+#ifndef OPENSSL_NO_TLS1_2
+static const char *multiblock_cipherlist_data[]=
+{
+ "AES128-SHA",
+ "AES128-SHA256",
+ "AES256-SHA",
+ "AES256-SHA256",
+};
+
+/* Reduce the fragment size - so the multiblock test buffer can be small */
+# define MULTIBLOCK_FRAGSIZE 512
+
+static int test_multiblock_write(int test_index)
+{
+ static const char *fetchable_ciphers[]=
+ {
+ "AES-128-CBC-HMAC-SHA1",
+ "AES-128-CBC-HMAC-SHA256",
+ "AES-256-CBC-HMAC-SHA1",
+ "AES-256-CBC-HMAC-SHA256"
+ };
+ const char *cipherlist = multiblock_cipherlist_data[test_index];
+ const SSL_METHOD *smeth = TLS_server_method();
+ const SSL_METHOD *cmeth = TLS_client_method();
+ int min_version = TLS1_VERSION;
+ int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
+ SSL_CTX *cctx = NULL, *sctx = NULL;
+ SSL *clientssl = NULL, *serverssl = NULL;
+ int testresult = 0;
+
+ /*
+ * Choose a buffer large enough to perform a multi-block operation
+ * i.e: write_len >= 4 * frag_size
+ * 9 * is chosen so that multiple multiblocks are used + some leftover.
+ */
+ unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
+ unsigned char buf[sizeof(msg)], *p = buf;
+ size_t readbytes, written, len;
+ EVP_CIPHER *ciph = NULL;
+
+ /*
+ * Check if the cipher exists before attempting to use it since it only has
+ * a hardware specific implementation.
+ */
+ ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
+ if (ciph == NULL) {
+ TEST_skip("Multiblock cipher is not available for %s", cipherlist);
+ return 1;
+ }
+ EVP_CIPHER_free(ciph);
+
+ /* Set up a buffer with some data that will be sent to the client */
+ RAND_bytes(msg, sizeof(msg));
+
+ if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
+ max_version, &sctx, &cctx, cert,
+ privkey)))
+ goto end;
+
+ if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
+ goto end;
+
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
+ NULL, NULL)))
+ goto end;
+
+ /* settings to force it to use AES-CBC-HMAC_SHA */
+ SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
+ if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
+ goto end;
+
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
+ goto end;
+
+ if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
+ || !TEST_size_t_eq(written, sizeof(msg)))
+ goto end;
+
+ len = written;
+ while (len > 0) {
+ if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
+ goto end;
+ p += readbytes;
+ len -= readbytes;
+ }
+ if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
+ goto end;
+
+ testresult = 1;
+end:
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
+
+ return testresult;
+}
+#endif /* OPENSSL_NO_TLS1_2 */
+
+/*
+ * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
+ * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
+ * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
+ * Test 3: Client does not set servername on initial handshake (TLSv1.2)
+ * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
+ * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
+ * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
+ * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
+ * Test 8: Client does not set servername on initial handshake(TLSv1.3)
+ * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
+ */
+static int test_servername(int tst)
+{
+ SSL_CTX *cctx = NULL, *sctx = NULL;
+ SSL *clientssl = NULL, *serverssl = NULL;
+ int testresult = 0;
+ SSL_SESSION *sess = NULL;
+ const char *sexpectedhost = NULL, *cexpectedhost = NULL;
+
+#ifdef OPENSSL_NO_TLS1_2
+ if (tst <= 4)
+ return 1;
+#endif
+#ifdef OPENSSL_NO_TLS1_3
+ if (tst >= 5)
+ return 1;
+#endif
+
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(),
+ TLS1_VERSION,
+ (tst <= 4) ? TLS1_2_VERSION
+ : TLS1_3_VERSION,
+ &sctx, &cctx, cert, privkey))
+ || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
+ NULL, NULL)))
+ goto end;
+
+ if (tst != 1 && tst != 6) {
+ if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
+ hostname_cb)))
+ goto end;
+ }
+
+ if (tst != 3 && tst != 8) {
+ if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
+ goto end;
+ sexpectedhost = cexpectedhost = "goodhost";
+ }
+
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
+ goto end;
+
+ if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
+ cexpectedhost)
+ || !TEST_str_eq(SSL_get_servername(serverssl,
+ TLSEXT_NAMETYPE_host_name),
+ sexpectedhost))
+ goto end;
+
+ /* Now repeat with a resumption handshake */
+
+ if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
+ || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
+ || !TEST_true(SSL_SESSION_is_resumable(sess))
+ || !TEST_int_eq(SSL_shutdown(serverssl), 0))
+ goto end;
+
+ SSL_free(clientssl);
+ SSL_free(serverssl);
+ clientssl = serverssl = NULL;
+
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
+ NULL)))
+ goto end;
+
+ if (!TEST_true(SSL_set_session(clientssl, sess)))
+ goto end;
+
+ sexpectedhost = cexpectedhost = "goodhost";
+ if (tst == 2 || tst == 7) {
+ /* Set an inconsistent hostname */
+ if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
+ goto end;
+ /*
+ * In TLSv1.2 we expect the hostname from the original handshake, in
+ * TLSv1.3 we expect the hostname from this handshake
+ */
+ if (tst == 7)
+ sexpectedhost = cexpectedhost = "altgoodhost";
+
+ if (!TEST_str_eq(SSL_get_servername(clientssl,
+ TLSEXT_NAMETYPE_host_name),
+ "altgoodhost"))
+ goto end;
+ } else if (tst == 4 || tst == 9) {
+ /*
+ * A TLSv1.3 session does not associate a session with a servername,
+ * but a TLSv1.2 session does.
+ */
+ if (tst == 9)
+ sexpectedhost = cexpectedhost = NULL;
+
+ if (!TEST_str_eq(SSL_get_servername(clientssl,
+ TLSEXT_NAMETYPE_host_name),
+ cexpectedhost))
+ goto end;
+ } else {
+ if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
+ goto end;
+ /*
+ * In a TLSv1.2 resumption where the hostname was not acknowledged
+ * we expect the hostname on the server to be empty. On the client we
+ * return what was requested in this case.
+ *
+ * Similarly if the client didn't set a hostname on an original TLSv1.2
+ * session but is now, the server hostname will be empty, but the client
+ * is as we set it.
+ */
+ if (tst == 1 || tst == 3)
+ sexpectedhost = NULL;
+
+ if (!TEST_str_eq(SSL_get_servername(clientssl,
+ TLSEXT_NAMETYPE_host_name),
+ "goodhost"))
+ goto end;
+ }
+
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
+ goto end;
+
+ if (!TEST_true(SSL_session_reused(clientssl))
+ || !TEST_true(SSL_session_reused(serverssl))
+ || !TEST_str_eq(SSL_get_servername(clientssl,
+ TLSEXT_NAMETYPE_host_name),
+ cexpectedhost)
+ || !TEST_str_eq(SSL_get_servername(serverssl,
+ TLSEXT_NAMETYPE_host_name),
+ sexpectedhost))
+ goto end;
+
+ testresult = 1;
+
+ end:
+ SSL_SESSION_free(sess);
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
+
+ return testresult;
+}
+
+#ifndef OPENSSL_NO_EC
+/*
+ * Test that if signature algorithms are not available, then we do not offer or
+ * accept them.
+ * Test 0: Two RSA sig algs available: both RSA sig algs shared
+ * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
+ * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
+ * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
+ * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
+ * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
+ */
+static int test_sigalgs_available(int idx)
+{
+ SSL_CTX *cctx = NULL, *sctx = NULL;
+ SSL *clientssl = NULL, *serverssl = NULL;
+ int testresult = 0;
+ OPENSSL_CTX *tmpctx = OPENSSL_CTX_new();
+ OPENSSL_CTX *clientctx = libctx, *serverctx = libctx;
+ OSSL_PROVIDER *filterprov = NULL;
+ int sig, hash;
+
+ if (!TEST_ptr(tmpctx))
+ goto end;
+
+ if (idx != 0 && idx != 3) {
+ if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
+ filter_provider_init)))
+ goto end;
+
+ filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
+ if (!TEST_ptr(filterprov))
+ goto end;
+
+ if (idx < 3) {
+ /*
+ * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
+ * or accepted for the peer that uses this libctx. Note that libssl
+ * *requires* SHA2-256 to be available so we cannot disable that. We
+ * also need SHA1 for our certificate.
+ */
+ if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
+ "SHA2-256:SHA1")))
+ goto end;
+ } else {
+ if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
+ "ECDSA"))
+ || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
+ "EC:X25519:X448")))
+ goto end;
+ }
+
+ if (idx == 1 || idx == 4)
+ clientctx = tmpctx;
+ else
+ serverctx = tmpctx;
+ }
+
+ cctx = SSL_CTX_new_with_libctx(clientctx, NULL, TLS_client_method());
+ sctx = SSL_CTX_new_with_libctx(serverctx, NULL, TLS_server_method());
+
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(),
+ TLS1_VERSION,
+ 0,
+ &sctx, &cctx, cert, privkey)))
+ goto end;