 23, 13 737 }; 738 size_t len; 739 740 /* Make sure we can defer processing and get called back. */ 741 if ((*ctr)++ == 0) 742 return SSL_CLIENT_HELLO_RETRY; 743 744 len = SSL_client_hello_get0_ciphers(s, &p); 745 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers)) 746 || !TEST_size_t_eq( 747 SSL_client_hello_get0_compression_methods(s, &p), 1) 748 || !TEST_int_eq(*p, 0)) 749 return SSL_CLIENT_HELLO_ERROR; 750 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len)) 751 return SSL_CLIENT_HELLO_ERROR; 752 if (len != OSSL_NELEM(expected_extensions) || memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) { 753 printf("ClientHello callback expected extensions mismatch\n"); 754 OPENSSL_free(exts); 755 return SSL_CLIENT_HELLO_ERROR; 756 } 757 OPENSSL_free(exts); 758 return SSL_CLIENT_HELLO_SUCCESS; 759 } 760 761 static int test_client_hello_cb(void) 762 { 763 SSL_CTX *cctx = NULL, *sctx = NULL; 764 SSL *clientssl = NULL, *serverssl = NULL; 765 int testctr = 0, testresult = 0; 766 767 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 768 TLS_client_method(), TLS1_VERSION, 0, 769 
&sctx, &cctx, cert, privkey))) 770 goto end; 771 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr); 772 773 /* The gimpy cipher list we configure can't do TLS 1.3. */ 774 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION); 775 /* Avoid problems where the default seclevel has been changed */ 776 SSL_CTX_set_security_level(cctx, 2); 777 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, 778 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384")) 779 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 780 &clientssl, NULL, NULL)) 781 || !TEST_false(create_ssl_connection(serverssl, clientssl, 782 SSL_ERROR_WANT_CLIENT_HELLO_CB)) 783 /* 784 * Passing a -1 literal is a hack since 785 * the real value was lost. 786 * */ 787 || !TEST_int_eq(SSL_get_error(serverssl, -1), 788 SSL_ERROR_WANT_CLIENT_HELLO_CB) 789 || !TEST_true(create_ssl_connection(serverssl, clientssl, 790 SSL_ERROR_NONE))) 791 goto end; 792 793 testresult = 1; 794 795 end: 796 SSL_free(serverssl); 797 SSL_free(clientssl); 798 SSL_CTX_free(sctx); 799 SSL_CTX_free(cctx); 800 801 return testresult; 802 } 803 804 static int test_no_ems(void) 805 { 806 SSL_CTX *cctx = NULL, *sctx = NULL; 807 SSL *clientssl = NULL, *serverssl = NULL; 808 int testresult = 0, status; 809 810 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), 811 TLS1_VERSION, TLS1_2_VERSION, 812 &sctx, &cctx, cert, privkey)) { 813 printf("Unable to create SSL_CTX pair\n"); 814 goto end; 815 } 816 817 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET); 818 819 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) { 820 printf("Unable to create SSL objects\n"); 821 goto end; 822 } 823 824 status = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE); 825 if (fips_ems_check) { 826 if (status == 1) { 827 printf("When FIPS uses the EMS check a connection that doesn't use EMS should fail\n"); 828 goto end; 829 } 830 } else { 831 if (!status) { 832 printf("Creating SSL connection 
failed\n"); 833 goto end; 834 } 835 if (SSL_get_extms_support(serverssl)) { 836 printf("Server reports Extended Master Secret support\n"); 837 goto end; 838 } 839 if (SSL_get_extms_support(clientssl)) { 840 printf("Client reports Extended Master Secret support\n"); 841 goto end; 842 } 843 } 844 testresult = 1; 845 846 end: 847 SSL_free(serverssl); 848 SSL_free(clientssl); 849 SSL_CTX_free(sctx); 850 SSL_CTX_free(cctx); 851 852 return testresult; 853 } 854 855 /* 856 * Very focused test to exercise a single case in the server-side state 857 * machine, when the ChangeCipherState message needs to actually change 858 * from one cipher to a different cipher (i.e., not changing from null 859 * encryption to real encryption). 860 */ 861 static int test_ccs_change_cipher(void) 862 { 863 SSL_CTX *cctx = NULL, *sctx = NULL; 864 SSL *clientssl = NULL, *serverssl = NULL; 865 SSL_SESSION *sess = NULL, *sesspre, *sesspost; 866 int testresult = 0; 867 int i; 868 unsigned char buf; 869 size_t readbytes; 870 871 /* 872 * Create a connection so we can resume and potentially (but not) use 873 * a different cipher in the second connection. 874 */ 875 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 876 TLS_client_method(), 877 TLS1_VERSION, TLS1_2_VERSION, 878 &sctx, &cctx, cert, privkey)) 879 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET)) 880 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 881 NULL, NULL)) 882 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256")) 883 || !TEST_true(create_ssl_connection(serverssl, clientssl, 884 SSL_ERROR_NONE)) 885 || !TEST_ptr(sesspre = SSL_get0_session(serverssl)) 886 || !TEST_ptr(sess = SSL_get1_session(clientssl))) 887 goto end; 888 889 shutdown_ssl_connection(serverssl, clientssl); 890 serverssl = clientssl = NULL; 891 892 /* Resume, preferring a different cipher. Our server will force the 893 * same cipher to be used as the initial handshake. 
*/ 894 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 895 NULL, NULL)) 896 || !TEST_true(SSL_set_session(clientssl, sess)) 897 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256")) 898 || !TEST_true(create_ssl_connection(serverssl, clientssl, 899 SSL_ERROR_NONE)) 900 || !TEST_true(SSL_session_reused(clientssl)) 901 || !TEST_true(SSL_session_reused(serverssl)) 902 || !TEST_ptr(sesspost = SSL_get0_session(serverssl)) 903 || !TEST_ptr_eq(sesspre, sesspost) 904 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 905 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl)))) 906 goto end; 907 shutdown_ssl_connection(serverssl, clientssl); 908 serverssl = clientssl = NULL; 909 910 /* 911 * Now create a fresh connection and try to renegotiate a different 912 * cipher on it. 913 */ 914 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 915 NULL, NULL)) 916 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256")) 917 || !TEST_true(create_ssl_connection(serverssl, clientssl, 918 SSL_ERROR_NONE)) 919 || !TEST_ptr(sesspre = SSL_get0_session(serverssl)) 920 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")) 921 || !TEST_true(SSL_renegotiate(clientssl)) 922 || !TEST_true(SSL_renegotiate_pending(clientssl))) 923 goto end; 924 /* Actually drive the renegotiation. */ 925 for (i = 0; i < 3; i++) { 926 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) { 927 if (!TEST_ulong_eq(readbytes, 0)) 928 goto end; 929 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0), 930 SSL_ERROR_WANT_READ)) { 931 goto end; 932 } 933 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) { 934 if (!TEST_ulong_eq(readbytes, 0)) 935 goto end; 936 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0), 937 SSL_ERROR_WANT_READ)) { 938 goto end; 939 } 940 } 941 /* sesspre and sesspost should be different since the cipher changed. 
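*/
    if (!TEST_false(SSL_renegotiate_pending(clientssl))
        || !TEST_false(SSL_session_reused(clientssl))
        || !TEST_false(SSL_session_reused(serverssl))
        || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
        || !TEST_ptr_ne(sesspre, sesspost)
        || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
            SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
        goto end;

    shutdown_ssl_connection(serverssl, clientssl);
    serverssl = clientssl = NULL;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    SSL_SESSION_free(sess);

    return testresult;
}
#endif

/*
 * Complete a handshake in which the server presents a large certificate
 * chain, then call SSL_clear() on the server object.
 *
 * smeth/cmeth select the server and client methods, min_version/max_version
 * are passed through to create_ssl_ctx_pair(), and a non-zero read_ahead
 * turns read-ahead on for the client context before the handshake.
 *
 * Returns 1 on success and 0 on failure.
 */
static int execute_test_large_message(const SSL_METHOD *smeth,
    const SSL_METHOD *cmeth,
    int min_version, int max_version,
    int read_ahead)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;

    if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
            max_version, &sctx, &cctx, cert,
            privkey)))
        goto end;

#ifdef OPENSSL_NO_DTLS1_2
    if (smeth == DTLS_server_method()) {
        /*
         * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
         * level 0
         *
         * The security level is lowered for this test connection only, so
         * that the legacy protocol version can still be exercised.
         */
        if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
            || !TEST_true(SSL_CTX_set_cipher_list(cctx,
                "DEFAULT:@SECLEVEL=0")))
            goto end;
    }
#endif

    if (read_ahead) {
        /*
         * Test that read_ahead works correctly when dealing with large
         * records
         */
        SSL_CTX_set_read_ahead(cctx, 1);
    }

    /* Helper defined elsewhere; presumably it loads the oversized chain */
    if (!ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
        goto end;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    /*
     * Calling SSL_clear() first is not required but this tests that SSL_clear()
     * doesn't leak.
     */
    if (!TEST_true(SSL_clear(serverssl)))
        goto end;

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}

#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
/*
 * Probe whether kTLS can be used on this platform.
 *
 * sock must be connected. Returns 1 if ktls_enable() succeeds on it and 0
 * otherwise; callers use a 0 result to skip their test.
 */
static int ktls_chk_platform(int sock)
{
    if (!ktls_enable(sock))
        return 0;
    return 1;
}

/*
 * Send a 16000 byte payload from client to server, echo it back, and check
 * both the payload and the record layer sequence numbers.
 *
 * The sequence numbers of all four record layers (client/server, read/write)
 * are snapshotted before and after the round trip. For a direction handled
 * by kTLS the OpenSSL-side sequence number must be unchanged; for a
 * direction handled in user space it must have changed.
 *
 * Returns 1 on success and 0 on failure.
 */
static int ping_pong_query(SSL *clientssl, SSL *serverssl)
{
    /* Changes the first payload byte on every call */
    static char count = 1;
    unsigned char cbuf[16000] = { 0 };
    unsigned char sbuf[16000];
    /*
     * SSL_read() returns an int that may be negative; keep it in an int so
     * the value handed to SSL_get_error() is the one that was returned.
     */
    int ret;
    char crec_wseq_before[SEQ_NUM_SIZE];
    char crec_wseq_after[SEQ_NUM_SIZE];
    char crec_rseq_before[SEQ_NUM_SIZE];
    char crec_rseq_after[SEQ_NUM_SIZE];
    char srec_wseq_before[SEQ_NUM_SIZE];
    char srec_wseq_after[SEQ_NUM_SIZE];
    char srec_rseq_before[SEQ_NUM_SIZE];
    char srec_rseq_after[SEQ_NUM_SIZE];
    SSL_CONNECTION *clientsc, *serversc;

    if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
        || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
        goto end;

    cbuf[0] = count++;
    memcpy(crec_wseq_before, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
    memcpy(srec_wseq_before, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
    memcpy(crec_rseq_before, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
    memcpy(srec_rseq_before, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);

    if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
        goto end;

    /* Only a retryable "want read" is tolerated while waiting for the data */
    while ((ret = SSL_read(serverssl, &sbuf, sizeof(sbuf)))
        != (int)sizeof(sbuf)) {
        if (!TEST_int_eq(SSL_get_error(serverssl, ret), SSL_ERROR_WANT_READ))
            goto end;
    }

    if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
        goto end;

    while ((ret = SSL_read(clientssl, &cbuf, sizeof(cbuf)))
        != (int)sizeof(cbuf)) {
        if (!TEST_int_eq(SSL_get_error(clientssl, ret), SSL_ERROR_WANT_READ))
            goto end;
    }

    memcpy(crec_wseq_after, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
    memcpy(srec_wseq_after, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
    memcpy(crec_rseq_after, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
    memcpy(srec_rseq_after, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);

    /* verify the payload */
    if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
        goto end;

    /*
     * If ktls is used then kernel sequences are used instead of
     * OpenSSL sequences
     */
    if (!BIO_get_ktls_send(clientsc->wbio)) {
        if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
                crec_wseq_after, SEQ_NUM_SIZE))
            goto end;
    } else {
        if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
                crec_wseq_after, SEQ_NUM_SIZE))
            goto end;
    }

    if (!BIO_get_ktls_send(serversc->wbio)) {
        if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
                srec_wseq_after, SEQ_NUM_SIZE))
            goto end;
    } else {
        if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
                srec_wseq_after, SEQ_NUM_SIZE))
            goto end;
    }

    /*
     * Receive offload is a property of the read BIO, so query rbio for the
     * read-side sequence checks (execute_test_ktls() queries rbio as well).
     */
    if (!BIO_get_ktls_recv(clientsc->rbio)) {
        if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
                crec_rseq_after, SEQ_NUM_SIZE))
            goto end;
    } else {
        if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
                crec_rseq_after, SEQ_NUM_SIZE))
            goto end;
    }

    if (!BIO_get_ktls_recv(serversc->rbio)) {
        if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
                srec_rseq_after, SEQ_NUM_SIZE))
            goto end;
    } else {
        if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
                srec_rseq_after, SEQ_NUM_SIZE))
            goto end;
    }

    return 1;
end:
    return 0;
}

static int execute_test_ktls(int cis_ktls, int sis_ktls,
    int tls_version, const char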
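*cipher)
{
    /*
     * Run a kTLS data-transfer test for one protocol version and cipher.
     *
     * cis_ktls / sis_ktls say whether SSL_OP_ENABLE_KTLS is set on the
     * client / server object. The test is skipped when the platform lacks
     * kTLS, when a CHACHA cipher is requested under FIPS, or when offload
     * was requested but is not active in any direction after the handshake.
     * Returns 1 on success (or skip) and 0 on failure.
     */
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int ktls_used = 0, testresult = 0;
    int cfd = -1, sfd = -1;
    int rx_supported;
    SSL_CONNECTION *clientsc, *serversc;
    unsigned char *buf = NULL;
    const size_t bufsz = SSL3_RT_MAX_PLAIN_LENGTH + 16;
    int ret;
    size_t offset = 0, i;

    if (!TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
        goto end;

    /* Skip this test if the platform does not support ktls */
    if (!ktls_chk_platform(cfd)) {
        testresult = TEST_skip("Kernel does not support KTLS");
        goto end;
    }

    if (is_fips && strstr(cipher, "CHACHA") != NULL) {
        testresult = TEST_skip("CHACHA is not supported in FIPS");
        goto end;
    }

    /* Create a session based on SHA-256 */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            tls_version, tls_version,
            &sctx, &cctx, cert, privkey)))
        goto end;

    /* TLS 1.3 ciphersuites and older cipher lists use different setters */
    if (tls_version == TLS1_3_VERSION) {
        if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
            || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
            goto end;
    } else {
        if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
            || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
            goto end;
    }

    if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
            &clientssl, sfd, cfd)))
        goto end;

    if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
        || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
        goto end;

    if (cis_ktls) {
        if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
            goto end;
    }

    if (sis_ktls) {
        if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
            goto end;
    }

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /*
     * The running kernel may not support a given cipher suite
     * or direction, so just check that KTLS isn't used when it
     * isn't enabled.
     */
    if (!cis_ktls) {
        if (!TEST_false(BIO_get_ktls_send(clientsc->wbio)))
            goto end;
    } else {
        if (BIO_get_ktls_send(clientsc->wbio))
            ktls_used = 1;
    }

    if (!sis_ktls) {
        if (!TEST_false(BIO_get_ktls_send(serversc->wbio)))
            goto end;
    } else {
        if (BIO_get_ktls_send(serversc->wbio))
            ktls_used = 1;
    }

#if defined(OPENSSL_NO_KTLS_RX)
    rx_supported = 0;
#else
    rx_supported = 1;
#endif
    /*
     * Receive direction: query the RX flag on the read BIO in both
     * branches, so that a connection with receive-only offload is still
     * counted as using kTLS instead of being skipped.
     */
    if (!cis_ktls || !rx_supported) {
        if (!TEST_false(BIO_get_ktls_recv(clientsc->rbio)))
            goto end;
    } else {
        if (BIO_get_ktls_recv(clientsc->rbio))
            ktls_used = 1;
    }

    if (!sis_ktls || !rx_supported) {
        if (!TEST_false(BIO_get_ktls_recv(serversc->rbio)))
            goto end;
    } else {
        if (BIO_get_ktls_recv(serversc->rbio))
            ktls_used = 1;
    }

    if ((cis_ktls || sis_ktls) && !ktls_used) {
        testresult = TEST_skip("KTLS not supported for %s cipher %s",
            tls_version == TLS1_3_VERSION ? "TLS 1.3" : "TLS 1.2", cipher);
        goto end;
    }

    if (!TEST_true(ping_pong_query(clientssl, serverssl)))
        goto end;

    buf = OPENSSL_zalloc(bufsz);
    if (!TEST_ptr(buf))
        goto end;

    /*
     * Write some data that exceeds the maximum record length. KTLS may choose
     * to coalesce this data into a single buffer when we read it again.
     */
    while ((ret = SSL_write(clientssl, buf, bufsz)) != (int)bufsz) {
        if (!TEST_true(SSL_get_error(clientssl, ret) == SSL_ERROR_WANT_WRITE))
            goto end;
    }

    /* Now check that we can read all the data we wrote */
    do {
        ret = SSL_read(serverssl, buf + offset, bufsz - offset);
        if (ret <= 0) {
            if (!TEST_true(SSL_get_error(serverssl, ret) == SSL_ERROR_WANT_READ))
                goto end;
        } else {
            offset += ret;
        }
    } while (offset < bufsz);

    if (!TEST_true(offset == bufsz))
        goto end;
    /* The payload written was all zeros, so every byte read must be zero */
    for (i = 0; i < bufsz; i++)
        if (!TEST_true(buf[i] == 0))
            goto end;

    testresult = 1;
end:
    OPENSSL_free(buf);
    if (clientssl) {
        SSL_shutdown(clientssl);
        SSL_free(clientssl);
    }
    if (serverssl) {
        SSL_shutdown(serverssl);
        SSL_free(serverssl);
    }
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    serverssl = clientssl = NULL;
    if (cfd != -1)
        close(cfd);
    if (sfd != -1)
        close(sfd);
    return testresult;
}

/* Total size of the file sent with SSL_sendfile() and the size of each call */
#define SENDFILE_SZ (16 * 4096)
#define SENDFILE_CHUNK (4 * 4096)
/* NOTE: evaluates its arguments more than once; pass side-effect free values */
#define min(a, b) ((a) > (b) ? (b) : (a))

/*
 * Send a file of random data from the server with SSL_sendfile() over a
 * kTLS connection and check that the client reads back the same bytes.
 *
 * tls_version and cipher select the connection parameters; a non-zero
 * zerocopy additionally sets SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE on the
 * server. The test is skipped when kTLS is unavailable or transmit offload
 * was not activated. Returns 1 on success (or skip) and 0 on failure.
 */
static int execute_test_ktls_sendfile(int tls_version, const char *cipher,
    int zerocopy)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    unsigned char *buf, *buf_dst;
    BIO *out = NULL, *in = NULL;
    int cfd = -1, sfd = -1, ffd, err;
    ssize_t chunk_size = 0;
    off_t chunk_off = 0;
    int testresult = 0;
    FILE *ffdp = NULL;
    SSL_CONNECTION *serversc;

    buf = OPENSSL_zalloc(SENDFILE_SZ);
    buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
    if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
        || !TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
        goto end;

    /* Skip this test if the platform does not support ktls */
    if (!ktls_chk_platform(sfd)) {
        testresult = TEST_skip("Kernel does not support KTLS");
        goto end;
    }

    if (is_fips && strstr(cipher, "CHACHA") != NULL) {
        testresult = TEST_skip("CHACHA is not supported in FIPS");
        goto end;
    }

    /* Create a session based on SHA-256 */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            tls_version, tls_version,
            &sctx, &cctx, cert, privkey)))
        goto end;

    if (tls_version == TLS1_3_VERSION) {
        if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
            || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
            goto end;
    } else {
        if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
            || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
            goto end;
    }

    if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
            &clientssl, sfd, cfd)))
        goto end;

    if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
        goto end;

    if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
        goto end;

    if (zerocopy) {
        if (!TEST_true(SSL_set_options(serverssl,
                SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE)))
            goto end;
    }

    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    /* The sending side must have transmit offload active for this test */
    if (!BIO_get_ktls_send(serversc->wbio)) {
        testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
            tls_version == TLS1_3_VERSION ? "TLS 1.3" : "TLS 1.2", cipher);
        goto end;
    }

    if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
        goto end;

    out = BIO_new_file(tmpfilename, "wb");
    if (!TEST_ptr(out))
        goto end;

    if (!TEST_int_eq(BIO_write(out, buf, SENDFILE_SZ), SENDFILE_SZ))
        goto end;

    BIO_free(out);
    out = NULL;

    /*
     * Reopen the file for reading and fetch its descriptor. Each step is
     * checked so that a failed open is reported here rather than passing a
     * NULL BIO or an unset FILE pointer on to fileno().
     */
    in = BIO_new_file(tmpfilename, "rb");
    if (!TEST_ptr(in)
        || !TEST_long_gt(BIO_get_fp(in, &ffdp), 0)
        || !TEST_ptr(ffdp))
        goto end;
    ffd = fileno(ffdp);
    if (!TEST_int_ge(ffd, 0))
        goto end;

    while (chunk_off < SENDFILE_SZ) {
        chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
        while ((err = SSL_sendfile(serverssl,
                    ffd,
                    chunk_off,
                    chunk_size,
                    0))
            != chunk_size) {
            if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
                goto end;
        }
        while ((err = SSL_read(clientssl,
                    buf_dst + chunk_off,
                    chunk_size))
            != chunk_size) {
            if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
                goto end;
        }

        /* verify the payload */
        if (!TEST_mem_eq(buf_dst + chunk_off,
                chunk_size,
                buf + chunk_off,
                chunk_size))
            goto end;

        chunk_off += chunk_size;
    }

    testresult = 1;
end:
    if (clientssl) {
        SSL_shutdown(clientssl);
        SSL_free(clientssl);
    }
    if (serverssl) {
        SSL_shutdown(serverssl);
        SSL_free(serverssl);
    }
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    serverssl = clientssl = NULL;
    BIO_free(out);
    BIO_free(in);
    if (cfd != -1)
        close(cfd);
    if (sfd != -1)
        close(sfd);
    OPENSSL_free(buf);
    OPENSSL_free(buf_dst);
    return testresult;
}

#ifndef OSSL_NO_USABLE_TLS1_3
/*
 * Test kTLS with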
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER: retry SSL_write() after
 * SSL_ERROR_WANT_WRITE using a different buffer pointer (same content) and
 * verify that the data arrives intact.
 *
 * The first buffer is overwritten and freed before the retry, so the retry
 * can only succeed with correct data if it does not depend on the pointer
 * passed to the first, failed call.
 *
 * Returns 1 on success (or skip) and 0 on failure.
 */
static int test_ktls_moving_write_buffer(void)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    BIO *bio_retry = NULL, *bio_orig = NULL;
    int testresult = 0, cfd = -1, sfd = -1;
    unsigned char *buf_orig = NULL, *buf_retry = NULL;
    unsigned char outbuf[1024];
    const size_t bufsz = sizeof(outbuf);
    size_t written, readbytes, totread = 0, i;

    /* kTLS requires real sockets */
    if (!TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
        goto end;

    /* Skip if the kernel does not support kTLS */
    if (!ktls_chk_platform(cfd)) {
        testresult = TEST_skip("Kernel does not support KTLS");
        goto end;
    }

    if (!TEST_true(create_ssl_ctx_pair(libctx,
            TLS_server_method(), TLS_client_method(),
            TLS1_3_VERSION, TLS1_3_VERSION,
            &sctx, &cctx, cert, privkey)))
        goto end;

    if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_128_GCM_SHA256"))
        || !TEST_true(SSL_CTX_set_ciphersuites(sctx, "TLS_AES_128_GCM_SHA256")))
        goto end;

    if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
            &clientssl, sfd, cfd)))
        goto end;

    /* Enable kTLS on the writing side (client) */
    if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
        goto end;

    SSL_set_mode(clientssl, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
    SSL_set_mode(clientssl, SSL_MODE_ENABLE_PARTIAL_WRITE);

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /* Get a reference to the original BIO to replace it later. */
    bio_orig = SSL_get_wbio(clientssl);
    if (!TEST_ptr(bio_orig) || !TEST_true(BIO_up_ref(bio_orig))) {
        /* No reference was taken, so the cleanup path must not free it */
        bio_orig = NULL;
        goto end;
    }

    /* Skip if kTLS TX was not activated for this cipher */
    if (!BIO_get_ktls_send(bio_orig)) {
        testresult = TEST_skip("kTLS send not supported");
        goto end;
    }

    /* Swap write BIO to force WANT_WRITE */
    bio_retry = BIO_new(bio_s_always_retry());
    if (!TEST_ptr(bio_retry))
        goto end;

    SSL_set0_wbio(clientssl, bio_retry);
    bio_retry = NULL; /* ownership transferred to clientssl */

    /* Allocate two buffers with identical content but different addresses */
    buf_orig = OPENSSL_malloc(bufsz);
    buf_retry = OPENSSL_malloc(bufsz);
    if (!TEST_ptr(buf_orig) || !TEST_ptr(buf_retry))
        goto end;

    for (i = 0; i < bufsz; i++)
        buf_orig[i] = buf_retry[i] = (unsigned char)(i & 0xff);

    /* First write attempt - will fail with WANT_WRITE */
    if (!TEST_false(SSL_write_ex(clientssl, buf_orig, bufsz, &written))
        || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_WRITE))
        goto end;

    /* Restore the real socket BIO so the retry can actually send data */
    SSL_set0_wbio(clientssl, bio_orig);
    /* The extra reference taken above now belongs to clientssl */
    bio_orig = NULL;

    /* Poison and free the original buffer */
    memset(buf_orig, 0xDE, bufsz);
    OPENSSL_free(buf_orig);
    buf_orig = NULL;

    /* Retry with a different buffer pointer */
    if (!TEST_true(SSL_write_ex(clientssl, buf_retry, bufsz, &written)))
        goto end;

    /* Read the data on the server side */
    totread = 0;
    while (totread < bufsz) {
        if (!SSL_read_ex(serverssl, outbuf + totread, bufsz - totread,
                &readbytes)) {
            if (!TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_READ))
                goto end;
        } else {
            totread += readbytes;
        }
    }

    /* Verify data integrity */
    if (!TEST_mem_eq(buf_retry, bufsz, outbuf, totread))
        goto end;

    testresult = 1;
end:
    OPENSSL_free(buf_orig);
    OPENSSL_free(buf_retry);
    if (clientssl != NULL) {
        SSL_shutdown(clientssl);
        SSL_free(clientssl);
    }
    if (serverssl != NULL) {
        SSL_shutdown(serverssl);
        SSL_free(serverssl);
    }
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    /* Non-NULL only if we still hold the reference taken with BIO_up_ref() */
    BIO_free_all(bio_orig);
    if (cfd != -1)
        close(cfd);
    if (sfd != -1)
        close(sfd);
    return testresult;
}
#endif /* !defined(OSSL_NO_USABLE_TLS1_3) */

/*
 * Protocol version / cipher pairs exercised by the kTLS tests. An entry is
 * only compiled in when the matching OPENSSL_KTLS_* macro and protocol
 * version are available, so the table may be shorter on some builds.
 */
static struct ktls_test_cipher {
    int tls_version;
    const char *cipher;
} ktls_test_ciphers[] = {
#if !defined(OPENSSL_NO_TLS1_2)
#ifdef OPENSSL_KTLS_AES_GCM_128
    { TLS1_2_VERSION, "AES128-GCM-SHA256" },
#endif
#ifdef OPENSSL_KTLS_AES_CCM_128
    { TLS1_2_VERSION, "AES128-CCM" },
#endif
#ifdef OPENSSL_KTLS_AES_GCM_256
    { TLS1_2_VERSION, "AES256-GCM-SHA384" },
#endif
#ifdef OPENSSL_KTLS_CHACHA20_POLY1305
#ifndef OPENSSL_NO_EC
    { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305" },
#endif
#endif
#endif
#if !defined(OSSL_NO_USABLE_TLS1_3)
#ifdef OPENSSL_KTLS_AES_GCM_128
    { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
#endif
#ifdef OPENSSL_KTLS_AES_CCM_128
    { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
#endif
#ifdef OPENSSL_KTLS_AES_GCM_256
    { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
#endif
#ifdef OPENSSL_KTLS_CHACHA20_POLY1305
    { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
#endif
#endif
};

#define NUM_KTLS_TEST_CIPHERS OSSL_NELEM(ktls_test_ciphers)

/*
 * Indexed kTLS test entry point: test / 4 selects the table entry, bit 0 of
 * test enables kTLS on the client and bit 1 enables it on the server.
 */
static int test_ktls(int test)
{
    struct ktls_test_cipher *cipher;
    int cis_ktls, sis_ktls;

    /* Guard the table lookup against an out-of-range test index */
    OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
    cipher = &ktls_test_ciphers[test / 4];

    cis_ktls = (test & 1) != 0;
    sis_ktls = (test & 2) != 0;

    return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
        cipher->cipher);
}

/*
 * Indexed sendfile test entry point: test >> 1 selects the table entry and
 * bit 0 of test is passed on as the zerocopy flag.
 */
static int test_ktls_sendfile(int test)
{
    struct ktls_test_cipher *cipher;
    int tst = test >> 1;

    /* Guard the table lookup against an out-of-range test index */
    OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
    cipher = &ktls_test_ciphers[tst];

    return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher,
        test & 1);
}
#endif

/* Large message test over TLS with read-ahead off */
static int test_large_message_tls(void)
{
    return execute_test_large_message(TLS_server_method(), TLS_client_method(),
        TLS1_VERSION, 0, 0);
}

/* Large message test over TLS with read-ahead on for the client context */
static int test_large_message_tls_read_ahead(void)
{
    return execute_test_large_message(TLS_server_method(), TLS_client_method(),
        TLS1_VERSION, 0, 1);
}

#ifndef OPENSSL_NO_DTLS
/* Large message test over DTLS */
static int test_large_message_dtls(void)
{
#ifdef OPENSSL_NO_DTLS1_2
    /* Not supported in the FIPS provider */
    if (is_fips)
        return 1;
#endif
    /*
     * read_ahead is not relevant to DTLS because DTLS always acts as if
     * read_ahead is set.
     */
    return execute_test_large_message(DTLS_server_method(),
        DTLS_client_method(),
        DTLS1_VERSION, 0, 0);
}
#endif

/*
 * Test we can successfully send the maximum amount of application data. We
 * test each protocol version individually, each with and without EtM enabled.
 * TLSv1.3 doesn't use EtM so technically it is redundant to test both but it is
 * simpler this way. We also test all combinations with and without the
 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option which affects the size of the
 * underlying buffer.
*/
static int test_large_app_data(int tst)
{
    /*
     * tst >> 2 selects the protocol version, bit 0 of tst sets
     * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS and bit 1 sets
     * SSL_OP_NO_ENCRYPT_THEN_MAC, in both cases on client and server.
     * Returns 1 on success (or skip) and 0 on failure.
     */
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0, prot;
    unsigned char *msg, *buf = NULL;
    size_t written, readbytes;
    const SSL_METHOD *smeth = TLS_server_method();
    const SSL_METHOD *cmeth = TLS_client_method();

    /* A protocol version compiled out of this build is skipped, not failed */
    switch (tst >> 2) {
    case 0:
#ifndef OSSL_NO_USABLE_TLS1_3
        prot = TLS1_3_VERSION;
        break;
#else
        return TEST_skip("TLS 1.3 not supported");
#endif

    case 1:
#ifndef OPENSSL_NO_TLS1_2
        prot = TLS1_2_VERSION;
        break;
#else
        return TEST_skip("TLS 1.2 not supported");
#endif

    case 2:
#ifndef OPENSSL_NO_TLS1_1
        prot = TLS1_1_VERSION;
        break;
#else
        return TEST_skip("TLS 1.1 not supported");
#endif

    case 3:
#ifndef OPENSSL_NO_TLS1
        prot = TLS1_VERSION;
        break;
#else
        return TEST_skip("TLS 1 not supported");
#endif

    case 4:
#ifndef OPENSSL_NO_SSL3
        prot = SSL3_VERSION;
        break;
#else
        return TEST_skip("SSL 3 not supported");
#endif

    case 5:
#ifndef OPENSSL_NO_DTLS1_2
        prot = DTLS1_2_VERSION;
        smeth = DTLS_server_method();
        cmeth = DTLS_client_method();
        break;
#else
        return TEST_skip("DTLS 1.2 not supported");
#endif

    case 6:
#ifndef OPENSSL_NO_DTLS1
        if (is_fips)
            return TEST_skip("DTLS 1 not supported by FIPS provider");
        prot = DTLS1_VERSION;
        smeth = DTLS_server_method();
        cmeth = DTLS_client_method();
        break;
#else
        return TEST_skip("DTLS 1 not supported");
#endif

    default:
        /* Shouldn't happen */
        return 0;
    }

    if (is_fips && prot < TLS1_2_VERSION)
        return TEST_skip("TLS versions < 1.2 not supported by FIPS provider");

    /* Maximal sized message of zeros */
    msg = OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH);
    if (!TEST_ptr(msg))
        goto end;

    buf = OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH + 1);
    if (!TEST_ptr(buf))
        goto end;
    /* Set whole buffer to all bits set */
    memset(buf, 0xff, SSL3_RT_MAX_PLAIN_LENGTH + 1);

    if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, prot, prot,
            &sctx, &cctx, cert, privkey)))
        goto end;

    if (prot < TLS1_2_VERSION || prot == DTLS1_VERSION) {
        /*
         * Older protocol versions need SECLEVEL=0 due to SHA1 usage
         *
         * The level is lowered on these test contexts only, so the legacy
         * versions can still be exercised.
         */
        if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0"))
            || !TEST_true(SSL_CTX_set_cipher_list(sctx,
                "DEFAULT:@SECLEVEL=0")))
            goto end;
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
            &clientssl, NULL, NULL)))
        goto end;

    if ((tst & 1) != 0) {
        /* Setting this option gives us a minimally sized underlying buffer */
        if (!TEST_true(SSL_set_options(serverssl,
                SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
            || !TEST_true(SSL_set_options(clientssl,
                SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)))
            goto end;
    }

    if ((tst & 2) != 0) {
        /*
         * Setting this option means the MAC is added before encryption
         * giving us a larger record for the encryption process
         */
        if (!TEST_true(SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC))
            || !TEST_true(SSL_set_options(clientssl,
                SSL_OP_NO_ENCRYPT_THEN_MAC)))
            goto end;
    }

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    if (!TEST_true(SSL_write_ex(clientssl, msg, SSL3_RT_MAX_PLAIN_LENGTH,
            &written))
        || !TEST_size_t_eq(written, SSL3_RT_MAX_PLAIN_LENGTH))
        goto end;

    /* We provide a buffer slightly larger than what we are actually expecting */
    if (!TEST_true(SSL_read_ex(serverssl, buf, SSL3_RT_MAX_PLAIN_LENGTH + 1,
            &readbytes)))
        goto end;

    /*
     * Compares lengths as well as content, so a read that returned more or
     * fewer bytes than were written fails here.
     */
    if (!TEST_mem_eq(msg, written, buf, readbytes))
        goto end;

    testresult = 1;
end:
    OPENSSL_free(msg);
    OPENSSL_free(buf);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}

#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) \
    || !defined(OPENSSL_NO_DTLS)
/*
 * Check that SSL_OP_CLEANSE_PLAINTEXT zeroes the record layer's copy of the
 * plaintext once the application has read it.
 *
 * The server peeks at the data, remembers where the plaintext sits inside
 * the record, reads the data for real and then inspects that same memory.
 * This reaches into record layer internals on purpose: the option's effect
 * is not observable through the public API.
 *
 * Returns 1 on success and 0 on failure.
 */
static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
    const SSL_METHOD *cmeth,
    int min_version, int max_version)
{
    size_t i;
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    /* Points into the server's record buffer; never owned by this test */
    const unsigned char *zbuf;
    SSL_CONNECTION *serversc;
    TLS_RECORD *rr;

    static unsigned char cbuf[16000];
    static unsigned char sbuf[16000];

    if (!TEST_true(create_ssl_ctx_pair(libctx,
            smeth, cmeth,
            min_version, max_version,
            &sctx, &cctx, cert,
            privkey)))
        goto end;

#ifdef OPENSSL_NO_DTLS1_2
    if (smeth == DTLS_server_method()) {
        /* Not supported in the FIPS provider */
        if (is_fips) {
            testresult = 1;
            goto end;
        };
        /*
         * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
         * level 0
         */
        if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
            || !TEST_true(SSL_CTX_set_cipher_list(cctx,
                "DEFAULT:@SECLEVEL=0")))
            goto end;
    }
#endif

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;

    /* Only the reading side (server) has the option under test set */
    if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    /* Non-zero pattern, so that a cleansed buffer is distinguishable */
    for (i = 0; i < sizeof(cbuf); i++) {
        cbuf[i] = i & 0xff;
    }

    if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
        goto end;

    if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
        goto end;

    if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
        goto end;

    /*
     * Since we called SSL_peek(), we know the data in the record
     * layer is a plaintext record. We can gather the pointer to check
     * for zeroization after SSL_read().
     */
    if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
        goto end;
    rr = serversc->rlayer.tlsrecs;

    zbuf = &rr->data[rr->off];
    if (!TEST_int_eq(rr->length, sizeof(cbuf)))
        goto end;

    /*
     * After SSL_peek() the plaintext must still be stored in the
     * record.
     */
    if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
        goto end;

    memset(sbuf, 0, sizeof(sbuf));
    if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
        goto end;

    if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
        goto end;

    /* Check if rbuf is cleansed */
    /* cbuf is reused as the all-zero reference for the comparison */
    memset(cbuf, 0, sizeof(cbuf));
    if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
        goto end;

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
#endif /* \
        * !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) \
        * || !defined(OPENSSL_NO_DTLS) \
        */

/*
 * Run the plaintext cleansing check for each protocol family that this
 * build supports. Returns 1 if every run passes and 0 at the first failure.
 */
static int test_cleanse_plaintext(void)
{
#if !defined(OPENSSL_NO_TLS1_2)
    if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
            TLS_client_method(),
            TLS1_2_VERSION,
            TLS1_2_VERSION)))
        return 0;

#endif

#if !defined(OSSL_NO_USABLE_TLS1_3)
    if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
            TLS_client_method(),
            TLS1_3_VERSION,
            TLS1_3_VERSION)))
        return 0;
#endif

#if !defined(OPENSSL_NO_DTLS)

    if
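(!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
            DTLS_client_method(),
            DTLS1_VERSION,
            0)))
        return 0;
#endif
    return 1;
}

#ifndef OPENSSL_NO_OCSP
/*
 * Server-side status (OCSP stapling) callback used by
 * test_tlsext_status_type().
 *
 * |arg| points at an int selecting the behaviour:
 *   1 - staple the dummy response unconditionally
 *   2 - additionally require that the client sent exactly one OCSP_RESPID
 *       and that it matches |ocspcert|
 *   anything else - fail the handshake with a fatal alert
 *
 * On success ownership of the duplicated response passes to |s| and
 * |ocsp_server_called| is set.
 */
static int ocsp_server_cb(SSL *s, void *arg)
{
    int *argi = (int *)arg;
    unsigned char *copy = NULL;
    STACK_OF(OCSP_RESPID) *ids = NULL;
    OCSP_RESPID *id = NULL;

    if (*argi == 2) {
        /* In this test we are expecting exactly 1 OCSP_RESPID */
        SSL_get_tlsext_status_ids(s, &ids);
        if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
            return SSL_TLSEXT_ERR_ALERT_FATAL;

        id = sk_OCSP_RESPID_value(ids, 0);
        if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
            return SSL_TLSEXT_ERR_ALERT_FATAL;
    } else if (*argi != 1) {
        return SSL_TLSEXT_ERR_ALERT_FATAL;
    }

    if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
        return SSL_TLSEXT_ERR_ALERT_FATAL;

    if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
            sizeof(orespder)))) {
        /* The SSL object did not take ownership, so release our copy */
        OPENSSL_free(copy);
        return SSL_TLSEXT_ERR_ALERT_FATAL;
    }
    ocsp_server_called = 1;
    return SSL_TLSEXT_ERR_OK;
}

/*
 * Client-side status callback: checks that the stapled response received
 * from the peer is byte-for-byte the dummy response |orespder|.
 *
 * Returns 1 (and sets |ocsp_client_called|) when the response matches,
 * 0 otherwise.
 */
static int ocsp_client_cb(SSL *s, void *arg)
{
    int *argi = (int *)arg;
    const unsigned char *respderin = NULL;
    long len;

    if (*argi != 1 && *argi != 2)
        return 0;

    /*
     * The received length comes from the peer. Compare it against the size
     * of the expected response rather than reusing it for both buffers:
     * otherwise a missing response (negative return), a truncated one or an
     * oversized one would either read past the end of |orespder| or be
     * accepted as a match on a prefix.
     */
    len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
    if (!TEST_long_ge(len, 0)
        || !TEST_mem_eq(orespder, sizeof(orespder), respderin, (size_t)len))
        return 0;

    ocsp_client_called = 1;
    return 1;
}

/*
 * Exercises the status_request (OCSP stapling) extension:
 *   - getters/setters for the status type on SSL_CTX and SSL objects
 *   - a handshake where both callbacks run and the response is exchanged
 *   - a handshake that must fail because the server callback rejects it
 *   - a handshake where the client supplies an OCSP_RESPID the server
 *     callback accepts
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_tlsext_status_type(void)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    STACK_OF(OCSP_RESPID) *ids = NULL;
    OCSP_RESPID *id = NULL;
    BIO *certbio = NULL;

    if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
            TLS1_VERSION, 0,
            &sctx, &cctx, cert, privkey))
        return 0;

    if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
        goto end;

    /* First just do various checks getting and setting tlsext_status_type */

    clientssl = SSL_new(cctx);
    if (!TEST_ptr(clientssl))
        goto end;
    if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
        || !TEST_true(SSL_set_tlsext_status_type(clientssl,
            TLSEXT_STATUSTYPE_ocsp))
        || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
            TLSEXT_STATUSTYPE_ocsp))
        goto end;

    SSL_free(clientssl);
    clientssl = NULL;

    if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
        || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
        goto end;

    /* An SSL created from the context must inherit the status type */
    clientssl = SSL_new(cctx);
    if (!TEST_ptr(clientssl))
        goto end;
    if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
        goto end;
    SSL_free(clientssl);
    clientssl = NULL;

    /*
     * Now actually do a handshake and check OCSP information is exchanged and
     * the callbacks get called
     */
    SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
    SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
    SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
    SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
            &clientssl, NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE))
        || !TEST_true(ocsp_client_called)
        || !TEST_true(ocsp_server_called))
        goto end;
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = NULL;
    clientssl = NULL;

    /* Try again but this time force the server side callback to fail */
    ocsp_client_called = 0;
    ocsp_server_called = 0;
    cdummyarg = 0;
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
            &clientssl, NULL, NULL))
        /* This should fail because the callback will fail */
        || !TEST_false(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE))
        || !TEST_false(ocsp_client_called)
        || !TEST_false(ocsp_server_called))
        goto end;
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = NULL;
    clientssl = NULL;

    /*
     * This time we'll get the client to send an OCSP_RESPID that it will
     * accept.
     */
    ocsp_client_called = 0;
    ocsp_server_called = 0;
    cdummyarg = 2;
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
            &clientssl, NULL, NULL)))
        goto end;

    /*
     * We'll just use any old cert for this test - it doesn't have to be an OCSP
     * specific one. We'll use the server cert.
     */
    if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
        || !TEST_ptr(id = OCSP_RESPID_new())
        || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
        || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
        || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
        || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
        || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
        goto end;
    /* |id| is now owned by the stack, so it must not be freed separately */
    id = NULL;
    SSL_set_tlsext_status_ids(clientssl, ids);
    /* Control has been transferred */
    ids = NULL;

    BIO_free(certbio);
    certbio = NULL;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE))
        || !TEST_true(ocsp_client_called)
        || !TEST_true(ocsp_server_called))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
    OCSP_RESPID_free(id);
    BIO_free(certbio);
    X509_free(ocspcert);
    /* |ocspcert| is file-scope; clear it so later tests see no stale pointer */
    ocspcert = NULL;

    return testresult;
}
#endif

#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
/* Counters bumped by the session cache callbacks below */
static int new_called, remove_called, get_called;

static int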
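new_session_cb(SSL *ssl, SSL_SESSION *sess)
{
    /* New-session callback: only counts invocations in |new_called| */
    new_called++;
    /*
     * sess has been up-refed for us, but we don't actually need it so free it
     * immediately.
     */
    SSL_SESSION_free(sess);
    return 1;
}

/* Remove-session callback: only counts invocations in |remove_called| */
static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
{
    remove_called++;
}

/* Session handed back by get_session_cb(); not owned by this pointer */
static SSL_SESSION *get_sess_val = NULL;

/*
 * External cache lookup callback: counts invocations in |get_called| and
 * returns |get_sess_val|. *copy is set to 1, asking the library to take its
 * own reference on the returned session.
 */
static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
    int *copy)
{
    get_called++;
    *copy = 1;
    return get_sess_val;
}

/*
 * Core session cache test.
 *
 * maxprot:       protocol version both ends are pinned to
 * use_int_cache: non-zero to use the internal session cache
 * use_ext_cache: non-zero to install the external cache callbacks
 * s_options:     extra SSL_CTX options applied to the server context
 *
 * Client-side caching is tested first, then server-side caching, and finally
 * eviction from a cache limited to a single entry.
 *
 * Returns 1 on success, 0 on failure.
 */
static int execute_test_session(int maxprot, int use_int_cache,
    int use_ext_cache, long s_options)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl1 = NULL, *clientssl1 = NULL;
    SSL *serverssl2 = NULL, *clientssl2 = NULL;
#ifndef OPENSSL_NO_TLS1_1
    SSL *serverssl3 = NULL, *clientssl3 = NULL;
#endif
    SSL_SESSION *sess1 = NULL, *sess2 = NULL;
    int testresult = 0, numnewsesstick = 1;

    new_called = remove_called = 0;

    /* TLSv1.3 sends 2 NewSessionTickets */
    if (maxprot == TLS1_3_VERSION)
        numnewsesstick = 2;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_VERSION, 0,
            &sctx, &cctx, cert, privkey)))
        return 0;

    /*
     * Only allow the max protocol version so we can force a connection failure
     * later
     */
    SSL_CTX_set_min_proto_version(cctx, maxprot);
    SSL_CTX_set_max_proto_version(cctx, maxprot);

    /* Set up session cache */
    if (use_ext_cache) {
        SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
        SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
    }
    if (use_int_cache) {
        /* Also covers instance where both are set */
        SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
    } else {
        SSL_CTX_set_session_cache_mode(cctx,
            SSL_SESS_CACHE_CLIENT
                | SSL_SESS_CACHE_NO_INTERNAL_STORE);
    }

    if (s_options) {
        SSL_CTX_set_options(sctx, s_options);
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
            NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
            SSL_ERROR_NONE))
        || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
        goto end;

    /* Should fail because it should already be in the cache */
    if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
        goto end;
    if (use_ext_cache
        && (!TEST_int_eq(new_called, numnewsesstick)
            || !TEST_int_eq(remove_called, 0)))
        goto end;

    new_called = remove_called = 0;
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
            &clientssl2, NULL, NULL))
        || !TEST_true(SSL_set_session(clientssl2, sess1))
        || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
            SSL_ERROR_NONE))
        || !TEST_true(SSL_session_reused(clientssl2)))
        goto end;

    if (maxprot == TLS1_3_VERSION) {
        /*
         * In TLSv1.3 we should have created a new session even though we have
         * resumed. Since we attempted a resume we should also have removed the
         * old ticket from the cache so that we try to only use tickets once.
         */
        if (use_ext_cache
            && (!TEST_int_eq(new_called, 1)
                || !TEST_int_eq(remove_called, 1)))
            goto end;
    } else {
        /*
         * In TLSv1.2 we expect to have resumed so no sessions added or
         * removed.
         */
        if (use_ext_cache
            && (!TEST_int_eq(new_called, 0)
                || !TEST_int_eq(remove_called, 0)))
            goto end;
    }

    SSL_SESSION_free(sess1);
    if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
        goto end;
    shutdown_ssl_connection(serverssl2, clientssl2);
    serverssl2 = clientssl2 = NULL;

    new_called = remove_called = 0;
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
            &clientssl2, NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
            SSL_ERROR_NONE)))
        goto end;

    if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
        goto end;

    if (use_ext_cache
        && (!TEST_int_eq(new_called, numnewsesstick)
            || !TEST_int_eq(remove_called, 0)))
        goto end;

    new_called = remove_called = 0;
    /*
     * This should clear sess2 from the cache because it is a "bad" session.
     * See SSL_set_session() documentation.
     */
    if (!TEST_true(SSL_set_session(clientssl2, sess1)))
        goto end;
    if (use_ext_cache
        && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
        goto end;
    if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
        goto end;

    if (use_int_cache) {
        /* Should succeed because it should not already be in the cache */
        if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
            || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
            goto end;
    }

    new_called = remove_called = 0;
    /* This shouldn't be in the cache so should fail */
    if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
        goto end;

    if (use_ext_cache
        && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
        goto end;

#if !defined(OPENSSL_NO_TLS1_1)
    new_called = remove_called = 0;
    /* Force a connection failure */
    SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
            &clientssl3, NULL, NULL))
        || !TEST_true(SSL_set_session(clientssl3, sess1))
        /* This should fail because of the mismatched protocol versions */
        || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
            SSL_ERROR_NONE)))
        goto end;

    /* We should have automatically removed the session from the cache */
    if (use_ext_cache
        && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
        goto end;

    /* Should succeed because it should not already be in the cache */
    if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
        goto end;
#endif

    /* Now do some tests for server side caching */
    if (use_ext_cache) {
        SSL_CTX_sess_set_new_cb(cctx, NULL);
        SSL_CTX_sess_set_remove_cb(cctx, NULL);
        SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
        SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
        SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
        get_sess_val = NULL;
    }

    SSL_CTX_set_session_cache_mode(cctx, 0);
    /* Internal caching is the default on the server side */
    if (!use_int_cache)
        SSL_CTX_set_session_cache_mode(sctx,
            SSL_SESS_CACHE_SERVER
                | SSL_SESS_CACHE_NO_INTERNAL_STORE);

    SSL_free(serverssl1);
    SSL_free(clientssl1);
    serverssl1 = clientssl1 = NULL;
    SSL_free(serverssl2);
    SSL_free(clientssl2);
    serverssl2 = clientssl2 = NULL;
    SSL_SESSION_free(sess1);
    sess1 = NULL;
    SSL_SESSION_free(sess2);
    sess2 = NULL;

    SSL_CTX_set_max_proto_version(sctx, maxprot);
    if (maxprot == TLS1_2_VERSION)
        SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
    new_called = remove_called = get_called = 0;
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
            NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
            SSL_ERROR_NONE))
        || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
        || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
        goto end;

    if (use_int_cache) {
        if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
            /*
             * In TLSv1.3 it should not have been added to the internal cache,
             * except in the case where we also have an external cache (in that
             * case it gets added to the cache in order to generate remove
             * events after timeout).
             */
            if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
                goto end;
        } else {
            /* Should fail because it should already be in the cache */
            if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
                goto end;
        }
    }

    if (use_ext_cache) {
        SSL_SESSION *tmp = sess2;

        if (!TEST_int_eq(new_called, numnewsesstick)
            || !TEST_int_eq(remove_called, 0)
            || !TEST_int_eq(get_called, 0))
            goto end;
        /*
         * Delete the session from the internal cache to force a lookup from
         * the external cache. We take a copy first because
         * SSL_CTX_remove_session() also marks the session as non-resumable.
         */
        if (use_int_cache && maxprot != TLS1_3_VERSION) {
            if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2)))
                goto end;
            if (!TEST_true(sess2->owner != NULL)
                || !TEST_true(tmp->owner == NULL)
                || !TEST_true(SSL_CTX_remove_session(sctx, sess2))) {
                /* sess2 is released at "end"; the duplicate is ours to free */
                SSL_SESSION_free(tmp);
                goto end;
            }
            SSL_SESSION_free(sess2);
        }
        sess2 = tmp;
    }

    new_called = remove_called = get_called = 0;
    get_sess_val = sess2;
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
            &clientssl2, NULL, NULL))
        || !TEST_true(SSL_set_session(clientssl2, sess1))
        || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
            SSL_ERROR_NONE))
        || !TEST_true(SSL_session_reused(clientssl2)))
        goto end;

    if (use_ext_cache) {
        if (!TEST_int_eq(remove_called, 0))
            goto end;

        if (maxprot == TLS1_3_VERSION) {
            if (!TEST_int_eq(new_called, 1)
                || !TEST_int_eq(get_called, 0))
                goto end;
        } else {
            if (!TEST_int_eq(new_called, 0)
                || !TEST_int_eq(get_called, 1))
                goto end;
        }
    }
    /*
     * Make a small cache, force out all other sessions but
     * sess2, try to add sess1, which should succeed. Then
     * make sure it's there by checking the owners. Despite
     * the timeouts, sess1 should have kicked out sess2
     */

    /* Make sess1 expire before sess2 */
    if (!TEST_time_t_gt(SSL_SESSION_set_time_ex(sess1, 1000), 0)
        || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0)
        || !TEST_time_t_gt(SSL_SESSION_set_time_ex(sess2, 2000), 0)
        || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0))
        goto end;

    if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0))
        goto end;

    /* Don't care about results - cache should only be sess2 at end */
    SSL_CTX_add_session(sctx, sess1);
    SSL_CTX_add_session(sctx, sess2);

    /* Now add sess1, and make sure it remains, despite timeout */
    if (!TEST_true(SSL_CTX_add_session(sctx, sess1))
        || !TEST_ptr(sess1->owner)
        || !TEST_ptr_null(sess2->owner))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl1);
    SSL_free(clientssl1);
    SSL_free(serverssl2);
    SSL_free(clientssl2);
#ifndef OPENSSL_NO_TLS1_1
    SSL_free(serverssl3);
    SSL_free(clientssl3);
#endif
    SSL_SESSION_free(sess1);
    SSL_SESSION_free(sess2);
    /* Do not leave the file-scope lookup result pointing at a freed session */
    get_sess_val = NULL;
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */

/* Session cache test using only the internal cache, per enabled protocol */
static int test_session_with_only_int_cache(void)
{
#ifndef OSSL_NO_USABLE_TLS1_3
    if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
        return 0;
#endif

#ifndef OPENSSL_NO_TLS1_2
    return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
#else
    return 1;
#endif
}

/* Session cache test using only the external cache, per enabled protocol */
static int test_session_with_only_ext_cache(void)
{
#ifndef OSSL_NO_USABLE_TLS1_3
    if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
        return 0;
#endif

#ifndef OPENSSL_NO_TLS1_2
    return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
#else
    return 1;
#endif
}

static int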
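test_session_with_both_cache(void)
{
    /* Session cache test with internal and external caches both enabled */
#ifndef OSSL_NO_USABLE_TLS1_3
    if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
        return 0;
#endif

#ifndef OPENSSL_NO_TLS1_2
    return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
#else
    return 1;
#endif
}

/*
 * Internal-cache session test with SSL_OP_DISABLE_TLSEXT_CA_NAMES set on the
 * server context.
 */
static int test_session_wo_ca_names(void)
{
#ifndef OSSL_NO_USABLE_TLS1_3
    if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
        return 0;
#endif

#ifndef OPENSSL_NO_TLS1_2
    return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
#else
    return 1;
#endif
}

#ifndef OSSL_NO_USABLE_TLS1_3
/* Sessions captured by new_cachesession_cb(), indexed by |new_called| */
static SSL_SESSION *sesscache[6];
/* Non-zero: store new sessions in |sesscache|; zero: only count them */
static int do_cache;

/*
 * New-session callback for the ticket tests. Stores the session in
 * sesscache[new_called] when caching is enabled, otherwise drops the
 * reference; |new_called| is incremented either way.
 */
static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
{
    /*
     * The number of tickets is decided by the peer, so never index past the
     * end of the fixed-size cache. An excess session is released instead;
     * new_called still advances so the caller's count check reports it.
     */
    if (do_cache
        && new_called >= 0
        && (size_t)new_called < OSSL_NELEM(sesscache)) {
        sesscache[new_called] = sess;
    } else {
        /* We don't need the reference to the session, so free it */
        SSL_SESSION_free(sess);
    }
    new_called++;

    return 1;
}

/*
 * Runs a post-handshake client authentication initiated by the server
 * |sssl| against the client |cssl|. Returns 1 on success, 0 on failure.
 */
static int post_handshake_verify(SSL *sssl, SSL *cssl)
{
    SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
    if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
        return 0;

    /* Start handshake on the server and client */
    if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
        || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
        || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
        || !TEST_true(create_ssl_connection(sssl, cssl,
            SSL_ERROR_NONE)))
        return 0;

    return 1;
}

/*
 * Creates a server/client SSL_CTX pair for the ticket tests.
 *
 * stateful: non-zero sets SSL_OP_NO_TICKET on the server context
 * idx:      number of tickets the server is configured to issue
 *
 * The client context is set to client caching without the internal store
 * and reports new sessions through new_cachesession_cb().
 * Returns 1 on success, 0 on failure.
 */
static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
    SSL_CTX **cctx)
{
    int sess_id_ctx = 1;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_VERSION, 0,
            sctx, cctx, cert, privkey))
        || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
        || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
            (void *)&sess_id_ctx,
            sizeof(sess_id_ctx))))
        return 0;

    if (stateful)
        SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);

    SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL_STORE);
    SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);

    return 1;
}

/*
 * Attempts a resumption with each of the first idx * 2 entries of
 * |sesscache|, freeing each entry after use.
 *
 * succ: non-zero if the resumptions are expected to succeed.
 *
 * Returns 1 on success, 0 on failure.
 */
static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
{
    SSL *serverssl = NULL, *clientssl = NULL;
    int i;

    /* The loop below indexes sesscache[0 .. idx * 2 - 1] */
    if (!TEST_int_ge(idx, 0)
        || !TEST_size_t_le((size_t)idx * 2, OSSL_NELEM(sesscache)))
        return 0;

    /* Test that we can resume with all the tickets we got given */
    for (i = 0; i < idx * 2; i++) {
        new_called = 0;
        if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                &clientssl, NULL, NULL))
            || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
            goto end;

        SSL_set_post_handshake_auth(clientssl, 1);

        if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                SSL_ERROR_NONE)))
            goto end;

        /*
         * Following a successful resumption we only get 1 ticket. After a
         * failed one we should get idx tickets.
         */
        if (succ) {
            if (!TEST_true(SSL_session_reused(clientssl))
                || !TEST_int_eq(new_called, 1))
                goto end;
        } else {
            if (!TEST_false(SSL_session_reused(clientssl))
                || !TEST_int_eq(new_called, idx))
                goto end;
        }

        new_called = 0;
        /* After a post-handshake authentication we should get 1 new ticket */
        if (succ
            && (!post_handshake_verify(serverssl, clientssl)
                || !TEST_int_eq(new_called, 1)))
            goto end;

        SSL_shutdown(clientssl);
        SSL_shutdown(serverssl);
        SSL_free(serverssl);
        SSL_free(clientssl);
        serverssl = clientssl = NULL;
        SSL_SESSION_free(sesscache[i]);
        sesscache[i] = NULL;
    }

    return 1;

end:
    SSL_free(clientssl);
    SSL_free(serverssl);
    return 0;
}

/*
 * Ticket issuance and resumption test.
 *
 * stateful: non-zero to use stateful tickets (SSL_OP_NO_TICKET on server)
 * idx:      test number, also the number of tickets requested
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_tickets(int stateful, int idx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    int testresult = 0;
    size_t j;

    /* idx is the test number, but also the number of tickets we want */

    new_called = 0;
    do_cache = 1;

    if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
        goto end;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
            &clientssl, NULL, NULL)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE))
        /* Check we got the number of tickets we were expecting */
        || !TEST_int_eq(idx, new_called))
        goto end;

    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    clientssl = serverssl = NULL;
    sctx = cctx = NULL;

    /*
     * Now we try to resume with the tickets we previously created. The
     * resumption attempt is expected to fail (because we're now using a new
     * SSL_CTX). We should see idx number of tickets issued again.
     */

    /* Stop caching sessions - just count them */
    do_cache = 0;

    if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
        goto end;

    if (!check_resumption(idx, sctx, cctx, 0))
        goto end;

    /* Start again with caching sessions */
    new_called = 0;
    do_cache = 1;
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    sctx = cctx = NULL;

    if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
        goto end;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
            &clientssl, NULL, NULL)))
        goto end;

    SSL_set_post_handshake_auth(clientssl, 1);

    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE))
        /* Check we got the number of tickets we were expecting */
        || !TEST_int_eq(idx, new_called))
        goto end;

    /* After a post-handshake authentication we should get new tickets issued */
    if (!post_handshake_verify(serverssl, clientssl)
        || !TEST_int_eq(idx * 2, new_called))
        goto end;

    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    /* Stop caching sessions - just count them */
    do_cache = 0;

    /*
     * Check we can resume with all the tickets we created. This time around the
     * resumptions should all be successful.
     */
    if (!check_resumption(idx, sctx, cctx, 1))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    /* Release whatever is still cached, including after an early failure */
    for (j = 0; j < OSSL_NELEM(sesscache); j++) {
        SSL_SESSION_free(sesscache[j]);
        sesscache[j] = NULL;
    }
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}

/* Ticket test with stateless tickets; idx is the ticket count */
static int test_stateless_tickets(int idx)
{
    return test_tickets(0, idx);
}

/* Ticket test with stateful tickets; idx is the ticket count */
static int test_stateful_tickets(int idx)
{
    return test_tickets(1, idx);
}

/*
 * Checks that a handshake using an external PSK results in exactly one new
 * session ticket on the client. Returns 1 on success, 0 on failure.
 */
static int test_psk_tickets(void)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    int testresult = 0;
    int sess_id_ctx = 1;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_VERSION, 0,
            &sctx, &cctx, NULL, NULL))
        || !TEST_true(SSL_CTX_set_session_id_context(sctx,
            (void *)&sess_id_ctx,
            sizeof(sess_id_ctx))))
        goto end;

    SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL_STORE);
    SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
    SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
    SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
    use_session_cb_cnt = 0;
    find_session_cb_cnt = 0;
    srvid = pskid;
    new_called = 0;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;
    clientpsk = create_a_psk(clientssl, SHA384_DIGEST_LENGTH);
    /*
     * Both pointers are freed at "end", so serverpsk may only alias the
     * session once the second reference has actually been taken; otherwise a
     * failed up-ref would lead to the single reference being freed twice.
     */
    serverpsk = NULL;
    if (!TEST_ptr(clientpsk) || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
        goto end;
    serverpsk = clientpsk;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE))
        || !TEST_int_eq(1, find_session_cb_cnt)
        || !TEST_int_eq(1, use_session_cb_cnt)
        /* We should always get 1 ticket when using external PSK */
        || !TEST_int_eq(1, new_called))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    SSL_SESSION_free(clientpsk);
    SSL_SESSION_free(serverpsk);
    clientpsk = serverpsk = NULL;

    return testresult;
}

/*
 * Tests SSL_new_session_ticket(): extra tickets requested by the server are
 * only sent at a record boundary, driven by a write or SSL_do_handshake().
 *
 * idx: 0..2 selects the ticket count with stateless tickets; 3 and above
 *      selects ticket count idx - 3 with stateful tickets.
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_extra_tickets(int idx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    BIO *bretry = BIO_new(bio_s_always_retry());
    BIO *tmp = NULL;
    int testresult = 0;
    int stateful = 0;
    size_t nbytes;
    unsigned char c, buf[1];

    new_called = 0;
    do_cache = 1;

    if (idx >= 3) {
        idx -= 3;
        stateful = 1;
    }

    if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
        goto end;
    SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
    /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
    SSL_CTX_sess_set_new_cb(cctx, new_session_cb);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
            &clientssl, NULL, NULL)))
        goto end;

    /*
     * Note that we have new_session_cb on both sctx and cctx, so new_called is
     * incremented by both client and server.
     */
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE))
        /* Check we got the number of tickets we were expecting */
        || !TEST_int_eq(idx * 2, new_called)
        || !TEST_true(SSL_new_session_ticket(serverssl))
        || !TEST_true(SSL_new_session_ticket(serverssl))
        || !TEST_int_eq(idx * 2, new_called))
        goto end;

    /* Now try a (real) write to actually send the tickets */
    c = '1';
    if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
        || !TEST_size_t_eq(1, nbytes)
        || !TEST_int_eq(idx * 2 + 2, new_called)
        || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
        || !TEST_int_eq(idx * 2 + 4, new_called)
        || !TEST_int_eq(sizeof(buf), nbytes)
        || !TEST_int_eq(c, buf[0])
        || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
        goto end;

    /* Try with only requesting one new ticket, too */
    c = '2';
    new_called = 0;
    if (!TEST_true(SSL_new_session_ticket(serverssl))
        || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
        || !TEST_size_t_eq(sizeof(c), nbytes)
        || !TEST_int_eq(1, new_called)
        || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
        || !TEST_int_eq(2, new_called)
        || !TEST_size_t_eq(sizeof(buf), nbytes)
        || !TEST_int_eq(c, buf[0]))
        goto end;

    /* Do it again but use dummy writes to drive the ticket generation */
    c = '3';
    new_called = 0;
    if (!TEST_true(SSL_new_session_ticket(serverssl))
        || !TEST_true(SSL_new_session_ticket(serverssl))
        || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
        || !TEST_size_t_eq(0, nbytes)
        || !TEST_int_eq(2, new_called)
        || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
        || !TEST_int_eq(4, new_called))
        goto end;

    /* Once more, but with SSL_do_handshake() to drive the ticket generation */
    c = '4';
    new_called = 0;
    if (!TEST_true(SSL_new_session_ticket(serverssl))
        || !TEST_true(SSL_new_session_ticket(serverssl))
        || !TEST_true(SSL_do_handshake(serverssl))
        || !TEST_int_eq(2, new_called)
        || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
        || !TEST_int_eq(4, new_called))
        goto end;

    /*
     * Use the always-retry BIO to exercise the logic that forces ticket
     * generation to wait until a record boundary.
     */
    c = '5';
    new_called = 0;
    tmp = SSL_get_wbio(serverssl);
    if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
        /* No reference of our own was taken, so "end" must not free it */
        tmp = NULL;
        goto end;
    }
    SSL_set0_wbio(serverssl, bretry);
    /* Ownership of bretry has passed to serverssl */
    bretry = NULL;
    if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
        || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
        || !TEST_size_t_eq(nbytes, 0))
        goto end;
    /* Restore a BIO that will let the write succeed */
    SSL_set0_wbio(serverssl, tmp);
    tmp = NULL;
    /*
     * These calls should just queue the request and not send anything
     * even if we explicitly try to hit the state machine.
     */
    if (!TEST_true(SSL_new_session_ticket(serverssl))
        || !TEST_true(SSL_new_session_ticket(serverssl))
        || !TEST_int_eq(0, new_called)
        || !TEST_true(SSL_do_handshake(serverssl))
        || !TEST_int_eq(0, new_called))
        goto end;
    /* Re-do the write; still no tickets sent */
    if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
        || !TEST_size_t_eq(1, nbytes)
        || !TEST_int_eq(0, new_called)
        || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
        || !TEST_int_eq(0, new_called)
        || !TEST_int_eq(sizeof(buf), nbytes)
        || !TEST_int_eq(c, buf[0])
        || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
        goto end;
    /* Even trying to hit the state machine now will still not send tickets */
    if (!TEST_true(SSL_do_handshake(serverssl))
        || !TEST_int_eq(0, new_called))
        goto end;
    /* Now the *next* write should send the tickets */
    c = '6';
    if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
        || !TEST_size_t_eq(1, nbytes)
        || !TEST_int_eq(2, new_called)
        || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
        || !TEST_int_eq(4, new_called)
        || !TEST_int_eq(sizeof(buf), nbytes)
        || !TEST_int_eq(c, buf[0])
        || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
        goto end;

    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    testresult = 1;

end:
    BIO_free(bretry);
    BIO_free(tmp);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    clientssl = serverssl = NULL;
    sctx = cctx = NULL;
    return testresult;
}
#endif

/* Which BIO setupbio() selects for a given slot */
#define USE_NULL 0
#define USE_BIO_1 1
#define USE_BIO_2 2
#define USE_DEFAULT 3

/* Connection state established before the second SSL_set_bio() call */
#define CONNTYPE_CONNECTION_SUCCESS 0
#define CONNTYPE_CONNECTION_FAIL 1
#define CONNTYPE_NO_CONNECTION 2

#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)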
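#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
#define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
#else
#define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
#endif

/* Parenthesised so the sum expands safely inside any larger expression */
#define TOTAL_SSL_SET_BIO_TESTS               \
    (TOTAL_NO_CONN_SSL_SET_BIO_TESTS          \
        + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
        + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS)

/*
 * Stores in *res the BIO selected by |type|: NULL for USE_NULL, |bio1| for
 * USE_BIO_1, |bio2| for USE_BIO_2. Any other value selects no BIO.
 */
static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
{
    switch (type) {
    case USE_NULL:
        *res = NULL;
        break;
    case USE_BIO_1:
        *res = bio1;
        break;
    case USE_BIO_2:
        *res = bio2;
        break;
    default:
        /* e.g. USE_DEFAULT: never hand back an indeterminate pointer */
        *res = NULL;
        break;
    }
}

/*
 * Tests calls to SSL_set_bio() under various conditions.
 *
 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
 * then do more tests where we create a successful connection first using our
 * standard connection setup functions, and then call SSL_set_bio() with
 * various combinations of valid BIOs or NULL. We then repeat these tests
 * following a failed connection. In this last case we are looking to check that
 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
 */
static int test_ssl_set_bio(int idx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    BIO *bio1 = NULL;
    BIO *bio2 = NULL;
    BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    int initrbio, initwbio, newrbio, newwbio, conntype;
    int testresult = 0;

    /* Decode idx into the BIO choice for each slot and the connection type */
    if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
        initrbio = idx % 3;
        idx /= 3;
        initwbio = idx % 3;
        idx /= 3;
        newrbio = idx % 3;
        idx /= 3;
        newwbio = idx % 3;
        conntype = CONNTYPE_NO_CONNECTION;
    } else {
        idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
        initrbio = initwbio = USE_DEFAULT;
        newrbio = idx % 2;
        idx /= 2;
        newwbio = idx % 2;
        idx /= 2;
        conntype = idx % 2;
    }

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_VERSION, 0,
            &sctx, &cctx, cert, privkey)))
        goto end;

    if (conntype == CONNTYPE_CONNECTION_FAIL) {
        /*
         * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
         * because we reduced the number of tests in the definition of
         * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
         * mismatched protocol versions we will force a connection failure.
         */
        SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
        SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;

    if (initrbio == USE_BIO_1
        || initwbio == USE_BIO_1
        || newrbio == USE_BIO_1
        || newwbio == USE_BIO_1) {
        if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
            goto end;
    }

    if (initrbio == USE_BIO_2
        || initwbio == USE_BIO_2
        || newrbio == USE_BIO_2
        || newwbio == USE_BIO_2) {
        if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
            goto end;
    }

    if (initrbio != USE_DEFAULT) {
        setupbio(&irbio, bio1, bio2, initrbio);
        setupbio(&iwbio, bio1, bio2, initwbio);
        SSL_set_bio(clientssl, irbio, iwbio);

        /*
         * We want to maintain our own refs to these BIO, so do an up ref for
         * each BIO that will have ownership transferred in the SSL_set_bio()
         * call
         */
        if (irbio != NULL && !BIO_up_ref(irbio))
            goto end;
        if (iwbio != NULL && iwbio != irbio && !BIO_up_ref(iwbio)) {
            BIO_free(irbio);
            goto end;
        }
    }

    if (conntype != CONNTYPE_NO_CONNECTION
        && !TEST_true(create_ssl_connection(serverssl, clientssl,
                          SSL_ERROR_NONE)
            == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
        goto end;

    setupbio(&nrbio, bio1, bio2, newrbio);
    setupbio(&nwbio, bio1, bio2, newwbio);

    /*
     * We will (maybe) transfer ownership again so do more up refs.
     * SSL_set_bio() has some really complicated ownership rules where BIOs have
     * already been set!
     */
    if (nrbio != NULL
        && nrbio != irbio
        && (nwbio != iwbio || nrbio != nwbio))
        if (!TEST_true(BIO_up_ref(nrbio)))
            goto end;
    if (nwbio != NULL
        && nwbio != nrbio
        && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
        if (!TEST_true(BIO_up_ref(nwbio))) {
            /* Undo the reference taken on nrbio just above, if one was */
            if (nrbio != irbio
                && (nwbio != iwbio || nrbio != nwbio))
                BIO_free(nrbio);
            goto end;
        }

    SSL_set_bio(clientssl, nrbio, nwbio);

    testresult = 1;

end:
    BIO_free(bio1);
    BIO_free(bio2);

    /*
     * This test is checking that the ref counting for SSL_set_bio is correct.
     * If we get here and we did too many frees then we will fail in the above
     * functions.
     */
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}

/* Which of the SSL object's BIOs execute_test_ssl_bio() replaces, if any */
typedef enum { NO_BIO_CHANGE,
    CHANGE_RBIO,
    CHANGE_WBIO } bio_change_t;

/*
 * Builds an SSL filter BIO chained onto a memory BIO, optionally replaces the
 * SSL object's read or write BIO directly, then pops one end of the chain
 * and frees everything.
 *
 * pop_ssl:    non-zero pops the SSL BIO, zero pops the memory BIO
 * change_bio: which BIO of the SSL object to replace, if any
 *
 * Returns 1 on success, 0 on failure.
 */
static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
{
    BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
    SSL_CTX *ctx;
    SSL *ssl = NULL;
    int testresult = 0;

    if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
        || !TEST_ptr(ssl = SSL_new(ctx))
        || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
        || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
        goto end;

    BIO_set_ssl(sslbio, ssl, BIO_CLOSE);

    /*
     * If anything goes wrong here then we could leak memory.
     */
    BIO_push(sslbio, membio1);

    /* Verify changing the rbio/wbio directly does not cause leaks */
    if (change_bio != NO_BIO_CHANGE) {
        if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
            /* sslbio was set with BIO_CLOSE, so "end" must not free ssl too */
            ssl = NULL;
            goto end;
        }
        if (change_bio == CHANGE_RBIO)
            SSL_set0_rbio(ssl, membio2);
        else
            SSL_set0_wbio(ssl, membio2);
    }
    ssl = NULL;

    if (pop_ssl)
        BIO_pop(sslbio);
    else
        BIO_pop(membio1);

    testresult = 1;
end:
    BIO_free(membio1);
    BIO_free(sslbio);
    SSL_free(ssl);
    SSL_CTX_free(ctx);

    return testresult;
}

/* Pop the memory BIO from the chain, no BIO replaced */
static int test_ssl_bio_pop_next_bio(void)
{
    return execute_test_ssl_bio(0, NO_BIO_CHANGE);
}

/* Pop the SSL BIO from the chain, no BIO replaced */
static int test_ssl_bio_pop_ssl_bio(void)
{
    return execute_test_ssl_bio(1, NO_BIO_CHANGE);
}

/* Replace the SSL object's read BIO, then pop the memory BIO */
static int test_ssl_bio_change_rbio(void)
{
    return execute_test_ssl_bio(0, CHANGE_RBIO);
}

/* Replace the SSL object's write BIO, then pop the memory BIO */
static int test_ssl_bio_change_wbio(void)
{
    return execute_test_ssl_bio(0, CHANGE_WBIO);
}

/*
 * Regression for GH #30458: tls_set1_bio() must BIO_free_all the old chain
 * when the write BIO is replaced, not only the top BIO.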
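*/
static int test_ssl_set_wbio_chain_no_leak(void)
{
    SSL_CTX *ctx = NULL;
    SSL *ssl = NULL;
    BIO *bio = NULL, *filter = NULL, *chain1 = NULL;
    int testresult = 0;

    if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method())))
        goto end;
    if (!TEST_ptr(ssl = SSL_new(ctx)))
        goto end;

    /* Build a two element chain: nbio test filter on top of a memory BIO */
    if (!TEST_ptr(filter = BIO_new(BIO_f_nbio_test())))
        goto end;
    if (!TEST_ptr(bio = BIO_new(BIO_s_mem()))) {
        BIO_free(filter);
        filter = NULL;
        goto end;
    }
    if (!TEST_ptr(chain1 = BIO_push(filter, bio))) {
        BIO_free_all(filter);
        filter = bio = NULL;
        goto end;
    }
    /* Both BIOs are now reachable through chain1 only */
    filter = bio = NULL;

    /* Hand the chain to the SSL object, then replace it with nothing */
    SSL_set0_wbio(ssl, chain1);
    chain1 = NULL;
    SSL_set0_wbio(ssl, NULL);

    testresult = 1;

end:
    BIO_free(filter);
    BIO_free(bio);
    BIO_free(chain1);
    SSL_free(ssl);
    SSL_CTX_free(ctx);

    return testresult;
}

#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
typedef struct {
    /* The list of sig algs */
    const int *list;
    /* The length of the list */
    size_t listlen;
    /* A sigalgs list in string format */
    const char *liststr;
    /* Whether setting the list should succeed */
    int valid;
    /* Whether creating a connection with the list should succeed */
    int connsuccess;
} sigalgs_list;

static const int validlist1[] = { NID_sha256, EVP_PKEY_RSA };
#ifndef OPENSSL_NO_EC
static const int validlist2[] = { NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC };
static const int validlist3[] = { NID_sha512, EVP_PKEY_EC };
#endif
static const int invalidlist1[] = { NID_undef, EVP_PKEY_RSA };
static const int invalidlist2[] = { NID_sha256, NID_undef };
static const int invalidlist3[] = { NID_sha256, EVP_PKEY_RSA, NID_sha256 };
static const int invalidlist4[] = { NID_sha256 };
/* Each entry uses either the int list or the string form, never both */
static const sigalgs_list testsigalgs[] = {
    { validlist1, OSSL_NELEM(validlist1), NULL, 1, 1 },
#ifndef OPENSSL_NO_EC
    { validlist2, OSSL_NELEM(validlist2), NULL, 1, 1 },
    { validlist3, OSSL_NELEM(validlist3), NULL, 1, 0 },
#endif
    { NULL, 0, "RSA+SHA256", 1, 1 },
    { NULL, 0, "RSA+SHA256:?Invalid", 1, 1 },
#ifndef OPENSSL_NO_EC
    { NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1 },
    { NULL, 0, "ECDSA+SHA512", 1, 0 },
#endif
    { invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0 },
    { invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0 },
    { invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0 },
    { invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0 },
    { NULL, 0, "RSA", 0, 0 },
    { NULL, 0, "SHA256", 0, 0 },
    { NULL, 0, "RSA+SHA256:SHA256", 0, 0 },
    { NULL, 0, "Invalid", 0, 0 }
};

/*
 * Apply one testsigalgs[] entry and check that the setter succeeds or fails
 * as the entry says, and that a connection capped at TLSv1.2 on the client
 * succeeds or fails as the entry says.
 * idx in [0, NELEM): the entry is set on the client SSL_CTX.
 * idx in [NELEM, 2 * NELEM): entry idx - NELEM is set on the client SSL.
 * Returns 1 on success and 0 on failure.
 */
static int test_set_sigalgs(int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    const sigalgs_list *curr;
    int testctx;

    /*
     * Should never happen. The bound is strict: idx == 2 * NELEM would
     * index one element past the end of testsigalgs[] below. A negative idx
     * becomes a huge size_t and is rejected as well.
     */
    if (!TEST_size_t_lt((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
        return 0;

    testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
    curr = testctx ? &testsigalgs[idx]
                   : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), TLS1_VERSION, 0,
                                       &sctx, &cctx, cert, privkey)))
        return 0;

    SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);

    if (testctx) {
        int ret;

        if (curr->list != NULL)
            ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
        else
            ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);

        if (!ret) {
            /* A rejected list is the expected outcome for invalid entries */
            if (curr->valid)
                TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
            else
                testresult = 1;
            goto end;
        }
        if (!curr->valid) {
            TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
            goto end;
        }
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                      &clientssl, NULL, NULL)))
        goto end;

    if (!testctx) {
        int ret;

        if (curr->list != NULL)
            ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
        else
            ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
        if (!ret) {
            if (curr->valid)
                TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
            else
                testresult = 1;
            goto end;
        }
        /* An invalid list that was accepted is a failure */
        if (!curr->valid)
            goto end;
    }

    if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
                                           SSL_ERROR_NONE),
                     curr->connsuccess))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
#endif

#ifndef OSSL_NO_USABLE_TLS1_3
/* Call counters for the PSK client and server callbacks below */
static int psk_client_cb_cnt = 0;
static int psk_server_cb_cnt = 0;

/*
 * PSK use-session callback for the client. Checks the md argument against the
 * call number, then hands out a new reference to clientpsk together with
 * pskid as the identity. Returns 1 on success and 0 on failure.
 */
static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
                          size_t *idlen, SSL_SESSION **sess)
{
    switch (++use_session_cb_cnt) {
    case 1:
        /* The first call should always have a NULL md */
        if (md != NULL)
            return 0;
        break;

    case 2:
        /* The second call should always have an md */
        if (md == NULL)
            return 0;
        break;

    default:
        /* We should only be called a maximum of twice */
        return 0;
    }

    /* The caller receives its own reference; clientpsk may be NULL */
    if (clientpsk != NULL && !SSL_SESSION_up_ref(clientpsk))
        return 0;

    *sess = clientpsk;
    *id = (const unsigned char *)pskid;
    *idlen = strlen(pskid);

    return 1;
}

#ifndef OPENSSL_NO_PSK
/*
 * PSK client callback: copies pskid into id and the master key of clientpsk
 * into psk. Returns the PSK length, or 0 on failure.
 */
static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
                                  unsigned int max_id_len,
                                  unsigned char *psk,
                                  unsigned int max_psk_len)
{
    unsigned int psklen = 0;

    psk_client_cb_cnt++;

    /* The identity plus its NUL terminator must fit in the id buffer */
    if (strlen(pskid) + 1 > max_id_len)
        return 0;

    /* We should only ever be called a maximum of twice per connection */
    if (psk_client_cb_cnt > 2)
        return 0;

    if (clientpsk == NULL)
        return 0;

    /* We'll reuse the PSK we set up for TLSv1.3 */
    if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
        return 0;
    psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
    /* The length check above guarantees that the copy is NUL terminated */
    strncpy(id, pskid, max_id_len);

    return psklen;
}
#endif /* OPENSSL_NO_PSK */

/*
 * PSK find-session callback for the server. Hands out a new reference to
 * serverpsk when the presented identity equals srvid. A non-matching identity
 * is not an error: *sess is set to NULL and 1 is returned so that the
 * handshake continues without a PSK. Returns 0 on failure.
 */
static int find_session_cb(SSL *ssl, const unsigned char *identity,
                           size_t identity_len, SSL_SESSION **sess)
{
    find_session_cb_cnt++;

    /* We should only ever be called a maximum of twice per connection */
    if (find_session_cb_cnt > 2)
        return 0;

    if (serverpsk == NULL)
        return 0;

    /*
     * Identity should match that set by the client. identity comes with an
     * explicit length, so the lengths are compared before the bytes.
     */
    if (strlen(srvid) != identity_len
        || strncmp(srvid, (const char *)identity, identity_len) != 0) {
        /* No PSK found, continue but without a PSK */
        *sess = NULL;
        return 1;
    }

    if (!SSL_SESSION_up_ref(serverpsk))
        return 0;

    *sess = serverpsk;

    return 1;
}

#ifndef OPENSSL_NO_PSK
/*
 * PSK server callback: copies the master key of serverpsk into psk when the
 * identity equals srvid. Returns the PSK length, or 0 on failure.
 */
static unsigned int psk_server_cb(SSL *ssl, const char *identity,
                                  unsigned char *psk, unsigned int max_psk_len)
{
    unsigned int psklen = 0;

    psk_server_cb_cnt++;

    /*
     * We should only ever be called a maximum of twice per connection
     *
     * NOTE(review): the counter incremented above is psk_server_cb_cnt but
     * the limit is checked on find_session_cb_cnt; psk_client_cb() checks its
     * own counter. Looks like a copy and paste slip - confirm against the
     * tests that reset these counters before changing it.
     */
    if (find_session_cb_cnt > 2)
        return 0;

    if (serverpsk == NULL)
        return 0;

    /* Identity should match that set by the client */
    if (strcmp(srvid, identity) != 0) {
        return 0;
    }

    /* We'll reuse the PSK we set up for TLSv1.3 */
    if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
        return 0;
    psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);

    return psklen;
}
#endif /* OPENSSL_NO_PSK */

/* Payloads exchanged by the early data tests */
#define MSG1 "Hello"
#define MSG2 "World."
#define MSG3 "This"
#define MSG4 "is"
#define MSG5 "a"
#define MSG6 "test"
#define MSG7 "message."

/* Number of upcoming tickets that ed_gen_cb() should age artificially */
static int artificial_ticket_time = 0;

/*
 * Move the session's timestamp 10 seconds into the past.
 * Returns 1 if the new time was set, 0 otherwise.
 */
static int sub_session_time(SSL_SESSION *sess)
{
    OSSL_TIME tick_time;

    tick_time = ossl_time_from_time_t(SSL_SESSION_get_time_ex(sess));
    tick_time = ossl_time_subtract(tick_time, ossl_seconds2time(10));

    return SSL_SESSION_set_time_ex(sess, ossl_time_to_time_t(tick_time)) != 0;
}

/*
 * Session ticket generation callback: ages the session of s while
 * artificial_ticket_time is non-zero, counting it down once per call.
 * Returns 0 if s has no session or the time could not be set, 1 otherwise.
 */
static int ed_gen_cb(SSL *s, void *arg)
{
    SSL_SESSION *sess = SSL_get0_session(s);

    if (sess == NULL)
        return 0;

    /*
     * Artificially give the ticket some age. Just do it for the number of
     * tickets we've been told to do.
     */
    if (artificial_ticket_time == 0)
        return 1;
    artificial_ticket_time--;

    return sub_session_time(sess);
}

/*
 * Helper method to setup objects for early data test. Caller frees objects on
 * error.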
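*/
static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
                                SSL **serverssl, SSL_SESSION **sess, int idx,
                                size_t mdsize)
{
    /*
     * idx == 0: standard setup; idx == 1: read_ahead and SNI; idx == 2: PSK.
     * The contexts are created here only when *sctx is NULL. When sess is
     * NULL (and idx != 2) only the SSL objects are created. Otherwise *sess
     * receives a reference to a session taken from a completed connection,
     * or to the PSK when idx == 2, and fresh SSL objects are returned.
     * mdsize is passed to create_a_psk() for the PSK case.
     */
    int artificial = (artificial_ticket_time > 0);

    if (*sctx == NULL
        && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                          TLS_client_method(),
                                          TLS1_VERSION, 0,
                                          sctx, cctx, cert, privkey)))
        return 0;

    if (artificial)
        SSL_CTX_set_session_ticket_cb(*sctx, ed_gen_cb, NULL, NULL);

    if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
        return 0;

    if (idx == 1) {
        /* When idx == 1 we repeat the tests with read_ahead set */
        SSL_CTX_set_read_ahead(*cctx, 1);
        SSL_CTX_set_read_ahead(*sctx, 1);
    } else if (idx == 2) {
        /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
        SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
        SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
        use_session_cb_cnt = 0;
        find_session_cb_cnt = 0;
        srvid = pskid;
    }

    if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
                                      NULL, NULL)))
        return 0;

    /*
     * For one of the run throughs (doesn't matter which one), we'll try sending
     * some SNI data in the initial ClientHello. This will be ignored (because
     * there is no SNI cb set up by the server), so it should not impact
     * early_data.
     */
    if (idx == 1
        && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
        return 0;

    if (idx == 2) {
        clientpsk = create_a_psk(*clientssl, mdsize);
        if (!TEST_ptr(clientpsk)
            /*
             * We just choose an arbitrary value for max_early_data which
             * should be big enough for testing purposes.
             */
            || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
                                                         0x100))
            || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
            SSL_SESSION_free(clientpsk);
            clientpsk = NULL;
            return 0;
        }
        /* The up ref above is the reference held through serverpsk */
        serverpsk = clientpsk;

        if (sess != NULL) {
            /* A third reference for the caller's *sess */
            if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
                SSL_SESSION_free(clientpsk);
                SSL_SESSION_free(serverpsk);
                clientpsk = serverpsk = NULL;
                return 0;
            }
            *sess = clientpsk;
        }
        return 1;
    }

    if (sess == NULL)
        return 1;

    /* Complete a full handshake to obtain a resumable session */
    if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
                                         SSL_ERROR_NONE)))
        return 0;

    *sess = SSL_get1_session(*clientssl);
    SSL_shutdown(*clientssl);
    SSL_shutdown(*serverssl);
    SSL_free(*serverssl);
    SSL_free(*clientssl);
    *serverssl = *clientssl = NULL;

    /*
     * Artificially give the ticket some age to match the artificial age we
     * gave it on the server side
     */
    if (artificial
        && !TEST_true(sub_session_time(*sess)))
        return 0;

    if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
                                      clientssl, NULL, NULL))
        || !TEST_true(SSL_set_session(*clientssl, *sess)))
        return 0;

    return 1;
}

/*
 * Decide whether a failed early data read may be ignored because too much
 * time passed since timer was taken. Returns the result of TEST_skip() when
 * at least 7 seconds have elapsed and 0 otherwise.
 */
static int check_early_data_timeout(OSSL_TIME timer)
{
    int res = 0;

    /*
     * Early data is time sensitive. We have an approx 8 second allowance
     * between writing the early data and reading it. If we exceed that time
     * then this test will fail. This can sometimes (rarely) occur in normal CI
     * operation. We can try and detect this and just ignore the result of this
     * test if it has taken too long. We assume anything over 7 seconds is too
     * long
     */
    timer = ossl_time_subtract(ossl_time_now(), timer);
    if (ossl_time_compare(timer, ossl_seconds2time(7)) >= 0)
        res = TEST_skip("Test took too long, ignoring result");

    return res;
}

/*
 * Exercise reading and writing of early data interleaved with normal data,
 * including a delay between EndOfEarlyData and ClientFinished, and then repeat
 * a simpler exchange on a resumed session.
 * idx is passed to setupearly_data_test(). Returns 1 on success, 0 on failure.
 */
static int test_early_data_read_write(int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    SSL_SESSION *sess = NULL;
    unsigned char buf[20], data[1024];
    size_t readbytes, written, eoedlen, rawread, rawwritten;
    BIO *rbio;
    OSSL_TIME timer;

    /* Artificially give the next 2 tickets some age for non PSK sessions */
    if (idx != 2)
        artificial_ticket_time = 2;
    if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
                                        &serverssl, &sess, idx,
                                        SHA384_DIGEST_LENGTH))) {
        artificial_ticket_time = 0;
        goto end;
    }
    artificial_ticket_time = 0;

    /* Write and read some early data */
    timer = ossl_time_now();
    if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
                                        &written))
        || !TEST_size_t_eq(written, strlen(MSG1)))
        goto end;

    if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                                         &readbytes),
                     SSL_READ_EARLY_DATA_SUCCESS)) {
        testresult = check_early_data_timeout(timer);
        goto end;
    }

    /* Each pointer is paired with its own length, as in the checks below */
    if (!TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
        || !TEST_int_eq(SSL_get_early_data_status(serverssl),
                        SSL_EARLY_DATA_ACCEPTED))
        goto end;

    /*
     * Server should be able to write data, and client should be able to
     * read it.
     */
    if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
                                        &written))
        || !TEST_size_t_eq(written, strlen(MSG2))
        || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
        || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
        goto end;

    /*
     * Even after reading normal data, client should be able to write early
     * data
     */
    if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
                                        &written))
        || !TEST_size_t_eq(written, strlen(MSG3)))
        goto end;

    /* Server should still be able to read early data after writing data */
    if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                                         &readbytes),
                     SSL_READ_EARLY_DATA_SUCCESS)
        || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
        goto end;

    /* Write more data from server and read it from client */
    if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
                                        &written))
        || !TEST_size_t_eq(written, strlen(MSG4))
        || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
        || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
        goto end;

    /*
     * If client writes normal data it should mean writing early data is no
     * longer possible.
     */
    if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
        || !TEST_size_t_eq(written, strlen(MSG5))
        || !TEST_int_eq(SSL_get_early_data_status(clientssl),
                        SSL_EARLY_DATA_ACCEPTED))
        goto end;

    /*
     * At this point the client has written EndOfEarlyData, ClientFinished and
     * normal (fully protected) data. We are going to cause a delay between the
     * arrival of EndOfEarlyData and ClientFinished. We read out all the data
     * in the read BIO, and then just put back the EndOfEarlyData message.
     */
    rbio = SSL_get_rbio(serverssl);
    if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
        || !TEST_size_t_lt(rawread, sizeof(data))
        || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
        goto end;

    /* Record length is in the 4th and 5th bytes of the record header */
    eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
    /*
     * eoedlen is taken from the bytes just read. Check it against rawread
     * before it is used as a length here and as an offset further down,
     * otherwise a larger value would read past the data that was received and
     * make rawread - eoedlen wrap around.
     */
    if (!TEST_size_t_le(eoedlen, rawread)
        || !TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
        || !TEST_size_t_eq(rawwritten, eoedlen))
        goto end;

    /* Server should be told that there is no more early data */
    if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                                         &readbytes),
                     SSL_READ_EARLY_DATA_FINISH)
        || !TEST_size_t_eq(readbytes, 0))
        goto end;

    /*
     * Server has not finished init yet, so should still be able to write early
     * data.
     */
    if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
                                        &written))
        || !TEST_size_t_eq(written, strlen(MSG6)))
        goto end;

    /* Push the ClientFinished and the normal data back into the server rbio */
    if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
                                &rawwritten))
        || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
        goto end;

    /* Server should be able to read normal data */
    if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
        || !TEST_size_t_eq(readbytes, strlen(MSG5)))
        goto end;

    /* Client and server should not be able to write/read early data now */
    if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
                                         &written)))
        goto end;
    ERR_clear_error();
    if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                                         &readbytes),
                     SSL_READ_EARLY_DATA_ERROR))
        goto end;
    ERR_clear_error();

    /* Client should be able to read the data sent by the server */
    if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
        || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
        goto end;

    /*
     * Make sure we process the two NewSessionTickets. These arrive
     * post-handshake. We attempt reads which we do not expect to return any
     * data.
     */
    if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
        || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
                                   &readbytes)))
        goto end;

    /* Server should be able to write normal data */
    if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
        || !TEST_size_t_eq(written, strlen(MSG7))
        || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
        || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
        goto end;

    /* Swap the session for the one the client holds now and start again */
    SSL_SESSION_free(sess);
    sess = SSL_get1_session(clientssl);
    use_session_cb_cnt = 0;
    find_session_cb_cnt = 0;

    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                      &clientssl, NULL, NULL))
        || !TEST_true(SSL_set_session(clientssl, sess)))
        goto end;

    /* Write and read some early data */
    if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
                                        &written))
        || !TEST_size_t_eq(written, strlen(MSG1))
        || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                                            &readbytes),
                        SSL_READ_EARLY_DATA_SUCCESS)
        || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
        goto end;

    if (!TEST_int_gt(SSL_connect(clientssl), 0)
        || !TEST_int_gt(SSL_accept(serverssl), 0))
        goto end;

    /* Client and server should not be able to write/read early data now */
    if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
                                         &written)))
        goto end;
    ERR_clear_error();
    if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                                         &readbytes),
                     SSL_READ_EARLY_DATA_ERROR))
        goto end;
    ERR_clear_error();

    /* Client and server should be able to write/read normal data */
    if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
        || !TEST_size_t_eq(written, strlen(MSG5))
        || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
        || !TEST_size_t_eq(readbytes, strlen(MSG5)))
        goto end;

    testresult = 1;

end:
    SSL_SESSION_free(sess);
    SSL_SESSION_free(clientpsk);
    SSL_SESSION_free(serverpsk);
    clientpsk = serverpsk = NULL;
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}

/* Number of times allow_early_data_cb() has been invoked */
static int allow_ed_cb_called = 0;

/*
 * Allow-early-data callback. arg points at the usecb value of the running
 * test: returns 0 (reject) when it is 1 and 1 (accept) otherwise.
 */
static int allow_early_data_cb(SSL *s, void *arg)
{
    int *usecb = (int *)arg;

    allow_ed_cb_called++;

    if (*usecb == 1)
        return 0;

    return 1;
}

/*
 * idx == 0: Standard early_data setup
 * idx == 1: early_data setup using read_ahead
 * usecb == 0: Don't use a custom early data callback
 * usecb == 1: Use a custom early data callback and reject the early data
 * usecb == 2: Use a custom early data callback and accept the early data
 * confopt == 0: Configure anti-replay directly
 * confopt == 1: Configure anti-replay using SSL_CONF
 */
static int test_early_data_replay_int(int idx, int usecb, int confopt)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    SSL_SESSION *sess = NULL;
    size_t readbytes, written;
    unsigned char buf[20];
    OSSL_TIME timer;

    allow_ed_cb_called = 0;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), TLS1_VERSION, 0,
                                       &sctx, &cctx, cert, privkey)))
        return 0;

    if (usecb > 0) {
        /*
         * With a custom callback the server's anti-replay option is switched
         * off, either directly or through SSL_CONF, so that the outcome for
         * the reused ticket is the callback's decision.
         */
        if (confopt == 0) {
            SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
        } else {
            SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();

            if (!TEST_ptr(confctx))
                goto end;
            SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE | SSL_CONF_FLAG_SERVER);
            SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
            if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
                             2)) {
                SSL_CONF_CTX_free(confctx);
                goto end;
            }
            SSL_CONF_CTX_free(confctx);
        }
        /* &usecb stays valid: sctx is freed before this function returns */
        SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
    }

    if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
                                        &serverssl, &sess, idx,
                                        SHA384_DIGEST_LENGTH)))
        goto end;

    /*
     * The server is configured to accept early data. Create a connection to
     * "use up" the ticket
     */
    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
        || !TEST_true(SSL_session_reused(clientssl)))
        goto end;

    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    /* Second connection with the same session: this is the replay */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                      &clientssl, NULL, NULL))
        || !TEST_true(SSL_set_session(clientssl, sess)))
        goto end;

    /* Write and read some early data */
    timer = ossl_time_now();
    if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
                                        &written))
        || !TEST_size_t_eq(written, strlen(MSG1)))
        goto end;

    if (usecb <= 1) {
        if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                                             &readbytes),
                         SSL_READ_EARLY_DATA_FINISH)
            /*
             * The ticket was reused, so we should have rejected the
             * early data
             */
            || !TEST_int_eq(SSL_get_early_data_status(serverssl),
                            SSL_EARLY_DATA_REJECTED))
            goto end;
    } else {
        /* In this case the callback decides to accept the early data */
        if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                                             &readbytes),
                         SSL_READ_EARLY_DATA_SUCCESS)) {
            testresult = check_early_data_timeout(timer);
            goto end;
        }
        if (!TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
            /*
             * Server will have sent its flight so client can now send
             * end of early data and complete its half of the handshake
             */
            || !TEST_int_gt(SSL_connect(clientssl), 0)
            || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                                                &readbytes),
                            SSL_READ_EARLY_DATA_FINISH)
            || !TEST_int_eq(SSL_get_early_data_status(serverssl),
                            SSL_EARLY_DATA_ACCEPTED))
            goto end;
    }

    /* Complete the connection */
    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
        || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
        || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
        goto end;

    testresult = 1;

end:
    SSL_SESSION_free(sess);
    SSL_SESSION_free(clientpsk);
    SSL_SESSION_free(serverpsk);
    clientpsk = serverpsk = NULL;
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}

/*
 * Run test_early_data_replay_int() for every usecb (0..2) and confopt (0..1)
 * combination. Returns 1 only if all of them returned 1.
 */
static int test_early_data_replay(int idx)
{
    int ret = 1, usecb, confopt;

    for (usecb = 0; usecb < 3; usecb++) {
        for (confopt = 0; confopt < 2; confopt++)
            ret &= test_early_data_replay_int(idx, usecb, confopt);
    }

    return ret;
}

/*
 * TLSv1.3 ciphersuites used by the early data skip tests. The ChaCha20 slot
 * holds NULL when that cipher is not built, which keeps the later indices in
 * place.
 */
static const char *ciphersuites[] = {
    "TLS_AES_128_CCM_8_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_CCM_SHA256",
#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
    "TLS_CHACHA20_POLY1305_SHA256",
#else
    NULL,
#endif
#if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
    "TLS_SHA256_SHA256",
    "TLS_SHA384_SHA384"
#endif
};

/*
 * Helper function to test that a server attempting to read early data can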
* handle a connection from a client where the early data should be skipped.
 * testtype: 0 == No HRR
 * testtype: 1 == HRR
 * testtype: 2 == HRR, invalid early_data sent after HRR
 * testtype: 3 == recv_max_early_data set to 0
 * cipher: index into ciphersuites[]
 * idx: setup variant passed on to setupearly_data_test() (2 selects PSK)
 * Returns 1 on success (or when the case is not run under FIPS), 0 on failure.
 */
static int early_data_skip_helper(int testtype, int cipher, int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    SSL_SESSION *sess = NULL;
    unsigned char buf[20];
    size_t readbytes, written;

    /* Entries from index 4 upwards are not exercised when is_fips is set */
    if (is_fips && cipher >= 4)
        return 1;

    /* A NULL slot marks a ciphersuite that is not available in this build */
    if (ciphersuites[cipher] == NULL)
        return TEST_skip("Cipher not supported");

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(),
                                       TLS1_VERSION, 0,
                                       &sctx, &cctx, cert, privkey)))
        goto end;

    /*
     * Indices 0, 5 and 6 are the CCM_8 suite and the two integrity-only
     * suites. The security level is dropped to 0 on both sides for them,
     * presumably because they are not permitted at the default level; this
     * is a setting for the test only.
     */
    if (cipher == 0 || cipher == 5 || cipher == 6) {
        SSL_CTX_set_security_level(sctx, 0);
        SSL_CTX_set_security_level(cctx, 0);
    }

    if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, ciphersuites[cipher]))
        || !TEST_true(SSL_CTX_set_ciphersuites(cctx, ciphersuites[cipher])))
        goto end;

    /* Indices 2 and 6 are the SHA384 suites; the others use SHA256 */
    if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
                                        &serverssl, &sess, idx,
                                        (cipher == 2 || cipher == 6)
                                            ? SHA384_DIGEST_LENGTH
                                            : SHA256_DIGEST_LENGTH)))
        goto end;

    if (testtype == 1 || testtype == 2) {
        /* Force an HRR to occur */
#if defined(OPENSSL_NO_EC)
        if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
            goto end;
#else
        if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
            goto end;
#endif
    } else if (idx == 2) {
        /*
         * We force early_data rejection by ensuring the PSK identity is
         * unrecognised
         */
        srvid = "Dummy Identity";
    } else {
        /*
         * Deliberately corrupt the creation time. We take 20 seconds off the
         * time. It could be any value as long as it is not within tolerance.
         * This should mean the ticket is rejected.
         */
        if (!TEST_true(SSL_SESSION_set_time_ex(sess, time(NULL) - 20)))
            goto end;
    }

    /* With a limit of 0 the server is not willing to skip any early data */
    if (testtype == 3
        && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
        goto end;

    /* Write some early data */
    if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
                                        &written))
        || !TEST_size_t_eq(written, strlen(MSG1)))
        goto end;

    /* Server should reject the early data */
    if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                                         &readbytes),
                     SSL_READ_EARLY_DATA_FINISH)
        || !TEST_size_t_eq(readbytes, 0)
        || !TEST_int_eq(SSL_get_early_data_status(serverssl),
                        SSL_EARLY_DATA_REJECTED))
        goto end;

    switch (testtype) {
    case 0:
        /* Nothing to do */
        break;

    case 1:
        /*
         * Finish off the handshake. We perform the same writes and reads as
         * further down but we expect them to fail due to the incomplete
         * handshake.
         */
        if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
            || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
                                       &readbytes)))
            goto end;
        break;

    case 2: {
        BIO *wbio = SSL_get_wbio(clientssl);
        /*
         * A record that will appear as bad early_data: a record header with
         * type 0x17, version 0x0303 and length 1, followed by one byte.
         */
        const unsigned char bad_early_data[] = {
            0x17, 0x03, 0x03, 0x00, 0x01, 0x00
        };

        /*
         * We force the client to attempt a write. This will fail because
         * we're still in the handshake. It will cause the second
         * ClientHello to be sent.
         */
        if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
                                     &written)))
            goto end;

        /*
         * Inject some early_data after the second ClientHello. This should
         * cause the server to fail
         */
        if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
                                    sizeof(bad_early_data), &written)))
            goto end;
    }
        /* FALLTHROUGH */

    case 3:
        /*
         * This client has sent more early_data than we are willing to skip
         * (case 3) or sent invalid early_data (case 2) so the connection should
         * abort.
         */
        if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
            || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
            goto end;

        /* Connection has failed - nothing more to do */
        testresult = 1;
        goto end;

    default:
        TEST_error("Invalid test type");
        goto end;
    }

    /* Start from an empty error queue so that the check below is meaningful */
    ERR_clear_error();
    /*
     * Should be able to send normal data despite rejection of early data. The
     * early_data should be skipped.
     */
    if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
        || !TEST_size_t_eq(written, strlen(MSG2))
        || !TEST_int_eq(SSL_get_early_data_status(clientssl),
                        SSL_EARLY_DATA_REJECTED)
        || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
        || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
        goto end;

    /*
     * Failure to decrypt early data records should not leave spurious errors
     * on the error stack
     */
    if (!TEST_long_eq(ERR_peek_error(), 0))
        goto end;

    testresult = 1;

end:
    SSL_SESSION_free(clientpsk);
    SSL_SESSION_free(serverpsk);
    clientpsk = serverpsk = NULL;
    SSL_SESSION_free(sess);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}

/*
 * Test that a server attempting to read early data can handle a connection
 * from a client where the early data is not acceptable.
*/
static int test_early_data_skip(int idx)
{
    /* idx encodes both the ciphersuite index and the setup index */
    const size_t nsuites = OSSL_NELEM(ciphersuites);

    return early_data_skip_helper(0, idx % nsuites, idx / nsuites);
}

/*
 * Test that a server attempting to read early data can handle a connection
 * from a client where an HRR occurs.
 */
static int test_early_data_skip_hrr(int idx)
{
    /* idx encodes both the ciphersuite index and the setup index */
    const size_t nsuites = OSSL_NELEM(ciphersuites);

    return early_data_skip_helper(1, idx % nsuites, idx / nsuites);
}

/*
 * Test that a server attempting to read early data can handle a connection
 * from a client where an HRR occurs and correctly fails if early_data is sent
 * after the HRR
 */
static int test_early_data_skip_hrr_fail(int idx)
{
    /* idx encodes both the ciphersuite index and the setup index */
    const size_t nsuites = OSSL_NELEM(ciphersuites);

    return early_data_skip_helper(2, idx % nsuites, idx / nsuites);
}

/*
 * Test that a server attempting to read early data will abort if it tries to
 * skip over too much.
 */
static int test_early_data_skip_abort(int idx)
{
    /* idx encodes both the ciphersuite index and the setup index */
    const size_t nsuites = OSSL_NELEM(ciphersuites);

    return early_data_skip_helper(3, idx % nsuites, idx / nsuites);
}

/*
 * Test that a server attempting to read early data can handle a connection
 * from a client that doesn't send any.
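*/
static int test_early_data_not_sent(int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    SSL_SESSION *sess = NULL;
    unsigned char buf[20];
    size_t readbytes, written;

    /* idx is passed straight through to setupearly_data_test() */
    if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
                                        &serverssl, &sess, idx,
                                        SHA384_DIGEST_LENGTH)))
        goto end;

    /* Write some data - should block due to handshake with server */
    SSL_set_connect_state(clientssl);
    if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
        goto end;

    /* Server should detect that early data has not been sent */
    if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                                         &readbytes),
                     SSL_READ_EARLY_DATA_FINISH)
        || !TEST_size_t_eq(readbytes, 0)
        || !TEST_int_eq(SSL_get_early_data_status(serverssl),
                        SSL_EARLY_DATA_NOT_SENT)
        || !TEST_int_eq(SSL_get_early_data_status(clientssl),
                        SSL_EARLY_DATA_NOT_SENT))
        goto end;

    /*
     * Continue writing the message we started earlier. Every step goes
     * through a TEST_* macro so that a failing call is reported instead of
     * silently ending the test.
     */
    if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
        || !TEST_size_t_eq(written, strlen(MSG1))
        || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
        || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
        || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
        || !TEST_size_t_eq(written, strlen(MSG2)))
        goto end;

    if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
        || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
        goto end;

    testresult = 1;

end:
    SSL_SESSION_free(sess);
    SSL_SESSION_free(clientpsk);
    SSL_SESSION_free(serverpsk);
    clientpsk = serverpsk = NULL;
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}

/* Protocol name that alpn_select_cb() looks for in the client's ALPN list */
static const char *servalpn;
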
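/*
 * ALPN selection callback used on the server side of these tests.
 *
 * Walks the length-prefixed protocol list in |in| (|inlen| bytes) and picks
 * the entry that is byte-for-byte equal to |servalpn|. On a match |*out| and
 * |*outlen| describe that entry inside |in| and SSL_TLSEXT_ERR_OK is returned.
 * SSL_TLSEXT_ERR_NOACK is returned when nothing matches, when an entry claims
 * more bytes than remain in the list, or when |servalpn| has not been set.
 * |ssl| and |arg| are not used.
 */
static int alpn_select_cb(SSL *ssl, const unsigned char **out,
                          unsigned char *outlen, const unsigned char *in,
                          unsigned int inlen, void *arg)
{
    const unsigned char *prot = in;
    const unsigned char *end;
    unsigned int protlen;
    size_t wantlen;

    /* Nothing can match without a configured protocol; avoid strlen(NULL) */
    if (servalpn == NULL)
        return SSL_TLSEXT_ERR_NOACK;

    end = in + inlen;
    wantlen = strlen(servalpn);

    while (prot < end) {
        protlen = *prot++;
        /*
         * The list comes from the peer. Compare the claimed length against
         * the bytes that remain instead of forming prot + protlen, which
         * could point beyond the end of the buffer.
         */
        if ((size_t)(end - prot) < protlen)
            return SSL_TLSEXT_ERR_NOACK;

        if (protlen == wantlen && memcmp(prot, servalpn, protlen) == 0) {
            *out = prot;
            /* protlen was read from a single byte, so it fits */
            *outlen = (unsigned char)protlen;
            return SSL_TLSEXT_ERR_OK;
        }

        prot += protlen;
    }

    return SSL_TLSEXT_ERR_NOACK;
}

/*
 * Test that a PSK can be used to send early_data
 *
 * idx == 0: inconsistent SNI, detected early by the client
 * idx == 1: inconsistent ALPN, detected early by the client
 * idx == 2: invalid protocol version in the session (bad PSK)
 * idx == 3: inconsistent SNI on the server side; early_data is still accepted
 * idx == 4: consistent SNI
 * idx == 5: inconsistent ALPN detected by the server; early_data is rejected
 * idx == 6: consistent ALPN
 * idx == 7: inconsistent ALPN detected late by the client; SSL_connect() fails
 */
static int test_early_data_psk(int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    SSL_SESSION *sess = NULL;
    /* Two length-prefixed ALPN entries: "goodalpn" followed by "badalpn" */
    unsigned char alpnlist[] = {
        0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
        'l', 'p', 'n'
    };
    /* The lengths below include the one byte length prefix */
#define GOODALPNLEN 9
#define BADALPNLEN 8
#define GOODALPN (alpnlist)
#define BADALPN (alpnlist + GOODALPNLEN)
    /* Reason code expected from SSL_write_early_data(), 0 if it should work */
    int err = 0;
    unsigned char buf[20];
    size_t readbytes, written;
    int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
    int edstatus = SSL_EARLY_DATA_ACCEPTED;

    /* We always set this up with a final parameter of "2" for PSK */
    if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
                                        &serverssl, &sess, 2,
                                        SHA384_DIGEST_LENGTH)))
        goto end;

    servalpn = "goodalpn";

    /*
     * Note: There is no test for inconsistent SNI with late client detection.
     * This is because servers do not acknowledge SNI even if they are using
     * it in a resumption handshake - so it is not actually possible for a
     * client to detect a problem.
     */
    switch (idx) {
    case 0:
        /* Set inconsistent SNI (early client detection) */
        err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
        if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
            || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
            goto end;
        break;

    case 1:
        /* Set inconsistent ALPN (early client detection) */
        err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
        /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
        if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
                                                      GOODALPNLEN))
            || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
                                               BADALPNLEN)))
            goto end;
        break;

    case 2:
        /*
         * Set invalid protocol version. Technically this affects PSKs without
         * early_data too, but we test it here because it is similar to the
         * SNI/ALPN consistency tests.
         */
        err = SSL_R_BAD_PSK;
        if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
            goto end;
        break;

    case 3:
        /*
         * Set inconsistent SNI (server side). In this case the connection
         * will succeed and accept early_data. In TLSv1.3 on the server side SNI
         * is associated with each handshake - not the session. Therefore it
         * should not matter that we used a different server name last time.
         */
        SSL_SESSION_free(serverpsk);
        serverpsk = SSL_SESSION_dup(clientpsk);
        if (!TEST_ptr(serverpsk)
            || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
            goto end;
        /* Fall through */
    case 4:
        /* Set consistent SNI */
        if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
            || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
            || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
                                                                 hostname_cb)))
            goto end;
        break;

    case 5:
        /*
         * Set inconsistent ALPN (server detected). In this case the connection
         * will succeed but reject early_data.
         */
        servalpn = "badalpn";
        edstatus = SSL_EARLY_DATA_REJECTED;
        readearlyres = SSL_READ_EARLY_DATA_FINISH;
        /* Fall through */
    case 6:
        /*
         * Set consistent ALPN.
         * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
         * accepts a list of protos (each one length prefixed).
         * SSL_set1_alpn_selected accepts a single protocol (not length
         * prefixed)
         */
        if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
                                                      GOODALPNLEN - 1))
            || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
                                               GOODALPNLEN)))
            goto end;

        SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
        break;

    case 7:
        /*
         * Set inconsistent ALPN (late client detection). The client and
         * server copies of the PSK session record different protocols while
         * the client offers both.
         */
        SSL_SESSION_free(serverpsk);
        serverpsk = SSL_SESSION_dup(clientpsk);
        if (!TEST_ptr(serverpsk)
            || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
                                                         BADALPN + 1,
                                                         BADALPNLEN - 1))
            || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
                                                         GOODALPN + 1,
                                                         GOODALPNLEN - 1))
            || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
                                               sizeof(alpnlist))))
            goto end;
        SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
        edstatus = SSL_EARLY_DATA_ACCEPTED;
        readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
        /* SSL_connect() call should fail */
        connectres = -1;
        break;

    default:
        TEST_error("Bad test index");
        goto end;
    }

    SSL_set_connect_state(clientssl);
    if (err != 0) {
        /* The client must refuse to send early data, with reason |err| */
        if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
                                             &written))
            || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
            || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
            goto end;
    } else {
        OSSL_TIME timer = ossl_time_now();

        if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
                                            &written)))
            goto end;

        if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                                             &readbytes),
                         readearlyres)) {
            /*
             * An unexpected read result is not automatically a failure:
             * check_early_data_timeout() decides, based on the time taken
             * since |timer|.
             */
            testresult = check_early_data_timeout(timer);
            goto end;
        }

        if ((readearlyres == SSL_READ_EARLY_DATA_SUCCESS
             && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
            || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
            || !TEST_int_eq(SSL_connect(clientssl), connectres))
            goto end;
    }

    testresult = 1;

end:
    SSL_SESSION_free(sess);
    SSL_SESSION_free(clientpsk);
    SSL_SESSION_free(serverpsk);
    clientpsk = serverpsk = NULL;
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}

/*
 * Test TLSv1.3 PSK can be used to send early_data with all 7 ciphersuites
 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256
 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
 * idx == 5: Test with TLS1_3_RFC_SHA256_SHA256
 * idx == 6: Test with TLS1_3_RFC_SHA384_SHA384
 *
 * Returns 1 on success, or when the ciphersuite is compiled out or not run
 * under FIPS, and 0 on failure.
 */
static int test_early_data_psk_with_all_ciphers(int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    SSL_SESSION *sess = NULL;
    unsigned char buf[20];
    size_t readbytes, written;
    const SSL_CIPHER *cipher;
    OSSL_TIME timer;
    /* Ciphersuite names by idx; NULL marks one that is compiled out */
    const char *cipher_str[] = {
        TLS1_3_RFC_AES_128_GCM_SHA256,
        TLS1_3_RFC_AES_256_GCM_SHA384,
#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
        TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
#else
        NULL,
#endif
        TLS1_3_RFC_AES_128_CCM_SHA256,
        TLS1_3_RFC_AES_128_CCM_8_SHA256,
#if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
        TLS1_3_RFC_SHA256_SHA256,
        TLS1_3_RFC_SHA384_SHA384
#else
        NULL,
        NULL
#endif
    };
    /* Ciphersuite code points, in the same order as cipher_str[] */
    const unsigned char *cipher_bytes[] = {
        TLS13_AES_128_GCM_SHA256_BYTES,
        TLS13_AES_256_GCM_SHA384_BYTES,
#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
        TLS13_CHACHA20_POLY1305_SHA256_BYTES,
#else
        NULL,
#endif
        TLS13_AES_128_CCM_SHA256_BYTES,
        TLS13_AES_128_CCM_8_SHA256_BYTES,
#if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
        TLS13_SHA256_SHA256_BYTES,
        TLS13_SHA384_SHA384_BYTES
#else
        NULL,
        NULL
#endif
    };

    if (cipher_str[idx] == NULL)
        return 1;
    /*
     * Skip ChaCha20Poly1305 and TLS_SHA{256,384}_SHA{256,384} ciphers
     * as currently FIPS module does not support them.
     */
    if ((idx == 2 || idx == 5 || idx == 6) && is_fips == 1)
        return 1;

    /* We always set this up with a final parameter of "2" for PSK */
    if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
                                        &serverssl, &sess, 2,
                                        SHA384_DIGEST_LENGTH)))
        goto end;

    if (idx == 4 || idx == 5 || idx == 6) {
        /*
         * CCM8 ciphers are considered low security due to their short tag.
         * Integrity-only ciphers do not provide any confidentiality.
         * Both are only negotiable at security level 0, which is lowered
         * here for this test connection only.
         */
        SSL_set_security_level(clientssl, 0);
        SSL_set_security_level(serverssl, 0);
    }

    if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
        || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
        goto end;

    /*
     * 'setupearly_data_test' creates only one instance of SSL_SESSION
     * and assigns it to both client and server with an incremented reference
     * count; the same instance is returned in 'sess'.
     * So updating the ciphersuite in 'sess' is reflected in the PSK
     * handshake through the psk use session and find session callbacks.
     */
    cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
    if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
        goto end;

    SSL_set_connect_state(clientssl);
    timer = ossl_time_now();
    if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
                                        &written)))
        goto end;

    if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                                         &readbytes),
                     SSL_READ_EARLY_DATA_SUCCESS)) {
        /* check_early_data_timeout() decides whether this is a failure */
        testresult = check_early_data_timeout(timer);
        goto end;
    }

    if (!TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
        || !TEST_int_eq(SSL_get_early_data_status(serverssl),
                        SSL_EARLY_DATA_ACCEPTED)
        || !TEST_int_eq(SSL_connect(clientssl), 1)
        || !TEST_int_eq(SSL_accept(serverssl), 1))
        goto end;

    /* Send some normal data from client to server */
    if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
        || !TEST_size_t_eq(written, strlen(MSG2)))
        goto end;

    if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
        || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
        goto end;

    testresult = 1;
end:
    SSL_SESSION_free(sess);
    SSL_SESSION_free(clientpsk);
    SSL_SESSION_free(serverpsk);
    clientpsk = serverpsk = NULL;
    if (clientssl != NULL)
        SSL_shutdown(clientssl);
    if (serverssl != NULL)
        SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}

/*
 * Test that a server that doesn't try to read early data can handle a
 * client sending some.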
*/
static int test_early_data_not_expected(int idx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    SSL_SESSION *sess = NULL;
    unsigned char buf[20];
    size_t written, readbytes;
    int testresult = 0;

    if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
                                        &serverssl, &sess, idx,
                                        SHA384_DIGEST_LENGTH)))
        goto end;

    /* The client sends early data although the server never asks for it */
    if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
                                        &written)))
        goto end;

    /*
     * The first SSL_accept() skips over the early data and then blocks
     * until the client continues the handshake.
     */
    if (!TEST_int_le(SSL_accept(serverssl), 0))
        goto end;
    if (!TEST_int_gt(SSL_connect(clientssl), 0))
        goto end;
    if (!TEST_int_eq(SSL_get_early_data_status(serverssl),
                     SSL_EARLY_DATA_REJECTED))
        goto end;

    /* The second SSL_accept() completes; the client sees the rejection too */
    if (!TEST_int_gt(SSL_accept(serverssl), 0))
        goto end;
    if (!TEST_int_eq(SSL_get_early_data_status(clientssl),
                     SSL_EARLY_DATA_REJECTED))
        goto end;

    /* Normal data from client to server must still get through */
    if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written)))
        goto end;
    if (!TEST_size_t_eq(written, strlen(MSG2)))
        goto end;

    if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)))
        goto end;
    if (!TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
        goto end;

    testresult = 1;

end:
    SSL_SESSION_free(sess);
    SSL_SESSION_free(clientpsk);
    SSL_SESSION_free(serverpsk);
    clientpsk = serverpsk = NULL;
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}

#ifndef OPENSSL_NO_TLS1_2
/*
 * Test that a server attempting to read early data can handle a connection
 * from a TLSv1.2 client.
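*/
static int test_early_data_tls1_2(int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    unsigned char buf[20];
    size_t readbytes, written;

    /* No session is requested from the setup helper (NULL is passed) */
    if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
                                        &serverssl, NULL, idx,
                                        SHA384_DIGEST_LENGTH)))
        goto end;

    /* Write some data - should block due to handshake with server */
    SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
    SSL_set_connect_state(clientssl);
    if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
        goto end;

    /*
     * Server should do TLSv1.2 handshake. First it will block waiting for more
     * messages from client after ServerDone. Then SSL_read_early_data should
     * finish and detect that early data has not been sent
     */
    if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                                         &readbytes),
                     SSL_READ_EARLY_DATA_ERROR))
        goto end;

    /*
     * Continue writing the message we started earlier. Will still block waiting
     * for the CCS/Finished from server
     */
    if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
        || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                                            &readbytes),
                        SSL_READ_EARLY_DATA_FINISH)
        || !TEST_size_t_eq(readbytes, 0)
        || !TEST_int_eq(SSL_get_early_data_status(serverssl),
                        SSL_EARLY_DATA_NOT_SENT))
        goto end;

    /*
     * Continue writing the message we started earlier. Every step goes
     * through a TEST_* macro so that a failing call is reported instead of
     * silently ending the test.
     */
    if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
        || !TEST_size_t_eq(written, strlen(MSG1))
        || !TEST_int_eq(SSL_get_early_data_status(clientssl),
                        SSL_EARLY_DATA_NOT_SENT)
        || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
        || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
        || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
        || !TEST_size_t_eq(written, strlen(MSG2))
        || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
        || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
        goto end;

    testresult = 1;

end:
    SSL_SESSION_free(clientpsk);
    SSL_SESSION_free(serverpsk);
    clientpsk = serverpsk = NULL;
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
#endif /* OPENSSL_NO_TLS1_2 */

/*
 * Test configuring the TLSv1.3 ciphersuites
 *
 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
 * Test 6: Set a default ciphersuite in the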
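SSL (SSL_CTX cipher_list)
 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
 */
static int test_set_ciphersuite(int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;

    /* The server always offers the same two TLSv1.3 ciphersuites */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), TLS1_VERSION, 0,
                                       &sctx, &cctx, cert, privkey))
        || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
                                               "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
        goto end;

    if (idx >= 4 && idx <= 7) {
        /* SSL_CTX explicit cipher list */
        if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
            goto end;
    }

    if (idx == 0 || idx == 4) {
        /* Default ciphersuite */
        if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
                                                "TLS_AES_128_GCM_SHA256")))
            goto end;
    } else if (idx == 1 || idx == 5) {
        /* Non default ciphersuite */
        if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
                                                "TLS_AES_128_CCM_SHA256")))
            goto end;
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                      &clientssl, NULL, NULL)))
        goto end;

    if (idx == 8 || idx == 9) {
        /* SSL explicit cipher list */
        if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
            goto end;
    }

    if (idx == 2 || idx == 6 || idx == 8) {
        /* Default ciphersuite */
        if (!TEST_true(SSL_set_ciphersuites(clientssl,
                                            "TLS_AES_128_GCM_SHA256")))
            goto end;
    } else if (idx == 3 || idx == 7 || idx == 9) {
        /* Non default ciphersuite */
        if (!TEST_true(SSL_set_ciphersuites(clientssl,
                                            "TLS_AES_128_CCM_SHA256")))
            goto end;
    }

    /* Whichever way it was configured, the handshake must complete */
    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}

/*
 * Test resumption when the client's ciphersuite configuration changes
 * between connections. The stages are:
 *  - create a session with a SHA-256 based ciphersuite;
 *  - resume it with a different SHA-256 based ciphersuite;
 *  - offer it with only a SHA-384 ciphersuite configured and check that it
 *    is not resumed;
 *  - create a SHA-384 session, then alter the client's copy mid-handshake so
 *    that it claims a SHA-256 ciphersuite and check that the client fails
 *    with SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED.
 *
 * Returns 1 on success and 0 on failure.
 */
static int test_ciphersuite_change(void)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    SSL_SESSION *clntsess = NULL;
    int testresult = 0;
    const SSL_CIPHER *aes_128_gcm_sha256 = NULL;

    /* Create a session based on SHA-256 */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), TLS1_VERSION, 0,
                                       &sctx, &cctx, cert, privkey))
        || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
                                               "TLS_AES_128_GCM_SHA256:"
                                               "TLS_AES_256_GCM_SHA384:"
                                               "TLS_AES_128_CCM_SHA256"))
        || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
                                               "TLS_AES_128_GCM_SHA256")))
        goto end;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                            SSL_ERROR_NONE)))
        goto end;

    /* The session is dereferenced below, so fail cleanly if there is none */
    clntsess = SSL_get1_session(clientssl);
    if (!TEST_ptr(clntsess))
        goto end;
    /* Save for later */
    aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
    if (!TEST_ptr(aes_128_gcm_sha256))
        goto end;
    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    /* Check we can resume a session with a different SHA-256 ciphersuite */
    if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
                                            "TLS_AES_128_CCM_SHA256"))
        || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                         &clientssl, NULL, NULL))
        || !TEST_true(SSL_set_session(clientssl, clntsess))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                            SSL_ERROR_NONE))
        || !TEST_true(SSL_session_reused(clientssl)))
        goto end;

    SSL_SESSION_free(clntsess);
    clntsess = SSL_get1_session(clientssl);
    /* Without a session the next stage would not test resumption at all */
    if (!TEST_ptr(clntsess))
        goto end;
    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    /*
     * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
     * succeeds but does not resume.
     */
    if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
        || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                         NULL, NULL))
        || !TEST_true(SSL_set_session(clientssl, clntsess))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                            SSL_ERROR_SSL))
        || !TEST_false(SSL_session_reused(clientssl)))
        goto end;

    SSL_SESSION_free(clntsess);
    clntsess = NULL;
    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    /* Create a session based on SHA384 */
    if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
        || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                         &clientssl, NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                            SSL_ERROR_NONE)))
        goto end;

    clntsess = SSL_get1_session(clientssl);
    /* The session's fields are written directly further down */
    if (!TEST_ptr(clntsess))
        goto end;
    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
                                            "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
        || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
                                               "TLS_AES_256_GCM_SHA384"))
        || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                         NULL, NULL))
        || !TEST_true(SSL_set_session(clientssl, clntsess))
        /*
         * We use SSL_ERROR_WANT_READ below so that we can pause the
         * connection after the initial ClientHello has been sent to
         * enable us to make some session changes.
         */
        || !TEST_false(create_ssl_connection(serverssl, clientssl,
                                             SSL_ERROR_WANT_READ)))
        goto end;

    /*
     * Trick the client into thinking this session is for a different digest.
     * The session's fields are written directly, which is only possible
     * because this test includes the library's internal headers.
     */
    clntsess->cipher = aes_128_gcm_sha256;
    clntsess->cipher_id = clntsess->cipher->id;

    /*
     * Continue the previously started connection. Server has selected a SHA-384
     * ciphersuite, but client thinks the session is for SHA-256, so it should
     * bail out.
     */
    if (!TEST_false(create_ssl_connection(serverssl, clientssl,
                                          SSL_ERROR_SSL))
        || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
                        SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
        goto end;

    testresult = 1;

end:
    SSL_SESSION_free(clntsess);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}

/*
 * Test TLSv1.3 Key exchange
 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
 * Test 5 = Test NID_X448 with TLSv1.3 client and server
 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
 * Test 12 = Test all ML-KEM with TLSv1.3 client and server
 * Test 13 = Test MLKEM512
 * Test 14 = Test MLKEM768
 * Test 15 = Test MLKEM1024
 * Test 16 = Test X25519MLKEM768
 * Test 17 = Test SecP256r1MLKEM768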
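* Test 18 = Test SecP384r1MLKEM1024
 * Test 19 = Test all ML-KEM with TLSv1.2 client and server
 * Test 20 = Test all FFDHE with TLSv1.2 client and server
 * Test 21 = Test all ECDHE with TLSv1.2 client and server
 */
#ifndef OPENSSL_NO_EC
/* EC groups offered, in this order, when a test configures "all" ECDHE groups */
static int ecdhe_kexch_groups[] = { NID_X9_62_prime256v1, NID_secp384r1,
    NID_secp521r1,
#ifndef OPENSSL_NO_ECX
    NID_X25519, NID_X448
#endif
};
#endif
#ifndef OPENSSL_NO_DH
/* FFDHE groups offered, in this order, when a test configures "all" FFDHE groups */
static int ffdhe_kexch_groups[] = { NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
    NID_ffdhe6144, NID_ffdhe8192 };
#endif
/*
 * Runs one handshake with the group configuration selected by idx and checks
 * which group ends up shared/negotiated.
 * Returns 1 on success (also for an idx that is compiled out), 0 on failure,
 * or the result of TEST_skip() when the FIPS provider cannot run the case.
 */
static int test_key_exchange(int idx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    int testresult = 0;
    int kexch_alg = NID_undef;
    /* Default: a single group configured by NID through kexch_alg */
    int *kexch_groups = &kexch_alg;
    int kexch_groups_size = 1;
    int max_version = TLS1_3_VERSION;
    /* Group name the name getters are expected to report after the handshake */
    const char *kexch_name0 = NULL;
    /* Group list string; only consulted when kexch_groups is NULL */
    const char *kexch_names = NULL;
    int shared_group0;

    switch (idx) {
#ifndef OPENSSL_NO_EC
#ifndef OPENSSL_NO_TLS1_2
    case 21:
        max_version = TLS1_2_VERSION;
#endif
        /* Fall through */
    case 0:
        kexch_groups = ecdhe_kexch_groups;
        kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
        kexch_name0 = "secp256r1";
        break;
    case 1:
        kexch_alg = NID_X9_62_prime256v1;
        kexch_name0 = "secp256r1";
        break;
    case 2:
        kexch_alg = NID_secp384r1;
        kexch_name0 = "secp384r1";
        break;
    case 3:
        kexch_alg = NID_secp521r1;
        kexch_name0 = "secp521r1";
        break;
#ifndef OPENSSL_NO_ECX
    case 4:
        if (is_fips)
            return TEST_skip("X25519 might not be supported by fips provider.");
        kexch_alg = NID_X25519;
        kexch_name0 = "x25519";
        break;
    case 5:
        if (is_fips)
            return TEST_skip("X448 might not be supported by fips provider.");
        kexch_alg = NID_X448;
        kexch_name0 = "x448";
        break;
#endif
#endif
#ifndef OPENSSL_NO_DH
#ifndef OPENSSL_NO_TLS1_2
    case 20:
        /* The expected name is assigned by case 6, which this falls into */
        max_version = TLS1_2_VERSION;
#endif
        /* Fall through */
    case 6:
        kexch_groups = ffdhe_kexch_groups;
        kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
        kexch_name0 = "ffdhe2048";
        break;
    case 7:
        kexch_alg = NID_ffdhe2048;
        kexch_name0 = "ffdhe2048";
        break;
    case 8:
        kexch_alg = NID_ffdhe3072;
        kexch_name0 = "ffdhe3072";
        break;
    case 9:
        kexch_alg = NID_ffdhe4096;
        kexch_name0 = "ffdhe4096";
        break;
    case 10:
        kexch_alg = NID_ffdhe6144;
        kexch_name0 = "ffdhe6144";
        break;
    case 11:
        kexch_alg = NID_ffdhe8192;
        kexch_name0 = "ffdhe8192";
        break;
#endif
#ifndef OPENSSL_NO_ML_KEM
#if !defined(OPENSSL_NO_TLS1_2)
    case 19:
        max_version = TLS1_2_VERSION;
#if !defined(OPENSSL_NO_EC)
        /* Set at least one EC group so the handshake completes */
        kexch_names = "MLKEM512:MLKEM768:MLKEM1024:secp256r1";
#elif !defined(OPENSSL_NO_DH)
        kexch_names = "MLKEM512:MLKEM768:MLKEM1024";
#else
        /* With neither EC nor DH TLS 1.2 can't happen */
        return 1;
#endif
#endif
        /* Fall through */
    case 12:
        /* A NULL kexch_groups selects configuration by name list below */
        kexch_groups = NULL;
        if (kexch_names == NULL)
            kexch_names = "MLKEM512:MLKEM768:MLKEM1024";
        kexch_name0 = "MLKEM512";
        break;
    case 13:
        kexch_groups = NULL;
        kexch_name0 = "MLKEM512";
        kexch_names = kexch_name0;
        break;
    case 14:
        kexch_groups = NULL;
        kexch_name0 = "MLKEM768";
        kexch_names = kexch_name0;
        break;
    case 15:
        kexch_groups = NULL;
        kexch_name0 = "MLKEM1024";
        kexch_names = kexch_name0;
        break;
#ifndef OPENSSL_NO_EC
#ifndef OPENSSL_NO_ECX
    case 16:
        kexch_groups = NULL;
        kexch_name0 = "X25519MLKEM768";
        kexch_names = kexch_name0;
        break;
#endif
    case 17:
        kexch_groups = NULL;
        kexch_name0 = "SecP256r1MLKEM768";
        kexch_names = kexch_name0;
        break;
    case 18:
        kexch_groups = NULL;
        kexch_name0 = "SecP384r1MLKEM1024";
        kexch_names = kexch_name0;
        break;
#endif
#endif
    default:
        /* We're skipping this test */
        return 1;
    }

    if (is_fips && fips_provider_version_lt(libctx, 3, 5, 0)
        && idx >= 12 && idx <= 19)
        return TEST_skip("ML-KEM not supported in this version of fips provider");

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_VERSION,
            max_version, &sctx, &cctx, cert,
            privkey)))
        goto end;

    /* Pin one TLSv1.3 ciphersuite on both sides so only the group varies */
    if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
            TLS1_3_RFC_AES_128_GCM_SHA256)))
        goto end;

    if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
            TLS1_3_RFC_AES_128_GCM_SHA256)))
        goto end;

    /* TLSv1.2 server: one ECDHE and one DHE suite, with automatic DH parameters */
    if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
            TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":" TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
        || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
        goto end;

        /*
         * Must include an EC ciphersuite so that we send supported groups in
         * TLSv1.2
         */
#ifndef OPENSSL_NO_TLS1_2
    if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
            TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":" TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
        goto end;
#endif

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;

    /* Both peers get the identical group configuration, by NID or by name */
    if (kexch_groups != NULL) {
        if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
            || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
            goto end;
    } else {
        if (!TEST_true(SSL_set1_groups_list(serverssl, kexch_names))
            || !TEST_true(SSL_set1_groups_list(clientssl, kexch_names)))
            goto end;
    }

    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    /*
     * If the handshake succeeds the negotiated kexch alg should be the first
     * one configured. The exceptions are the TLSv1.2 runs with "all" ML-KEM
     * (idx == 19) and "all" FFDHE (idx == 20) groups: those groups are
     * TLSv1.3 only, so no shared group is expected unless an EC group was
     * added to the list (idx == 19 with EC available).
     */
    shared_group0 = SSL_get_shared_group(serverssl, 0);
    switch (idx) {
    case 19:
#if !defined(OPENSSL_NO_EC)
        /*
         * ML-KEM list over TLS 1.2 with EC available: the secp256r1 entry
         * appended to the list above must be the shared group, i.e. none of
         * the ML-KEM groups is selected for the TLS 1.2 handshake.
         */
        if (!TEST_int_eq(shared_group0, NID_X9_62_prime256v1))
            goto end;
        break;
#endif
        /* Fall through */
    case 20:
        if (!TEST_int_eq(shared_group0, 0))
            goto end;
        break;
    default:
        /* Cross-check the NID, its name, and both peers' view of the result */
        if (kexch_groups != NULL
            && !TEST_int_eq(shared_group0, kexch_groups[0]))
            goto end;
        if (!TEST_str_eq(SSL_group_to_name(serverssl, shared_group0),
                kexch_name0))
            goto end;
        if (!TEST_str_eq(SSL_get0_group_name(serverssl), kexch_name0)
            || !TEST_str_eq(SSL_get0_group_name(clientssl), kexch_name0))
            goto end;
        if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), shared_group0))
            goto end;
        if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), shared_group0))
            goto end;
        break;
    }

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}

#if !defined(OPENSSL_NO_TLS1_2) \
    && !defined(OPENSSL_NO_EC)  \
    && !defined(OPENSSL_NO_DH)
static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
    int isecdhe, int idx)
{
    int kexch_alg;
    int *kexch_groups = &kexch_alg;
    int numec, numff;

    numec = OSSL_NELEM(ecdhe_kexch_groups);
    numff = OSSL_NELEM(ffdhe_kexch_groups);
    if (isecdhe)
        kexch_alg = ecdhe_kexch_groups[idx];
    else
        kexch_alg = ffdhe_kexch_groups[idx];

    if (clientmulti) {
        if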
(!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
            return 0;
        if (isecdhe) {
            if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
                    numec)))
                return 0;
        } else {
            if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
                    numff)))
                return 0;
        }
    } else {
        if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
            return 0;
        if (isecdhe) {
            if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
                    numec)))
                return 0;
        } else {
            if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
                    numff)))
                return 0;
        }
    }
    return 1;
}

/*-
 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
 * Run through both the ECDHE and FFDHE group lists used in the previous
 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
 * confirming the expected result; then perform a resumption handshake
 * while offering the same group list, and another resumption handshake
 * offering a different group list.  The returned value should be the
 * negotiated group for the initial handshake; for TLS 1.3 resumption
 * handshakes the returned value will be negotiated on the resumption
 * handshake itself, but for TLS 1.2 resumption handshakes the value will
 * be cached in the session from the original handshake, regardless of what
 * was offered in the resumption ClientHello.
 *
 * Using E for the number of EC groups and F for the number of FF groups:
 * E tests of ECDHE with TLS 1.3, server only has one group
 * F tests of FFDHE with TLS 1.3, server only has one group
 * E tests of ECDHE with TLS 1.2, server only has one group
 * F tests of FFDHE with TLS 1.2, server only has one group
 * E tests of ECDHE with TLS 1.3, client sends only one group
 * F tests of FFDHE with TLS 1.3, client sends only one group
 * E tests of ECDHE with TLS 1.2, client sends only one group
 * F tests of FFDHE with TLS 1.2, client sends only one group
 */
static int test_negotiated_group(int idx)
{
    int clientmulti, istls13, isecdhe, numec, numff, numgroups;
    int expectednid;
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    SSL_SESSION *origsess = NULL;
    int testresult = 0;
    int kexch_alg;
    int max_version;

    /*
     * Decode idx, outermost dimension first: which side holds the single
     * group, then the protocol version, then the group family and the
     * position inside that family's list.
     */
    numec = OSSL_NELEM(ecdhe_kexch_groups);
    numff = OSSL_NELEM(ffdhe_kexch_groups);
    numgroups = numec + numff;
    clientmulti = (idx < 2 * numgroups);
    idx %= 2 * numgroups;
    istls13 = (idx < numgroups);
    idx %= numgroups;
    isecdhe = (idx < numec);
    if (!isecdhe)
        idx -= numec;
    /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
    kexch_alg = isecdhe ? ecdhe_kexch_groups[idx] : ffdhe_kexch_groups[idx];
    /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
    expectednid = (!istls13 && !isecdhe) ? NID_undef : kexch_alg;

    if (is_fips && (kexch_alg == NID_X25519 || kexch_alg == NID_X448))
        return TEST_skip("X25519 and X448 might not be available in fips provider.");

    max_version = istls13 ? TLS1_3_VERSION : TLS1_2_VERSION;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_VERSION,
            max_version, &sctx, &cctx, cert,
            privkey)))
        goto end;

    /*
     * Force (EC)DHE ciphers for TLS 1.2.
     * Be sure to enable auto tmp DH so that FFDHE can succeed.
     */
    if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
            TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":" TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
        || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
        goto end;
    if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
            TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":" TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
        goto end;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;

    if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
            idx)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /* Initial handshake; always the configured one */
    if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
        || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
        goto end;

    /* Keep our own reference to the session for the two resumptions below */
    if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
        goto end;

    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    /* First resumption attempt; use the same config as initial handshake */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL))
        || !TEST_true(SSL_set_session(clientssl, origsess))
        || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
            isecdhe, idx)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
        || !TEST_true(SSL_session_reused(clientssl)))
        goto end;

    /* Still had better agree, since nothing changed... */
    if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
        || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
        goto end;

    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    /*-
     * Second resumption attempt
     * The party that picks one group changes it, which we effectuate by
     * changing 'idx' and updating what we expect.
     */
    idx = (idx == 0) ? 1 : idx - 1;
    if (istls13) {
        expectednid = isecdhe ? ecdhe_kexch_groups[idx]
                              : ffdhe_kexch_groups[idx];
        /* Verify that we are changing what we expect. */
        if (!TEST_int_ne(expectednid, kexch_alg))
            goto end;
    } else {
        /*
         * TLS 1.2 only supports named groups for ECDHE; the ECDHE value is
         * the one from the original handshake, as described above.
         */
        expectednid = isecdhe ? kexch_alg : NID_undef;
    }
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL))
        || !TEST_true(SSL_set_session(clientssl, origsess))
        || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
            isecdhe, idx)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
        || !TEST_true(SSL_session_reused(clientssl)))
        goto end;

    /* Check that we get what we expected */
    if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
        || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
        goto end;

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    SSL_SESSION_free(origsess);
    return testresult;
}
#endif /* !OPENSSL_NO_TLS1_2 && !OPENSSL_NO_EC && !OPENSSL_NO_DH */

/*
 * Test TLSv1.3 Cipher Suite
 * Test 0 = Set TLS1.3 cipher on context
 * Test 1 = Set TLS1.3 cipher on SSL
 * Test 2 =
Set TLS1.3 and TLS1.2 cipher on context
 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
 */
static int test_tls13_ciphersuite(int idx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    /*
     * Ciphersuite strings under test. An entry may list several suites; the
     * first one is what the TLSv1.3 check below expects to be negotiated.
     *   fipscapable  - entry is also run when is_fips is set
     *   low_security - entry needs security level 0 on both contexts
     */
    static const struct {
        const char *ciphername;
        int fipscapable;
        int low_security;
    } t13_ciphers[] = {
        { TLS1_3_RFC_AES_128_GCM_SHA256, 1, 0 },
        { TLS1_3_RFC_AES_256_GCM_SHA384, 1, 0 },
        { TLS1_3_RFC_AES_128_CCM_SHA256, 1, 0 },
#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
        { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
        { TLS1_3_RFC_AES_256_GCM_SHA384
          ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
            0, 0 },
#endif
        /* CCM8 ciphers are considered low security due to their short tag */
        { TLS1_3_RFC_AES_128_CCM_8_SHA256
          ":" TLS1_3_RFC_AES_128_CCM_SHA256,
            1, 1 },
#if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
        /* Integrity-only cipher do not provide any confidentiality */
        { TLS1_3_RFC_SHA256_SHA256, 0, 1 },
        { TLS1_3_RFC_SHA384_SHA384, 0, 1 }
#endif
    };
    const char *t13_cipher = NULL;
    const char *t12_cipher = NULL;
    const char *srv_name;
    const char *clnt_name;
    int set_at_ctx, set_at_ssl;
    int testresult = 0;
    int max_ver;
    size_t n;

    /* Even idx (0, 2): configure the SSL_CTX; odd idx (1, 3): the SSL object */
    set_at_ctx = (idx == 0 || idx == 2);
    set_at_ssl = (idx == 1 || idx == 3);
    /* Tests 2 and 3 additionally set a TLSv1.2 cipher list */
    if (idx == 2 || idx == 3)
        t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;

    for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
#ifdef OPENSSL_NO_TLS1_2
        if (max_ver == TLS1_2_VERSION)
            continue;
#endif
        for (n = 0; n < OSSL_NELEM(t13_ciphers); n++) {
            if (is_fips && !t13_ciphers[n].fipscapable)
                continue;

            t13_cipher = t13_ciphers[n].ciphername;
            if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                    TLS_client_method(),
                    TLS1_VERSION, max_ver,
                    &sctx, &cctx, cert, privkey)))
                goto end;

            /*
             * Level 0 is applied only to the entries flagged low_security,
             * so that those suites are permitted for this handshake.
             */
            if (t13_ciphers[n].low_security) {
                SSL_CTX_set_security_level(sctx, 0);
                SSL_CTX_set_security_level(cctx, 0);
            }

            if (set_at_ctx) {
                if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
                    || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
                    goto end;
                if (t12_cipher != NULL) {
                    if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
                        || !TEST_true(SSL_CTX_set_cipher_list(cctx,
                            t12_cipher)))
                        goto end;
                }
            }

            if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                    &clientssl, NULL, NULL)))
                goto end;

            if (set_at_ssl) {
                if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
                    || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
                    goto end;
                if (t12_cipher != NULL) {
                    if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
                        || !TEST_true(SSL_set_cipher_list(clientssl,
                            t12_cipher)))
                        goto end;
                }
            }

            if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                    SSL_ERROR_NONE)))
                goto end;

            /* Both peers must report the same negotiated cipher */
            srv_name = SSL_CIPHER_get_name(SSL_get_current_cipher(serverssl));
            clnt_name = SSL_CIPHER_get_name(SSL_get_current_cipher(clientssl));
            if (!TEST_str_eq(srv_name, clnt_name))
                goto end;

            /*
             * TEST_strn_eq is used below because t13_cipher can contain
             * multiple ciphersuites. Only strlen(srv_name) bytes are
             * compared, so this is a prefix match against the first entry.
             */
            if (max_ver == TLS1_3_VERSION
                && !TEST_strn_eq(t13_cipher, srv_name, strlen(srv_name)))
                goto end;

#ifndef OPENSSL_NO_TLS1_2
            /* Below validation is not done when t12_cipher is NULL */
            if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
                && !TEST_str_eq(t12_cipher, srv_name))
                goto end;
#endif

            /* Reset to NULL so the cleanup at 'end' cannot free twice */
            SSL_free(serverssl);
            serverssl = NULL;
            SSL_free(clientssl);
            clientssl = NULL;
            SSL_CTX_free(sctx);
            sctx = NULL;
            SSL_CTX_free(cctx);
            cctx = NULL;
        }
    }

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}

/*
 * Test TLSv1.3 PSKs
 * Test 0 = Test new style callbacks
 * Test 1 = Test both new and old style callbacks
 * Test 2 = Test old style callbacks
 * Test 3 = Test old style callbacks with no certificate
 */
static int test_tls13_psk(int idx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    const SSL_CIPHER *cipher = NULL;
    const unsigned char key[] = {
        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
        0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
        0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
        0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
    };
    int testresult = 0;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_VERSION, 0,
            &sctx, &cctx, idx == 3 ? NULL : cert,
            idx == 3 ? NULL : privkey)))
        goto end;

    if (idx != 3) {
        /*
         * We use a ciphersuite with SHA256 to ease testing old style PSK
         * callbacks which will always default to SHA256. This should not be
         * necessary if we have no cert/priv key. In that case the server should
         * prefer SHA256 automatically.
         */
        if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
                "TLS_AES_128_GCM_SHA256")))
            goto end;
    } else {
        /*
         * As noted above the server should prefer SHA256 automatically.
However 5820 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same 5821 * code works even if we are testing with only the FIPS provider loaded. 5822 */ 5823 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, 5824 "TLS_AES_256_GCM_SHA384:" 5825 "TLS_AES_128_GCM_SHA256"))) 5826 goto end; 5827 } 5828 5829 /* 5830 * Test 0: New style callbacks only 5831 * Test 1: New and old style callbacks (only the new ones should be used) 5832 * Test 2: Old style callbacks only 5833 */ 5834 if (idx == 0 || idx == 1) { 5835 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb); 5836 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb); 5837 } 5838 #ifndef OPENSSL_NO_PSK 5839 if (idx >= 1) { 5840 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb); 5841 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb); 5842 } 5843 #endif 5844 srvid = pskid; 5845 use_session_cb_cnt = 0; 5846 find_session_cb_cnt = 0; 5847 psk_client_cb_cnt = 0; 5848 psk_server_cb_cnt = 0; 5849 5850 if (idx != 3) { 5851 /* 5852 * Check we can create a connection if callback decides not to send a 5853 * PSK 5854 */ 5855 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 5856 NULL, NULL)) 5857 || !TEST_true(create_ssl_connection(serverssl, clientssl, 5858 SSL_ERROR_NONE)) 5859 || !TEST_false(SSL_session_reused(clientssl)) 5860 || !TEST_false(SSL_session_reused(serverssl))) 5861 goto end; 5862 5863 if (idx == 0 || idx == 1) { 5864 if (!TEST_true(use_session_cb_cnt == 1) 5865 || !TEST_true(find_session_cb_cnt == 0) 5866 /* 5867 * If no old style callback then below should be 0 5868 * otherwise 1 5869 */ 5870 || !TEST_true(psk_client_cb_cnt == idx) 5871 || !TEST_true(psk_server_cb_cnt == 0)) 5872 goto end; 5873 } else { 5874 if (!TEST_true(use_session_cb_cnt == 0) 5875 || !TEST_true(find_session_cb_cnt == 0) 5876 || !TEST_true(psk_client_cb_cnt == 1) 5877 || !TEST_true(psk_server_cb_cnt == 0)) 5878 goto end; 5879 } 5880 5881 shutdown_ssl_connection(serverssl, clientssl); 5882 
serverssl = clientssl = NULL; 5883 use_session_cb_cnt = psk_client_cb_cnt = 0; 5884 } 5885 5886 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 5887 NULL, NULL))) 5888 goto end; 5889 5890 /* Create the PSK */ 5891 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES); 5892 clientpsk = SSL_SESSION_new(); 5893 if (!TEST_ptr(clientpsk) 5894 || !TEST_ptr(cipher) 5895 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key, 5896 sizeof(key))) 5897 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher)) 5898 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk, 5899 TLS1_3_VERSION)) 5900 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) 5901 goto end; 5902 serverpsk = clientpsk; 5903 5904 /* Check we can create a connection and the PSK is used */ 5905 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) 5906 || !TEST_true(SSL_session_reused(clientssl)) 5907 || !TEST_true(SSL_session_reused(serverssl))) 5908 goto end; 5909 5910 if (idx == 0 || idx == 1) { 5911 if (!TEST_true(use_session_cb_cnt == 1) 5912 || !TEST_true(find_session_cb_cnt == 1) 5913 || !TEST_true(psk_client_cb_cnt == 0) 5914 || !TEST_true(psk_server_cb_cnt == 0)) 5915 goto end; 5916 } else { 5917 if (!TEST_true(use_session_cb_cnt == 0) 5918 || !TEST_true(find_session_cb_cnt == 0) 5919 || !TEST_true(psk_client_cb_cnt == 1) 5920 || !TEST_true(psk_server_cb_cnt == 1)) 5921 goto end; 5922 } 5923 5924 shutdown_ssl_connection(serverssl, clientssl); 5925 serverssl = clientssl = NULL; 5926 use_session_cb_cnt = find_session_cb_cnt = 0; 5927 psk_client_cb_cnt = psk_server_cb_cnt = 0; 5928 5929 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 5930 NULL, NULL))) 5931 goto end; 5932 5933 /* Force an HRR */ 5934 #if defined(OPENSSL_NO_EC) 5935 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072"))) 5936 goto end; 5937 #else 5938 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384"))) 5939 goto end; 5940 #endif 5941 5942 /* 5943 * 
Check we can create a connection, the PSK is used and the callbacks are 5944 * called twice. 5945 */ 5946 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) 5947 || !TEST_true(SSL_session_reused(clientssl)) 5948 || !TEST_true(SSL_session_reused(serverssl))) 5949 goto end; 5950 5951 if (idx == 0 || idx == 1) { 5952 if (!TEST_true(use_session_cb_cnt == 2) 5953 || !TEST_true(find_session_cb_cnt == 2) 5954 || !TEST_true(psk_client_cb_cnt == 0) 5955 || !TEST_true(psk_server_cb_cnt == 0)) 5956 goto end; 5957 } else { 5958 if (!TEST_true(use_session_cb_cnt == 0) 5959 || !TEST_true(find_session_cb_cnt == 0) 5960 || !TEST_true(psk_client_cb_cnt == 2) 5961 || !TEST_true(psk_server_cb_cnt == 2)) 5962 goto end; 5963 } 5964 5965 shutdown_ssl_connection(serverssl, clientssl); 5966 serverssl = clientssl = NULL; 5967 use_session_cb_cnt = find_session_cb_cnt = 0; 5968 psk_client_cb_cnt = psk_server_cb_cnt = 0; 5969 5970 if (idx != 3) { 5971 /* 5972 * Check that if the server rejects the PSK we can still connect, but with 5973 * a full handshake 5974 */ 5975 srvid = "Dummy Identity"; 5976 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 5977 NULL, NULL)) 5978 || !TEST_true(create_ssl_connection(serverssl, clientssl, 5979 SSL_ERROR_NONE)) 5980 || !TEST_false(SSL_session_reused(clientssl)) 5981 || !TEST_false(SSL_session_reused(serverssl))) 5982 goto end; 5983 5984 if (idx == 0 || idx == 1) { 5985 if (!TEST_true(use_session_cb_cnt == 1) 5986 || !TEST_true(find_session_cb_cnt == 1) 5987 || !TEST_true(psk_client_cb_cnt == 0) 5988 /* 5989 * If no old style callback then below should be 0 5990 * otherwise 1 5991 */ 5992 || !TEST_true(psk_server_cb_cnt == idx)) 5993 goto end; 5994 } else { 5995 if (!TEST_true(use_session_cb_cnt == 0) 5996 || !TEST_true(find_session_cb_cnt == 0) 5997 || !TEST_true(psk_client_cb_cnt == 1) 5998 || !TEST_true(psk_server_cb_cnt == 1)) 5999 goto end; 6000 } 6001 6002 shutdown_ssl_connection(serverssl, clientssl); 
6003 serverssl = clientssl = NULL; 6004 } 6005 testresult = 1; 6006 6007 end: 6008 SSL_SESSION_free(clientpsk); 6009 SSL_SESSION_free(serverpsk); 6010 clientpsk = serverpsk = NULL; 6011 SSL_free(serverssl); 6012 SSL_free(clientssl); 6013 SSL_CTX_free(sctx); 6014 SSL_CTX_free(cctx); 6015 return testresult; 6016 } 6017 6018 #ifndef OSSL_NO_USABLE_TLS1_3 6019 /* 6020 * Test TLS1.3 connection establishment succeeds with various configurations of 6021 * the options `SSL_OP_ALLOW_NO_DHE_KEX` and `SSL_OP_PREFER_NO_DHE_KEX`. 6022 * The verification of whether the right KEX mode is chosen is not covered by 6023 * this test but by `test_tls13kexmodes`. 6024 * 6025 * Tests (idx & 1): Server has `SSL_OP_ALLOW_NO_DHE_KEX` set. 6026 * Tests (idx & 2): Server has `SSL_OP_PREFER_NO_DHE_KEX` set. 6027 * Tests (idx & 4): Client has `SSL_OP_ALLOW_NO_DHE_KEX` set. 6028 */ 6029 static int test_tls13_no_dhe_kex(const int idx) 6030 { 6031 SSL_CTX *sctx = NULL, *cctx = NULL; 6032 SSL *serverssl = NULL, *clientssl = NULL; 6033 int testresult = 0; 6034 size_t j; 6035 SSL_SESSION *saved_session; 6036 6037 int server_allow_no_dhe = (idx & 1) != 0; 6038 int server_prefer_no_dhe = (idx & 2) != 0; 6039 int client_allow_no_dhe = (idx & 4) != 0; 6040 6041 uint64_t server_options = 0 6042 | (server_allow_no_dhe ? SSL_OP_ALLOW_NO_DHE_KEX : 0) 6043 | (server_prefer_no_dhe ? SSL_OP_PREFER_NO_DHE_KEX : 0); 6044 6045 uint64_t client_options = 0 6046 | (client_allow_no_dhe ? 
SSL_OP_ALLOW_NO_DHE_KEX : 0); 6047 6048 new_called = 0; 6049 do_cache = 1; 6050 6051 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 6052 TLS_client_method(), TLS1_3_VERSION, 0, 6053 &sctx, &cctx, cert, privkey))) 6054 goto end; 6055 6056 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL_STORE); 6057 6058 SSL_CTX_set_options(sctx, server_options); 6059 SSL_CTX_set_options(cctx, client_options); 6060 6061 SSL_CTX_sess_set_new_cb(cctx, new_cachesession_cb); 6062 6063 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 6064 &clientssl, NULL, NULL))) 6065 goto end; 6066 6067 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 6068 SSL_ERROR_NONE)) 6069 /* Check we got the number of tickets we were expecting */ 6070 || !TEST_int_eq(2, new_called)) 6071 goto end; 6072 6073 /* We'll reuse the last ticket. */ 6074 saved_session = sesscache[new_called - 1]; 6075 6076 SSL_shutdown(clientssl); 6077 SSL_shutdown(serverssl); 6078 SSL_free(serverssl); 6079 SSL_free(clientssl); 6080 SSL_CTX_free(cctx); 6081 clientssl = serverssl = NULL; 6082 cctx = NULL; 6083 6084 /* 6085 * Now we resume with the last ticket we created. 6086 */ 6087 6088 /* The server context already exists, so we only create the client. */ 6089 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 6090 TLS_client_method(), TLS1_3_VERSION, 0, 6091 NULL, &cctx, cert, privkey))) 6092 goto end; 6093 6094 SSL_CTX_set_options(cctx, client_options); 6095 6096 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 6097 &clientssl, NULL, NULL)) 6098 || !TEST_true(SSL_set_session(clientssl, saved_session))) 6099 goto end; 6100 6101 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 6102 SSL_ERROR_NONE))) 6103 goto end; 6104 6105 /* 6106 * Make sure, the session was resumed. 
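*/
    if (!TEST_true(SSL_session_reused(clientssl)))
        goto end;

    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    for (j = 0; j < OSSL_NELEM(sesscache); j++) {
        SSL_SESSION_free(sesscache[j]);
        sesscache[j] = NULL;
    }
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
#endif /* OSSL_NO_USABLE_TLS1_3 */

/* Fixed cookie contents shared by the generate and verify callbacks below */
static unsigned char cookie_magic_value[] = "cookie magic";

/*
 * Cookie generation callback for tests: copies the fixed magic value (without
 * its NUL terminator) into 'cookie' and reports its length in '*cookie_len'.
 * Always returns 1.
 *
 * The value is constant and carries nothing tied to the peer or to a server
 * secret, so it proves nothing about the client; a production callback would
 * derive the cookie from a secret key and per-client data instead.
 * NOTE(review): the capacity of 'cookie' is not visible here; the buffer is
 * assumed to hold at least sizeof(cookie_magic_value) - 1 bytes.
 */
static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
    unsigned int *cookie_len)
{
    /*
     * Not suitable as a real cookie generation function but good enough for
     * testing!
     */
    memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
    *cookie_len = sizeof(cookie_magic_value) - 1;

    return 1;
}

/*
 * Cookie verification callback for tests: returns 1 only when 'cookie' has
 * exactly the magic value's length and contents, 0 otherwise.
 *
 * The length is checked before memcmp() so the comparison never reads more
 * than cookie_len bytes. memcmp() is not constant time; that is acceptable
 * for a fixed public test value, whereas a verifier comparing against a
 * secret-derived cookie would use a constant-time comparison.
 */
static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
    unsigned int cookie_len)
{
    if (cookie_len == sizeof(cookie_magic_value) - 1
        && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
        return 1;

    return 0;
}

/*
 * size_t flavoured wrapper around generate_cookie_callback(), matching the
 * signature of the stateless cookie generation callback.
 * Returns the wrapped callback's result.
 */
static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
    size_t *cookie_len)
{
    /* Initialised so '*cookie_len' is defined whatever the callee does */
    unsigned int temp = 0;
    int res = generate_cookie_callback(ssl, cookie, &temp);

    *cookie_len = temp;
    return res;
}

/*
 * size_t flavoured wrapper around verify_cookie_callback(), matching the
 * signature of the stateless cookie verification callback.
 * Returns 1 if the cookie is accepted, 0 otherwise.
 */
static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
    size_t cookie_len)
{
    /*
     * The wrapped callback takes an unsigned int length. Reject any length
     * that does not survive that narrowing, so an oversized value cannot
     * wrap around to the expected length and be accepted.
     */
    if (cookie_len != (size_t)(unsigned int)cookie_len)
        return 0;

    return verify_cookie_callback(ssl, cookie, (unsigned int)cookie_len);
}

static int test_stateless(void)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    int testresult = 0;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_VERSION, 0,
            &sctx, &cctx, cert, privkey)))
        goto end;

    /* The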
arrival of CCS messages can confuse the test */ 6182 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT); 6183 6184 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 6185 NULL, NULL)) 6186 /* Send the first ClientHello */ 6187 || !TEST_false(create_ssl_connection(serverssl, clientssl, 6188 SSL_ERROR_WANT_READ)) 6189 /* 6190 * This should fail with a -1 return because we have no callbacks 6191 * set up 6192 */ 6193 || !TEST_int_eq(SSL_stateless(serverssl), -1)) 6194 goto end; 6195 6196 /* Fatal error so abandon the connection from this client */ 6197 SSL_free(clientssl); 6198 clientssl = NULL; 6199 6200 /* Set up the cookie generation and verification callbacks */ 6201 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback); 6202 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback); 6203 6204 /* 6205 * Create a new connection from the client (we can reuse the server SSL 6206 * object). 6207 */ 6208 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 6209 NULL, NULL)) 6210 /* Send the first ClientHello */ 6211 || !TEST_false(create_ssl_connection(serverssl, clientssl, 6212 SSL_ERROR_WANT_READ)) 6213 /* This should fail because there is no cookie */ 6214 || !TEST_int_eq(SSL_stateless(serverssl), 0)) 6215 goto end; 6216 6217 /* Abandon the connection from this client */ 6218 SSL_free(clientssl); 6219 clientssl = NULL; 6220 6221 /* 6222 * Now create a connection from a new client but with the same server SSL 6223 * object 6224 */ 6225 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 6226 NULL, NULL)) 6227 /* Send the first ClientHello */ 6228 || !TEST_false(create_ssl_connection(serverssl, clientssl, 6229 SSL_ERROR_WANT_READ)) 6230 /* This should fail because there is no cookie */ 6231 || !TEST_int_eq(SSL_stateless(serverssl), 0) 6232 /* Send the second ClientHello */ 6233 || !TEST_false(create_ssl_connection(serverssl, clientssl, 6234 
SSL_ERROR_WANT_READ)) 6235 /* This should succeed because a cookie is now present */ 6236 || !TEST_int_eq(SSL_stateless(serverssl), 1) 6237 /* Complete the connection */ 6238 || !TEST_true(create_ssl_connection(serverssl, clientssl, 6239 SSL_ERROR_NONE))) 6240 goto end; 6241 6242 shutdown_ssl_connection(serverssl, clientssl); 6243 serverssl = clientssl = NULL; 6244 testresult = 1; 6245 6246 end: 6247 SSL_free(serverssl); 6248 SSL_free(clientssl); 6249 SSL_CTX_free(sctx); 6250 SSL_CTX_free(cctx); 6251 return testresult; 6252 } 6253 #endif /* OSSL_NO_USABLE_TLS1_3 */ 6254 6255 static int clntaddoldcb = 0; 6256 static int clntparseoldcb = 0; 6257 static int srvaddoldcb = 0; 6258 static int srvparseoldcb = 0; 6259 static int clntaddnewcb = 0; 6260 static int clntparsenewcb = 0; 6261 static int srvaddnewcb = 0; 6262 static int srvparsenewcb = 0; 6263 static int snicb = 0; 6264 6265 #define TEST_EXT_TYPE1 0xff00 6266 6267 static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out, 6268 size_t *outlen, int *al, void *add_arg) 6269 { 6270 int *server = (int *)add_arg; 6271 unsigned char *data; 6272 6273 if (SSL_is_server(s)) 6274 srvaddoldcb++; 6275 else 6276 clntaddoldcb++; 6277 6278 if (*server != SSL_is_server(s) 6279 || (data = OPENSSL_malloc(sizeof(*data))) == NULL) 6280 return -1; 6281 6282 *data = 1; 6283 *out = data; 6284 *outlen = sizeof(char); 6285 return 1; 6286 } 6287 6288 static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out, 6289 void *add_arg) 6290 { 6291 OPENSSL_free((unsigned char *)out); 6292 } 6293 6294 static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in, 6295 size_t inlen, int *al, void *parse_arg) 6296 { 6297 int *server = (int *)parse_arg; 6298 6299 if (SSL_is_server(s)) 6300 srvparseoldcb++; 6301 else 6302 clntparseoldcb++; 6303 6304 if (*server != SSL_is_server(s) 6305 || inlen != sizeof(char) 6306 || *in != 1) 6307 return -1; 6308 6309 return 1; 6310 } 6311 6312 static int 
new_add_cb(SSL *s, unsigned int ext_type, unsigned int context, 6313 const unsigned char **out, size_t *outlen, X509 *x, 6314 size_t chainidx, int *al, void *add_arg) 6315 { 6316 int *server = (int *)add_arg; 6317 unsigned char *data; 6318 6319 if (SSL_is_server(s)) 6320 srvaddnewcb++; 6321 else 6322 clntaddnewcb++; 6323 6324 if (*server != SSL_is_server(s) 6325 || (data = OPENSSL_malloc(sizeof(*data))) == NULL) 6326 return -1; 6327 6328 *data = 1; 6329 *out = data; 6330 *outlen = sizeof(*data); 6331 return 1; 6332 } 6333 6334 static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context, 6335 const unsigned char *out, void *add_arg) 6336 { 6337 OPENSSL_free((unsigned char *)out); 6338 } 6339 6340 static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context, 6341 const unsigned char *in, size_t inlen, X509 *x, 6342 size_t chainidx, int *al, void *parse_arg) 6343 { 6344 int *server = (int *)parse_arg; 6345 6346 if (SSL_is_server(s)) 6347 srvparsenewcb++; 6348 else 6349 clntparsenewcb++; 6350 6351 if (*server != SSL_is_server(s) 6352 || inlen != sizeof(char) || *in != 1) 6353 return -1; 6354 6355 return 1; 6356 } 6357 6358 static int sni_cb(SSL *s, int *al, void *arg) 6359 { 6360 SSL_CTX *ctx = (SSL_CTX *)arg; 6361 6362 if (SSL_set_SSL_CTX(s, ctx) == NULL) { 6363 *al = SSL_AD_INTERNAL_ERROR; 6364 return SSL_TLSEXT_ERR_ALERT_FATAL; 6365 } 6366 snicb++; 6367 return SSL_TLSEXT_ERR_OK; 6368 } 6369 6370 static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx) 6371 { 6372 return 1; 6373 } 6374 6375 /* 6376 * Custom call back tests. 6377 * Test 0: Old style callbacks in TLSv1.2 6378 * Test 1: New style callbacks in TLSv1.2 6379 * Test 2: New style callbacks in TLSv1.2 with SNI 6380 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE 6381 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST 6382 * Test 5: New style callbacks in TLSv1.3. 
 *         Extensions in CR + Client Cert
 *
 * Each run registers TEST_EXT_TYPE1 on both contexts, checks that duplicate
 * registration is refused, completes a handshake and compares the callback
 * counters with the expected number of invocations. Tests 0-2 and 4 then
 * resume the session and check the counters again.
 * Returns 1 on success, 0 on failure.
 */
static int test_custom_exts(int tst)
{
    SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    /* Role markers handed to the callbacks as add_arg/parse_arg */
    static int server = 1;
    static int client = 0;
    SSL_SESSION *sess = NULL;
    unsigned int context;

#if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
    /* Skip tests for TLSv1.2 and below in this case */
    if (tst < 3)
        return 1;
#endif

    /* Reset callback counters */
    clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
    clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
    snicb = 0;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_VERSION, 0,
            &sctx, &cctx, cert, privkey)))
        goto end;

    /* The SNI test needs a second server context to switch to */
    if (tst == 2
        && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
            TLS1_VERSION, 0,
            &sctx2, NULL, cert, privkey)))
        goto end;

    if (tst < 3) {
        SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
        SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
        if (sctx2 != NULL)
            SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
    }

    if (tst == 5) {
        context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
            | SSL_EXT_TLS1_3_CERTIFICATE;
        /*
         * Request a client certificate so the CertificateRequest and client
         * Certificate messages are sent. verify_cb returns 1
         * unconditionally, so the client certificate is not actually
         * validated here.
         */
        SSL_CTX_set_verify(sctx,
            SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
            verify_cb);
        if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
                             SSL_FILETYPE_PEM),
                1)
            || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
                                SSL_FILETYPE_PEM),
                1)
            || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
            goto end;
    } else if (tst == 4) {
        context = SSL_EXT_CLIENT_HELLO
            | SSL_EXT_TLS1_2_SERVER_HELLO
            | SSL_EXT_TLS1_3_SERVER_HELLO
            | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
            | SSL_EXT_TLS1_3_CERTIFICATE
            | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
    } else {
        context = SSL_EXT_CLIENT_HELLO
            | SSL_EXT_TLS1_2_SERVER_HELLO
            | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
    }

    /* Create a client side custom extension */
    if (tst == 0) {
        if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
                old_add_cb, old_free_cb,
                &client, old_parse_cb,
                &client)))
            goto end;
    } else {
        if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
                new_add_cb, new_free_cb,
                &client, new_parse_cb, &client)))
            goto end;
    }

    /* Should not be able to add duplicates */
    if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
            old_add_cb, old_free_cb,
            &client, old_parse_cb,
            &client))
        || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
            context, new_add_cb,
            new_free_cb, &client,
            new_parse_cb, &client)))
        goto end;

    /* Create a server side custom extension */
    if (tst == 0) {
        if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
                old_add_cb, old_free_cb,
                &server, old_parse_cb,
                &server)))
            goto end;
    } else {
        if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
                new_add_cb, new_free_cb,
                &server, new_parse_cb, &server)))
            goto end;
        if (sctx2 != NULL
            && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
                context, new_add_cb,
                new_free_cb, &server,
                new_parse_cb, &server)))
            goto end;
    }

    /* Should not be able to add duplicates */
    if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
            old_add_cb, old_free_cb,
            &server, old_parse_cb,
            &server))
        || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
            context, new_add_cb,
            new_free_cb, &server,
            new_parse_cb, &server)))
        goto end;

    if (tst == 2) {
        /* Set up SNI */
        if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
            || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
            goto end;
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
            &clientssl, NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    /*
     * Counter checks after the initial handshake. These use plain
     * comparisons rather than TEST_ macros, so a mismatch fails the test
     * without printing which counter was wrong.
     */
    if (tst == 0) {
        if (clntaddoldcb != 1
            || clntparseoldcb != 1
            || srvaddoldcb != 1
            || srvparseoldcb != 1)
            goto end;
    } else if (tst == 1 || tst == 2 || tst == 3) {
        if (clntaddnewcb != 1
            || clntparsenewcb != 1
            || srvaddnewcb != 1
            || srvparsenewcb != 1
            || (tst != 2 && snicb != 0)
            || (tst == 2 && snicb != 1))
            goto end;
    } else if (tst == 5) {
        if (clntaddnewcb != 1
            || clntparsenewcb != 1
            || srvaddnewcb != 1
            || srvparsenewcb != 1)
            goto end;
    } else {
        /* In this case there are 2 NewSessionTicket messages created */
        if (clntaddnewcb != 1
            || clntparsenewcb != 5
            || srvaddnewcb != 5
            || srvparsenewcb != 1)
            goto end;
    }

    /* Keep a reference to the session so it can be resumed below */
    sess = SSL_get1_session(clientssl);
    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    if (tst == 3 || tst == 5) {
        /* We don't bother with the resumption aspects for these tests */
        testresult = 1;
        goto end;
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL))
        || !TEST_true(SSL_set_session(clientssl, sess))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    /*
     * For a resumed session we expect to add the ClientHello extension. For the
     * old style callbacks we ignore it on the server side because they set
     * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
     * them.
     */
    if (tst == 0) {
        if (clntaddoldcb != 2
            || clntparseoldcb != 1
            || srvaddoldcb != 1
            || srvparseoldcb != 1)
            goto end;
    } else if (tst == 1 || tst == 2 || tst == 3) {
        /* tst == 3 has already returned above, so only 1 and 2 reach here */
        if (clntaddnewcb != 2
            || clntparsenewcb != 2
            || srvaddnewcb != 2
            || srvparsenewcb != 2)
            goto end;
    } else {
        /*
         * No Certificate message extensions in the resumption handshake,
         * 2 NewSessionTickets in the initial handshake, 1 in the resumption
         */
        if (clntaddnewcb != 2
            || clntparsenewcb != 8
            || srvaddnewcb != 8
            || srvparsenewcb != 2)
            goto end;
    }

    testresult = 1;

end:
    SSL_SESSION_free(sess);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx2);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}

#if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)

/* Extension context used for (and synthesised for) version 1 serverinfo */
#define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
    | SSL_EXT_CLIENT_HELLO                            \
    | SSL_EXT_TLS1_2_SERVER_HELLO                     \
    | SSL_EXT_IGNORE_ON_RESUMPTION)

#define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
    | SSL_EXT_TLS1_2_SERVER_HELLO                \
    | SSL_EXT_CLIENT_HELLO)

/*
 * One serverinfo entry: 2 byte extension type, 2 byte length (3), then the
 * 3 byte payload 0x04 0x05 0x06.
 */
#define SERVERINFO_CUSTOM                                 \
    0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
        0x00, 0x03,                                       \
        0x04, 0x05, 0x06

/* Version 2 entries carry a 4 byte context in front of the v1 layout */
static const unsigned char serverinfo_custom_tls13[] = {
    0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff,
    SERVERINFO_CUSTOM
};
static const unsigned char serverinfo_custom_v2[] = {
    0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff,
    SERVERINFO_CUSTOM
};
static const unsigned char serverinfo_custom_v1[] = {
    SERVERINFO_CUSTOM
};
static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13);
static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2);
static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1);

/*
 * Client side parse callback: compares the received extension body with the
 * last 3 bytes of serverinfo_custom_v1 (the payload) and stores the result
 * of that comparison in the int pointed to by |parse_arg|. Always returns 1,
 * so a mismatch is reported through |parse_arg| rather than by failing the
 * handshake.
 */
static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type,
    unsigned int context,
    const unsigned char *in,
    size_t inlen, X509 *x,
    size_t chainidx, int *al,
    void *parse_arg)
{
    const size_t len = serverinfo_custom_v1_len;
    const unsigned char *si = &serverinfo_custom_v1[len - 3];
    int *p_cb_result = (int *)parse_arg;
    *p_cb_result = TEST_mem_eq(in, inlen, si, 3);
    return 1;
}

/*
 * Check that serverinfo data loaded on the server reaches a client side
 * custom extension parser.
 * idx 0: SSL_CTX_use_serverinfo(), v1 data, TLSv1.2
 * idx 1: SSL_CTX_use_serverinfo_ex(), v1 data, TLSv1.2
 * idx 2: SSL_CTX_use_serverinfo_ex(), v2 data, TLSv1.2
 * idx 3: SSL_CTX_use_serverinfo_ex(), v2 data, TLSv1.3
 * Returns 1 on success, 0 on failure.
 */
static int test_serverinfo_custom(const int idx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    int cb_result = 0;

    /*
     * Following variables are set in the switch statement
     * according to the test iteration.
     * Default values do not make much sense: test would fail with them.
     */
    int serverinfo_version = 0;
    int protocol_version = 0;
    unsigned int extension_context = 0;
    const unsigned char *si = NULL;
    size_t si_len = 0;

    const int call_use_serverinfo_ex = idx > 0;
    switch (idx) {
    case 0: /* FALLTHROUGH */
    case 1:
        serverinfo_version = SSL_SERVERINFOV1;
        protocol_version = TLS1_2_VERSION;
        extension_context = SYNTHV1CONTEXT;
        si = serverinfo_custom_v1;
        si_len = serverinfo_custom_v1_len;
        break;
    case 2:
        serverinfo_version = SSL_SERVERINFOV2;
        protocol_version = TLS1_2_VERSION;
        extension_context = SYNTHV1CONTEXT;
        si = serverinfo_custom_v2;
        si_len = serverinfo_custom_v2_len;
        break;
    case 3:
        serverinfo_version = SSL_SERVERINFOV2;
        protocol_version = TLS1_3_VERSION;
        extension_context = TLS13CONTEXT;
        si = serverinfo_custom_tls13;
        si_len = serverinfo_custom_tls13_len;
        break;
    }

    /* Pin both ends to exactly one protocol version (min == max) */
    if (!TEST_true(create_ssl_ctx_pair(libctx,
            TLS_method(),
            TLS_method(),
            protocol_version,
            protocol_version,
            &sctx, &cctx, cert, privkey)))
        goto end;

    if (call_use_serverinfo_ex) {
        if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version,
                si, si_len)))
            goto end;
    } else {
        if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len)))
            goto end;
    }

    /* Parse-only registration on the client: no add or free callback */
    if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp,
            extension_context,
            NULL, NULL, NULL,
            serverinfo_custom_parse_cb,
            &cb_result))
        || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE))
        || !TEST_int_eq(SSL_do_handshake(clientssl), 1))
        goto end;

    /* cb_result stays 0 if the parse callback never ran or saw other data */
    if (!TEST_true(cb_result))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
#endif

/*
 * Test that SSL_export_keying_material() produces expected results. There are
 * no test vectors so all we do is test that both sides of the communication
 * produce the same results for different protocol versions.
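 */
#define SMALL_LABEL_LEN 10
#define LONG_LABEL_LEN 249
/*
 * tst selects the protocol and label length:
 * Test 0: TLSv1.0, short label
 * Test 1: TLSv1.1, short label
 * Test 2: TLSv1.2, short label
 * Test 3: TLSv1.3, short label
 * Test 4: TLSv1.3, label of LONG_LABEL_LEN bytes (the maximum)
 * Test 5: TLSv1.3, label one byte over the maximum, which must be rejected
 * Returns 1 on success (or when the protocol is not available), 0 on failure.
 */
static int test_export_key_mat(int tst)
{
    int testresult = 0;
    SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    /* Zero padded to LONG_LABEL_LEN + 1 bytes so the longer lengths stay in bounds */
    const char label[LONG_LABEL_LEN + 1] = "test label";
    const unsigned char context[] = "context";
    const unsigned char *emptycontext = NULL;
    unsigned char longcontext[1280];
    int test_longcontext = fips_provider_version_ge(libctx, 3, 3, 0);
    unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80], ckeymat4[80];
    unsigned char skeymat1[80], skeymat2[80], skeymat3[80], skeymat4[80];
    size_t labellen;
    const int protocols[] = {
        TLS1_VERSION,
        TLS1_1_VERSION,
        TLS1_2_VERSION,
        TLS1_3_VERSION,
        TLS1_3_VERSION,
        TLS1_3_VERSION
    };

#ifdef OPENSSL_NO_TLS1
    if (tst == 0)
        return 1;
#endif
#ifdef OPENSSL_NO_TLS1_1
    if (tst == 1)
        return 1;
#endif
    if (is_fips && (tst == 0 || tst == 1))
        return 1;
#ifdef OPENSSL_NO_TLS1_2
    if (tst == 2)
        return 1;
#endif
#ifdef OSSL_NO_USABLE_TLS1_3
    if (tst >= 3)
        return 1;
#endif
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_VERSION, 0,
            &sctx, &cctx, cert, privkey)))
        goto end;

    OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
    SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
    SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
    /*
     * Security level 0 is set only for the pre-TLSv1.2 runs, presumably
     * because the default level does not permit those versions. It disables
     * the library's strength checks and is suitable for tests only.
     * The calls are wrapped in TEST_true so a failure is reported instead of
     * silently failing the test.
     */
    if ((protocols[tst] < TLS1_2_VERSION)
        && (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0"))
            || !TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))))
        goto end;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
            NULL)))
        goto end;

    /*
     * Premature call of SSL_export_keying_material should just fail.
     */
    if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
                         sizeof(ckeymat1), label,
                         SMALL_LABEL_LEN + 1, context,
                         sizeof(context) - 1, 1),
            0))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    if (tst == 5) {
        /*
         * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
         * go over that.
         */
        if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
                             sizeof(ckeymat1), label,
                             LONG_LABEL_LEN + 1, context,
                             sizeof(context) - 1, 1),
                0))
            goto end;

        testresult = 1;
        goto end;
    } else if (tst == 4) {
        labellen = LONG_LABEL_LEN;
    } else {
        labellen = SMALL_LABEL_LEN;
    }

    memset(longcontext, 1, sizeof(longcontext));

    /*
     * Export with four context variants on each side: a normal context, an
     * empty context (use_context set, length 0), no context at all, and
     * (when test_longcontext is set) a 1280 byte context.
     */
    if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
                         sizeof(ckeymat1), label,
                         labellen, context,
                         sizeof(context) - 1, 1),
            1)
        || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
                            sizeof(ckeymat2), label,
                            labellen,
                            emptycontext,
                            0, 1),
            1)
        || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
                            sizeof(ckeymat3), label,
                            labellen,
                            NULL, 0, 0),
            1)
        || (test_longcontext
            && !TEST_int_eq(SSL_export_keying_material(clientssl,
                                ckeymat4,
                                sizeof(ckeymat4), label,
                                labellen,
                                longcontext,
                                sizeof(longcontext), 1),
                1))
        || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
                            sizeof(skeymat1), label,
                            labellen,
                            context,
                            sizeof(context) - 1, 1),
            1)
        || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
                            sizeof(skeymat2), label,
                            labellen,
                            emptycontext,
                            0, 1),
            1)
        || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
                            sizeof(skeymat3), label,
                            labellen,
                            NULL, 0, 0),
            1)
        || (test_longcontext
            && !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat4,
                                sizeof(skeymat4), label,
                                labellen,
                                longcontext,
                                sizeof(longcontext), 1),
                1))
        /*
         * Check that both sides created the same key material with the
         * same context.
         */
        || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
            sizeof(skeymat1))
        /*
         * Check that both sides created the same key material with an
         * empty context.
         */
        || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
            sizeof(skeymat2))
        /*
         * Check that both sides created the same key material without a
         * context.
         */
        || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
            sizeof(skeymat3))
        /*
         * Check that both sides created the same key material with a
         * long context.
         */
        || (test_longcontext
            && !TEST_mem_eq(ckeymat4, sizeof(ckeymat4), skeymat4,
                sizeof(skeymat4)))
        /* Different contexts should produce different results */
        || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
            sizeof(ckeymat2)))
        goto end;

    /*
     * Check that an empty context and no context produce different results in
     * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
     */
    if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3, sizeof(ckeymat3)))
        || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3, sizeof(ckeymat3))))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx2);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}

#ifndef OSSL_NO_USABLE_TLS1_3
/*
 * Test that SSL_export_keying_material_early() produces expected
 * results. There are no test vectors so all we do is test that both
 * sides of the communication produce the same results for different
 * protocol versions.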
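 */
static int test_export_key_mat_early(int idx)
{
    static const char label[] = "test label";
    static const unsigned char context[] = "context";
    int testresult = 0;
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    SSL_SESSION *sess = NULL;
    const unsigned char *emptycontext = NULL;
    unsigned char ckeymat1[80], ckeymat2[80];
    unsigned char skeymat1[80], skeymat2[80];
    unsigned char buf[1];
    size_t readbytes, written;

    if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
            &sess, idx, SHA384_DIGEST_LENGTH)))
        goto end;

    /* Here writing 0 length early data is enough. */
    if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
        || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                            &readbytes),
            SSL_READ_EARLY_DATA_ERROR)
        || !TEST_int_eq(SSL_get_early_data_status(serverssl),
            SSL_EARLY_DATA_ACCEPTED))
        goto end;

    if (!TEST_int_eq(SSL_export_keying_material_early(
                         clientssl, ckeymat1, sizeof(ckeymat1), label,
                         sizeof(label) - 1, context, sizeof(context) - 1),
            1)
        || !TEST_int_eq(SSL_export_keying_material_early(
                            clientssl, ckeymat2, sizeof(ckeymat2), label,
                            sizeof(label) - 1, emptycontext, 0),
            1)
        || !TEST_int_eq(SSL_export_keying_material_early(
                            serverssl, skeymat1, sizeof(skeymat1), label,
                            sizeof(label) - 1, context, sizeof(context) - 1),
            1)
        || !TEST_int_eq(SSL_export_keying_material_early(
                            serverssl, skeymat2, sizeof(skeymat2), label,
                            sizeof(label) - 1, emptycontext, 0),
            1)
        /*
         * Check that both sides created the same key material with the
         * same context.
         */
        || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
            sizeof(skeymat1))
        /*
         * Check that both sides created the same key material with an
         * empty context.
         */
        || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
            sizeof(skeymat2))
        /* Different contexts should produce different results */
        || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
            sizeof(ckeymat2)))
        goto end;

    testresult = 1;

end:
    SSL_SESSION_free(sess);
    /* clientpsk/serverpsk are file-level session pointers; reset after freeing */
    SSL_SESSION_free(clientpsk);
    SSL_SESSION_free(serverpsk);
    clientpsk = serverpsk = NULL;
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}

#define NUM_KEY_UPDATE_MESSAGES 40
/*
 * Test KeyUpdate.
 * The client sends NUM_KEY_UPDATE_MESSAGES KeyUpdates, first without and then
 * with an update request, and application data must still flow in both
 * directions after each batch.
 */
static int test_key_update(void)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0, i, j;
    char buf[20];
    /* Points at a string literal, so it must not be written through */
    static const char *mess = "A test message";

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            TLS1_3_VERSION,
            0,
            &sctx, &cctx, cert, privkey))
        || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    for (j = 0; j < 2; j++) {
        /* Send lots of KeyUpdate messages */
        for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
            if (!TEST_true(SSL_key_update(clientssl,
                    (j == 0)
                        ? SSL_KEY_UPDATE_NOT_REQUESTED
                        : SSL_KEY_UPDATE_REQUESTED))
                || !TEST_true(SSL_do_handshake(clientssl)))
                goto end;
        }

        /* Check that sending and receiving app data is ok */
        if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
            || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
                strlen(mess)))
            goto end;

        if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
            || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
                strlen(mess)))
            goto end;
    }

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}

/*
 * Test we can handle a KeyUpdate (update requested) message while
 * write data is pending in peer.
 * Test 0: Client sends KeyUpdate while Server is writing
 * Test 1: Server sends KeyUpdate while Client is writing
 */
static int test_key_update_peer_in_write(int tst)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    char buf[20];
    /* Points at a string literal, so it must not be written through */
    static const char *mess = "A test message";
    BIO *bretry = BIO_new(bio_s_always_retry());
    BIO *tmp = NULL;
    SSL *peerupdate = NULL, *peerwrite = NULL;

    if (!TEST_ptr(bretry)
        || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            TLS1_3_VERSION,
            0,
            &sctx, &cctx, cert, privkey))
        || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    peerupdate = tst == 0 ? clientssl : serverssl;
    peerwrite = tst == 0 ? serverssl : clientssl;

    if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
        || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
        goto end;

    /* Swap the writing endpoint's write BIO to force a retry */
    tmp = SSL_get_wbio(peerwrite);
    /* Take our own reference: SSL_set0_wbio() below drops the SSL's one */
    if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
        tmp = NULL;
        goto end;
    }
    SSL_set0_wbio(peerwrite, bretry);
    /* Ownership of bretry has passed to peerwrite */
    bretry = NULL;

    /*
     * Write data that we know will fail with SSL_ERROR_WANT_WRITE.
     * SSL_get_error() is given the -1 that SSL_write() returned, as its
     * interface expects the return value of the preceding I/O call.
     */
    if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
        || !TEST_int_eq(SSL_get_error(peerwrite, -1), SSL_ERROR_WANT_WRITE)
        || !TEST_true(SSL_want_write(peerwrite))
        || !TEST_true(SSL_net_write_desired(peerwrite)))
        goto end;

    /* Reinstate the original writing endpoint's write BIO */
    SSL_set0_wbio(peerwrite, tmp);
    tmp = NULL;

    /* Now read some data - we will read the key update */
    if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
        || !TEST_int_eq(SSL_get_error(peerwrite, -1), SSL_ERROR_WANT_READ)
        || !TEST_true(SSL_want_read(peerwrite))
        || !TEST_true(SSL_net_read_desired(peerwrite)))
        goto end;

    /*
     * Complete the write we started previously and read it from the other
     * endpoint
     */
    if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
        || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
        goto end;

    /* Write more data to ensure we send the KeyUpdate message back */
    if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
        || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
        goto end;

    if (!TEST_false(SSL_net_read_desired(peerwrite))
        || !TEST_false(SSL_net_write_desired(peerwrite))
        || !TEST_int_eq(SSL_want(peerwrite), SSL_NOTHING))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    BIO_free(bretry);
    BIO_free(tmp);

    return testresult;
}

/*
 * Test we can handle a KeyUpdate (update requested) message while
 * peer read data is pending after peer accepted keyupdate(the msg header
 * had been read 5 bytes).
 * Test 0: Client sends KeyUpdate while Server is reading
 * Test 1: Server sends KeyUpdate while Client is reading
 */
static int test_key_update_peer_in_read(int tst)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    char prbuf[515], lwbuf[515] = { 0 };
    /* Points at a string literal, so it must not be written through */
    static const char *mess = "A test message";
    BIO *lbio = NULL, *pbio = NULL;
    SSL *local = NULL, *peer = NULL;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            TLS1_3_VERSION,
            0,
            &sctx, &cctx, cert, privkey))
        || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    local = tst == 0 ? clientssl : serverssl;
    peer = tst == 0 ? serverssl : clientssl;

    /* Replace the transport with a BIO pair limited to 512 bytes each way */
    if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
        goto end;

    SSL_set_bio(local, lbio, lbio);
    SSL_set_bio(peer, pbio, pbio);

    /*
     * We first write the keyupdate msg and then app data in local.
     * Writing the data in local will fail with SSL_ERROR_WANT_WRITE, because
     * lwbuf app data msg size + key update msg size > 512 (the size of
     * the bio pair buffer)
     */
    if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
        || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
        || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
        goto end;

    /*
     * First read the keyupdate msg in peer,
     * then read appdata that we know will fail with SSL_ERROR_WANT_READ
     */
    if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
        || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
        goto end;

    /* Now write some data in peer - we will write the key update */
    if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
        goto end;

    /*
     * Complete the write we started previously in local and the read we
     * started previously in peer
     */
    if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
        || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
        goto end;

    /* check that sending and receiving appdata ok */
    if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
        || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}

/*
 * Test we can't send a KeyUpdate (update requested) message while
 * local write data is pending.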
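 * Test 0: Client sends KeyUpdate while Client is writing
 * Test 1: Server sends KeyUpdate while Server is writing
 */
static int test_key_update_local_in_write(int tst)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    char buf[20];
    /* Points at a string literal, so it must not be written through */
    static const char *mess = "A test message";
    BIO *bretry = BIO_new(bio_s_always_retry());
    BIO *tmp = NULL;
    SSL *local = NULL, *peer = NULL;

    if (!TEST_ptr(bretry)
        || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            TLS1_3_VERSION,
            0,
            &sctx, &cctx, cert, privkey))
        || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    local = tst == 0 ? clientssl : serverssl;
    peer = tst == 0 ? serverssl : clientssl;

    /* Swap the writing endpoint's write BIO to force a retry */
    tmp = SSL_get_wbio(local);
    /* Take our own reference: SSL_set0_wbio() below drops the SSL's one */
    if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
        tmp = NULL;
        goto end;
    }
    SSL_set0_wbio(local, bretry);
    /* Ownership of bretry has passed to local */
    bretry = NULL;

    /* write data in local will fail with SSL_ERROR_WANT_WRITE */
    if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
        || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
        goto end;

    /* Reinstate the original writing endpoint's write BIO */
    SSL_set0_wbio(local, tmp);
    tmp = NULL;

    /* SSL_key_update will fail, because a write is pending in local */
    if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
        || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
        goto end;

    /* Drop the expected error so it does not affect the calls below */
    ERR_clear_error();
    /* Complete the write we started previously in local */
    if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
        goto end;

    /* SSL_key_update will succeed because there is no pending write data */
    if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
        || !TEST_int_eq(SSL_do_handshake(local), 1))
        goto end;

    /*
     * we write some appdata in local
     * read data in peer - we will read the keyupdate msg
     */
    if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
        || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
        goto end;

    /* Write more peer data to ensure we send the keyupdate message back */
    if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
        || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    BIO_free(bretry);
    BIO_free(tmp);

    return testresult;
}

/*
 * Test we can handle a KeyUpdate (update requested) message while
 * local read data is pending(the msg header had been read 5 bytes).
 * Test 0: Client sends KeyUpdate while Client is reading
 * Test 1: Server sends KeyUpdate while Server is reading
 */
static int test_key_update_local_in_read(int tst)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    char lrbuf[515], pwbuf[515] = { 0 }, prbuf[20];
    /* Points at a string literal, so it must not be written through */
    static const char *mess = "A test message";
    BIO *lbio = NULL, *pbio = NULL;
    SSL *local = NULL, *peer = NULL;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            TLS1_3_VERSION,
            0,
            &sctx, &cctx, cert, privkey))
        || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    local = tst == 0 ? clientssl : serverssl;
    peer = tst == 0 ? serverssl : clientssl;

    /* Replace the transport with a BIO pair limited to 512 bytes each way */
    if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
        goto end;

    SSL_set_bio(local, lbio, lbio);
    SSL_set_bio(peer, pbio, pbio);

    /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
    if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
        || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
        goto end;

    /* read appdata in local will fail with SSL_ERROR_WANT_READ */
    if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
        || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
        goto end;

    /* SSL_do_handshake will send keyupdate msg */
    if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
        || !TEST_int_eq(SSL_do_handshake(local), 1))
        goto end;

    /*
     * Complete the write we started previously in peer and the read we
     * started previously in local
     */
    if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
        || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
        goto end;

    /*
     * write data in local
     * read data in peer - we will read the key update
     */
    if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
        || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
        goto end;

    /* Write more peer data to ensure we send the keyupdate message back */
    if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
        || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
#endif /* OSSL_NO_USABLE_TLS1_3 */

/*
 * Test clearing a connection via SSL_clear(), or resetting it via
 * SSL_set_connect_state()/SSL_set_accept_state()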
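 * Test 0: SSL_set_connect_state, TLSv1.3
 * Test 1: SSL_set_connect_state, TLSv1.2
 * Test 2: SSL_set_accept_state, TLSv1.3
 * Test 3: SSL_set_accept_state, TLSv1.2
 * Test 4: SSL_clear (client), TLSv1.3
 * Test 5: SSL_clear (client), TLSv1.2
 * Test 6: SSL_clear (server), TLSv1.3
 * Test 7: SSL_clear (server), TLSv1.2
 */
static int test_ssl_clear(int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    SSL *writer, *reader;
    int testresult = 0;
    int tls12test, servertest, cleartest;
    size_t written, readbytes;
    const char *msg = "Hello World";
    unsigned char buf[5];

    /* idx is a bit field: bit 0 = TLSv1.2, bit 1 = server, bit 2 = clear */
    tls12test = idx & 1;
    idx >>= 1;
    servertest = idx & 1;
    idx >>= 1;
    cleartest = idx & 1;

#ifdef OPENSSL_NO_TLS1_2
    if (tls12test == 1)
        return TEST_skip("No TLSv1.2 in this build");
#endif

    /* Create an initial connection */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), TLS1_VERSION, 0,
                                       &sctx, &cctx, cert, privkey))
        || (tls12test
            && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
                                                        TLS1_2_VERSION)))
        || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                         &clientssl, NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                            SSL_ERROR_NONE)))
        goto end;

    /* The object that will be reset is the one that reads */
    if (servertest) {
        writer = clientssl;
        reader = serverssl;
    } else {
        writer = serverssl;
        reader = clientssl;
    }

    /* Write some data; report a short write instead of failing silently */
    if (!TEST_true(SSL_write_ex(writer, msg, strlen(msg), &written))
        || !TEST_size_t_eq(written, strlen(msg)))
        goto end;

    /*
     * Read a partial record. The remaining buffered data should be cleared by
     * the subsequent clear/reset
     */
    if (!TEST_true(SSL_read_ex(reader, buf, sizeof(buf), &readbytes))
        || !TEST_size_t_eq(readbytes, sizeof(buf)))
        goto end;

    /* Return values are not checked here; the test only needs the attempt */
    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);

    /* Reset/clear one SSL object in order to reuse it. We free the other one */
    if (servertest) {
        if (cleartest) {
            if (!TEST_true(SSL_clear(serverssl)))
                goto end;
        } else {
            SSL_set_accept_state(serverssl);
        }
        SSL_free(clientssl);
        clientssl = NULL;
    } else {
        if (cleartest) {
            if (!TEST_true(SSL_clear(clientssl)))
                goto end;
        } else {
            SSL_set_connect_state(clientssl);
        }
        SSL_free(serverssl);
        serverssl = NULL;
    }

    /*
     * Reconnect with the reused object. Session reuse is only asserted when
     * the client object was the one that was kept.
     */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                            SSL_ERROR_NONE))
        || !TEST_true(servertest || SSL_session_reused(clientssl)))
        goto end;

    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}

/*
 * Parse the ClientHello held in the memory BIO |bio| and retrieve the
 * max_fragment_length extension value if present.
 *
 * Returns 1 and stores the one byte code in |*mfl_codemfl_code| when the
 * extension is found, 0 when it is absent or the message cannot be parsed.
 */
static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
{
    long len;
    unsigned char *data = NULL;
    PACKET pkt, pkt2, pkt3;
    unsigned int MFL_code = 0, type = 0;

    /*
     * Check the length as a long: an unsigned comparison would let a
     * negative (error) return through as a large positive value.
     */
    len = BIO_get_mem_data(bio, (char **)&data);
    if (!TEST_long_gt(len, 0) || !TEST_ptr(data))
        goto end;

    memset(&pkt, 0, sizeof(pkt));
    memset(&pkt2, 0, sizeof(pkt2));
    memset(&pkt3, 0, sizeof(pkt3));

    /* Every step is bounds checked by the PACKET API against |len| */
    if (!TEST_true(PACKET_buf_init(&pkt, data, len))
        /* Skip the record header */
        || !TEST_true(PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH))
        /* Skip the handshake message header */
        || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
        /* Skip client version and random */
        || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN + SSL3_RANDOM_SIZE))
        /* Skip session id */
        || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
        /* Skip ciphers */
        || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
        /* Skip compression */
        || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
        /* Extensions len */
        || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
        goto end;

    /* Loop through all extensions */
    while (PACKET_remaining(&pkt2)) {
        if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
            || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
            goto end;

        if (type == TLSEXT_TYPE_max_fragment_length) {
            if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
                || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
                goto end;

            *mfl_codemfl_code = MFL_code;
            return 1;
        }
    }

end:
    return 0;
}

/* Maximum-Fragment-Length TLS extension mode to test */
static const unsigned char max_fragment_len_test[] = {
    TLSEXT_max_fragment_length_512,
    TLSEXT_max_fragment_length_1024,
    TLSEXT_max_fragment_length_2048,
    TLSEXT_max_fragment_length_4096
};

/*
 * Check that the max_fragment_length mode configured on the client context
 * is the one that appears in the ClientHello. |idx_tst| indexes
 * max_fragment_len_test[].
 */
static int test_max_fragment_len_ext(int idx_tst)
{
    SSL_CTX *ctx = NULL;
    SSL *con = NULL;
    int testresult = 0, MFL_mode = 0;
    BIO *rbio, *wbio;

    if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
                                       TLS1_VERSION, 0, NULL, &ctx, NULL,
                                       NULL)))
        return 0;

    if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
            ctx, max_fragment_len_test[idx_tst])))
        goto end;

    con = SSL_new(ctx);
    if (!TEST_ptr(con))
        goto end;

    rbio = BIO_new(BIO_s_mem());
    wbio = BIO_new(BIO_s_mem());
    if (!TEST_ptr(rbio) || !TEST_ptr(wbio)) {
        /* Not yet handed to |con|, so free them here */
        BIO_free(rbio);
        BIO_free(wbio);
        goto end;
    }

    /* |con| owns both BIOs from here on */
    SSL_set_bio(con, rbio, wbio);

    if (!TEST_int_le(SSL_connect(con), 0)) {
        /* This shouldn't succeed because we don't have a server! */
        goto end;
    }

    /* The ClientHello written by the failed connect is left in wbio */
    if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
        /* no MFL in client hello */
        goto end;
    /* TEST_int_eq reports both values if they differ */
    if (!TEST_int_eq(max_fragment_len_test[idx_tst], MFL_mode))
        goto end;

    testresult = 1;

end:
    SSL_free(con);
    SSL_CTX_free(ctx);

    return testresult;
}

#ifndef OSSL_NO_USABLE_TLS1_3
/*
 * Test a client KeyUpdate (update not requested) issued while a server
 * initiated post-handshake authentication request is outstanding.
 */
static int test_pha_key_update(void)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), TLS1_VERSION, 0,
                                       &sctx, &cctx, cert, privkey)))
        return 0;

    /* Pin both sides to TLSv1.3 */
    if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
        || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
        || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
        || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
        goto end;

    SSL_CTX_set_post_handshake_auth(cctx, 1);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                                         SSL_ERROR_NONE)))
        goto end;

    SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
    if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
        goto end;

    if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
        goto end;

    /* Start handshake on the server */
    if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
        goto end;

    /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                                         SSL_ERROR_NONE)))
        goto end;

    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}
#endif

#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)

static SRP_VBASE *vbase = NULL;

/*
 * Server side SRP username callback: look the peer's username up in the
 * file-scope |vbase| and install its SRP parameters on |s|.
 *
 * Returns 0 on success. On any failure returns SSL3_AL_FATAL with |*ad| set
 * to SSL_AD_INTERNAL_ERROR.
 */
static int ssl_srp_cb(SSL *s, int *ad, void *arg)
{
    int ret = SSL3_AL_FATAL;
    char *username;
    SRP_user_pwd *user = NULL;

    username = SSL_get_srp_username(s);
    if (username == NULL) {
        *ad = SSL_AD_INTERNAL_ERROR;
        goto err;
    }

    /* get1: we hold our own copy, released at err below */
    user = SRP_VBASE_get1_by_user(vbase, username);
    if (user == NULL) {
        *ad = SSL_AD_INTERNAL_ERROR;
        goto err;
    }

    if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
                                 user->info)
        <= 0) {
        *ad = SSL_AD_INTERNAL_ERROR;
        goto err;
    }

    ret = 0;

err:
    SRP_user_pwd_free(user);
    return ret;
}

/*
 * Write a new SRP verifier file |filename| holding a single "V" record for
 * |userid| with a verifier derived from |password|.
 *
 * Returns 1 on success, 0 on failure.
 */
static int create_new_vfile(char *userid, char *password, const char *filename)
{
    char *gNid = NULL;
    /* Size by the element type rather than by the pointer */
    OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(*row) * (DB_NUMBER + 1));
    TXT_DB *db = NULL;
    int ret = 0;
    BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
    size_t i;

    if (!TEST_ptr(dummy) || !TEST_ptr(row))
        goto end;

    gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
                                  &row[DB_srpverifier], NULL, NULL, libctx, NULL);
    if (!TEST_ptr(gNid))
        goto end;

    /*
     * The only way to create an empty TXT_DB is to provide a BIO with no data
     * in it!
     */
    db = TXT_DB_read(dummy, DB_NUMBER);
    if (!TEST_ptr(db))
        goto end;

    out = BIO_new_file(filename, "w");
    if (!TEST_ptr(out))
        goto end;

    row[DB_srpid] = OPENSSL_strdup(userid);
    row[DB_srptype] = OPENSSL_strdup("V");
    row[DB_srpgN] = OPENSSL_strdup(gNid);

    if (!TEST_ptr(row[DB_srpid])
        || !TEST_ptr(row[DB_srptype])
        || !TEST_ptr(row[DB_srpgN])
        || !TEST_true(TXT_DB_insert(db, row)))
        goto end;

    /* The row is now reached through |db|; do not free it below */
    row = NULL;

    /* Report a failed write rather than failing without a message */
    if (!TEST_long_gt(TXT_DB_write(out, db), 0))
        goto end;

    ret = 1;
end:
    if (row != NULL) {
        for (i = 0; i < DB_NUMBER; i++)
            OPENSSL_free(row[i]);
    }
    OPENSSL_free(row);
    BIO_free(dummy);
    BIO_free(out);
    TXT_DB_free(db);

    return ret;
}

/*
 * Add a user record for |userid|, with a verifier derived from |password|
 * and the default group, to the file-scope |vbase|.
 *
 * Returns 1 on success, 0 on failure.
 */
static int create_new_vbase(char *userid, char *password)
{
    BIGNUM *verifier = NULL, *salt = NULL;
    const SRP_gN *lgN = NULL;
    SRP_user_pwd *user_pwd = NULL;
    int ret = 0;

    lgN = SRP_get_default_gN(NULL);
    if (!TEST_ptr(lgN))
        goto end;

    if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
                                             lgN->N, lgN->g, libctx, NULL)))
        goto end;

    user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
    if (!TEST_ptr(user_pwd))
        goto end;

    /* N and g point at the default group's values; they are not copied */
    user_pwd->N = lgN->N;
    user_pwd->g = lgN->g;
    user_pwd->id = OPENSSL_strdup(userid);
    if (!TEST_ptr(user_pwd->id))
        goto end;

    /* Move salt and verifier into the record so they are freed only once */
    user_pwd->v = verifier;
    user_pwd->s = salt;
    verifier = salt = NULL;

    if (!TEST_int_gt(sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0), 0))
        goto end;
    /* The record now belongs to vbase */
    user_pwd = NULL;

    ret = 1;
end:
    SRP_user_pwd_free(user_pwd);
    BN_free(salt);
    BN_free(verifier);

    return ret;
}

/*
 * SRP tests
 *
 * Test 0: Simple successful SRP connection, new vbase
 * Test 1: Connection failure due to bad password, new vbase
 * Test 2: Simple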
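successful SRP connection, vbase loaded from existing file
 * Test 3: Connection failure due to bad password, vbase loaded from existing
 * file
 * Test 4: Simple successful SRP connection, vbase loaded from new file
 * Test 5: Connection failure due to bad password, vbase loaded from new file
 */
static int test_srp(int tst)
{
    /* Fixed test credentials; odd numbered tests present "badpass" instead */
    char *userid = "test", *password = "password", *tstsrpfile;
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int ret, testresult = 0;

    vbase = SRP_VBASE_new(NULL);
    if (!TEST_ptr(vbase))
        goto end;

    if (tst == 0 || tst == 1) {
        if (!TEST_true(create_new_vbase(userid, password)))
            goto end;
    } else {
        if (tst == 4 || tst == 5) {
            if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
                goto end;
            tstsrpfile = tmpfilename;
        } else {
            tstsrpfile = srpvfile;
        }
        if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
            goto end;
    }

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), TLS1_VERSION, 0,
                                       &sctx, &cctx, cert, privkey)))
        goto end;

    /* The SRP ciphersuite used here requires both sides capped at TLSv1.2 */
    if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
        || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
        || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
        || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
        || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
        goto end;

    if (tst % 2 == 1) {
        if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
            goto end;
    } else {
        if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
            goto end;
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL)))
        goto end;

    /* The connection must succeed for even tests and fail for odd tests */
    ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
    if (ret) {
        if (!TEST_true(tst % 2 == 0))
            goto end;
    } else {
        if (!TEST_true(tst % 2 == 1))
            goto end;
    }

    testresult = 1;

end:
    /* Reset the file-scope pointer so the callback cannot see a freed vbase */
    SRP_VBASE_free(vbase);
    vbase = NULL;
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
#endif

/* State shared between test_info_callback() and sslapi_info_callback() */
static int info_cb_failed = 0;
static int info_cb_offset = 0;
static int info_cb_this_state = -1;

/*
 * Expected sequence of info callback events, one row per test number. Each
 * row ends with a { 0, NULL } entry.
 */
static struct info_cb_states_st {
    int where;
    const char *statestr;
} info_cb_states[][60] = {
    {
        /* TLSv1.2 server followed by resumption */
        { SSL_CB_HANDSHAKE_START, NULL },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "TRCH" },
        { SSL_CB_LOOP, "TWSH" },
        { SSL_CB_LOOP, "TWSC" },
        { SSL_CB_LOOP, "TWSKE" },
        { SSL_CB_LOOP, "TWSD" },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "TWSD" },
        { SSL_CB_LOOP, "TRCKE" },
        { SSL_CB_LOOP, "TRCCS" },
        { SSL_CB_LOOP, "TRFIN" },
        { SSL_CB_LOOP, "TWST" },
        { SSL_CB_LOOP, "TWCCS" },
        { SSL_CB_LOOP, "TWFIN" },
        { SSL_CB_HANDSHAKE_DONE, NULL },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_ALERT, NULL },
        { SSL_CB_HANDSHAKE_START, NULL },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "TRCH" },
        { SSL_CB_LOOP, "TWSH" },
        { SSL_CB_LOOP, "TWCCS" },
        { SSL_CB_LOOP, "TWFIN" },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "TWFIN" },
        { SSL_CB_LOOP, "TRCCS" },
        { SSL_CB_LOOP, "TRFIN" },
        { SSL_CB_HANDSHAKE_DONE, NULL },
        { SSL_CB_EXIT, NULL },
        { 0, NULL },
    },
    {
        /* TLSv1.2 client followed by resumption */
        { SSL_CB_HANDSHAKE_START, NULL },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "TWCH" },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "TWCH" },
        { SSL_CB_LOOP, "TRSH" },
        { SSL_CB_LOOP, "TRSC" },
        { SSL_CB_LOOP, "TRSKE" },
        { SSL_CB_LOOP, "TRSD" },
        { SSL_CB_LOOP, "TWCKE" },
        { SSL_CB_LOOP, "TWCCS" },
        { SSL_CB_LOOP, "TWFIN" },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "TWFIN" },
        { SSL_CB_LOOP, "TRST" },
        { SSL_CB_LOOP, "TRCCS" },
        { SSL_CB_LOOP, "TRFIN" },
        { SSL_CB_HANDSHAKE_DONE, NULL },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_ALERT, NULL },
        { SSL_CB_HANDSHAKE_START, NULL },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "TWCH" },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "TWCH" },
        { SSL_CB_LOOP, "TRSH" },
        { SSL_CB_LOOP, "TRCCS" },
        { SSL_CB_LOOP, "TRFIN" },
        { SSL_CB_LOOP, "TWCCS" },
        { SSL_CB_LOOP, "TWFIN" },
        { SSL_CB_HANDSHAKE_DONE, NULL },
        { SSL_CB_EXIT, NULL },
        { 0, NULL },
    },
    {
        /* TLSv1.3 server followed by resumption */
        { SSL_CB_HANDSHAKE_START, NULL },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "TRCH" },
        { SSL_CB_LOOP, "TWSH" },
        { SSL_CB_LOOP, "TWCCS" },
        { SSL_CB_LOOP, "TWEE" },
        { SSL_CB_LOOP, "TWSC" },
        { SSL_CB_LOOP, "TWSCV" },
        { SSL_CB_LOOP, "TWFIN" },
        { SSL_CB_LOOP, "TED" },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "TED" },
        { SSL_CB_LOOP, "TRFIN" },
        { SSL_CB_HANDSHAKE_DONE, NULL },
        { SSL_CB_LOOP, "TWST" },
        { SSL_CB_LOOP, "TWST" },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_ALERT, NULL },
        { SSL_CB_HANDSHAKE_START, NULL },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "TRCH" },
        { SSL_CB_LOOP, "TWSH" },
        { SSL_CB_LOOP, "TWCCS" },
        { SSL_CB_LOOP, "TWEE" },
        { SSL_CB_LOOP, "TWFIN" },
        { SSL_CB_LOOP, "TED" },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "TED" },
        { SSL_CB_LOOP, "TRFIN" },
        { SSL_CB_HANDSHAKE_DONE, NULL },
        { SSL_CB_LOOP, "TWST" },
        { SSL_CB_EXIT, NULL },
        { 0, NULL },
    },
    {
        /* TLSv1.3 client followed by resumption */
        { SSL_CB_HANDSHAKE_START, NULL },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "TWCH" },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "TWCH" },
        { SSL_CB_LOOP, "TRSH" },
        { SSL_CB_LOOP, "TREE" },
        { SSL_CB_LOOP, "TRSC" },
        { SSL_CB_LOOP, "TRSCV" },
        { SSL_CB_LOOP, "TRFIN" },
        { SSL_CB_LOOP, "TWCCS" },
        { SSL_CB_LOOP, "TWFIN" },
        { SSL_CB_HANDSHAKE_DONE, NULL },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "SSLOK" },
        { SSL_CB_LOOP, "SSLOK" },
        { SSL_CB_LOOP, "TRST" },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "SSLOK" },
        { SSL_CB_LOOP, "SSLOK" },
        { SSL_CB_LOOP, "TRST" },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_ALERT, NULL },
        { SSL_CB_HANDSHAKE_START, NULL },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "TWCH" },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "TWCH" },
        { SSL_CB_LOOP, "TRSH" },
        { SSL_CB_LOOP, "TREE" },
        { SSL_CB_LOOP, "TRFIN" },
        { SSL_CB_LOOP, "TWCCS" },
        { SSL_CB_LOOP, "TWFIN" },
        { SSL_CB_HANDSHAKE_DONE, NULL },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "SSLOK" },
        { SSL_CB_LOOP, "SSLOK" },
        { SSL_CB_LOOP, "TRST" },
        { SSL_CB_EXIT, NULL },
        { 0, NULL },
    },
    {
        /* TLSv1.3 server, early_data */
        { SSL_CB_HANDSHAKE_START, NULL },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "TRCH" },
        { SSL_CB_LOOP, "TWSH" },
        { SSL_CB_LOOP, "TWCCS" },
        { SSL_CB_LOOP, "TWEE" },
        { SSL_CB_LOOP, "TWFIN" },
        { SSL_CB_HANDSHAKE_DONE, NULL },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_HANDSHAKE_START, NULL },
        { SSL_CB_LOOP, "TED" },
        { SSL_CB_LOOP, "TED" },
        { SSL_CB_LOOP, "TWEOED" },
        { SSL_CB_LOOP, "TRFIN" },
        { SSL_CB_HANDSHAKE_DONE, NULL },
        { SSL_CB_LOOP, "TWST" },
        { SSL_CB_EXIT, NULL },
        { 0, NULL },
    },
    {
        /* TLSv1.3 client, early_data */
        { SSL_CB_HANDSHAKE_START, NULL },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "TWCH" },
        { SSL_CB_LOOP, "TWCCS" },
        { SSL_CB_HANDSHAKE_DONE, NULL },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_HANDSHAKE_START, NULL },
        { SSL_CB_LOOP, "TED" },
        { SSL_CB_LOOP, "TED" },
        { SSL_CB_LOOP, "TRSH" },
        { SSL_CB_LOOP, "TREE" },
        { SSL_CB_LOOP, "TRFIN" },
        { SSL_CB_LOOP, "TPEDE" },
        { SSL_CB_LOOP, "TWEOED" },
        { SSL_CB_LOOP, "TWFIN" },
        { SSL_CB_HANDSHAKE_DONE, NULL },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "SSLOK" },
        { SSL_CB_LOOP, "SSLOK" },
        { SSL_CB_LOOP, "TRST" },
        { SSL_CB_EXIT, NULL },
        { 0, NULL },
    },
    {
        /* TLSv1.3 server, certificate compression, followed by resumption */
        { SSL_CB_HANDSHAKE_START, NULL },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "TRCH" },
        { SSL_CB_LOOP, "TWSH" },
        { SSL_CB_LOOP, "TWCCS" },
        { SSL_CB_LOOP, "TWEE" },
        { SSL_CB_LOOP, "TWSCC" },
        { SSL_CB_LOOP, "TWSCV" },
        { SSL_CB_LOOP, "TWFIN" },
        { SSL_CB_LOOP, "TED" },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "TED" },
        { SSL_CB_LOOP, "TRFIN" },
        { SSL_CB_HANDSHAKE_DONE, NULL },
        { SSL_CB_LOOP, "TWST" },
        { SSL_CB_LOOP, "TWST" },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_ALERT, NULL },
        { SSL_CB_HANDSHAKE_START, NULL },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "TRCH" },
        { SSL_CB_LOOP, "TWSH" },
        { SSL_CB_LOOP, "TWCCS" },
        { SSL_CB_LOOP, "TWEE" },
        { SSL_CB_LOOP, "TWFIN" },
        { SSL_CB_LOOP, "TED" },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "TED" },
        { SSL_CB_LOOP, "TRFIN" },
        { SSL_CB_HANDSHAKE_DONE, NULL },
        { SSL_CB_LOOP, "TWST" },
        { SSL_CB_EXIT, NULL },
        { 0, NULL },
    },
    {
        /* TLSv1.3 client, certificate compression, followed by resumption */
        { SSL_CB_HANDSHAKE_START, NULL },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "TWCH" },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "TWCH" },
        { SSL_CB_LOOP, "TRSH" },
        { SSL_CB_LOOP, "TREE" },
        { SSL_CB_LOOP, "TRSCC" },
        { SSL_CB_LOOP, "TRSCV" },
        { SSL_CB_LOOP, "TRFIN" },
        { SSL_CB_LOOP, "TWCCS" },
        { SSL_CB_LOOP, "TWFIN" },
        { SSL_CB_HANDSHAKE_DONE, NULL },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "SSLOK" },
        { SSL_CB_LOOP, "SSLOK" },
        { SSL_CB_LOOP, "TRST" },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "SSLOK" },
        { SSL_CB_LOOP, "SSLOK" },
        { SSL_CB_LOOP, "TRST" },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_ALERT, NULL },
        { SSL_CB_HANDSHAKE_START, NULL },
        { SSL_CB_LOOP, "PINIT" },
        { SSL_CB_LOOP, "TWCH" },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "TWCH" },
        { SSL_CB_LOOP, "TRSH" },
        { SSL_CB_LOOP, "TREE" },
        { SSL_CB_LOOP, "TRFIN" },
        { SSL_CB_LOOP, "TWCCS" },
        { SSL_CB_LOOP, "TWFIN" },
        { SSL_CB_HANDSHAKE_DONE, NULL },
        { SSL_CB_EXIT, NULL },
        { SSL_CB_LOOP, "SSLOK" },
        { SSL_CB_LOOP, "SSLOK" },
        { SSL_CB_LOOP, "TRST" },
        { SSL_CB_EXIT, NULL },
        { 0, NULL },
    },
    {
        { 0, NULL },
    }
};

/*
 * Info callback that compares each event with the next expected entry of
 * info_cb_states[info_cb_offset]. Any mismatch sets info_cb_failed, which
 * test_info_callback() checks after each connection.
 */
static void sslapi_info_callback(const SSL *s, int where, int ret)
{
    struct info_cb_states_st *state = info_cb_states[info_cb_offset];

    /* We do not ever expect a connection to fail in this test */
    if (!TEST_false(ret == 0)) {
        info_cb_failed = 1;
        return;
    }

    /*
     * Do some sanity checks. We never expect these things to happen in this
     * test. The index is bounds checked before it is advanced so that extra
     * callbacks after a mismatch cannot read past the end of the row.
     */
    if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
        || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
        || !TEST_int_lt(info_cb_this_state + 1,
                        (int)OSSL_NELEM(info_cb_states[0]))
        || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
        info_cb_failed = 1;
        return;
    }

    /* Now check we're in the right state */
    if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
        info_cb_failed = 1;
        return;
    }
    if ((where & SSL_CB_LOOP) != 0
        && !TEST_int_eq(strcmp(SSL_state_string(s),
                               state[info_cb_this_state].statestr),
                        0)) {
        info_cb_failed = 1;
        return;
    }

    /*
     * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init.
     * Wrapped in TEST_false so that a failure here is reported too.
     */
    if ((where & SSL_CB_HANDSHAKE_DONE) != 0
        && !TEST_false(SSL_in_init((SSL *)s))) {
        info_cb_failed = 1;
        return;
    }
}

/*
 * Test the info callback gets called when we expect it to.
 *
 * Test 0: TLSv1.2, server
 * Test 1: TLSv1.2, client
 * Test 2: TLSv1.3, server
 * Test 3: TLSv1.3, client
 * Test 4: TLSv1.3, server, early_data
 * Test 5: TLSv1.3, client, early_data
 * Test 6: TLSv1.3, server, compressed certificate
 * Test 7: TLSv1.3, client, compressed certificate
 */
static int test_info_callback(int tst)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    SSL_SESSION *clntsess = NULL;
    int testresult = 0;
    int tlsvers;

    /* Tests whose protocol version is not built in pass trivially */
    if (tst < 2) {
/* We need either ECDHE or DHE for the TLSv1.2 test to work */
#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH))
        tlsvers = TLS1_2_VERSION;
#else
        return 1;
#endif
    } else {
#ifndef OSSL_NO_USABLE_TLS1_3
        tlsvers = TLS1_3_VERSION;
#else
        return 1;
#endif
    }

    /* Reset globals */
    info_cb_failed = 0;
    info_cb_this_state = -1;
    info_cb_offset = tst;

#ifndef OSSL_NO_USABLE_TLS1_3
    if (tst >= 4 && tst < 6) {
        SSL_SESSION *sess = NULL;
        size_t written, readbytes;
        unsigned char buf[80];
        OSSL_TIME timer;

        /* early_data tests */
        if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
                                            &serverssl, &sess, 0,
                                            SHA384_DIGEST_LENGTH)))
            goto end;

        /* We don't actually need this reference */
        SSL_SESSION_free(sess);

        SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
                              sslapi_info_callback);

        /* Write and read some early data and then complete the connection */
        timer = ossl_time_now();
        if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
                                            &written))
            || !TEST_size_t_eq(written, strlen(MSG1)))
            goto end;

        if (!TEST_int_eq(SSL_read_early_data(serverssl, buf,
                                             sizeof(buf), &readbytes),
                         SSL_READ_EARLY_DATA_SUCCESS)) {
            /* The result is decided by check_early_data_timeout() here */
            testresult = check_early_data_timeout(timer);
            goto end;
        }

        if (!TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
            || !TEST_int_eq(SSL_get_early_data_status(serverssl),
                            SSL_EARLY_DATA_ACCEPTED)
            || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                                SSL_ERROR_NONE))
            || !TEST_false(info_cb_failed))
            goto end;

        testresult = 1;
        goto end;
    }
#endif

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(),
                                       tlsvers, tlsvers, &sctx, &cctx, cert,
                                       privkey)))
        goto end;

    if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
        goto end;

    /*
     * For even numbered tests we check the server callbacks. For odd numbers we
     * check the client.
     */
    SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
                              sslapi_info_callback);
    if (tst >= 6) {
        if (!SSL_CTX_compress_certs(sctx, 0))
            goto end;
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
                                      &clientssl, NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                            SSL_ERROR_NONE))
        || !TEST_false(info_cb_failed))
        goto end;

    /* Keep the session for the resumption, then drop both connections */
    clntsess = SSL_get1_session(clientssl);
    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    /* Now do a resumption */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
                                      NULL))
        || !TEST_true(SSL_set_session(clientssl, clntsess))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                            SSL_ERROR_NONE))
        || !TEST_true(SSL_session_reused(clientssl))
        || !TEST_false(info_cb_failed))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_SESSION_free(clntsess);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}

/*
 * Test SSL_pending() and SSL_has_pending() before any data is sent and after
 * a partial read of one record.
 *
 * Test 0: TLS
 * Test 1: DTLS
 */
static int test_ssl_pending(int tst)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    char msg[] = "A test message";
    char buf[5];
    size_t written, readbytes;

    if (tst == 0) {
        if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                           TLS_client_method(),
                                           TLS1_VERSION, 0,
                                           &sctx, &cctx, cert, privkey)))
            goto end;
    } else {
#ifndef OPENSSL_NO_DTLS
        if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
                                           DTLS_client_method(),
                                           DTLS1_VERSION, 0,
                                           &sctx, &cctx, cert, privkey)))
            goto end;

#ifdef OPENSSL_NO_DTLS1_2
        /* Not supported in the FIPS provider */
        if (is_fips) {
            testresult = 1;
            goto end;
        }
        /*
         * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
         * level 0
         */
        if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
            || !TEST_true(SSL_CTX_set_cipher_list(cctx,
                                                  "DEFAULT:@SECLEVEL=0")))
            goto end;
#endif
#else
        return 1;
#endif
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                            SSL_ERROR_NONE)))
        goto end;

    /*
     * Nothing is pending on a fresh connection. After the client reads
     * sizeof(buf) bytes of the record, the remainder must still be pending.
     */
    if (!TEST_int_eq(SSL_pending(clientssl), 0)
        || !TEST_false(SSL_has_pending(clientssl))
        || !TEST_int_eq(SSL_pending(serverssl), 0)
        || !TEST_false(SSL_has_pending(serverssl))
        || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
        || !TEST_size_t_eq(written, sizeof(msg))
        || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
        || !TEST_size_t_eq(readbytes, sizeof(buf))
        || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
        || !TEST_true(SSL_has_pending(clientssl)))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}

static struct {
    unsigned int maxprot;
    const char *clntciphers;
    const char *clnttls13ciphers;
    const char *srvrciphers;
    const char *srvrtls13ciphers;
    const char *shared;
    const char *fipsshared;
} shared_ciphers_data[] = {
/*
 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
 * TLSv1.3 is enabled but TLSv1.2 is disabled.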
8496 */ 8497 #if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) 8498 { TLS1_2_VERSION, 8499 "AES128-SHA:AES256-SHA", 8500 NULL, 8501 "AES256-SHA:DHE-RSA-AES128-SHA", 8502 NULL, 8503 "AES256-SHA", 8504 "AES256-SHA" }, 8505 #if !defined(OPENSSL_NO_CHACHA) \ 8506 && !defined(OPENSSL_NO_POLY1305) \ 8507 && !defined(OPENSSL_NO_EC) 8508 { TLS1_2_VERSION, 8509 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305", 8510 NULL, 8511 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305", 8512 NULL, 8513 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305", 8514 "AES128-SHA" }, 8515 #endif 8516 { TLS1_2_VERSION, 8517 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA", 8518 NULL, 8519 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA", 8520 NULL, 8521 "AES128-SHA:AES256-SHA", 8522 "AES128-SHA:AES256-SHA" }, 8523 { TLS1_2_VERSION, 8524 "AES128-SHA:AES256-SHA", 8525 NULL, 8526 "AES128-SHA:DHE-RSA-AES128-SHA", 8527 NULL, 8528 "AES128-SHA", 8529 "AES128-SHA" }, 8530 { TLS1_2_VERSION, 8531 "AES256-SHA", 8532 NULL, 8533 "AES128-SHA", 8534 NULL, 8535 "", 8536 "" }, 8537 #endif 8538 /* 8539 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be 8540 * enabled. 
8541 */ 8542 #if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \ 8543 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) 8544 { TLS1_3_VERSION, 8545 "AES128-SHA:AES256-SHA", 8546 NULL, 8547 "AES256-SHA:AES128-SHA256", 8548 NULL, 8549 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:" 8550 "TLS_AES_128_GCM_SHA256:AES256-SHA", 8551 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA" }, 8552 #endif 8553 #ifndef OSSL_NO_USABLE_TLS1_3 8554 { TLS1_3_VERSION, 8555 "AES128-SHA", 8556 "TLS_AES_256_GCM_SHA384", 8557 "AES256-SHA", 8558 "TLS_AES_256_GCM_SHA384", 8559 "TLS_AES_256_GCM_SHA384", 8560 "TLS_AES_256_GCM_SHA384" }, 8561 { TLS1_3_VERSION, 8562 "AES128-SHA", 8563 "TLS_AES_128_GCM_SHA256", 8564 "AES256-SHA", 8565 "TLS_AES_256_GCM_SHA384", 8566 "", 8567 "" }, 8568 #endif 8569 }; 8570 8571 static int int_test_ssl_get_shared_ciphers(int tst, int clnt) 8572 { 8573 SSL_CTX *cctx = NULL, *sctx = NULL; 8574 SSL *clientssl = NULL, *serverssl = NULL; 8575 int testresult = 0; 8576 char buf[1024]; 8577 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new(); 8578 const char *expbuf = is_fips ? shared_ciphers_data[tst].fipsshared 8579 : shared_ciphers_data[tst].shared; 8580 int handshakeok = strcmp(expbuf, "") != 0; 8581 8582 if (!TEST_ptr(tmplibctx)) 8583 goto end; 8584 8585 /* 8586 * Regardless of whether we're testing with the FIPS provider loaded into 8587 * libctx, we want one peer to always use the full set of ciphersuites 8588 * available. Therefore we use a separate libctx with the default provider 8589 * loaded into it. We run the same tests twice - once with the client side 8590 * having the full set of ciphersuites and once with the server side. 
8591 */ 8592 if (clnt) { 8593 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method()); 8594 if (!TEST_ptr(cctx)) 8595 goto end; 8596 } else { 8597 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method()); 8598 if (!TEST_ptr(sctx)) 8599 goto end; 8600 } 8601 8602 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 8603 TLS_client_method(), 8604 TLS1_VERSION, 8605 shared_ciphers_data[tst].maxprot, 8606 &sctx, &cctx, cert, privkey))) 8607 goto end; 8608 8609 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, 8610 shared_ciphers_data[tst].clntciphers)) 8611 || (shared_ciphers_data[tst].clnttls13ciphers != NULL 8612 && !TEST_true(SSL_CTX_set_ciphersuites(cctx, 8613 shared_ciphers_data[tst].clnttls13ciphers))) 8614 || !TEST_true(SSL_CTX_set_cipher_list(sctx, 8615 shared_ciphers_data[tst].srvrciphers)) 8616 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL 8617 && !TEST_true(SSL_CTX_set_ciphersuites(sctx, 8618 shared_ciphers_data[tst].srvrtls13ciphers)))) 8619 goto end; 8620 8621 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, 8622 NULL))) 8623 goto end; 8624 8625 if (handshakeok) { 8626 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 8627 SSL_ERROR_NONE))) 8628 goto end; 8629 } else { 8630 if (!TEST_false(create_ssl_connection(serverssl, clientssl, 8631 SSL_ERROR_NONE))) 8632 goto end; 8633 } 8634 8635 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf))) 8636 || !TEST_int_eq(strcmp(buf, expbuf), 0)) { 8637 TEST_info("Shared ciphers are: %s\n", buf); 8638 goto end; 8639 } 8640 8641 testresult = 1; 8642 8643 end: 8644 SSL_free(serverssl); 8645 SSL_free(clientssl); 8646 SSL_CTX_free(sctx); 8647 SSL_CTX_free(cctx); 8648 OSSL_LIB_CTX_free(tmplibctx); 8649 8650 return testresult; 8651 } 8652 8653 static int test_ssl_get_shared_ciphers(int tst) 8654 { 8655 return int_test_ssl_get_shared_ciphers(tst, 0) 8656 && int_test_ssl_get_shared_ciphers(tst, 1); 8657 } 8658 8659 static const char *appdata = "Hello 
World";
/* Set by the ticket callbacks below so a test can tell which of them ran. */
static int gen_tick_called, dec_tick_called, tick_key_cb_called;
/*
 * Steers the ticket key callbacks: -1 makes them return 0, 0 makes them
 * return 1 and any other value makes them return 2.
 */
static int tick_key_renew = 0;
/* What dec_tick_cb() returns when no ticket key callback has been called. */
static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;

/*
 * Ticket generation callback: records that it ran and stores |appdata| in the
 * session as ticket application data. Returns the result of
 * SSL_SESSION_set1_ticket_appdata().
 */
static int gen_tick_cb(SSL *s, void *arg)
{
    SSL_SESSION *sess;

    gen_tick_called = 1;
    sess = SSL_get_session(s);

    return SSL_SESSION_set1_ticket_appdata(sess, appdata, strlen(appdata));
}

/*
 * Ticket decryption callback: records that it ran, checks that a decrypted
 * ticket carries exactly |appdata| and then decides what to do with it.
 *
 * An empty ticket is ignored with a renewal request. Any status other than
 * SSL_TICKET_SUCCESS / SSL_TICKET_SUCCESS_RENEW, or application data that
 * does not match, aborts. After that the return value mirrors the ticket
 * status if a ticket key callback has been called, else it is |tick_dec_ret|.
 */
static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
    const unsigned char *keyname,
    size_t keyname_length,
    SSL_TICKET_STATUS status,
    void *arg)
{
    void *tickdata;
    size_t tickdlen;

    dec_tick_called = 1;

    if (status == SSL_TICKET_EMPTY)
        return SSL_TICKET_RETURN_IGNORE_RENEW;

    if (!TEST_true(status == SSL_TICKET_SUCCESS
            || status == SSL_TICKET_SUCCESS_RENEW))
        return SSL_TICKET_RETURN_ABORT;

    /* The ticket must round-trip the data gen_tick_cb() stored in it */
    if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
            &tickdlen)))
        return SSL_TICKET_RETURN_ABORT;
    if (!TEST_size_t_eq(tickdlen, strlen(appdata)))
        return SSL_TICKET_RETURN_ABORT;
    if (!TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
        return SSL_TICKET_RETURN_ABORT;

    if (!tick_key_cb_called)
        return tick_dec_ret;

    /*
     * Don't change what the ticket key callback wanted to do. The
     * SSL_TICKET_NO_DECRYPT case cannot be reached from here because the
     * status check above already aborted for it.
     */
    if (status == SSL_TICKET_NO_DECRYPT)
        return SSL_TICKET_RETURN_IGNORE_RENEW;
    if (status == SSL_TICKET_SUCCESS)
        return SSL_TICKET_RETURN_USE;
    if (status == SSL_TICKET_SUCCESS_RENEW)
        return SSL_TICKET_RETURN_USE_RENEW;

    return SSL_TICKET_RETURN_ABORT;
}

#ifndef OPENSSL_NO_DEPRECATED_3_0
/*
 * Ticket key callback using the deprecated HMAC_CTX interface.
 *
 * Returns 0 if |tick_key_renew| is -1 or an algorithm cannot be fetched,
 * -1 if the cipher or HMAC context cannot be initialised, 2 if
 * |tick_key_renew| is non-zero and 1 otherwise.
 *
 * Test fixture only: the AES and HMAC keys are fixed strings and the IV and
 * key name are all zeros, so tickets protected this way are neither
 * confidential nor unforgeable. A deployed callback needs secret, rotated
 * keys, a fresh random IV per ticket and a key name that identifies the key.
 */
static int tick_key_cb(SSL *s, unsigned char key_name[16],
    unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
    HMAC_CTX *hctx, int enc)
{
    const unsigned char tick_aes_key[16] = "0123456789abcdef";
    const unsigned char tick_hmac_key[16] = "0123456789abcdef";
    EVP_CIPHER *aes128cbc = NULL;
    EVP_MD *sha256 = NULL;
    int ret = 0;

    tick_key_cb_called = 1;

    if (tick_key_renew == -1)
        return 0;

    aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
    if (!TEST_ptr(aes128cbc))
        goto done;
    sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
    if (!TEST_ptr(sha256))
        goto done;

    memset(iv, 0, AES_BLOCK_SIZE);
    memset(key_name, 0, 16);

    /* Both algorithms are known to be non-NULL at this point */
    if (EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
        && HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
            NULL))
        ret = tick_key_renew ? 2 : 1;
    else
        ret = -1;

done:
    /* Both free functions accept NULL */
    EVP_CIPHER_free(aes128cbc);
    EVP_MD_free(sha256);

    return ret;
}
#endif

/*
 * Ticket key callback using the EVP_MAC_CTX interface. Same return values as
 * the HMAC_CTX variant: 0 if |tick_key_renew| is -1 or the cipher cannot be
 * fetched, -1 if the cipher or MAC context cannot be initialised, 2 if
 * |tick_key_renew| is non-zero and 1 otherwise.
 *
 * Test fixture only: fixed keys, all-zero IV and all-zero key name. Do not
 * copy this key handling into a real ticket key callback.
 */
static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
    unsigned char iv[EVP_MAX_IV_LENGTH],
    EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
{
    const unsigned char tick_aes_key[16] = "0123456789abcdef";
    unsigned char tick_hmac_key[16] = "0123456789abcdef";
    OSSL_PARAM params[2];
    EVP_CIPHER *aes128cbc;
    int ret = -1;

    tick_key_cb_called = 1;

    if (tick_key_renew == -1)
        return 0;

    aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
    if (!TEST_ptr(aes128cbc))
        return 0;

    memset(iv, 0, AES_BLOCK_SIZE);
    memset(key_name, 0, 16);

    /* The MAC is keyed with a SHA256 digest parameter */
    params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
        "SHA256", 0);
    params[1] = OSSL_PARAM_construct_end();

    /* The cipher is known to be non-NULL at this point */
    if (EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
        && EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
            params))
        ret = tick_key_renew ? 2 : 1;

    EVP_CIPHER_free(aes128cbc);

    return ret;
}

/*
 * Test the various ticket callbacks
 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
 * Test 12: TLSv1.2, old ticket key callback, no ticket
 * Test 13: TLSv1.3, old ticket key callback, no ticket
 * Test 14: TLSv1.2, ticket key callback, ticket, no renewal
 * Test 15: TLSv1.3, ticket key callback, ticket, no renewal
 * Test 16: TLSv1.2, ticket key callback, ticket, renewal
 * Test 17: TLSv1.3, ticket key callback, ticket, renewal
 * Test 18: TLSv1.2, ticket key callback, no ticket
 * Test 19: TLSv1.3, ticket key callback, no ticket
 *
 * Even tests run with a maximum of TLSv1.2 and odd tests with TLSv1.3. Each
 * test does a full handshake followed by a resumption attempt and checks
 * which callbacks ran and whether the session was reused.
 * Returns 1 on success (or when the test is not applicable to this build)
 * and 0 on failure.
 */
static int test_ticket_callbacks(int tst)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    SSL_SESSION *clntsess = NULL;
    int testresult = 0;

#ifdef OPENSSL_NO_TLS1_2
    if (tst % 2 == 0)
        return 1;
#endif
#ifdef OSSL_NO_USABLE_TLS1_3
    if (tst % 2 == 1)
        return 1;
#endif
#ifdef OPENSSL_NO_DEPRECATED_3_0
    if (tst >= 8 && tst <= 13)
        return 1;
#endif

    gen_tick_called = dec_tick_called = tick_key_cb_called = 0;

    /* Which tests the ticket key callback should request renewal for */
    switch (tst) {
    case 10:
    case 11:
    case 16:
    case 17:
        tick_key_renew = 1;
        break;

    case 12:
    case 13:
    case 18:
    case 19:
        /* abort sending the ticket/0-length ticket */
        tick_key_renew = -1;
        break;

    default:
        tick_key_renew = 0;
    }

    /* Which tests the decrypt ticket callback should request renewal for */
    if (tst == 0 || tst == 1)
        tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
    else if (tst == 2 || tst == 3)
        tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
    else if (tst == 4 || tst == 5)
        tick_dec_ret = SSL_TICKET_RETURN_USE;
    else if (tst == 6 || tst == 7)
        tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
    else
        tick_dec_ret = SSL_TICKET_RETURN_ABORT;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            TLS1_VERSION,
            ((tst % 2) == 0) ? TLS1_2_VERSION
                             : TLS1_3_VERSION,
            &sctx, &cctx, cert, privkey)))
        goto end;

    /*
     * Sessions must resume from tickets only, never from the session cache,
     * so the cache is switched off before the callbacks are installed.
     */
    if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF))
        || !TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb,
            dec_tick_cb, NULL)))
        goto end;

    /* Tests 14 and up use the EVP ticket key callback, 8 to 13 the old one */
    if (tst >= 14
        && !TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
        goto end;
#ifndef OPENSSL_NO_DEPRECATED_3_0
    if (tst >= 8 && tst < 14
        && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
        goto end;
#endif

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    /*
     * In TLSv1.2 the decrypt ticket callback runs even though there is no
     * ticket yet: the client signals ticket support without sending ticket
     * data, which reaches the callback as SSL_TICKET_EMPTY. TLSv1.3 does not
     * allow empty ticket data, so the callback is not called there.
     */
    if (!TEST_int_eq(gen_tick_called, 1))
        goto end;
    if (!TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
        goto end;

    gen_tick_called = dec_tick_called = 0;

    /* Keep the client session and tear the first connection down */
    clntsess = SSL_get1_session(clientssl);
    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    /* Now do a resumption */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
            NULL)))
        goto end;
    if (!TEST_true(SSL_set_session(clientssl, clntsess)))
        goto end;
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    /* The session is reused unless the ticket was ignored or never sent */
    if (tick_dec_ret != SSL_TICKET_RETURN_IGNORE
        && tick_dec_ret != SSL_TICKET_RETURN_IGNORE_RENEW
        && tick_key_renew != -1) {
        if (!TEST_true(SSL_session_reused(clientssl)))
            goto end;
    } else {
        if (!TEST_false(SSL_session_reused(clientssl)))
            goto end;
    }

    /* A new ticket is generated only when some callback asked for renewal */
    if (!TEST_int_eq(gen_tick_called,
            (tick_key_renew
                || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
                || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
                ? 1
                : 0))
        goto end;

    /* There is no ticket to decrypt in tests 13 and 19 */
    if (!TEST_int_eq(dec_tick_called, (tst == 13 || tst == 19) ? 0 : 1))
        goto end;

    testresult = 1;

end:
    SSL_SESSION_free(clntsess);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}

/*
 * Callback that always returns ABORT for successfully decrypted tickets.
 * Used by test_ticket_abort_session_leak to exercise the error path in
 * tls_parse_ctos_psk() that previously leaked the SSL_SESSION.
*/
static SSL_TICKET_RETURN dec_tick_abort_cb(SSL *s, SSL_SESSION *ss,
    const unsigned char *keyname,
    size_t keyname_length,
    SSL_TICKET_STATUS status,
    void *arg)
{
    switch (status) {
    case SSL_TICKET_SUCCESS:
    case SSL_TICKET_SUCCESS_RENEW:
        /* The ticket decrypted, so a session exists: reject it */
        return SSL_TICKET_RETURN_ABORT;

    default:
        return SSL_TICKET_RETURN_IGNORE_RENEW;
    }
}

/*
 * Regression test for a session leak on the abort path of TLS 1.3 resumption.
 *
 * When the decrypt ticket callback returns SSL_TICKET_RETURN_ABORT, the
 * SSL_SESSION allocated by tls_decrypt_ticket() must still be freed. Before
 * the fix, tls_parse_ctos_psk() executed a bare "return 0" instead of
 * "goto err" and so bypassed SSL_SESSION_free(sess).
 *
 * The assertions here only check that the resumption handshake fails. The
 * leak itself shows up only under a leak detector such as LeakSanitizer, so
 * this test gives no leak signal in a build without one.
 *
 * Returns 1 on success (or when TLSv1.3 is not usable) and 0 on failure.
 */
static int test_ticket_abort_session_leak(void)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    SSL_SESSION *clntsess = NULL;
    int testresult = 0;

#ifdef OSSL_NO_USABLE_TLS1_3
    return 1;
#endif

    /*
     * TLSv1.3 only, session cache off so that resumption has to go through
     * the ticket. The first handshake uses the normal gen/dec callbacks to
     * get a ticket.
     */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            TLS1_3_VERSION, TLS1_3_VERSION,
            &sctx, &cctx, cert, privkey))
        || !TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF))
        || !TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
            NULL)))
        goto end;

    gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
    tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    clntsess = SSL_get1_session(clientssl);
    if (!TEST_ptr(clntsess))
        goto end;

    SSL_shutdown(clientssl);
    SSL_shutdown(serverssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    /*
     * Second handshake (resumption): switch to the abort callback.
     * The server will decrypt the ticket, allocate an SSL_SESSION, then the
     * callback returns ABORT. The handshake must fail, and the session
     * allocated inside tls_decrypt_ticket() must be freed (not leaked).
     */
    if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb,
            dec_tick_abort_cb, NULL)))
        goto end;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;
    if (!TEST_true(SSL_set_session(clientssl, clntsess)))
        goto end;

    /* Resumption should fail because the callback aborts */
    if (!TEST_false(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_SSL)))
        goto end;

    testresult = 1;

end:
    SSL_SESSION_free(clntsess);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}

/*
 * Test incorrect shutdown.
* Test 0: client does not shutdown properly,
 *         server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
 *         server should get SSL_ERROR_SSL
 * Test 1: client does not shutdown properly,
 *         server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
 *         server should get SSL_ERROR_ZERO_RETURN
 *
 * Test 0 is the default behaviour: a connection that ends without a
 * close_notify is reported as an error, so the application can tell a clean
 * close from a cut-off stream. Test 1 shows that the option gives that up:
 * the missing close_notify then looks like an orderly shutdown.
 * Returns 1 on success and 0 on failure.
 */
static int test_incorrect_shutdown(int tst)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    char buf[80];

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), 0, 0,
            &sctx, &cctx, cert, privkey)))
        goto end;

    if (tst == 1)
        SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    /*
     * Make the server's read BIO return 0 when it has no data, so the next
     * read sees the end of the stream with no close_notify from the client.
     * (Presumably a memory BIO set up by create_ssl_objects() - not visible
     * here.)
     */
    BIO_set_mem_eof_return(SSL_get_rbio(serverssl), 0);

    if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
        goto end;

    switch (tst) {
    case 0:
        if (!TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
            goto end;
        break;

    case 1:
        if (!TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN))
            goto end;
        break;

    default:
        break;
    }

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}

/*
 * Test bi-directional shutdown.
 * Test 0: TLSv1.2
 * Test 1: TLSv1.2, server continues to read/write after client shutdown
 * Test 2: TLSv1.3, no pending NewSessionTicket messages
 * Test 3: TLSv1.3, pending NewSessionTicket messages
 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
 *         sends key update, client reads it
 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
 *         sends CertificateRequest, client reads and ignores it
 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
 *         doesn't read it
 *
 * Returns 1 on success (or when the protocol version needed by the test is
 * not available in this build) and 0 on failure.
 */
static int test_shutdown(int tst)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    char msg[] = "A test message";
    char buf[80];
    size_t written, readbytes;
    SSL_SESSION *sess;
    /* Tests 4 and 5: the client reads what the server sent after the alert */
    const int client_reads = (tst == 4 || tst == 5);

#ifdef OPENSSL_NO_TLS1_2
    if (tst <= 1)
        return 1;
#endif
#ifdef OSSL_NO_USABLE_TLS1_3
    if (tst >= 2)
        return 1;
#endif

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            TLS1_VERSION,
            (tst <= 1) ? TLS1_2_VERSION
                       : TLS1_3_VERSION,
            &sctx, &cctx, cert, privkey)))
        goto end;

    if (tst == 5)
        SSL_CTX_set_post_handshake_auth(cctx, 1);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;

    if (tst == 3) {
        /* Bare connection: the session is expected not to be resumable yet */
        if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
                SSL_ERROR_NONE, 1, 0)))
            goto end;
        if (!TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL))
            goto end;
        if (!TEST_false(SSL_SESSION_is_resumable(sess)))
            goto end;
    } else {
        if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                SSL_ERROR_NONE)))
            goto end;
        if (!TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL))
            goto end;
        if (!TEST_true(SSL_SESSION_is_resumable(sess)))
            goto end;
    }

    /* The client sends close_notify; the shutdown is not complete yet */
    if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
        goto end;

    if (tst >= 4) {
        /*
         * Reading on the server after the client has sent close_notify should
         * fail and provide SSL_ERROR_ZERO_RETURN
         */
        if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)))
            goto end;
        if (!TEST_int_eq(SSL_get_error(serverssl, 0),
                SSL_ERROR_ZERO_RETURN))
            goto end;
        if (!TEST_int_eq(SSL_get_shutdown(serverssl),
                SSL_RECEIVED_SHUTDOWN))
            goto end;

        /*
         * Even though we're shutdown on receive we should still be
         * able to write.
         */
        if (!TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
            goto end;

        if (tst == 4) {
            if (!TEST_true(SSL_key_update(serverssl,
                    SSL_KEY_UPDATE_REQUESTED)))
                goto end;
        }
        if (tst == 5) {
            SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
            if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
                goto end;
        }
        if (client_reads) {
            if (!TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
                goto end;
        }

        if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
            goto end;

        if (client_reads) {
            /* Should still be able to read data from server: first message */
            if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
                    &readbytes)))
                goto end;
            if (!TEST_size_t_eq(readbytes, sizeof(msg)))
                goto end;
            if (!TEST_int_eq(memcmp(msg, buf, readbytes), 0))
                goto end;

            /* ... and the second message */
            if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
                    &readbytes)))
                goto end;
            if (!TEST_size_t_eq(readbytes, sizeof(msg)))
                goto end;
            if (!TEST_int_eq(memcmp(msg, buf, readbytes), 0))
                goto end;
        }
    }

    /* Writing on the client after sending close_notify shouldn't be possible */
    if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
        goto end;

    if (tst < 4) {
        /*
         * For these tests the client has sent close_notify but it has not yet
         * been received by the server. The server has not sent close_notify
         * yet.
         */
        if (!TEST_int_eq(SSL_shutdown(serverssl), 0))
            goto end;

        /*
         * Writing on the server after sending close_notify shouldn't
         * be possible.
         */
        if (!TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written)))
            goto end;

        if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
            goto end;
        if (!TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL))
            goto end;
        if (!TEST_true(SSL_SESSION_is_resumable(sess)))
            goto end;
        if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
            goto end;
    } else if (client_reads) {
        /*
         * In this test the client has sent close_notify and it has been
         * received by the server which has responded with a close_notify. The
         * client needs to read the close_notify sent by the server.
         */
        if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
            goto end;
        if (!TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL))
            goto end;
        if (!TEST_true(SSL_SESSION_is_resumable(sess)))
            goto end;
    } else {
        /*
         * tst == 6
         *
         * The client has sent close_notify and is expecting a close_notify
         * back, but instead there is application data first. The shutdown
         * should fail with a fatal error.
         */
        if (!TEST_int_eq(SSL_shutdown(clientssl), -1))
            goto end;
        if (!TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
            goto end;
    }

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}

/*
 * Test that sending close_notify alerts works correctly in the case of a
 * retryable write failure.
9290 */ 9291 static int test_async_shutdown(void) 9292 { 9293 SSL_CTX *cctx = NULL, *sctx = NULL; 9294 SSL *clientssl = NULL, *serverssl = NULL; 9295 int testresult = 0; 9296 BIO *bretry = BIO_new(bio_s_always_retry()), *tmp = NULL; 9297 9298 if (!TEST_ptr(bretry)) 9299 goto end; 9300 9301 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 9302 TLS_client_method(), 9303 0, 0, 9304 &sctx, &cctx, cert, privkey))) 9305 goto end; 9306 9307 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, 9308 NULL))) 9309 goto end; 9310 9311 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 9312 goto end; 9313 9314 /* Close write side of clientssl */ 9315 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)) 9316 goto end; 9317 9318 tmp = SSL_get_wbio(serverssl); 9319 if (!TEST_true(BIO_up_ref(tmp))) { 9320 tmp = NULL; 9321 goto end; 9322 } 9323 SSL_set0_wbio(serverssl, bretry); 9324 bretry = NULL; 9325 9326 /* First server shutdown should fail because of a retrable write failure */ 9327 if (!TEST_int_eq(SSL_shutdown(serverssl), -1) 9328 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE)) 9329 goto end; 9330 9331 /* Second server shutdown should fail for the same reason */ 9332 if (!TEST_int_eq(SSL_shutdown(serverssl), -1) 9333 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE)) 9334 goto end; 9335 9336 SSL_set0_wbio(serverssl, tmp); 9337 tmp = NULL; 9338 9339 /* Third server shutdown should send close_notify */ 9340 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)) 9341 goto end; 9342 9343 /* Fourth server shutdown should read close_notify from client and finish */ 9344 if (!TEST_int_eq(SSL_shutdown(serverssl), 1)) 9345 goto end; 9346 9347 /* Client should also successfully fully shutdown */ 9348 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)) 9349 goto end; 9350 9351 testresult = 1; 9352 end: 9353 SSL_free(serverssl); 9354 SSL_free(clientssl); 9355 SSL_CTX_free(sctx); 9356 SSL_CTX_free(cctx); 9357 
BIO_free(bretry); 9358 BIO_free(tmp); 9359 9360 return testresult; 9361 } 9362 9363 #if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) 9364 static int cert_cb_cnt; 9365 9366 static int load_chain(const char *file, EVP_PKEY **pkey, X509 **x509, 9367 STACK_OF(X509) *chain) 9368 { 9369 char *path = test_mk_file_path(certsdir, file); 9370 BIO *in = NULL; 9371 X509 *x = NULL; 9372 int ok = 0; 9373 9374 if (path == NULL) 9375 return 0; 9376 if ((in = BIO_new(BIO_s_file())) == NULL 9377 || BIO_read_filename(in, path) <= 0) 9378 goto out; 9379 if (pkey == NULL) { 9380 if ((x = X509_new_ex(libctx, NULL)) == NULL 9381 || PEM_read_bio_X509(in, &x, NULL, NULL) == NULL) 9382 goto out; 9383 if (chain == NULL) 9384 *x509 = x; 9385 else if (!sk_X509_push(chain, x)) 9386 goto out; 9387 } else if (PEM_read_bio_PrivateKey_ex(in, pkey, NULL, NULL, 9388 libctx, NULL) 9389 == NULL) { 9390 goto out; 9391 } 9392 9393 x = NULL; 9394 ok = 1; 9395 out: 9396 X509_free(x); 9397 BIO_free(in); 9398 OPENSSL_free(path); 9399 return ok; 9400 } 9401 9402 static int cert_cb(SSL *s, void *arg) 9403 { 9404 SSL_CTX *ctx = (SSL_CTX *)arg; 9405 EVP_PKEY *pkey = NULL; 9406 X509 *x509 = NULL, *x = NULL; 9407 STACK_OF(X509) *chain = NULL; 9408 int ret = 0; 9409 9410 if (cert_cb_cnt == 0) { 9411 /* Suspend the handshake */ 9412 cert_cb_cnt++; 9413 return -1; 9414 } else if (cert_cb_cnt == 1) { 9415 /* 9416 * Update the SSL_CTX, set the certificate and private key and then 9417 * continue the handshake normally. 
9418 */ 9419 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx))) 9420 return 0; 9421 9422 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM)) 9423 || !TEST_true(SSL_use_PrivateKey_file(s, privkey, 9424 SSL_FILETYPE_PEM)) 9425 || !TEST_true(SSL_check_private_key(s))) 9426 return 0; 9427 cert_cb_cnt++; 9428 return 1; 9429 } else if (cert_cb_cnt == 3) { 9430 int rv; 9431 9432 chain = sk_X509_new_null(); 9433 #ifndef OPENSSL_NO_ML_DSA 9434 if (SSL_version(s) >= TLS1_3_VERSION 9435 && fips_provider_version_ge(libctx, 3, 5, 0)) { 9436 if (!TEST_ptr(chain) 9437 || !TEST_true(load_chain("root-ml-dsa-44-cert.pem", NULL, NULL, chain)) 9438 || !TEST_true(load_chain("server-ml-dsa-44-cert.pem", NULL, &x509, NULL)) 9439 || !TEST_true(load_chain("server-ml-dsa-44-key.pem", &pkey, NULL, NULL))) 9440 goto out; 9441 goto check; 9442 } 9443 #endif 9444 if (!TEST_ptr(chain) 9445 || !TEST_true(load_chain("ca-cert.pem", NULL, NULL, chain)) 9446 || !TEST_true(load_chain("root-cert.pem", NULL, NULL, chain)) 9447 || !TEST_true(load_chain("p256-ee-rsa-ca-cert.pem", NULL, 9448 &x509, NULL)) 9449 || !TEST_true(load_chain("p256-ee-rsa-ca-key.pem", &pkey, 9450 NULL, NULL))) 9451 goto out; 9452 9453 #ifndef OPENSSL_NO_ML_DSA 9454 check: 9455 #endif 9456 rv = SSL_check_chain(s, x509, pkey, chain); 9457 /* 9458 * If the cert doesn't show as valid here (e.g., because we don't 9459 * have any shared sigalgs), then we will not set it, and there will 9460 * be no certificate at all on the SSL or SSL_CTX. This, in turn, 9461 * will cause tls_choose_sigalgs() to fail the connection. 
*/
        if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
            == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
            if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
                goto out;
        }

        ret = 1;
    }

    /* Abort the handshake */
out:
    EVP_PKEY_free(pkey);
    X509_free(x509);
    X509_free(x);
    OSSL_STACK_OF_X509_free(chain);
    return ret;
}

/*
 * Test the certificate callback.
 * Test 0: Callback fails
 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
 * Test 2: Success - SSL_set_SSL_CTX() in the callback
 * Test 3: Success - Call SSL_check_chain from the callback
 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
 *                   chain
 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
 *
 * prot is used as both the minimum and the maximum protocol version of the
 * context pair. Returns 1 on success and 0 on failure.
 */
static int test_cert_cb_int(int prot, int tst)
{
    SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    /* Tests 0, 4 and 5 are the ones where the handshake must not complete */
    const int expect_failure = (tst == 0 || tst == 4 || tst == 5);
    int ok = 0, connected;

#ifdef OPENSSL_NO_EC
    /* We use an EC cert in these tests with TLS 1.2 or absent ML-DSA */
    if (tst >= 3)
        return 1;
#endif

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(),
                                       prot,
                                       prot,
                                       &sctx, &cctx, NULL, NULL)))
        goto end;

    /* Starting state of the callback: -1 for test 0, 3 for tests 3+, else 0 */
    cert_cb_cnt = (tst == 0) ? -1 : (tst >= 3 ? 3 : 0);

    if (tst == 2) {
        snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
        if (!TEST_ptr(snictx))
            goto end;
    }

    /* snictx (NULL unless tst == 2) is handed to cert_cb as its argument */
    SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL)))
        goto end;

    switch (tst) {
    case 3:
        if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
                                             "rsa_pss_rsae_sha256:rsa_pkcs1_sha256:"
                                             "?ecdsa_secp256r1_sha256:?mldsa44")))
            goto end;
        if (!TEST_true(SSL_set1_sigalgs_list(serverssl,
                                             "rsa_pss_rsae_sha256:rsa_pkcs1_sha256:"
                                             "?ecdsa_secp256r1_sha256:?mldsa44")))
            goto end;
        break;
    case 4:
        /*
         * We cause SSL_check_chain() to fail by specifying sig_algs that
         * the chain doesn't meet (root either RSA or ML-DSA).
         */
        if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
                                             "ecdsa_secp256r1_sha256")))
            goto end;
        if (!TEST_true(SSL_set1_sigalgs_list(serverssl,
                                             "?ecdsa_secp256r1_sha256:?mldsa44")))
            goto end;
        break;
    case 5:
        /*
         * We cause SSL_check_chain() to fail by specifying sig_algs that
         * the ee cert doesn't meet (the ee uses an ECDSA or ML-DSA cert)
         */
        if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
                                             "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
            goto end;
        if (!TEST_true(SSL_set1_sigalgs_list(serverssl,
                                             "rsa_pss_rsae_sha256:rsa_pkcs1_sha256:"
                                             "?ecdsa_secp256r1_sha256:?mldsa44")))
            goto end;
        break;
    default:
        break;
    }

    connected = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
    if (!TEST_true(expect_failure ? !connected : connected))
        goto end;

    /*
     * For every test but 0 the counter must have ended at 2 or 3: the product
     * below is zero only for those two values.
     */
    if (tst > 0
        && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))
        goto end;

    ok = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    SSL_CTX_free(snictx);

    return ok;
}
#endif

/*
 * Run the certificate callback test for each protocol version that is
 * compiled in. Both versions are always run; the result is 1 only if every
 * run returned 1.
 */
static int test_cert_cb(int tst)
{
    int passed = 1;

#ifndef OPENSSL_NO_TLS1_2
    passed &= test_cert_cb_int(TLS1_2_VERSION, tst);
#endif
#ifndef OSSL_NO_USABLE_TLS1_3
    passed &= test_cert_cb_int(TLS1_3_VERSION, tst);
#endif

    return passed;
}

/*
 * Client certificate callback: loads the certificate from |cert| and the
 * private key from |privkey| and hands both to the caller through *x509 and
 * *pkey. Returns 1 when both were loaded, 0 otherwise; on failure the output
 * pointers are left untouched.
 */
static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
{
    X509 *crt = NULL;
    EVP_PKEY *key = NULL;
    BIO *cert_bio = NULL;
    BIO *key_bio = NULL;
    int loaded = 0;

    /* Check that SSL_get0_peer_certificate() returns something sensible */
    if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
        return 0;

    cert_bio = BIO_new_file(cert, "r");
    if (!TEST_ptr(cert_bio))
        return 0;

    if (!TEST_ptr(crt = X509_new_ex(libctx, NULL)))
        goto done;
    if (!TEST_ptr(PEM_read_bio_X509(cert_bio, &crt, NULL, NULL)))
        goto done;
    if (!TEST_ptr(key_bio = BIO_new_file(privkey, "r")))
        goto done;
    if (!TEST_ptr(key = PEM_read_bio_PrivateKey_ex(key_bio, NULL,
                                                   NULL, NULL,
                                                   libctx, NULL)))
        goto done;

    *x509 = crt;
    *pkey = key;
    /* The caller now holds the certificate; keep the cleanup below off it */
    crt = NULL;
    loaded = 1;

done:
    X509_free(crt);
    BIO_free(cert_bio);
    BIO_free(key_bio);
    return loaded;
}

static int test_client_cert_cb(int tst)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;

#ifdef OPENSSL_NO_TLS1_2
    if (tst == 0)
        return 1;
#endif
#ifdef OSSL_NO_USABLE_TLS1_3
    if (tst == 1)
        return 1;
#endif

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(),
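TLS1_VERSION,
                                       tst == 0 ? TLS1_2_VERSION
                                                : TLS1_3_VERSION,
                                       &sctx, &cctx, cert, privkey)))
        goto end;

    /*
     * Test that setting a client_cert_cb results in a client certificate being
     * sent.
     */
    SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
    SSL_CTX_set_verify(sctx,
                       SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
                       verify_cb);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                            SSL_ERROR_NONE)))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}

#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
/*
 * Test setting certificate authorities on both client and server.
 *
 * Test 0: SSL_CTX_set0_CA_list() only
 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
 * Test 2: Only SSL_CTX_set_client_CA_list()
 *
 * prot is the maximum protocol version of the context pair. Returns 1 on
 * success and 0 on failure.
 */
static int test_ca_names_int(int prot, int tst)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    size_t i;
    X509_NAME *name[] = { NULL, NULL, NULL, NULL };
    char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
    STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
    const STACK_OF(X509_NAME) *sktmp = NULL;

    /* Build one X509_NAME per entry of strnames, each with a single CN */
    for (i = 0; i < OSSL_NELEM(name); i++) {
        name[i] = X509_NAME_new();
        if (!TEST_ptr(name[i])
            || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
                                                     MBSTRING_ASC,
                                                     (unsigned char *)
                                                     strnames[i],
                                                     -1, -1, 0)))
            goto end;
    }

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(),
                                       TLS1_VERSION,
                                       prot,
                                       &sctx, &cctx, cert, privkey)))
        goto end;

    SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);

    if (tst == 0 || tst == 1) {
        if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
            || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
            || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
            || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
            || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
            || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
            goto end;

        SSL_CTX_set0_CA_list(sctx, sk1);
        SSL_CTX_set0_CA_list(cctx, sk2);
        /* Cleared so the cleanup at end: does not free the stacks again */
        sk1 = sk2 = NULL;
    }
    if (tst == 1 || tst == 2) {
        if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
            || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
            || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
            || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
            || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
            || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
            goto end;

        SSL_CTX_set_client_CA_list(sctx, sk1);
        SSL_CTX_set_client_CA_list(cctx, sk2);
        sk1 = sk2 = NULL;
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                            SSL_ERROR_NONE)))
        goto end;

    /*
     * We only expect certificate authorities to have been sent to the server
     * if we are using TLSv1.3 and SSL_set0_CA_list() was used
     */
    sktmp = SSL_get0_peer_CA_list(serverssl);
    if (prot == TLS1_3_VERSION
        && (tst == 0 || tst == 1)) {
        if (!TEST_ptr(sktmp)
            || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
            || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
                                          name[0]),
                            0)
            || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
                                          name[1]),
                            0))
            goto end;
    } else if (!TEST_ptr_null(sktmp)) {
        goto end;
    }

    /*
     * In all tests we expect certificate authorities to have been sent to the
     * client. However, SSL_set_client_CA_list() should override
     * SSL_set0_CA_list()
     */
    sktmp = SSL_get0_peer_CA_list(clientssl);
    if (!TEST_ptr(sktmp)
        || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
        || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
                                      name[tst == 0 ? 0 : 2]),
                        0)
        || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
                                      name[tst == 0 ? 1 : 3]),
                        0))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    for (i = 0; i < OSSL_NELEM(name); i++)
        X509_NAME_free(name[i]);
    sk_X509_NAME_pop_free(sk1, X509_NAME_free);
    sk_X509_NAME_pop_free(sk2, X509_NAME_free);

    return testresult;
}
#endif

/*
 * Run the CA names test for each protocol version that is compiled in. The
 * result is 1 only if every run returned 1.
 */
static int test_ca_names(int tst)
{
    int testresult = 1;

#ifndef OPENSSL_NO_TLS1_2
    testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
#endif
#ifndef OSSL_NO_USABLE_TLS1_3
    testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
#endif

    return testresult;
}

#ifndef OPENSSL_NO_TLS1_2
/* TLS cipher list names, indexed like fetchable_ciphers below */
static const char *multiblock_cipherlist_data[] = {
    "AES128-SHA",
    "AES128-SHA256",
    "AES256-SHA",
    "AES256-SHA256",
};

/* Reduce the fragment size - so the multiblock test buffer can be small */
#define MULTIBLOCK_FRAGSIZE 512

/*
 * Write a buffer of 9 fragments from the server over an AES-CBC-HMAC cipher
 * suite and check that the client reads back exactly the same bytes.
 * test_index selects the cipher from multiblock_cipherlist_data. The test is
 * skipped (and returns 1) when the matching cipher cannot be fetched.
 * Returns 1 on success and 0 on failure.
 */
static int test_multiblock_write(int test_index)
{
    static const char *fetchable_ciphers[] = {
        "AES-128-CBC-HMAC-SHA1",
        "AES-128-CBC-HMAC-SHA256",
        "AES-256-CBC-HMAC-SHA1",
        "AES-256-CBC-HMAC-SHA256"
    };
    const char *cipherlist = multiblock_cipherlist_data[test_index];
    const SSL_METHOD *smeth = TLS_server_method();
    const SSL_METHOD *cmeth = TLS_client_method();
    int min_version = TLS1_VERSION;
    int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;

    /*
     * Choose a buffer large enough to perform a multi-block operation
     * i.e: write_len >= 4 * frag_size
     * 9 * is chosen so that multiple multiblocks are used + some leftover.
     */
    unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
    unsigned char buf[sizeof(msg)], *p = buf;
    size_t readbytes, written, len;
    EVP_CIPHER *ciph = NULL;

    /*
     * Check if the cipher exists before attempting to use it since it only has
     * a hardware specific implementation.
     */
    ciph = EVP_CIPHER_fetch(libctx, fetchable_ciphers[test_index], "");
    if (ciph == NULL) {
        TEST_skip("Multiblock cipher is not available for %s", cipherlist);
        return 1;
    }
    EVP_CIPHER_free(ciph);

    /*
     * Set up a buffer with some data that will be sent to the client. A
     * failed RAND_bytes() would leave msg unset, so it fails the test instead
     * of being ignored.
     */
    if (!TEST_int_gt(RAND_bytes(msg, sizeof(msg)), 0))
        goto end;

    if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
                                       max_version, &sctx, &cctx, cert,
                                       privkey)))
        goto end;

    if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
        goto end;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL)))
        goto end;

    /* settings to force it to use AES-CBC-HMAC_SHA */
    SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
    if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
        || !TEST_size_t_eq(written, sizeof(msg)))
        goto end;

    len = written;
    while (len > 0) {
        /*
         * Never ask for more than the space left in buf, so neither the
         * write through p nor the subtraction below can run past the end.
         */
        size_t want = len < MULTIBLOCK_FRAGSIZE ? len : MULTIBLOCK_FRAGSIZE;

        if (!TEST_true(SSL_read_ex(clientssl, p, want, &readbytes)))
            goto end;
        p += readbytes;
        len -= readbytes;
    }
    if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
        goto end;

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
#endif /* OPENSSL_NO_TLS1_2 */

static int test_session_timeout(int test)
{
    /*
     * Test session ordering and timeout
     * Can't explicitly test performance of the new code,
     * but can test to see if the ordering of the sessions
     * are correct, and they are removed as expected
     */
    SSL_SESSION *early = NULL;
    SSL_SESSION *middle = NULL;
    SSL_SESSION *late = NULL;
    SSL_CTX *ctx;
    int testresult = 0;
    time_t now = time(NULL);
#define TIMEOUT 10

    if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
        || !TEST_ptr(early = SSL_SESSION_new())
        || !TEST_ptr(middle = SSL_SESSION_new())
        || !TEST_ptr(late = SSL_SESSION_new()))
        goto end;

    /* assign unique session ids */
    early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
    memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
    middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
    memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
    late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
    memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);

    if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
        || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
        || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
        goto end;

    /* Make sure they are all added */
    if (!TEST_ptr(early->prev)
        || !TEST_ptr(middle->prev)
        || !TEST_ptr(late->prev))
        goto end;

    if (!TEST_time_t_ne(SSL_SESSION_set_time_ex(early, now - 10), 0)
        || !TEST_time_t_ne(SSL_SESSION_set_time_ex(middle, now), 0)
        || !TEST_time_t_ne(SSL_SESSION_set_time_ex(late, now + 10), 0))
        goto end;

    if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
        ||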
!TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
        || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
        goto end;

    /* Make sure they are all still there */
    if (!TEST_ptr(early->prev)
        || !TEST_ptr(middle->prev)
        || !TEST_ptr(late->prev))
        goto end;

    /* Make sure they are in the expected order */
    if (!TEST_ptr_eq(late->next, middle)
        || !TEST_ptr_eq(middle->next, early)
        || !TEST_ptr_eq(early->prev, middle)
        || !TEST_ptr_eq(middle->prev, late))
        goto end;

    /* This should remove "early" */
    SSL_CTX_flush_sessions_ex(ctx, now + TIMEOUT - 1);
    if (!TEST_ptr_null(early->prev)
        || !TEST_ptr(middle->prev)
        || !TEST_ptr(late->prev))
        goto end;

    /* This should remove "middle" */
    SSL_CTX_flush_sessions_ex(ctx, now + TIMEOUT + 1);
    if (!TEST_ptr_null(early->prev)
        || !TEST_ptr_null(middle->prev)
        || !TEST_ptr(late->prev))
        goto end;

    /* This should remove "late" */
    SSL_CTX_flush_sessions_ex(ctx, now + TIMEOUT + 11);
    if (!TEST_ptr_null(early->prev)
        || !TEST_ptr_null(middle->prev)
        || !TEST_ptr_null(late->prev))
        goto end;

    /* Add them back in again */
    if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
        || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
        || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
        goto end;

    /* Make sure they are all added */
    if (!TEST_ptr(early->prev)
        || !TEST_ptr(middle->prev)
        || !TEST_ptr(late->prev))
        goto end;

    /* This should remove all of them */
    SSL_CTX_flush_sessions_ex(ctx, 0);
    if (!TEST_ptr_null(early->prev)
        || !TEST_ptr_null(middle->prev)
        || !TEST_ptr_null(late->prev))
        goto end;

    (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME | SSL_CTX_get_session_cache_mode(ctx));

    /* make sure |now| is NOT equal to the current time */
    now -= 10;
    if (!TEST_time_t_ne(SSL_SESSION_set_time_ex(early, now), 0)
        || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
        || !TEST_time_t_ne(SSL_SESSION_get_time_ex(early), now))
        goto end;

    testresult = 1;
end:
    SSL_CTX_free(ctx);
    SSL_SESSION_free(early);
    SSL_SESSION_free(middle);
    SSL_SESSION_free(late);
    return testresult;
}

/*
 * Test that a session cache overflow works as expected
 * Test 0: TLSv1.3, timeout on new session later than old session
 * Test 1: TLSv1.2, timeout on new session later than old session
 * Test 2: TLSv1.3, timeout on new session earlier than old session
 * Test 3: TLSv1.2, timeout on new session earlier than old session
 */
#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
static int test_session_cache_overflow(int idx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    /* Client session owned by this function; released at end: */
    SSL_SESSION *sess = NULL;
    /* Even test indices run TLSv1.3, odd ones TLSv1.2 */
    const int use_tls13 = (idx % 2 == 0);
    int ok = 0;
    int refcnt;

#ifdef OSSL_NO_USABLE_TLS1_3
    /* If no TLSv1.3 available then do nothing in this case */
    if (idx % 2 == 0)
        return TEST_skip("No TLSv1.3 available");
#endif
#ifdef OPENSSL_NO_TLS1_2
    /* If no TLSv1.2 available then do nothing in this case */
    if (idx % 2 == 1)
        return TEST_skip("No TLSv1.2 available");
#endif

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(), TLS1_VERSION,
                                       use_tls13 ? TLS1_3_VERSION
                                                 : TLS1_2_VERSION,
                                       &sctx, &cctx, cert, privkey)))
        goto end;
    if (!TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET)))
        goto end;

    SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
    get_sess_val = NULL;

    SSL_CTX_sess_set_cache_size(sctx, 1);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    if (idx > 1) {
        /*
         * Borrowed pointer only: it is deliberately kept out of |sess| so
         * that the cleanup at end: never frees it.
         */
        SSL_SESSION *first = SSL_get_session(serverssl);

        if (!TEST_ptr(first))
            goto end;

        /*
         * Cause this session to have a longer timeout than the next session to
         * be added.
         */
        if (!TEST_true(SSL_SESSION_set_timeout(first, LONG_MAX)))
            goto end;
    }

    SSL_shutdown(serverssl);
    SSL_shutdown(clientssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    /*
     * Session cache size is 1 and we already populated the cache with a session
     * so the next connection should cause an overflow.
     */

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /*
     * The session we just negotiated may have been already removed from the
     * internal cache - but we will return it anyway from our external cache.
     */
    get_sess_val = SSL_get_session(serverssl);
    if (!TEST_ptr(get_sess_val))
        goto end;
    /*
     * Normally the session is also stored in the cache, thus we have more than
     * one reference, but due to an out-of-memory error it can happen that this
     * is the only reference, and in that case the SSL_free(serverssl) below
     * would free the get_sess_val, causing a use-after-free error.
     */
    if (!TEST_true(CRYPTO_GET_REF(&get_sess_val->references, &refcnt)))
        goto end;
    if (!TEST_int_ge(refcnt, 2))
        goto end;
    sess = SSL_get1_session(clientssl);
    if (!TEST_ptr(sess))
        goto end;

    SSL_shutdown(serverssl);
    SSL_shutdown(clientssl);
    SSL_free(serverssl);
    SSL_free(clientssl);
    serverssl = clientssl = NULL;

    /* Third connection: resume with the client session saved above */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL)))
        goto end;

    if (!TEST_true(SSL_set_session(clientssl, sess)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    ok = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    SSL_SESSION_free(sess);

    return ok;
}
#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */

/*
 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
 * Test 7:
Client sets inconsistent servername on resumption (TLSv1.3)
 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
 */
static int test_servername(int tst)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    SSL_SESSION *sess = NULL;
    /* Names each side is expected to report from SSL_get_servername() */
    const char *sexpectedhost = NULL, *cexpectedhost = NULL;
    /* Tests 0-4 cap the connection at TLSv1.2, tests 5-9 at TLSv1.3 */
    const int max_proto = (tst <= 4) ? TLS1_2_VERSION : TLS1_3_VERSION;
    int ok = 0;

#ifdef OPENSSL_NO_TLS1_2
    if (tst <= 4)
        return 1;
#endif
#ifdef OSSL_NO_USABLE_TLS1_3
    if (tst >= 5)
        return 1;
#endif

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                       TLS_client_method(),
                                       TLS1_VERSION,
                                       max_proto,
                                       &sctx, &cctx, cert, privkey)))
        goto end;
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL)))
        goto end;

    /* Tests 1 and 6 run without a servername callback on the server */
    if (tst != 1 && tst != 6
        && !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
                                                             hostname_cb)))
        goto end;

    /* Tests 3 and 8 send no hostname on the initial handshake */
    if (tst != 3 && tst != 8) {
        if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
            goto end;
        sexpectedhost = cexpectedhost = "goodhost";
    }

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
                     cexpectedhost))
        goto end;
    if (!TEST_str_eq(SSL_get_servername(serverssl,
                                        TLSEXT_NAMETYPE_host_name),
                     sexpectedhost))
        goto end;

    /* Now repeat with a resumption handshake */

    if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
        goto end;
    if (!TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL))
        goto end;
    if (!TEST_true(SSL_SESSION_is_resumable(sess)))
        goto end;
    if (!TEST_int_eq(SSL_shutdown(serverssl), 0))
        goto end;

    SSL_free(clientssl);
    SSL_free(serverssl);
    clientssl = serverssl = NULL;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
                                      NULL)))
        goto end;

    if (!TEST_true(SSL_set_session(clientssl, sess)))
        goto end;

    sexpectedhost = cexpectedhost = "goodhost";
    switch (tst) {
    case 2:
    case 7:
        /* Set an inconsistent hostname */
        if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
            goto end;
        /*
         * In TLSv1.2 we expect the hostname from the original handshake, in
         * TLSv1.3 we expect the hostname from this handshake
         */
        if (tst == 7)
            sexpectedhost = cexpectedhost = "altgoodhost";

        if (!TEST_str_eq(SSL_get_servername(clientssl,
                                            TLSEXT_NAMETYPE_host_name),
                         "altgoodhost"))
            goto end;
        break;
    case 4:
    case 9:
        /*
         * A TLSv1.3 session does not associate a session with a servername,
         * but a TLSv1.2 session does.
         */
        if (tst == 9)
            sexpectedhost = cexpectedhost = NULL;

        if (!TEST_str_eq(SSL_get_servername(clientssl,
                                            TLSEXT_NAMETYPE_host_name),
                         cexpectedhost))
            goto end;
        break;
    default:
        if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
            goto end;
        /*
         * In a TLSv1.2 resumption where the hostname was not acknowledged
         * we expect the hostname on the server to be empty. On the client we
         * return what was requested in this case.
         *
         * Similarly if the client didn't set a hostname on an original TLSv1.2
         * session but is now, the server hostname will be empty, but the client
         * is as we set it.
         */
        if (tst == 1 || tst == 3)
            sexpectedhost = NULL;

        if (!TEST_str_eq(SSL_get_servername(clientssl,
                                            TLSEXT_NAMETYPE_host_name),
                         "goodhost"))
            goto end;
        break;
    }

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /* Both sides must report a resumed session and the expected names */
    if (!TEST_true(SSL_session_reused(clientssl)))
        goto end;
    if (!TEST_true(SSL_session_reused(serverssl)))
        goto end;
    if (!TEST_str_eq(SSL_get_servername(clientssl,
                                        TLSEXT_NAMETYPE_host_name),
                     cexpectedhost))
        goto end;
    if (!TEST_str_eq(SSL_get_servername(serverssl,
                                        TLSEXT_NAMETYPE_host_name),
                     sexpectedhost))
        goto end;

    ok = 1;

end:
    SSL_SESSION_free(sess);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return ok;
}

static int test_unknown_sigalgs_groups(void)
{
    int ret = 0;
    SSL_CTX *ctx = NULL;

    if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
        goto end;

    if (!TEST_int_gt(SSL_CTX_set1_sigalgs_list(ctx,
                                               "RSA+SHA256:?nonexistent:?RSA+SHA512"),
                     0))
        goto end;
    if (!TEST_size_t_eq(ctx->cert->conf_sigalgslen, 2)
        || !TEST_int_eq(ctx->cert->conf_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256)
        || !TEST_int_eq(ctx->cert->conf_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
        goto end;

    if (!TEST_int_gt(SSL_CTX_set1_client_sigalgs_list(ctx,
                                                      "RSA+SHA256:?nonexistent:?RSA+SHA512"),
                     0))
        goto end;
    if (!TEST_size_t_eq(ctx->cert->client_sigalgslen, 2)
        || !TEST_int_eq(ctx->cert->client_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256)
        || !TEST_int_eq(ctx->cert->client_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
        goto end;

    if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
                                              "nonexistent"),
                     0))
        goto end;

    if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx,
10352 "?nonexistent1:?nonexistent2:?nonexistent3"), 10353 0)) 10354 goto end; 10355 10356 #ifndef OPENSSL_NO_EC 10357 if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx, 10358 "P-256:nonexistent"), 10359 0)) 10360 goto end; 10361 10362 if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx, 10363 "P-384:?nonexistent:?P-521"), 10364 0)) 10365 goto end; 10366 if (!TEST_size_t_eq(ctx->ext.supportedgroups_len, 2) 10367 || !TEST_int_eq(ctx->ext.supportedgroups[0], OSSL_TLS_GROUP_ID_secp384r1) 10368 || !TEST_int_eq(ctx->ext.supportedgroups[1], OSSL_TLS_GROUP_ID_secp521r1)) 10369 goto end; 10370 #endif 10371 10372 ret = 1; 10373 end: 10374 SSL_CTX_free(ctx); 10375 return ret; 10376 } 10377 10378 #if (!defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)) || !defined(OPENSSL_NO_ML_KEM) 10379 static int test_configuration_of_groups(void) 10380 { 10381 int ret = 0; 10382 SSL_CTX *ctx = NULL; 10383 size_t groups_len; 10384 10385 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()))) 10386 goto end; 10387 groups_len = ctx->ext.supportedgroups_len; 10388 10389 if (!TEST_size_t_gt(groups_len, 0) 10390 || !TEST_int_gt(SSL_CTX_set1_groups_list(ctx, "DEFAULT"), 0) 10391 || !TEST_size_t_eq(ctx->ext.supportedgroups_len, groups_len)) 10392 goto end; 10393 10394 if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx, "DEFAULT:-?P-256"), 0) 10395 #if !defined(OPENSSL_NO_EC) 10396 || !TEST_size_t_eq(ctx->ext.supportedgroups_len, groups_len - 1) 10397 #else 10398 || !TEST_size_t_eq(ctx->ext.supportedgroups_len, groups_len) 10399 #endif 10400 ) 10401 goto end; 10402 10403 #if !defined(OPENSSL_NO_EC) 10404 if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx, "?P-256:?P-521:-?P-256"), 0) 10405 || !TEST_size_t_eq(ctx->ext.supportedgroups_len, 1) 10406 || !TEST_int_eq(ctx->ext.supportedgroups[0], OSSL_TLS_GROUP_ID_secp521r1)) 10407 goto end; 10408 #endif 10409 10410 ret = 1; 10411 10412 end: 10413 SSL_CTX_free(ctx); 10414 return ret; 10415 } 10416 #endif 10417 10418 #if !defined(OPENSSL_NO_EC) \ 10419 && 
(!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)) 10420 /* 10421 * Test that if signature algorithms are not available, then we do not offer or 10422 * accept them. 10423 * Test 0: Two RSA sig algs available: both RSA sig algs shared 10424 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared 10425 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared 10426 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared 10427 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared 10428 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared 10429 */ 10430 static int test_sigalgs_available(int idx) 10431 { 10432 SSL_CTX *cctx = NULL, *sctx = NULL; 10433 SSL *clientssl = NULL, *serverssl = NULL; 10434 int testresult = 0; 10435 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new(); 10436 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx; 10437 OSSL_PROVIDER *filterprov = NULL; 10438 int sig, hash, numshared, numshared_expected, hash_expected, sig_expected; 10439 const char *sigalg_name, *signame_expected; 10440 10441 if (!TEST_ptr(tmpctx)) 10442 goto end; 10443 10444 if (idx != 0 && idx != 3) { 10445 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter", 10446 filter_provider_init))) 10447 goto end; 10448 10449 filterprov = OSSL_PROVIDER_load(tmpctx, "filter"); 10450 if (!TEST_ptr(filterprov)) 10451 goto end; 10452 10453 if (idx < 3) { 10454 /* 10455 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered 10456 * or accepted for the peer that uses this libctx. Note that libssl 10457 * *requires* SHA2-256 to be available so we cannot disable that. We 10458 * also need SHA1 for our certificate. 
10459 */ 10460 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST, 10461 "SHA2-256:SHA1"))) 10462 goto end; 10463 } else { 10464 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE, 10465 "ECDSA")) 10466 #ifdef OPENSSL_NO_ECX 10467 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT, "EC")) 10468 #else 10469 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT, 10470 "EC:X25519:X448")) 10471 #endif 10472 ) 10473 goto end; 10474 } 10475 10476 if (idx == 1 || idx == 4) 10477 clientctx = tmpctx; 10478 else 10479 serverctx = tmpctx; 10480 } 10481 10482 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method()); 10483 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method()); 10484 if (!TEST_ptr(cctx) || !TEST_ptr(sctx)) 10485 goto end; 10486 10487 /* Avoid MLKEM groups that depend on possibly filtered-out digests */ 10488 if (!TEST_true(SSL_CTX_set1_groups_list(cctx, 10489 "?X25519:?secp256r1:?ffdhe2048:?ffdhe3072")) 10490 || !TEST_true(SSL_CTX_set1_groups_list(sctx, 10491 "?X25519:?secp256r1:?ffdhe2048:?ffdhe3072"))) 10492 goto end; 10493 10494 if (idx != 5) { 10495 /* RSA first server key */ 10496 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 10497 TLS_client_method(), 10498 TLS1_VERSION, 10499 0, 10500 &sctx, &cctx, cert, privkey))) 10501 goto end; 10502 } else { 10503 /* ECDSA P-256 first server key */ 10504 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 10505 TLS_client_method(), 10506 TLS1_VERSION, 10507 0, 10508 &sctx, &cctx, cert2, privkey2))) 10509 goto end; 10510 } 10511 10512 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */ 10513 if (idx < 4) { 10514 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, 10515 "ECDHE-RSA-AES128-GCM-SHA256"))) 10516 goto end; 10517 } else { 10518 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, 10519 "ECDHE-ECDSA-AES128-GCM-SHA256"))) 10520 goto end; 10521 } 10522 10523 if (idx < 3) { 10524 if (!SSL_CTX_set1_sigalgs_list(cctx, 10525 "rsa_pss_rsae_sha384" 10526 
":rsa_pss_rsae_sha256") 10527 || !SSL_CTX_set1_sigalgs_list(sctx, 10528 "rsa_pss_rsae_sha384" 10529 ":rsa_pss_rsae_sha256")) 10530 goto end; 10531 } else { 10532 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256") 10533 || !SSL_CTX_set1_sigalgs_list(sctx, 10534 "rsa_pss_rsae_sha256:ECDSA+SHA256")) 10535 goto end; 10536 } 10537 10538 /* ECDSA P-256 second server key, unless already first */ 10539 if (idx != 5 10540 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2, 10541 SSL_FILETYPE_PEM), 10542 1) 10543 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, 10544 privkey2, 10545 SSL_FILETYPE_PEM), 10546 1) 10547 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))) 10548 goto end; 10549 10550 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 10551 NULL, NULL))) 10552 goto end; 10553 10554 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 10555 goto end; 10556 10557 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */ 10558 numshared = SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, 10559 NULL, NULL, NULL); 10560 numshared_expected = 1; 10561 hash_expected = NID_sha256; 10562 sig_expected = NID_rsassaPss; 10563 signame_expected = "rsa_pss_rsae_sha256"; 10564 switch (idx) { 10565 case 0: 10566 hash_expected = NID_sha384; 10567 signame_expected = "rsa_pss_rsae_sha384"; 10568 /* FALLTHROUGH */ 10569 case 3: 10570 numshared_expected = 2; 10571 break; 10572 case 4: 10573 case 5: 10574 sig_expected = EVP_PKEY_EC; 10575 signame_expected = "ecdsa_secp256r1_sha256"; 10576 break; 10577 } 10578 if (!TEST_int_eq(numshared, numshared_expected) 10579 || !TEST_int_eq(hash, hash_expected) 10580 || !TEST_int_eq(sig, sig_expected) 10581 || !TEST_true(SSL_get0_peer_signature_name(clientssl, &sigalg_name)) 10582 || !TEST_ptr(sigalg_name) 10583 || !TEST_str_eq(sigalg_name, signame_expected)) 10584 goto end; 10585 10586 testresult = filter_provider_check_clean_finish(); 10587 10588 end: 10589 
SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    OSSL_PROVIDER_unload(filterprov);
    OSSL_LIB_CTX_free(tmpctx);

    return testresult;
}
#endif /* \
        * !defined(OPENSSL_NO_EC) \
        * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)) \
        */

#ifndef OPENSSL_NO_TLS1_3
/*
 * Check that a key exchange group named "xorkemgroup" (idx == 0) or
 * "xorgroup" (any other idx) can be negotiated in a TLSv1.3-only handshake
 * once the "tls-provider" provider is loaded, and that both endpoints then
 * report that group name.
 *
 * This test can run in TLSv1.3 even if ec and dh are disabled
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_pluggable_group(int idx)
{
    /*
     * Server-side list of 45 names (2 real + 43 "dummy" entries), to ensure
     * the GROUPLIST_INCREMENT (=40) logic triggers.
     * Note carried over from the original: removing a single algorithm from
     * the list makes the test pass.
     */
    static const char server_groups[] =
        "xorgroup:xorkemgroup"
        ":dummy1:dummy2:dummy3:dummy4:dummy5:dummy6:dummy7:dummy8:dummy9:dummy10"
        ":dummy11:dummy12:dummy13:dummy14:dummy15:dummy16:dummy17:dummy18:dummy19:dummy20"
        ":dummy21:dummy22:dummy23:dummy24:dummy25:dummy26:dummy27:dummy28:dummy29:dummy30"
        ":dummy31:dummy32:dummy33:dummy34:dummy35:dummy36:dummy37:dummy38:dummy39:dummy40"
        ":dummy41:dummy42:dummy43";
    SSL_CTX *client_ctx = NULL, *server_ctx = NULL;
    SSL *client = NULL, *server = NULL;
    int ok = 0;
    OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
    /*
     * Check that we are not impacted by a provider without any groups.
     * The result of this load is not checked here.
     */
    OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
    const char *wanted_group = (idx == 0) ? "xorkemgroup" : "xorgroup";

    if (!TEST_ptr(tlsprov))
        goto end;

    /* Both ends are pinned to TLSv1.3 (min == max) */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            TLS1_3_VERSION,
            TLS1_3_VERSION,
            &server_ctx, &client_ctx, cert, privkey)))
        goto end;
    if (!TEST_true(create_ssl_objects(server_ctx, client_ctx, &server, &client,
            NULL, NULL)))
        goto end;

    /* The server accepts the long list, the client offers a single group */
    if (!TEST_true(SSL_set1_groups_list(server, server_groups)))
        goto end;
    if (!TEST_true(SSL_set1_groups_list(client, wanted_group)))
        goto end;

    if (!TEST_true(create_ssl_connection(server, client, SSL_ERROR_NONE)))
        goto end;

    /* The first shared group seen by the server must be the one offered */
    if (!TEST_str_eq(wanted_group,
            SSL_group_to_name(server, SSL_get_shared_group(server, 0))))
        goto end;

    /* Both endpoints must report the negotiated group under that name */
    if (!TEST_str_eq(wanted_group, SSL_get0_group_name(server)))
        goto end;
    if (!TEST_str_eq(wanted_group, SSL_get0_group_name(client)))
        goto end;

    ok = 1;

end:
    SSL_free(server);
    SSL_free(client);
    SSL_CTX_free(server_ctx);
    SSL_CTX_free(client_ctx);
    OSSL_PROVIDER_unload(tlsprov);
    OSSL_PROVIDER_unload(legacyprov);

    return ok;
}

/*
 * This function triggers encode, decode and sign functions
 * of the artificial "xorhmacsig" algorithm implemented in tls-provider
 * creating private key and certificate files for use in TLS testing.
 */
static int create_cert_key(int idx, char *certfilename, char *privkeyfilename)
{
    EVP_PKEY_CTX *evpctx = EVP_PKEY_CTX_new_from_name(libctx,
        (idx == 0) ? "xorhmacsig" : "xorhmacsha2sig", NULL);
    EVP_PKEY *pkey = NULL;
    X509 *x509 = X509_new();
    X509_NAME *name = NULL;
    BIO *keybio = NULL, *certbio = NULL;
    int ret = 1;

    if (!TEST_ptr(evpctx)
        || !TEST_int_gt(EVP_PKEY_keygen_init(evpctx), 0)
        || !TEST_true(EVP_PKEY_generate(evpctx, &pkey))
        || !TEST_ptr(pkey)
        || !TEST_ptr(x509)
        || !TEST_true(ASN1_INTEGER_set(X509_get_serialNumber(x509), 1))
        || !TEST_true(X509_gmtime_adj(X509_getm_notBefore(x509), 0))
        || !TEST_true(X509_gmtime_adj(X509_getm_notAfter(x509), 31536000L))
        || !TEST_true(X509_set_pubkey(x509, pkey))
        || !TEST_ptr(name = X509_get_subject_name(x509))
        || !TEST_true(X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC,
            (unsigned char *)"CH", -1, -1, 0))
        || !TEST_true(X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
            (unsigned char *)"test.org", -1, -1, 0))
        || !TEST_true(X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
(unsigned char *)"localhost", -1, -1, 0)) 10688 || !TEST_true(X509_set_issuer_name(x509, name)) 10689 || !TEST_true(X509_sign(x509, pkey, EVP_sha1())) 10690 || !TEST_ptr(keybio = BIO_new_file(privkeyfilename, "wb")) 10691 || !TEST_true(PEM_write_bio_PrivateKey(keybio, pkey, NULL, NULL, 0, NULL, NULL)) 10692 || !TEST_ptr(certbio = BIO_new_file(certfilename, "wb")) 10693 || !TEST_true(PEM_write_bio_X509(certbio, x509))) 10694 ret = 0; 10695 10696 EVP_PKEY_free(pkey); 10697 X509_free(x509); 10698 EVP_PKEY_CTX_free(evpctx); 10699 BIO_free(keybio); 10700 BIO_free(certbio); 10701 return ret; 10702 } 10703 10704 /* 10705 * Test that signature algorithms loaded via the provider interface can 10706 * correctly establish a TLS (1.3) connection. 10707 * Test 0: Signature algorithm with built-in hashing functionality: "xorhmacsig" 10708 * Test 1: Signature algorithm using external SHA2 hashing: "xorhmacsha2sig" 10709 * Test 2: Signature algorithm with built-in hashing configured via SSL_CONF_cmd 10710 * Test 3: Test 0 using RPK 10711 * Test 4: Test 1 using RPK 10712 * Test 5: Test 2 using RPK 10713 */ 10714 static int test_pluggable_signature(int idx) 10715 { 10716 static const unsigned char cert_type_rpk[] = { TLSEXT_cert_type_rpk, TLSEXT_cert_type_x509 }; 10717 SSL_CTX *cctx = NULL, *sctx = NULL; 10718 SSL *clientssl = NULL, *serverssl = NULL; 10719 int testresult = 0; 10720 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider"); 10721 OSSL_PROVIDER *defaultprov = OSSL_PROVIDER_load(libctx, "default"); 10722 char *certfilename = "tls-prov-cert.pem"; 10723 char *privkeyfilename = "tls-prov-key.pem"; 10724 const char *sigalg_name = NULL, *expected_sigalg_name; 10725 int sigidx = idx % 3; 10726 int rpkidx = idx / 3; 10727 int do_conf_cmd = 0; 10728 10729 if (sigidx == 2) { 10730 sigidx = 0; 10731 do_conf_cmd = 1; 10732 } 10733 10734 /* See create_cert_key() above */ 10735 expected_sigalg_name = (sigidx == 0) ? 
"xorhmacsig" : "xorhmacsha2sig"; 10736 10737 /* create key and certificate for the different algorithm types */ 10738 if (!TEST_ptr(tlsprov) 10739 || !TEST_true(create_cert_key(sigidx, certfilename, privkeyfilename))) 10740 goto end; 10741 10742 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 10743 TLS_client_method(), 10744 TLS1_3_VERSION, 10745 TLS1_3_VERSION, 10746 &sctx, &cctx, NULL, NULL))) 10747 goto end; 10748 10749 if (do_conf_cmd) { 10750 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new(); 10751 10752 if (!TEST_ptr(confctx)) 10753 goto end; 10754 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE | SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE | SSL_CONF_FLAG_REQUIRE_PRIVATE | SSL_CONF_FLAG_SHOW_ERRORS); 10755 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx); 10756 if (!TEST_int_gt(SSL_CONF_cmd(confctx, "Certificate", certfilename), 0) 10757 || !TEST_int_gt(SSL_CONF_cmd(confctx, "PrivateKey", privkeyfilename), 0) 10758 || !TEST_true(SSL_CONF_CTX_finish(confctx))) { 10759 SSL_CONF_CTX_free(confctx); 10760 goto end; 10761 } 10762 SSL_CONF_CTX_free(confctx); 10763 } else { 10764 if (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, certfilename, 10765 SSL_FILETYPE_PEM), 10766 1) 10767 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, 10768 privkeyfilename, 10769 SSL_FILETYPE_PEM), 10770 1)) 10771 goto end; 10772 } 10773 if (!TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)) 10774 goto end; 10775 10776 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 10777 NULL, NULL))) 10778 goto end; 10779 10780 /* Enable RPK for server cert */ 10781 if (rpkidx) { 10782 if (!TEST_true(SSL_set1_server_cert_type(serverssl, cert_type_rpk, sizeof(cert_type_rpk))) 10783 || !TEST_true(SSL_set1_server_cert_type(clientssl, cert_type_rpk, sizeof(cert_type_rpk)))) 10784 goto end; 10785 } 10786 10787 /* This is necessary to pass minimal setup w/o other groups configured */ 10788 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup")) 10789 || 
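!TEST_true(SSL_set1_groups_list(clientssl, "xorgroup")))
        goto end;

    /*
     * If this connection gets established, it must have been completed
     * via the tls-provider-implemented "hmacsig" algorithm, testing
     * both sign and verify functions during handshake.
     */
    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /* If using RPK, make sure we got one */
    if (rpkidx && !TEST_long_eq(SSL_get_verify_result(clientssl), X509_V_ERR_RPK_UNTRUSTED))
        goto end;

    if (!TEST_true(SSL_get0_peer_signature_name(clientssl, &sigalg_name))
        || !TEST_str_eq(sigalg_name, expected_sigalg_name)
        || !TEST_ptr(sigalg_name))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    OSSL_PROVIDER_unload(tlsprov);
    OSSL_PROVIDER_unload(defaultprov);

    return testresult;
}
#endif

#ifndef OPENSSL_NO_TLS1_2
/*
 * Test SSL_dup() on a client SSL object restricted to TLSv1.2.
 *
 * Before the handshake the duplicate must be a distinct object that carries
 * the same min/max protocol version; it is given the original's read and
 * write BIOs and then used to complete the handshake. After the handshake a
 * second SSL_dup() is expected to return the very same pointer.
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_ssl_dup(void)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
    int testresult = 0;
    BIO *rbio = NULL, *wbio = NULL;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            0,
            0,
            &sctx, &cctx, cert, privkey)))
        goto end;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto end;

    if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
        || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
        goto end;

    /*
     * Validate the duplicate before anything is attached to it. The original
     * code only tested client2ssl after SSL_set0_rbio()/SSL_set0_wbio() had
     * already been called on it, so a failed SSL_dup() was handed to those
     * setters as NULL together with a freshly referenced BIO.
     */
    client2ssl = SSL_dup(clientssl);
    if (!TEST_ptr(client2ssl)
        /* Handshake not started so pointers should be different */
        || !TEST_ptr_ne(clientssl, client2ssl))
        goto end;

    /*
     * Share the original's BIOs with the duplicate. SSL_set0_*bio() takes
     * over the reference we pass, hence the BIO_up_ref() first and the
     * local pointer being cleared afterwards.
     */
    rbio = SSL_get_rbio(clientssl);
    if (!TEST_ptr(rbio)
        || !TEST_true(BIO_up_ref(rbio)))
        goto end;
    SSL_set0_rbio(client2ssl, rbio);
    rbio = NULL;

    wbio = SSL_get_wbio(clientssl);
    if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
        goto end;
    SSL_set0_wbio(client2ssl, wbio);
    /* The original cleared rbio a second time here instead of wbio */
    wbio = NULL;

    /* The protocol version limits must have been copied to the duplicate */
    if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
        || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
        goto end;

    SSL_free(clientssl);
    clientssl = SSL_dup(client2ssl);
    if (!TEST_ptr(clientssl)
        /* Handshake has finished so pointers should be the same */
        || !TEST_ptr_eq(clientssl, client2ssl))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    /*
     * On the success path clientssl and client2ssl are the same pointer and
     * both are released here; presumably the second SSL_dup() took an extra
     * reference - confirm against the SSL_dup() documentation.
     */
    SSL_free(clientssl);
    SSL_free(client2ssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}

/*
 * Session secret callback used by test_session_secret_cb().
 *
 * Overwrites the *secret_len bytes at secretin with 0xff and returns 1.
 * s, peer_ciphers and arg are not used, and *cipher is left untouched.
 *
 * A constant, publicly known master secret gives no confidentiality at all;
 * it is only acceptable here because this is a test in which both endpoints
 * install this same callback.
 */
static int secret_cb(SSL *s, void *secretin, int *secret_len,
    STACK_OF(SSL_CIPHER) *peer_ciphers,
    const SSL_CIPHER **cipher, void *arg)
{
    int i;
    unsigned char *secret = secretin;

    /* Just use a fixed master secret */
    for (i = 0; i < *secret_len; i++)
        secret[i] = 0xff;

    /* We don't set a preferred cipher */

    return 1;
}

/*
 * Test the session_secret_cb which is designed for use with EAP-FAST
 */
static int test_session_secret_cb(int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    SSL_SESSION *secret_sess = NULL, *server_sess = NULL;
    unsigned int sess_len;
    const unsigned char *sessid;
    int testresult = 0;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            0,
            0,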
&sctx, &cctx, cert, privkey))) 10924 goto end; 10925 10926 /* Create an initial connection and save the session */ 10927 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 10928 NULL, NULL))) 10929 goto end; 10930 10931 /* session_secret_cb does not support TLSv1.3 */ 10932 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION)) 10933 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))) 10934 goto end; 10935 10936 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 10937 goto end; 10938 10939 if (!TEST_ptr(secret_sess = SSL_get1_session(clientssl))) 10940 goto end; 10941 10942 shutdown_ssl_connection(serverssl, clientssl); 10943 serverssl = clientssl = NULL; 10944 10945 /* Resume the earlier session */ 10946 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 10947 NULL, NULL))) 10948 goto end; 10949 10950 if (idx == 0) { 10951 /* 10952 * Normal case: no session id 10953 */ 10954 if (!TEST_true(SSL_SESSION_set1_id(secret_sess, NULL, 0))) 10955 goto end; 10956 } else { 10957 /* 10958 * Set an explicit session id. Normally we don't support this, but we 10959 * can get away with it if we reset the session id later 10960 */ 10961 if (!TEST_true(SSL_SESSION_set1_id(secret_sess, (unsigned char *)"sessionid", 9))) 10962 goto end; 10963 } 10964 10965 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION)) 10966 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION)) 10967 || !TEST_true(SSL_set_session_secret_cb(serverssl, secret_cb, 10968 NULL)) 10969 || !TEST_true(SSL_set_session_secret_cb(clientssl, secret_cb, 10970 NULL)) 10971 || !TEST_true(SSL_set_session(clientssl, secret_sess))) 10972 goto end; 10973 10974 if (idx == 1) { 10975 /* 10976 * We just send the ClientHello here. 
We expect this to fail with
         * SSL_ERROR_WANT_READ
         */
        if (!TEST_int_le(SSL_connect(clientssl), 0))
            goto end;
        /* Reset the session id to avoid confusing the state machine */
        if (!TEST_true(SSL_SESSION_set1_id(secret_sess, NULL, 0)))
            goto end;
    }
    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /* Check that session resumption was successful */
    if (!TEST_true(SSL_session_reused(clientssl))
        || !TEST_true(SSL_session_reused(serverssl)))
        goto end;

    if (idx == 1) {
        server_sess = SSL_get1_session(serverssl);
        if (!TEST_ptr(server_sess))
            goto end;
        sessid = SSL_SESSION_get_id(server_sess, &sess_len);

        if (!TEST_mem_eq(sessid, sess_len, "sessionid", 9))
            goto end;
    }
    testresult = 1;

end:
    SSL_SESSION_free(secret_sess);
    SSL_SESSION_free(server_sess);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}

#ifndef OPENSSL_NO_DH

static EVP_PKEY *tmp_dh_params = NULL;

/*
 * Helper function for the test_set_tmp_dh() tests
 *
 * On first use this builds a DH parameter key from the RFC 3526 2048-bit
 * prime with generator 2 and caches it in the file-scope tmp_dh_params.
 * Every successful call takes one extra reference on the cached key, so the
 * caller must release the returned pointer with EVP_PKEY_free().
 *
 * Returns NULL if the parameters could not be created or the reference
 * could not be taken.
 */
static EVP_PKEY *get_tmp_dh_params(void)
{
    BIGNUM *prime = NULL;
    OSSL_PARAM_BLD *bld = NULL;
    EVP_PKEY_CTX *pctx = NULL;
    OSSL_PARAM *params = NULL;
    EVP_PKEY *dhpkey = NULL;

    /* Already built by an earlier call: only a new reference is needed */
    if (tmp_dh_params != NULL)
        goto ref;

    prime = BN_get_rfc3526_prime_2048(NULL);
    if (!TEST_ptr(prime))
        goto cleanup;

    pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
    if (!TEST_ptr(pctx))
        goto cleanup;
    if (!TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
        goto cleanup;

    /* Describe the parameters as p = RFC 3526 prime, g = 2 */
    bld = OSSL_PARAM_BLD_new();
    if (!TEST_ptr(bld))
        goto cleanup;
    if (!TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, prime)))
        goto cleanup;
    if (!TEST_true(OSSL_PARAM_BLD_push_uint(bld, OSSL_PKEY_PARAM_FFC_G, 2)))
        goto cleanup;

    params = OSSL_PARAM_BLD_to_param(bld);
    if (!TEST_ptr(params))
        goto cleanup;
    if (!TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
                         EVP_PKEY_KEY_PARAMETERS,
                         params),
            1))
        goto cleanup;

    tmp_dh_params = dhpkey;

cleanup:
    /* The builder inputs are released whether or not the key was created */
    BN_free(prime);
    EVP_PKEY_CTX_free(pctx);
    OSSL_PARAM_BLD_free(bld);
    OSSL_PARAM_free(params);

ref:
    if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
        return NULL;

    return tmp_dh_params;
}

#ifndef OPENSSL_NO_DEPRECATED_3_0
/*
 * Callback used by test_set_tmp_dh()
 *
 * Returns the DH object held inside the cached parameter key, or NULL if
 * the parameters are unavailable. s, is_export and keylen are not used.
 */
static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
{
    EVP_PKEY *params = get_tmp_dh_params();
    DH *dh = NULL;

    if (!TEST_ptr(params))
        return NULL;

    /*
     * libssl does not free the returned DH, so we free it now knowing that even
     * after we free dhpkey, there will still be a reference to the owning
     * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
     * of time we need it for.
     *
     * NOTE(review): the pointer returned below no longer carries a reference
     * of its own. That is only sound while tmp_dh_params keeps the key alive;
     * anywhere else this pattern would be a use-after-free.
     */
    dh = EVP_PKEY_get1_DH(params);
    DH_free(dh);

    EVP_PKEY_free(params);

    return dh;
}
#endif

/*
 * Test the various methods for setting temporary DH parameters
 *
 * Test 0: Default (no auto) setting
 * Test 1: Explicit SSL_CTX auto off
 * Test 2: Explicit SSL auto off
 * Test 3: Explicit SSL_CTX auto on
 * Test 4: Explicit SSL auto on
 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
 *
 * The following are testing deprecated APIs, so we only run them if available
 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
 * Test 8: Explicit SSL auto off, custom DH params via DH
 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
 * Test 10: Explicit SSL auto off, custom DH params via callback
 */
static int test_set_tmp_dh(int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
    int expected = (idx <= 2) ?
0 : 1; 11119 EVP_PKEY *dhpkey = NULL; 11120 #ifndef OPENSSL_NO_DEPRECATED_3_0 11121 DH *dh = NULL; 11122 #else 11123 11124 if (idx >= 7) 11125 return 1; 11126 #endif 11127 11128 if (idx >= 5 && idx <= 8) { 11129 dhpkey = get_tmp_dh_params(); 11130 if (!TEST_ptr(dhpkey)) 11131 goto end; 11132 } 11133 #ifndef OPENSSL_NO_DEPRECATED_3_0 11134 if (idx == 7 || idx == 8) { 11135 dh = EVP_PKEY_get1_DH(dhpkey); 11136 if (!TEST_ptr(dh)) 11137 goto end; 11138 } 11139 #endif 11140 11141 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 11142 TLS_client_method(), 11143 0, 11144 0, 11145 &sctx, &cctx, cert, privkey))) 11146 goto end; 11147 11148 if ((idx & 1) == 1) { 11149 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto))) 11150 goto end; 11151 } 11152 11153 if (idx == 5) { 11154 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey))) 11155 goto end; 11156 dhpkey = NULL; 11157 } 11158 #ifndef OPENSSL_NO_DEPRECATED_3_0 11159 else if (idx == 7) { 11160 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh))) 11161 goto end; 11162 } else if (idx == 9) { 11163 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback); 11164 } 11165 #endif 11166 11167 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 11168 NULL, NULL))) 11169 goto end; 11170 11171 if ((idx & 1) == 0 && idx != 0) { 11172 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto))) 11173 goto end; 11174 } 11175 if (idx == 6) { 11176 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey))) 11177 goto end; 11178 dhpkey = NULL; 11179 } 11180 #ifndef OPENSSL_NO_DEPRECATED_3_0 11181 else if (idx == 8) { 11182 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh))) 11183 goto end; 11184 } else if (idx == 10) { 11185 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback); 11186 } 11187 #endif 11188 11189 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION)) 11190 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION)) 11191 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA"))) 11192 goto 
end; 11193 11194 /* 11195 * If autoon then we should succeed. Otherwise we expect failure because 11196 * there are no parameters 11197 */ 11198 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl, 11199 SSL_ERROR_NONE), 11200 expected)) 11201 goto end; 11202 11203 testresult = 1; 11204 11205 end: 11206 #ifndef OPENSSL_NO_DEPRECATED_3_0 11207 DH_free(dh); 11208 #endif 11209 SSL_free(serverssl); 11210 SSL_free(clientssl); 11211 SSL_CTX_free(sctx); 11212 SSL_CTX_free(cctx); 11213 EVP_PKEY_free(dhpkey); 11214 11215 return testresult; 11216 } 11217 11218 /* 11219 * Test the auto DH keys are appropriately sized 11220 */ 11221 static int test_dh_auto(int idx) 11222 { 11223 SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()); 11224 SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()); 11225 SSL *clientssl = NULL, *serverssl = NULL; 11226 int testresult = 0; 11227 EVP_PKEY *tmpkey = NULL; 11228 char *thiscert = NULL, *thiskey = NULL; 11229 size_t expdhsize = 0; 11230 const char *ciphersuite = "DHE-RSA-AES128-SHA"; 11231 11232 if (!TEST_ptr(sctx) || !TEST_ptr(cctx)) 11233 goto end; 11234 11235 switch (idx) { 11236 case 0: 11237 /* The FIPS provider doesn't support this DH size - so we ignore it */ 11238 if (is_fips) { 11239 testresult = 1; 11240 goto end; 11241 } 11242 thiscert = cert1024; 11243 thiskey = privkey1024; 11244 expdhsize = 1024; 11245 SSL_CTX_set_security_level(sctx, 1); 11246 SSL_CTX_set_security_level(cctx, 1); 11247 break; 11248 case 1: 11249 /* 2048 bit prime */ 11250 thiscert = cert; 11251 thiskey = privkey; 11252 expdhsize = 2048; 11253 break; 11254 case 2: 11255 thiscert = cert3072; 11256 thiskey = privkey3072; 11257 expdhsize = 3072; 11258 break; 11259 case 3: 11260 thiscert = cert4096; 11261 thiskey = privkey4096; 11262 expdhsize = 4096; 11263 break; 11264 case 4: 11265 thiscert = cert8192; 11266 thiskey = privkey8192; 11267 expdhsize = 8192; 11268 break; 11269 /* No certificate cases */ 11270 case 5: 11271 /* The 
FIPS provider doesn't support this DH size - so we ignore it */ 11272 if (is_fips) { 11273 testresult = 1; 11274 goto end; 11275 } 11276 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0"; 11277 expdhsize = 1024; 11278 break; 11279 case 6: 11280 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0"; 11281 expdhsize = 3072; 11282 break; 11283 default: 11284 TEST_error("Invalid text index"); 11285 goto end; 11286 } 11287 11288 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, 11289 NULL, 11290 0, 11291 0, 11292 &sctx, &cctx, thiscert, thiskey))) 11293 goto end; 11294 11295 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 11296 NULL, NULL))) 11297 goto end; 11298 11299 if (!TEST_true(SSL_set_dh_auto(serverssl, 1)) 11300 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION)) 11301 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION)) 11302 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite)) 11303 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite))) 11304 goto end; 11305 11306 /* 11307 * Send the server's first flight. At this point the server has created the 11308 * temporary DH key but hasn't finished using it yet. Once used it is 11309 * removed, so we cannot test it. 
*/
    if (!TEST_int_le(SSL_connect(clientssl), 0)
        || !TEST_int_le(SSL_accept(serverssl), 0))
        goto end;

    if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
        goto end;
    if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    EVP_PKEY_free(tmpkey);

    return testresult;
}
#endif /* OPENSSL_NO_DH */
#endif /* OPENSSL_NO_TLS1_2 */

#ifndef OSSL_NO_USABLE_TLS1_3
/*
 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
 * that it works even without a certificate configured for the original
 * SSL_CTX
 *
 * sni_cb and the snicb counter are defined elsewhere in this file;
 * presumably the callback moves the connection to the SSL_CTX passed as its
 * argument and increments snicb - confirm there.
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_sni_tls13(void)
{
    SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;

    /* Reset callback counter */
    snicb = 0;

    /* Create an initial SSL_CTX with no certificate configured */
    sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
    if (!TEST_ptr(sctx))
        goto end;

    /* Second server context, with certificate; require TLSv1.3 as a minimum */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_3_VERSION, 0,
            &sctx2, &cctx, cert, privkey)))
        goto end;

    /* Set up SNI: callback on the bare context, sctx2 as its argument */
    if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb)))
        goto end;
    if (!TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
        goto end;

    /*
     * Connection should still succeed because the final SSL_CTX has the right
     * certificates configured.
     */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
            &clientssl, NULL, NULL)))
        goto end;
    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    /* We should have had the SNI callback called exactly once */
    if (!TEST_int_eq(snicb, 1))
        goto end;

    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx2);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}

/*
 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
 * 0 = TLSv1.2
 * 1 = TLSv1.3
 *
 * The server session timeout is set to two weeks. With TLSv1.2 the hint seen
 * by the client must equal that value; with TLSv1.3 it must not exceed one
 * week. Returns 1 on success, 0 on failure (or the result of TEST_skip() when
 * TLSv1.2 is requested but compiled out).
 */
static int test_ticket_lifetime(int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    int version = TLS1_3_VERSION;
    unsigned long hint;

#define ONE_WEEK_SEC (7 * 24 * 60 * 60)
#define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)

    if (idx == 0) {
#ifdef OPENSSL_NO_TLS1_2
        return TEST_skip("TLS 1.2 is disabled.");
#else
        version = TLS1_2_VERSION;
#endif
    }

    /* Pin both ends to exactly the protocol version under test */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), version, version,
            &sctx, &cctx, cert, privkey)))
        goto end;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
            &clientssl, NULL, NULL)))
        goto end;

    /*
     * Set the timeout to be more than 1 week
     * make sure the returned value is the default
     */
    if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
            SSL_get_default_timeout(serverssl)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    hint = SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl));
    if (idx == 0) {
        /* TLSv1.2 uses the set value */
        if (!TEST_ulong_eq(hint, TWO_WEEK_SEC))
            goto end;
    } else {
        /* TLSv1.3 uses the limited value */
        if (!TEST_ulong_le(hint, ONE_WEEK_SEC))
            goto end;
    }
    testresult = 1;

end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}
#endif
/*
 * Test that setting an ALPN does not violate RFC
 *
 * An ALPN protocol list (RFC 7301) is a sequence of entries, each a one-byte
 * length followed by that many bytes of protocol name. The setters are
 * expected to reject a list with an empty entry or with an entry that runs
 * past the end of the buffer, on both the SSL_CTX and the SSL object.
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_set_alpn(void)
{
    SSL_CTX *ctx = NULL;
    SSL *ssl = NULL;
    int testresult = 0;

    /* Empty first entry (length byte 0) */
    const unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
    /* One well-formed entry, "good" */
    const unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
    /* Entry "b", then 'a' read as a length that overruns the buffer */
    const unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
    /* Valid "bad", then an empty trailing entry */
    const unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00 };
    /* Valid "bad", entry "b", then 'a' read as an overrunning length */
    const unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd' };
    /* Valid "bad", then a length of 6 with only 3 bytes left */
    const unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd' };

    /* Create an initial SSL_CTX with no certificate configured */
    ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
    if (!TEST_ptr(ctx))
        goto end;

    /*
     * the set_alpn functions return 0 (false) on success, non-zero (true) on failure
     *
     * Expected to be accepted: a NULL list, a zero length, and the complete
     * "good" list. Expected to be rejected: "good" truncated to its length
     * byte, and each of the malformed lists above.
     */
    if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2))
        || !TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0))
        || !TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good)))
        || !TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1))
        || !TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0)))
        || !TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1)))
        || !TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2)))
        || !TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3)))
        || !TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
        goto end;

    ssl = SSL_new(ctx);
    if (!TEST_ptr(ssl))
        goto end;

    /* Same expectations for the per-connection setter */
    if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2))
        || !TEST_false(SSL_set_alpn_protos(ssl, good, 0))
        || !TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good)))
        || !TEST_true(SSL_set_alpn_protos(ssl, good, 1))
        || !TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0)))
        || !TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1)))
        || !TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2)))
        || !TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3)))
        || !TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
        goto end;

    testresult = 1;

end:
    SSL_free(ssl);
    SSL_CTX_free(ctx);
    return testresult;
}

/*
 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
 */
static int test_set_verify_cert_store_ssl_ctx(void)
{
    SSL_CTX *ctx = NULL;
    int testresult = 0;
    X509_STORE *store = NULL, *new_store = NULL,
               *cstore = NULL, *new_cstore = NULL;

    /* Create an initial SSL_CTX. */
    ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
    if (!TEST_ptr(ctx))
        goto end;

    /* Retrieve verify store pointer. */
    if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
        goto end;

    /* Retrieve chain store pointer. */
    if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
        goto end;

    /* We haven't set any yet, so this should be NULL. */
    if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
        goto end;

    /* Create stores. We use separate stores so pointers are different.
*/ 11554 new_store = X509_STORE_new(); 11555 if (!TEST_ptr(new_store)) 11556 goto end; 11557 11558 new_cstore = X509_STORE_new(); 11559 if (!TEST_ptr(new_cstore)) 11560 goto end; 11561 11562 /* Set stores. */ 11563 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store))) 11564 goto end; 11565 11566 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore))) 11567 goto end; 11568 11569 /* Should be able to retrieve the same pointer. */ 11570 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store))) 11571 goto end; 11572 11573 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore))) 11574 goto end; 11575 11576 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore)) 11577 goto end; 11578 11579 /* Should be able to unset again. */ 11580 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL))) 11581 goto end; 11582 11583 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL))) 11584 goto end; 11585 11586 /* Should now be NULL. */ 11587 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store))) 11588 goto end; 11589 11590 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore))) 11591 goto end; 11592 11593 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore)) 11594 goto end; 11595 11596 testresult = 1; 11597 11598 end: 11599 X509_STORE_free(new_store); 11600 X509_STORE_free(new_cstore); 11601 SSL_CTX_free(ctx); 11602 return testresult; 11603 } 11604 11605 /* 11606 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store. 11607 */ 11608 static int test_set_verify_cert_store_ssl(void) 11609 { 11610 SSL_CTX *ctx = NULL; 11611 SSL *ssl = NULL; 11612 int testresult = 0; 11613 X509_STORE *store = NULL, *new_store = NULL, 11614 *cstore = NULL, *new_cstore = NULL; 11615 11616 /* Create an initial SSL_CTX. */ 11617 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()); 11618 if (!TEST_ptr(ctx)) 11619 goto end; 11620 11621 /* Create an SSL object. 
*/ 11622 ssl = SSL_new(ctx); 11623 if (!TEST_ptr(ssl)) 11624 goto end; 11625 11626 /* Retrieve verify store pointer. */ 11627 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store))) 11628 goto end; 11629 11630 /* Retrieve chain store pointer. */ 11631 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore))) 11632 goto end; 11633 11634 /* We haven't set any yet, so this should be NULL. */ 11635 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore)) 11636 goto end; 11637 11638 /* Create stores. We use separate stores so pointers are different. */ 11639 new_store = X509_STORE_new(); 11640 if (!TEST_ptr(new_store)) 11641 goto end; 11642 11643 new_cstore = X509_STORE_new(); 11644 if (!TEST_ptr(new_cstore)) 11645 goto end; 11646 11647 /* Set stores. */ 11648 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store))) 11649 goto end; 11650 11651 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore))) 11652 goto end; 11653 11654 /* Should be able to retrieve the same pointer. */ 11655 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store))) 11656 goto end; 11657 11658 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore))) 11659 goto end; 11660 11661 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore)) 11662 goto end; 11663 11664 /* Should be able to unset again. */ 11665 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL))) 11666 goto end; 11667 11668 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL))) 11669 goto end; 11670 11671 /* Should now be NULL. 
*/ 11672 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store))) 11673 goto end; 11674 11675 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore))) 11676 goto end; 11677 11678 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore)) 11679 goto end; 11680 11681 testresult = 1; 11682 11683 end: 11684 X509_STORE_free(new_store); 11685 X509_STORE_free(new_cstore); 11686 SSL_free(ssl); 11687 SSL_CTX_free(ctx); 11688 return testresult; 11689 } 11690 11691 static int test_inherit_verify_param(void) 11692 { 11693 int testresult = 0; 11694 11695 SSL_CTX *ctx = NULL; 11696 X509_VERIFY_PARAM *cp = NULL; 11697 SSL *ssl = NULL; 11698 X509_VERIFY_PARAM *sp = NULL; 11699 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT; 11700 11701 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()); 11702 if (!TEST_ptr(ctx)) 11703 goto end; 11704 11705 cp = SSL_CTX_get0_param(ctx); 11706 if (!TEST_ptr(cp)) 11707 goto end; 11708 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0)) 11709 goto end; 11710 11711 X509_VERIFY_PARAM_set_hostflags(cp, hostflags); 11712 11713 ssl = SSL_new(ctx); 11714 if (!TEST_ptr(ssl)) 11715 goto end; 11716 11717 sp = SSL_get0_param(ssl); 11718 if (!TEST_ptr(sp)) 11719 goto end; 11720 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags)) 11721 goto end; 11722 11723 testresult = 1; 11724 11725 end: 11726 SSL_free(ssl); 11727 SSL_CTX_free(ctx); 11728 11729 return testresult; 11730 } 11731 11732 static int test_load_dhfile(void) 11733 { 11734 #ifndef OPENSSL_NO_DH 11735 int testresult = 0; 11736 11737 SSL_CTX *ctx = NULL; 11738 SSL_CONF_CTX *cctx = NULL; 11739 11740 if (dhfile == NULL) 11741 return 1; 11742 11743 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method())) 11744 || !TEST_ptr(cctx = SSL_CONF_CTX_new())) 11745 goto end; 11746 11747 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx); 11748 SSL_CONF_CTX_set_flags(cctx, 11749 SSL_CONF_FLAG_CERTIFICATE 11750 | SSL_CONF_FLAG_SERVER 11751 | SSL_CONF_FLAG_FILE); 11752 11753 if 
(!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2)) 11754 goto end; 11755 11756 testresult = 1; 11757 end: 11758 SSL_CONF_CTX_free(cctx); 11759 SSL_CTX_free(ctx); 11760 11761 return testresult; 11762 #else 11763 return TEST_skip("DH not supported by this build"); 11764 #endif 11765 } 11766 11767 #ifndef OSSL_NO_USABLE_TLS1_3 11768 /* Test that read_ahead works across a key change */ 11769 static int test_read_ahead_key_change(void) 11770 { 11771 SSL_CTX *cctx = NULL, *sctx = NULL; 11772 SSL *clientssl = NULL, *serverssl = NULL; 11773 int testresult = 0; 11774 char *msg = "Hello World"; 11775 size_t written, readbytes; 11776 char buf[80]; 11777 int i; 11778 11779 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 11780 TLS_client_method(), TLS1_3_VERSION, 0, 11781 &sctx, &cctx, cert, privkey))) 11782 goto end; 11783 11784 SSL_CTX_set_read_ahead(sctx, 1); 11785 11786 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 11787 &clientssl, NULL, NULL))) 11788 goto end; 11789 11790 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 11791 goto end; 11792 11793 /* Write some data, send a key update, write more data */ 11794 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written)) 11795 || !TEST_size_t_eq(written, strlen(msg))) 11796 goto end; 11797 11798 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED))) 11799 goto end; 11800 11801 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written)) 11802 || !TEST_size_t_eq(written, strlen(msg))) 11803 goto end; 11804 11805 /* 11806 * Since read_ahead is on the first read below should read the record with 11807 * the first app data, the second record with the key update message, and 11808 * the third record with the app data all in one go. 
We should be able to 11809 * still process the read_ahead data correctly even though it crosses 11810 * epochs 11811 */ 11812 for (i = 0; i < 2; i++) { 11813 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1, 11814 &readbytes))) 11815 goto end; 11816 11817 buf[readbytes] = '\0'; 11818 if (!TEST_str_eq(buf, msg)) 11819 goto end; 11820 } 11821 11822 testresult = 1; 11823 11824 end: 11825 SSL_free(serverssl); 11826 SSL_free(clientssl); 11827 SSL_CTX_free(sctx); 11828 SSL_CTX_free(cctx); 11829 return testresult; 11830 } 11831 11832 static size_t record_pad_cb(SSL *s, int type, size_t len, void *arg) 11833 { 11834 int *called = arg; 11835 11836 switch ((*called)++) { 11837 case 0: 11838 /* Add some padding to first record */ 11839 return 512; 11840 case 1: 11841 /* Maximally pad the second record */ 11842 return SSL3_RT_MAX_PLAIN_LENGTH - len; 11843 case 2: 11844 /* 11845 * Exceeding the maximum padding should be fine. It should just pad to 11846 * the maximum anyway 11847 */ 11848 return SSL3_RT_MAX_PLAIN_LENGTH + 1 - len; 11849 case 3: 11850 /* 11851 * Very large padding should also be ok. 
Should just pad to the maximum 11852 * allowed 11853 */ 11854 return SIZE_MAX; 11855 default: 11856 return 0; 11857 } 11858 } 11859 11860 /* 11861 * Test that setting record padding in TLSv1.3 works as expected 11862 * Test 0: Record padding callback on the SSL_CTX 11863 * Test 1: Record padding callback on the SSL 11864 * Test 2: Record block padding on the SSL_CTX 11865 * Test 3: Record block padding on the SSL 11866 * Test 4: Extended record block padding on the SSL_CTX 11867 * Test 5: Extended record block padding on the SSL 11868 */ 11869 static int test_tls13_record_padding(int idx) 11870 { 11871 SSL_CTX *cctx = NULL, *sctx = NULL; 11872 SSL *clientssl = NULL, *serverssl = NULL; 11873 int testresult = 0; 11874 char *msg = "Hello World"; 11875 size_t written, readbytes; 11876 char buf[80]; 11877 int i; 11878 int called = 0; 11879 11880 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 11881 TLS_client_method(), TLS1_3_VERSION, 0, 11882 &sctx, &cctx, cert, privkey))) 11883 goto end; 11884 11885 if (idx == 0) { 11886 SSL_CTX_set_record_padding_callback(cctx, record_pad_cb); 11887 SSL_CTX_set_record_padding_callback_arg(cctx, &called); 11888 if (!TEST_ptr_eq(SSL_CTX_get_record_padding_callback_arg(cctx), &called)) 11889 goto end; 11890 } else if (idx == 2) { 11891 /* Exceeding the max plain length should fail */ 11892 if (!TEST_false(SSL_CTX_set_block_padding(cctx, 11893 SSL3_RT_MAX_PLAIN_LENGTH + 1))) 11894 goto end; 11895 if (!TEST_true(SSL_CTX_set_block_padding(cctx, 512))) 11896 goto end; 11897 } else if (idx == 4) { 11898 /* pad only handshake/alert messages */ 11899 if (!TEST_true(SSL_CTX_set_block_padding_ex(cctx, 0, 512))) 11900 goto end; 11901 } 11902 11903 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 11904 &clientssl, NULL, NULL))) 11905 goto end; 11906 11907 if (idx == 1) { 11908 SSL_set_record_padding_callback(clientssl, record_pad_cb); 11909 SSL_set_record_padding_callback_arg(clientssl, &called); 11910 if 
(!TEST_ptr_eq(SSL_get_record_padding_callback_arg(clientssl), &called)) 11911 goto end; 11912 } else if (idx == 3) { 11913 /* Exceeding the max plain length should fail */ 11914 if (!TEST_false(SSL_set_block_padding(clientssl, 11915 SSL3_RT_MAX_PLAIN_LENGTH + 1))) 11916 goto end; 11917 if (!TEST_true(SSL_set_block_padding(clientssl, 512))) 11918 goto end; 11919 } else if (idx == 5) { 11920 /* Exceeding the max plain length should fail */ 11921 if (!TEST_false(SSL_set_block_padding_ex(clientssl, 0, 11922 SSL3_RT_MAX_PLAIN_LENGTH + 1))) 11923 goto end; 11924 /* pad server and client handshake only */ 11925 if (!TEST_true(SSL_set_block_padding_ex(clientssl, 0, 512))) 11926 goto end; 11927 if (!TEST_true(SSL_set_block_padding_ex(serverssl, 0, 512))) 11928 goto end; 11929 } 11930 11931 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 11932 goto end; 11933 11934 called = 0; 11935 /* 11936 * Write some data, then check we can read it. Do this four times to check 11937 * we can continue to write and read padded data after the initial record 11938 * padding has been added. We don't actually check that the padding has 11939 * been applied to the record - just that we can continue to communicate 11940 * normally and that the callback has been called (if appropriate). 
11941 */ 11942 for (i = 0; i < 4; i++) { 11943 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written)) 11944 || !TEST_size_t_eq(written, strlen(msg))) 11945 goto end; 11946 11947 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1, 11948 &readbytes)) 11949 || !TEST_size_t_eq(written, readbytes)) 11950 goto end; 11951 11952 buf[readbytes] = '\0'; 11953 if (!TEST_str_eq(buf, msg)) 11954 goto end; 11955 } 11956 11957 if ((idx == 0 || idx == 1) && !TEST_int_eq(called, 4)) 11958 goto end; 11959 11960 testresult = 1; 11961 end: 11962 SSL_free(serverssl); 11963 SSL_free(clientssl); 11964 SSL_CTX_free(sctx); 11965 SSL_CTX_free(cctx); 11966 return testresult; 11967 } 11968 #endif /* OSSL_NO_USABLE_TLS1_3 */ 11969 11970 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) 11971 /* 11972 * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not 11973 * support this yet. The only pipeline capable cipher that we have is in the 11974 * dasync engine (providers don't support this yet), so we have to use 11975 * deprecated APIs for this test. 
 *
 * Test 0: Client has pipelining enabled, server does not
 * Test 1: Server has pipelining enabled, client does not
 * Test 2: Client has pipelining enabled, server does not: not enough data to
 *         fill all the pipelines
 * Test 3: Client has pipelining enabled, server does not: not enough data to
 *         fill all the pipelines by more than a full pipeline's worth
 * Test 4: Client has pipelining enabled, server does not: more data than all
 *         the available pipelines can take
 * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline
 * Test 6: Repeat of test 0, but the engine is loaded late (after the SSL_CTX
 *         is created)
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_pipelining(int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    SSL *peera, *peerb;
    ENGINE *e = NULL;
    /* A 55 byte message */
    unsigned char *msg = (unsigned char *)"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123";
    unsigned char *buf = NULL;
    size_t fragsize = 10, numpipes = 5;
    size_t written, readbytes, offset, msglen;
    size_t expectedreads;
    int numreads;
    int testresult = 0;

    /* Nothing has been allocated yet, so a failed engine load can return. */
    if (idx != 6 && (e = load_dasync()) == NULL)
        return 0;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), 0,
            TLS1_2_VERSION, &sctx, &cctx, cert,
            privkey)))
        goto end;

    if (idx == 6) {
        /* Late engine load: only now, with the SSL_CTXs already created. */
        e = load_dasync();
        if (e == NULL)
            goto end;
        /* Now act like test 0 */
        idx = 0;
    }

    /*
     * NOTE(review): AES128-SHA is presumably the suite for which the dasync
     * engine supplies the pipeline capable cipher - confirm against the
     * engine.
     */
    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
            &clientssl, NULL, NULL))
        || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-SHA")))
        goto end;

    /* peera is always configured for pipelining, while peerb is not. */
    peera = (idx == 1) ? serverssl : clientssl;
    peerb = (idx == 1) ? clientssl : serverssl;

    switch (idx) {
    case 5:
        numpipes = 2;
        /* Maximum allowed fragment size */
        fragsize = SSL3_RT_MAX_PLAIN_LENGTH;
        msglen = fragsize * numpipes;
        /* From here on msg is heap memory; see the cleanup at the end. */
        msg = OPENSSL_malloc(msglen);
        if (!TEST_ptr(msg))
            goto end;
        if (!TEST_int_gt(RAND_bytes_ex(libctx, msg, msglen, 0), 0))
            goto end;
        break;
    case 4:
        msglen = 55;
        break;
    case 3:
        msglen = 50 - 12; /* Send 12 less bytes */
        break;
    case 2:
        msglen = 50 - 2; /* Send 2 less bytes */
        break;
    default:
        msglen = 50;
        break;
    }

    buf = OPENSSL_malloc(msglen);
    if (!TEST_ptr(buf))
        goto end;

    /*
     * A split send fragment longer than the maximum allowed must be refused.
     */
    if (idx == 5
        && !TEST_false(SSL_set_split_send_fragment(peera, fragsize + 1)))
        goto end;

    /*
     * The normal case is 5 pipelines with 10 bytes per pipeline (50 bytes in
     * total). This is a ridiculously small number of bytes - but sufficient
     * for our purposes
     */
    if (!TEST_true(SSL_set_max_pipelines(peera, numpipes))
        || !TEST_true(SSL_set_split_send_fragment(peera, fragsize)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /* Write some data from peera to peerb */
    if (!TEST_true(SSL_write_ex(peera, msg, msglen, &written))
        || !TEST_size_t_eq(written, msglen))
        goto end;

    /*
     * If the pipelining code worked, all |numpipes| pipelines were used -
     * except in test 3, where only |numpipes - 1| are. peerb therefore
     * receives |numpipes| records (|numpipes - 1| for test 3) and, as it does
     * not use read_ahead, needs that many separate SSL_read_ex calls. Test 4
     * needs one more read for the left over data that did not fit. Each read
     * is bounded by the space remaining in buf.
     */
    offset = 0;
    numreads = 0;
    while (offset < msglen) {
        if (!TEST_true(SSL_read_ex(peerb, buf + offset,
                msglen - offset, &readbytes)))
            goto end;
        offset += readbytes;
        numreads++;
    }

    if (idx == 4)
        expectedreads = numpipes + 1;
    else if (idx == 3)
        expectedreads = numpipes - 1;
    else
        expectedreads = numpipes;

    if (!TEST_mem_eq(msg, msglen, buf, offset)
        || !TEST_int_eq(numreads, expectedreads))
        goto end;

    /*
     * Write some data from peerb to peera. We do this in up to |numpipes + 1|
     * chunks to exercise the read pipelining code on peera.
     */
    for (offset = 0; offset < msglen; offset += fragsize) {
        size_t remaining = msglen - offset;
        size_t sendlen = remaining > fragsize ? fragsize : remaining;

        if (!TEST_true(SSL_write_ex(peerb, msg + offset, sendlen, &written))
            || !TEST_size_t_eq(written, sendlen))
            goto end;
    }

    /*
     * The data was written in |numpipes|, |numpipes - 1| or |numpipes + 1|
     * separate chunks (depending on which test we are running). If the
     * pipelining is working then we expect peera to read up to numpipes chunks
     * and process them in parallel, giving back the complete result in a single
     * call to SSL_read_ex
     */
    if (!TEST_true(SSL_read_ex(peera, buf, msglen, &readbytes))
        || !TEST_size_t_le(readbytes, msglen))
        goto end;

    if (idx == 4) {
        size_t readbytes2;

        /* One chunk more than there are pipelines: fetch the remainder. */
        if (!TEST_true(SSL_read_ex(peera, buf + readbytes,
                msglen - readbytes, &readbytes2)))
            goto end;
        readbytes += readbytes2;
        if (!TEST_size_t_le(readbytes, msglen))
            goto end;
    }

    if (!TEST_mem_eq(msg, msglen, buf, readbytes))
        goto end;

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    if (e != NULL) {
        ENGINE_unregister_ciphers(e);
        ENGINE_finish(e);
        ENGINE_free(e);
    }
    OPENSSL_free(buf);
    /*
     * msg points at a string literal unless test 5 replaced it with an
     * allocation; fragsize is only raised to the maximum on that path, so it
     * doubles as the "msg is heap memory" marker.
     */
    if (fragsize == SSL3_RT_MAX_PLAIN_LENGTH)
        OPENSSL_free(msg);
    return testresult;
}
#endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */

/*
 * Check that SSL_get_version(s) returns the string that belongs to the
 * protocol constant |version|. A |version| this function does not know leaves
 * the expected string NULL, which is then compared as-is.
 *
 * Returns the result of the TEST_str_eq() comparison.
 */
static int check_version_string(SSL *s, int version)
{
    static const struct {
        int version;
        const char *name;
    } known[] = {
        { SSL3_VERSION, "SSLv3" },
        { TLS1_VERSION, "TLSv1" },
        { TLS1_1_VERSION, "TLSv1.1" },
        { TLS1_2_VERSION, "TLSv1.2" },
        { TLS1_3_VERSION, "TLSv1.3" },
        { DTLS1_VERSION, "DTLSv1" },
        { DTLS1_2_VERSION, "DTLSv1.2" }
    };
    const char *verstr = NULL;
    size_t i;

    for (i = 0; i < sizeof(known) / sizeof(known[0]); i++) {
        if (known[i].version == version) {
            verstr = known[i].name;
            break;
        }
    }

    return TEST_str_eq(verstr, SSL_get_version(s));
}

/*
 * Test that SSL_version, SSL_get_version, SSL_is_quic, SSL_is_tls and
 * SSL_is_dtls return the expected results for a (D)TLS connection.
 * Compare with test_version() in quicapitest.c which does the same thing for
 * QUIC connections.
 *
 * |idx| selects the protocol version: 0 SSLv3, 1 TLSv1, 2 TLSv1.2, 3 TLSv1.3,
 * 4 DTLSv1, 5 DTLSv1.2. Versions compiled out of the build, or not available
 * with FIPS, are skipped.
 *
 * Returns 1 on success or skip, 0 on failure.
 */
static int test_version(int idx)
{
    const SSL_METHOD *servmeth = TLS_server_method();
    const SSL_METHOD *clientmeth = TLS_client_method();
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    int version, dtls;

    switch (idx) {
#if !defined(OPENSSL_NO_SSL3)
    case 0:
        version = SSL3_VERSION;
        break;
#endif
#if !defined(OPENSSL_NO_TLS1)
    case 1:
        version = TLS1_VERSION;
        break;
#endif
#if !defined(OPENSSL_NO_TLS1_2)
    case 2:
        version = TLS1_2_VERSION;
        break;
#endif
#if !defined(OSSL_NO_USABLE_TLS1_3)
    case 3:
        version = TLS1_3_VERSION;
        break;
#endif
#if !defined(OPENSSL_NO_DTLS1)
    case 4:
        version = DTLS1_VERSION;
        break;
#endif
#if !defined(OPENSSL_NO_DTLS1_2)
    case 5:
        version = DTLS1_2_VERSION;
        break;
#endif
    /*
     * NB we do not support QUIC in this test. That is covered by quicapitest.c
     * We also don't support DTLS1_BAD_VER since we have no server support for
     * that.
     */
    default:
        TEST_skip("Unsupported protocol version");
        return 1;
    }

    if (is_fips
        && (version == SSL3_VERSION
            || version == TLS1_VERSION
            || version == DTLS1_VERSION)) {
        TEST_skip("Protocol version not supported with FIPS");
        return 1;
    }

    dtls = (version == DTLS1_VERSION || version == DTLS1_2_VERSION);

#if !defined(OPENSSL_NO_DTLS)
    if (dtls) {
        servmeth = DTLS_server_method();
        clientmeth = DTLS_client_method();
    }
#endif

    /* Pin both ends to exactly |version| (used as min and max). */
    if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, version,
            version, &sctx, &cctx, cert, privkey)))
        goto end;

    /*
     * NOTE(review): security level 0 is presumably needed so that the legacy
     * protocol versions can be negotiated at all - confirm. It is a setting
     * for this test only.
     */
    if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
        || !TEST_true(SSL_CTX_set_cipher_list(cctx,
            "DEFAULT:@SECLEVEL=0")))
        goto end;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
            &clientssl, NULL, NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl,
            SSL_ERROR_NONE)))
        goto end;

    /* Numeric and textual version must agree on both ends. */
    if (!TEST_int_eq(SSL_version(serverssl), version)
        || !TEST_int_eq(SSL_version(clientssl), version)
        || !TEST_true(check_version_string(serverssl, version))
        || !TEST_true(check_version_string(clientssl, version)))
        goto end;

    /* Exactly one of the is_dtls/is_tls predicates may hold; never is_quic. */
    if (dtls) {
        if (!TEST_true(SSL_is_dtls(serverssl))
            || !TEST_true(SSL_is_dtls(clientssl))
            || !TEST_false(SSL_is_tls(serverssl))
            || !TEST_false(SSL_is_tls(clientssl))
            || !TEST_false(SSL_is_quic(serverssl))
            || !TEST_false(SSL_is_quic(clientssl)))
            goto end;
    } else {
        if (!TEST_true(SSL_is_tls(serverssl))
            || !TEST_true(SSL_is_tls(clientssl))
            || !TEST_false(SSL_is_dtls(serverssl))
            || !TEST_false(SSL_is_dtls(clientssl))
            || !TEST_false(SSL_is_quic(serverssl))
            || !TEST_false(SSL_is_quic(clientssl)))
            goto end;
    }

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}

/*
 * Test that the SSL_rstate_string*() APIs return sane results
 *
 * The server is expected to report "RH"/"read header" before and after the
 * handshake, and "RB"/"read body" once it has been fed a record header with
 * no body behind it.
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_rstate_string(void)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    size_t written, readbytes;
    unsigned char buf[2];
    /* Record header: content type, version major/minor, 2 byte length (1) */
    unsigned char dummyheader[SSL3_RT_HEADER_LENGTH] = {
        SSL3_RT_APPLICATION_DATA,
        TLS1_2_VERSION_MAJOR,
        0, /* To be filled in later */
        0,
        1
    };
    int testresult = 0;
    int version;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), 0,
            0, &sctx, &cctx, cert, privkey)))
        goto end;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
            &clientssl, NULL, NULL)))
        goto end;

    /* Before the handshake the record layer waits for a header. */
    if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
        || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /* Same state again once the handshake has completed. */
    if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
        || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
        goto end;

    /*
     * Fill in the correct version for the record header. A TLSv1.3
     * connection gets the TLSv1.2 value here.
     */
    version = SSL_version(serverssl);
    if (version == TLS1_3_VERSION)
        version = TLS1_2_VERSION;
    dummyheader[2] = version & 0xff;

    /*
     * Send a dummy header. If we continued to read the body as well this
     * would fail with a bad record mac, but we're not going to go that far.
     */
    if (!TEST_true(BIO_write_ex(SSL_get_rbio(serverssl), dummyheader,
            sizeof(dummyheader), &written))
        || !TEST_size_t_eq(written, SSL3_RT_HEADER_LENGTH))
        goto end;

    /* Only the header is available, so the read cannot complete. */
    if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)))
        goto end;

    if (!TEST_str_eq(SSL_rstate_string(serverssl), "RB")
        || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read body"))
        goto end;

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    return testresult;
}

/*
 * Force a write retry during handshaking. We test various combinations of
 * scenarios. We test a large certificate message which will fill the buffering
 * BIO used in the handshake. We try with client auth on and off. Finally we
 * also try a BIO that indicates retry via a 0 return. BIO_write() is documented
 * to indicate retry via -1 - but sometimes BIOs don't do that.
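 *
 * Test 0: Standard certificate message
 * Test 1: Large certificate message
 * Test 2: Standard cert, verify peer
 * Test 3: Large cert, verify peer
 * Test 4: Standard cert, BIO returns 0 on retry
 * Test 5: Large cert, BIO returns 0 on retry
 * Test 6: Standard cert, verify peer, BIO returns 0 on retry
 * Test 7: Large cert, verify peer, BIO returns 0 on retry
 * Test 8-15: Repeat of above with TLSv1.2
 *
 * |idx| is a bit field: bit 0 selects the large certificate chain, bit 1
 * turns on peer verification on the server, bit 2 makes the retry BIO return
 * 0 instead of -1 and bit 3 caps the connection at TLSv1.2.
 *
 * Returns 1 on success, 0 on failure, or the TEST_skip() result when TLSv1.2
 * is requested but not compiled in.
 */
static int test_handshake_retry(int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    BIO *tmp = NULL, *bretry = BIO_new(bio_s_always_retry());
    int maxversion = 0;

    if (!TEST_ptr(bretry))
        goto end;

#ifndef OPENSSL_NO_TLS1_2
    if ((idx & 8) == 8)
        maxversion = TLS1_2_VERSION;
#else
    if ((idx & 8) == 8) {
        /*
         * bretry has already been allocated above, so leave through the
         * common cleanup path instead of returning directly, which would
         * leak it.
         */
        testresult = TEST_skip("No TLSv1.2");
        goto end;
    }
#endif

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), 0, maxversion,
            &sctx, &cctx, cert, privkey)))
        goto end;

    /*
     * Add a large amount of data to fill the buffering BIO used by the SSL
     * object
     */
    if ((idx & 1) == 1 && !ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
        goto end;

    /*
     * We don't actually configure a client cert, but neither do we fail if one
     * isn't present.
     */
    if ((idx & 2) == 2)
        SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);

    /* Make the retry BIO signal retry with 0; reset to -1 at the end. */
    if ((idx & 4) == 4)
        set_always_retry_err_val(0);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
            &clientssl, NULL, NULL)))
        goto end;

    /*
     * Keep our own reference to the server's original write BIO so that it
     * survives being swapped out and can be put back later.
     */
    tmp = SSL_get_wbio(serverssl);
    if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
        /* We hold no reference of our own, so nothing to free at the end. */
        tmp = NULL;
        goto end;
    }
    /* set0 passes our bretry reference on to the SSL object. */
    SSL_set0_wbio(serverssl, bretry);
    bretry = NULL;

    if (!TEST_int_eq(SSL_connect(clientssl), -1))
        goto end;

    /* The server cannot write its flight and must report WANT_WRITE. */
    if (!TEST_int_eq(SSL_accept(serverssl), -1)
        || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
        goto end;

    /* Restore a BIO that will let the write succeed */
    SSL_set0_wbio(serverssl, tmp);
    tmp = NULL;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    BIO_free(bretry);
    BIO_free(tmp);
    set_always_retry_err_val(-1);
    return testresult;
}

/*
 * Test that receiving retries when writing application data works as expected
 *
 * A retry-capable filter BIO is pushed in front of the client's write BIO and
 * a 1200 byte buffer is written with a 512 byte max send fragment; the write
 * has to be repeated until all of it has gone out, and the server must then
 * read back exactly the bytes that were sent.
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_data_retry(void)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    unsigned char inbuf[1200], outbuf[1200];
    size_t i;
    BIO *tmp = NULL;
    BIO *bretry = BIO_new(bio_s_maybe_retry());
    size_t written, readbytes, totread = 0;

    if (!TEST_ptr(bretry))
        goto end;

    /* Recognisable pattern to send; the receive buffer starts zeroed. */
    for (i = 0; i < sizeof(inbuf); i++)
        inbuf[i] = (unsigned char)(0xff & i);
    memset(outbuf, 0, sizeof(outbuf));

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), 0, 0, &sctx, &cctx,
            cert, privkey)))
        goto end;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
            NULL)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /* Smallest possible max send fragment is 512 */
    if (!TEST_true(SSL_set_max_send_fragment(clientssl, 512)))
        goto end;

    /*
     * Chain the retry BIO in front of the client's existing write BIO. The
     * extra reference on tmp is handed to the chain, and the extra reference
     * on bretry taken below lets the test keep driving it via BIO_ctrl() and
     * free it at the end.
     */
    tmp = SSL_get_wbio(clientssl);
    if (!TEST_ptr(tmp))
        goto end;
    if (!TEST_true(BIO_up_ref(tmp)))
        goto end;
    BIO_push(bretry, tmp);
    tmp = NULL;
    SSL_set0_wbio(clientssl, bretry);
    if (!BIO_up_ref(bretry)) {
        bretry = NULL;
        goto end;
    }

    for (i = 0; i < 3; i++) {
        /* We expect this call to make no progress and indicate retry */
        if (!TEST_false(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
            goto end;
        if (!TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_WRITE))
            goto end;

        /* Allow one write to progress, but the next one to signal retry */
        if (!TEST_true(BIO_ctrl(bretry, MAYBE_RETRY_CTRL_SET_RETRY_AFTER_CNT, 1,
                NULL)))
            goto end;

        if (i == 2)
            break;

        /*
         * This call will hopefully make progress but will still indicate retry
         * because there is more data than will fit into a single record.
         */
        if (!TEST_false(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
            goto end;
        if (!TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_WRITE))
            goto end;
    }

    /* The final call should write the last chunk of data and succeed */
    if (!TEST_true(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
        goto end;
    /*
     * Read all the data available. Each read is limited to the space still
     * free in outbuf.
     */
    while (SSL_read_ex(serverssl, outbuf + totread, sizeof(outbuf) - totread,
        &readbytes))
        totread += readbytes;
    if (!TEST_mem_eq(inbuf, sizeof(inbuf), outbuf, totread))
        goto end;

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    BIO_free_all(bretry);
    BIO_free(tmp);
    return testresult;
}

/* State shared between test_multi_resume() and resume_servername_cb(). */
struct resume_servername_cb_data {
    int i; /* current iteration of the resumption loop */
    SSL_CTX *cctx; /* client context used for the nested handshake */
    SSL_CTX *sctx; /* server context used for the nested handshake */
    SSL_SESSION *sess; /* session the nested handshake tries to resume */
    int recurse; /* set while the nested handshake is in progress */
};

/*
 * Servername callback. We use it here to run another complete handshake using
 * the same session - and mark the session as not_resumable at the end
 *
 * |arg| is the struct resume_servername_cb_data set up by the test; |s| and
 * |ad| are not used. The nested handshake triggers this callback again, and
 * that inner invocation is answered with a fatal alert.
 *
 * Returns SSL_TLSEXT_ERR_OK, or SSL_TLSEXT_ERR_ALERT_FATAL on the nested call
 * or when the nested handshake could not be set up or did not fail as
 * expected.
 */
static int resume_servername_cb(SSL *s, int *ad, void *arg)
{
    struct resume_servername_cb_data *cbdata = arg;
    SSL *serverssl = NULL, *clientssl = NULL;
    int ret = SSL_TLSEXT_ERR_ALERT_FATAL;

    /* Inner invocation, from the handshake started below: fail it. */
    if (cbdata->recurse)
        return SSL_TLSEXT_ERR_ALERT_FATAL;

    /* Only every third iteration (i % 3 == 1) runs the nested handshake. */
    if ((cbdata->i % 3) != 1)
        return SSL_TLSEXT_ERR_OK;

    cbdata->recurse = 1;

    if (!TEST_true(create_ssl_objects(cbdata->sctx, cbdata->cctx, &serverssl,
            &clientssl, NULL, NULL))
        || !TEST_true(SSL_set_session(clientssl, cbdata->sess)))
        goto end;

    /* The expected failure must not leave entries on the error queue. */
    ERR_set_mark();
    /*
     * We expect this to fail - because the servername cb will fail. This will
     * mark the session as not_resumable.
     */
    if (!TEST_false(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) {
        ERR_clear_last_mark();
        goto end;
    }
    ERR_pop_to_mark();

    ret = SSL_TLSEXT_ERR_OK;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    cbdata->recurse = 0;
    return ret;
}

/*
 * Test multiple resumptions and cache size handling
 * Test 0: TLSv1.3 (max_early_data set)
 * Test 1: TLSv1.3 (SSL_OP_NO_TICKET set)
 * Test 2: TLSv1.3 (max_early_data and SSL_OP_NO_TICKET set)
 * Test 3: TLSv1.3 (SSL_OP_NO_TICKET, simultaneous resumes)
 * Test 4: TLSv1.2
 */
static int test_multi_resume(int idx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    SSL_SESSION *sess = NULL;
    int max_version = TLS1_3_VERSION;
    int i, testresult = 0;
    struct resume_servername_cb_data cbdata;

#if defined(OPENSSL_NO_TLS1_2)
    if (idx == 4)
        return TEST_skip("TLSv1.2 is disabled in this build");
#else
    if (idx == 4)
        max_version = TLS1_2_VERSION;
#endif
#if defined(OSSL_NO_USABLE_TLS1_3)
    if (idx != 4)
        return TEST_skip("No usable TLSv1.3 in this build");
#endif

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_VERSION,
            max_version, &sctx, &cctx, cert,
            privkey)))
        goto end;

    /*
     * TLSv1.3 only uses a session cache if either max_early_data > 0 (used for
     * replay protection), or if SSL_OP_NO_TICKET is in use
     */
    if (idx == 0 || idx == 2) {
        if (!TEST_true(SSL_CTX_set_max_early_data(sctx, 1024)))
            goto end;
    }
    if (idx == 1 || idx == 2 || idx == 3)
        SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);

    SSL_CTX_sess_set_cache_size(sctx, 5);

    if (idx == 3) {
        SSL_CTX_set_tlsext_servername_callback(sctx, resume_servername_cb);
        SSL_CTX_set_tlsext_servername_arg(sctx, &cbdata);
        cbdata.cctx = cctx;
        cbdata.sctx = sctx;
        cbdata.recurse = 0;
    }

    for (i = 0; i < 30; i++) {
        if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                NULL, NULL))
            || !TEST_true(SSL_set_session(clientssl, sess)))
            goto end;

        /*
         * Check simultaneous resumes. We pause the connection part way through
         * the handshake by (mis)using the servername_cb. The pause occurs after
         * session resumption has already occurred, but before any session
         * tickets have been issued. While paused we run another complete
         * handshake resuming the same session.
         */
        if (idx == 3) {
            cbdata.i = i;
            cbdata.sess = sess;
        }

        /*
         * Recreate a bug where dynamically changing the max_early_data value
         * can cause sessions in the session cache which cannot be deleted.
         */
        if ((idx == 0 || idx == 2) && (i % 3) == 2)
            SSL_set_max_early_data(serverssl, 0);

        if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
            goto end;

        if (sess == NULL || (idx == 0 && (i % 3) == 2)) {
            if (!TEST_false(SSL_session_reused(clientssl)))
                goto end;
        } else {
            if (!TEST_true(SSL_session_reused(clientssl)))
                goto end;
        }
        SSL_SESSION_free(sess);

        /* Do a full handshake, followed by two resumptions */
        if ((i % 3) == 2) {
            sess = NULL;
        } else {
            if (!TEST_ptr((sess = SSL_get1_session(clientssl))))
                goto end;
        }

        SSL_shutdown(clientssl);
        SSL_shutdown(serverssl);
        SSL_free(serverssl);
        SSL_free(clientssl);
        serverssl = clientssl = NULL;
    }

    /* We should never exceed the session cache size limit */
    if (!TEST_long_le(SSL_CTX_sess_number(sctx), 5))
        goto end;

    testresult = 1;
end: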
SSL_free(serverssl); 12743 SSL_free(clientssl); 12744 SSL_CTX_free(sctx); 12745 SSL_CTX_free(cctx); 12746 SSL_SESSION_free(sess); 12747 return testresult; 12748 } 12749 12750 static struct next_proto_st { 12751 int serverlen; 12752 unsigned char server[40]; 12753 int clientlen; 12754 unsigned char client[40]; 12755 int expected_ret; 12756 size_t selectedlen; 12757 unsigned char selected[40]; 12758 } next_proto_tests[] = { 12759 { 4, { 3, 'a', 'b', 'c' }, 12760 4, { 3, 'a', 'b', 'c' }, 12761 OPENSSL_NPN_NEGOTIATED, 12762 3, { 'a', 'b', 'c' } }, 12763 { 7, { 3, 'a', 'b', 'c', 2, 'a', 'b' }, 12764 4, { 3, 'a', 'b', 'c' }, 12765 OPENSSL_NPN_NEGOTIATED, 12766 3, { 'a', 'b', 'c' } }, 12767 { 7, { 12768 2, 12769 'a', 12770 'b', 12771 3, 12772 'a', 12773 'b', 12774 'c', 12775 }, 12776 4, { 3, 'a', 'b', 'c' }, OPENSSL_NPN_NEGOTIATED, 3, { 'a', 'b', 'c' } }, 12777 { 4, { 3, 'a', 'b', 'c' }, 7, { 12778 3, 12779 'a', 12780 'b', 12781 'c', 12782 2, 12783 'a', 12784 'b', 12785 }, 12786 OPENSSL_NPN_NEGOTIATED, 3, { 'a', 'b', 'c' } }, 12787 { 4, { 3, 'a', 'b', 'c' }, 7, { 2, 'a', 'b', 3, 'a', 'b', 'c' }, OPENSSL_NPN_NEGOTIATED, 3, { 'a', 'b', 'c' } }, { 7, { 2, 'b', 'c', 3, 'a', 'b', 'c' }, 7, { 2, 'a', 'b', 3, 'a', 'b', 'c' }, OPENSSL_NPN_NEGOTIATED, 3, { 'a', 'b', 'c' } }, { 10, { 2, 'b', 'c', 3, 'a', 'b', 'c', 2, 'a', 'b' }, 7, { 2, 'a', 'b', 3, 'a', 'b', 'c' }, OPENSSL_NPN_NEGOTIATED, 3, { 'a', 'b', 'c' } }, { 4, { 3, 'b', 'c', 'd' }, 4, { 3, 'a', 'b', 'c' }, OPENSSL_NPN_NO_OVERLAP, 3, { 'a', 'b', 'c' } }, { 0, { 0 }, 4, { 3, 'a', 'b', 'c' }, OPENSSL_NPN_NO_OVERLAP, 3, { 'a', 'b', 'c' } }, { -1, { 0 }, 4, { 3, 'a', 'b', 'c' }, OPENSSL_NPN_NO_OVERLAP, 3, { 'a', 'b', 'c' } }, { 4, { 3, 'a', 'b', 'c' }, 0, { 0 }, OPENSSL_NPN_NO_OVERLAP, 0, { 0 } }, { 4, { 3, 'a', 'b', 'c' }, -1, { 0 }, OPENSSL_NPN_NO_OVERLAP, 0, { 0 } }, { 3, { 3, 'a', 'b', 'c' }, 4, { 3, 'a', 'b', 'c' }, OPENSSL_NPN_NO_OVERLAP, 3, { 'a', 'b', 'c' } }, { 4, { 3, 'a', 'b', 'c' }, 3, { 3, 'a', 'b', 'c' }, 
OPENSSL_NPN_NO_OVERLAP, 0, { 0 } } 12788 }; 12789 12790 static int test_select_next_proto(int idx) 12791 { 12792 struct next_proto_st *np = &next_proto_tests[idx]; 12793 int ret = 0; 12794 unsigned char *out, *client, *server; 12795 unsigned char outlen; 12796 unsigned int clientlen, serverlen; 12797 12798 if (np->clientlen == -1) { 12799 client = NULL; 12800 clientlen = 0; 12801 } else { 12802 client = np->client; 12803 clientlen = (unsigned int)np->clientlen; 12804 } 12805 if (np->serverlen == -1) { 12806 server = NULL; 12807 serverlen = 0; 12808 } else { 12809 server = np->server; 12810 serverlen = (unsigned int)np->serverlen; 12811 } 12812 12813 if (!TEST_int_eq(SSL_select_next_proto(&out, &outlen, server, serverlen, 12814 client, clientlen), 12815 np->expected_ret)) 12816 goto err; 12817 12818 if (np->selectedlen == 0) { 12819 if (!TEST_ptr_null(out) || !TEST_uchar_eq(outlen, 0)) 12820 goto err; 12821 } else { 12822 if (!TEST_mem_eq(out, outlen, np->selected, np->selectedlen)) 12823 goto err; 12824 } 12825 12826 ret = 1; 12827 err: 12828 return ret; 12829 } 12830 12831 static const unsigned char fooprot[] = { 3, 'f', 'o', 'o' }; 12832 static const unsigned char barprot[] = { 3, 'b', 'a', 'r' }; 12833 12834 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) 12835 static int npn_advert_cb(SSL *ssl, const unsigned char **out, 12836 unsigned int *outlen, void *arg) 12837 { 12838 int *idx = (int *)arg; 12839 12840 switch (*idx) { 12841 default: 12842 case 0: 12843 *out = fooprot; 12844 *outlen = sizeof(fooprot); 12845 return SSL_TLSEXT_ERR_OK; 12846 12847 case 1: 12848 *out = NULL; 12849 *outlen = 0; 12850 return SSL_TLSEXT_ERR_OK; 12851 12852 case 2: 12853 return SSL_TLSEXT_ERR_NOACK; 12854 } 12855 } 12856 12857 static int npn_select_cb(SSL *s, unsigned char **out, unsigned char *outlen, 12858 const unsigned char *in, unsigned int inlen, void *arg) 12859 { 12860 int *idx = (int *)arg; 12861 12862 switch (*idx) { 12863 case 0: 12864 case 1: 12865 
*out = (unsigned char *)(fooprot + 1); 12866 *outlen = *fooprot; 12867 return SSL_TLSEXT_ERR_OK; 12868 12869 case 3: 12870 *out = (unsigned char *)(barprot + 1); 12871 *outlen = *barprot; 12872 return SSL_TLSEXT_ERR_OK; 12873 12874 case 4: 12875 *outlen = 0; 12876 return SSL_TLSEXT_ERR_OK; 12877 12878 default: 12879 case 2: 12880 return SSL_TLSEXT_ERR_ALERT_FATAL; 12881 } 12882 } 12883 12884 /* 12885 * Test the NPN callbacks 12886 * Test 0: advert = foo, select = foo 12887 * Test 1: advert = <empty>, select = foo 12888 * Test 2: no advert 12889 * Test 3: advert = foo, select = bar 12890 * Test 4: advert = foo, select = <empty> (should fail) 12891 */ 12892 static int test_npn(int idx) 12893 { 12894 SSL_CTX *sctx = NULL, *cctx = NULL; 12895 SSL *serverssl = NULL, *clientssl = NULL; 12896 int testresult = 0; 12897 12898 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 12899 TLS_client_method(), 0, TLS1_2_VERSION, 12900 &sctx, &cctx, cert, privkey))) 12901 goto end; 12902 12903 SSL_CTX_set_next_protos_advertised_cb(sctx, npn_advert_cb, &idx); 12904 SSL_CTX_set_next_proto_select_cb(cctx, npn_select_cb, &idx); 12905 12906 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, 12907 NULL))) 12908 goto end; 12909 12910 if (idx == 4) { 12911 /* We don't allow empty selection of NPN, so this should fail */ 12912 if (!TEST_false(create_ssl_connection(serverssl, clientssl, 12913 SSL_ERROR_NONE))) 12914 goto end; 12915 } else { 12916 const unsigned char *prot; 12917 unsigned int protlen; 12918 12919 if (!TEST_true(create_ssl_connection(serverssl, clientssl, 12920 SSL_ERROR_NONE))) 12921 goto end; 12922 12923 SSL_get0_next_proto_negotiated(serverssl, &prot, &protlen); 12924 switch (idx) { 12925 case 0: 12926 case 1: 12927 if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot)) 12928 goto end; 12929 break; 12930 case 2: 12931 if (!TEST_uint_eq(protlen, 0)) 12932 goto end; 12933 break; 12934 case 3: 12935 if (!TEST_mem_eq(prot, protlen, barprot 
+ 1, *barprot)) 12936 goto end; 12937 break; 12938 default: 12939 TEST_error("Should not get here"); 12940 goto end; 12941 } 12942 } 12943 12944 testresult = 1; 12945 end: 12946 SSL_free(serverssl); 12947 SSL_free(clientssl); 12948 SSL_CTX_free(sctx); 12949 SSL_CTX_free(cctx); 12950 12951 return testresult; 12952 } 12953 #endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) */ 12954 12955 static int alpn_select_cb2(SSL *ssl, const unsigned char **out, 12956 unsigned char *outlen, const unsigned char *in, 12957 unsigned int inlen, void *arg) 12958 { 12959 int *idx = (int *)arg; 12960 12961 switch (*idx) { 12962 case 0: 12963 *out = (unsigned char *)(fooprot + 1); 12964 *outlen = *fooprot; 12965 return SSL_TLSEXT_ERR_OK; 12966 12967 case 2: 12968 *out = (unsigned char *)(barprot + 1); 12969 *outlen = *barprot; 12970 return SSL_TLSEXT_ERR_OK; 12971 12972 case 3: 12973 *outlen = 0; 12974 return SSL_TLSEXT_ERR_OK; 12975 12976 default: 12977 case 1: 12978 return SSL_TLSEXT_ERR_ALERT_FATAL; 12979 } 12980 return 0; 12981 } 12982 12983 /* 12984 * Test the ALPN callbacks 12985 * Test 0: client = foo, select = foo 12986 * Test 1: client = <empty>, select = none 12987 * Test 2: client = foo, select = bar (should fail) 12988 * Test 3: client = foo, select = <empty> (should fail) 12989 */ 12990 static int test_alpn(int idx) 12991 { 12992 SSL_CTX *sctx = NULL, *cctx = NULL; 12993 SSL *serverssl = NULL, *clientssl = NULL; 12994 int testresult = 0; 12995 const unsigned char *prots = fooprot; 12996 unsigned int protslen = sizeof(fooprot); 12997 12998 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 12999 TLS_client_method(), 0, 0, 13000 &sctx, &cctx, cert, privkey))) 13001 goto end; 13002 13003 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb2, &idx); 13004 13005 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, 13006 NULL))) 13007 goto end; 13008 13009 if (idx == 1) { 13010 prots = NULL; 13011 protslen = 0; 13012 } 13013 
/* SSL_set_alpn_protos returns 0 for success! */
    if (!TEST_false(SSL_set_alpn_protos(clientssl, prots, protslen)))
        goto end;

    if (idx == 2 || idx == 3) {
        /*
         * The server callback selects a protocol the client did not offer
         * (idx 2) or an empty protocol (idx 3), so this should fail
         */
        if (!TEST_false(create_ssl_connection(serverssl, clientssl,
                SSL_ERROR_NONE)))
            goto end;
    } else {
        const unsigned char *prot;
        unsigned int protlen;

        if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                SSL_ERROR_NONE)))
            goto end;

        SSL_get0_alpn_selected(clientssl, &prot, &protlen);
        switch (idx) {
        case 0:
            if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
                goto end;
            break;
        case 1:
            if (!TEST_uint_eq(protlen, 0))
                goto end;
            break;
        default:
            TEST_error("Should not get here");
            goto end;
        }
    }

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}

#if !defined(OSSL_NO_USABLE_TLS1_3)
/*
 * Per-endpoint state handed to the QUIC TLS callbacks below as their |arg|.
 */
struct quic_tls_test_data {
    /* The other endpoint; crypto_send_cb appends into peer->rcd_data */
    struct quic_tls_test_data *peer;
    /* Most recent read/write protection level seen by yield_secret_cb */
    uint32_t renc_level;
    uint32_t wenc_level;
    /* Pending handshake bytes, one buffer per level (index = enc level) */
    unsigned char rcd_data[4][2048];
    size_t rcd_data_len[4];
    /* Yielded secrets, stored by yield_secret_cb at index prot_level - 1 */
    unsigned char rsecret[3][48];
    size_t rsecret_len[3];
    unsigned char wsecret[3][48];
    size_t wsecret_len[3];
    /* Transport parameters received from the peer */
    unsigned char params[3];
    size_t params_len;
    /* Set to 1 by alert_cb */
    int alert;
    /* Set to 1 by any callback that detects a problem */
    int err;
    /* When non-zero, crypto_release_rcd_cb fails once and clears it */
    int forcefail;
    /* Counter filled in by create_ssl_connection_ex, logged as sm_generation */
    int sm_count;
};

static int clientquicdata = 0xff, serverquicdata = 0xfe;

/*
 * Confirm that the app data pointer on |s| is the one the test installed for
 * that side of the connection. Returns 1 on a match and 0 otherwise.
 */
static int check_app_data(SSL *s)
{
    /* Check app data works */
    int *data = (int *)SSL_get_app_data(s);
    int *comparedata = SSL_is_server(s) ? &serverquicdata : &clientquicdata;

    return TEST_true(comparedata == data) ? 1 : 0;
}

/*
 * crypto_send callback: append up to |buf_len| bytes to the peer's receive
 * buffer for the current write level. The copy is clamped to the space left
 * in that buffer and the number of bytes actually taken is reported through
 * |consumed|. Returns 1 on success, 0 (with data->err set) on failure.
 */
static int crypto_send_cb(SSL *s, const unsigned char *buf, size_t buf_len,
    size_t *consumed, void *arg)
{
    struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;
    struct quic_tls_test_data *peer = data->peer;
    const uint32_t level = data->wenc_level;
    const size_t used = peer->rcd_data_len[level];
    const size_t room = sizeof(peer->rcd_data[level]) - used;
    size_t take;

    if (!check_app_data(s)) {
        data->err = 1;
        return 0;
    }

    /* Never copy more than the destination buffer can still hold */
    take = buf_len > room ? room : buf_len;

    if (take != 0) {
        memcpy(peer->rcd_data[level] + used, buf, take);
        peer->rcd_data_len[level] = used + take;
    }

    *consumed = take;
    return 1;
}

/*
 * crypto_recv_rcd callback: expose everything buffered for the current read
 * level without consuming it. Returns 1 on success, 0 on failure.
 */
static int crypto_recv_rcd_cb(SSL *s, const unsigned char **buf,
    size_t *bytes_read, void *arg)
{
    struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;
    uint32_t level;

    if (!check_app_data(s)) {
        data->err = 1;
        return 0;
    }

    level = data->renc_level;
    *bytes_read = data->rcd_data_len[level];
    *buf = data->rcd_data[level];
    return 1;
}

static int crypto_release_rcd_cb(SSL *s, size_t bytes_read, void *arg)
{
    struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;

    if (!check_app_data(s)) {
        data->err = 1;
        return 0;
    }

    /* See if we need to force a failure in this callback */
    if (data->forcefail) {
        data->forcefail = 0;
        data->err = 1;
        return 0;
    }

    if (!TEST_size_t_eq(bytes_read, data->rcd_data_len[data->renc_level])
        || !TEST_size_t_gt(bytes_read, 0)) {
        data->err = 1;
        return 0;
    }
    data->rcd_data_len[data->renc_level] = 0;

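return 1;
}

/* One recorded call to yield_secret_cb, kept in arrival order. */
struct secret_yield_entry {
    uint8_t recorded; /* 1 once this slot has been filled in */
    int prot_level; /* protection level the secret was yielded for */
    int direction; /* 0 = read, 1 = write, as passed to yield_secret_cb */
    int sm_generation; /* data->sm_count at the time of the call */
    SSL *ssl; /* connection the secret was yielded on */
};

/*
 * Fixed-size log written by yield_secret_cb. Callers zero it and reset
 * secret_history_idx before a handshake they want to inspect.
 */
static struct secret_yield_entry secret_history[16];
static int secret_history_idx = 0;
/*
 * Note, this enum needs to match the direction values passed
 * to yield_secret_cb
 */
typedef enum {
    LAST_DIR_READ = 0,
    LAST_DIR_WRITE = 1,
    LAST_DIR_UNSET = 2
} last_dir_history_state;

/*
 * Walk the recorded secrets for connection |s| and check their ordering: a
 * write secret must not follow a read secret of the same protection level
 * unless both were yielded in the same state machine iteration.
 *
 * Returns 1 if the history is acceptable, 0 otherwise.
 */
static int check_secret_history(SSL *s)
{
    size_t i;
    int ret = 0;
    last_dir_history_state last_state = LAST_DIR_UNSET;
    int last_prot_level = 0;
    int last_generation = 0;

    TEST_info("Checking history for %p\n", (void *)s);
    /*
     * Stop at the first unused slot, but never walk past the end of the
     * array: a completely full history has no unrecorded terminator entry.
     */
    for (i = 0;
        i < OSSL_NELEM(secret_history) && secret_history[i].recorded == 1;
        i++) {
        if (secret_history[i].ssl != s)
            continue;
        TEST_info("Got %s(%d) secret for level %d, last level %d, last state %d, gen %d\n",
            secret_history[i].direction == 1 ? "Write" : "Read", secret_history[i].direction,
            secret_history[i].prot_level, last_prot_level, last_state,
            secret_history[i].sm_generation);

        /* First entry for this connection: nothing to compare against yet */
        if (last_state == LAST_DIR_UNSET) {
            last_prot_level = secret_history[i].prot_level;
            last_state = secret_history[i].direction;
            last_generation = secret_history[i].sm_generation;
            continue;
        }

        switch (secret_history[i].direction) {
        case 1:
            /*
             * write case
             * NOTE: There is an odd corner case here. It may occur that
             * in a single iteration of the state machine, the read key is yielded
             * prior to the write key for the same level. This is undesirable
             * for quic, but it is ok, as the general implementation of every 3rd
             * party quic stack while preferring write keys before read, allows
             * for read before write if both keys are yielded in the same call
             * to SSL_do_handshake, as the tls adaptation code for that quic stack
             * can then cache keys until both are available, so we allow read before
             * write here iff they occur in the same iteration of SSL_do_handshake
             * as represented by the recorded sm_generation value.
             */
            if (last_prot_level == secret_history[i].prot_level
                && last_state == LAST_DIR_READ) {
                if (last_generation == secret_history[i].sm_generation) {
                    TEST_info("Read before write key in same SSL state machine iteration is ok");
                } else {
                    TEST_error("Got read key before write key");
                    goto end;
                }
            }
            /* FALLTHROUGH */
        case 0:
            /*
             * Read case
             */
            break;
        default:
            TEST_error("Unknown direction");
            goto end;
        }
        last_prot_level = secret_history[i].prot_level;
        last_state = secret_history[i].direction;
        last_generation = secret_history[i].sm_generation;
    }

    ret = 1;
end:
    return ret;
}

/*
 * yield_secret callback: store the secret for |prot_level| in the read or
 * write table of |arg| and append an entry to secret_history.
 *
 * Returns 1 on success. On any failure data->err is set and 0 is returned.
 */
static int yield_secret_cb(SSL *s, uint32_t prot_level, int direction,
    const unsigned char *secret, size_t secret_len,
    void *arg)
{
    struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;

    if (!check_app_data(s))
        goto err;

    /*
     * prot_level - 1 is used as an array index below, so anything outside
     * EARLY..APPLICATION is rejected here. This assumes those levels map onto
     * the three rows of rsecret/wsecret - TODO confirm against the header.
     */
    if (prot_level < OSSL_RECORD_PROTECTION_LEVEL_EARLY
        || prot_level > OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
        goto err;

    /* Refuse to log past the end of the fixed-size history array */
    if (!TEST_size_t_lt((size_t)secret_history_idx, OSSL_NELEM(secret_history)))
        goto err;

    switch (direction) {
    case 0: /* read */
        /*
         * Bound the copy by one row. sizeof(data->rsecret) is the size of the
         * whole table and would let a long secret spill into the next row.
         */
        if (!TEST_size_t_le(secret_len, sizeof(data->rsecret[0])))
            goto err;
        data->renc_level = prot_level;
        memcpy(data->rsecret[prot_level - 1], secret, secret_len);
        data->rsecret_len[prot_level - 1] = secret_len;
        break;

    case 1: /* write */
        /* Same per-row bound as the read case */
        if (!TEST_size_t_le(secret_len, sizeof(data->wsecret[0])))
            goto err;
        data->wenc_level = prot_level;
        memcpy(data->wsecret[prot_level - 1], secret, secret_len);
        data->wsecret_len[prot_level - 1] = secret_len;
        break;

    default:
        goto err;
    }

    secret_history[secret_history_idx].direction = direction;
    secret_history[secret_history_idx].prot_level = (int)prot_level;
    secret_history[secret_history_idx].recorded = 1;
    secret_history[secret_history_idx].ssl = s;
    secret_history[secret_history_idx].sm_generation = data->sm_count;
    secret_history_idx++;
    return 1;
err:
    data->err = 1;
    return 0;
}

/*
 * yield_secret callback that ignores its arguments and always reports
 * failure.
 */
static int yield_secret_cb_fail(SSL *s, uint32_t prot_level, int direction,
    const unsigned char *secret, size_t secret_len,
    void *arg)
{
    (void)s;
    (void)prot_level;
    (void)direction;
    (void)secret;
    (void)secret_len;
    (void)arg;
    /*
     * This callback is to test double free in quic tls
     */
    return 0;
}

/*
 * got_transport_params callback: copy the peer's transport parameters into
 * |arg|. Parameters longer than data->params are rejected rather than
 * truncated. Returns 1 on success, 0 (with data->err set) on failure.
 */
static int got_transport_params_cb(SSL *s, const unsigned char *params,
    size_t params_len,
    void *arg)
{
    struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;

    if (!check_app_data(s)) {
        data->err = 1;
        return 0;
    }

    if (!TEST_size_t_le(params_len, sizeof(data->params))) {
        data->err = 1;
        return 0;
    }

    memcpy(data->params, params, params_len);
    data->params_len = params_len;

    return 1;
}

/*
 * alert callback: note that an alert was raised. |alert_code| itself is not
 * recorded. Returns 1 on success, 0 (with data->err set) on failure.
 */
static int alert_cb(SSL *s, unsigned char alert_code, void *arg)
{
    struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg;

    if (!check_app_data(s)) {
        data->err = 1;
        return 0;
    }

    data->alert = 1;
    return 1;
}

/* Extension id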
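reserved for private use by IANA */
#define TEST_TLS_EXTENSION_ID 65282

/* Call counters for the old style custom extension callbacks below */
static int add_ext_cb_called = 0;
static int parse_ext_cb_called = 0;

/*
 * Old style "add" callback: always emits a single 0xff byte as the extension
 * payload and counts the call. Returns 1 so that the extension is added.
 */
static int add_old_ext(SSL *s, unsigned int ext_type,
    const unsigned char **out, size_t *outlen,
    int *al, void *add_arg)
{
    /* static so that the pointer handed back stays valid after we return */
    static const unsigned char data = 0xff;

    add_ext_cb_called++;
    *out = &data;
    *outlen = 1;
    return 1;
}

/* Old style "free" callback: the payload is static, so nothing to release */
static void free_old_ext(SSL *s, unsigned int ext_type,
    const unsigned char *out, void *add_arg)
{
    /* Do nothing */
}

/*
 * Old style "parse" callback: accept only the one byte 0xff payload produced
 * by add_old_ext. Anything else sets a decode_error alert and returns 0.
 */
static int parse_old_ext(SSL *s, unsigned int ext_type,
    const unsigned char *in, size_t inlen,
    int *al, void *parse_arg)
{
    parse_ext_cb_called++;
    /* The length is checked first so that *in is only read when present */
    if (inlen != 1 || *in != 0xff) {
        *al = SSL_AD_DECODE_ERROR;
        return 0;
    }
    return 1;
}

/*
 * Test the QUIC TLS API
 * Test 0: Normal run
 * Test 1: Force a failure
 * Test 2: Use a CCM based ciphersuite
 * Test 4: fail yield_secret_cb to see double free
 * Test 5: Normal run with SNI
 *
 * idx 3 has no dedicated branch below; if it is run it behaves like test 0.
 */
static int test_quic_tls(int idx)
{
    SSL_CTX *sctx = NULL, *sctx2 = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    int testresult = 0;
    OSSL_DISPATCH qtdis[] = {
        { OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_SEND, (void (*)(void))crypto_send_cb },
        { OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RECV_RCD,
            (void (*)(void))crypto_recv_rcd_cb },
        { OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RELEASE_RCD,
            (void (*)(void))crypto_release_rcd_cb },
        { OSSL_FUNC_SSL_QUIC_TLS_YIELD_SECRET,
            (void (*)(void))yield_secret_cb },
        { OSSL_FUNC_SSL_QUIC_TLS_GOT_TRANSPORT_PARAMS,
            (void (*)(void))got_transport_params_cb },
        { OSSL_FUNC_SSL_QUIC_TLS_ALERT, (void (*)(void))alert_cb },
        { 0, NULL }
    };
    struct quic_tls_test_data sdata, cdata;
    const unsigned char cparams[] = {
        0xff, 0x01, 0x00
    };
    const unsigned char sparams[] = {
        0xfe, 0x01, 0x00
    };
    int i;

    /* qtdis[3] is the OSSL_FUNC_SSL_QUIC_TLS_YIELD_SECRET entry above */
    if (idx == 4)
        qtdis[3].function = (void (*)(void))yield_secret_cb_fail;

    snicb = 0;
    memset(secret_history, 0, sizeof(secret_history));
    secret_history_idx = 0;
    memset(&sdata, 0, sizeof(sdata));
    memset(&cdata, 0, sizeof(cdata));
    sdata.peer = &cdata;
    cdata.peer = &sdata;
    if (idx == 1)
        sdata.forcefail = 1;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(), TLS1_3_VERSION, 0,
            &sctx, &cctx, cert, privkey)))
        goto end;

    if (idx == 5) {
        static int dummy = 1;

        if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
                TLS1_3_VERSION, 0,
                &sctx2, NULL, cert, privkey)))
            goto end;

        /*
         * We add an old style custom extension to ensure that it gets correctly
         * handled when we copy QUIC's connection specific custom extensions.
         */
        add_ext_cb_called = 0;
        parse_ext_cb_called = 0;
        if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx,
                TEST_TLS_EXTENSION_ID,
                add_old_ext, free_old_ext, &dummy, parse_old_ext, &dummy)))
            goto end;
        if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx,
                TEST_TLS_EXTENSION_ID,
                add_old_ext, free_old_ext, &dummy, parse_old_ext, &dummy)))
            goto end;
        if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx2,
                TEST_TLS_EXTENSION_ID,
                add_old_ext, free_old_ext, &dummy, parse_old_ext, &dummy)))
            goto end;

        /* Set up SNI */
        if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
            || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
            goto end;
    }

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
            NULL)))
        goto end;

    /* Reset the BIOs we set in create_ssl_objects. We should not need them */
    SSL_set_bio(serverssl, NULL, NULL);
    SSL_set_bio(clientssl, NULL, NULL);

    if (idx == 2) {
        if (!TEST_true(SSL_set_ciphersuites(serverssl, "TLS_AES_128_CCM_SHA256"))
            || !TEST_true(SSL_set_ciphersuites(clientssl, "TLS_AES_128_CCM_SHA256")))
            goto end;
    }

    /* The callbacks verify this pointer through check_app_data() */
    if (!TEST_true(SSL_set_app_data(clientssl, &clientquicdata))
        || !TEST_true(SSL_set_app_data(serverssl, &serverquicdata)))
        goto end;

    if (!TEST_true(SSL_set_quic_tls_cbs(clientssl, qtdis, &cdata))
        || !TEST_true(SSL_set_quic_tls_cbs(serverssl, qtdis, &sdata))
        || !TEST_true(SSL_set_quic_tls_transport_params(clientssl, cparams,
            sizeof(cparams)))
        || !TEST_true(SSL_set_quic_tls_transport_params(serverssl, sparams,
            sizeof(sparams))))
        goto end;

    if (idx != 1 && idx != 4) {
        if (!TEST_true(create_ssl_connection_ex(serverssl, clientssl, SSL_ERROR_NONE,
                &cdata.sm_count, &sdata.sm_count)))
            goto end;
    } else {
        /* We expect this connection to fail */
        if (!TEST_false(create_ssl_connection_ex(serverssl, clientssl, SSL_ERROR_NONE,
                &cdata.sm_count, &sdata.sm_count)))
            goto end;
        testresult = 1;
        /* The forced failure set sdata.err; clear it for the check at end: */
        sdata.err = 0;
        goto end;
    }

    /* We should have had the SNI callback called exactly once */
    if (idx == 5) {
        if (!TEST_int_eq(snicb, 1))
            goto end;
    }

    /* Check no problems during the handshake */
    if (!TEST_false(sdata.alert)
        || !TEST_false(cdata.alert)
        || !TEST_false(sdata.err)
        || !TEST_false(cdata.err))
        goto end;

    /* Check the secrets all match */
    for (i = OSSL_RECORD_PROTECTION_LEVEL_EARLY - 1;
        i < OSSL_RECORD_PROTECTION_LEVEL_APPLICATION;
        i++) {
        if (!TEST_mem_eq(sdata.wsecret[i], sdata.wsecret_len[i],
                cdata.rsecret[i], cdata.rsecret_len[i]))
            goto end;
    }

    /*
     * Check that our secret history yields write secrets before read secrets
     */
    if (!TEST_int_eq(check_secret_history(serverssl), 1))
        goto end;
    if (!TEST_int_eq(check_secret_history(clientssl), 1))
        goto end;

    /* Check the transport params */
    if (!TEST_mem_eq(sdata.params, sdata.params_len, cparams, sizeof(cparams))
        || !TEST_mem_eq(cdata.params, cdata.params_len, sparams,
            sizeof(sparams)))
        goto end;

    /* Check the encryption levels are what we expect them to be */
    if (!TEST_true(sdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
        || !TEST_true(sdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
        || !TEST_true(cdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
        || !TEST_true(cdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION))
        goto end;

    /*
     * We only expect the add cb to have actually been called because we are
     * using the old style callbacks that only apply to TLSv1.2. Since we are
     * using TLSv1.3 here, the add will be called for the ClientHello but
     * nothing else.
     */
    if (idx == 5) {
        if (!TEST_int_eq(add_ext_cb_called, 1)
            || !TEST_int_eq(parse_ext_cb_called, 0))
            goto end;
    }

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx2);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    /* Check that we didn't suddenly hit an unexpected failure during cleanup */
    if (!TEST_false(sdata.err) || !TEST_false(cdata.err))
        testresult = 0;

    return testresult;
}

/*
 * Message callback that sets end_of_early_data if an EndOfEarlyData handshake
 * message is seen. The test installing it expects the flag to stay 0.
 */
static void assert_no_end_of_early_data(int write_p, int version, int content_type,
    const void *buf, size_t msglen, SSL *ssl, void *arg)
{
    const unsigned char *msg = buf;

    /* Only look at the message type byte if the message has one */
    if (content_type == SSL3_RT_HANDSHAKE && msglen > 0
        && msg[0] == SSL3_MT_END_OF_EARLY_DATA)
        end_of_early_data = 1;
}

static int test_quic_tls_early_data(void)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    int testresult = 0;
    SSL_SESSION *sess = NULL;
    const OSSL_DISPATCH qtdis[] = {
        { OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_SEND, (void (*)(void))crypto_send_cb },
        { OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RECV_RCD,
            (void (*)(void))crypto_recv_rcd_cb },
        { OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RELEASE_RCD,
            (void (*)(void))crypto_release_rcd_cb },
        { OSSL_FUNC_SSL_QUIC_TLS_YIELD_SECRET,
            (void (*)(void))yield_secret_cb },
        { OSSL_FUNC_SSL_QUIC_TLS_GOT_TRANSPORT_PARAMS,
            (void (*)(void))got_transport_params_cb },
        { OSSL_FUNC_SSL_QUIC_TLS_ALERT, (void (*)(void))alert_cb },
        { 0, NULL }
    };
    struct quic_tls_test_data sdata, cdata;
    const unsigned char cparams[] = {
        0xff, 0x01, 0x00
    };
    const unsigned char sparams[] = {
        0xfe, 0x01, 0x00
    };
    int i;
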
memset(secret_history, 0, sizeof(secret_history)); 13617 secret_history_idx = 0; 13618 memset(&sdata, 0, sizeof(sdata)); 13619 memset(&cdata, 0, sizeof(cdata)); 13620 sdata.peer = &cdata; 13621 cdata.peer = &sdata; 13622 end_of_early_data = 0; 13623 13624 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 13625 TLS_client_method(), TLS1_3_VERSION, 0, 13626 &sctx, &cctx, cert, privkey))) 13627 goto end; 13628 13629 SSL_CTX_set_max_early_data(sctx, 0xffffffff); 13630 SSL_CTX_set_max_early_data(cctx, 0xffffffff); 13631 13632 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, 13633 NULL))) 13634 goto end; 13635 13636 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) 13637 goto end; 13638 13639 sess = SSL_get1_session(clientssl); 13640 SSL_shutdown(clientssl); 13641 SSL_shutdown(serverssl); 13642 SSL_free(serverssl); 13643 SSL_free(clientssl); 13644 serverssl = clientssl = NULL; 13645 13646 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, 13647 &clientssl, NULL, NULL)) 13648 || !TEST_true(SSL_set_session(clientssl, sess))) 13649 goto end; 13650 13651 /* Reset the BIOs we set in create_ssl_objects. 
We should not need them */ 13652 SSL_set_bio(serverssl, NULL, NULL); 13653 SSL_set_bio(clientssl, NULL, NULL); 13654 13655 if (!TEST_true(SSL_set_app_data(clientssl, &clientquicdata)) 13656 || !TEST_true(SSL_set_app_data(serverssl, &serverquicdata))) 13657 goto end; 13658 13659 if (!TEST_true(SSL_set_quic_tls_cbs(clientssl, qtdis, &cdata)) 13660 || !TEST_true(SSL_set_quic_tls_cbs(serverssl, qtdis, &sdata)) 13661 || !TEST_true(SSL_set_quic_tls_transport_params(clientssl, cparams, 13662 sizeof(cparams))) 13663 || !TEST_true(SSL_set_quic_tls_transport_params(serverssl, sparams, 13664 sizeof(sparams)))) 13665 goto end; 13666 13667 /* 13668 * Reset our secret history so we get the record of the second connection 13669 */ 13670 memset(secret_history, 0, sizeof(secret_history)); 13671 secret_history_idx = 0; 13672 13673 SSL_set_quic_tls_early_data_enabled(serverssl, 1); 13674 SSL_set_quic_tls_early_data_enabled(clientssl, 1); 13675 13676 SSL_set_msg_callback(serverssl, assert_no_end_of_early_data); 13677 SSL_set_msg_callback(clientssl, assert_no_end_of_early_data); 13678 13679 if (!TEST_int_eq(SSL_connect(clientssl), -1) 13680 || !TEST_int_eq(SSL_accept(serverssl), -1) 13681 || !TEST_int_eq(SSL_get_early_data_status(serverssl), SSL_EARLY_DATA_ACCEPTED) 13682 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_READ) 13683 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_READ)) 13684 goto end; 13685 13686 /* Check the encryption levels are what we expect them to be */ 13687 if (!TEST_true(sdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_HANDSHAKE) 13688 || !TEST_true(sdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION) 13689 || !TEST_true(cdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_NONE) 13690 || !TEST_true(cdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_EARLY)) 13691 goto end; 13692 13693 sdata.sm_count = 0; 13694 cdata.sm_count = 0; 13695 if (!TEST_true(create_ssl_connection_ex(serverssl, clientssl, SSL_ERROR_NONE, 13696 &cdata.sm_count, 
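&sdata.sm_count)))
        goto end;

    /* Check no problems during the handshake */
    if (!TEST_false(sdata.alert)
        || !TEST_false(cdata.alert)
        || !TEST_false(sdata.err)
        || !TEST_false(cdata.err))
        goto end;

    /* Check the secrets all match */
    for (i = OSSL_RECORD_PROTECTION_LEVEL_EARLY - 1;
        i < OSSL_RECORD_PROTECTION_LEVEL_APPLICATION;
        i++) {
        if (!TEST_mem_eq(sdata.wsecret[i], sdata.wsecret_len[i],
                cdata.rsecret[i], cdata.rsecret_len[i]))
            goto end;
    }

    if (!TEST_int_eq(check_secret_history(serverssl), 1))
        goto end;
    if (!TEST_int_eq(check_secret_history(clientssl), 1))
        goto end;

    /* Check the transport params */
    if (!TEST_mem_eq(sdata.params, sdata.params_len, cparams, sizeof(cparams))
        || !TEST_mem_eq(cdata.params, cdata.params_len, sparams,
            sizeof(sparams)))
        goto end;

    /* Check the encryption levels are what we expect them to be */
    if (!TEST_true(sdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
        || !TEST_true(sdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
        || !TEST_true(cdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION)
        || !TEST_true(cdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION))
        goto end;

    /* Check there is no EndOfEearlyData in handshake */
    if (!TEST_int_eq(end_of_early_data, 0))
        goto end;

    testresult = 1;
end:
    SSL_SESSION_free(sess);
    SSL_SESSION_free(clientpsk);
    SSL_SESSION_free(serverpsk);
    clientpsk = serverpsk = NULL;
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}
#endif /* !defined(OSSL_NO_USABLE_TLS1_3) */

/*
 * Test that a server with SSL_OP_NO_RENEGOTIATION set turns down a
 * client-initiated renegotiation.
 *
 * idx 0 uses the TLS methods with max_proto set to TLS1_2_VERSION, any other
 * idx uses the DTLS methods with max_proto set to DTLS1_2_VERSION. The test
 * is skipped when the matching protocol is compiled out.
 *
 * Returns 1 when the client's renegotiation attempt ends in SSL_ERROR_SSL with
 * reason SSL_R_NO_RENEGOTIATION, 0 otherwise.
 */
static int test_no_renegotiation(int idx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    int testresult = 0, ret;
    int max_proto;
    const SSL_METHOD *sm, *cm;
    unsigned char buf[5];

    if (idx == 0) {
#ifndef OPENSSL_NO_TLS1_2
        max_proto = TLS1_2_VERSION;
        sm = TLS_server_method();
        cm = TLS_client_method();
#else
        return TEST_skip("TLSv1.2 is disabled in this build");
#endif
    } else {
#ifndef OPENSSL_NO_DTLS1_2
        max_proto = DTLS1_2_VERSION;
        sm = DTLS_server_method();
        cm = DTLS_client_method();
#else
        return TEST_skip("DTLSv1.2 is disabled in this build");
#endif
    }
    if (!TEST_true(create_ssl_ctx_pair(libctx, sm, cm, 0, max_proto,
            &sctx, &cctx, cert, privkey)))
        goto end;

    /* Only the server side refuses renegotiation; the client is left as-is */
    SSL_CTX_set_options(sctx, SSL_OP_NO_RENEGOTIATION);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
            NULL)))
        goto end;

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    /* Start a renegotiation from the client and let it write its first flight */
    if (!TEST_true(SSL_renegotiate(clientssl))
        || !TEST_int_le(ret = SSL_connect(clientssl), 0)
        || !TEST_int_eq(SSL_get_error(clientssl, ret), SSL_ERROR_WANT_READ))
        goto end;

    /*
     * We've not sent any application data, so we expect this to fail. It should
     * also read the renegotiation attempt, and send back a no_renegotiation
     * warning alert because we have renegotiation disabled.
     */
    if (!TEST_int_le(ret = SSL_read(serverssl, buf, sizeof(buf)), 0))
        goto end;
    if (!TEST_int_eq(SSL_get_error(serverssl, ret), SSL_ERROR_WANT_READ))
        goto end;

    /*
     * The client should now see the no_renegotiation warning and fail the
     * connection.
     *
     * ERR_get_error() returns the earliest entry in the error queue, so the
     * reason check below also fails if any earlier step left an error queued.
     */
    if (!TEST_int_le(ret = SSL_connect(clientssl), 0)
        || !TEST_int_eq(SSL_get_error(clientssl, ret), SSL_ERROR_SSL)
        || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), SSL_R_NO_RENEGOTIATION))
        goto end;

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}

#if defined(DO_SSL_TRACE_TEST)
/*
 * Tests that the SSL_trace() msg_callback works as expected with PQ groups.
 *
 * A TLSv1.3-only connection is made with a fixed group list and a single
 * ciphersuite while SSL_trace() writes the client's messages to a memory BIO.
 * With the fips provider only the presence of trace output is checked;
 * otherwise the output is compared with a reference file under datadir.
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_ssl_trace(void)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl = NULL, *clientssl = NULL;
    int testresult = 0;
    BIO *bio = NULL;
    char *reffile = NULL;
    /* Points at a string literal, so it must not be written through */
    const char *grouplist = "MLKEM512:MLKEM768:MLKEM1024:X25519MLKEM768:SecP256r1MLKEM768"
                            ":SecP384r1MLKEM1024:secp521r1:secp384r1:secp256r1";

    if (!fips_provider_version_ge(libctx, 3, 5, 0))
        return TEST_skip("FIPS provider does not support MLKEM algorithms");

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            TLS_client_method(),
            TLS1_3_VERSION, TLS1_3_VERSION,
            &sctx, &cctx, cert, privkey))
        || !TEST_ptr(bio = BIO_new(BIO_s_mem()))
        || !TEST_true(SSL_CTX_set1_groups_list(sctx, grouplist))
        || !TEST_true(SSL_CTX_set1_groups_list(cctx, grouplist))
        || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
            "TLS_AES_128_GCM_SHA256"))
        || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
            "TLS_AES_128_GCM_SHA256"))
#ifdef SSL_OP_LEGACY_EC_POINT_FORMATS
        || !TEST_true(SSL_CTX_set_options(cctx, SSL_OP_LEGACY_EC_POINT_FORMATS))
        || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_LEGACY_EC_POINT_FORMATS))
#endif
        || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
            NULL, NULL)))
        goto err;

    /* Route the client's protocol messages through SSL_trace() into bio */
    SSL_set_msg_callback(clientssl, SSL_trace);
    SSL_set_msg_callback_arg(clientssl, bio);

    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto err;

    /* Skip the comparison of the trace when the fips provider is used. */
    if (is_fips) {
        /* Check whether there was something written. */
        if (!TEST_int_gt(BIO_pending(bio), 0))
            goto err;
    } else {
#ifdef OPENSSL_NO_ZLIB
        reffile = test_mk_file_path(datadir, "ssltraceref.txt");
#else
        reffile = test_mk_file_path(datadir, "ssltraceref-zlib.txt");
#endif
        /*
         * setup_tests() checks every test_mk_file_path() result for NULL; do
         * the same here so a failed path build is reported as such.
         */
        if (!TEST_ptr(reffile)
            || !TEST_true(compare_with_reference_file(bio, reffile)))
            goto err;
    }

    testresult = 1;
err:
    BIO_free(bio);
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);
    OPENSSL_free(reffile);

    return testresult;
}
#endif

/*
 * Test that SSL_CTX_set1_groups() when called with a list where the first
 * entry is unsupported, will send a key_share that uses the next usable entry.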
*/
static int test_ssl_set_groups_unsupported_keyshare(int idx)
{
#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
    SSL *serverssl = NULL, *clientssl = NULL;
    SSL_CTX *sctx = NULL, *cctx = NULL;
    int testresult = 0;
    /* Client group list in preference order; entry 0 is swapped for idx 1 */
    int client_groups[] = {
        NID_brainpoolP256r1tls13,
        NID_sect163k1,
        NID_secp384r1,
        NID_ffdhe2048,
    };

    if (idx == 1) {
        /* sizeof is a compile-time constant: this only skips on 32-bit longs */
        if (sizeof(unsigned long) == 4) {
            return TEST_skip("SSL_CTX_set1_groups() is broken on 32-bit systems with TLS"
                             " group IDs > 0x20, see https://github.com/openssl/openssl/issues/29196");
        }
        client_groups[0] = NID_id_tc26_gost_3410_2012_512_paramSetC;
    }

    /*
     * Each step short-circuits to the cleanup label on failure.
     *
     * NOTE(review): the only thing asserted is that the handshake completes;
     * the group actually carried in the key_share is not inspected here.
     */
    if (!TEST_true(create_ssl_ctx_pair(libctx,
            TLS_server_method(),
            TLS_client_method(),
            0, 0,
            &sctx,
            &cctx,
            cert,
            privkey))
        || !TEST_true(SSL_CTX_set1_groups(cctx,
            client_groups,
            OSSL_NELEM(client_groups)))
        || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
            NULL))
        || !TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
        goto end;

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
#else /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */
    return TEST_skip("No EC and DH support.");
#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */
}

/*
 * Test that if we attempt to send HTTP to a TLS server that we get the expected
 * failure reason code.
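*/
static int test_http_verbs(int idx)
{
    SSL_CTX *sctx = NULL;
    SSL *serverssl = NULL;
    int testresult = 0;
    const char *verbs[] = { "GET", "POST", "HEAD" };
    const char *http_trailer = " / HTTP/1.0\r\n\r\n";
    BIO *b = BIO_new(BIO_s_mem());

    /* Report an allocation failure as such, not as a failed BIO_write() */
    if (!TEST_ptr(b))
        goto end;

    /* The unsigned cast also rejects a negative idx */
    if (!TEST_true((unsigned int)idx < OSSL_NELEM(verbs)))
        goto end;

    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
            NULL, 0, 0, &sctx, NULL, cert, privkey)))
        goto end;

    serverssl = SSL_new(sctx);
    if (!TEST_ptr(serverssl))
        goto end;

    /* Queue "<VERB> / HTTP/1.0\r\n\r\n" as the first bytes the server reads */
    if (!TEST_int_gt(BIO_write(b, verbs[idx], (int)strlen(verbs[idx])), 0))
        goto end;
    if (!TEST_int_gt(BIO_write(b, http_trailer, (int)strlen(http_trailer)), 0))
        goto end;
    /*
     * The SSL object owns b from here on, so drop our pointer and let the
     * BIO_free() at the end become a no-op.
     */
    SSL_set_bio(serverssl, b, b);
    b = NULL;

    /* Empty the queue so the reason code read below comes from SSL_accept() */
    ERR_clear_error();
    if (!TEST_int_le(SSL_accept(serverssl), 0))
        goto end;
    if (!TEST_int_eq(ERR_GET_REASON(ERR_get_error()), SSL_R_HTTP_REQUEST))
        goto end;

    testresult = 1;
end:
    SSL_free(serverssl);
    SSL_CTX_free(sctx);
    BIO_free(b);

    return testresult;
}

/*
 * NOTE(review): this usage text does not line up with what setup_tests()
 * reads: argument 0 is used as a certificate directory and an optional
 * argument 6 as a data directory. Worth confirming and updating.
 */
OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")

/*
 * Test framework entry point: creates the library context used by the tests,
 * reads the command-line arguments, loads the provider configuration, builds
 * the certificate and key file paths and registers every test case that the
 * build options allow.
 *
 * Arguments read: 0 certsdir, 1 srpvfile, 2 tmpfilename, 3 provider name,
 * 4 config file, 5 dhfile, 6 datadir (optional, may be NULL).
 *
 * Returns 1 on success and 0 on failure.
 */
int setup_tests(void)
{
    char *modulename;
    char *configfile;

    libctx = OSSL_LIB_CTX_new();
    if (!TEST_ptr(libctx))
        return 0;

    /*
     * Load the "null" provider into the default library context; presumably
     * so that code which wrongly falls back to the default context cannot
     * pick up real algorithms there. The result is not checked here, the
     * availability checks below decide whether setup continues.
     */
    defctxnull = OSSL_PROVIDER_load(NULL, "null");

    /*
     * Verify that the default and fips providers in the default libctx are not
     * available
     */
    if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
        || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
        return 0;

    if (!test_skip_common_options()) {
        TEST_error("Error parsing test options\n");
        return 0;
    }

    if (!TEST_ptr(certsdir = test_get_argument(0))
        || !TEST_ptr(srpvfile = test_get_argument(1))
        || !TEST_ptr(tmpfilename = test_get_argument(2))
        || !TEST_ptr(modulename = test_get_argument(3))
        || !TEST_ptr(configfile = test_get_argument(4))
        || !TEST_ptr(dhfile = test_get_argument(5)))
        return 0;

    /* Optional: test_ssl_trace is only registered below when this is set */
    datadir = test_get_argument(6);

    if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
        return 0;

    /* Check we have the expected provider available */
    if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
        return 0;

    /* Check the default provider is not available */
    if (strcmp(modulename, "default") != 0
        && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
        return 0;

    if (strcmp(modulename, "fips") == 0) {
        OSSL_PROVIDER *prov = NULL;
        OSSL_PARAM params[2];

        is_fips = 1;

        prov = OSSL_PROVIDER_load(libctx, "fips");
        if (prov != NULL) {
            /* Query the fips provider to check if the check ems option is enabled */
            params[0] = OSSL_PARAM_construct_int(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK,
                &fips_ems_check);
            params[1] = OSSL_PARAM_construct_end();
            /*
             * Return value is ignored: if the query fails fips_ems_check keeps
             * the value it already had.
             */
            OSSL_PROVIDER_get_params(prov, params);
            OSSL_PROVIDER_unload(prov);
        }
    }

    /*
     * We add, but don't load the test "tls-provider". We'll load it when we
     * need it.
     */
    if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
            tls_provider_init)))
        return 0;

    if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
#ifdef OPENSSL_NO_CRYPTO_MDEBUG
        TEST_error("not supported in this build");
        return 0;
#else
        int i, mcount, rcount, fcount;

        /*
         * NOTE(review): this runs before cert and privkey are built below;
         * confirm test_export_key_mat() does not depend on them.
         */
        for (i = 0; i < 4; i++)
            test_export_key_mat(i);
        CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
        test_printf_stdout("malloc %d realloc %d free %d\n",
            mcount, rcount, fcount);
        return 1;
#endif
    }

    cert = test_mk_file_path(certsdir, "servercert.pem");
    if (cert == NULL)
        goto err;

    privkey = test_mk_file_path(certsdir, "serverkey.pem");
    if (privkey == NULL)
        goto err;

    cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
    if (cert2 == NULL)
        goto err;

    privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
    if (privkey2 == NULL)
        goto err;

    cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
    if (cert1024 == NULL)
        goto err;

    privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
    if (privkey1024 == NULL)
        goto err;

    cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
    if (cert3072 == NULL)
        goto err;

    privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
    if (privkey3072 == NULL)
        goto err;

    cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
    if (cert4096 == NULL)
        goto err;

    privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
    if (privkey4096 == NULL)
        goto err;

    cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
    if (cert8192 == NULL)
        goto err;

    privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
    if (privkey8192 == NULL)
        goto err;

    /* With the EMS check enabled only test_no_ems is registered */
    if (fips_ems_check) {
#ifndef OPENSSL_NO_TLS1_2
        ADD_TEST(test_no_ems);
#endif
        return 1;
    }
#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
    ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
    ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS * 2);
#endif
#ifndef OSSL_NO_USABLE_TLS1_3
    ADD_TEST(test_ktls_moving_write_buffer);
#endif
#endif
    ADD_TEST(test_large_message_tls);
    ADD_TEST(test_large_message_tls_read_ahead);
#ifndef OPENSSL_NO_DTLS
    ADD_TEST(test_large_message_dtls);
#endif
    ADD_ALL_TESTS(test_large_app_data, 28);
    ADD_TEST(test_cleanse_plaintext);
#ifndef OPENSSL_NO_OCSP
    ADD_TEST(test_tlsext_status_type);
#endif
    ADD_TEST(test_session_with_only_int_cache);
    ADD_TEST(test_session_with_only_ext_cache);
    ADD_TEST(test_session_with_both_cache);
    ADD_TEST(test_session_wo_ca_names);
#ifndef OSSL_NO_USABLE_TLS1_3
    ADD_ALL_TESTS(test_stateful_tickets, 3);
    ADD_ALL_TESTS(test_stateless_tickets, 3);
    ADD_TEST(test_psk_tickets);
    ADD_ALL_TESTS(test_extra_tickets, 6);
#endif
    ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
    ADD_TEST(test_ssl_bio_pop_next_bio);
    ADD_TEST(test_ssl_bio_pop_ssl_bio);
    ADD_TEST(test_ssl_bio_change_rbio);
    ADD_TEST(test_ssl_bio_change_wbio);
    ADD_TEST(test_ssl_set_wbio_chain_no_leak);
#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
    ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
    ADD_TEST(test_keylog);
#endif
#ifndef OSSL_NO_USABLE_TLS1_3
    ADD_TEST(test_keylog_no_master_key);
#endif
    ADD_TEST(test_client_cert_verify_cb);
    ADD_TEST(test_ssl_build_cert_chain);
    ADD_TEST(test_ssl_ctx_build_cert_chain);
#ifndef OPENSSL_NO_TLS1_2
    ADD_TEST(test_client_hello_cb);
    ADD_TEST(test_no_ems);
    ADD_TEST(test_ccs_change_cipher);
#endif
#ifndef OSSL_NO_USABLE_TLS1_3
    ADD_ALL_TESTS(test_early_data_read_write, 6);
    /*
     * We don't do replay tests for external PSK. Replay protection isn't used
     * in that scenario.
     */
    ADD_ALL_TESTS(test_early_data_replay, 2);
    ADD_ALL_TESTS(test_early_data_skip, OSSL_NELEM(ciphersuites) * 3);
    ADD_ALL_TESTS(test_early_data_skip_hrr, OSSL_NELEM(ciphersuites) * 3);
    ADD_ALL_TESTS(test_early_data_skip_hrr_fail, OSSL_NELEM(ciphersuites) * 3);
    ADD_ALL_TESTS(test_early_data_skip_abort, OSSL_NELEM(ciphersuites) * 3);
    ADD_ALL_TESTS(test_early_data_not_sent, 3);
    ADD_ALL_TESTS(test_early_data_psk, 8);
    ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 7);
    ADD_ALL_TESTS(test_early_data_not_expected, 3);
#ifndef OPENSSL_NO_TLS1_2
    ADD_ALL_TESTS(test_early_data_tls1_2, 3);
#endif
#endif
#ifndef OSSL_NO_USABLE_TLS1_3
    ADD_ALL_TESTS(test_set_ciphersuite, 10);
    ADD_TEST(test_ciphersuite_change);
    ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
#ifdef OPENSSL_NO_PSK
    ADD_ALL_TESTS(test_tls13_psk, 1);
#else
    ADD_ALL_TESTS(test_tls13_psk, 4);
#endif /* OPENSSL_NO_PSK */
#ifndef OSSL_NO_USABLE_TLS1_3
    ADD_ALL_TESTS(test_tls13_no_dhe_kex, 8);
#endif /* OSSL_NO_USABLE_TLS1_3 */
#ifndef OPENSSL_NO_TLS1_2
    /* Test with both TLSv1.3 and 1.2 versions */
    ADD_ALL_TESTS(test_key_exchange, 21);
#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
    ADD_ALL_TESTS(test_negotiated_group,
        4 * (OSSL_NELEM(ecdhe_kexch_groups) + OSSL_NELEM(ffdhe_kexch_groups)));
#endif
#else
    /* Test with only TLSv1.3 versions */
    ADD_ALL_TESTS(test_key_exchange, 18);
#endif
    ADD_ALL_TESTS(test_custom_exts, 6);
    ADD_TEST(test_stateless);
    ADD_TEST(test_pha_key_update);
#else
    ADD_ALL_TESTS(test_custom_exts, 3);
#endif
    ADD_ALL_TESTS(test_export_key_mat, 6);
#ifndef OSSL_NO_USABLE_TLS1_3
    ADD_ALL_TESTS(test_export_key_mat_early, 3);
    ADD_TEST(test_key_update);
    ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
    ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
    ADD_ALL_TESTS(test_key_update_local_in_write, 2);
    ADD_ALL_TESTS(test_key_update_local_in_read, 2);
#endif
    ADD_ALL_TESTS(test_ssl_clear, 8);
    ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
    ADD_ALL_TESTS(test_srp, 6);
#endif
#if !defined(OPENSSL_NO_COMP_ALG)
    /* Add compression case */
    ADD_ALL_TESTS(test_info_callback, 8);
#else
    ADD_ALL_TESTS(test_info_callback, 6);
#endif
    ADD_ALL_TESTS(test_ssl_pending, 2);
    ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
    ADD_ALL_TESTS(test_ticket_callbacks, 20);
    ADD_TEST(test_ticket_abort_session_leak);
    ADD_ALL_TESTS(test_shutdown, 7);
    ADD_TEST(test_async_shutdown);
    ADD_ALL_TESTS(test_incorrect_shutdown, 2);
    ADD_ALL_TESTS(test_cert_cb, 6);
    ADD_ALL_TESTS(test_client_cert_cb, 2);
    ADD_ALL_TESTS(test_ca_names, 3);
#ifndef OPENSSL_NO_TLS1_2
    ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
#endif
    ADD_ALL_TESTS(test_servername, 10);
    ADD_TEST(test_unknown_sigalgs_groups);
#if (!defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)) || !defined(OPENSSL_NO_ML_KEM)
    ADD_TEST(test_configuration_of_groups);
#endif
#if !defined(OPENSSL_NO_EC) \
    && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
    ADD_ALL_TESTS(test_sigalgs_available, 6);
#endif
#ifndef OPENSSL_NO_TLS1_3
    ADD_ALL_TESTS(test_pluggable_group, 2);
    ADD_ALL_TESTS(test_pluggable_signature, 6);
#endif
#ifndef OPENSSL_NO_TLS1_2
    ADD_TEST(test_ssl_dup);
    ADD_ALL_TESTS(test_session_secret_cb, 2);
#ifndef OPENSSL_NO_DH
    ADD_ALL_TESTS(test_set_tmp_dh, 11);
    ADD_ALL_TESTS(test_dh_auto, 7);
#endif
#endif
#ifndef OSSL_NO_USABLE_TLS1_3
    ADD_TEST(test_sni_tls13);
    ADD_ALL_TESTS(test_ticket_lifetime, 2);
#endif
    ADD_TEST(test_inherit_verify_param);
    ADD_TEST(test_set_alpn);
    ADD_TEST(test_set_verify_cert_store_ssl_ctx);
    ADD_TEST(test_set_verify_cert_store_ssl);
    ADD_ALL_TESTS(test_session_timeout, 1);
#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
    ADD_ALL_TESTS(test_session_cache_overflow, 4);
#endif
    ADD_TEST(test_load_dhfile);
#ifndef OSSL_NO_USABLE_TLS1_3
    ADD_TEST(test_read_ahead_key_change);
    ADD_ALL_TESTS(test_tls13_record_padding, 6);
#endif
#if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
    ADD_ALL_TESTS(test_serverinfo_custom, 4);
#endif
#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
    ADD_ALL_TESTS(test_pipelining, 7);
#endif
    ADD_ALL_TESTS(test_version, 6);
    ADD_TEST(test_rstate_string);
    ADD_ALL_TESTS(test_handshake_retry, 16);
    ADD_TEST(test_data_retry);
    ADD_ALL_TESTS(test_multi_resume, 5);
    ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests));
#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
    ADD_ALL_TESTS(test_npn, 5);
#endif
    ADD_ALL_TESTS(test_alpn, 4);
#if !defined(OSSL_NO_USABLE_TLS1_3)
    ADD_ALL_TESTS(test_quic_tls, 6);
    ADD_TEST(test_quic_tls_early_data);
#endif
    ADD_ALL_TESTS(test_no_renegotiation, 2);
#if defined(DO_SSL_TRACE_TEST)
    if (datadir != NULL)
        ADD_TEST(test_ssl_trace);
#endif
    ADD_ALL_TESTS(test_ssl_set_groups_unsupported_keyshare, 2);
    ADD_ALL_TESTS(test_http_verbs, 3);
    return 1;

err:
    /*
     * Release every path built so far, not just the first four; the later
     * ones would otherwise be leaked when a later test_mk_file_path() fails.
     */
    OPENSSL_free(cert);
    OPENSSL_free(privkey);
    OPENSSL_free(cert2);
    OPENSSL_free(privkey2);
    OPENSSL_free(cert1024);
    OPENSSL_free(privkey1024);
    OPENSSL_free(cert3072);
    OPENSSL_free(privkey3072);
    OPENSSL_free(cert4096);
    OPENSSL_free(privkey4096);
    OPENSSL_free(cert8192);
    OPENSSL_free(privkey8192);
    return 0;
}

/*
 * Test framework exit hook: frees the file paths built by setup_tests(), the
 * temporary DH parameters where they are compiled in, the test BIO helpers,
 * the "null" provider handle and finally the library context.
 */
void cleanup_tests(void)
{
#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
    EVP_PKEY_free(tmp_dh_params);
#endif
    OPENSSL_free(cert);
    OPENSSL_free(privkey);
    OPENSSL_free(cert2);
    OPENSSL_free(privkey2);
    OPENSSL_free(cert1024);
    OPENSSL_free(privkey1024);
    OPENSSL_free(cert3072);
    OPENSSL_free(privkey3072);
    OPENSSL_free(cert4096);
    OPENSSL_free(privkey4096);
    OPENSSL_free(cert8192);
    OPENSSL_free(privkey8192);
    bio_s_mempacket_test_free();
    bio_s_always_retry_free();
    bio_s_maybe_retry_free();
    /* The provider is unloaded before the library context is freed */
    OSSL_PROVIDER_unload(defctxnull);
    OSSL_LIB_CTX_free(libctx);
}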