tests/suites/test_suite_ssl.function

/* BEGIN_HEADER */
#include <ssl_misc.h>
#include <mbedtls/timing.h>
#include <mbedtls/debug.h>
#include <mbedtls/pk.h>
#include <ssl_tls13_keys.h>
#include <ssl_tls13_invasive.h>
#include <test/ssl_helpers.h>

#include <constant_time_internal.h>
#include <test/constant_flow.h>

#define SSL_MESSAGE_QUEUE_INIT      { NULL, 0, 0, 0 }

/* Mnemonics for the early data test scenarios */
#define TEST_EARLY_DATA_ACCEPTED 0
#define TEST_EARLY_DATA_NO_INDICATION_SENT 1
#define TEST_EARLY_DATA_SERVER_REJECTS 2
#define TEST_EARLY_DATA_HRR 3
#define TEST_EARLY_DATA_SAME_ALPN 4
#define TEST_EARLY_DATA_DIFF_ALPN 5
#define TEST_EARLY_DATA_NO_INITIAL_ALPN 6
#define TEST_EARLY_DATA_NO_LATER_ALPN 7

#if (!defined(MBEDTLS_SSL_PROTO_TLS1_2)) && \
    defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) && \
    defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_DEBUG_C) && \
    defined(MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE) && \
    defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) && \
    defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) && \
    defined(PSA_WANT_ALG_SHA_256) && \
    defined(PSA_WANT_ECC_SECP_R1_256) && defined(PSA_WANT_ECC_SECP_R1_384) && \
    defined(PSA_HAVE_ALG_ECDSA_VERIFY) && defined(MBEDTLS_SSL_SESSION_TICKETS)
/*
 * Test function to write early data for negative tests where
 * mbedtls_ssl_write_early_data() cannot be used.
 */
static int write_early_data(mbedtls_ssl_context *ssl,
                            unsigned char *buf, size_t len)
{
    int ret = mbedtls_ssl_get_max_out_record_payload(ssl);

    TEST_ASSERT(ret > 0);
    TEST_LE_U(len, (size_t) ret);

    ret = mbedtls_ssl_flush_output(ssl);
    TEST_EQUAL(ret, 0);
    TEST_EQUAL(ssl->out_left, 0);

    ssl->out_msglen = len;
    ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;
    if (len > 0) {
        memcpy(ssl->out_msg, buf, len);
    }

    ret = mbedtls_ssl_write_record(ssl, 1);
    TEST_EQUAL(ret, 0);

    ret = len;

exit:
    return ret;
}
#endif

#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) && \
    defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) && \
    defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
    defined(PSA_WANT_ECC_SECP_R1_384) && \
    defined(PSA_WANT_ALG_SHA_256)
/*
 * Test function to perform a handshake using the mfl extension and with
 * setting the resize buffer option.
 */
static void resize_buffers(int mfl, int renegotiation, int legacy_renegotiation,
                           int serialize, int dtls, char *cipher)
{
    mbedtls_test_handshake_test_options options;
    mbedtls_test_init_handshake_options(&options);

    options.mfl = mfl;
    options.cipher = cipher;
    options.renegotiate = renegotiation;
    options.legacy_renegotiation = legacy_renegotiation;
    options.serialize = serialize;
    options.dtls = dtls;
    if (dtls) {
        options.expected_negotiated_version = MBEDTLS_SSL_VERSION_TLS1_2;
    }
    options.resize_buffers = 1;

    const mbedtls_ssl_ciphersuite_t *ciphersuite =
        mbedtls_ssl_ciphersuite_from_string(cipher);
    if (ciphersuite != NULL) {
        options.pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite);
    }

    mbedtls_test_ssl_perform_handshake(&options);

    mbedtls_test_free_handshake_options(&options);
}

#endif

#if defined(PSA_WANT_ALG_GCM) || defined(PSA_WANT_ALG_CHACHA20_POLY1305)
#define TEST_GCM_OR_CHACHAPOLY_ENABLED
#endif

typedef enum {
    RECOMBINE_NOMINAL,          /* param: ignored */
    RECOMBINE_SPLIT_FIRST,      /* param: offset of split (<=0 means from end) */
    RECOMBINE_INSERT_EMPTY,     /* param: offset (<0 means from end) */
    RECOMBINE_COALESCE,         /* param: min number of records */
    RECOMBINE_COALESCE_SPLIT_ONCE, /* param: offset of split (<=0 means from end) */
    RECOMBINE_COALESCE_SPLIT_ENDS, /* the hairiest one? param: offset, must be >0 */
} recombine_records_instruction_t;

#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)

/* Split the first record into two pieces of lengths offset and
 * record_length-offset. If offset is zero or negative, count from the end of
 * the record. */
static int recombine_split_first_record(mbedtls_test_ssl_buffer *buf,
                                        int offset)
{
    const size_t header_length = 5;
    TEST_LE_U(header_length, buf->content_length);
    size_t record_length = MBEDTLS_GET_UINT16_BE(buf->buffer, header_length - 2);

    if (offset > 0) {
        TEST_LE_S(offset, record_length);
    } else {
        TEST_LE_S(-offset, record_length);
        offset = record_length + offset;
    }

    /* Check that we have room to insert a record header */
    TEST_LE_U(buf->content_length + header_length, buf->capacity);

    /* Make room for a record header */
    size_t new_record_start = header_length + offset;
    size_t new_content_start = new_record_start + header_length;
    memmove(buf->buffer + new_content_start,
            buf->buffer + new_record_start,
            buf->content_length - new_record_start);
    buf->content_length += header_length;

    /* Construct a header for the new record based on the existing one */
    memcpy(buf->buffer + new_record_start, buf->buffer, header_length);
    MBEDTLS_PUT_UINT16_BE(record_length - offset,
                          buf->buffer, new_content_start - 2);

    /* Adjust the length of the first record */
    MBEDTLS_PUT_UINT16_BE(offset, buf->buffer, header_length - 2);

    return 0;

exit:
    return -1;
}

/* Insert an empty record at the given offset. If offset is negative,
 * count from the end of the first record. */
static int recombine_insert_empty_record(mbedtls_test_ssl_buffer *buf,
                                         int offset)
{
    const size_t header_length = 5;
    TEST_LE_U(header_length, buf->content_length);
    size_t record_length = MBEDTLS_GET_UINT16_BE(buf->buffer, header_length - 2);

    if (offset >= 0) {
        TEST_LE_S(offset, record_length);
    } else {
        TEST_LE_S(-offset, record_length);
        offset = record_length + offset;
    }

    /* Check that we have room to insert two record headers */
    TEST_LE_U(buf->content_length + 2 * header_length, buf->capacity);

    /* Make room for an empty record and a record header */
    size_t empty_record_start = header_length + offset;
    size_t empty_content_start = empty_record_start + header_length;
    size_t tail_record_start = empty_content_start;
    size_t tail_content_start = tail_record_start + header_length;
    memmove(buf->buffer + tail_content_start,
            buf->buffer + tail_record_start,
            buf->content_length - tail_record_start);
    buf->content_length += 2 * header_length;

    /* Construct headers for the new records based on the existing one */
    memcpy(buf->buffer + empty_record_start, buf->buffer, header_length);
    MBEDTLS_PUT_UINT16_BE(0, buf->buffer, empty_content_start - 2);
    memcpy(buf->buffer + tail_record_start, buf->buffer, header_length);
    MBEDTLS_PUT_UINT16_BE(record_length - offset,
                          buf->buffer, tail_content_start - 2);

    /* Adjust the length of the first record */
    MBEDTLS_PUT_UINT16_BE(offset, buf->buffer, header_length - 2);

    return 0;

exit:
    return -1;
}

/* Coalesce TLS handshake records.
 * DTLS is not supported.
 * Encrypted or authenticated handshake records are not supported.
 * Assume the buffer content is a valid sequence of records.
 */
static int recombine_coalesce_handshake_records(mbedtls_test_ssl_buffer *buf,
                                                int max)
{
    const size_t header_length = 5;
    TEST_LE_U(header_length, buf->content_length);
    if (buf->buffer[0] != MBEDTLS_SSL_MSG_HANDSHAKE) {
        return 0;
    }

    size_t record_length = MBEDTLS_GET_UINT16_BE(buf->buffer, header_length - 2);
    TEST_LE_U(header_length + record_length, buf->content_length);

    int count;
    for (count = 1; count < max; count++) {
        size_t next_start = header_length + record_length;
        if (next_start >= buf->content_length) {
            /* We've already reached the last record. */
            break;
        }

        TEST_LE_U(next_start + header_length, buf->content_length);
        if (buf->buffer[next_start] != MBEDTLS_SSL_MSG_HANDSHAKE) {
            /* There's another record, but it isn't a handshake record. */
            break;
        }
        size_t next_length =
            MBEDTLS_GET_UINT16_BE(buf->buffer, next_start + header_length - 2);
        TEST_LE_U(next_start + header_length + next_length, buf->content_length);

        /* Erase the next record header */
        memmove(buf->buffer + next_start,
                buf->buffer + next_start + header_length,
                buf->content_length - next_start);
        buf->content_length -= header_length;
        /* Update the first record length */
        record_length += next_length;
        TEST_LE_U(record_length, 0xffff);
        MBEDTLS_PUT_UINT16_BE(record_length, buf->buffer, header_length - 2);
    }

    return count;

exit:
    return -1;
}

static int recombine_records(mbedtls_test_ssl_endpoint *server,
                             recombine_records_instruction_t instruction,
                             int param)
{
    mbedtls_test_ssl_buffer *buf = server->socket.output;
    int ret;

    /* buf is a circular buffer. For simplicity, this code assumes that
     * the data is located at the beginning. This should be ok since
     * this function is only meant to be used on the first flight
     * emitted by a server. */
    TEST_EQUAL(buf->start, 0);

    switch (instruction) {
        case RECOMBINE_NOMINAL:
            break;

        case RECOMBINE_SPLIT_FIRST:
            ret = recombine_split_first_record(buf, param);
            TEST_LE_S(0, ret);
            break;

        case RECOMBINE_INSERT_EMPTY:
            ret = recombine_insert_empty_record(buf, param);
            TEST_LE_S(0, ret);
            break;

        case RECOMBINE_COALESCE:
            ret = recombine_coalesce_handshake_records(buf, param);
            if (param == INT_MAX) {
                TEST_LE_S(1, ret);
            } else {
                TEST_EQUAL(ret, param);
            }
            break;

        case RECOMBINE_COALESCE_SPLIT_ONCE:
            ret = recombine_coalesce_handshake_records(buf, INT_MAX);
            /* Require at least two coalesced records, otherwise this
             * doesn't lead to a meaningful test (use
             * RECOMBINE_SPLIT_FIRST instead). */
            TEST_LE_S(2, ret);
            ret = recombine_split_first_record(buf, param);
            TEST_LE_S(0, ret);
            break;

        case RECOMBINE_COALESCE_SPLIT_ENDS:
            ret = recombine_coalesce_handshake_records(buf, INT_MAX);
            /* Accept a single record, which will be split at both ends */
            TEST_LE_S(1, ret);
            TEST_LE_S(1, param);
            ret = recombine_split_first_record(buf, -param);
            TEST_LE_S(0, ret);
            ret = recombine_split_first_record(buf, param);
            TEST_LE_S(0, ret);
            break;

        default:
            TEST_FAIL("Instructions not understood");
    }

    return 1;

exit:
    return 0;
}

#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */

/* END_HEADER */

/* BEGIN_DEPENDENCIES
 * depends_on:MBEDTLS_SSL_TLS_C
 * END_DEPENDENCIES
 */

/* BEGIN_CASE */
void test_callback_buffer_sanity()
{
    enum { MSGLEN = 10 };
    mbedtls_test_ssl_buffer buf;
    mbedtls_test_ssl_buffer_init(&buf);
    unsigned char input[MSGLEN];
    unsigned char output[MSGLEN];

    USE_PSA_INIT();
    memset(input, 0, sizeof(input));

    /* Make sure calling put and get on NULL buffer results in error. */
    TEST_ASSERT(mbedtls_test_ssl_buffer_put(NULL, input, sizeof(input))
                == -1);
    TEST_ASSERT(mbedtls_test_ssl_buffer_get(NULL, output, sizeof(output))
                == -1);
    TEST_ASSERT(mbedtls_test_ssl_buffer_put(NULL, NULL, sizeof(input))
                == -1);

    TEST_ASSERT(mbedtls_test_ssl_buffer_put(NULL, NULL, 0) == -1);
    TEST_ASSERT(mbedtls_test_ssl_buffer_get(NULL, NULL, 0) == -1);

    /* Make sure calling put and get on a buffer that hasn't been set up results
     * in error. */
    TEST_ASSERT(mbedtls_test_ssl_buffer_put(&buf, input, sizeof(input))
                == -1);
    TEST_ASSERT(mbedtls_test_ssl_buffer_get(&buf, output, sizeof(output))
                == -1);
    TEST_ASSERT(mbedtls_test_ssl_buffer_put(&buf, NULL, sizeof(input))
                == -1);

    TEST_ASSERT(mbedtls_test_ssl_buffer_put(&buf, NULL, 0) == -1);
    TEST_ASSERT(mbedtls_test_ssl_buffer_get(&buf, NULL, 0) == -1);

    /* Make sure calling put and get on NULL input only results in
     * error if the length is not zero, and that a NULL output is valid for data
     * dropping.
     */

    TEST_ASSERT(mbedtls_test_ssl_buffer_setup(&buf, sizeof(input)) == 0);

    TEST_ASSERT(mbedtls_test_ssl_buffer_put(&buf, NULL, sizeof(input))
                == -1);
    TEST_ASSERT(mbedtls_test_ssl_buffer_get(&buf, NULL, sizeof(output))
                == 0);
    TEST_ASSERT(mbedtls_test_ssl_buffer_put(&buf, NULL, 0) == 0);
    TEST_ASSERT(mbedtls_test_ssl_buffer_get(&buf, NULL, 0) == 0);

    /* Make sure calling put several times in the row is safe */

    TEST_ASSERT(mbedtls_test_ssl_buffer_put(&buf, input, sizeof(input))
                == sizeof(input));
    TEST_ASSERT(mbedtls_test_ssl_buffer_get(&buf, output, 2) == 2);
    TEST_ASSERT(mbedtls_test_ssl_buffer_put(&buf, input, 1) == 1);
    TEST_ASSERT(mbedtls_test_ssl_buffer_put(&buf, input, 2) == 1);
    TEST_ASSERT(mbedtls_test_ssl_buffer_put(&buf, input, 2) == 0);


exit:
    mbedtls_test_ssl_buffer_free(&buf);
    USE_PSA_DONE();
}
/* END_CASE */

/*
 * Test if the implementation of `mbedtls_test_ssl_buffer` related functions is
 * correct and works as expected.
 *
 * That is
 *  - If we try to put in \p put1 bytes then we can put in \p put1_ret bytes.
 *  - Afterwards if we try to get \p get1 bytes then we can get \get1_ret bytes.
 *  - Next, if we try to put in \p put1 bytes then we can put in \p put1_ret
 *    bytes.
 *  - Afterwards if we try to get \p get1 bytes then we can get \get1_ret bytes.
 *  - All of the bytes we got match the bytes we put in in a FIFO manner.
 */

/* BEGIN_CASE */
void test_callback_buffer(int size, int put1, int put1_ret,
                          int get1, int get1_ret, int put2, int put2_ret,
                          int get2, int get2_ret)
{
    enum { ROUNDS = 2 };
    size_t put[ROUNDS];
    int put_ret[ROUNDS];
    size_t get[ROUNDS];
    int get_ret[ROUNDS];
    mbedtls_test_ssl_buffer buf;
    unsigned char *input = NULL;
    size_t input_len;
    unsigned char *output = NULL;
    size_t output_len;
    size_t i, j, written, read;

    mbedtls_test_ssl_buffer_init(&buf);
    USE_PSA_INIT();
    TEST_ASSERT(mbedtls_test_ssl_buffer_setup(&buf, size) == 0);

    /* Check the sanity of input parameters and initialise local variables. That
     * is, ensure that the amount of data is not negative and that we are not
     * expecting more to put or get than we actually asked for. */
    TEST_ASSERT(put1 >= 0);
    put[0] = put1;
    put_ret[0] = put1_ret;
    TEST_ASSERT(put1_ret <= put1);
    TEST_ASSERT(put2 >= 0);
    put[1] = put2;
    put_ret[1] = put2_ret;
    TEST_ASSERT(put2_ret <= put2);

    TEST_ASSERT(get1 >= 0);
    get[0] = get1;
    get_ret[0] = get1_ret;
    TEST_ASSERT(get1_ret <= get1);
    TEST_ASSERT(get2 >= 0);
    get[1] = get2;
    get_ret[1] = get2_ret;
    TEST_ASSERT(get2_ret <= get2);

    input_len = 0;
    /* Calculate actual input and output lengths */
    for (j = 0; j < ROUNDS; j++) {
        if (put_ret[j] > 0) {
            input_len += put_ret[j];
        }
    }
    /* In order to always have a valid pointer we always allocate at least 1
     * byte. */
    if (input_len == 0) {
        input_len = 1;
    }
    TEST_CALLOC(input, input_len);

    output_len = 0;
    for (j = 0; j < ROUNDS; j++) {
        if (get_ret[j] > 0) {
            output_len += get_ret[j];
        }
    }
    TEST_ASSERT(output_len <= input_len);
    /* In order to always have a valid pointer we always allocate at least 1
     * byte. */
    if (output_len == 0) {
        output_len = 1;
    }
    TEST_CALLOC(output, output_len);

    /* Fill up the buffer with structured data so that unwanted changes
     * can be detected */
    for (i = 0; i < input_len; i++) {
        input[i] = i & 0xFF;
    }

    written = read = 0;
    for (j = 0; j < ROUNDS; j++) {
        TEST_ASSERT(put_ret[j] == mbedtls_test_ssl_buffer_put(&buf,
                                                              input + written, put[j]));
        written += put_ret[j];
        TEST_ASSERT(get_ret[j] == mbedtls_test_ssl_buffer_get(&buf,
                                                              output + read, get[j]));
        read += get_ret[j];
        TEST_ASSERT(read <= written);
        if (get_ret[j] > 0) {
            TEST_ASSERT(memcmp(output + read - get_ret[j],
                               input + read - get_ret[j], get_ret[j])
                        == 0);
        }
    }

exit:
    mbedtls_free(input);
    mbedtls_free(output);
    mbedtls_test_ssl_buffer_free(&buf);
    USE_PSA_DONE();
}
/* END_CASE */

/*
 * Test if the implementation of `mbedtls_test_mock_socket` related
 * I/O functions is correct and works as expected on unconnected sockets.
 */

/* BEGIN_CASE */
void ssl_mock_sanity()
{
    enum { MSGLEN = 105 };
    unsigned char message[MSGLEN] = { 0 };
    unsigned char received[MSGLEN] = { 0 };
    mbedtls_test_mock_socket socket;

    mbedtls_test_mock_socket_init(&socket);
    USE_PSA_INIT();
    TEST_ASSERT(mbedtls_test_mock_tcp_send_b(&socket, message, MSGLEN) < 0);
    mbedtls_test_mock_socket_close(&socket);
    mbedtls_test_mock_socket_init(&socket);
    TEST_ASSERT(mbedtls_test_mock_tcp_recv_b(&socket, received, MSGLEN) < 0);
    mbedtls_test_mock_socket_close(&socket);

    mbedtls_test_mock_socket_init(&socket);
    TEST_ASSERT(mbedtls_test_mock_tcp_send_nb(&socket, message, MSGLEN) < 0);
    mbedtls_test_mock_socket_close(&socket);
    mbedtls_test_mock_socket_init(&socket);
    TEST_ASSERT(mbedtls_test_mock_tcp_recv_nb(&socket, received, MSGLEN) < 0);
    mbedtls_test_mock_socket_close(&socket);

exit:
    mbedtls_test_mock_socket_close(&socket);
    USE_PSA_DONE();
}
/* END_CASE */

/*
 * Test if the implementation of `mbedtls_test_mock_socket` related functions
 * can send a single message from the client to the server.
 */

/* BEGIN_CASE */
void ssl_mock_tcp(int blocking)
{
    enum { MSGLEN = 105 };
    enum { BUFLEN = MSGLEN / 5 };
    unsigned char message[MSGLEN];
    unsigned char received[MSGLEN];
    mbedtls_test_mock_socket client;
    mbedtls_test_mock_socket server;
    size_t written, read;
    int send_ret, recv_ret;
    mbedtls_ssl_send_t *send;
    mbedtls_ssl_recv_t *recv;
    unsigned i;

    if (blocking == 0) {
        send = mbedtls_test_mock_tcp_send_nb;
        recv = mbedtls_test_mock_tcp_recv_nb;
    } else {
        send = mbedtls_test_mock_tcp_send_b;
        recv = mbedtls_test_mock_tcp_recv_b;
    }

    mbedtls_test_mock_socket_init(&client);
    mbedtls_test_mock_socket_init(&server);
    USE_PSA_INIT();

    /* Fill up the buffer with structured data so that unwanted changes
     * can be detected */
    for (i = 0; i < MSGLEN; i++) {
        message[i] = i & 0xFF;
    }

    /* Make sure that sending a message takes a few  iterations. */
    TEST_ASSERT(0 == mbedtls_test_mock_socket_connect(&client, &server,
                                                      BUFLEN));

    /* Send the message to the server */
    send_ret = recv_ret = 1;
    written = read = 0;
    while (send_ret != 0 || recv_ret != 0) {
        send_ret = send(&client, message + written, MSGLEN - written);

        TEST_ASSERT(send_ret >= 0);
        TEST_ASSERT(send_ret <= BUFLEN);
        written += send_ret;

        /* If the buffer is full we can test blocking and non-blocking send */
        if (send_ret == BUFLEN) {
            int blocking_ret = send(&client, message, 1);
            if (blocking) {
                TEST_ASSERT(blocking_ret == 0);
            } else {
                TEST_ASSERT(blocking_ret == MBEDTLS_ERR_SSL_WANT_WRITE);
            }
        }

        recv_ret = recv(&server, received + read, MSGLEN - read);

        /* The result depends on whether any data was sent */
        if (send_ret > 0) {
            TEST_ASSERT(recv_ret > 0);
            TEST_ASSERT(recv_ret <= BUFLEN);
            read += recv_ret;
        } else if (blocking) {
            TEST_ASSERT(recv_ret == 0);
        } else {
            TEST_ASSERT(recv_ret == MBEDTLS_ERR_SSL_WANT_READ);
            recv_ret = 0;
        }

        /* If the buffer is empty we can test blocking and non-blocking read */
        if (recv_ret == BUFLEN) {
            int blocking_ret = recv(&server, received, 1);
            if (blocking) {
                TEST_ASSERT(blocking_ret == 0);
            } else {
                TEST_ASSERT(blocking_ret == MBEDTLS_ERR_SSL_WANT_READ);
            }
        }
    }
    TEST_ASSERT(memcmp(message, received, MSGLEN) == 0);

exit:
    mbedtls_test_mock_socket_close(&client);
    mbedtls_test_mock_socket_close(&server);
    USE_PSA_DONE();
}
/* END_CASE */

/*
 * Test if the implementation of `mbedtls_test_mock_socket` related functions
 * can send messages in both direction at the same time (with the I/O calls
 * interleaving).
 */

/* BEGIN_CASE */
void ssl_mock_tcp_interleaving(int blocking)
{
    enum { ROUNDS = 2 };
    enum { MSGLEN = 105 };
    enum { BUFLEN = MSGLEN / 5 };
    unsigned char message[ROUNDS][MSGLEN];
    unsigned char received[ROUNDS][MSGLEN];
    mbedtls_test_mock_socket client;
    mbedtls_test_mock_socket server;
    size_t written[ROUNDS];
    size_t read[ROUNDS];
    int send_ret[ROUNDS];
    int recv_ret[ROUNDS];
    unsigned i, j, progress;
    mbedtls_ssl_send_t *send;
    mbedtls_ssl_recv_t *recv;

    if (blocking == 0) {
        send = mbedtls_test_mock_tcp_send_nb;
        recv = mbedtls_test_mock_tcp_recv_nb;
    } else {
        send = mbedtls_test_mock_tcp_send_b;
        recv = mbedtls_test_mock_tcp_recv_b;
    }

    mbedtls_test_mock_socket_init(&client);
    mbedtls_test_mock_socket_init(&server);
    USE_PSA_INIT();

    /* Fill up the buffers with structured data so that unwanted changes
     * can be detected */
    for (i = 0; i < ROUNDS; i++) {
        for (j = 0; j < MSGLEN; j++) {
            message[i][j] = (i * MSGLEN + j) & 0xFF;
        }
    }

    /* Make sure that sending a message takes a few  iterations. */
    TEST_ASSERT(0 == mbedtls_test_mock_socket_connect(&client, &server,
                                                      BUFLEN));

    /* Send the message from both sides, interleaving. */
    progress = 1;
    for (i = 0; i < ROUNDS; i++) {
        written[i] = 0;
        read[i] = 0;
    }
    /* This loop does not stop as long as there was a successful write or read
     * of at least one byte on either side. */
    while (progress != 0) {
        mbedtls_test_mock_socket *socket;

        for (i = 0; i < ROUNDS; i++) {
            /* First sending is from the client */
            socket = (i % 2 == 0) ? (&client) : (&server);

            send_ret[i] = send(socket, message[i] + written[i],
                               MSGLEN - written[i]);
            TEST_ASSERT(send_ret[i] >= 0);
            TEST_ASSERT(send_ret[i] <= BUFLEN);
            written[i] += send_ret[i];

            /* If the buffer is full we can test blocking and non-blocking
             * send */
            if (send_ret[i] == BUFLEN) {
                int blocking_ret = send(socket, message[i], 1);
                if (blocking) {
                    TEST_ASSERT(blocking_ret == 0);
                } else {
                    TEST_ASSERT(blocking_ret == MBEDTLS_ERR_SSL_WANT_WRITE);
                }
            }
        }

        for (i = 0; i < ROUNDS; i++) {
            /* First receiving is from the server */
            socket = (i % 2 == 0) ? (&server) : (&client);

            recv_ret[i] = recv(socket, received[i] + read[i],
                               MSGLEN - read[i]);

            /* The result depends on whether any data was sent */
            if (send_ret[i] > 0) {
                TEST_ASSERT(recv_ret[i] > 0);
                TEST_ASSERT(recv_ret[i] <= BUFLEN);
                read[i] += recv_ret[i];
            } else if (blocking) {
                TEST_ASSERT(recv_ret[i] == 0);
            } else {
                TEST_ASSERT(recv_ret[i] == MBEDTLS_ERR_SSL_WANT_READ);
                recv_ret[i] = 0;
            }

            /* If the buffer is empty we can test blocking and non-blocking
             * read */
            if (recv_ret[i] == BUFLEN) {
                int blocking_ret = recv(socket, received[i], 1);
                if (blocking) {
                    TEST_ASSERT(blocking_ret == 0);
                } else {
                    TEST_ASSERT(blocking_ret == MBEDTLS_ERR_SSL_WANT_READ);
                }
            }
        }

        progress = 0;
        for (i = 0; i < ROUNDS; i++) {
            progress += send_ret[i] + recv_ret[i];
        }
    }

    for (i = 0; i < ROUNDS; i++) {
        TEST_ASSERT(memcmp(message[i], received[i], MSGLEN) == 0);
    }

exit:
    mbedtls_test_mock_socket_close(&client);
    mbedtls_test_mock_socket_close(&server);
    USE_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE */
void ssl_message_queue_sanity()
{
    mbedtls_test_ssl_message_queue queue = SSL_MESSAGE_QUEUE_INIT;

    USE_PSA_INIT();
    /* Trying to push/pull to an empty queue */
    TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(NULL, 1)
                == MBEDTLS_TEST_ERROR_ARG_NULL);
    TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(NULL, 1)
                == MBEDTLS_TEST_ERROR_ARG_NULL);

    TEST_ASSERT(mbedtls_test_ssl_message_queue_setup(&queue, 3) == 0);
    TEST_ASSERT(queue.capacity == 3);
    TEST_ASSERT(queue.num == 0);

exit:
    mbedtls_test_ssl_message_queue_free(&queue);
    USE_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE */
void ssl_message_queue_basic()
{
    mbedtls_test_ssl_message_queue queue = SSL_MESSAGE_QUEUE_INIT;

    USE_PSA_INIT();
    TEST_ASSERT(mbedtls_test_ssl_message_queue_setup(&queue, 3) == 0);

    /* Sanity test - 3 pushes and 3 pops with sufficient space */
    TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 1) == 1);
    TEST_ASSERT(queue.capacity == 3);
    TEST_ASSERT(queue.num == 1);
    TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 1) == 1);
    TEST_ASSERT(queue.capacity == 3);
    TEST_ASSERT(queue.num == 2);
    TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 2) == 2);
    TEST_ASSERT(queue.capacity == 3);
    TEST_ASSERT(queue.num == 3);

    TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 1) == 1);
    TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 1) == 1);
    TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 2) == 2);

exit:
    mbedtls_test_ssl_message_queue_free(&queue);
    USE_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE */
void ssl_message_queue_overflow_underflow()
{
    mbedtls_test_ssl_message_queue queue = SSL_MESSAGE_QUEUE_INIT;

    USE_PSA_INIT();
    TEST_ASSERT(mbedtls_test_ssl_message_queue_setup(&queue, 3) == 0);

    /* 4 pushes (last one with an error), 4 pops (last one with an error) */
    TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 1) == 1);
    TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 1) == 1);
    TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 2) == 2);
    TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 3)
                == MBEDTLS_ERR_SSL_WANT_WRITE);

    TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 1) == 1);
    TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 1) == 1);
    TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 2) == 2);

    TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 1)
                == MBEDTLS_ERR_SSL_WANT_READ);

exit:
    mbedtls_test_ssl_message_queue_free(&queue);
    USE_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE */
void ssl_message_queue_interleaved()
{
    mbedtls_test_ssl_message_queue queue = SSL_MESSAGE_QUEUE_INIT;

    USE_PSA_INIT();
    TEST_ASSERT(mbedtls_test_ssl_message_queue_setup(&queue, 3) == 0);

    /* Interleaved test - [2 pushes, 1 pop] twice, and then two pops
     * (to wrap around the buffer) */
    TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 1) == 1);
    TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 1) == 1);

    TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 1) == 1);

    TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 2) == 2);
    TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 3) == 3);

    TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 1) == 1);
    TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 2) == 2);

    TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 5) == 5);
    TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 8) == 8);

    TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 3) == 3);

    TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 5) == 5);

    TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 8) == 8);

exit:
    mbedtls_test_ssl_message_queue_free(&queue);
    USE_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE */
void ssl_message_queue_insufficient_buffer()
{
    mbedtls_test_ssl_message_queue queue = SSL_MESSAGE_QUEUE_INIT;
    size_t message_len = 10;
    size_t buffer_len = 5;

    USE_PSA_INIT();
    TEST_ASSERT(mbedtls_test_ssl_message_queue_setup(&queue, 1) == 0);

    /* Popping without a sufficient buffer */
    TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, message_len)
                == (int) message_len);
    TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, buffer_len)
                == (int) buffer_len);
exit:
    mbedtls_test_ssl_message_queue_free(&queue);
    USE_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE */
void ssl_message_mock_uninitialized()
{
    enum { MSGLEN = 10 };
    unsigned char message[MSGLEN] = { 0 }, received[MSGLEN];
    mbedtls_test_mock_socket client, server;
    mbedtls_test_ssl_message_queue server_queue, client_queue;
    mbedtls_test_message_socket_context server_context, client_context;
    mbedtls_test_message_socket_init(&server_context);
    mbedtls_test_message_socket_init(&client_context);

    USE_PSA_INIT();
    /* Send with a NULL context */
    TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(NULL, message, MSGLEN)
                == MBEDTLS_TEST_ERROR_CONTEXT_ERROR);

    TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(NULL, message, MSGLEN)
                == MBEDTLS_TEST_ERROR_CONTEXT_ERROR);

    TEST_ASSERT(mbedtls_test_message_socket_setup(&server_queue,
                                                  &client_queue, 1,
                                                  &server,
                                                  &server_context) == 0);

    TEST_ASSERT(mbedtls_test_message_socket_setup(&client_queue,
                                                  &server_queue, 1,
                                                  &client,
                                                  &client_context) == 0);

    TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message,
                                               MSGLEN)
                == MBEDTLS_TEST_ERROR_SEND_FAILED);

    TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received,
                                               MSGLEN)
                == MBEDTLS_ERR_SSL_WANT_READ);

    /* Push directly to a queue to later simulate a disconnected behavior */
    TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&server_queue,
                                                         MSGLEN)
                == MSGLEN);

    /* Test if there's an error when trying to read from a disconnected
     * socket */
    TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received,
                                               MSGLEN)
                == MBEDTLS_TEST_ERROR_RECV_FAILED);
exit:
    mbedtls_test_message_socket_close(&server_context);
    mbedtls_test_message_socket_close(&client_context);
    USE_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE */
void ssl_message_mock_basic()
{
    enum { MSGLEN = 10 };
    unsigned char message[MSGLEN], received[MSGLEN];
    mbedtls_test_mock_socket client, server;
    unsigned i;
    mbedtls_test_ssl_message_queue server_queue, client_queue;
    mbedtls_test_message_socket_context server_context, client_context;

    mbedtls_test_message_socket_init(&server_context);
    mbedtls_test_message_socket_init(&client_context);
    USE_PSA_INIT();

    TEST_ASSERT(mbedtls_test_message_socket_setup(&server_queue,
                                                  &client_queue, 1,
                                                  &server,
                                                  &server_context) == 0);

    TEST_ASSERT(mbedtls_test_message_socket_setup(&client_queue,
                                                  &server_queue, 1,
                                                  &client,
                                                  &client_context) == 0);

    /* Fill up the buffer with structured data so that unwanted changes
     * can be detected */
    for (i = 0; i < MSGLEN; i++) {
        message[i] = i & 0xFF;
    }
    TEST_ASSERT(0 == mbedtls_test_mock_socket_connect(&client, &server,
                                                      MSGLEN));

    /* Send the message to the server */
    TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message,
                                               MSGLEN) == MSGLEN);

    /* Read from the server */
    TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received,
                                               MSGLEN)
                == MSGLEN);

    TEST_ASSERT(memcmp(message, received, MSGLEN) == 0);
    memset(received, 0, MSGLEN);

    /* Send the message to the client */
    TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&server_context, message,
                                               MSGLEN)
                == MSGLEN);

    /* Read from the client */
    TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&client_context, received,
                                               MSGLEN)
                == MSGLEN);
    TEST_ASSERT(memcmp(message, received, MSGLEN) == 0);

exit:
    mbedtls_test_message_socket_close(&server_context);
    mbedtls_test_message_socket_close(&client_context);
    USE_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE */
void ssl_message_mock_queue_overflow_underflow()
{
    enum { MSGLEN = 10 };
    unsigned char message[MSGLEN], received[MSGLEN];
    mbedtls_test_mock_socket client, server;
    unsigned i;
    mbedtls_test_ssl_message_queue server_queue, client_queue;
    mbedtls_test_message_socket_context server_context, client_context;

    mbedtls_test_message_socket_init(&server_context);
    mbedtls_test_message_socket_init(&client_context);
    USE_PSA_INIT();

    TEST_ASSERT(mbedtls_test_message_socket_setup(&server_queue,
                                                  &client_queue, 2,
                                                  &server,
                                                  &server_context) == 0);

    TEST_ASSERT(mbedtls_test_message_socket_setup(&client_queue,
                                                  &server_queue, 2,
                                                  &client,
                                                  &client_context) == 0);

    /* Fill up the buffer with structured data so that unwanted changes
     * can be detected */
    for (i = 0; i < MSGLEN; i++) {
        message[i] = i & 0xFF;
    }
    TEST_ASSERT(0 == mbedtls_test_mock_socket_connect(&client, &server,
                                                      MSGLEN*2));

    /* Send three message to the server, last one with an error */
    TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message,
                                               MSGLEN - 1)
                == MSGLEN - 1);

    TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message,
                                               MSGLEN)
                == MSGLEN);

    TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message,
                                               MSGLEN)
                == MBEDTLS_ERR_SSL_WANT_WRITE);

    /* Read three messages from the server, last one with an error */
    TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received,
                                               MSGLEN - 1)
                == MSGLEN - 1);

    TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received,
                                               MSGLEN)
                == MSGLEN);

    TEST_ASSERT(memcmp(message, received, MSGLEN) == 0);

    TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received,
                                               MSGLEN)
                == MBEDTLS_ERR_SSL_WANT_READ);

exit:
    mbedtls_test_message_socket_close(&server_context);
    mbedtls_test_message_socket_close(&client_context);
    USE_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE */
void ssl_message_mock_socket_overflow()
{
    enum { MSGLEN = 10 };
    unsigned char message[MSGLEN], received[MSGLEN];
    mbedtls_test_mock_socket client, server;
    unsigned i;
    mbedtls_test_ssl_message_queue server_queue, client_queue;
    mbedtls_test_message_socket_context server_context, client_context;

    mbedtls_test_message_socket_init(&server_context);
    mbedtls_test_message_socket_init(&client_context);
    USE_PSA_INIT();

    TEST_ASSERT(mbedtls_test_message_socket_setup(&server_queue,
                                                  &client_queue, 2,
                                                  &server,
                                                  &server_context) == 0);

    TEST_ASSERT(mbedtls_test_message_socket_setup(&client_queue,
                                                  &server_queue, 2,
                                                  &client,
                                                  &client_context) == 0);

    /* Fill up the buffer with structured data so that unwanted changes
     * can be detected */
    for (i = 0; i < MSGLEN; i++) {
        message[i] = i & 0xFF;
    }
    TEST_ASSERT(0 == mbedtls_test_mock_socket_connect(&client, &server,
                                                      MSGLEN));

    /* Send two message to the server, second one with an error */
    TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message,
                                               MSGLEN)
                == MSGLEN);

    TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message,
                                               MSGLEN)
                == MBEDTLS_TEST_ERROR_SEND_FAILED);

    /* Read the only message from the server */
    TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received,
                                               MSGLEN)
                == MSGLEN);

    TEST_ASSERT(memcmp(message, received, MSGLEN) == 0);

exit:
    mbedtls_test_message_socket_close(&server_context);
    mbedtls_test_message_socket_close(&client_context);
    USE_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE */
void ssl_message_mock_truncated()
{
    enum { MSGLEN = 10 };
    unsigned char message[MSGLEN], received[MSGLEN];
    mbedtls_test_mock_socket client, server;
    unsigned i;
    mbedtls_test_ssl_message_queue server_queue, client_queue;
    mbedtls_test_message_socket_context server_context, client_context;

    mbedtls_test_message_socket_init(&server_context);
    mbedtls_test_message_socket_init(&client_context);
    USE_PSA_INIT();

    TEST_ASSERT(mbedtls_test_message_socket_setup(&server_queue,
                                                  &client_queue, 2,
                                                  &server,
                                                  &server_context) == 0);

    TEST_ASSERT(mbedtls_test_message_socket_setup(&client_queue,
                                                  &server_queue, 2,
                                                  &client,
                                                  &client_context) == 0);

    memset(received, 0, MSGLEN);
    /* Fill up the buffer with structured data so that unwanted changes
     * can be detected */
    for (i = 0; i < MSGLEN; i++) {
        message[i] = i & 0xFF;
    }
    TEST_ASSERT(0 == mbedtls_test_mock_socket_connect(&client, &server,
                                                      2 * MSGLEN));

    /* Send two messages to the server, the second one small enough to fit in the
     * receiver's buffer. */
    TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message,
                                               MSGLEN)
                == MSGLEN);
    TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message,
                                               MSGLEN / 2)
                == MSGLEN / 2);
    /* Read a truncated message from the server */
    TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received,
                                               MSGLEN/2)
                == MSGLEN/2);

    /* Test that the first half of the message is valid, and second one isn't */
    TEST_ASSERT(memcmp(message, received, MSGLEN/2) == 0);
    TEST_ASSERT(memcmp(message + MSGLEN/2, received + MSGLEN/2, MSGLEN/2)
                != 0);
    memset(received, 0, MSGLEN);

    /* Read a full message from the server */
    TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received,
                                               MSGLEN/2)
                == MSGLEN / 2);

    /* Test that the first half of the message is valid */
    TEST_ASSERT(memcmp(message, received, MSGLEN/2) == 0);

exit:
    mbedtls_test_message_socket_close(&server_context);
    mbedtls_test_message_socket_close(&client_context);
    USE_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE */
void ssl_message_mock_socket_read_error()
{
    enum { MSGLEN = 10 };
    unsigned char message[MSGLEN], received[MSGLEN];
    mbedtls_test_mock_socket client, server;
    unsigned i;
    mbedtls_test_ssl_message_queue server_queue, client_queue;
    mbedtls_test_message_socket_context server_context, client_context;

    mbedtls_test_message_socket_init(&server_context);
    mbedtls_test_message_socket_init(&client_context);
    USE_PSA_INIT();

    TEST_ASSERT(mbedtls_test_message_socket_setup(&server_queue,
                                                  &client_queue, 1,
                                                  &server,
                                                  &server_context) == 0);

    TEST_ASSERT(mbedtls_test_message_socket_setup(&client_queue,
                                                  &server_queue, 1,
                                                  &client,
                                                  &client_context) == 0);

    /* Fill up the buffer with structured data so that unwanted changes
     * can be detected */
    for (i = 0; i < MSGLEN; i++) {
        message[i] = i & 0xFF;
    }
    TEST_ASSERT(0 == mbedtls_test_mock_socket_connect(&client, &server,
                                                      MSGLEN));

    TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message,
                                               MSGLEN)
                == MSGLEN);

    /* Force a read error by disconnecting the socket by hand */
    server.status = 0;
    TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received,
                                               MSGLEN)
                == MBEDTLS_TEST_ERROR_RECV_FAILED);
    /* Return to a valid state */
    server.status = MBEDTLS_MOCK_SOCKET_CONNECTED;

    memset(received, 0, sizeof(received));

    /* Test that even though the server tried to read once disconnected, the
     * continuity is preserved */
    TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received,
                                               MSGLEN)
                == MSGLEN);

    TEST_ASSERT(memcmp(message, received, MSGLEN) == 0);

exit:
    mbedtls_test_message_socket_close(&server_context);
    mbedtls_test_message_socket_close(&client_context);
    USE_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE */
void ssl_message_mock_interleaved_one_way()
{
    enum { MSGLEN = 10 };
    unsigned char message[MSGLEN], received[MSGLEN];
    mbedtls_test_mock_socket client, server;
    unsigned i;
    mbedtls_test_ssl_message_queue server_queue, client_queue;
    mbedtls_test_message_socket_context server_context, client_context;

    mbedtls_test_message_socket_init(&server_context);
    mbedtls_test_message_socket_init(&client_context);
    USE_PSA_INIT();

    TEST_ASSERT(mbedtls_test_message_socket_setup(&server_queue,
                                                  &client_queue, 3,
                                                  &server,
                                                  &server_context) == 0);

    TEST_ASSERT(mbedtls_test_message_socket_setup(&client_queue,
                                                  &server_queue, 3,
                                                  &client,
                                                  &client_context) == 0);

    /* Fill up the buffer with structured data so that unwanted changes
     * can be detected */
    for (i = 0; i < MSGLEN; i++) {
        message[i] = i & 0xFF;
    }
    TEST_ASSERT(0 == mbedtls_test_mock_socket_connect(&client, &server,
                                                      MSGLEN*3));

    /* Interleaved test - [2 sends, 1 read] twice, and then two reads
     * (to wrap around the buffer) */
    for (i = 0; i < 2; i++) {
        TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message,
                                                   MSGLEN) == MSGLEN);

        TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message,
                                                   MSGLEN) == MSGLEN);

        TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received,
                                                   MSGLEN) == MSGLEN);
        TEST_ASSERT(memcmp(message, received, MSGLEN) == 0);
        memset(received, 0, sizeof(received));
    }

    for (i = 0; i < 2; i++) {
        TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received,
                                                   MSGLEN) == MSGLEN);

        TEST_ASSERT(memcmp(message, received, MSGLEN) == 0);
    }
    TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received,
                                               MSGLEN)
                == MBEDTLS_ERR_SSL_WANT_READ);
exit:
    mbedtls_test_message_socket_close(&server_context);
    mbedtls_test_message_socket_close(&client_context);
    USE_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE */
void ssl_message_mock_interleaved_two_ways()
{
    enum { MSGLEN = 10 };
    unsigned char message[MSGLEN], received[MSGLEN];
    mbedtls_test_mock_socket client, server;
    unsigned i;
    mbedtls_test_ssl_message_queue server_queue, client_queue;
    mbedtls_test_message_socket_context server_context, client_context;

    mbedtls_test_message_socket_init(&server_context);
    mbedtls_test_message_socket_init(&client_context);
    USE_PSA_INIT();

    TEST_ASSERT(mbedtls_test_message_socket_setup(&server_queue,
                                                  &client_queue, 3,
                                                  &server,
                                                  &server_context) == 0);

    TEST_ASSERT(mbedtls_test_message_socket_setup(&client_queue,
                                                  &server_queue, 3,
                                                  &client,
                                                  &client_context) == 0);

    /* Fill up the buffer with structured data so that unwanted changes
     * can be detected */
    for (i = 0; i < MSGLEN; i++) {
        message[i] = i & 0xFF;
    }
    TEST_ASSERT(0 == mbedtls_test_mock_socket_connect(&client, &server,
                                                      MSGLEN*3));

    /* Interleaved test - [2 sends, 1 read] twice, both ways, and then two reads
     * (to wrap around the buffer) both ways. */
    for (i = 0; i < 2; i++) {
        TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message,
                                                   MSGLEN) == MSGLEN);

        TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message,
                                                   MSGLEN) == MSGLEN);

        TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&server_context, message,
                                                   MSGLEN) == MSGLEN);

        TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&server_context, message,
                                                   MSGLEN) == MSGLEN);

        TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received,
                                                   MSGLEN) == MSGLEN);

        TEST_ASSERT(memcmp(message, received, MSGLEN) == 0);

        memset(received, 0, sizeof(received));

        TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&client_context, received,
                                                   MSGLEN) == MSGLEN);

        TEST_ASSERT(memcmp(message, received, MSGLEN) == 0);

        memset(received, 0, sizeof(received));
    }

    for (i = 0; i < 2; i++) {
        TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received,
                                                   MSGLEN) == MSGLEN);

        TEST_ASSERT(memcmp(message, received, MSGLEN) == 0);
        memset(received, 0, sizeof(received));

        TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&client_context, received,
                                                   MSGLEN) == MSGLEN);

        TEST_ASSERT(memcmp(message, received, MSGLEN) == 0);
        memset(received, 0, sizeof(received));
    }

    TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received,
                                               MSGLEN)
                == MBEDTLS_ERR_SSL_WANT_READ);

    TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&client_context, received,
                                               MSGLEN)
                == MBEDTLS_ERR_SSL_WANT_READ);
exit:
    mbedtls_test_message_socket_close(&server_context);
    mbedtls_test_message_socket_close(&client_context);
    USE_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_SSL_DTLS_ANTI_REPLAY */
void ssl_dtls_replay(data_t *prevs, data_t *new, int ret)
{
    uint32_t len = 0;
    mbedtls_ssl_context ssl;
    mbedtls_ssl_config conf;

    mbedtls_ssl_init(&ssl);
    mbedtls_ssl_config_init(&conf);
    MD_OR_USE_PSA_INIT();

    TEST_ASSERT(mbedtls_ssl_config_defaults(&conf,
                                            MBEDTLS_SSL_IS_CLIENT,
                                            MBEDTLS_SSL_TRANSPORT_DATAGRAM,
                                            MBEDTLS_SSL_PRESET_DEFAULT) == 0);

    TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0);

    /* Read previous record numbers */
    for (len = 0; len < prevs->len; len += 6) {
        memcpy(ssl.in_ctr + 2, prevs->x + len, 6);
        mbedtls_ssl_dtls_replay_update(&ssl);
    }

    /* Check new number */
    memcpy(ssl.in_ctr + 2, new->x, 6);
    TEST_ASSERT(mbedtls_ssl_dtls_replay_check(&ssl) == ret);

exit:
    mbedtls_ssl_free(&ssl);
    mbedtls_ssl_config_free(&conf);
    MD_OR_USE_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
void ssl_set_hostname_twice(char *input_hostname0, char *input_hostname1)
{
    const char *output_hostname;
    mbedtls_ssl_context ssl;

    mbedtls_ssl_init(&ssl);
    USE_PSA_INIT();

    TEST_ASSERT(mbedtls_ssl_set_hostname(&ssl, input_hostname0) == 0);
    output_hostname = mbedtls_ssl_get_hostname(&ssl);
    TEST_ASSERT(strcmp(input_hostname0, output_hostname) == 0);

    TEST_ASSERT(mbedtls_ssl_set_hostname(&ssl, input_hostname1) == 0);
    output_hostname = mbedtls_ssl_get_hostname(&ssl);
    TEST_ASSERT(strcmp(input_hostname1, output_hostname) == 0);

exit:
    mbedtls_ssl_free(&ssl);
    USE_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE */
void ssl_crypt_record(int cipher_type, int hash_id,
                      int etm, int tag_mode, int ver,
                      int cid0_len, int cid1_len)
{
    /*
     * Test several record encryptions and decryptions
     * with plenty of space before and after the data
     * within the record buffer.
     */

    int ret;
    int num_records = 16;
    mbedtls_ssl_context ssl; /* ONLY for debugging */

    mbedtls_ssl_transform t0, t1;
    unsigned char *buf = NULL;
    size_t const buflen = 512;
    mbedtls_record rec, rec_backup;

    mbedtls_ssl_init(&ssl);
    mbedtls_ssl_transform_init(&t0);
    mbedtls_ssl_transform_init(&t1);
    MD_OR_USE_PSA_INIT();

    ret = mbedtls_test_ssl_build_transforms(&t0, &t1, cipher_type, hash_id,
                                            etm, tag_mode, ver,
                                            (size_t) cid0_len,
                                            (size_t) cid1_len);

    TEST_ASSERT(ret == 0);

    TEST_CALLOC(buf, buflen);

    while (num_records-- > 0) {
        mbedtls_ssl_transform *t_dec, *t_enc;
        /* Take turns in who's sending and who's receiving. */
        if (num_records % 3 == 0) {
            t_dec = &t0;
            t_enc = &t1;
        } else {
            t_dec = &t1;
            t_enc = &t0;
        }

        /*
         * The record header affects the transformation in two ways:
         * 1) It determines the AEAD additional data
         * 2) The record counter sometimes determines the IV.
         *
         * Apart from that, the fields don't have influence.
         * In particular, it is currently not the responsibility
         * of ssl_encrypt/decrypt_buf to check if the transform
         * version matches the record version, or that the
         * type is sensible.
         */

        memset(rec.ctr, num_records, sizeof(rec.ctr));
        rec.type    = 42;
        rec.ver[0]  = num_records;
        rec.ver[1]  = num_records;
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
        rec.cid_len = 0;
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */

        rec.buf     = buf;
        rec.buf_len = buflen;
        rec.data_offset = 16;
        /* Make sure to vary the length to exercise different
         * paddings. */
        rec.data_len = 1 + num_records;

        memset(rec.buf + rec.data_offset, 42, rec.data_len);

        /* Make a copy for later comparison */
        rec_backup = rec;

        /* Encrypt record */
        ret = mbedtls_ssl_encrypt_buf(&ssl, t_enc, &rec);
        TEST_ASSERT(ret == 0 || ret == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL);
        if (ret != 0) {
            continue;
        }

#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
        if (rec.cid_len != 0) {
            /* DTLS 1.2 + CID hides the real content type and
             * uses a special CID content type in the protected
             * record. Double-check this. */
            TEST_ASSERT(rec.type == MBEDTLS_SSL_MSG_CID);
        }
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */

#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
        if (t_enc->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
            /* TLS 1.3 hides the real content type and
             * always uses Application Data as the content type
             * for protected records. Double-check this. */
            TEST_ASSERT(rec.type == MBEDTLS_SSL_MSG_APPLICATION_DATA);
        }
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */

        /* Decrypt record with t_dec */
        ret = mbedtls_ssl_decrypt_buf(&ssl, t_dec, &rec);
        TEST_ASSERT(ret == 0);

        /* Compare results */
        TEST_ASSERT(rec.type == rec_backup.type);
        TEST_ASSERT(memcmp(rec.ctr, rec_backup.ctr, 8) == 0);
        TEST_ASSERT(rec.ver[0] == rec_backup.ver[0]);
        TEST_ASSERT(rec.ver[1] == rec_backup.ver[1]);
        TEST_ASSERT(rec.data_len == rec_backup.data_len);
        TEST_ASSERT(rec.data_offset == rec_backup.data_offset);
        TEST_ASSERT(memcmp(rec.buf + rec.data_offset,
                           rec_backup.buf + rec_backup.data_offset,
                           rec.data_len) == 0);
    }

exit:

    /* Cleanup */
    mbedtls_ssl_free(&ssl);
    mbedtls_ssl_transform_free(&t0);
    mbedtls_ssl_transform_free(&t1);

    mbedtls_free(buf);
    MD_OR_USE_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE */
void ssl_crypt_record_small(int cipher_type, int hash_id,
                            int etm, int tag_mode, int ver,
                            int cid0_len, int cid1_len)
{
    /*
     * Test pairs of encryption and decryption with an increasing
     * amount of space in the record buffer - in more detail:
     * 1) Try to encrypt with 0, 1, 2, ... bytes available
     *    in front of the plaintext, and expect the encryption
     *    to succeed starting from some offset. Always keep
     *    enough space in the end of the buffer.
     * 2) Try to encrypt with 0, 1, 2, ... bytes available
     *    at the end of the plaintext, and expect the encryption
     *    to succeed starting from some offset. Always keep
     *    enough space at the beginning of the buffer.
     * 3) Try to encrypt with 0, 1, 2, ... bytes available
     *    both at the front and end of the plaintext,
     *    and expect the encryption to succeed starting from
     *    some offset.
     *
     * If encryption succeeds, check that decryption succeeds
     * and yields the original record.
     */

    mbedtls_ssl_context ssl; /* ONLY for debugging */

    mbedtls_ssl_transform t0, t1;
    unsigned char *buf = NULL;
    size_t const buflen = 256;
    mbedtls_record rec, rec_backup;

    int ret;
    int mode;              /* Mode 1, 2 or 3 as explained above     */
    size_t offset;         /* Available space at beginning/end/both */
    size_t threshold = 96; /* Maximum offset to test against        */

    size_t default_pre_padding  = 64;  /* Pre-padding to use in mode 2  */
    size_t default_post_padding = 128; /* Post-padding to use in mode 1 */

    int seen_success; /* Indicates if in the current mode we've
                       * already seen a successful test. */

    mbedtls_ssl_init(&ssl);
    mbedtls_ssl_transform_init(&t0);
    mbedtls_ssl_transform_init(&t1);
    MD_OR_USE_PSA_INIT();

    ret = mbedtls_test_ssl_build_transforms(&t0, &t1, cipher_type, hash_id,
                                            etm, tag_mode, ver,
                                            (size_t) cid0_len,
                                            (size_t) cid1_len);

    TEST_ASSERT(ret == 0);

    TEST_CALLOC(buf, buflen);

    for (mode = 1; mode <= 3; mode++) {
        seen_success = 0;
        for (offset = 0; offset <= threshold; offset++) {
            mbedtls_ssl_transform *t_dec, *t_enc;
            t_dec = &t0;
            t_enc = &t1;

            memset(rec.ctr, offset, sizeof(rec.ctr));
            rec.type    = 42;
            rec.ver[0]  = offset;
            rec.ver[1]  = offset;
            rec.buf     = buf;
            rec.buf_len = buflen;
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
            rec.cid_len = 0;
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */

            switch (mode) {
                case 1: /* Space in the beginning */
                    rec.data_offset = offset;
                    rec.data_len = buflen - offset - default_post_padding;
                    break;

                case 2: /* Space in the end */
                    rec.data_offset = default_pre_padding;
                    rec.data_len = buflen - default_pre_padding - offset;
                    break;

                case 3: /* Space in the beginning and end */
                    rec.data_offset = offset;
                    rec.data_len = buflen - 2 * offset;
                    break;

                default:
                    TEST_ASSERT(0);
                    break;
            }

            memset(rec.buf + rec.data_offset, 42, rec.data_len);

            /* Make a copy for later comparison */
            rec_backup = rec;

            /* Encrypt record */
            ret = mbedtls_ssl_encrypt_buf(&ssl, t_enc, &rec);

            if (ret == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) {
                /* It's ok if the output buffer is too small. We do insist
                 * on at least one mode succeeding; this is tracked by
                 * seen_success. */
                continue;
            }

            TEST_EQUAL(ret, 0);
            seen_success = 1;

#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
            if (rec.cid_len != 0) {
                /* DTLS 1.2 + CID hides the real content type and
                 * uses a special CID content type in the protected
                 * record. Double-check this. */
                TEST_ASSERT(rec.type == MBEDTLS_SSL_MSG_CID);
            }
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */

#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
            if (t_enc->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
                /* TLS 1.3 hides the real content type and
                 * always uses Application Data as the content type
                 * for protected records. Double-check this. */
                TEST_ASSERT(rec.type == MBEDTLS_SSL_MSG_APPLICATION_DATA);
            }
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */

            /* Decrypt record with t_dec */
            TEST_ASSERT(mbedtls_ssl_decrypt_buf(&ssl, t_dec, &rec) == 0);

            /* Compare results */
            TEST_ASSERT(rec.type == rec_backup.type);
            TEST_ASSERT(memcmp(rec.ctr, rec_backup.ctr, 8) == 0);
            TEST_ASSERT(rec.ver[0] == rec_backup.ver[0]);
            TEST_ASSERT(rec.ver[1] == rec_backup.ver[1]);
            TEST_ASSERT(rec.data_len == rec_backup.data_len);
            TEST_ASSERT(rec.data_offset == rec_backup.data_offset);
            TEST_ASSERT(memcmp(rec.buf + rec.data_offset,
                               rec_backup.buf + rec_backup.data_offset,
                               rec.data_len) == 0);
        }

        TEST_ASSERT(seen_success == 1);
    }

exit:

    /* Cleanup */
    mbedtls_ssl_free(&ssl);
    mbedtls_ssl_transform_free(&t0);
    mbedtls_ssl_transform_free(&t1);

    mbedtls_free(buf);
    MD_OR_USE_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */
void ssl_tls13_hkdf_expand_label(int hash_alg,
                                 data_t *secret,
                                 int label_idx,
                                 data_t *ctx,
                                 int desired_length,
                                 data_t *expected)
{
    unsigned char dst[100];

    unsigned char const *lbl = NULL;
    size_t lbl_len;
#define MBEDTLS_SSL_TLS1_3_LABEL(name, string)                       \
    if (label_idx == (int) tls13_label_ ## name)                      \
    {                                                                  \
        lbl = mbedtls_ssl_tls13_labels.name;                           \
        lbl_len = sizeof(mbedtls_ssl_tls13_labels.name);             \
    }
    MBEDTLS_SSL_TLS1_3_LABEL_LIST
#undef MBEDTLS_SSL_TLS1_3_LABEL
    TEST_ASSERT(lbl != NULL);

    /* Check sanity of test parameters. */
    TEST_ASSERT((size_t) desired_length <= sizeof(dst));
    TEST_ASSERT((size_t) desired_length == expected->len);

    PSA_INIT();

    TEST_ASSERT(mbedtls_ssl_tls13_hkdf_expand_label(
                    (psa_algorithm_t) hash_alg,
                    secret->x, secret->len,
                    lbl, lbl_len,
                    ctx->x, ctx->len,
                    dst, desired_length) == 0);

    TEST_MEMORY_COMPARE(dst, (size_t) desired_length,
                        expected->x, (size_t) expected->len);

exit:
    PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */
void ssl_tls13_traffic_key_generation(int hash_alg,
                                      data_t *server_secret,
                                      data_t *client_secret,
                                      int desired_iv_len,
                                      int desired_key_len,
                                      data_t *expected_server_write_key,
                                      data_t *expected_server_write_iv,
                                      data_t *expected_client_write_key,
                                      data_t *expected_client_write_iv)
{
    mbedtls_ssl_key_set keys;

    /* Check sanity of test parameters. */
    TEST_ASSERT(client_secret->len == server_secret->len);
    TEST_ASSERT(
        expected_client_write_iv->len == expected_server_write_iv->len &&
        expected_client_write_iv->len == (size_t) desired_iv_len);
    TEST_ASSERT(
        expected_client_write_key->len == expected_server_write_key->len &&
        expected_client_write_key->len == (size_t) desired_key_len);

    PSA_INIT();

    TEST_ASSERT(mbedtls_ssl_tls13_make_traffic_keys(
                    (psa_algorithm_t) hash_alg,
                    client_secret->x,
                    server_secret->x,
                    client_secret->len /* == server_secret->len */,
                    desired_key_len, desired_iv_len,
                    &keys) == 0);

    TEST_MEMORY_COMPARE(keys.client_write_key,
                        keys.key_len,
                        expected_client_write_key->x,
                        (size_t) desired_key_len);
    TEST_MEMORY_COMPARE(keys.server_write_key,
                        keys.key_len,
                        expected_server_write_key->x,
                        (size_t) desired_key_len);
    TEST_MEMORY_COMPARE(keys.client_write_iv,
                        keys.iv_len,
                        expected_client_write_iv->x,
                        (size_t) desired_iv_len);
    TEST_MEMORY_COMPARE(keys.server_write_iv,
                        keys.iv_len,
                        expected_server_write_iv->x,
                        (size_t) desired_iv_len);

exit:
    PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */
void ssl_tls13_derive_secret(int hash_alg,
                             data_t *secret,
                             int label_idx,
                             data_t *ctx,
                             int desired_length,
                             int already_hashed,
                             data_t *expected)
{
    unsigned char dst[100];

    unsigned char const *lbl = NULL;
    size_t lbl_len;
#define MBEDTLS_SSL_TLS1_3_LABEL(name, string)                         \
    if (label_idx == (int) tls13_label_ ## name)                       \
    {                                                                  \
        lbl = mbedtls_ssl_tls13_labels.name;                           \
        lbl_len = sizeof(mbedtls_ssl_tls13_labels.name);               \
    }
    MBEDTLS_SSL_TLS1_3_LABEL_LIST
#undef MBEDTLS_SSL_TLS1_3_LABEL
    TEST_ASSERT(lbl != NULL);

    /* Check sanity of test parameters. */
    TEST_ASSERT((size_t) desired_length <= sizeof(dst));
    TEST_ASSERT((size_t) desired_length == expected->len);

    PSA_INIT();

    TEST_ASSERT(mbedtls_ssl_tls13_derive_secret(
                    (psa_algorithm_t) hash_alg,
                    secret->x, secret->len,
                    lbl, lbl_len,
                    ctx->x, ctx->len,
                    already_hashed,
                    dst, desired_length) == 0);

    TEST_MEMORY_COMPARE(dst, desired_length,
                        expected->x, desired_length);

exit:
    PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */
void ssl_tls13_derive_early_secrets(int hash_alg,
                                    data_t *secret,
                                    data_t *transcript,
                                    data_t *traffic_expected,
                                    data_t *exporter_expected)
{
    mbedtls_ssl_tls13_early_secrets secrets;

    /* Double-check that we've passed sane parameters. */
    psa_algorithm_t alg = (psa_algorithm_t) hash_alg;
    size_t const hash_len = PSA_HASH_LENGTH(alg);
    TEST_ASSERT(PSA_ALG_IS_HASH(alg)               &&
                secret->len == hash_len            &&
                transcript->len == hash_len        &&
                traffic_expected->len == hash_len  &&
                exporter_expected->len == hash_len);

    PSA_INIT();

    TEST_ASSERT(mbedtls_ssl_tls13_derive_early_secrets(
                    alg, secret->x, transcript->x, transcript->len,
                    &secrets) == 0);

    TEST_MEMORY_COMPARE(secrets.client_early_traffic_secret, hash_len,
                        traffic_expected->x, traffic_expected->len);
    TEST_MEMORY_COMPARE(secrets.early_exporter_master_secret, hash_len,
                        exporter_expected->x, exporter_expected->len);

exit:
    PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */
void ssl_tls13_derive_handshake_secrets(int hash_alg,
                                        data_t *secret,
                                        data_t *transcript,
                                        data_t *client_expected,
                                        data_t *server_expected)
{
    mbedtls_ssl_tls13_handshake_secrets secrets;

    /* Double-check that we've passed sane parameters. */
    psa_algorithm_t alg = (psa_algorithm_t) hash_alg;
    size_t const hash_len = PSA_HASH_LENGTH(alg);
    TEST_ASSERT(PSA_ALG_IS_HASH(alg)              &&
                secret->len == hash_len           &&
                transcript->len == hash_len       &&
                client_expected->len == hash_len  &&
                server_expected->len == hash_len);

    PSA_INIT();

    TEST_ASSERT(mbedtls_ssl_tls13_derive_handshake_secrets(
                    alg, secret->x, transcript->x, transcript->len,
                    &secrets) == 0);

    TEST_MEMORY_COMPARE(secrets.client_handshake_traffic_secret, hash_len,
                        client_expected->x, client_expected->len);
    TEST_MEMORY_COMPARE(secrets.server_handshake_traffic_secret, hash_len,
                        server_expected->x, server_expected->len);

exit:
    PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */
void ssl_tls13_derive_application_secrets(int hash_alg,
                                          data_t *secret,
                                          data_t *transcript,
                                          data_t *client_expected,
                                          data_t *server_expected,
                                          data_t *exporter_expected)
{
    mbedtls_ssl_tls13_application_secrets secrets;

    /* Double-check that we've passed sane parameters. */
    psa_algorithm_t alg = (psa_algorithm_t) hash_alg;
    size_t const hash_len = PSA_HASH_LENGTH(alg);
    TEST_ASSERT(PSA_ALG_IS_HASH(alg)              &&
                secret->len == hash_len           &&
                transcript->len == hash_len       &&
                client_expected->len == hash_len  &&
                server_expected->len == hash_len  &&
                exporter_expected->len == hash_len);

    PSA_INIT();

    TEST_ASSERT(mbedtls_ssl_tls13_derive_application_secrets(
                    alg, secret->x, transcript->x, transcript->len,
                    &secrets) == 0);

    TEST_MEMORY_COMPARE(secrets.client_application_traffic_secret_N, hash_len,
                        client_expected->x, client_expected->len);
    TEST_MEMORY_COMPARE(secrets.server_application_traffic_secret_N, hash_len,
                        server_expected->x, server_expected->len);
    TEST_MEMORY_COMPARE(secrets.exporter_master_secret, hash_len,
                        exporter_expected->x, exporter_expected->len);

exit:
    PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */
void ssl_tls13_derive_resumption_secrets(int hash_alg,
                                         data_t *secret,
                                         data_t *transcript,
                                         data_t *resumption_expected)
{
    mbedtls_ssl_tls13_application_secrets secrets;

    /* Double-check that we've passed sane parameters. */
    psa_algorithm_t alg = (psa_algorithm_t) hash_alg;
    size_t const hash_len = PSA_HASH_LENGTH(alg);
    TEST_ASSERT(PSA_ALG_IS_HASH(alg)                &&
                secret->len == hash_len             &&
                transcript->len == hash_len         &&
                resumption_expected->len == hash_len);

    PSA_INIT();

    TEST_ASSERT(mbedtls_ssl_tls13_derive_resumption_master_secret(
                    alg, secret->x, transcript->x, transcript->len,
                    &secrets) == 0);

    TEST_MEMORY_COMPARE(secrets.resumption_master_secret, hash_len,
                        resumption_expected->x, resumption_expected->len);

exit:
    PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */
void ssl_tls13_create_psk_binder(int hash_alg,
                                 data_t *psk,
                                 int psk_type,
                                 data_t *transcript,
                                 data_t *binder_expected)
{
    unsigned char binder[MBEDTLS_MD_MAX_SIZE];

    /* Double-check that we've passed sane parameters. */
    psa_algorithm_t alg = (psa_algorithm_t) hash_alg;
    size_t const hash_len = PSA_HASH_LENGTH(alg);
    TEST_ASSERT(PSA_ALG_IS_HASH(alg)            &&
                transcript->len == hash_len     &&
                binder_expected->len == hash_len);

    PSA_INIT();

    TEST_ASSERT(mbedtls_ssl_tls13_create_psk_binder(
                    NULL,  /* SSL context for debugging only */
                    alg,
                    psk->x, psk->len,
                    psk_type,
                    transcript->x,
                    binder) == 0);

    TEST_MEMORY_COMPARE(binder, hash_len,
                        binder_expected->x, binder_expected->len);

exit:
    PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */
void ssl_tls13_record_protection(int ciphersuite,
                                 int endpoint,
                                 int ctr,
                                 int padding_used,
                                 data_t *server_write_key,
                                 data_t *server_write_iv,
                                 data_t *client_write_key,
                                 data_t *client_write_iv,
                                 data_t *plaintext,
                                 data_t *ciphertext)
{
    mbedtls_ssl_key_set keys;
    mbedtls_ssl_transform transform_send;
    mbedtls_ssl_transform_init(&transform_send);
    mbedtls_ssl_transform transform_recv;
    mbedtls_ssl_transform_init(&transform_recv);
    mbedtls_record rec;
    unsigned char *buf = NULL;
    size_t buf_len;
    int other_endpoint;

    TEST_ASSERT(endpoint == MBEDTLS_SSL_IS_CLIENT ||
                endpoint == MBEDTLS_SSL_IS_SERVER);

    if (endpoint == MBEDTLS_SSL_IS_SERVER) {
        other_endpoint = MBEDTLS_SSL_IS_CLIENT;
    }
    if (endpoint == MBEDTLS_SSL_IS_CLIENT) {
        other_endpoint = MBEDTLS_SSL_IS_SERVER;
    }

    TEST_ASSERT(server_write_key->len == client_write_key->len);
    TEST_ASSERT(server_write_iv->len  == client_write_iv->len);

    memcpy(keys.client_write_key,
           client_write_key->x, client_write_key->len);
    memcpy(keys.client_write_iv,
           client_write_iv->x, client_write_iv->len);
    memcpy(keys.server_write_key,
           server_write_key->x, server_write_key->len);
    memcpy(keys.server_write_iv,
           server_write_iv->x, server_write_iv->len);

    keys.key_len = server_write_key->len;
    keys.iv_len  = server_write_iv->len;

    MD_OR_USE_PSA_INIT();

    TEST_ASSERT(mbedtls_ssl_tls13_populate_transform(
                    &transform_send, endpoint,
                    ciphersuite, &keys, NULL) == 0);
    TEST_ASSERT(mbedtls_ssl_tls13_populate_transform(
                    &transform_recv, other_endpoint,
                    ciphersuite, &keys, NULL) == 0);

    /* Make sure we have enough space in the buffer even if
     * we use more padding than the KAT. */
    buf_len = ciphertext->len + MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY;
    TEST_CALLOC(buf, buf_len);
    rec.type   = MBEDTLS_SSL_MSG_APPLICATION_DATA;

    /* TLS 1.3 uses the version identifier from TLS 1.2 on the wire. */
    mbedtls_ssl_write_version(rec.ver,
                              MBEDTLS_SSL_TRANSPORT_STREAM,
                              MBEDTLS_SSL_VERSION_TLS1_2);

    /* Copy plaintext into record structure */
    rec.buf = buf;
    rec.buf_len = buf_len;
    rec.data_offset = 0;
    TEST_ASSERT(plaintext->len <= ciphertext->len);
    memcpy(rec.buf + rec.data_offset, plaintext->x, plaintext->len);
    rec.data_len = plaintext->len;
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
    rec.cid_len = 0;
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */

    memset(&rec.ctr[0], 0, 8);
    rec.ctr[7] = ctr;

    TEST_ASSERT(mbedtls_ssl_encrypt_buf(NULL, &transform_send, &rec) == 0);

    if (padding_used == MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) {
        TEST_MEMORY_COMPARE(rec.buf + rec.data_offset, rec.data_len,
                            ciphertext->x, ciphertext->len);
    }

    TEST_ASSERT(mbedtls_ssl_decrypt_buf(NULL, &transform_recv, &rec) == 0);
    TEST_MEMORY_COMPARE(rec.buf + rec.data_offset, rec.data_len,
                        plaintext->x, plaintext->len);

exit:
    mbedtls_free(buf);
    mbedtls_ssl_transform_free(&transform_send);
    mbedtls_ssl_transform_free(&transform_recv);
    MD_OR_USE_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */
void ssl_tls13_key_evolution(int hash_alg,
                             data_t *secret,
                             data_t *input,
                             data_t *expected)
{
    unsigned char secret_new[MBEDTLS_MD_MAX_SIZE];

    PSA_INIT();

    TEST_ASSERT(mbedtls_ssl_tls13_evolve_secret(
                    (psa_algorithm_t) hash_alg,
                    secret->len ? secret->x : NULL,
                    input->len ? input->x : NULL, input->len,
                    secret_new) == 0);

    TEST_MEMORY_COMPARE(secret_new, (size_t) expected->len,
                        expected->x, (size_t) expected->len);

exit:
    PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_2 */
void ssl_tls_prf(int type, data_t *secret, data_t *random,
                 char *label, data_t *result_str, int exp_ret)
{
    unsigned char *output;

    output = mbedtls_calloc(1, result_str->len);
    if (output == NULL) {
        goto exit;
    }

    MD_OR_USE_PSA_INIT();

    TEST_ASSERT(mbedtls_ssl_tls_prf(type, secret->x, secret->len,
                                    label, random->x, random->len,
                                    output, result_str->len) == exp_ret);

    if (exp_ret == 0) {
        TEST_ASSERT(mbedtls_test_hexcmp(output, result_str->x,
                                        result_str->len, result_str->len) == 0);
    }
exit:

    mbedtls_free(output);
    MD_OR_USE_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE */
void ssl_serialize_session_save_load(int ticket_len, char *crt_file,
                                     int endpoint_type, int tls_version)
{
    mbedtls_ssl_session original, restored;
    unsigned char *buf = NULL;
    size_t len;

    /*
     * Test that a save-load pair is the identity
     */
    mbedtls_ssl_session_init(&original);
    mbedtls_ssl_session_init(&restored);
    USE_PSA_INIT();

    /* Prepare a dummy session to work on */
    ((void) tls_version);
    ((void) ticket_len);
    ((void) crt_file);
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
    if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
        TEST_ASSERT(mbedtls_test_ssl_tls13_populate_session(
                        &original, 0, endpoint_type) == 0);
    }
#endif

#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
    if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
        TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session(
                        &original, ticket_len, endpoint_type, crt_file) == 0);
    }
#endif

    /* Serialize it */
    TEST_ASSERT(mbedtls_ssl_session_save(&original, NULL, 0, &len)
                == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL);
    TEST_CALLOC(buf, len);
    TEST_ASSERT(mbedtls_ssl_session_save(&original, buf, len, &len)
                == 0);

    /* Restore session from serialized data */
    TEST_ASSERT(mbedtls_ssl_session_load(&restored, buf, len) == 0);

    /*
     * Make sure both session structures are identical
     */
#if defined(MBEDTLS_HAVE_TIME)
    if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
        TEST_ASSERT(original.start == restored.start);
    }
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_SRV_C)
    TEST_ASSERT(original.ticket_creation_time == restored.ticket_creation_time);
#endif
#endif /* MBEDTLS_HAVE_TIME */

    TEST_ASSERT(original.tls_version == restored.tls_version);
    TEST_ASSERT(original.endpoint == restored.endpoint);
    TEST_ASSERT(original.ciphersuite == restored.ciphersuite);
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
    if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
        TEST_ASSERT(original.id_len == restored.id_len);
        TEST_ASSERT(memcmp(original.id,
                           restored.id, sizeof(original.id)) == 0);
        TEST_ASSERT(memcmp(original.master,
                           restored.master, sizeof(original.master)) == 0);

#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
        TEST_ASSERT((original.peer_cert == NULL) ==
                    (restored.peer_cert == NULL));
        if (original.peer_cert != NULL) {
            TEST_ASSERT(original.peer_cert->raw.len ==
                        restored.peer_cert->raw.len);
            TEST_ASSERT(memcmp(original.peer_cert->raw.p,
                               restored.peer_cert->raw.p,
                               original.peer_cert->raw.len) == 0);
        }
#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
        TEST_ASSERT(original.peer_cert_digest_type ==
                    restored.peer_cert_digest_type);
        TEST_ASSERT(original.peer_cert_digest_len ==
                    restored.peer_cert_digest_len);
        TEST_ASSERT((original.peer_cert_digest == NULL) ==
                    (restored.peer_cert_digest == NULL));
        if (original.peer_cert_digest != NULL) {
            TEST_ASSERT(memcmp(original.peer_cert_digest,
                               restored.peer_cert_digest,
                               original.peer_cert_digest_len) == 0);
        }
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
        TEST_ASSERT(original.verify_result == restored.verify_result);

#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
        TEST_ASSERT(original.mfl_code == restored.mfl_code);
#endif

#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
        TEST_ASSERT(original.encrypt_then_mac == restored.encrypt_then_mac);
#endif
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
        TEST_ASSERT(original.ticket_len == restored.ticket_len);
        if (original.ticket_len != 0) {
            TEST_ASSERT(original.ticket != NULL);
            TEST_ASSERT(restored.ticket != NULL);
            TEST_ASSERT(memcmp(original.ticket,
                               restored.ticket, original.ticket_len) == 0);
        }
        TEST_ASSERT(original.ticket_lifetime == restored.ticket_lifetime);
#endif
    }
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */

#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
    if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
        TEST_ASSERT(original.ticket_age_add == restored.ticket_age_add);
        TEST_ASSERT(original.ticket_flags == restored.ticket_flags);
        TEST_ASSERT(original.resumption_key_len == restored.resumption_key_len);
        if (original.resumption_key_len != 0) {
            TEST_ASSERT(original.resumption_key != NULL);
            TEST_ASSERT(restored.resumption_key != NULL);
            TEST_ASSERT(memcmp(original.resumption_key,
                               restored.resumption_key,
                               original.resumption_key_len) == 0);
        }
#endif /* MBEDTLS_SSL_SESSION_TICKETS */

#if defined(MBEDTLS_SSL_SRV_C)
        if (endpoint_type == MBEDTLS_SSL_IS_SERVER) {
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
            TEST_ASSERT(original.ticket_alpn != NULL);
            TEST_ASSERT(restored.ticket_alpn != NULL);
            TEST_MEMORY_COMPARE(original.ticket_alpn, strlen(original.ticket_alpn),
                                restored.ticket_alpn, strlen(restored.ticket_alpn));
#endif
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
        }
#endif /* MBEDTLS_SSL_SRV_C */

#if defined(MBEDTLS_SSL_CLI_C)
        if (endpoint_type == MBEDTLS_SSL_IS_CLIENT) {
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
#if defined(MBEDTLS_HAVE_TIME)
            TEST_ASSERT(original.ticket_reception_time == restored.ticket_reception_time);
#endif
            TEST_ASSERT(original.ticket_lifetime == restored.ticket_lifetime);
            TEST_ASSERT(original.ticket_len == restored.ticket_len);
            if (original.ticket_len != 0) {
                TEST_ASSERT(original.ticket != NULL);
                TEST_ASSERT(restored.ticket != NULL);
                TEST_ASSERT(memcmp(original.ticket,
                                   restored.ticket,
                                   original.ticket_len) == 0);
            }
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
            TEST_ASSERT(original.hostname != NULL);
            TEST_ASSERT(restored.hostname != NULL);
            TEST_MEMORY_COMPARE(original.hostname, strlen(original.hostname),
                                restored.hostname, strlen(restored.hostname));
#endif
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
        }
#endif /* MBEDTLS_SSL_CLI_C */
    }
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */

#if defined(MBEDTLS_SSL_EARLY_DATA)
    TEST_ASSERT(
        original.max_early_data_size == restored.max_early_data_size);
#endif

#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
    TEST_ASSERT(original.record_size_limit == restored.record_size_limit);
#endif

exit:
    mbedtls_ssl_session_free(&original);
    mbedtls_ssl_session_free(&restored);
    mbedtls_free(buf);
    USE_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE */
void ssl_serialize_session_load_save(int ticket_len, char *crt_file,
                                     int endpoint_type, int tls_version)
{
    mbedtls_ssl_session session;
    unsigned char *buf1 = NULL, *buf2 = NULL;
    size_t len0, len1, len2;

    /*
     * Test that a load-save pair is the identity
     */
    mbedtls_ssl_session_init(&session);
    USE_PSA_INIT();

    /* Prepare a dummy session to work on */
    ((void) ticket_len);
    ((void) crt_file);

    switch (tls_version) {
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
        case MBEDTLS_SSL_VERSION_TLS1_3:
            TEST_ASSERT(mbedtls_test_ssl_tls13_populate_session(
                            &session, 0, endpoint_type) == 0);
            break;
#endif

#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
        case MBEDTLS_SSL_VERSION_TLS1_2:
            TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session(
                            &session, ticket_len, endpoint_type, crt_file) == 0);
            break;
#endif
        default:
            /* should never happen */
            TEST_ASSERT(0);
            break;
    }

    /* Get desired buffer size for serializing */
    TEST_ASSERT(mbedtls_ssl_session_save(&session, NULL, 0, &len0)
                == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL);

    /* Allocate first buffer */
    buf1 = mbedtls_calloc(1, len0);
    TEST_ASSERT(buf1 != NULL);

    /* Serialize to buffer and free live session */
    TEST_ASSERT(mbedtls_ssl_session_save(&session, buf1, len0, &len1)
                == 0);
    TEST_ASSERT(len0 == len1);
    mbedtls_ssl_session_free(&session);

    /* Restore session from serialized data */
    TEST_ASSERT(mbedtls_ssl_session_load(&session, buf1, len1) == 0);

    /* Allocate second buffer and serialize to it */
    buf2 = mbedtls_calloc(1, len0);
    TEST_ASSERT(buf2 != NULL);
    TEST_ASSERT(mbedtls_ssl_session_save(&session, buf2, len0, &len2)
                == 0);

    /* Make sure both serialized versions are identical */
    TEST_ASSERT(len1 == len2);
    TEST_ASSERT(memcmp(buf1, buf2, len1) == 0);

exit:
    mbedtls_ssl_session_free(&session);
    mbedtls_free(buf1);
    mbedtls_free(buf2);
    USE_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE */
void ssl_serialize_session_save_buf_size(int ticket_len, char *crt_file,
                                         int endpoint_type, int tls_version)
{
    mbedtls_ssl_session session;
    unsigned char *buf = NULL;
    size_t good_len, bad_len, test_len;

    /*
     * Test that session_save() fails cleanly on small buffers
     */
    mbedtls_ssl_session_init(&session);
    USE_PSA_INIT();

    /* Prepare dummy session and get serialized size */
    ((void) ticket_len);
    ((void) crt_file);

    switch (tls_version) {
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
        case MBEDTLS_SSL_VERSION_TLS1_3:
            TEST_ASSERT(mbedtls_test_ssl_tls13_populate_session(
                            &session, 0, endpoint_type) == 0);
            break;
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
        case MBEDTLS_SSL_VERSION_TLS1_2:
            TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session(
                            &session, ticket_len, endpoint_type, crt_file) == 0);
            break;
#endif
        default:
            /* should never happen */
            TEST_ASSERT(0);
            break;
    }

    TEST_ASSERT(mbedtls_ssl_session_save(&session, NULL, 0, &good_len)
                == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL);

    /* Try all possible bad lengths */
    for (bad_len = 1; bad_len < good_len; bad_len++) {
        /* Allocate exact size so that asan/valgrind can detect any overwrite */
        mbedtls_free(buf);
        buf = NULL;
        TEST_CALLOC(buf, bad_len);
        TEST_ASSERT(mbedtls_ssl_session_save(&session, buf, bad_len,
                                             &test_len)
                    == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL);
        TEST_ASSERT(test_len == good_len);
    }

exit:
    mbedtls_ssl_session_free(&session);
    mbedtls_free(buf);
    USE_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE */
void ssl_serialize_session_load_buf_size(int ticket_len, char *crt_file,
                                         int endpoint_type, int tls_version)
{
    mbedtls_ssl_session session;
    unsigned char *good_buf = NULL, *bad_buf = NULL;
    size_t good_len, bad_len;

    /*
     * Test that session_load() fails cleanly on small buffers
     */
    mbedtls_ssl_session_init(&session);
    USE_PSA_INIT();

    /* Prepare serialized session data */
    ((void) ticket_len);
    ((void) crt_file);

    switch (tls_version) {
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
        case MBEDTLS_SSL_VERSION_TLS1_3:
            TEST_ASSERT(mbedtls_test_ssl_tls13_populate_session(
                            &session, 0, endpoint_type) == 0);
            break;
#endif

#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
        case MBEDTLS_SSL_VERSION_TLS1_2:
            TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session(
                            &session, ticket_len, endpoint_type, crt_file) == 0);
            break;
#endif

        default:
            /* should never happen */
            TEST_ASSERT(0);
            break;
    }

    TEST_ASSERT(mbedtls_ssl_session_save(&session, NULL, 0, &good_len)
                == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL);
    TEST_CALLOC(good_buf, good_len);
    TEST_ASSERT(mbedtls_ssl_session_save(&session, good_buf, good_len,
                                         &good_len) == 0);
    mbedtls_ssl_session_free(&session);

    /* Try all possible bad lengths */
    for (bad_len = 0; bad_len < good_len; bad_len++) {
        /* Allocate exact size so that asan/valgrind can detect any overread */
        mbedtls_free(bad_buf);
        bad_buf = NULL;
        TEST_CALLOC_NONNULL(bad_buf, bad_len);
        memcpy(bad_buf, good_buf, bad_len);

        TEST_ASSERT(mbedtls_ssl_session_load(&session, bad_buf, bad_len)
                    == MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
    }

exit:
    mbedtls_ssl_session_free(&session);
    mbedtls_free(good_buf);
    mbedtls_free(bad_buf);
    USE_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE */
void ssl_session_serialize_version_check(int corrupt_major,
                                         int corrupt_minor,
                                         int corrupt_patch,
                                         int corrupt_config,
                                         int endpoint_type,
                                         int tls_version)
{
    unsigned char serialized_session[2048];
    size_t serialized_session_len;
    unsigned cur_byte;
    mbedtls_ssl_session session;
    uint8_t should_corrupt_byte[] = { corrupt_major  == 1,
                                      corrupt_minor  == 1,
                                      corrupt_patch  == 1,
                                      corrupt_config == 1,
                                      corrupt_config == 1 };

    mbedtls_ssl_session_init(&session);
    USE_PSA_INIT();

    switch (tls_version) {
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
        case MBEDTLS_SSL_VERSION_TLS1_3:
            TEST_ASSERT(mbedtls_test_ssl_tls13_populate_session(
                            &session, 0, endpoint_type) == 0);
            break;
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
        case MBEDTLS_SSL_VERSION_TLS1_2:
            TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session(
                            &session, 0, endpoint_type, NULL) == 0);

            break;
#endif
        default:
            /* should never happen */
            TEST_ASSERT(0);
            break;
    }

    /* Infer length of serialized session. */
    TEST_ASSERT(mbedtls_ssl_session_save(&session,
                                         serialized_session,
                                         sizeof(serialized_session),
                                         &serialized_session_len) == 0);

    mbedtls_ssl_session_free(&session);

    /* Without any modification, we should be able to successfully
     * de-serialize the session - double-check that. */
    TEST_ASSERT(mbedtls_ssl_session_load(&session,
                                         serialized_session,
                                         serialized_session_len) == 0);
    mbedtls_ssl_session_free(&session);

    /* Go through the bytes in the serialized session header and
     * corrupt them bit-by-bit. */
    for (cur_byte = 0; cur_byte < sizeof(should_corrupt_byte); cur_byte++) {
        int cur_bit;
        unsigned char *const byte = &serialized_session[cur_byte];

        if (should_corrupt_byte[cur_byte] == 0) {
            continue;
        }

        for (cur_bit = 0; cur_bit < CHAR_BIT; cur_bit++) {
            unsigned char const corrupted_bit = 0x1u << cur_bit;
            /* Modify a single bit in the serialized session. */
            *byte ^= corrupted_bit;

            /* Attempt to deserialize */
            TEST_ASSERT(mbedtls_ssl_session_load(&session,
                                                 serialized_session,
                                                 serialized_session_len) ==
                        MBEDTLS_ERR_SSL_VERSION_MISMATCH);

            /* Undo the change */
            *byte ^= corrupted_bit;
        }
    }
exit:
    USE_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE */
void ssl_session_id_accessors_check(int tls_version)
{
    mbedtls_ssl_session session;
    int ciphersuite_id;
    const mbedtls_ssl_ciphersuite_t *ciphersuite_info;

    mbedtls_ssl_session_init(&session);
    USE_PSA_INIT();

    switch (tls_version) {
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
        case MBEDTLS_SSL_VERSION_TLS1_3:
            ciphersuite_id = MBEDTLS_TLS1_3_AES_128_GCM_SHA256;
            TEST_ASSERT(mbedtls_test_ssl_tls13_populate_session(
                            &session, 0, MBEDTLS_SSL_IS_SERVER) == 0);
            break;
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
        case MBEDTLS_SSL_VERSION_TLS1_2:
            ciphersuite_id = MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256;
            TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session(
                            &session, 0, MBEDTLS_SSL_IS_SERVER, NULL) == 0);

            break;
#endif
        default:
            /* should never happen */
            TEST_ASSERT(0);
            break;
    }
    TEST_ASSERT(*mbedtls_ssl_session_get_id(&session) == session.id);
    TEST_ASSERT(mbedtls_ssl_session_get_id_len(&session) == session.id_len);
    /* mbedtls_test_ssl_tls1x_populate_session sets a mock suite-id of 0xabcd */
    TEST_ASSERT(mbedtls_ssl_session_get_ciphersuite_id(&session) == 0xabcd);

    /* Test setting a reference id for tls1.3 and tls1.2 */
    ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite_id);
    if (ciphersuite_info != NULL) {
        TEST_ASSERT(mbedtls_ssl_ciphersuite_get_id(ciphersuite_info) == ciphersuite_id);
    }

exit:
    mbedtls_ssl_session_free(&session);
    USE_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_SHA_256 */
void mbedtls_endpoint_sanity(int endpoint_type)
{
    enum { BUFFSIZE = 1024 };
    mbedtls_test_ssl_endpoint ep;
    int ret = -1;
    mbedtls_test_handshake_test_options options;
    mbedtls_test_init_handshake_options(&options);
    options.pk_alg = MBEDTLS_PK_RSA;

    MD_OR_USE_PSA_INIT();

    ret = mbedtls_test_ssl_endpoint_init(NULL, endpoint_type, &options,
                                         NULL, NULL, NULL);
    TEST_ASSERT(MBEDTLS_ERR_SSL_BAD_INPUT_DATA == ret);

    ret = mbedtls_test_ssl_endpoint_certificate_init(NULL, options.pk_alg,
                                                     0, 0, 0);
    TEST_ASSERT(MBEDTLS_ERR_SSL_BAD_INPUT_DATA == ret);

    ret = mbedtls_test_ssl_endpoint_init(&ep, endpoint_type, &options,
                                         NULL, NULL, NULL);
    TEST_ASSERT(ret == 0);

exit:
    mbedtls_test_ssl_endpoint_free(&ep, NULL);
    mbedtls_test_free_handshake_options(&options);
    MD_OR_USE_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
void move_handshake_to_state(int endpoint_type, int tls_version, int state, int need_pass)
{
    enum { BUFFSIZE = 1024 };
    mbedtls_test_ssl_endpoint base_ep, second_ep;
    int ret = -1;
    (void) tls_version;

    mbedtls_test_handshake_test_options options;
    mbedtls_test_init_handshake_options(&options);

    options.pk_alg = MBEDTLS_PK_RSA;

    /*
     * If both TLS 1.2 and 1.3 are enabled and we want to do a TLS 1.2
     * handshake, force the TLS 1.2 version on endpoint under test.
     */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
    if (MBEDTLS_SSL_VERSION_TLS1_2 == tls_version) {
        if (MBEDTLS_SSL_IS_CLIENT == endpoint_type) {
            options.client_min_version = MBEDTLS_SSL_VERSION_TLS1_2;
            options.client_max_version = MBEDTLS_SSL_VERSION_TLS1_2;
        } else {
            options.server_min_version = MBEDTLS_SSL_VERSION_TLS1_2;
            options.server_max_version = MBEDTLS_SSL_VERSION_TLS1_2;
        }
    }
#endif

    MD_OR_USE_PSA_INIT();
    mbedtls_platform_zeroize(&base_ep, sizeof(base_ep));
    mbedtls_platform_zeroize(&second_ep, sizeof(second_ep));

    ret = mbedtls_test_ssl_endpoint_init(&base_ep, endpoint_type, &options,
                                         NULL, NULL, NULL);
    TEST_ASSERT(ret == 0);

    ret = mbedtls_test_ssl_endpoint_init(
        &second_ep,
        (endpoint_type == MBEDTLS_SSL_IS_SERVER) ?
        MBEDTLS_SSL_IS_CLIENT : MBEDTLS_SSL_IS_SERVER,
        &options, NULL, NULL, NULL);

    TEST_ASSERT(ret == 0);

    ret = mbedtls_test_mock_socket_connect(&(base_ep.socket),
                                           &(second_ep.socket),
                                           BUFFSIZE);
    TEST_ASSERT(ret == 0);

    ret = mbedtls_test_move_handshake_to_state(&(base_ep.ssl),
                                               &(second_ep.ssl),
                                               state);
    if (need_pass) {
        TEST_ASSERT(ret == 0 ||
                    ret == MBEDTLS_ERR_SSL_WANT_READ ||
                    ret == MBEDTLS_ERR_SSL_WANT_WRITE);
        TEST_ASSERT(base_ep.ssl.state == state);
    } else {
        TEST_ASSERT(ret != 0 &&
                    ret != MBEDTLS_ERR_SSL_WANT_READ &&
                    ret != MBEDTLS_ERR_SSL_WANT_WRITE);
        TEST_ASSERT(base_ep.ssl.state != state);
    }

exit:
    mbedtls_test_free_handshake_options(&options);
    mbedtls_test_ssl_endpoint_free(&base_ep, NULL);
    mbedtls_test_ssl_endpoint_free(&second_ep, NULL);
    MD_OR_USE_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY */
void handshake_version(int dtls, int client_min_version, int client_max_version,
                       int server_min_version, int server_max_version,
                       int expected_negotiated_version)
{
    mbedtls_test_handshake_test_options options;
    mbedtls_test_init_handshake_options(&options);

    options.client_min_version = client_min_version;
    options.client_max_version = client_max_version;
    options.server_min_version = server_min_version;
    options.server_max_version = server_max_version;
    options.expected_negotiated_version = expected_negotiated_version;

    options.dtls = dtls;
    mbedtls_test_ssl_perform_handshake(&options);

    /* The goto below is used to avoid an "unused label" warning.*/
    goto exit;

exit:
    mbedtls_test_free_handshake_options(&options);
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_256 */
void handshake_psk_cipher(char *cipher, int pk_alg, data_t *psk_str, int dtls)
{
    mbedtls_test_handshake_test_options options;
    mbedtls_test_init_handshake_options(&options);

    options.cipher = cipher;
    options.dtls = dtls;
    options.psk_str = psk_str;
    options.pk_alg = pk_alg;

    options.client_min_version = MBEDTLS_SSL_VERSION_TLS1_2;
    options.client_max_version = MBEDTLS_SSL_VERSION_TLS1_2;
    options.expected_negotiated_version = MBEDTLS_SSL_VERSION_TLS1_2;

    mbedtls_test_ssl_perform_handshake(&options);

    /* The goto below is used to avoid an "unused label" warning.*/
    goto exit;

exit:
    mbedtls_test_free_handshake_options(&options);
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_256 */
void handshake_cipher(char *cipher, int pk_alg, int dtls)
{
    test_handshake_psk_cipher(cipher, pk_alg, NULL, dtls);

    /* The goto below is used to avoid an "unused label" warning.*/
    goto exit;
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ALG_SHA_256 */
void handshake_ciphersuite_select(char *cipher, int pk_alg, data_t *psk_str,
                                  int psa_alg, int psa_alg2, int psa_usage,
                                  int expected_handshake_result,
                                  int expected_ciphersuite)
{
    mbedtls_test_handshake_test_options options;
    mbedtls_test_init_handshake_options(&options);

    options.cipher = cipher;
    options.psk_str = psk_str;
    options.pk_alg = pk_alg;
    options.opaque_alg = psa_alg;
    options.opaque_alg2 = psa_alg2;
    options.opaque_usage = psa_usage;
    options.expected_handshake_result = expected_handshake_result;
    options.expected_ciphersuite = expected_ciphersuite;

    options.server_min_version = MBEDTLS_SSL_VERSION_TLS1_2;
    options.server_max_version = MBEDTLS_SSL_VERSION_TLS1_2;
    options.expected_negotiated_version = MBEDTLS_SSL_VERSION_TLS1_2;

    mbedtls_test_ssl_perform_handshake(&options);

    /* The goto below is used to avoid an "unused label" warning.*/
    goto exit;

exit:
    mbedtls_test_free_handshake_options(&options);
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_256 */
void app_data(int mfl, int cli_msg_len, int srv_msg_len,
              int expected_cli_fragments,
              int expected_srv_fragments, int dtls)
{
    mbedtls_test_handshake_test_options options;
    mbedtls_test_init_handshake_options(&options);

    options.mfl = mfl;
    options.cli_msg_len = cli_msg_len;
    options.srv_msg_len = srv_msg_len;
    options.expected_cli_fragments = expected_cli_fragments;
    options.expected_srv_fragments = expected_srv_fragments;
    options.dtls = dtls;

    options.client_min_version = MBEDTLS_SSL_VERSION_TLS1_2;
    options.client_max_version = MBEDTLS_SSL_VERSION_TLS1_2;
    options.expected_negotiated_version = MBEDTLS_SSL_VERSION_TLS1_2;

    mbedtls_test_ssl_perform_handshake(&options);

    /* The goto below is used to avoid an "unused label" warning.*/
    goto exit;

exit:
    mbedtls_test_free_handshake_options(&options);
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY */
void app_data_tls(int mfl, int cli_msg_len, int srv_msg_len,
                  int expected_cli_fragments,
                  int expected_srv_fragments)
{
    test_app_data(mfl, cli_msg_len, srv_msg_len, expected_cli_fragments,
                  expected_srv_fragments, 0);
    /* The goto below is used to avoid an "unused label" warning.*/
    goto exit;
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_SSL_PROTO_DTLS:PSA_WANT_ALG_SHA_256:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY */
void app_data_dtls(int mfl, int cli_msg_len, int srv_msg_len,
                   int expected_cli_fragments,
                   int expected_srv_fragments)
{
    test_app_data(mfl, cli_msg_len, srv_msg_len, expected_cli_fragments,
                  expected_srv_fragments, 1);
    /* The goto below is used to avoid an "unused label" warning.*/
    goto exit;
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SSL_CONTEXT_SERIALIZATION:PSA_WANT_ALG_SHA_256:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY:TEST_GCM_OR_CHACHAPOLY_ENABLED */
void handshake_serialization()
{
    mbedtls_test_handshake_test_options options;
    mbedtls_test_init_handshake_options(&options);

    options.serialize = 1;
    options.dtls = 1;
    options.expected_negotiated_version = MBEDTLS_SSL_VERSION_TLS1_2;
    mbedtls_test_ssl_perform_handshake(&options);
    /* The goto below is used to avoid an "unused label" warning.*/
    goto exit;
exit:
    mbedtls_test_free_handshake_options(&options);
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_DEBUG_C:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ALG_SHA_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
void handshake_fragmentation(int mfl,
                             int expected_srv_hs_fragmentation,
                             int expected_cli_hs_fragmentation)
{
    mbedtls_test_handshake_test_options options;
    mbedtls_test_ssl_log_pattern srv_pattern, cli_pattern;

    srv_pattern.pattern = cli_pattern.pattern = "found fragmented DTLS handshake";
    srv_pattern.counter = 0;
    cli_pattern.counter = 0;

    mbedtls_test_init_handshake_options(&options);
    options.dtls = 1;
    options.expected_negotiated_version = MBEDTLS_SSL_VERSION_TLS1_2;
    options.mfl = mfl;
    /* Set cipher to one using CBC so that record splitting can be tested */
    options.cipher = "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384";
    options.srv_auth_mode = MBEDTLS_SSL_VERIFY_REQUIRED;
    options.srv_log_obj = &srv_pattern;
    options.cli_log_obj = &cli_pattern;
    options.srv_log_fun = mbedtls_test_ssl_log_analyzer;
    options.cli_log_fun = mbedtls_test_ssl_log_analyzer;

    mbedtls_test_ssl_perform_handshake(&options);

    /* Test if the server received a fragmented handshake */
    if (expected_srv_hs_fragmentation) {
        TEST_ASSERT(srv_pattern.counter >= 1);
    }
    /* Test if the client received a fragmented handshake */
    if (expected_cli_hs_fragmentation) {
        TEST_ASSERT(cli_pattern.counter >= 1);
    }

exit:
    mbedtls_test_free_handshake_options(&options);
}
/* END_CASE */

/* This test case doesn't actually depend on certificates,
 * but our helper code for mbedtls_test_ssl_endpoint does. */
/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
void recombine_server_first_flight(int version,
                                   int instruction, int param,
                                   char *client_log, char *server_log,
                                   int goal_state, int expected_ret)
{
    enum { BUFFSIZE = 17000 };
    mbedtls_test_ssl_endpoint client;
    memset(&client, 0, sizeof(client));
    mbedtls_test_ssl_endpoint server;
    memset(&server, 0, sizeof(server));
    mbedtls_test_handshake_test_options client_options;
    mbedtls_test_init_handshake_options(&client_options);
    mbedtls_test_handshake_test_options server_options;
    mbedtls_test_init_handshake_options(&server_options);
#if defined(MBEDTLS_DEBUG_C)
    mbedtls_test_ssl_log_pattern cli_pattern = { .pattern = client_log };
    mbedtls_test_ssl_log_pattern srv_pattern = { .pattern = server_log };
#else
    (void) client_log;
    (void) server_log;
#endif
    int ret = 0;

    MD_OR_USE_PSA_INIT();
#if defined(MBEDTLS_DEBUG_C)
    mbedtls_debug_set_threshold(3);
#endif

    client_options.client_min_version = version;
    client_options.client_max_version = version;
#if defined(MBEDTLS_DEBUG_C)
    client_options.cli_log_obj = &cli_pattern;
    client_options.cli_log_fun = mbedtls_test_ssl_log_analyzer;
#endif
    TEST_EQUAL(mbedtls_test_ssl_endpoint_init(&client, MBEDTLS_SSL_IS_CLIENT,
                                              &client_options, NULL, NULL,
                                              NULL), 0);
#if defined(MBEDTLS_DEBUG_C)
    mbedtls_ssl_conf_dbg(&client.conf, client_options.cli_log_fun,
                         client_options.cli_log_obj);
#endif

    server_options.server_min_version = version;
    server_options.server_max_version = version;
#if defined(MBEDTLS_DEBUG_C)
    server_options.srv_log_obj = &srv_pattern;
    server_options.srv_log_fun = mbedtls_test_ssl_log_analyzer;
#endif
    TEST_EQUAL(mbedtls_test_ssl_endpoint_init(&server, MBEDTLS_SSL_IS_SERVER,
                                              &server_options, NULL, NULL,
                                              NULL), 0);
#if defined(MBEDTLS_DEBUG_C)
    mbedtls_ssl_conf_dbg(&server.conf, server_options.srv_log_fun,
                         server_options.srv_log_obj);
#endif

    TEST_EQUAL(mbedtls_test_mock_socket_connect(&client.socket,
                                                &server.socket,
                                                BUFFSIZE), 0);

    /* Client: emit the first flight from the client */
    while (ret == 0) {
        mbedtls_test_set_step(client.ssl.state);
        ret = mbedtls_ssl_handshake_step(&client.ssl);
    }
    TEST_EQUAL(ret, MBEDTLS_ERR_SSL_WANT_READ);
    ret = 0;
    TEST_EQUAL(client.ssl.state, MBEDTLS_SSL_SERVER_HELLO);

    /* Server: parse the first flight from the client
     * and emit the first flight from the server */
    while (ret == 0) {
        mbedtls_test_set_step(1000 + server.ssl.state);
        ret = mbedtls_ssl_handshake_step(&server.ssl);
    }
    TEST_EQUAL(ret, MBEDTLS_ERR_SSL_WANT_READ);
    ret = 0;
    TEST_EQUAL(server.ssl.state, MBEDTLS_SSL_SERVER_HELLO_DONE + 1);

    /* Recombine the first flight from the server */
    TEST_ASSERT(recombine_records(&server, instruction, param));

    /* Client: parse the first flight from the server
     * and emit the second flight from the client */
    while (ret == 0 && !mbedtls_ssl_is_handshake_over(&client.ssl)) {
        mbedtls_test_set_step(client.ssl.state);
        ret = mbedtls_ssl_handshake_step(&client.ssl);
        if (client.ssl.state == goal_state && ret != 0) {
            TEST_EQUAL(ret, expected_ret);
            goto goal_reached;
        }
    }
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
    if (version >= MBEDTLS_SSL_VERSION_TLS1_3 &&
        goal_state >= MBEDTLS_SSL_HANDSHAKE_OVER) {
        TEST_EQUAL(ret, 0);
    } else
#endif
    {
        TEST_EQUAL(ret, MBEDTLS_ERR_SSL_WANT_READ);
    }
    ret = 0;

    /* Server: parse the first flight from the client
     * and emit the second flight from the server */
    while (ret == 0 && !mbedtls_ssl_is_handshake_over(&server.ssl)) {
        mbedtls_test_set_step(1000 + server.ssl.state);
        ret = mbedtls_ssl_handshake_step(&server.ssl);
    }
    TEST_EQUAL(ret, 0);

    /* Client: parse the second flight from the server */
    while (ret == 0 && !mbedtls_ssl_is_handshake_over(&client.ssl)) {
        mbedtls_test_set_step(client.ssl.state);
        ret = mbedtls_ssl_handshake_step(&client.ssl);
    }
    if (client.ssl.state == goal_state) {
        TEST_EQUAL(ret, expected_ret);
    } else {
        TEST_EQUAL(ret, 0);
    }

goal_reached:
#if defined(MBEDTLS_DEBUG_C)
    TEST_ASSERT(cli_pattern.counter >= 1);
    TEST_ASSERT(srv_pattern.counter >= 1);
#endif

exit:
    mbedtls_test_ssl_endpoint_free(&client, NULL);
    mbedtls_test_ssl_endpoint_free(&server, NULL);
    mbedtls_test_free_handshake_options(&client_options);
    mbedtls_test_free_handshake_options(&server_options);
    MD_OR_USE_PSA_DONE();
#if defined(MBEDTLS_DEBUG_C)
    mbedtls_debug_set_threshold(0);
#endif
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SSL_RENEGOTIATION:PSA_WANT_ALG_SHA_256:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY */
void renegotiation(int legacy_renegotiation)
{
    mbedtls_test_handshake_test_options options;
    mbedtls_test_init_handshake_options(&options);

    options.renegotiate = 1;
    options.legacy_renegotiation = legacy_renegotiation;
    options.dtls = 1;
    options.expected_negotiated_version = MBEDTLS_SSL_VERSION_TLS1_2;

    mbedtls_test_ssl_perform_handshake(&options);

    /* The goto below is used to avoid an "unused label" warning.*/
    goto exit;
exit:
    mbedtls_test_free_handshake_options(&options);
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_CONTEXT_SERIALIZATION:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_SSL_PROTO_DTLS:PSA_WANT_ALG_SHA_256:MBEDTLS_TEST_HAS_AEAD_ALG */
void resize_buffers_serialize_mfl(int mfl)
{
    /* Choose an AEAD ciphersuite */
    const int *ciphersuites = mbedtls_ssl_list_ciphersuites();
    const mbedtls_ssl_ciphersuite_t *ciphersuite = NULL;
    int i = 0;
    while (ciphersuites[i] != 0) {
        ciphersuite = mbedtls_ssl_ciphersuite_from_id(ciphersuites[i]);

        if (ciphersuite->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
            const mbedtls_ssl_mode_t mode =
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
                mbedtls_ssl_get_mode_from_ciphersuite(0, ciphersuite);
#else
                mbedtls_ssl_get_mode_from_ciphersuite(ciphersuite);
#endif
            if (mode == MBEDTLS_SSL_MODE_AEAD) {
                break;
            }
        }

        i++;
    }

    TEST_ASSERT(ciphersuite != NULL);

    resize_buffers(mfl, 0, MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION, 1, 1,
                   (char *) ciphersuite->name);
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_256 */
void resize_buffers_renegotiate_mfl(int mfl, int legacy_renegotiation,
                                    char *cipher)
{
    resize_buffers(mfl, 1, legacy_renegotiation, 0, 1, cipher);
    /* The goto below is used to avoid an "unused label" warning.*/
    goto exit;
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
void test_multiple_psks()
{
    unsigned char psk0[10] = { 0 };
    unsigned char psk0_identity[] = { 'f', 'o', 'o' };

    unsigned char psk1[10] = { 0 };
    unsigned char psk1_identity[] = { 'b', 'a', 'r' };

    mbedtls_ssl_config conf;

    mbedtls_ssl_config_init(&conf);
    MD_OR_USE_PSA_INIT();

    TEST_ASSERT(mbedtls_ssl_conf_psk(&conf,
                                     psk0, sizeof(psk0),
                                     psk0_identity, sizeof(psk0_identity)) == 0);
    TEST_ASSERT(mbedtls_ssl_conf_psk(&conf,
                                     psk1, sizeof(psk1),
                                     psk1_identity, sizeof(psk1_identity)) ==
                MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE);

exit:
    mbedtls_ssl_config_free(&conf);
    MD_OR_USE_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED:MBEDTLS_USE_PSA_CRYPTO */
void test_multiple_psks_opaque(int mode)
{
    /*
     * Mode 0: Raw PSK, then opaque PSK
     * Mode 1: Opaque PSK, then raw PSK
     * Mode 2: 2x opaque PSK
     */

    unsigned char psk0_raw[10] = { 0 };
    unsigned char psk0_raw_identity[] = { 'f', 'o', 'o' };

    mbedtls_svc_key_id_t psk0_opaque = mbedtls_svc_key_id_make(0x1, (psa_key_id_t) 1);

    unsigned char psk0_opaque_identity[] = { 'f', 'o', 'o' };

    unsigned char psk1_raw[10] = { 0 };
    unsigned char psk1_raw_identity[] = { 'b', 'a', 'r' };

    mbedtls_svc_key_id_t psk1_opaque = mbedtls_svc_key_id_make(0x1, (psa_key_id_t) 2);

    unsigned char psk1_opaque_identity[] = { 'b', 'a', 'r' };

    mbedtls_ssl_config conf;

    mbedtls_ssl_config_init(&conf);
    MD_OR_USE_PSA_INIT();

    switch (mode) {
        case 0:

            TEST_ASSERT(mbedtls_ssl_conf_psk(&conf,
                                             psk0_raw, sizeof(psk0_raw),
                                             psk0_raw_identity, sizeof(psk0_raw_identity))
                        == 0);
            TEST_ASSERT(mbedtls_ssl_conf_psk_opaque(&conf,
                                                    psk1_opaque,
                                                    psk1_opaque_identity,
                                                    sizeof(psk1_opaque_identity))
                        == MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE);
            break;

        case 1:

            TEST_ASSERT(mbedtls_ssl_conf_psk_opaque(&conf,
                                                    psk0_opaque,
                                                    psk0_opaque_identity,
                                                    sizeof(psk0_opaque_identity))
                        == 0);
            TEST_ASSERT(mbedtls_ssl_conf_psk(&conf,
                                             psk1_raw, sizeof(psk1_raw),
                                             psk1_raw_identity, sizeof(psk1_raw_identity))
                        == MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE);

            break;

        case 2:

            TEST_ASSERT(mbedtls_ssl_conf_psk_opaque(&conf,
                                                    psk0_opaque,
                                                    psk0_opaque_identity,
                                                    sizeof(psk0_opaque_identity))
                        == 0);
            TEST_ASSERT(mbedtls_ssl_conf_psk_opaque(&conf,
                                                    psk1_opaque,
                                                    psk1_opaque_identity,
                                                    sizeof(psk1_opaque_identity))
                        == MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE);

            break;

        default:
            TEST_ASSERT(0);
            break;
    }

exit:
    mbedtls_ssl_config_free(&conf);
    MD_OR_USE_PSA_DONE();

}
/* END_CASE */

/* BEGIN_CASE */
void conf_version(int endpoint, int transport,
                  int min_tls_version, int max_tls_version,
                  int expected_ssl_setup_result)
{
    mbedtls_ssl_config conf;
    mbedtls_ssl_context ssl;

    mbedtls_ssl_config_init(&conf);
    mbedtls_ssl_init(&ssl);
    MD_OR_USE_PSA_INIT();

    mbedtls_ssl_conf_endpoint(&conf, endpoint);
    mbedtls_ssl_conf_transport(&conf, transport);
    mbedtls_ssl_conf_min_tls_version(&conf, min_tls_version);
    mbedtls_ssl_conf_max_tls_version(&conf, max_tls_version);

    TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == expected_ssl_setup_result);
    TEST_EQUAL(mbedtls_ssl_conf_get_endpoint(
                   mbedtls_ssl_context_get_config(&ssl)), endpoint);

    mbedtls_ssl_free(&ssl);
    mbedtls_ssl_config_free(&conf);

exit:
    MD_OR_USE_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE */
void conf_group()
{
    uint16_t iana_tls_group_list[] = { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1,
                                       MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1,
                                       MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
                                       MBEDTLS_SSL_IANA_TLS_GROUP_NONE };

    mbedtls_ssl_config conf;
    mbedtls_ssl_config_init(&conf);

    mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_CLIENT,
                                MBEDTLS_SSL_TRANSPORT_STREAM,
                                MBEDTLS_SSL_PRESET_DEFAULT);

    mbedtls_ssl_conf_groups(&conf, iana_tls_group_list);

    mbedtls_ssl_context ssl;
    mbedtls_ssl_init(&ssl);
    MD_OR_USE_PSA_INIT();

    TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0);

    TEST_ASSERT(ssl.conf != NULL && ssl.conf->group_list != NULL);

    TEST_EQUAL(ssl.conf->
               group_list[ARRAY_LENGTH(iana_tls_group_list) - 1],
               MBEDTLS_SSL_IANA_TLS_GROUP_NONE);

    for (size_t i = 0; i < ARRAY_LENGTH(iana_tls_group_list); i++) {
        TEST_EQUAL(iana_tls_group_list[i], ssl.conf->group_list[i]);
    }

exit:
    mbedtls_ssl_free(&ssl);
    mbedtls_ssl_config_free(&conf);
    MD_OR_USE_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_CACHE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_DEBUG_C:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_SHA_256 */
void force_bad_session_id_len()
{
    enum { BUFFSIZE = 1024 };
    mbedtls_test_handshake_test_options options;
    mbedtls_test_ssl_endpoint client, server;
    mbedtls_test_ssl_log_pattern srv_pattern, cli_pattern;
    mbedtls_test_message_socket_context server_context, client_context;

    srv_pattern.pattern = cli_pattern.pattern = "cache did not store session";
    srv_pattern.counter = 0;
    mbedtls_test_init_handshake_options(&options);

    options.srv_log_obj = &srv_pattern;
    options.srv_log_fun = mbedtls_test_ssl_log_analyzer;

    mbedtls_platform_zeroize(&client, sizeof(client));
    mbedtls_platform_zeroize(&server, sizeof(server));

    mbedtls_test_message_socket_init(&server_context);
    mbedtls_test_message_socket_init(&client_context);
    MD_OR_USE_PSA_INIT();

    TEST_ASSERT(mbedtls_test_ssl_endpoint_init(&client, MBEDTLS_SSL_IS_CLIENT,
                                               &options, NULL, NULL,
                                               NULL) == 0);

    TEST_ASSERT(mbedtls_test_ssl_endpoint_init(&server, MBEDTLS_SSL_IS_SERVER,
                                               &options, NULL, NULL, NULL) == 0);

    mbedtls_debug_set_threshold(1);
    mbedtls_ssl_conf_dbg(&server.conf, options.srv_log_fun,
                         options.srv_log_obj);

    TEST_ASSERT(mbedtls_test_mock_socket_connect(&(client.socket),
                                                 &(server.socket),
                                                 BUFFSIZE) == 0);

    TEST_ASSERT(mbedtls_test_move_handshake_to_state(
                    &(client.ssl), &(server.ssl), MBEDTLS_SSL_HANDSHAKE_WRAPUP)
                ==  0);
    /* Force a bad session_id_len that will be read by the server in
     * mbedtls_ssl_cache_set. */
    server.ssl.session_negotiate->id_len = 33;
    if (options.cli_msg_len != 0 || options.srv_msg_len != 0) {
        /* Start data exchanging test */
        TEST_ASSERT(mbedtls_test_ssl_exchange_data(
                        &(client.ssl), options.cli_msg_len,
                        options.expected_cli_fragments,
                        &(server.ssl), options.srv_msg_len,
                        options.expected_srv_fragments)
                    == 0);
    }

    /* Make sure that the cache did not store the session */
    TEST_EQUAL(srv_pattern.counter, 1);
exit:
    mbedtls_test_ssl_endpoint_free(&client, NULL);
    mbedtls_test_ssl_endpoint_free(&server, NULL);
    mbedtls_test_free_handshake_options(&options);
    mbedtls_debug_set_threshold(0);
    MD_OR_USE_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE:MBEDTLS_TEST_HOOKS */
void cookie_parsing(data_t *cookie, int exp_ret)
{
    mbedtls_ssl_context ssl;
    mbedtls_ssl_config conf;
    size_t len;

    mbedtls_ssl_init(&ssl);
    mbedtls_ssl_config_init(&conf);
    USE_PSA_INIT();

    TEST_EQUAL(mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_SERVER,
                                           MBEDTLS_SSL_TRANSPORT_DATAGRAM,
                                           MBEDTLS_SSL_PRESET_DEFAULT),
               0);

    TEST_EQUAL(mbedtls_ssl_setup(&ssl, &conf), 0);
    TEST_EQUAL(mbedtls_ssl_check_dtls_clihlo_cookie(&ssl, ssl.cli_id,
                                                    ssl.cli_id_len,
                                                    cookie->x, cookie->len,
                                                    ssl.out_buf,
                                                    MBEDTLS_SSL_OUT_CONTENT_LEN,
                                                    &len),
               exp_ret);

exit:
    mbedtls_ssl_free(&ssl);
    mbedtls_ssl_config_free(&conf);
    USE_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_TIMING_C:MBEDTLS_HAVE_TIME */
void timing_final_delay_accessor()
{
    mbedtls_timing_delay_context    delay_context;

    USE_PSA_INIT();
    mbedtls_timing_set_delay(&delay_context, 50, 100);

    TEST_ASSERT(mbedtls_timing_get_final_delay(&delay_context) == 100);

exit:
    USE_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID */
void cid_sanity()
{
    mbedtls_ssl_context ssl;
    mbedtls_ssl_config conf;

    unsigned char own_cid[MBEDTLS_SSL_CID_IN_LEN_MAX];
    unsigned char test_cid[MBEDTLS_SSL_CID_IN_LEN_MAX];
    int cid_enabled;
    size_t own_cid_len;

    mbedtls_test_rnd_std_rand(NULL, own_cid, sizeof(own_cid));

    mbedtls_ssl_init(&ssl);
    mbedtls_ssl_config_init(&conf);
    MD_OR_USE_PSA_INIT();

    TEST_ASSERT(mbedtls_ssl_config_defaults(&conf,
                                            MBEDTLS_SSL_IS_CLIENT,
                                            MBEDTLS_SSL_TRANSPORT_STREAM,
                                            MBEDTLS_SSL_PRESET_DEFAULT)
                == 0);

    TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0);

    /* Can't use CID functions with stream transport. */
    TEST_ASSERT(mbedtls_ssl_set_cid(&ssl, MBEDTLS_SSL_CID_ENABLED, own_cid,
                                    sizeof(own_cid))
                == MBEDTLS_ERR_SSL_BAD_INPUT_DATA);

    TEST_ASSERT(mbedtls_ssl_get_own_cid(&ssl, &cid_enabled, test_cid,
                                        &own_cid_len)
                == MBEDTLS_ERR_SSL_BAD_INPUT_DATA);

    TEST_ASSERT(mbedtls_ssl_config_defaults(&conf,
                                            MBEDTLS_SSL_IS_CLIENT,
                                            MBEDTLS_SSL_TRANSPORT_DATAGRAM,
                                            MBEDTLS_SSL_PRESET_DEFAULT)
                == 0);

    /* Attempt to set config cid size too big. */
    TEST_ASSERT(mbedtls_ssl_conf_cid(&conf, MBEDTLS_SSL_CID_IN_LEN_MAX + 1,
                                     MBEDTLS_SSL_UNEXPECTED_CID_IGNORE)
                == MBEDTLS_ERR_SSL_BAD_INPUT_DATA);

    TEST_ASSERT(mbedtls_ssl_conf_cid(&conf, sizeof(own_cid),
                                     MBEDTLS_SSL_UNEXPECTED_CID_IGNORE)
                == 0);

    /* Attempt to set CID length not matching config. */
    TEST_ASSERT(mbedtls_ssl_set_cid(&ssl, MBEDTLS_SSL_CID_ENABLED, own_cid,
                                    MBEDTLS_SSL_CID_IN_LEN_MAX - 1)
                == MBEDTLS_ERR_SSL_BAD_INPUT_DATA);

    TEST_ASSERT(mbedtls_ssl_set_cid(&ssl, MBEDTLS_SSL_CID_ENABLED, own_cid,
                                    sizeof(own_cid))
                == 0);

    /* Test we get back what we put in. */
    TEST_ASSERT(mbedtls_ssl_get_own_cid(&ssl, &cid_enabled, test_cid,
                                        &own_cid_len)
                == 0);

    TEST_EQUAL(cid_enabled, MBEDTLS_SSL_CID_ENABLED);
    TEST_MEMORY_COMPARE(own_cid, own_cid_len, test_cid, own_cid_len);

    /* Test disabling works. */
    TEST_ASSERT(mbedtls_ssl_set_cid(&ssl, MBEDTLS_SSL_CID_DISABLED, NULL,
                                    0)
                == 0);

    TEST_ASSERT(mbedtls_ssl_get_own_cid(&ssl, &cid_enabled, test_cid,
                                        &own_cid_len)
                == 0);

    TEST_EQUAL(cid_enabled, MBEDTLS_SSL_CID_DISABLED);

exit:
    mbedtls_ssl_free(&ssl);
    mbedtls_ssl_config_free(&conf);
    MD_OR_USE_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:PSA_HAVE_ALG_SOME_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT */
void raw_key_agreement_fail(int bad_server_ecdhe_key)
{
    enum { BUFFSIZE = 17000 };
    mbedtls_test_ssl_endpoint client, server;
    mbedtls_psa_stats_t stats;
    size_t free_slots_before = -1;
    mbedtls_test_handshake_test_options client_options, server_options;
    mbedtls_test_init_handshake_options(&client_options);
    mbedtls_test_init_handshake_options(&server_options);

    uint16_t iana_tls_group_list[] = { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
                                       MBEDTLS_SSL_IANA_TLS_GROUP_NONE };
    MD_OR_USE_PSA_INIT();
    mbedtls_platform_zeroize(&client, sizeof(client));
    mbedtls_platform_zeroize(&server, sizeof(server));

    /* Client side, force SECP256R1 to make one key bitflip fail
     * the raw key agreement. Flipping the first byte makes the
     * required 0x04 identifier invalid. */
    client_options.pk_alg = MBEDTLS_PK_ECDSA;
    client_options.group_list = iana_tls_group_list;
    TEST_EQUAL(mbedtls_test_ssl_endpoint_init(&client, MBEDTLS_SSL_IS_CLIENT,
                                              &client_options, NULL, NULL,
                                              NULL), 0);

    /* Server side */
    server_options.pk_alg = MBEDTLS_PK_ECDSA;
    server_options.server_min_version = MBEDTLS_SSL_VERSION_TLS1_2;
    server_options.server_max_version = MBEDTLS_SSL_VERSION_TLS1_2;
    TEST_EQUAL(mbedtls_test_ssl_endpoint_init(&server, MBEDTLS_SSL_IS_SERVER,
                                              &server_options, NULL, NULL,
                                              NULL), 0);

    TEST_EQUAL(mbedtls_test_mock_socket_connect(&(client.socket),
                                                &(server.socket),
                                                BUFFSIZE), 0);

    TEST_EQUAL(mbedtls_test_move_handshake_to_state(
                   &(client.ssl), &(server.ssl),
                   MBEDTLS_SSL_CLIENT_KEY_EXCHANGE), 0);

    mbedtls_psa_get_stats(&stats);
    /* Save the number of slots in use up to this point.
     * With PSA, one can be used for the ECDH private key. */
    free_slots_before = stats.empty_slots;

    if (bad_server_ecdhe_key) {
        /* Force a simulated bitflip in the server key. to make the
         * raw key agreement in ssl_write_client_key_exchange fail. */
        (client.ssl).handshake->xxdh_psa_peerkey[0] ^= 0x02;
    }

    TEST_EQUAL(mbedtls_test_move_handshake_to_state(
                   &(client.ssl), &(server.ssl), MBEDTLS_SSL_HANDSHAKE_OVER),
               bad_server_ecdhe_key ? MBEDTLS_ERR_SSL_HW_ACCEL_FAILED : 0);

    mbedtls_psa_get_stats(&stats);

    /* Make sure that the key slot is already destroyed in case of failure,
     * without waiting to close the connection. */
    if (bad_server_ecdhe_key) {
        TEST_EQUAL(free_slots_before, stats.empty_slots);
    }

exit:
    mbedtls_test_ssl_endpoint_free(&client, NULL);
    mbedtls_test_ssl_endpoint_free(&server, NULL);
    mbedtls_test_free_handshake_options(&client_options);
    mbedtls_test_free_handshake_options(&server_options);

    MD_OR_USE_PSA_DONE();
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_SSL_PROTO_TLS1_3:!MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:PSA_WANT_ECC_SECP_R1_384 */
void tls13_server_certificate_msg_invalid_vector_len()
{
    int ret = -1;
    mbedtls_test_ssl_endpoint client_ep, server_ep;
    unsigned char *buf, *end;
    size_t buf_len;
    int step = 0;
    int expected_result;
    mbedtls_ssl_chk_buf_ptr_args expected_chk_buf_ptr_args;
    mbedtls_test_handshake_test_options client_options;
    mbedtls_test_handshake_test_options server_options;

    /*
     * Test set-up
     */
    mbedtls_platform_zeroize(&client_ep, sizeof(client_ep));
    mbedtls_platform_zeroize(&server_ep, sizeof(server_ep));

    mbedtls_test_init_handshake_options(&client_options);
    MD_OR_USE_PSA_INIT();

    client_options.pk_alg = MBEDTLS_PK_ECDSA;
    ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT,
                                         &client_options, NULL, NULL, NULL);
    TEST_EQUAL(ret, 0);

    mbedtls_test_init_handshake_options(&server_options);
    server_options.pk_alg = MBEDTLS_PK_ECDSA;
    ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER,
                                         &server_options, NULL, NULL, NULL);
    TEST_EQUAL(ret, 0);

    ret = mbedtls_test_mock_socket_connect(&(client_ep.socket),
                                           &(server_ep.socket), 1024);
    TEST_EQUAL(ret, 0);

    while (1) {
        mbedtls_test_set_step(++step);

        ret = mbedtls_test_move_handshake_to_state(
            &(server_ep.ssl), &(client_ep.ssl),
            MBEDTLS_SSL_CERTIFICATE_VERIFY);
        TEST_EQUAL(ret, 0);

        ret = mbedtls_ssl_flush_output(&(server_ep.ssl));
        TEST_EQUAL(ret, 0);

        ret = mbedtls_test_move_handshake_to_state(
            &(client_ep.ssl), &(server_ep.ssl),
            MBEDTLS_SSL_SERVER_CERTIFICATE);
        TEST_EQUAL(ret, 0);

        ret = mbedtls_ssl_tls13_fetch_handshake_msg(&(client_ep.ssl),
                                                    MBEDTLS_SSL_HS_CERTIFICATE,
                                                    &buf, &buf_len);
        TEST_EQUAL(ret, 0);

        end = buf + buf_len;

        /*
         * Tweak server Certificate message and parse it.
         */

        ret = mbedtls_test_tweak_tls13_certificate_msg_vector_len(
            buf, &end, step, &expected_result, &expected_chk_buf_ptr_args);

        if (ret != 0) {
            break;
        }

        ret = mbedtls_ssl_tls13_parse_certificate(&(client_ep.ssl), buf, end);
        TEST_EQUAL(ret, expected_result);

        TEST_ASSERT(mbedtls_ssl_cmp_chk_buf_ptr_fail_args(
                        &expected_chk_buf_ptr_args) == 0);

        mbedtls_ssl_reset_chk_buf_ptr_fail_args();

        ret = mbedtls_ssl_session_reset(&(client_ep.ssl));
        TEST_EQUAL(ret, 0);

        ret = mbedtls_ssl_session_reset(&(server_ep.ssl));
        TEST_EQUAL(ret, 0);
    }

exit:
    mbedtls_ssl_reset_chk_buf_ptr_fail_args();
    mbedtls_test_ssl_endpoint_free(&client_ep, NULL);
    mbedtls_test_ssl_endpoint_free(&server_ep, NULL);
    mbedtls_test_free_handshake_options(&client_options);
    mbedtls_test_free_handshake_options(&server_options);
    MD_OR_USE_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
void ssl_ecjpake_set_password(int use_opaque_arg)
{
    mbedtls_ssl_context ssl;
    mbedtls_ssl_config conf;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
    mbedtls_svc_key_id_t pwd_slot = MBEDTLS_SVC_KEY_ID_INIT;
#else   /* MBEDTLS_USE_PSA_CRYPTO */
    (void) use_opaque_arg;
#endif  /* MBEDTLS_USE_PSA_CRYPTO */
    unsigned char pwd_string[sizeof(ECJPAKE_TEST_PWD)] = "";
    size_t pwd_len = 0;
    int ret;

    mbedtls_ssl_init(&ssl);
    MD_OR_USE_PSA_INIT();

    /* test with uninitalized SSL context */
    ECJPAKE_TEST_SET_PASSWORD(MBEDTLS_ERR_SSL_BAD_INPUT_DATA);

    mbedtls_ssl_config_init(&conf);

    TEST_EQUAL(mbedtls_ssl_config_defaults(&conf,
                                           MBEDTLS_SSL_IS_CLIENT,
                                           MBEDTLS_SSL_TRANSPORT_STREAM,
                                           MBEDTLS_SSL_PRESET_DEFAULT), 0);

    TEST_EQUAL(mbedtls_ssl_setup(&ssl, &conf), 0);

    /* test with empty password or unitialized password key (depending on use_opaque_arg) */
    ECJPAKE_TEST_SET_PASSWORD(MBEDTLS_ERR_SSL_BAD_INPUT_DATA);

    pwd_len = strlen(ECJPAKE_TEST_PWD);
    memcpy(pwd_string, ECJPAKE_TEST_PWD, pwd_len);

#if defined(MBEDTLS_USE_PSA_CRYPTO)
    if (use_opaque_arg) {
        psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
        psa_key_attributes_t check_attributes = PSA_KEY_ATTRIBUTES_INIT;

        /* First try with an invalid usage */
        psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
        psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE);
        psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD);

        PSA_ASSERT(psa_import_key(&attributes, pwd_string,
                                  pwd_len, &pwd_slot));

        ECJPAKE_TEST_SET_PASSWORD(MBEDTLS_ERR_SSL_HW_ACCEL_FAILED);

        /* check that the opaque key is still valid after failure */
        TEST_EQUAL(psa_get_key_attributes(pwd_slot, &check_attributes),
                   PSA_SUCCESS);

        psa_destroy_key(pwd_slot);

        /* Then set the correct usage */
        psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);

        PSA_ASSERT(psa_import_key(&attributes, pwd_string,
                                  pwd_len, &pwd_slot));
    }
#endif  /* MBEDTLS_USE_PSA_CRYPTO */

    /* final check which should work without errors */
    ECJPAKE_TEST_SET_PASSWORD(0);

#if defined(MBEDTLS_USE_PSA_CRYPTO)
    if (use_opaque_arg) {
        psa_destroy_key(pwd_slot);
    }
#endif  /* MBEDTLS_USE_PSA_CRYPTO */
    mbedtls_ssl_free(&ssl);
    mbedtls_ssl_config_free(&conf);

    MD_OR_USE_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE */
void elliptic_curve_get_properties()
{
    psa_key_type_t psa_type = PSA_KEY_TYPE_NONE;
    size_t psa_bits;

    MD_OR_USE_PSA_INIT();

#if defined(PSA_WANT_ECC_SECP_R1_521)
    TEST_AVAILABLE_ECC(25, MBEDTLS_ECP_DP_SECP521R1, PSA_ECC_FAMILY_SECP_R1, 521);
#else
    TEST_UNAVAILABLE_ECC(25, MBEDTLS_ECP_DP_SECP521R1, PSA_ECC_FAMILY_SECP_R1, 521);
#endif
#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
    TEST_AVAILABLE_ECC(28, MBEDTLS_ECP_DP_BP512R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 512);
#else
    TEST_UNAVAILABLE_ECC(28, MBEDTLS_ECP_DP_BP512R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 512);
#endif
#if defined(PSA_WANT_ECC_SECP_R1_384)
    TEST_AVAILABLE_ECC(24, MBEDTLS_ECP_DP_SECP384R1, PSA_ECC_FAMILY_SECP_R1, 384);
#else
    TEST_UNAVAILABLE_ECC(24, MBEDTLS_ECP_DP_SECP384R1, PSA_ECC_FAMILY_SECP_R1, 384);
#endif
#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
    TEST_AVAILABLE_ECC(27, MBEDTLS_ECP_DP_BP384R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 384);
#else
    TEST_UNAVAILABLE_ECC(27, MBEDTLS_ECP_DP_BP384R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 384);
#endif
#if defined(PSA_WANT_ECC_SECP_R1_256)
    TEST_AVAILABLE_ECC(23, MBEDTLS_ECP_DP_SECP256R1, PSA_ECC_FAMILY_SECP_R1, 256);
#else
    TEST_UNAVAILABLE_ECC(23, MBEDTLS_ECP_DP_SECP256R1, PSA_ECC_FAMILY_SECP_R1, 256);
#endif
#if defined(PSA_WANT_ECC_SECP_K1_256)
    TEST_AVAILABLE_ECC(22, MBEDTLS_ECP_DP_SECP256K1, PSA_ECC_FAMILY_SECP_K1, 256);
#else
    TEST_UNAVAILABLE_ECC(22, MBEDTLS_ECP_DP_SECP256K1, PSA_ECC_FAMILY_SECP_K1, 256);
#endif
#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
    TEST_AVAILABLE_ECC(26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256);
#else
    TEST_UNAVAILABLE_ECC(26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256);
#endif
#if defined(PSA_WANT_ECC_SECP_R1_224)
    TEST_AVAILABLE_ECC(21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224);
#else
    TEST_UNAVAILABLE_ECC(21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224);
#endif
#if defined(PSA_WANT_ECC_SECP_R1_192)
    TEST_AVAILABLE_ECC(19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192);
#else
    TEST_UNAVAILABLE_ECC(19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192);
#endif
#if defined(PSA_WANT_ECC_SECP_K1_192)
    TEST_AVAILABLE_ECC(18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192);
#else
    TEST_UNAVAILABLE_ECC(18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192);
#endif
#if defined(PSA_WANT_ECC_MONTGOMERY_255)
    TEST_AVAILABLE_ECC(29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 255);
#else
    TEST_UNAVAILABLE_ECC(29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 255);
#endif
#if defined(PSA_WANT_ECC_MONTGOMERY_448)
    TEST_AVAILABLE_ECC(30, MBEDTLS_ECP_DP_CURVE448, PSA_ECC_FAMILY_MONTGOMERY, 448);
#else
    TEST_UNAVAILABLE_ECC(30, MBEDTLS_ECP_DP_CURVE448, PSA_ECC_FAMILY_MONTGOMERY, 448);
#endif
    goto exit;
exit:
    MD_OR_USE_PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:PSA_WANT_ALG_SHA_256:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:PSA_HAVE_ALG_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */
void tls13_resume_session_with_ticket()
{
    int ret = -1;
    mbedtls_test_ssl_endpoint client_ep, server_ep;
    mbedtls_test_handshake_test_options client_options;
    mbedtls_test_handshake_test_options server_options;
    mbedtls_ssl_session saved_session;

    mbedtls_platform_zeroize(&client_ep, sizeof(client_ep));
    mbedtls_platform_zeroize(&server_ep, sizeof(server_ep));
    mbedtls_test_init_handshake_options(&client_options);
    mbedtls_test_init_handshake_options(&server_options);
    mbedtls_ssl_session_init(&saved_session);

    PSA_INIT();

    /*
     * Run first handshake to get a ticket from the server.
     */
    client_options.pk_alg = MBEDTLS_PK_ECDSA;
    server_options.pk_alg = MBEDTLS_PK_ECDSA;

    ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options,
                                        &saved_session);
    TEST_EQUAL(ret, 0);

    /*
     * Prepare for handshake with the ticket.
     */
    ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT,
                                         &client_options, NULL, NULL, NULL);
    TEST_EQUAL(ret, 0);

    ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER,
                                         &server_options, NULL, NULL, NULL);
    TEST_EQUAL(ret, 0);

    mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf,
                                        mbedtls_test_ticket_write,
                                        mbedtls_test_ticket_parse,
                                        NULL);
    TEST_EQUAL(ret, 0);

    ret = mbedtls_test_mock_socket_connect(&(client_ep.socket),
                                           &(server_ep.socket), 1024);
    TEST_EQUAL(ret, 0);

    ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session);
    TEST_EQUAL(ret, 0);

    /*
     * Handshake with ticket.
     *
     * Run the handshake up to MBEDTLS_SSL_HANDSHAKE_WRAPUP and not
     * MBEDTLS_SSL_HANDSHAKE_OVER to preserve handshake data for the checks
     * below.
     */
    TEST_EQUAL(mbedtls_test_move_handshake_to_state(
                   &(server_ep.ssl), &(client_ep.ssl),
                   MBEDTLS_SSL_HANDSHAKE_WRAPUP), 0);

    TEST_EQUAL(server_ep.ssl.handshake->resume, 1);
    TEST_EQUAL(server_ep.ssl.handshake->new_session_tickets_count, 1);
    TEST_EQUAL(server_ep.ssl.handshake->key_exchange_mode,
               MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL);

exit:
    mbedtls_test_ssl_endpoint_free(&client_ep, NULL);
    mbedtls_test_ssl_endpoint_free(&server_ep, NULL);
    mbedtls_test_free_handshake_options(&client_options);
    mbedtls_test_free_handshake_options(&server_options);
    mbedtls_ssl_session_free(&saved_session);
    PSA_DONE();
}
/* END_CASE */

/*
 * The !MBEDTLS_SSL_PROTO_TLS1_2 dependency of tls13_read_early_data() below is
 * a temporary workaround to not run the test in Windows-2013 where there is
 * an issue with mbedtls_vsnprintf().
 */
/* BEGIN_CASE depends_on:!MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_DEBUG_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:PSA_WANT_ALG_SHA_256:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:PSA_HAVE_ALG_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */
void tls13_read_early_data(int scenario)
{
    int ret = -1;
    unsigned char buf[64];
    const char *early_data = "This is early data.";
    size_t early_data_len = strlen(early_data);
    mbedtls_test_ssl_endpoint client_ep, server_ep;
    mbedtls_test_handshake_test_options client_options;
    mbedtls_test_handshake_test_options server_options;
    mbedtls_ssl_session saved_session;
    mbedtls_test_ssl_log_pattern server_pattern = { NULL, 0 };
    uint16_t group_list[3] = {
        MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
        MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
        MBEDTLS_SSL_IANA_TLS_GROUP_NONE
    };

    mbedtls_platform_zeroize(&client_ep, sizeof(client_ep));
    mbedtls_platform_zeroize(&server_ep, sizeof(server_ep));
    mbedtls_test_init_handshake_options(&client_options);
    mbedtls_test_init_handshake_options(&server_options);
    mbedtls_ssl_session_init(&saved_session);

    PSA_INIT();

    /*
     * Run first handshake to get a ticket from the server.
     */

    client_options.pk_alg = MBEDTLS_PK_ECDSA;
    client_options.group_list = group_list;
    client_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
    server_options.pk_alg = MBEDTLS_PK_ECDSA;
    server_options.group_list = group_list;
    server_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;

#if defined(MBEDTLS_SSL_ALPN)
    switch (scenario) {
        case TEST_EARLY_DATA_SAME_ALPN:
        case TEST_EARLY_DATA_DIFF_ALPN:
        case TEST_EARLY_DATA_NO_LATER_ALPN:
            client_options.alpn_list[0] = "ALPNExample";
            client_options.alpn_list[1] = NULL;
            server_options.alpn_list[0] = "ALPNExample";
            server_options.alpn_list[1] = NULL;
            break;
    }
#endif

    ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options,
                                        &saved_session);
    TEST_EQUAL(ret, 0);

    /*
     * Prepare for handshake with the ticket.
     */
    switch (scenario) {
        case TEST_EARLY_DATA_ACCEPTED:
            break;

        case TEST_EARLY_DATA_NO_INDICATION_SENT:
            client_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED;
            break;

        case TEST_EARLY_DATA_SERVER_REJECTS:
            mbedtls_debug_set_threshold(3);
            server_pattern.pattern =
                "EarlyData: deprotect and discard app data records.";
            server_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED;
            break;

        case TEST_EARLY_DATA_HRR:
            mbedtls_debug_set_threshold(3);
            server_pattern.pattern =
                "EarlyData: Ignore application message before 2nd ClientHello";
            server_options.group_list = group_list + 1;
            break;
#if defined(MBEDTLS_SSL_ALPN)
        case TEST_EARLY_DATA_SAME_ALPN:
            client_options.alpn_list[0] = "ALPNExample";
            client_options.alpn_list[1] = NULL;
            server_options.alpn_list[0] = "ALPNExample";
            server_options.alpn_list[1] = NULL;
            break;
        case TEST_EARLY_DATA_DIFF_ALPN:
        case TEST_EARLY_DATA_NO_INITIAL_ALPN:
            client_options.alpn_list[0] = "ALPNExample2";
            client_options.alpn_list[1] = NULL;
            server_options.alpn_list[0] = "ALPNExample2";
            server_options.alpn_list[1] = NULL;
            mbedtls_debug_set_threshold(3);
            server_pattern.pattern =
                "EarlyData: rejected, the selected ALPN is different "
                "from the one associated with the pre-shared key.";
            break;
        case TEST_EARLY_DATA_NO_LATER_ALPN:
            client_options.alpn_list[0] = NULL;
            server_options.alpn_list[0] = NULL;
            mbedtls_debug_set_threshold(3);
            server_pattern.pattern =
                "EarlyData: rejected, the selected ALPN is different "
                "from the one associated with the pre-shared key.";
            break;
#endif

        default:
            TEST_FAIL("Unknown scenario.");
    }

    ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT,
                                         &client_options, NULL, NULL, NULL);
    TEST_EQUAL(ret, 0);

    server_options.srv_log_fun = mbedtls_test_ssl_log_analyzer;
    server_options.srv_log_obj = &server_pattern;
    ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER,
                                         &server_options, NULL, NULL, NULL);
    TEST_EQUAL(ret, 0);

    mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf,
                                        mbedtls_test_ticket_write,
                                        mbedtls_test_ticket_parse,
                                        NULL);

    ret = mbedtls_test_mock_socket_connect(&(client_ep.socket),
                                           &(server_ep.socket), 1024);
    TEST_EQUAL(ret, 0);

    ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session);
    TEST_EQUAL(ret, 0);

    /*
     * Handshake with ticket and send early data.
     */
    TEST_EQUAL(mbedtls_test_move_handshake_to_state(
                   &(client_ep.ssl), &(server_ep.ssl),
                   MBEDTLS_SSL_SERVER_HELLO), 0);

    ret = mbedtls_ssl_write_early_data(&(client_ep.ssl),
                                       (unsigned char *) early_data,
                                       early_data_len);

    if (client_ep.ssl.early_data_state !=
        MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT) {
        TEST_EQUAL(ret, early_data_len);
    } else {
        TEST_EQUAL(ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA);
    }

    ret = mbedtls_test_move_handshake_to_state(
        &(server_ep.ssl), &(client_ep.ssl),
        MBEDTLS_SSL_HANDSHAKE_WRAPUP);

    switch (scenario) {
        case TEST_EARLY_DATA_ACCEPTED:
#if defined(MBEDTLS_SSL_ALPN)
        case TEST_EARLY_DATA_SAME_ALPN:
#endif
            TEST_EQUAL(ret, MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA);
            TEST_EQUAL(server_ep.ssl.handshake->early_data_accepted, 1);
            TEST_EQUAL(mbedtls_ssl_read_early_data(&(server_ep.ssl),
                                                   buf, sizeof(buf)), early_data_len);
            TEST_MEMORY_COMPARE(buf, early_data_len, early_data, early_data_len);
            break;

        case TEST_EARLY_DATA_NO_INDICATION_SENT:
            TEST_EQUAL(ret, 0);
            TEST_EQUAL(server_ep.ssl.handshake->early_data_accepted, 0);
            break;

        case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */
        case TEST_EARLY_DATA_HRR:
#if defined(MBEDTLS_SSL_ALPN)
        case TEST_EARLY_DATA_DIFF_ALPN:
        case TEST_EARLY_DATA_NO_INITIAL_ALPN:
        case TEST_EARLY_DATA_NO_LATER_ALPN:
#endif
            TEST_EQUAL(ret, 0);
            TEST_EQUAL(server_ep.ssl.handshake->early_data_accepted, 0);
            TEST_EQUAL(server_pattern.counter, 1);
            break;

        default:
            TEST_FAIL("Unknown scenario.");
    }

    TEST_EQUAL(mbedtls_test_move_handshake_to_state(
                   &(server_ep.ssl), &(client_ep.ssl),
                   MBEDTLS_SSL_HANDSHAKE_OVER), 0);

exit:
    mbedtls_test_ssl_endpoint_free(&client_ep, NULL);
    mbedtls_test_ssl_endpoint_free(&server_ep, NULL);
    mbedtls_test_free_handshake_options(&client_options);
    mbedtls_test_free_handshake_options(&server_options);
    mbedtls_ssl_session_free(&saved_session);
    mbedtls_debug_set_threshold(0);
    PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:PSA_WANT_ALG_SHA_256:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:PSA_HAVE_ALG_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */
void tls13_cli_early_data_state(int scenario)
{
    int ret = -1;
    mbedtls_test_ssl_endpoint client_ep, server_ep;
    mbedtls_test_handshake_test_options client_options;
    mbedtls_test_handshake_test_options server_options;
    mbedtls_ssl_session saved_session;
    uint16_t group_list[3] = {
        MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
        MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
        MBEDTLS_SSL_IANA_TLS_GROUP_NONE
    };
    uint8_t client_random[MBEDTLS_CLIENT_HELLO_RANDOM_LEN];

    mbedtls_platform_zeroize(&client_ep, sizeof(client_ep));
    mbedtls_platform_zeroize(&server_ep, sizeof(server_ep));
    mbedtls_test_init_handshake_options(&client_options);
    mbedtls_test_init_handshake_options(&server_options);
    mbedtls_ssl_session_init(&saved_session);

    PSA_INIT();

    /*
     * Run first handshake to get a ticket from the server.
     */
    client_options.pk_alg = MBEDTLS_PK_ECDSA;
    client_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
    server_options.pk_alg = MBEDTLS_PK_ECDSA;
    server_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
    if (scenario == TEST_EARLY_DATA_HRR) {
        client_options.group_list = group_list;
        server_options.group_list = group_list;
    }

    ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options,
                                        &saved_session);
    TEST_EQUAL(ret, 0);

    /*
     * Prepare for handshake with the ticket.
     */
    switch (scenario) {
        case TEST_EARLY_DATA_ACCEPTED:
            break;

        case TEST_EARLY_DATA_NO_INDICATION_SENT:
            client_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED;
            break;

        case TEST_EARLY_DATA_SERVER_REJECTS:
            server_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED;
            break;

        case TEST_EARLY_DATA_HRR:
            server_options.group_list = group_list + 1;
            break;

        default:
            TEST_FAIL("Unknown scenario.");
    }

    ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT,
                                         &client_options, NULL, NULL, NULL);
    TEST_EQUAL(ret, 0);

    ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER,
                                         &server_options, NULL, NULL, NULL);
    TEST_EQUAL(ret, 0);

    mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf,
                                        mbedtls_test_ticket_write,
                                        mbedtls_test_ticket_parse,
                                        NULL);

    ret = mbedtls_test_mock_socket_connect(&(client_ep.socket),
                                           &(server_ep.socket), 1024);
    TEST_EQUAL(ret, 0);

    ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session);
    TEST_EQUAL(ret, 0);

    /*
     * Go through the handshake sequence, state by state, checking the early
     * data status each time.
     */
    do {
        int state = client_ep.ssl.state;

        /* Progress the handshake from at least one state */
        while (client_ep.ssl.state == state) {
            ret = mbedtls_ssl_handshake_step(&(client_ep.ssl));
            TEST_ASSERT((ret == 0) ||
                        (ret == MBEDTLS_ERR_SSL_WANT_READ) ||
                        (ret == MBEDTLS_ERR_SSL_WANT_WRITE));
            if (client_ep.ssl.state != state) {
                break;
            }
            ret = mbedtls_ssl_handshake_step(&(server_ep.ssl));
            TEST_ASSERT((ret == 0) ||
                        (ret == MBEDTLS_ERR_SSL_WANT_READ) ||
                        (ret == MBEDTLS_ERR_SSL_WANT_WRITE));
        }

        if (client_ep.ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER) {
            TEST_EQUAL(mbedtls_ssl_get_early_data_status(&(client_ep.ssl)),
                       MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
        }

        switch (client_ep.ssl.state) {
            case MBEDTLS_SSL_CLIENT_HELLO:
                switch (scenario) {
                    case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */
                    case TEST_EARLY_DATA_NO_INDICATION_SENT: /* Intentional fallthrough */
                    case TEST_EARLY_DATA_SERVER_REJECTS:
                        TEST_EQUAL(client_ep.ssl.early_data_state,
                                   MBEDTLS_SSL_EARLY_DATA_STATE_IDLE);
                        break;

                    case TEST_EARLY_DATA_HRR:
                        if (!client_ep.ssl.handshake->hello_retry_request_flag) {
                            TEST_EQUAL(client_ep.ssl.early_data_state,
                                       MBEDTLS_SSL_EARLY_DATA_STATE_IDLE);
                        } else {
                            TEST_EQUAL(client_ep.ssl.early_data_state,
                                       MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED);
                        }
                        break;

                    default:
                        TEST_FAIL("Unknown scenario.");
                }
                break;

            case MBEDTLS_SSL_SERVER_HELLO:
                switch (scenario) {
                    case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */
                    case TEST_EARLY_DATA_SERVER_REJECTS:
                        TEST_EQUAL(client_ep.ssl.early_data_state,
                                   MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE);
                        break;

                    case TEST_EARLY_DATA_NO_INDICATION_SENT:
                        TEST_EQUAL(client_ep.ssl.early_data_state,
                                   MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT);
                        break;

                    case TEST_EARLY_DATA_HRR:
                        if (!client_ep.ssl.handshake->hello_retry_request_flag) {
                            TEST_EQUAL(client_ep.ssl.early_data_state,
                                       MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE);
                            memcpy(client_random,
                                   client_ep.ssl.handshake->randbytes,
                                   MBEDTLS_CLIENT_HELLO_RANDOM_LEN);
                        } else {
                            TEST_EQUAL(client_ep.ssl.early_data_state,
                                       MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED);
                            TEST_MEMORY_COMPARE(client_random,
                                                MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
                                                client_ep.ssl.handshake->randbytes,
                                                MBEDTLS_CLIENT_HELLO_RANDOM_LEN);
                        }
                        break;

                    default:
                        TEST_FAIL("Unknown scenario.");
                }
                break;

            case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:
                switch (scenario) {
                    case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */
                    case TEST_EARLY_DATA_SERVER_REJECTS:
                        TEST_EQUAL(client_ep.ssl.early_data_state,
                                   MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE);
                        break;

                    case TEST_EARLY_DATA_NO_INDICATION_SENT:
                        TEST_EQUAL(client_ep.ssl.early_data_state,
                                   MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT);
                        break;

                    case TEST_EARLY_DATA_HRR:
                        TEST_EQUAL(client_ep.ssl.early_data_state,
                                   MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED);
                        break;

                    default:
                        TEST_FAIL("Unknown scenario.");
                }
                break;

            case MBEDTLS_SSL_SERVER_FINISHED:
                switch (scenario) {
                    case TEST_EARLY_DATA_ACCEPTED:
                        TEST_EQUAL(client_ep.ssl.early_data_state,
                                   MBEDTLS_SSL_EARLY_DATA_STATE_ACCEPTED);
                        break;

                    case TEST_EARLY_DATA_NO_INDICATION_SENT:
                        TEST_EQUAL(client_ep.ssl.early_data_state,
                                   MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT);
                        break;

                    case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */
                    case TEST_EARLY_DATA_HRR:
                        TEST_EQUAL(client_ep.ssl.early_data_state,
                                   MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED);
                        break;

                    default:
                        TEST_FAIL("Unknown scenario.");
                }
                break;

            case MBEDTLS_SSL_END_OF_EARLY_DATA:
                TEST_EQUAL(scenario, TEST_EARLY_DATA_ACCEPTED);
                TEST_EQUAL(client_ep.ssl.early_data_state,
                           MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED);
                break;

            case MBEDTLS_SSL_CLIENT_CERTIFICATE:
                switch (scenario) {
                    case TEST_EARLY_DATA_ACCEPTED:
                        TEST_EQUAL(client_ep.ssl.early_data_state,
                                   MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED);
                        break;

                    case TEST_EARLY_DATA_NO_INDICATION_SENT:
                        TEST_EQUAL(client_ep.ssl.early_data_state,
                                   MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT);
                        break;

                    case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */
                    case TEST_EARLY_DATA_HRR:
                        TEST_EQUAL(client_ep.ssl.early_data_state,
                                   MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED);
                        break;

                    default:
                        TEST_FAIL("Unknown scenario.");
                }
                break;

            case MBEDTLS_SSL_CLIENT_FINISHED:
                switch (scenario) {
                    case TEST_EARLY_DATA_ACCEPTED:
                        TEST_EQUAL(client_ep.ssl.early_data_state,
                                   MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED);
                        break;

                    case TEST_EARLY_DATA_NO_INDICATION_SENT:
                        TEST_EQUAL(client_ep.ssl.early_data_state,
                                   MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT);
                        break;

                    case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */
                    case TEST_EARLY_DATA_HRR:
                        TEST_EQUAL(client_ep.ssl.early_data_state,
                                   MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED);
                        break;

                    default:
                        TEST_FAIL("Unknown scenario.");
                }
                break;

#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
            case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO:
                switch (scenario) {
                    case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */
                    case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */
                    case TEST_EARLY_DATA_HRR:
                        TEST_EQUAL(client_ep.ssl.early_data_state,
                                   MBEDTLS_SSL_EARLY_DATA_STATE_IND_SENT);
                        break;

                    default:
                        TEST_FAIL("Unexpected or unknown scenario.");
                }
                break;

            case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO:
                TEST_ASSERT(scenario == TEST_EARLY_DATA_HRR);
                TEST_EQUAL(client_ep.ssl.early_data_state,
                           MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED);
                break;

            case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:
                switch (scenario) {
                    case TEST_EARLY_DATA_NO_INDICATION_SENT:
                        TEST_EQUAL(client_ep.ssl.early_data_state,
                                   MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT);
                        break;

                    case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */
                    case TEST_EARLY_DATA_HRR:
                        TEST_EQUAL(client_ep.ssl.early_data_state,
                                   MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED);
                        break;

                    default:
                        TEST_FAIL("Unexpected or unknown scenario.");
                }
                break;
#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */

            case MBEDTLS_SSL_FLUSH_BUFFERS: /* Intentional fallthrough */
            case MBEDTLS_SSL_HANDSHAKE_WRAPUP: /* Intentional fallthrough */
            case MBEDTLS_SSL_HANDSHAKE_OVER:
                switch (scenario) {
                    case TEST_EARLY_DATA_ACCEPTED:
                        TEST_EQUAL(client_ep.ssl.early_data_state,
                                   MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED);
                        break;

                    case TEST_EARLY_DATA_NO_INDICATION_SENT:
                        TEST_EQUAL(client_ep.ssl.early_data_state,
                                   MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT);
                        break;

                    case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */
                    case TEST_EARLY_DATA_HRR:
                        TEST_EQUAL(client_ep.ssl.early_data_state,
                                   MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED);
                        break;

                    default:
                        TEST_FAIL("Unknown scenario.");
                }
                break;

            default:
                TEST_FAIL("Unexpected state.");
        }
    } while (client_ep.ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER);

    ret = mbedtls_ssl_get_early_data_status(&(client_ep.ssl));
    switch (scenario) {
        case TEST_EARLY_DATA_ACCEPTED:
            TEST_EQUAL(ret, MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED);
            break;

        case TEST_EARLY_DATA_NO_INDICATION_SENT:
            TEST_EQUAL(ret, MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_INDICATED);
            break;

        case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */
        case TEST_EARLY_DATA_HRR:
            TEST_EQUAL(ret, MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED);
            break;

        default:
            TEST_FAIL("Unknown scenario.");
    }

    ret = mbedtls_ssl_get_early_data_status(&(server_ep.ssl));
    TEST_EQUAL(ret, MBEDTLS_ERR_SSL_BAD_INPUT_DATA);

#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
    TEST_EQUAL(client_ep.ssl.handshake->ccs_sent, 1);
#endif

exit:
    mbedtls_test_ssl_endpoint_free(&client_ep, NULL);
    mbedtls_test_ssl_endpoint_free(&server_ep, NULL);
    mbedtls_test_free_handshake_options(&client_options);
    mbedtls_test_free_handshake_options(&server_options);
    mbedtls_ssl_session_free(&saved_session);
    PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:PSA_WANT_ALG_SHA_256:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:PSA_HAVE_ALG_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */
void tls13_write_early_data(int scenario)
{
    int ret = -1;
    mbedtls_test_ssl_endpoint client_ep, server_ep;
    mbedtls_test_handshake_test_options client_options;
    mbedtls_test_handshake_test_options server_options;
    mbedtls_ssl_session saved_session;
    uint16_t group_list[3] = {
        MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
        MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
        MBEDTLS_SSL_IANA_TLS_GROUP_NONE
    };
    int beyond_first_hello = 0;

    mbedtls_platform_zeroize(&client_ep, sizeof(client_ep));
    mbedtls_platform_zeroize(&server_ep, sizeof(server_ep));
    mbedtls_test_init_handshake_options(&client_options);
    mbedtls_test_init_handshake_options(&server_options);
    mbedtls_ssl_session_init(&saved_session);

    PSA_INIT();

    /*
     * Run first handshake to get a ticket from the server.
     */
    client_options.pk_alg = MBEDTLS_PK_ECDSA;
    client_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
    server_options.pk_alg = MBEDTLS_PK_ECDSA;
    server_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
    if (scenario == TEST_EARLY_DATA_HRR) {
        client_options.group_list = group_list;
        server_options.group_list = group_list;
    }

    ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options,
                                        &saved_session);
    TEST_EQUAL(ret, 0);

    /*
     * Prepare for handshake with the ticket.
     */
    switch (scenario) {
        case TEST_EARLY_DATA_ACCEPTED:
            break;

        case TEST_EARLY_DATA_NO_INDICATION_SENT:
            client_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED;
            break;

        case TEST_EARLY_DATA_SERVER_REJECTS:
            server_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED;
            break;

        case TEST_EARLY_DATA_HRR:
            /*
             * Remove server support for the group negotiated in
             * mbedtls_test_get_tls13_ticket() forcing a HelloRetryRequest.
             */
            server_options.group_list = group_list + 1;
            break;

        default:
            TEST_FAIL("Unknown scenario.");
    }

    ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT,
                                         &client_options, NULL, NULL, NULL);
    TEST_EQUAL(ret, 0);

    ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER,
                                         &server_options, NULL, NULL, NULL);
    TEST_EQUAL(ret, 0);

    mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf,
                                        mbedtls_test_ticket_write,
                                        mbedtls_test_ticket_parse,
                                        NULL);

    ret = mbedtls_test_mock_socket_connect(&(client_ep.socket),
                                           &(server_ep.socket), 1024);
    TEST_EQUAL(ret, 0);

    ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session);
    TEST_EQUAL(ret, 0);

    /*
     * Run handshakes going one state further in the handshake sequence at each
     * loop up to the point where we reach the MBEDTLS_SSL_HANDSHAKE_OVER
     * state. For each reached handshake state, check the result of the call
     * to mbedtls_ssl_write_early_data(), make sure we can complete the
     * handshake successfully and then reset the connection to restart the
     * handshake from scratch.
     */
    do {
        int client_state = client_ep.ssl.state;
        int previous_client_state;
        const char *early_data_string = "This is early data.";
        const unsigned char *early_data = (const unsigned char *) early_data_string;
        size_t early_data_len = strlen(early_data_string);
        int write_early_data_ret, read_early_data_ret;
        unsigned char read_buf[64];

        write_early_data_ret = mbedtls_ssl_write_early_data(&(client_ep.ssl),
                                                            early_data,
                                                            early_data_len);

        if (scenario == TEST_EARLY_DATA_NO_INDICATION_SENT) {
            TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA);
            TEST_EQUAL(client_ep.ssl.state, client_state);
            goto complete_handshake;
        }

        switch (client_state) {
            case MBEDTLS_SSL_HELLO_REQUEST: /* Intentional fallthrough */
            case MBEDTLS_SSL_CLIENT_HELLO:
                switch (scenario) {
                    case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */
                    case TEST_EARLY_DATA_SERVER_REJECTS:
                        TEST_EQUAL(write_early_data_ret, early_data_len);
                        TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO);
                        break;

                    case TEST_EARLY_DATA_HRR:
                        if (!client_ep.ssl.handshake->hello_retry_request_flag) {
                            TEST_EQUAL(write_early_data_ret, early_data_len);
                            TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO);
                        } else {
                            beyond_first_hello = 1;
                            TEST_EQUAL(write_early_data_ret,
                                       MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA);
                            TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_CLIENT_HELLO);
                        }
                        break;

                    default:
                        TEST_FAIL("Unknown scenario.");
                }
                break;

            case MBEDTLS_SSL_SERVER_HELLO:
                switch (scenario) {
                    case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */
                    case TEST_EARLY_DATA_SERVER_REJECTS:
                        TEST_EQUAL(write_early_data_ret, early_data_len);
                        TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO);
                        break;

                    case TEST_EARLY_DATA_HRR:
                        if (!client_ep.ssl.handshake->hello_retry_request_flag) {
                            TEST_EQUAL(write_early_data_ret, early_data_len);
                            TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO);
                        } else {
                            TEST_EQUAL(write_early_data_ret,
                                       MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA);
                            TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO);
                        }
                        break;

                    default:
                        TEST_FAIL("Unknown scenario.");
                }
                break;

            case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:
                switch (scenario) {
                    case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */
                    case TEST_EARLY_DATA_SERVER_REJECTS:
                        TEST_EQUAL(write_early_data_ret, early_data_len);
                        TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS);
                        break;

                    case TEST_EARLY_DATA_HRR:
                        TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA);
                        TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS);
                        break;

                    default:
                        TEST_FAIL("Unknown scenario.");
                }
                break;

            case MBEDTLS_SSL_SERVER_FINISHED:
                switch (scenario) {
                    case TEST_EARLY_DATA_ACCEPTED:
                        TEST_EQUAL(write_early_data_ret, early_data_len);
                        TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_FINISHED);
                        break;

                    case TEST_EARLY_DATA_SERVER_REJECTS:
                        TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA);
                        TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_FINISHED);
                        break;

                    case TEST_EARLY_DATA_HRR:
                        TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA);
                        TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_FINISHED);
                        break;

                    default:
                        TEST_FAIL("Unknown scenario.");
                }
                break;

            case MBEDTLS_SSL_END_OF_EARLY_DATA:
                TEST_EQUAL(scenario, TEST_EARLY_DATA_ACCEPTED);
                TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA);
                TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_END_OF_EARLY_DATA);
                break;

#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
            case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO:
                switch (scenario) {
                    case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */
                    case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */
                    case TEST_EARLY_DATA_HRR:
                        TEST_EQUAL(write_early_data_ret, early_data_len);
                        TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO);
                        break;
                    default:
                        TEST_FAIL("Unknown scenario.");
                }
                break;

            case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO:
                TEST_EQUAL(scenario, TEST_EARLY_DATA_HRR);
                TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA);
                TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO);
                break;

            case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:
                switch (scenario) {
                    case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */
                    case TEST_EARLY_DATA_HRR:
                        TEST_EQUAL(write_early_data_ret,
                                   MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA);
                        TEST_EQUAL(client_ep.ssl.state,
                                   MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED);
                        break;
                    default:
                        TEST_FAIL("Unexpected or unknown scenario.");
                }
                break;
#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */

            case MBEDTLS_SSL_CLIENT_CERTIFICATE: /* Intentional fallthrough */
            case MBEDTLS_SSL_CLIENT_FINISHED: /* Intentional fallthrough */
            case MBEDTLS_SSL_FLUSH_BUFFERS: /* Intentional fallthrough */
            case MBEDTLS_SSL_HANDSHAKE_WRAPUP: /* Intentional fallthrough */
            case MBEDTLS_SSL_HANDSHAKE_OVER:
                switch (scenario) {
                    case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */
                    case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */
                    case TEST_EARLY_DATA_HRR:
                        TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA);
                        TEST_EQUAL(client_ep.ssl.state, client_state);
                        break;
                    default:
                        TEST_FAIL("Unknown scenario.");
                }
                break;

            default:
                TEST_FAIL("Unexpected state.");
        }

complete_handshake:
        do {
            ret = mbedtls_test_move_handshake_to_state(
                &(server_ep.ssl), &(client_ep.ssl),
                MBEDTLS_SSL_HANDSHAKE_OVER);

            if (ret == MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA) {
                read_early_data_ret = mbedtls_ssl_read_early_data(
                    &(server_ep.ssl), read_buf, sizeof(read_buf));

                TEST_EQUAL(read_early_data_ret, early_data_len);
            }
        } while (ret == MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA);

        TEST_EQUAL(ret, 0);
        TEST_EQUAL(mbedtls_test_move_handshake_to_state(
                       &(client_ep.ssl), &(server_ep.ssl),
                       MBEDTLS_SSL_HANDSHAKE_OVER), 0);

        mbedtls_test_mock_socket_close(&(client_ep.socket));
        mbedtls_test_mock_socket_close(&(server_ep.socket));

        ret = mbedtls_ssl_session_reset(&(client_ep.ssl));
        TEST_EQUAL(ret, 0);

        ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session);
        TEST_EQUAL(ret, 0);

        ret = mbedtls_ssl_session_reset(&(server_ep.ssl));
        TEST_EQUAL(ret, 0);

        ret = mbedtls_test_mock_socket_connect(&(client_ep.socket),
                                               &(server_ep.socket), 1024);
        TEST_EQUAL(ret, 0);

        previous_client_state = client_state;
        if (previous_client_state == MBEDTLS_SSL_HANDSHAKE_OVER) {
            break;
        }

        /* In case of HRR scenario, once we have been through it, move over
         * the first ClientHello and ServerHello otherwise we just keep playing
         * this first part of the handshake with HRR.
         */
        if ((scenario == TEST_EARLY_DATA_HRR) && (beyond_first_hello)) {
            TEST_ASSERT(mbedtls_test_move_handshake_to_state(
                            &(client_ep.ssl), &(server_ep.ssl),
                            MBEDTLS_SSL_SERVER_HELLO) == 0);
            TEST_ASSERT(mbedtls_test_move_handshake_to_state(
                            &(client_ep.ssl), &(server_ep.ssl),
                            MBEDTLS_SSL_CLIENT_HELLO) == 0);
        }

        TEST_EQUAL(mbedtls_test_move_handshake_to_state(
                       &(client_ep.ssl), &(server_ep.ssl),
                       previous_client_state), 0);

        /* Progress the handshake from at least one state */
        while (client_ep.ssl.state == previous_client_state) {
            ret = mbedtls_ssl_handshake_step(&(client_ep.ssl));
            TEST_ASSERT((ret == 0) ||
                        (ret == MBEDTLS_ERR_SSL_WANT_READ) ||
                        (ret == MBEDTLS_ERR_SSL_WANT_WRITE));
            if (client_ep.ssl.state != previous_client_state) {
                break;
            }
            ret = mbedtls_ssl_handshake_step(&(server_ep.ssl));
            TEST_ASSERT((ret == 0) ||
                        (ret == MBEDTLS_ERR_SSL_WANT_READ) ||
                        (ret == MBEDTLS_ERR_SSL_WANT_WRITE));
        }
    } while (1);

exit:
    mbedtls_test_ssl_endpoint_free(&client_ep, NULL);
    mbedtls_test_ssl_endpoint_free(&server_ep, NULL);
    mbedtls_test_free_handshake_options(&client_options);
    mbedtls_test_free_handshake_options(&server_options);
    mbedtls_ssl_session_free(&saved_session);
    PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_DEBUG_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:PSA_WANT_ALG_SHA_256:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:PSA_HAVE_ALG_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */
void tls13_cli_max_early_data_size(int max_early_data_size_arg)
{
    int ret = -1;
    mbedtls_test_ssl_endpoint client_ep, server_ep;
    mbedtls_test_handshake_test_options client_options;
    mbedtls_test_handshake_test_options server_options;
    mbedtls_ssl_session saved_session;
    unsigned char *buf = NULL;
    uint32_t buf_size = 64;
    uint32_t max_early_data_size;
    uint32_t written_early_data_size = 0;
    uint32_t read_early_data_size = 0;

    mbedtls_platform_zeroize(&client_ep, sizeof(client_ep));
    mbedtls_platform_zeroize(&server_ep, sizeof(server_ep));
    mbedtls_test_init_handshake_options(&client_options);
    mbedtls_test_init_handshake_options(&server_options);
    mbedtls_ssl_session_init(&saved_session);

    PSA_INIT();
    TEST_CALLOC(buf, buf_size);

    /*
     * Run first handshake to get a ticket from the server.
     */

    client_options.pk_alg = MBEDTLS_PK_ECDSA;
    client_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
    server_options.pk_alg = MBEDTLS_PK_ECDSA;
    server_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
    server_options.max_early_data_size = max_early_data_size_arg;

    ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options,
                                        &saved_session);
    TEST_EQUAL(ret, 0);

    /*
     * Prepare for handshake with the ticket.
     */
    ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT,
                                         &client_options, NULL, NULL, NULL);
    TEST_EQUAL(ret, 0);

    ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER,
                                         &server_options, NULL, NULL, NULL);
    TEST_EQUAL(ret, 0);

    mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf,
                                        mbedtls_test_ticket_write,
                                        mbedtls_test_ticket_parse,
                                        NULL);

    max_early_data_size = saved_session.max_early_data_size;
    /*
     * (max_early_data_size + 1024) for the size of the socket buffers for the
     * server one to be able to contain the maximum number of early data bytes
     * plus the first flight of client messages. Needed because we cannot
     * initiate the handshake on server side before doing all the calls to
     * mbedtls_ssl_write_early_data() we want to test. See below for more
     * information.
     */
    ret = mbedtls_test_mock_socket_connect(&(client_ep.socket),
                                           &(server_ep.socket),
                                           max_early_data_size + 1024);
    TEST_EQUAL(ret, 0);

    /* If our server is configured with max_early_data_size equal to zero, it
     * does not set the MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA flag for
     * the tickets it creates. To be able to test early data with a ticket
     * allowing early data in its flags but with max_early_data_size equal to
     * zero (case supported by our client) tweak the ticket flags here.
     */
    if (max_early_data_size == 0) {
        saved_session.ticket_flags |= MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA;
    }

    ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session);
    TEST_EQUAL(ret, 0);

    while (written_early_data_size < max_early_data_size) {
        uint32_t remaining = max_early_data_size - written_early_data_size;

        for (size_t i = 0; i < buf_size; i++) {
            buf[i] = (unsigned char) (written_early_data_size + i);
        }

        ret = mbedtls_ssl_write_early_data(&(client_ep.ssl),
                                           buf,
                                           buf_size);

        if (buf_size <= remaining) {
            TEST_EQUAL(ret, buf_size);
        } else {
            TEST_EQUAL(ret, remaining);
        }
        written_early_data_size += buf_size;
    }
    TEST_EQUAL(client_ep.ssl.total_early_data_size, max_early_data_size);

    ret = mbedtls_ssl_write_early_data(&(client_ep.ssl), buf, 1);
    TEST_EQUAL(ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA);
    TEST_EQUAL(client_ep.ssl.total_early_data_size, max_early_data_size);
    TEST_EQUAL(client_ep.ssl.early_data_state,
               MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE);

    /*
     * Now, check data on server side. It is not done in the previous loop as
     * in the first call to mbedtls_ssl_handshake(), the server ends up sending
     * its Finished message and then in the following call to
     * mbedtls_ssl_write_early_data() we go past the early data writing window
     * and we cannot test multiple calls to the API is this writing window.
     */
    while (read_early_data_size < max_early_data_size) {
        ret = mbedtls_ssl_handshake(&(server_ep.ssl));
        TEST_EQUAL(ret, MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA);

        ret = mbedtls_ssl_read_early_data(&(server_ep.ssl),
                                          buf,
                                          buf_size);
        TEST_ASSERT(ret > 0);

        for (size_t i = 0; i < (size_t) ret; i++) {
            TEST_EQUAL(buf[i], (unsigned char) (read_early_data_size + i));
        }

        read_early_data_size += ret;
    }
    TEST_EQUAL(read_early_data_size, max_early_data_size);

    ret = mbedtls_ssl_handshake(&(server_ep.ssl));
    TEST_EQUAL(ret, MBEDTLS_ERR_SSL_WANT_READ);

    TEST_ASSERT(mbedtls_test_move_handshake_to_state(
                    &(client_ep.ssl), &(server_ep.ssl), MBEDTLS_SSL_HANDSHAKE_OVER)
                ==  0);

exit:
    mbedtls_test_ssl_endpoint_free(&client_ep, NULL);
    mbedtls_test_ssl_endpoint_free(&server_ep, NULL);
    mbedtls_test_free_handshake_options(&client_options);
    mbedtls_test_free_handshake_options(&server_options);
    mbedtls_ssl_session_free(&saved_session);
    mbedtls_free(buf);
    PSA_DONE();
}
/* END_CASE */

/*
 * The !MBEDTLS_SSL_PROTO_TLS1_2 dependency of tls13_early_data() below is
 * a temporary workaround to not run the test in Windows-2013 where there is
 * an issue with mbedtls_vsnprintf().
 */
/* BEGIN_CASE depends_on:!MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_DEBUG_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:PSA_WANT_ALG_SHA_256:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:PSA_HAVE_ALG_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */
void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg, int write_size_arg)
{
    int ret = -1;
    mbedtls_test_ssl_endpoint client_ep, server_ep;
    mbedtls_test_handshake_test_options client_options;
    mbedtls_test_handshake_test_options server_options;
    mbedtls_ssl_session saved_session;
    mbedtls_test_ssl_log_pattern server_pattern = { NULL, 0 };
    uint16_t group_list[3] = {
        MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
        MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
        MBEDTLS_SSL_IANA_TLS_GROUP_NONE
    };
    char pattern[128];
    unsigned char *buf_write = NULL;
    uint32_t write_size = (uint32_t) write_size_arg;
    unsigned char *buf_read = NULL;
    uint32_t read_size;
    uint32_t expanded_early_data_chunk_size = 0;
    uint32_t written_early_data_size = 0;
    uint32_t max_early_data_size;

    mbedtls_platform_zeroize(&client_ep, sizeof(client_ep));
    mbedtls_platform_zeroize(&server_ep, sizeof(server_ep));
    mbedtls_test_init_handshake_options(&client_options);
    mbedtls_test_init_handshake_options(&server_options);
    mbedtls_ssl_session_init(&saved_session);
    PSA_INIT();

    TEST_CALLOC(buf_write, write_size);

    /*
     * Allocate a smaller buffer for early data reading to exercise the reading
     * of data in one record in multiple calls.
     */
    read_size = (write_size / 2) + 1;
    TEST_CALLOC(buf_read, read_size);

    /*
     * Run first handshake to get a ticket from the server.
     */

    client_options.pk_alg = MBEDTLS_PK_ECDSA;
    client_options.group_list = group_list;
    client_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
    server_options.pk_alg = MBEDTLS_PK_ECDSA;
    server_options.group_list = group_list;
    server_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
    server_options.max_early_data_size = max_early_data_size_arg;

    ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options,
                                        &saved_session);
    TEST_EQUAL(ret, 0);

    /*
     * Prepare for handshake with the ticket.
     */
    server_options.srv_log_fun = mbedtls_test_ssl_log_analyzer;
    server_options.srv_log_obj = &server_pattern;
    server_pattern.pattern = pattern;

    switch (scenario) {
        case TEST_EARLY_DATA_ACCEPTED:
            break;

        case TEST_EARLY_DATA_SERVER_REJECTS:
            server_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED;
            ret = mbedtls_snprintf(pattern, sizeof(pattern),
                                   "EarlyData: deprotect and discard app data records.");
            TEST_ASSERT(ret < (int) sizeof(pattern));
            mbedtls_debug_set_threshold(3);
            break;

        case TEST_EARLY_DATA_HRR:
            /*
             * Remove server support for the group negotiated in
             * mbedtls_test_get_tls13_ticket() forcing an HelloRetryRequest.
             */
            server_options.group_list = group_list + 1;
            ret = mbedtls_snprintf(
                pattern, sizeof(pattern),
                "EarlyData: Ignore application message before 2nd ClientHello");
            TEST_ASSERT(ret < (int) sizeof(pattern));
            mbedtls_debug_set_threshold(3);
            break;

        default:
            TEST_FAIL("Unknown scenario.");
    }

    ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT,
                                         &client_options, NULL, NULL, NULL);
    TEST_EQUAL(ret, 0);

    ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER,
                                         &server_options, NULL, NULL, NULL);
    TEST_EQUAL(ret, 0);

    mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf,
                                        mbedtls_test_ticket_write,
                                        mbedtls_test_ticket_parse,
                                        NULL);

    ret = mbedtls_test_mock_socket_connect(&(client_ep.socket),
                                           &(server_ep.socket), 1024);
    TEST_EQUAL(ret, 0);

    max_early_data_size = saved_session.max_early_data_size;

    ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session);
    TEST_EQUAL(ret, 0);

    /*
     * Start an handshake based on the ticket up to the point where early data
     * can be sent from client side. Then send in a loop as much early data as
     * possible without going over the maximum permitted size for the ticket.
     * Finally, do a last writting to go past that maximum permitted size and
     * check that we detect it.
     */
    TEST_EQUAL(mbedtls_test_move_handshake_to_state(
                   &(client_ep.ssl), &(server_ep.ssl),
                   MBEDTLS_SSL_SERVER_HELLO), 0);

    TEST_ASSERT(client_ep.ssl.early_data_state !=
                MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT);

    ret = mbedtls_ssl_handshake(&(server_ep.ssl));
    TEST_EQUAL(ret, MBEDTLS_ERR_SSL_WANT_READ);

    /*
     * Write and if possible read as much as possible chunks of write_size
     * bytes data without getting over the max_early_data_size limit.
     */
    do {
        uint32_t read_early_data_size = 0;

        /*
         * The contents of the early data are not very important, write a
         * pattern that varies byte-by-byte and is different for every chunk of
         * early data.
         */
        if ((written_early_data_size + write_size) > max_early_data_size) {
            break;
        }

        /*
         * If the server rejected early data, base the determination of when
         * to stop the loop on the expanded size (padding and encryption
         * expansion) of early data on server side and the number of early data
         * received so far by the server (multiple of the expanded size).
         */
        if ((expanded_early_data_chunk_size != 0) &&
            ((server_ep.ssl.total_early_data_size +
              expanded_early_data_chunk_size) > max_early_data_size)) {
            break;
        }

        for (size_t i = 0; i < write_size; i++) {
            buf_write[i] = (unsigned char) (written_early_data_size + i);
        }

        ret = write_early_data(&(client_ep.ssl), buf_write, write_size);
        TEST_EQUAL(ret, write_size);
        written_early_data_size += write_size;

        switch (scenario) {
            case TEST_EARLY_DATA_ACCEPTED:
                while (read_early_data_size < write_size) {
                    ret = mbedtls_ssl_handshake(&(server_ep.ssl));
                    TEST_EQUAL(ret, MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA);

                    ret = mbedtls_ssl_read_early_data(&(server_ep.ssl),
                                                      buf_read, read_size);
                    TEST_ASSERT(ret > 0);

                    TEST_MEMORY_COMPARE(buf_read, ret,
                                        buf_write + read_early_data_size, ret);
                    read_early_data_size += ret;

                    TEST_EQUAL(server_ep.ssl.total_early_data_size,
                               written_early_data_size);
                }
                break;

            case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */
            case TEST_EARLY_DATA_HRR:
                ret = mbedtls_ssl_handshake(&(server_ep.ssl));
                /*
                 * In this write loop we try to always stay below the
                 * max_early_data_size limit but if max_early_data_size is very
                 * small we may exceed the max_early_data_size limit on the
                 * first write. In TEST_EARLY_DATA_SERVER_REJECTS/
                 * TEST_EARLY_DATA_HRR scenario, this is for sure the case if
                 * max_early_data_size is smaller than the smallest possible
                 * inner content/protected record. Take into account this
                 * possibility here but only for max_early_data_size values
                 * that are close to write_size. Below, '1' is for the inner
                 * type byte and '16' is to take into account some AEAD
                 * expansion (tag, ...).
                 */
                if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE) {
                    if (scenario == TEST_EARLY_DATA_SERVER_REJECTS) {
                        TEST_LE_U(max_early_data_size,
                                  write_size + 1 +
                                  MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY);
                    } else {
                        TEST_LE_U(max_early_data_size,
                                  write_size + 1 + 16 +
                                  MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY);
                    }
                    goto exit;
                }

                TEST_ASSERT(ret == MBEDTLS_ERR_SSL_WANT_READ);

                TEST_EQUAL(server_pattern.counter, 1);
                server_pattern.counter = 0;
                if (expanded_early_data_chunk_size == 0) {
                    expanded_early_data_chunk_size = server_ep.ssl.total_early_data_size;
                }
                break;
        }
        TEST_LE_U(server_ep.ssl.total_early_data_size, max_early_data_size);
    } while (1);

    mbedtls_debug_set_threshold(3);
    ret = write_early_data(&(client_ep.ssl), buf_write, write_size);
    TEST_EQUAL(ret, write_size);

    ret = mbedtls_snprintf(pattern, sizeof(pattern),
                           "EarlyData: Too much early data received");
    TEST_ASSERT(ret < (int) sizeof(pattern));

    ret = mbedtls_ssl_handshake(&(server_ep.ssl));
    TEST_EQUAL(ret, MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
    TEST_EQUAL(server_pattern.counter, 1);

exit:
    mbedtls_test_ssl_endpoint_free(&client_ep, NULL);
    mbedtls_test_ssl_endpoint_free(&server_ep, NULL);
    mbedtls_test_free_handshake_options(&client_options);
    mbedtls_test_free_handshake_options(&server_options);
    mbedtls_ssl_session_free(&saved_session);
    mbedtls_free(buf_write);
    mbedtls_free(buf_read);
    mbedtls_debug_set_threshold(0);
    PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_DEBUG_C:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
void inject_client_content_on_the_wire(int pk_alg,
                                       int state, data_t *data,
                                       char *log_pattern, int expected_ret)
{
    /* This function allows us to inject content at a specific state
     * in the handshake, or when it's completed. The content is injected
     * on the mock TCP socket, as if we were an active network attacker.
     *
     * This function is suitable to inject:
     * - crafted records, at any point;
     * - valid records that contain crafted handshake messages, but only
     *   when the traffic is still unprotected (for TLS 1.2 that's most of the
     *   handshake, for TLS 1.3 that's only the Hello messages);
     * - handshake messages that are fragmented in a specific way,
     *   under the same conditions as above.
     */
    enum { BUFFSIZE = 16384 };
    mbedtls_test_ssl_endpoint server, client;
    mbedtls_platform_zeroize(&server, sizeof(server));
    mbedtls_platform_zeroize(&client, sizeof(client));
    mbedtls_test_handshake_test_options options;
    mbedtls_test_init_handshake_options(&options);
    mbedtls_test_ssl_log_pattern srv_pattern;
    memset(&srv_pattern, 0, sizeof(srv_pattern));
    int ret = -1;

    PSA_INIT();

    srv_pattern.pattern = log_pattern;
    options.srv_log_obj = &srv_pattern;
    options.srv_log_fun = mbedtls_test_ssl_log_analyzer;
    mbedtls_debug_set_threshold(3);

    options.pk_alg = pk_alg;

    ret = mbedtls_test_ssl_endpoint_init(&server, MBEDTLS_SSL_IS_SERVER,
                                         &options, NULL, NULL, NULL);
    TEST_EQUAL(ret,  0);

    ret = mbedtls_test_ssl_endpoint_init(&client, MBEDTLS_SSL_IS_CLIENT,
                                         &options, NULL, NULL, NULL);
    TEST_EQUAL(ret,  0);

    ret = mbedtls_test_mock_socket_connect(&server.socket, &client.socket,
                                           BUFFSIZE);
    TEST_EQUAL(ret,  0);

    /* Make the server move to the required state */
    ret = mbedtls_test_move_handshake_to_state(&client.ssl, &server.ssl, state);
    TEST_EQUAL(ret, 0);

    /* Send the crafted message */
    ret = mbedtls_test_mock_tcp_send_b(&client.socket, data->x, data->len);
    TEST_EQUAL(ret, (int) data->len);

    /* Have the server process it.
     * Need the loop because a server that support 1.3 and 1.2
     * will process a 1.2 ClientHello in two steps.
     */
    do {
        ret = mbedtls_ssl_handshake_step(&server.ssl);
    } while (ret == 0 && server.ssl.state == state);
    TEST_EQUAL(ret,  expected_ret);
    TEST_ASSERT(srv_pattern.counter >= 1);

exit:
    mbedtls_test_free_handshake_options(&options);
    mbedtls_test_ssl_endpoint_free(&server, NULL);
    mbedtls_test_ssl_endpoint_free(&client, NULL);
    mbedtls_debug_set_threshold(0);
    PSA_DONE();
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_DEBUG_C:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_SHA_256:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_ALG_ECDSA_ANY */
void send_large_fragmented_hello(int hs_len_int, int first_frag_content_len_int,
                                 char *log_pattern, int expected_ret)
{
    /* This function sends a long message (claiming to be a ClientHello)
     * fragmented in 1-byte fragments (except the initial fragment).
     * The purpose is to test how the stack reacts when receiving:
     * - a message larger than our buffer;
     * - a message smaller than our buffer, but where the intermediate size of
     *   holding all the fragments (including overhead) is larger than our
     *   buffer.
     */
    enum { BUFFSIZE = 16384 };
    mbedtls_test_ssl_endpoint server, client;
    mbedtls_platform_zeroize(&server, sizeof(server));
    mbedtls_platform_zeroize(&client, sizeof(client));

    mbedtls_test_handshake_test_options options;
    mbedtls_test_init_handshake_options(&options);

    mbedtls_test_ssl_log_pattern srv_pattern;
    memset(&srv_pattern, 0, sizeof(srv_pattern));

    unsigned char *first_frag = NULL;
    int ret = -1;

    size_t hs_len = (size_t) hs_len_int;
    size_t first_frag_content_len = (size_t) first_frag_content_len_int;

    PSA_INIT();

    srv_pattern.pattern = log_pattern;
    options.srv_log_obj = &srv_pattern;
    options.srv_log_fun = mbedtls_test_ssl_log_analyzer;
    mbedtls_debug_set_threshold(1);

    // Does't really matter but we want to know to declare dependencies.
    options.pk_alg = MBEDTLS_PK_ECDSA;

    ret = mbedtls_test_ssl_endpoint_init(&server, MBEDTLS_SSL_IS_SERVER,
                                         &options, NULL, NULL, NULL);
    TEST_EQUAL(ret,  0);

    ret = mbedtls_test_ssl_endpoint_init(&client, MBEDTLS_SSL_IS_CLIENT,
                                         &options, NULL, NULL, NULL);
    TEST_EQUAL(ret,  0);

    ret = mbedtls_test_mock_socket_connect(&server.socket, &client.socket,
                                           BUFFSIZE);
    TEST_EQUAL(ret,  0);

    /* Make the server move past the initial dummy state */
    ret = mbedtls_test_move_handshake_to_state(&client.ssl, &server.ssl,
                                               MBEDTLS_SSL_CLIENT_HELLO);
    TEST_EQUAL(ret, 0);

    /* Prepare initial fragment */
    const size_t first_len = 5 // record header, see below
                             + 4 // handshake header, see balow
                             + first_frag_content_len;
    TEST_CALLOC(first_frag, first_len);
    unsigned char *p = first_frag;
    // record header
    // record type: handshake
    *p++ = 0x16,
    // record version (actually common to TLS 1.2 and TLS 1.3)
    *p++ = 0x03,
    *p++ = 0x03,
    // record length: two bytes
    *p++ = (unsigned char) (((4 + first_frag_content_len) >> 8) & 0xff);
    *p++ = (unsigned char) (((4 + first_frag_content_len) >> 0) & 0xff);
    // handshake header
    // handshake type: ClientHello
    *p++ = 0x01,
    // handshake length: three bytes
    *p++ = (unsigned char) ((hs_len >> 16) & 0xff);
    *p++ = (unsigned char) ((hs_len >>  8) & 0xff);
    *p++ = (unsigned char) ((hs_len >>  0) & 0xff);
    // handshake content: dummy value
    memset(p, 0x2a, first_frag_content_len);

    /* Send initial fragment and have the server process it. */
    ret = mbedtls_test_mock_tcp_send_b(&client.socket, first_frag, first_len);
    TEST_ASSERT(ret >= 0 && (size_t) ret == first_len);

    ret = mbedtls_ssl_handshake_step(&server.ssl);
    TEST_EQUAL(ret, MBEDTLS_ERR_SSL_WANT_READ);

    /* Dummy 1-byte fragment to repeatedly send next */
    const unsigned char next[] = {
        0x16, 0x03, 0x03, 0x00, 0x01, // record header (see above)
        0x2a, // Dummy handshake message content
    };
    for (size_t left = hs_len - first_frag_content_len; left != 0; left--) {
        ret = mbedtls_test_mock_tcp_send_b(&client.socket, next, sizeof(next));
        TEST_ASSERT(ret >= 0 && (size_t) ret == sizeof(next));

        ret = mbedtls_ssl_handshake_step(&server.ssl);
        if (ret != MBEDTLS_ERR_SSL_WANT_READ) {
            break;
        }
    }
    TEST_EQUAL(ret, expected_ret);
    TEST_EQUAL(srv_pattern.counter, 1);

exit:
    mbedtls_test_free_handshake_options(&options);
    mbedtls_test_ssl_endpoint_free(&server, NULL);
    mbedtls_test_ssl_endpoint_free(&client, NULL);
    mbedtls_debug_set_threshold(0);
    mbedtls_free(first_frag);
    PSA_DONE();
}
/* END_CASE */